Add secret_token support to telegram_bot component

[zehuanli]

Proposed change

This is an updated PR over #100787. There will be no changes to the YAML configuration. In fact, the creation of Telegram Bot webhook secret token does not need user's entry or any other interactions. The secret token is generated automatically if not exists, and will be stored in Store.

Below is the original proposal in the previous PR.

Supports secret_token in Telegram setWebHook API. This is to prevent an adversary from sending crafted messages to the Telegram webhook, as an additional layer of protection to the trusted networks.

It should be noted that this component's dependency, python-telegram-bot, adds explicit support for secret_token as of the latest version v20.5 (currently v13.1 is used). However, this new version introduces many breaking changes to not only this component telegram_bot, but also telegram, which it is not considered given the simplicity of this feature being added.

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Deprecation (breaking change to happen in the future)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• This PR fixes or closes issue: fixes #
• This PR is related to issue:
• Link to documentation pull request:

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• I have followed the perfect PR recommendations
• The code has been formatted using Black (black --fast homeassistant tests)
• Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
• Untested files have been added to .coveragerc.

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[emontnemery]

Please fix the lint errors, your PR will not be merged unless they are fixed.
If you follow the development guide, the linters are automatically run when you commit.

Also, why do we need to store a token in a store, why don't we just generate a new one every time Home Assistant is restarted?

[home-assistant]

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

[zehuanli]

The code has been reformatted accordingly.

Indeed, it's possible to generate a new secret token for the webhook each time Home Assistant restarts. I've modified the code to eliminate the need for storage; now, the secret token will simply be retained in memory for the duration of each session.

[emontnemery]

LGTM, thanks @zehuanli 👍

[emontnemery]

Tests are failing.

You can for example patch telegram.bot.Bot.set_webhook to get to know the secret_token, then use that in the test:

-    response = await client.post(TELEGRAM_WEBHOOK_URL, json=update_message_text)
+    response = await client.post(
+        TELEGRAM_WEBHOOK_URL,
+        json=update_message_text,
+        headers={"X-Telegram-Bot-Api-Secret-Token": `secret_token`},
+    )

If it's unclear how to achieve this, comment here or contact me on discord (@emontnemery).

[emontnemery]

One more suggestion. Tests also need to be fixed.

[zehuanli]

You can for example patch telegram.bot.Bot.set_webhook to get to know the secret_token, then use that in the test

I'm not sure if this is necessary. For the setWebhook API, the token is sent as HTTP POST data, not a header.

I think the test failed because the header X-Telegram-Bot-Api-Secret-Token may not exist in the request to the webhook. I have modified the code to address this scenario: if the header is absent/mismatched while the secret_token exists, access will be denied.

[emontnemery]

I think the test failed because the header X-Telegram-Bot-Api-Secret-Token may not exist in the request to the webhook.

Right, it originally failed because of that.
But now that you correctly handle absence of the token, tests fail because the token is not there.

Hence, you need to fix the tests as I suggested earlier such that the correct secret token is included in the requests.

Also, tests should be added to show that:

• Requests without a secret token are rejected
• Requests with the wrong secret token are rejected

[zehuanli]

Hence, you need to fix the tests as I suggested earlier such that the correct secret token is included in the requests.

Ah, I see what you mean now. I'll look into this.

[zehuanli]

The tests have been fixed to incorporate the secret token. As you pointed out, two new tests have been added:

• Requests without a secret token are rejected
• Requests with the wrong secret token are rejected

I removed the check for the secret token variable since it's created unconditionally.

[zehuanli]

Patching method has been changed; use side_effect on secrets.choice.

[emontnemery]

Thanks, @zehuanli 👍

Nice first PR! 🎉

[MartinHjelmare]

Please address the comment in a new PR. Thanks!

[MartinHjelmare]

Please use f-strings instead of string concatenation.