From 4af6356cfcb7dd0048b1f27f2ff72766af552df1 Mon Sep 17 00:00:00 2001
From: Chimit
Date: Fri, 7 Mar 2025 11:28:33 +0800
Subject: [PATCH 1/2] Added API secret token support
---
 .../Commands/TelegramRegisterCommand.php | 4 ++++
 src/TelegramAudioDriver.php | 4 +++-
 src/TelegramContactDriver.php | 4 +++-
 src/TelegramDriver.php | 19 ++++++++++++++++++-
 src/TelegramFileDriver.php | 4 +++-
 src/TelegramInlineQueryDriver.php | 3 ++-
 src/TelegramLocationDriver.php | 4 +++-
 src/TelegramPhotoDriver.php | 4 +++-
 src/TelegramVideoDriver.php | 4 +++-
 stubs/telegram.php | 1 +
 10 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/src/Console/Commands/TelegramRegisterCommand.php b/src/Console/Commands/TelegramRegisterCommand.php
index 73947be..9c023c1 100644
--- a/src/Console/Commands/TelegramRegisterCommand.php
+++ b/src/Console/Commands/TelegramRegisterCommand.php
@@ -36,6 +36,10 @@ public function handle()
 if (! $remove) {
 $url .= '?url='.$this->ask('What is the target url for the telegram bot?');
+
+ if (config('botman.telegram.api_secret_token')) {
+ $url .= '&secret_token='.config('botman.telegram.api_secret_token');
+ }
 }
 $this->info('Using '.$url);
diff --git a/src/TelegramAudioDriver.php b/src/TelegramAudioDriver.php
index 8e0017f..9c408a6 100644
--- a/src/TelegramAudioDriver.php
+++ b/src/TelegramAudioDriver.php
@@ -18,7 +18,9 @@ class TelegramAudioDriver extends TelegramDriver
 */
 public function matchesRequest()
 {
- return !is_null($this->event->get('from')) && (!is_null($this->event->get('audio')) || !is_null($this->event->get('voice')));
+ return !is_null($this->event->get('from'))
+ && (!is_null($this->event->get('audio')) || !is_null($this->event->get('voice')))
+ && $this->isValidToken();
 }
 /**
diff --git a/src/TelegramContactDriver.php b/src/TelegramContactDriver.php
index bd7d7ff..39c9321 100644
--- a/src/TelegramContactDriver.php
+++ b/src/TelegramContactDriver.php
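Review bot: In the TelegramRegisterCommand.php hunk the configured secret is appended to `$url`, which the unchanged `$this->info('Using '.$url);` line then prints, so the webhook secret lands in terminal scrollback and in any captured deploy or CI log. Printing a masked copy and keeping the real value only in the request would avoid that. The value is also concatenated unencoded; Telegram's documented alphabet for `secret_token` (A-Z, a-z, 0-9, `_`, `-`) needs no escaping, but a misconfigured value containing `&` or `#` would silently change the query, so `$url .= '&secret_token='.urlencode(config('botman.telegram.api_secret_token'));` or an explicit format check is safer. `handle()` begins and ends outside the hunk, so how `$url` is eventually sent is not visible here.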
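Review bot: In the TelegramAudioDriver.php hunk, and identically in the Contact, File, InlineQuery, Location, Photo and Video driver hunks, the token check is opt-in per subclass: every override of `matchesRequest()` has to remember to append `&& $this->isValidToken()`. A driver added later, or one defined outside this package, that overrides `matchesRequest()` without that clause would accept unauthenticated webhook calls even when a secret is configured. Enforcing the check once in the base class before subclass matching runs would make the control fail closed; the call path that invokes `matchesRequest()` is not visible in this patch, so that may need a change elsewhere. Failing that, a docblock line on each override such as `Must include isValidToken(); omitting it bypasses webhook authentication.` would at least record the requirement.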
@@ -16,7 +16,9 @@ class TelegramContactDriver extends TelegramDriver
 */
 public function matchesRequest()
 {
- return ! is_null($this->event->get('from')) && ! is_null($this->event->get('contact'));
+ return ! is_null($this->event->get('from'))
+ && ! is_null($this->event->get('contact'))
+ && $this->isValidToken();
 }
 /**
diff --git a/src/TelegramDriver.php b/src/TelegramDriver.php
index f6e89d3..72dbf2e 100644
--- a/src/TelegramDriver.php
+++ b/src/TelegramDriver.php
@@ -83,6 +83,9 @@ class TelegramDriver extends HttpDriver
 /** @var Collection */
 protected $queryParameters;
+ /** @var Request */
+ protected $request;
+
 /**
 * @param Request $request
 */
@@ -105,6 +108,7 @@ public function buildPayload(Request $request)
 $this->event = Collection::make($message);
 $this->config = Collection::make($this->config->get('telegram'));
 $this->queryParameters = Collection::make($request->query);
+ $this->request = $request;
 }
 /**
@@ -156,7 +160,8 @@ public function matchesRequest()
 return $noAttachments && (! is_null($this->event->get('from')) || ! is_null($this->payload->get('callback_query')) || ! is_null($this->payload->get('pre_checkout_query')))
- && ! is_null($this->payload->get('update_id'));
+ && ! is_null($this->payload->get('update_id'))
+ && $this->isValidToken();
 }
 /**
@@ -183,6 +188,18 @@ public function hasMatchingEvent()
 return $event;
 }
+ /**
+ * Validate the Telegram API secret token.
+ *
+ * @return bool
+ */
+ protected function isValidToken()
+ {
+ $secretToken = $this->config->get('api_secret_token');
+
+ return ! $secretToken || $this->request->headers->get('X-Telegram-Bot-Api-Secret-Token') === $secretToken;
+ }
+
 /**
 * Check if the query parameters contain information about a
 * valid Telegram login request.
diff --git a/src/TelegramFileDriver.php b/src/TelegramFileDriver.php
index e666be2..5ca67b3 100644
--- a/src/TelegramFileDriver.php
+++ b/src/TelegramFileDriver.php
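Review bot: `isValidToken()` in the TelegramDriver.php hunk compares the request header with the configured secret using `===`, which is not a constant-time comparison; `hash_equals()` is the usual primitive for checking a shared secret, e.g. `return ! $secretToken || hash_equals((string) $secretToken, (string) $this->request->headers->get('X-Telegram-Bot-Api-Secret-Token'));`. The `! $secretToken` branch means verification is silently off whenever the config value is empty or otherwise falsy (the string `'0'` included), and the docblock should say that an unset `api_secret_token` leaves the webhook unauthenticated. A mismatch only makes `matchesRequest()` return false, so a log entry on a failed check would give operators something to alert on; what the framework does with an unmatched request is outside this patch.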
@@ -18,7 +18,9 @@ class TelegramFileDriver extends TelegramDriver
 */
 public function matchesRequest()
 {
- return !is_null($this->event->get('from')) && (!is_null($this->event->get('document')));
+ return !is_null($this->event->get('from'))
+ && (!is_null($this->event->get('document')))
+ && $this->isValidToken();
 }
 /**
diff --git a/src/TelegramInlineQueryDriver.php b/src/TelegramInlineQueryDriver.php
index 455876c..f3611d7 100644
--- a/src/TelegramInlineQueryDriver.php
+++ b/src/TelegramInlineQueryDriver.php
@@ -18,7 +18,8 @@ class TelegramInlineQueryDriver extends TelegramDriver
 */
 public function matchesRequest()
 {
- return ! is_null($this->payload->get('inline_query'));
+ return ! is_null($this->payload->get('inline_query'))
+ && $this->isValidToken();
 }
 /**
diff --git a/src/TelegramLocationDriver.php b/src/TelegramLocationDriver.php
index 72b4e4e..48f0f76 100644
--- a/src/TelegramLocationDriver.php
+++ b/src/TelegramLocationDriver.php
@@ -16,7 +16,9 @@ class TelegramLocationDriver extends TelegramDriver
 */
 public function matchesRequest()
 {
- return ! is_null($this->event->get('from')) && ! is_null($this->event->get('location'));
+ return ! is_null($this->event->get('from'))
+ && ! is_null($this->event->get('location'))
+ && $this->isValidToken();
 }
 /**
diff --git a/src/TelegramPhotoDriver.php b/src/TelegramPhotoDriver.php
index 3de193b..37b1ad7 100644
--- a/src/TelegramPhotoDriver.php
+++ b/src/TelegramPhotoDriver.php
@@ -19,7 +19,9 @@ class TelegramPhotoDriver extends TelegramDriver
 */
 public function matchesRequest()
 {
- return !is_null($this->event->get('from')) && !is_null($this->event->get('photo'));
+ return !is_null($this->event->get('from'))
+ && !is_null($this->event->get('photo'))
+ && $this->isValidToken();
 }
 /**
diff --git a/src/TelegramVideoDriver.php b/src/TelegramVideoDriver.php
index cb77855..dec588c 100644
--- a/src/TelegramVideoDriver.php
+++ b/src/TelegramVideoDriver.php
@@ -18,7 +18,9 @@ class TelegramVideoDriver extends TelegramDriver
 */
 public function matchesRequest()
 {
- return !is_null($this->event->get('from')) && (!is_null($this->event->get('video')) || !is_null($this->event->get('video_note')));
+ return !is_null($this->event->get('from'))
+ && (!is_null($this->event->get('video')) || !is_null($this->event->get('video_note')))
+ && $this->isValidToken();
 }
 /**
diff --git a/stubs/telegram.php b/stubs/telegram.php
index 477429b..7b4c807 100644
--- a/stubs/telegram.php
+++ b/stubs/telegram.php
@@ -12,5 +12,6 @@
 |
 */
 'token' => env('TELEGRAM_TOKEN'),
+ 'api_secret_token' => env('TELEGRAM_API_SECRET_TOKEN', null),
 'test_environment' => env('TELEGRAM_TEST_ENVIRONMENT', false),
 ];
From 7ac725aeb808c1c9dd5efdf097b492c5bbc98aec Mon Sep 17 00:00:00 2001
From: Chimit
Date: Tue, 25 Mar 2025 00:56:40 +0800
Subject: [PATCH 2/2] Check if message is from topic before setting thread id
---
 src/TelegramDriver.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/TelegramDriver.php b/src/TelegramDriver.php
index 72dbf2e..0fdccfd 100644
--- a/src/TelegramDriver.php
+++ b/src/TelegramDriver.php
@@ -565,10 +565,13 @@ public function buildServicePayload($message, $matchingMessage, $additionalParam
 $this->endpoint = 'sendMessage';
 $recipient = $matchingMessage->getRecipient() === '' ? $matchingMessage->getSender() : $matchingMessage->getRecipient();
+ $messageThreadId = isset($matchingMessage->getPayload()['is_topic_message']) && $matchingMessage->getPayload()['is_topic_message'] === true
+ ? $matchingMessage->getPayload()['message_thread_id']
+ : null;
 $defaultAdditionalParameters = $this->config->get('default_additional_parameters', []);
 $parameters = array_merge_recursive([
 'chat_id' => $recipient,
- 'message_thread_id' => $matchingMessage->getPayload()['message_thread_id'] ?? null,
+ 'message_thread_id' => $messageThreadId,
 ], $additionalParameters + $defaultAdditionalParameters);
 /*
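Review bot: The new `api_secret_token` entry in stubs/telegram.php carries no comment, although this published config file is where an operator will look to learn what the setting does. A short comment above the line would help, for example `// Optional webhook secret. When empty, incoming updates are NOT authenticated; re-register the webhook after changing it.` The explicit `null` in `env('TELEGRAM_API_SECRET_TOKEN', null)` is redundant, since `env()` already returns null for an unset variable. The comment block at the top of the file is only partly visible in this hunk.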
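Review bot: In the `buildServicePayload()` hunk of the second commit the new ternary reads `['message_thread_id']` without the `?? null` fallback the removed line had, so a payload with `is_topic_message` set to true but no `message_thread_id` can now raise an undefined-key warning; the same expression is repeated in the `sendRequest()` hunk. The payload presumably originates from the incoming webhook body and should be treated as untrusted, particularly when no secret token is configured. Fetching the payload once and keeping the fallback covers both cases: `$payload = $matchingMessage->getPayload();` followed by `$messageThreadId = ($payload['is_topic_message'] ?? false) === true ? ($payload['message_thread_id'] ?? null) : null;`. A small private helper shared by the two methods would remove the duplication. Both method bodies extend beyond their hunks.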
@@ -666,7 +669,9 @@ public function sendRequest($endpoint, array $parameters, IncomingMessage $match
 {
 $parameters = array_replace_recursive([
 'chat_id' => $matchingMessage->getRecipient(),
- 'message_thread_id' => $matchingMessage->getPayload()['message_thread_id'] ?? null,
+ 'message_thread_id' => isset($matchingMessage->getPayload()['is_topic_message']) && $matchingMessage->getPayload()['is_topic_message'] === true
+ ? $matchingMessage->getPayload()['message_thread_id']
+ : null,
 ], $parameters);
 if ($this->config->get('throw_http_exceptions')) {