Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hide bot token from public view and access #3

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Hide bot token from public view and access #3

wants to merge 2 commits into from

Conversation

Ferido07
Copy link

  • Exposing bot token for public would allow easy hijack of the bot. In
    addition, assuming the best in everyone and we say no one will do
    malicious act, it would not allow for 2 developers to run the bot at the
    same time while developing.

@Ferido07
Hide bot token from public view and access
00e95a8 
- Exposing bot token for public would allow easy hijack of the bot. In
addition, assuming the best in everyone and we say no one will do
malicious act, it would not allow for 2 developers to run the bot at the
same time while developing.
@theShinigami
Copy link
Collaborator

I already revoked the API token, i accidentally pushed it. And what do you mean by '2 developers to run the bot at the same time', if you mean 2 developer running the bot in the same API token, the token is already revoked.

@Eyob-T
Copy link

Eyob-T commented Mar 19, 2020
edited
Loading

Hey, although you removed the bot token from the file, the token is still visible from the history page. I think easiest thing to do is create a new bot to generate a new bot token and just read the token from another file (e.g token.js) and add the token.js file to .gitignoreI guess you can share the token with other trusted developers or make a private repository.

@Ferido07
Copy link
Author

Ferido07 commented Mar 20, 2020
edited
Loading

I already revoked the API token, i accidentally pushed it. And what do you mean by '2 developers to run the bot at the same time', if you mean 2 developer running the bot in the same API token, the token is already revoked.

@masterSal I meant running more than one instance of the bot with same token.
Its good that it is revoked that is the intention any developer who needs to run it should create his own token. No token should be included in the code.

@Ferido07
Copy link
Author

Ferido07 commented Mar 20, 2020
edited
Loading

Hey, although you removed the bot token from the file, the token is still visible from the history page.

@Eyob-T
Yes that's why git is there to track changes. Removing the token is not complete until you change the token using botfather.

I think easiest thing to do is create a new bot to generate a new bot token and just read the token from another file (e.g token.js) and add the token.js file to .gitignoreI guess you can share the token with other trusted developers or make a private repository.

Creating a bot to generate a bot token is too much work. In addition that is the job of botfather. We just have to make sure no token is included in the code. When any developer needs to run the bot he just has to create his own token and run an instance of the bot with the new token he created.

In order to add the token to environment variables we can use dotenv package. The only addition required is to add a .env file at the root directory that is not included in source control.

This just reminded me to add .env exception to .gitignore.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Ferido07 @theShinigami @Eyob-T