2
\$\begingroup\$

I developed a chatbot using the Telegraf.js framework. Although the latest version of Telegraf offers TypeScript support, I chose to use JavaScript. I followed a tutorial to deploy it and would like to know if there are any security vulnerabilities that can be addressed.

The files involved in the project are as follows:

path: src/bot.js

import { Telegraf } from 'telegraf'

const bot = new Telegraf(process.env.BOT_TOKEN)
bot.start((ctx) => ctx.reply('Welcome'))

export default bot

path: api/index.js

import bot from '../src/bot.js';

export default async function handler(req, res) {
  if (req.method === 'POST') {
    try {
      await bot.handleUpdate(req.body)
      res.status(200).send('OK')
    } catch (err) {
      console.error('Erro ao lidar com update:', err)
      res.status(500).send('Erro interno')
    }
  } else {
    res.status(200).send('Bot do Telegram está rodando com webhook!')
  }
}

path: ./vercel.json

{
  "version": 2,
  "builds": [
    { "src": "api/index.js", "use": "@vercel/node" }
  ],
  "routes": [
    { "src": "/.*", "dest": "api/index.js" }
  ]
}

The deployment was successful; however, I’d like to know if there are any security issues that should be addressed.

\$\endgroup\$
0

1 Answer 1

Reset to default
1
\$\begingroup\$

The bot.js file should also be in the api folder to make it clear that this is part of the backend and not the frontend. (even though you do import that file in the backend).

\$\endgroup\$
3
  • \$\begingroup\$ I changed the file path: api/index.js to the following version: the idea is to try to secure the connection. I added a parameter in the post request of the setWebHook method. Did I do it right? core.telegram.org/bots/api#setwebhook \$\endgroup\$ Commented Jul 2 at 21:05
  • \$\begingroup\$ If I create a Helper, should I insert it inside the API as well? \$\endgroup\$ Commented Jul 2 at 23:06
  • \$\begingroup\$ All code that should execute on the server should be in the API folder so it remains hidden from the end user. If you have any frontend code (a user interface and a "index.html"), then that code should be in the root of the project or in the SRC folder. \$\endgroup\$ Commented Jul 5 at 10:29

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.