What Is the Proper Way to Verify a Telegram Bot Hash in C#?

Ethan99 · February 12, 2025, 3:29pm

Using C#, how can one verify the Telegram bot hash from login parameters? Below is a revised code example that sorts parameters, decodes URLs, and compares HMAC-SHA256 hashes.

public IActionResult VerifyTelegramLogin([FromQuery] Dictionary<string, string> entries)
{
    if (!entries.TryGetValue("signature", out string receivedSig) || string.IsNullOrWhiteSpace(receivedSig))
        return BadRequest("Signature not provided");
    entries.Remove("signature");
    if (entries.ContainsKey("avatar_url"))
        entries["avatar_url"] = WebUtility.UrlDecode(entries["avatar_url"]);

    string sortedData = string.Join("\n", entries.OrderBy(pair => pair.Key)
                                                    .Select(pair => $"{pair.Key}:{pair.Value}"));
    byte[] keyHash = GenerateSHA256("YourBotTokenHere");
    byte[] computedSig = CreateHMAC(keyHash, Encoding.UTF8.GetBytes(sortedData));
    string computedSigStr = string.Concat(computedSig.Select(b => b.ToString("x2")));

    return computedSigStr == receivedSig ? Ok("Verified") : Unauthorized("Invalid signature");
}

private static byte[] GenerateSHA256(string input)
{
    using (SHA256 sha = SHA256.Create())
        return sha.ComputeHash(Encoding.UTF8.GetBytes(input));
}

private static byte[] CreateHMAC(byte[] key, byte[] data)
{
    using (HMACSHA256 hmac = new HMACSHA256(key))
        return hmac.ComputeHash(data);
}

DancingFox · February 18, 2025, 9:27pm

I recently implemented a similar verification for a Telegram bot in C# and found that attention to subtle encoding details is critical. The approach shown is fundamentally correct, but it is important to remain cautious with the order and processing of parameters. Ensuring that URL decoding is applied correctly and experimenting with test data from Telegram can help reveal any discrepancies in the HMAC calculation. Consider adding detailed logging during development to trace potential issues and verify that the computed signature consistently matches the expected outcome under all circumstances.

Alex_Brave · February 20, 2025, 4:30am

hey, i bumped into similar issues in c# and found constant-time comparisons help avoid timing leaks. also, slight differences in url encoding or extra spaces can mess things up. make sure youre testing with real tele data and adjust accordingly