No project description provided
Project description
fastapi-security-telegram-webhook
Plugin for FastAPI which allows you to secure your Telegram Bot API webhook endpoint with IP restriction and an optional secret token.
Telegram provides two ways of getting updates: long polling and webhook. When you use webhook you just register endpoint address and telegram sends JSON to this address. If the bad guy finds out the address of your webhook, then he can send fake "telegram updates" to your bot.
Telegram doesn't provide any security features like signing or authentication mechanisms, so securing webhook is a task for a bot developer.
Thence, for securing your webhook you have only two option:
- Allow requests only from Telegram subnets. Telegram assures that they won't change.
- Use secret value in endpoint address, e.g.
/telegram-webhook/468e95826f224a60a4e9355ab76e0875. It will complicate the brute force attack and you can easily change it if the value was compromised.
This little plugin allows you to use both ways to secure.
How to use
Use pip or another package management util:
pip install fastapi-security-telegram-webhook
or
poetry add fastapi-security-telegram-webhook
or
pipenv install fastapi-security-telegram-webhook
Package contains two Security objects:
OnlyTelegramNetworkallows request only from telegram subnetsOnlyTelegramNetworkWithSecretadditionally checks secret in path
Example with OnlyTelegramNetworkWithSecret. Pay attention to {secret} in path operation, it's required
from fastapi import FastAPI, Body, Depends
from fastapi_security_telegram_webhook import OnlyTelegramNetworkWithSecret
app = FastAPI()
webhook_security = OnlyTelegramNetworkWithSecret(real_secret="your-secret-from-config-or-env")
# {secret} in path and OnlyTelegramNetworkWithSecret as dependency:
@app.post('/webhook/{secret}', dependencies=[Depends(webhook_security)])
def process_telegram_update(update_raw = Body(...)):
...
Use behind proxy
The plugin uses starlette.Request.client.host for extracting IP address of the request, so if your web-app is
behind proxy you should pass the real IP to the app.
For uvicorn you can use --proxy-headers as it describes in
documentation.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file fastapi-security-telegram-webhook-0.2.0.tar.gz.
File metadata
- Download URL: fastapi-security-telegram-webhook-0.2.0.tar.gz
- Upload date:
- Size: 4.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.5 CPython/3.7.1 Linux/4.15.0-1028-gcp
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | aa3c908cfa8ba9305fa483d2958aea52bd4605554fea9f429bbf95c2bf2e2d51 |
|
| MD5 | 9515e48051921fdab6844d3582f5e0c0 |
|
| BLAKE2b-256 | 48ba5de4d413b4882a4ec423ede8dedf4bfea925456c347db4190c5e071ab846 |
File details
Details for the file fastapi_security_telegram_webhook-0.2.0-py3-none-any.whl.
File metadata
- Download URL: fastapi_security_telegram_webhook-0.2.0-py3-none-any.whl
- Upload date:
- Size: 5.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.5 CPython/3.7.1 Linux/4.15.0-1028-gcp
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 22d1575add1a6e239956ccc8fb8819964393d2e5ee8bef181e6f4e5ee63a8df1 |
|
| MD5 | 585f4a21c11e72bb92a8aa909617563d |
|
| BLAKE2b-256 | 871f6eca16f56b30563dcebcbbf8b151f42317b85e3ef462d2de4f6327c79a38 |
