I developed a chatbot using the Telegraf.js framework. Although the latest version of Telegraf offers TypeScript support, I chose to use JavaScript. I followed a tutorial to deploy it and would like to know if there are any security vulnerabilities that can be addressed.

The files involved in the project are as follows:

path: src/bot.js

import { Telegraf } from 'telegraf'

// The bot token is read from the environment, never hard-coded in the repository.
const bot = new Telegraf(process.env.BOT_TOKEN)

// Reply to the /start command.
bot.start((ctx) => ctx.reply('Welcome'))

export default bot

path: api/index.js

import bot from '../src/bot.js';

// Vercel serverless entry point: Telegram calls this URL with one update per POST.
export default async function handler(req, res) {
  if (req.method === 'POST') {
    try {
      // @vercel/node has already parsed the JSON body into req.body.
      await bot.handleUpdate(req.body)
      res.status(200).send('OK')
    } catch (err) {
      console.error('Erro ao lidar com update:', err)
      res.status(500).send('Erro interno')
    }
  } else {
    // Any non-POST request (e.g. opening the URL in a browser) gets a status message.
    res.status(200).send('Bot do Telegram está rodando com webhook!')
  }
}

path: ./vercel.json

{
  "version": 2,
  "builds": [
    { "src": "api/index.js", "use": "@vercel/node" }
  ],
  "routes": [
    { "src": "/.*", "dest": "api/index.js" }
  ]
}

The deployment was successful; however, I’d like to know if there are any security issues that should be addressed.

toolic
asked Jun 29 at 9:54

1 Answer 1


The bot.js file should also be in the api folder to make it clear that this is part of the backend and not the frontend (even though you do import that file in the backend).

answered Jul 1 at 13:04
  • I changed the file path: api/index.js to the following version: the idea is to try to secure the connection. I added a parameter in the post request of the setWebHook method. Did I do it right? core.telegram.org/bots/api#setwebhook – Commented Jul 2 at 21:05
  • If I create a Helper, should I insert it inside the API as well? – Commented Jul 2 at 23:06
  • All code that should execute on the server should be in the API folder so it remains hidden from the end user. If you have any frontend code (a user interface and an "index.html"), then that code should be in the root of the project or in the SRC folder. – Commented Jul 5 at 10:29
