
go-pkgz / auth (Coveralls)
Coverage: 85% (master: 85%)
Last build branch: fix/auth-sensitive-logging
Default branch: master
Repo added 26 Dec 2018 08:17AM UTC
Files: 25
Last build on branch: fix/telegram-redact-bot-token-in-avatar-url

Build 25587623060, 09 May 2026 01:22AM UTC: coverage 84.897% (+0.03%) from 84.872%
Pull #286 via github, committer: paskal

Commit message:
fix(telegram): never expose bot token in avatar URL

tgAPI.Avatar returned a URL with the bot token embedded in its path:

    https://api.telegram.org/file/bot{TOKEN}/photos/file_X.jpg

The token is a bearer credential for the entire bot API. The URL flowed
into User.Picture and from there:

* Into avatar.Proxy.Put debug logs ("[DEBUG] saved avatar from <url>"
  and the corresponding load-failure line) regardless of whether avatar
  saving succeeded.
* Into the JWT claims and the user JSON returned to the browser when
  no AvatarSaver was configured (User.Picture is in the User struct).

Either path leaks the bot token to anyone with log access, anyone who
can read the JWT (the user themselves on the device, plus anyone
intercepting browser/devtools), or any third-party observability stack.

Two-part fix in v1 and v2:

1. avatar/avatar.go: redact the URL in Put's two debug log lines via a
   new redactAvatarURL helper (hostname only). Add Proxy.PutContent so
   pre-fetched bytes can be saved without the URL-fetch round trip.
2. provider/telegram.go: in processUpdates, never assign the bot URL
   to User.Picture. Pass it to a new saveTelegramAvatar method that
   fetches the bytes server-side and stores them via the new content-
   saver interface (avatar.Proxy implements it). The call returns a
   clean local proxy URL or "" — whatever lands in Picture is safe to
   log and to send to the client.

A graceful fallback path warns and drops the avatar when the
configured AvatarSaver does not implement PutContent (custom external
implementations) — never exposes the token to satisfy the avatar
feature.

Tests in both modules:

* TestSaveTelegramAvatar_BotTokenNeverLogged — unit-level table for
  the helper covering the success, fallback-without-PutContent and
  empty-URL paths.
* TestTelegramProcessUpdates_BotTokenNeverInUserPicture — regression
  test for the property: drive processUpdates with a mock that returns
  a URL containing a bot-token marker; ... (continued)
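As an added example (not code from go-pkgz/auth or from this PR), the Go program below demonstrates the two properties the commit message describes: a redaction helper that reduces an avatar URL to scheme and host before anything is logged, and a server-side save path that type-asserts an optional PutContent capability, drops the avatar when the saver lacks it, and only ever returns a local proxy URL or "". The names User, AvatarSaver, ContentSaver, Fetcher, saveAvatarServerSide and redactErr, the proxy URL path and the sample bot URL are assumptions constructed for this example; redactAvatarURL and PutContent borrow only their names from the commit message, not their implementation.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// User carries the field the commit message is about: whatever lands in
// Picture is logged and sent to the client, so it must never hold a credential.
type User struct {
	ID      string
	Picture string
}

// AvatarSaver is the interface an auth flow is configured with (hypothetical
// shape; only its role matches the commit message).
type AvatarSaver interface {
	Put(userID, avatarURL string) (string, error)
}

// ContentSaver is the optional extension for pre-fetched bytes (hypothetical).
type ContentSaver interface {
	PutContent(userID string, r io.Reader) (string, error)
}

// Fetcher downloads avatar bytes server-side; injected so the example runs offline.
type Fetcher func(rawURL string) ([]byte, error)

// redactAvatarURL reduces a URL to scheme and host. Telegram places the bot
// token in the path, so dropping path, query and userinfo removes it.
func redactAvatarURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return "<invalid-url>"
	}
	return u.Scheme + "://" + u.Host + "/..."
}

// redactErr scrubs the raw URL from error text: *url.Error from net/http
// embeds the full URL, which would otherwise undo the redaction above.
func redactErr(err error, raw string) string {
	return strings.ReplaceAll(err.Error(), raw, redactAvatarURL(raw))
}

// saveAvatarServerSide fetches the avatar with the credential-bearing URL and
// returns either a clean proxy URL from PutContent or "". The raw URL is never
// returned and never logged unredacted; logs collects what a logger would get.
func saveAvatarServerSide(saver AvatarSaver, fetch Fetcher, userID, botURL string, logs *[]string) string {
	logf := func(format string, a ...interface{}) { *logs = append(*logs, fmt.Sprintf(format, a...)) }
	if botURL == "" {
		return ""
	}
	cs, ok := saver.(ContentSaver)
	if !ok { // graceful fallback: warn and drop rather than expose the URL via Put
		logf("[WARN] avatar saver lacks PutContent, dropping avatar from %s", redactAvatarURL(botURL))
		return ""
	}
	data, err := fetch(botURL)
	if err != nil {
		logf("[DEBUG] failed to load avatar from %s: %s", redactAvatarURL(botURL), redactErr(err, botURL))
		return ""
	}
	proxyURL, err := cs.PutContent(userID, bytes.NewReader(data))
	if err != nil {
		logf("[DEBUG] failed to save avatar from %s: %s", redactAvatarURL(botURL), redactErr(err, botURL))
		return ""
	}
	logf("[DEBUG] saved avatar from %s as %s", redactAvatarURL(botURL), proxyURL)
	return proxyURL
}

// memSaver implements both interfaces; legacySaver only the old URL-based one.
type memSaver struct{ blobs map[string][]byte }

func (m *memSaver) Put(userID, avatarURL string) (string, error) {
	return "", errors.New("URL-fetch path intentionally unused in this example")
}

func (m *memSaver) PutContent(userID string, r io.Reader) (string, error) {
	b, err := io.ReadAll(r)
	if err != nil {
		return "", err
	}
	if m.blobs == nil {
		m.blobs = map[string][]byte{}
	}
	m.blobs[userID] = b
	return "/avatar/" + userID + ".image", nil // constructed local proxy path
}

type legacySaver struct{}

func (legacySaver) Put(userID, avatarURL string) (string, error) { return "", nil }

// Constructed sample URL: the marker stands in for a real bot token.
const sampleBotURL = "https://api.telegram.org/file/bot123456:SAMPLE-BOT-TOKEN/photos/file_7.jpg"

// offlineFetch returns a few JPEG magic bytes instead of doing network I/O.
func offlineFetch(rawURL string) ([]byte, error) { return []byte{0xff, 0xd8, 0xff}, nil }

func main() {
	var logs []string
	u := User{ID: "tg_42"}
	u.Picture = saveAvatarServerSide(&memSaver{}, offlineFetch, u.ID, sampleBotURL, &logs)
	fmt.Println(u.Picture, logs)
}
```

One caveat the commit message does not spell out: redacting the URL you format yourself is not enough if the fetch error is logged too, because the error returned by net/http carries the full request URL in its text. The example therefore scrubs error strings with redactErr before they reach the log line, and the regression check is the same one the PR describes: drive the flow with a token marker in the URL and assert the marker appears neither in Picture nor in any collected log line.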
Pull Request #286: fix(telegram): never expose bot token in avatar URL

79 of 96 new or added lines in 2 files covered (82.29%)
2895 of 3410 relevant lines covered (84.9%)
7.73 hits per line

Source files on fix/telegram-redact-bot-token-in-avatar-url: 25 files listed, 2 changed, 0 source changed, 2 coverage changed

Recent builds (all on branch fix/telegram-redact-bot-token-in-avatar-url, Pull #286, committer paskal via github, commit "fix(telegram): never expose bot token in avatar URL"):

Build        Ran                       Coverage
25587623060  09 May 2026 01:24AM UTC   84.9
25587623051  09 May 2026 01:24AM UTC   84.5
25587624203  09 May 2026 01:23AM UTC   84.5
25587445722  09 May 2026 01:16AM UTC   84.92
25587445700  09 May 2026 01:16AM UTC   84.53
25586522059  09 May 2026 12:41AM UTC   84.58
25586522063  09 May 2026 12:41AM UTC   84.97
25586522986  09 May 2026 12:41AM UTC   84.58
25586123478  09 May 2026 12:25AM UTC   84.79
25586123468  09 May 2026 12:25AM UTC   84.39

See All Builds (1088)