User authorization about addarr HOT 20 CLOSED

I've looked into that code and didn't directly found an example where you have to enter a username and password. The username and password you have to enter in the config of tgrsbot were for radarr and sonarr.

I could implement a feature that only specific groupchatids are allowed to chat with your bot. Is it that what you were implicating?

from addarr.

Sorry, i posted wrong project. https://github.com/eamondo2/telegram-radarr-bot?files=1

Look at the acl.json

from addarr.

I've found the auth part in that project. I just don't quite get it why I should do this. When you don't share your TelegramBot API, it's secure I assume. Except you could convince me?

from addarr.

Bots can't initiate conversations with users. A user must either add them to a group or send them a message first. People can use telegram.me/<bot_username> links or username search to find your bot..

So by default anyone can access your, on his name..

from addarr.

That's something I didn't know. Thanks for the explanation! I will look into it to make this chatbot more secure. I will make an /auth command that you need to execute the first time.

from addarr.

Creat job! Thnx for your work

from addarr.

You could also implement a whitelist of user id's that would actually be allowed to interact with the bot at all instead. Would be quite easy to implement and would achieve the same goal.

from addarr.

That's indeed also a possibility how to implement this.

I was thinking to implement it like this. Before you could use the bot, you should execute an /auth command with password. Then when it's the right password, the chatid will be added to a whitelist of allowed chatid's. And every time you use the bot, this will be checked.

from addarr.

Wouldn't it make more sense to make /start prompt for a password instead of requiring the user to call /auth <password> before sending /start? Especially because a new conversation with a bot on Telegram will automatically send /start.

from addarr.

That's indeed a better way to handle this. I will soon change it to this. So the first time you enter the bot. Telegram will send /start and then the bot will ask for the password. If it's it correct, your chatid will be saved to a file. Does this sound alright to you?

from addarr.

That would sound perfect yes. Could you however specify what file? Odds are the strange behavior I have with the docker image is directly related to this. As in if I restart the process of the bot I have to message /start again to get it to work at all.

from addarr.

Now it's saved to chatid.txt. So every time a chat is authorized, the bot will write the chatid int to this file.

from addarr.

Great work, I'll try it tomorrow 😊

from addarr.

It works, but it is flawed and that should probably be fixed ASAP.
You probably only tested this with a single user, in the case of multiple users the chat id's are simply appended after each other without any form of delimiter. As a result, if my user id would be 1 and yours would be 2, then the contents of chatids.txt would be 12. Naturally granting access to user with id 12 as well. New line delimiting would already be enough to fix this.

from addarr.

I fixed it. Thanks for letting me know!

from addarr.

I would say that it's still not entirely fixed though. You should probably read out the file line by line and check the complete line. If my id would be 12 and user with 1 or 2 would try to use this service it would still work.

from addarr.

I've made a fix for it. Now it reads line by line. I don't think my fix is the most efficient one. When I have more time I will look to change it.

from addarr.

Feature works great now, multiple chatids.
But what about logging when someone enters the wrong password? (audit)

from addarr.

Is a great idea. I will surely add this later!

from addarr.

The latest release consist of the added audit function. The audit is saved to the logfile.

from addarr.