go-pkgz / auth / build 25592801771
Coverage: 85%
Default branch: master
Ran: 09 May 2026 05:24AM UTC
Jobs: 1
Files: 25
Run time: 1min
09 May 2026 05:23AM UTC coverage: 84.968% (+0.02%) from 84.944%
Build 25592801771, triggered by a push on github, committer: umputun
fix(telegram): never expose bot token in avatar URL

tgAPI.Avatar returned a URL with the bot token embedded in its path:

    https://api.telegram.org/file/bot{TOKEN}/photos/file_X.jpg

The token is a bearer credential for the entire bot API. The URL flowed
into User.Picture and from there:

* Into avatar.Proxy.Put debug logs ("[DEBUG] saved avatar from <url>"
  and the corresponding load-failure line) regardless of whether avatar
  saving succeeded.
* Into the JWT claims and the user JSON returned to the browser when
  no AvatarSaver was configured (User.Picture is in the User struct).

Either path leaks the bot token to anyone with log access, anyone who
can read the JWT (the user themselves on the device, plus anyone
intercepting browser/devtools), or any third-party observability stack.

Two-part fix in v1 and v2:

1. avatar/avatar.go: redact the URL in Put's two debug log lines via a
   new redactAvatarURL helper (hostname only). Add Proxy.PutContent so
   pre-fetched bytes can be saved without the URL-fetch round trip.
2. provider/telegram.go: in processUpdates, never assign the bot URL
   to User.Picture. Pass it to a new saveTelegramAvatar method that
   fetches the bytes server-side and stores them via the new content-
   saver interface (avatar.Proxy implements it). The call returns a
   clean local proxy URL or "" — whatever lands in Picture is safe to
   log and to send to the client.

A graceful fallback path warns and drops the avatar when the
configured AvatarSaver does not implement PutContent (custom external
implementations) — never exposes the token to satisfy the avatar
feature.

Tests in both modules:

* TestSaveTelegramAvatar_BotTokenNeverLogged — unit-level table for
  the helper covering the success, fallback-without-PutContent and
  empty-URL paths.
* TestTelegramProcessUpdates_BotTokenNeverInUserPicture — regression
  test for the property: drive processUpdates with a mock that returns
  a URL containing a bot-token marker; ... (continued)
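The two mechanisms the commit message describes (log only the hostname of an avatar URL, and fetch the token-bearing URL server-side so that only a local proxy URL ever reaches User.Picture) are shown below as an added, stand-alone Go example. It is not the go-pkgz/auth code: the names redactAvatarURL, contentSaver, memSaver, legacySaver, saveAvatarServerSide and newFakeBotFileServer are illustrative, the token value is constructed, and the "Telegram" file server is an httptest stub so the program runs offline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// redactAvatarURL keeps only scheme and host, so a path such as
// /file/bot{TOKEN}/photos/x.jpg never reaches a log line.
func redactAvatarURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return "<redacted>"
	}
	return u.Scheme + "://" + u.Host
}

// contentSaver stands in for the content-saver interface the commit message
// describes: store pre-fetched bytes, return a local proxy URL. Hypothetical name.
type contentSaver interface {
	PutContent(userID string, data []byte) (string, error)
}

// memSaver is a constructed in-memory saver implementing contentSaver.
type memSaver struct{ store map[string][]byte }

func (m *memSaver) PutContent(userID string, data []byte) (string, error) {
	sum := sha256.Sum256([]byte(userID))
	key := hex.EncodeToString(sum[:8])
	m.store[key] = data
	return "/avatar/" + key + ".image", nil // local proxy URL, no upstream path
}

// legacySaver is a constructed saver without PutContent: the fallback case.
type legacySaver struct{}

func (legacySaver) Put(userID, avatarURL string) (string, error) { return "", nil }

// saveAvatarServerSide fetches botURL on the server and hands the bytes to the
// saver. It returns either a local proxy URL or "", never the token-bearing
// URL, so the result is safe for logs, JWT claims and the browser.
func saveAvatarServerSide(client *http.Client, saver interface{}, userID, botURL string) string {
	if botURL == "" {
		return ""
	}
	cs, ok := saver.(contentSaver)
	if !ok {
		log.Printf("[WARN] avatar saver has no PutContent, dropping avatar from %s", redactAvatarURL(botURL))
		return ""
	}
	resp, err := client.Get(botURL)
	if err != nil {
		log.Printf("[WARN] avatar fetch from %s failed: %v", redactAvatarURL(botURL), err)
		return ""
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		log.Printf("[WARN] avatar fetch from %s returned %d", redactAvatarURL(botURL), resp.StatusCode)
		return ""
	}
	data, err := io.ReadAll(io.LimitReader(resp.Body, 5<<20)) // cap avatar size at 5 MiB
	if err != nil {
		return ""
	}
	picture, err := cs.PutContent(userID, data)
	if err != nil {
		log.Printf("[WARN] saving avatar from %s failed: %v", redactAvatarURL(botURL), err)
		return ""
	}
	return picture
}

// newFakeBotFileServer serves a constructed "photo" under the token-bearing
// path so the example runs offline. It is a stub, not a Telegram endpoint.
func newFakeBotFileServer(token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, "/file/bot"+token+"/") {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "image/jpeg")
		_, _ = w.Write([]byte{0xFF, 0xD8, 0xFF, 0xE0}) // JPEG SOI + APP0 marker bytes
	}))
}

func main() {
	const token = "123456:SECRET-BOT-TOKEN" // constructed, not a real token
	srv := newFakeBotFileServer(token)
	defer srv.Close()
	botURL := srv.URL + "/file/bot" + token + "/photos/file_1.jpg"

	fmt.Println("redacted for logs:", redactAvatarURL(botURL))
	fmt.Println("picture:", saveAvatarServerSide(srv.Client(), &memSaver{store: map[string][]byte{}}, "tg-42", botURL))
	fmt.Println("picture (legacy saver):", saveAvatarServerSide(srv.Client(), legacySaver{}, "tg-42", botURL))
}
```

The invariant worth checking in a regression test is the one the commit names: drive the save path with a URL containing a token marker and assert the marker never appears in the returned picture value, in any of the success, no-PutContent and empty-URL cases.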

79 of 96 new or added lines in 2 files covered. (82.29%)

2877 of 3386 relevant lines covered (84.97%)

7.7 hits per line

Uncovered Changes

File                  Uncovered lines  Coverage  Δ
provider/telegram.go  13               83.11%    +0.99%
avatar/avatar.go      4                80.21%    -0.02%
Jobs

ID  Job ID         Ran                      Files  Coverage
1   25592801771.1  09 May 2026 05:24AM UTC  25     84.97%
  • e5f47f56 on github
  • Prev Build on master (#25592713657)
  • Next Build on master (#25606245284)

© 2026 Coveralls, Inc