Added Middleware for checking Request Source on webhooks,

Refactoring

Author: TiiFuchs

config/telepath.php

@@ -12,6 +12,7 @@
     | you don't need to worry about it.
     |
     */
+
     'default' => 'main',
 
     /*
@@ -24,6 +25,7 @@
     | that are preconfigured for the default bot.
     |
     */
+
     'bots'    => [
 
         'main' => [
@@ -34,29 +36,49 @@
 
     ],
 
-    /*
-    |--------------------------------------------------------------------------
-    | Webhook Secret Token
-    |--------------------------------------------------------------------------
-    |
-    | Here you may specify the secret token that is used to verify
-    | the webhook url. This is used to prevent unauthorized
-    | access to your webhook url.
-    |
-    */
+    'webhook' => [
 
-    'webhook_secret' => env('TELEGRAM_WEBHOOK_SECRET'),
+        /*
+        |--------------------------------------------------------------------------
+        | Webhook Secret Token
+        |--------------------------------------------------------------------------
+        |
+        | Here you may specify the secret token that is used to verify
+        | the webhook url. This is used to prevent unauthorized
+        | access to your webhook url.
+        |
+        */
 
-    /*
-    |--------------------------------------------------------------------------
-    | Webhook Resolver
-    |--------------------------------------------------------------------------
-    |
-    | Here you may specify the class that is responsible for resolving
-    | the webhook url secret. The default implementation uses Laravels
-    | Hash::make function.
-    |
-    */
-    'webhook_resolver' => \Telepath\Laravel\WebhookResolver\HashWebhookResolver::class,
+        'secret' => env('TELEGRAM_WEBHOOK_SECRET'),
+
+        /*
+        |--------------------------------------------------------------------------
+        | Webhook Middleware
+        |--------------------------------------------------------------------------
+        |
+        |
+        |
+        */
+
+        'middleware' => [
+            Telepath\Laravel\Http\Middleware\ResolveWebhook::class,
+            Telepath\Laravel\Http\Middleware\ValidateRequestSource::class,
+            Telepath\Laravel\Http\Middleware\ValidateSecretToken::class,
+        ],
+
+        /*
+        |--------------------------------------------------------------------------
+        | Webhook Resolver
+        |--------------------------------------------------------------------------
+        |
+        | Here you may specify the class that is responsible for resolving
+        | the webhook url secret. The default implementation uses Laravels
+        | Hash::make function.
+        |
+        */
+
+        'resolver'   => \Telepath\Laravel\WebhookResolver\HashWebhookResolver::class,
+
+    ],
 
 ];

routes/telepath.php

@@ -1,17 +1,12 @@
 <?php
 
 use Illuminate\Support\Facades\Route;
-use Telepath\Laravel\Http\Middleware\ResolveWebhook;
-use Telepath\Laravel\Http\Middleware\ValidateSecretToken;
 use Telepath\TelegramBot;
 
-Route::post('/telepath/bot/{secret}', function (TelegramBot $bot) {
+Route::name('telepath.webhook')
+    ->middleware('telepath')
+    ->post('/telepath/bot/{secret}', function (TelegramBot $bot) {
 
-    $bot->handleWebhook();
+        $bot->handleWebhook();
 
-})
-    ->name('telepath.webhook')
-    ->middleware([
-        ResolveWebhook::class,
-        ValidateSecretToken::class,
-    ]);
+    });

src/Console/Commands/SetWebhookCommand.php

@@ -33,7 +33,7 @@ public function handle(): void
         $this->comment("Setting webhook for '{$name}' bot to {$url}...");
 
         // Configuration
-        $secretToken = config('telepath.webhook_secret') ?: null;
+        $secretToken = config('telepath.webhook.secret') ?: null;
 
         // Options
         $dropPendingUpdates = $this->option('drop-pending-updates');

src/Http/Middleware/ValidateRequestSource.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace Telepath\Laravel\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\IpUtils;
+use Symfony\Component\HttpFoundation\Response;
+
+class ValidateRequestSource
+{
+
+    protected array $telegramSubnets = [
+        '149.154.160.0/20',
+        '91.108.4.0/22',
+    ];
+
+    public function handle(Request $request, Closure $next): Response
+    {
+        abort_unless(
+            IpUtils::checkIp($request->ip(), $this->telegramSubnets),
+            403,
+            'Forbidden'
+        );
+
+        return $next($request);
+    }
+
+}

src/Http/Middleware/ValidateSecretToken.php

@@ -11,11 +11,12 @@ class ValidateSecretToken
 
     public function handle(Request $request, Closure $next): Response
     {
-        $secretToken = config('telepath.secret_token') ?: null;
+        $secretToken = config('telepath.webhook.secret') ?: null;
 
         abort_if(
             $secretToken !== null && $request->header('X-Telegram-Bot-Api-Secret-Token') !== $secretToken,
-            403
+            403,
+            'Forbidden'
         );
 
         return $next($request);

src/TelepathServiceProvider.php

@@ -2,6 +2,7 @@
 
 namespace Telepath\Laravel;
 
+use Illuminate\Support\Facades\Route;
 use Illuminate\Support\ServiceProvider;
 use Symfony\Component\Cache\Adapter\FilesystemAdapter;
 use Telepath\Laravel\Config\BotConfig;
@@ -45,11 +46,13 @@ public function register(): void
         }
 
         // Register Webhook Resolver
-        $this->app->bind(WebhookResolver::class, config('telepath.webhook_resolver'));
+        $this->app->bind(WebhookResolver::class, config('telepath.webhook.resolver'));
     }
 
     public function boot(): void
     {
+        Route::middlewareGroup('telepath', config('telepath.webhook.middleware', []));
+
         $this->loadRoutesFrom(
             __DIR__ . '/../routes/telepath.php'
         );