Fix critical security vulnerability

[antimech]

Closes botman/studio#99

• Force Telegram Bot server to send "X-Telegram-Bot-Api-Secret-Token" HTTP header
• Check the header on update request to the webhook

This is a breaking change all users must run the src/Console/Commands/TelegramRegisterCommand.php console command.

Edits are welcome.

[antimech]

What is the place to check the header?

This?
https://github.com/botman/driver-telegram/blob/b681bf94a8e1537c385a34131e8de8075c3866c8/src/TelegramDriver.php#L107C21-L107C35

[antimech]

@mpociot to avoid the breaking change you could make this optional.

[antimech]

Tests runs fine on my machine. Seems like to fix it here this needs to be added to the end of the composer.json file:

"config": {
    "allow-plugins": {
        "thecodingmachine/discovery": true
    }
}

and add --ignore-platform-req=composer-plugin-api to tests.yml composer install section.

[filippotoso]

I'm closing this because it's not implemented correctly.

You should not use TELEGRAM_TOKEN as secret_token but a custom secret as per documentation:

https://core.telegram.org/bots/api#setwebhook

Moreover, it must be possible to enable and disable this feature from the configuration file (i.e. secre_token = null, makes it disabled) and make it working also for existing installations (ie. disabled by default).

Feel free to refactor it and send a new PR.