I tried this adapter in webhook mode. I noticed that in the current version, when it sets up the webhook, it does not include a secret_token (defined in https://core.telegram.org/bots/api#setwebhook) field. Nor does it check whether the request comes from one of the Telegram servers (defined in https://core.telegram.org/bots/webhooks). Therefore, it is possible for an attacker to forge a request from a Telegram server, and the bot is vulnerable to it, unless the user has custom routing that limits connections to the Telegram servers.
My suggestion is to randomly generate a secret_token when a user sets up the bot in webhook mode, and to check whether a request has a matching X-Telegram-Bot-Api-Secret-Token header when it receives an update. This change should be transparent to existing users, and would save users without a custom routing rule from forged updates.
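The check proposed above, as an added example that is not the adapter's own code: it generates a secret_token with the character set setWebhook accepts, puts it in the setWebhook parameters, and then verifies the X-Telegram-Bot-Api-Secret-Token header on each incoming update with a constant-time comparison. It also shows the optional source-address check, using the address ranges listed on the linked Telegram webhooks page at the time of writing (re-check that page before relying on them). The function and parameter names, the plain-dict request shape and the sample requests are assumptions made for this illustration, not any framework's API.

```python
import hmac
import ipaddress
import secrets
from typing import Mapping, Optional

# Source ranges published at https://core.telegram.org/bots/webhooks at the time of
# writing; verify against that page before enforcing them (assumed here).
TELEGRAM_WEBHOOK_NETWORKS = [
    ipaddress.ip_network("149.154.160.0/20"),
    ipaddress.ip_network("91.108.4.0/22"),
]

SECRET_HEADER = "X-Telegram-Bot-Api-Secret-Token"


def generate_secret_token(nbytes: int = 32) -> str:
    """Random token for setWebhook's secret_token field.

    token_urlsafe only emits A-Z, a-z, 0-9, '_' and '-', which is the alphabet
    setWebhook accepts, and 32 bytes gives a 43-character string (limit is 256).
    """
    return secrets.token_urlsafe(nbytes)


def set_webhook_params(url: str, secret_token: str) -> dict:
    """Request body for the setWebhook call (hypothetical helper name)."""
    return {"url": url, "secret_token": secret_token}


def is_telegram_source(remote_ip: str) -> bool:
    """True if remote_ip falls inside one of the published Telegram ranges."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in TELEGRAM_WEBHOOK_NETWORKS)


def verify_update(
    headers: Mapping[str, str],
    expected_secret: str,
    remote_ip: Optional[str] = None,
    require_telegram_ip: bool = False,
) -> bool:
    """Accept an incoming update only if it carries the secret we registered.

    Header names are matched case-insensitively because proxies and frameworks
    normalise them differently. The comparison is constant-time so a forger
    cannot recover the token byte by byte from response timing.
    """
    presented = None
    for name, value in headers.items():
        if name.lower() == SECRET_HEADER.lower():
            presented = value
            break
    if presented is None:
        return False  # no header at all: an unauthenticated, possibly forged, POST
    if not hmac.compare_digest(presented.encode("utf-8"), expected_secret.encode("utf-8")):
        return False
    if require_telegram_ip and (remote_ip is None or not is_telegram_source(remote_ip)):
        return False
    return True


if __name__ == "__main__":
    token = generate_secret_token()
    print("setWebhook params:", set_webhook_params("https://bot.example.invalid/hook", token))

    # Constructed sample requests, not captured traffic.
    genuine = {"Content-Type": "application/json", SECRET_HEADER: token}
    forged = {"Content-Type": "application/json"}
    guessed = {"Content-Type": "application/json", SECRET_HEADER: "AAAA"}

    print("genuine accepted:", verify_update(genuine, token))
    print("forged (no header) accepted:", verify_update(forged, token))
    print("forged (wrong token) accepted:", verify_update(guessed, token))
    print("genuine but from 8.8.8.8 with IP check:",
          verify_update(genuine, token, remote_ip="8.8.8.8", require_telegram_ip=True))
```

If the bot sits behind a reverse proxy, remote_ip must come from the proxy's trusted forwarding header rather than the socket peer, otherwise every request appears to originate from the proxy and the IP check is either useless or locks out Telegram. The header check alone is sufficient to stop forged updates; the address check is defence in depth for deployments that can obtain the real client address.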