
go-pkgz / auth / build 25592801746 / job 1
Coverage: 85% (master: 85%)
Build: default branch master, ran 09 May 2026 05:24AM UTC, 25 files, run time 0s
09 May 2026 05:23AM UTC coverage: 84.928% (-0.02%) from 84.944%
Job 25592801746.1 (push, github, umputun)
fix(telegram): never expose bot token in avatar URL

tgAPI.Avatar returned a URL with the bot token embedded in its path:

    https://api.telegram.org/file/bot{TOKEN}/photos/file_X.jpg

The token is a bearer credential for the entire bot API. The URL flowed
into User.Picture and from there:

* Into avatar.Proxy.Put debug logs ("[DEBUG] saved avatar from <url>"
  and the corresponding load-failure line) regardless of whether avatar
  saving succeeded.
* Into the JWT claims and the user JSON returned to the browser when
  no AvatarSaver was configured (User.Picture is in the User struct).

Either path leaks the bot token to anyone with log access, anyone who
can read the JWT (the user themselves on the device, plus anyone
intercepting browser/devtools), or any third-party observability stack.

Two-part fix in v1 and v2:

1. avatar/avatar.go: redact the URL in Put's two debug log lines via a
   new redactAvatarURL helper (hostname only). Add Proxy.PutContent so
   pre-fetched bytes can be saved without the URL-fetch round trip.
2. provider/telegram.go: in processUpdates, never assign the bot URL
   to User.Picture. Pass it to a new saveTelegramAvatar method that
   fetches the bytes server-side and stores them via the new content-
   saver interface (avatar.Proxy implements it). The call returns a
   clean local proxy URL or "" — whatever lands in Picture is safe to
   log and to send to the client.

A graceful fallback path warns and drops the avatar when the
configured AvatarSaver does not implement PutContent (custom external
implementations) — never exposes the token to satisfy the avatar
feature.

Tests in both modules:

* TestSaveTelegramAvatar_BotTokenNeverLogged — unit-level table for
  the helper covering the success, fallback-without-PutContent and
  empty-URL paths.
* TestTelegramProcessUpdates_BotTokenNeverInUserPicture — regression
  test for the property: drive processUpdates with a mock that returns
  a URL containing a bot-token marker; ... (continued)
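The two properties the commit message describes (log lines carry only the hostname of the avatar URL, and the bot URL itself is never what ends up in User.Picture) can be checked with a small model of the flow. The code below is an added example, not code from the go-pkgz/auth repository: `contentSaver`, `memSaver`, `redactURL`, `pictureFor` and `leaksToken` are hypothetical stand-ins for the commit's PutContent interface, redactAvatarURL helper and saveTelegramAvatar method, and the token and URL are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// contentSaver models an avatar store that accepts pre-fetched bytes and
// returns a local proxy URL. Hypothetical stand-in for the commit's
// PutContent interface; not the project's code.
type contentSaver interface {
	PutContent(userID string, data []byte) (string, error)
}

// memSaver is a constructed in-memory saver used as sample input.
type memSaver struct{ stored map[string][]byte }

func (m *memSaver) PutContent(userID string, data []byte) (string, error) {
	m.stored[userID] = data
	return "/avatar/" + userID + ".image", nil
}

// redactURL keeps only scheme and hostname, so a credential embedded in
// the path or query never reaches a log line.
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return "<invalid url>"
	}
	return u.Scheme + "://" + u.Hostname()
}

// pictureFor models the processUpdates decision described in the commit:
// the bot URL is used only to fetch bytes server-side and is never returned
// as the picture value. fetch stands in for the HTTP round trip. It returns
// the value destined for User.Picture plus the log lines that would be emitted.
func pictureFor(userID, botURL string, saver interface{}, fetch func(string) ([]byte, error)) (string, []string) {
	if botURL == "" {
		return "", nil
	}
	cs, ok := saver.(contentSaver)
	if !ok {
		// fallback: warn and drop the avatar rather than expose the bot URL
		return "", []string{fmt.Sprintf("[WARN] avatar saver does not implement PutContent, dropping avatar for %s", userID)}
	}
	data, err := fetch(botURL)
	if err != nil {
		return "", []string{fmt.Sprintf("[DEBUG] failed to load avatar from %s: %v", redactURL(botURL), err)}
	}
	loc, err := cs.PutContent(userID, data)
	if err != nil {
		return "", []string{fmt.Sprintf("[DEBUG] failed to save avatar for %s: %v", userID, err)}
	}
	return loc, []string{fmt.Sprintf("[DEBUG] saved avatar from %s", redactURL(botURL))}
}

// leaksToken reports whether the token appears in any of the given strings;
// this is the property a regression test for the fix guards.
func leaksToken(token string, values ...string) bool {
	for _, v := range values {
		if strings.Contains(v, token) {
			return true
		}
	}
	return false
}

func main() {
	token := "123456:CONSTRUCTED-TOKEN" // constructed sample, not a real credential
	botURL := "https://api.telegram.org/file/bot" + token + "/photos/file_1.jpg"
	saver := &memSaver{stored: map[string][]byte{}}
	fetch := func(string) ([]byte, error) { return []byte("image-bytes"), nil }

	pic, logs := pictureFor("user-1", botURL, saver, fetch)
	fmt.Println("picture:", pic, "logs:", logs, "leak:", leaksToken(token, append(logs, pic)...))

	// saver without PutContent: avatar is dropped, token still absent
	pic, logs = pictureFor("user-1", botURL, struct{}{}, fetch)
	fmt.Println("picture:", pic, "logs:", logs, "leak:", leaksToken(token, append(logs, pic)...))
}
```

The useful check is the last argument to `leaksToken`: every string that leaves `pictureFor`, whether it goes to a log sink or into the user record, is scanned for the token, so a future change that reintroduces the raw URL on any path fails the same assertion.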

2902 of 3417 relevant lines covered (84.93%)

7.82 hits per line

Source files on job 25592801746.1: 25 files listed, 0 changed (source changed 0, coverage changed 0). Commit e5f47f56 on github.