No project description provided

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for b0g3r from gravatar.com b0g3r

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License (MIT)

Author: Dima Boger

Tags fastapi, fastapi security, telegram, telegram webhook, bot webhook

Requires: Python >=3.6

Classifiers

Project description

fastapi-security-telegram-webhook

Plugin for FastAPI which allows you to secure your Telegram Bot API webhook endpoint with IP restriction and an optional secret token.

Telegram provides two ways of getting updates: long polling and webhook. When you use webhook you just register endpoint address and telegram sends JSON to this address. If the bad guy finds out the address of your webhook, then he can send fake "telegram updates" to your bot.

Telegram doesn't provide any security features like signing or authentication mechanisms, so securing webhook is a task for a bot developer.

Thence, for securing your webhook you have only two option:

  • Allow requests only from Telegram subnets. Telegram assures that they won't change.
  • Use secret value in endpoint address, e.g. /telegram-webhook/468e95826f224a60a4e9355ab76e0875. It will complicate the brute force attack and you can easily change it if the value was compromised.

This little plugin allows you to use both ways to secure.

How to use

Use pip or another package management util:

pip install fastapi-security-telegram-webhook

or

poetry add fastapi-security-telegram-webhook

or

pipenv install fastapi-security-telegram-webhook

Package contains two Security objects:

  • OnlyTelegramNetwork allows request only from telegram subnets
  • OnlyTelegramNetworkWithSecret additionally checks secret in path

Example with OnlyTelegramNetworkWithSecret. Pay attention to {secret} in path operation, it's required

from fastapi import FastAPI, Body, Depends
from fastapi_security_telegram_webhook import OnlyTelegramNetworkWithSecret

app = FastAPI()
webhook_security = OnlyTelegramNetworkWithSecret(real_secret="your-secret-from-config-or-env")

# {secret} in path and OnlyTelegramNetworkWithSecret as dependency:
@app.post('/webhook/{secret}', dependencies=[Depends(webhook_security)])
def process_telegram_update(update_raw = Body(...)):
   ...

Use behind proxy

The plugin uses starlette.Request.client.host for extracting IP address of the request, so if your web-app is behind proxy you should pass the real IP to the app.

For uvicorn you can use --proxy-headers as it describes in documentation.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for b0g3r from gravatar.com b0g3r

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License (MIT)

Author: Dima Boger

Tags fastapi, fastapi security, telegram, telegram webhook, bot webhook

Requires: Python >=3.6

Classifiers

Release history Release notifications | RSS feed

This version

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fastapi-security-telegram-webhook-0.2.0.tar.gz (4.2 kB view hashes)

Uploaded Source

Built Distribution

fastapi_security_telegram_webhook-0.2.0-py3-none-any.whl (5.1 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page