使用带有 Spring Security 的 Telegram 登录
我正在尝试在 Spring Boot 应用程序上实现使用 Telegram 登录(https://core.telegram.org/widgets/login),但遇到了问题。
我一直在尝试实施他们提供的 PHP 代码来验证身份验证,但出了点问题,我无法理解是什么。
所以,这就是 PHP 上的代码
secret_key = SHA256(<bot_token>)
if (hex(HMAC_SHA256(data_check_string, secret_key)) == hash) {
// data is from Telegram
}
Data-check-string 是所有接收到的字段的串联,按字母顺序排序,格式key=<value>为使用换行符('\n',0xA0)作为分隔符 - 例如,'auth_date=<auth_date>\nfirst_name=<first_name>\nid=<id>\nusername=<username>.
所以,我所做的是:
@AllArgsConstructor
@JsonNaming(PropertyNamingStrategy.SnakeCaseStrategy.class)
public class AuthenticationRequest {
@NotNull
private Long authDate;
private String firstName;
@NotEmpty
private String id;
private String lastName;
private String photoUrl;
private String username;
@NotEmpty
private String hash;
@Override
public String toString() {
final var data = new StringBuilder();
for (final Field field : getClass().getDeclaredFields()) {
try {
if (!field.getName().equals("hash") && field.get(this) != null) {
final var fieldName = CaseFormat.LOWER_CAMEL
.to(CaseFormat.LOWER_UNDERSCORE, field.getName());
data.append(fieldName).append("=").append(field.get(this)).append("\\n");
}
} catch (IllegalAccessException e) {
e.printStackTrace();
}
}
return data.substring(0, data.length() - 2);
}
}
还有这两个方法:
private static String hmacSha256(final String data, final byte[] secret) {
try {
Mac sha256Hmac = Mac.getInstance("HmacSHA256");
SecretKeySpec secretKey = new SecretKeySpec(secret, "HmacSHA256");
sha256Hmac.init(secretKey);
byte[] signedBytes = sha256Hmac.doFinal(data.getBytes());
return bytesToHex(signedBytes);
} catch (NoSuchAlgorithmException | InvalidKeyException ex) {
return null;
}
你能告诉我我做错了什么吗?也许我完全误解了验证身份验证数据的方式,或者我错过了什么?
慕桂英33893312回答
-
蓝山帝景
试试这个,代码有点难看,但效果很好!public boolean verifyAuth(JsonObject Telegram_User){ String hash = Telegram_User.remove("hash").getAsString(); try { Mac sha256_HMAC = Mac.getInstance("HmacSHA256"); String[] t = Telegram_User.toString().replace("{","").replace("}","").replace("\":","=").replace(",","\n").replace("\"","").split("\n"); sha256_HMAC.init(new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(BezouroBot.telegram.getBotToken().getBytes(StandardCharsets.UTF_8)),"SHA256")); Arrays.sort(t); StringBuilder i = new StringBuilder(); boolean First = true; for (String s : t) if(First){ First = false; i = new StringBuilder(s);} else i.append("\n").append(s); return Hex.encodeHexString(sha256_HMAC.doFinal(i.toString().getBytes())).equals(hash); } catch (NoSuchAlgorithmException | InvalidKeyException e) { e.printStackTrace(); return false; }} -
慕码人2483693
这是我的工具// define your token to a variableprivate final String TELEGRAM_TOKEN = ""@PostMapping("auth/telegram")public ResponseEntity<Object> telegramAuth(@RequestBody Map<String, Object> request) { String hash = (String) request.get("hash"); request.remove("hash"); // Prepare the string String str = request.entrySet().stream() .sorted((a, b) -> a.getKey().compareToIgnoreCase(b.getKey())) .map(kvp -> kvp.getKey() + "=" + kvp.getValue()) .collect(Collectors.joining("\n")); try { SecretKeySpec sk = new SecretKeySpec( // Get SHA 256 from telegram token MessageDigest.getInstance("SHA-256").digest(TELEGRAM_TOKEN.getBytes(StandardCharsets.UTF_8) ), "HmacSHA256"); Mac mac = Mac.getInstance("HmacSHA256"); mac.init(sk); byte[] result = mac.doFinal(str.getBytes(StandardCharsets.UTF_8)); // Convert the result to hex string // Like https://stackoverflow.com/questions/9655181 String resultStr = ByteBufUtil.bytesToHex(result); // Compare the result with the hash from body if(hash.compareToIgnoreCase(resultStr) == 0) { // Do other things like create a user and JWT token return ResponseEntity.ok("ok"); } else { return ResponseEntity.status(HttpStatus.FORBIDDEN).body( new MessageResponse("Login info hash mismatch") ); } } catch (Exception e) { logger.error(e.getMessage(), e); return ResponseEntity.status(HttpStatus.FORBIDDEN).body( new MessageResponse("Server error while authenticating") ); }}
随时随地看视频慕课网APP
相关分类
Java