Authentication

[LoyVanBeek]

Anyone can interact with a a Telegram bot but because this is linked to a real robot, this may not be desired. Someone from across the world can command a robot to do something.

Some for of authentication would check that the telegram user has permission to use the robot and has to be near it at least once during a conversation.

How exactly this should work is TODO

[reinzor]

User whitelist or blacklist?

[LoyVanBeek]

Whitelist.
The flow I have in mind is something like this:

1. You message /register to a robot
2. It sends you a QR code for your phone
3. You let the robot see the QR code, so you have to be physically at the robot to register.
4. Registration is saved to a file on the robot.

Alternative for 2 & 3: robot audibly speaks a password or PIN and you have to enter it into Telegram.

I don't know yet how to authenticate on a robot without camera or speech capability. Of course manually registering specific users should also be possible.

[LoyVanBeek]

As you said, it might be simpler and OK for a first step to just manually create a whitelist and load the allowed user_id's on the parameter server or something.
Maybe add a service to register the current user and/or to add a user ID.

A telegram.Message has a from_user member, which is a telegram.User that has an id member variable.

[LoyVanBeek]

Another flow for authentication could be to have a sort of admin user, that may grant users access and to add them to the whitelist.