safra36 · March 3, 2026 17:11
diff --git a/auth.ts b/auth.ts
 // to use it on your webapp, simply create a backend with these functions, and use this to verify authorization

 fetch("/auth", {
    method : "POST",
    body : window.Telegram.WebApp.initData,
 })

diff --git a/authorization.ts b/authorization.ts
 import type { TelegramUser } from "./types";


 export function isAuthorized(mapped : URLSearchParams) : boolean {

    const hashString = [...mapped.entries()]
        .filter(([key]) => key !== 'hash')
        .sort(([a], [b]) => a.localeCompare(b))
        .map(([key, value]) => `${key}=${value}`)
        .join('\n');
    
        const secretKey = createHmac("sha256", "WebAppData").update(PRIVATE_BOT_TOKEN).digest();
        const hash = createHmac("sha256", secretKey).update(hashString).digest("hex");
        
        // indicate how much this token is valid in your app, in out case it was 1 day (24 * 60 * 60 * 1000)
        if(mapped.get('hash') == hash && (Date.now() - new Date(+mapped.get("auth_date")! * 1000).getTime()) < 24 * 60 * 60 * 1000) {
            return true
        }
        else {
            return false;
        }

 }


 export function getUserFromParams( mapped : URLSearchParams ) : TelegramUser {
    return JSON.parse(mapped.get("user"));
 }
diff --git a/types.ts b/types.ts
 export interface TelegramUser {
 	id: number;
 	first_name: string;
 	last_name: string;
 	username: string;
 	language_code: string;
 	allows_write_to_pm: boolean;
 	photo_url: string;
 }
	// to use it on your webapp, simply create a backend with these functions, and use this to verify authorization

	fetch("/auth", {
	method : "POST",
	body : window.Telegram.WebApp.initData,
	})
	import type { TelegramUser } from "./types";


	export function isAuthorized(mapped : URLSearchParams) : boolean {

	const hashString = [...mapped.entries()]
	.filter(([key]) => key !== 'hash')
	.sort(([a], [b]) => a.localeCompare(b))
	.map(([key, value]) => `${key}=${value}`)
	.join('\n');

	const secretKey = createHmac("sha256", "WebAppData").update(PRIVATE_BOT_TOKEN).digest();
	const hash = createHmac("sha256", secretKey).update(hashString).digest("hex");

	// indicate how much this token is valid in your app, in out case it was 1 day (24 * 60 * 60 * 1000)
	if(mapped.get('hash') == hash && (Date.now() - new Date(+mapped.get("auth_date")! * 1000).getTime()) < 24 * 60 * 60 * 1000) {
	return true
	}
	else {
	return false;
	}

	}


	export function getUserFromParams( mapped : URLSearchParams ) : TelegramUser {
	return JSON.parse(mapped.get("user"));
	}
	export interface TelegramUser {
	id: number;
	first_name: string;
	last_name: string;
	username: string;
	language_code: string;
	allows_write_to_pm: boolean;
	photo_url: string;
	}