Add webhook secret token to bot config and automatically check it

README.md

@@ -95,6 +95,7 @@ Telegram.bots_config = {
     token: CHAT_BOT_TOKEN,
     username: 'ChatBot', # to support commands with mentions (/help@ChatBot)
     server: 'http://local.bot.api.server', # for Local Bot API Server
+    webhook_token: 'webhook_secret', # optional, to authorize incoming requests
   },
 }
 
@@ -118,6 +119,7 @@ development:
       token: TOKEN
       username: SomeBot
       server: http://local.bot.api.server
+      webhook_token: 'webhook_secret'
 
     # For multiple bots in single app use hash of `internal_bot_id => settings`
     bots:

lib/telegram/bot/client.rb

@@ -55,12 +55,13 @@ def error_for_response(response)
         end
       end
 
-      attr_reader :client, :token, :username, :base_uri
+      attr_reader :client, :token, :username, :webhook_token, :base_uri
 
       def initialize(token = nil, username = nil, server: SERVER, **options)
         @client = HTTPClient.new
         @token = token || options[:token]
         @username = username || options[:username]
+        @webhook_token = options[:webhook_token]
         @base_uri = format(URL_TEMPLATE, server: server, token: self.token)
       end
 

lib/telegram/bot/middleware.rb

@@ -18,13 +18,23 @@ def initialize(bot, controller)
       def call(env)
         request = ActionDispatch::Request.new(env)
         update = request.request_parameters
-        controller.dispatch(bot, update, request)
-        [200, {}, ['']]
+        if webhook_token_matches?(bot, request)
+          controller.dispatch(bot, update, request)
+          [200, {}, ['']]
+        else
+          [403, {}, ['Forbidden']]
+        end
       end
 
       def inspect
         "#<#{self.class.name}(#{controller&.name})>"
       end
+
+      private
+
+      def webhook_token_matches?(bot, request)
+        request.headers['X-Telegram-Bot-Api-Secret-Token'] == bot.webhook_token
+      end
     end
   end
 end

lib/telegram/bot/tasks.rb

@@ -18,6 +18,7 @@ def set_webhook
             certificate: cert,
             ip_address: ENV.fetch('IP_ADDRESS', nil),
             drop_pending_updates: drop_pending_updates,
+            secret_token: bot.webhook_token,
           )
         end
       end

spec/telegram/bot/config_methods_spec.rb

@@ -13,6 +13,7 @@
       chat: {
         token: 'chat_token',
         username: 'Chat',
+        webhook_token: 'webhook_secret_token',
       },
       other_chat: {
         'token' => 'other_chat_token',
@@ -43,6 +44,7 @@
       its(:id) { should eq :chat }
       its(:token) { should eq config[:chat][:token] }
       its(:username) { should eq config[:chat][:username] }
+      its(:webhook_token) { should eq config[:chat][:webhook_token] }
     end
 
     context 'configured by hash with stringified keys' do

spec/telegram/bot/middleware_spec.rb

@@ -4,7 +4,7 @@
 
 RSpec.describe Telegram::Bot::Middleware do
   let(:instance) { described_class.new bot, controller }
-  let(:bot) { double(:bot) }
+  let(:bot) { double(:bot, webhook_token: nil) }
   let(:controller) { double(:controller, dispatch: :dispatch_result) }
 
   describe '#call' do

spec/telegram/bot/routes_helper_spec.rb

@@ -56,6 +56,7 @@ def assert_route(bot, controller, path: nil, **expected_options) # rubocop:disab
         expect(middleware.controller).to eq(controller)
         expect(middleware.bot.token).to eq(bot.token)
         expect(middleware.bot.username).to eq(bot.username)
+        expect(middleware.bot.webhook_token).to eq(bot.webhook_token)
         expect(actual_options).to include(expected_options)
       end
       yield