I am very confused about this topic, I am creating a program and to extract media from a telegram channel I wanted to use
the Telethon api, are therefore necessary api_id and api_hash, if then I wanted to distribute this software is safe to do this considering that there are these two data?
Yes, they are personal and secret, you should distribute the software without your API ID or hash. Every user can get its own values from https://my.telegram.org and set it in a config file or similar. Then you can load it from it.
Related
I use a software for scrapping telegram members from groups. The software requires a phone number, api id and hash. I have .session file, but I can't add this file into software, it doesn't work like that. I need to write api id and hash manually.
I use MacOS. Is it possible to extract datas from this file? Or to open this session file in telegram app, to receive a code?
Many different media types on Telegram have a file_id and file_unique_id property, such as Stickers, Audio, and Document.
The file_id property is unique to each Telegram bot, so one Telegram bot will not report the same file_id as another Telegram bot will, even if it's the same piece of media.
I want to have two Telegram bots communicate with each other, but they are currently unable to do so because the file_id property is meaningless when one bot tries to talk to the other.
The file_unique_id property is consistent between the bots, but it does not seem like you can do much of anything with that identifier.
Is there any way to pass a reference to a file stored on Telegram's servers from one bot to another, without having to re-upload the file on both bots?
Bot can't interact with each other. But there's a workaround,
we can use channels as a medium (with only BotAPI)
Steps,
Add two bots as admin in channel
Broadcast the messages from Bot A to channel
Now, the Bot B will get these as channel posts and your new fileid
for the same file which will be unique for Bot B (obviously)
You have officially transferred all fileid to Bot B
There aren't any official methods to share fileIds between bots. In fact, you can't even get 2 bots talk to each other, also you won't get bot updates in groups. So bot to bot communication is not possible at all at this moment.
But what you can do is to use Mtproto api and sign-in to telegram as a normal user (with phone number). And follow these steps using the logged in account:
Start both of your bots.
Forward messages you receive from bot 1 to bot 2.
This way you'll be able to access any files in bot 1 in bot 2.
You can use Telethon to write a script that does the job for you, listening to updates coming from bot 1 & forwarding them to bot 2.
Also using normal bot api you should forward received messages to your logged-in account.
The only way is to use a shared channel. Both bots have admin access. However, you may encounter error 429 while transferring the file.
The solution is to send the files to the channel at longer intervals.
I have to design an e-learning tutorbot that has multiple possible channels living in parallel:
A live chat (to support learner with FAQ when browsing the e-learning application website)
A IM chat as Telegram (for asyncronous notifications)
An email (for anything else)
...
Take a part the connectors gateway communication logics.
My problem/question is mainly about how to manage user identification.
I want that a user is identified with an unique identifier (call it conversation_id) regardless of channel.
In the mentioned scenario user has one different ID for each channel:
An account_id on the website (e.g. solyarisoftware)
A chat_id on Telegram (e.g. 1234567890)
An email_address (e.g. giorgio.robino#blabla.com)
So, how to let RASA chatbot accept requests coming from the same user (but from different channels)? In other words, how can I map multiple channel IDs into a RASA unique ID, say the conversation_id ?
At the end of the day I need to generate a lookup table that map a UUID with all channel ids. Right?
But is not clear to me what's a good (simple) user experience. At first glance seems to me that that I need a sort of login/registration flow: each time user submit a request on channel X, only for the first time, the user must identify himself somewhere (with his email/account_id?). So by example trough Telegram, when the Telegram connector server receive a /start command, the bot must ask the user email(or account_id), to be able to associate 1-to-1 the TG chat_id with that email. Not perfect in terms of security, I admit.
Any experience/idea/suggestion?
Thanks/giorgio
I don't have an hands-on experience on this but it is something I have been thinking myself for a while.
Indeed the 'merge' of the different accounts (across channels) is something that we need to maintain ourselves, making sure each channel user ID is eventually mapped to a universal user ID (lookup table makes sense to me).
Since you have a website, an email address and multiple channels I would say the assumption is that users first registered on the web site. Each user has a unique email address and obtains an account secured by username/password, as well as a unique secret token.
When chatting on browser (ie Rasa WebChat) you can initialise the plugin with custom parameters (ie userId=1 or token=X), in this case the chat session is assigned to the given user id.
When using Telegram (or other messenger application) I would (at the very first access) ask the user if he/she has already registered. If yes then I would ask the token: this can be used to perform the map and link this Telegram user to the universal user Id. Same approach for other channels.
Depending on your needs you might need to deal with anonymous access (users don't provide the token) or maybe you want to provide a different token for each channel (more secure, but requires more work and an easy way to explain this to users).
Finally something to look at (I haven't tried myself) is the possibility to provide in the web site the option to open Telegram (or others) passing an extra parameter, which would allow you to perform the mapping. I don't know if this is possible, but it would simplify this process for your end users. Or the other way around: the users in Telegram could be provided with a link which opens the website, where they can login and be recognised.
I want to make a desktop application which will need to use a 3rd party REST API to get information. However, the number of requests is limited by the API Key. If I use one API key for all users, the request quota will be exhausted really fast. Now, is it standard (and legal) to make each user sign up for his/her own API key? How are API keys used in context of open-source projects?
To generate the API key, I want to make a sign up form within the application, where the user puts in his/her information and the application sends those information to the 3rd party website to get an API key. Does that sound right?
In general the use of an API is limited to the requests from one machine and not to the API key most of the time.
Again depending of the type of third party services you are using, but the requests to the service should be established by the client not the server.
For example if you want to know geographic coordinates from a specific place, but obviously you can't ask the user directly for GPS coordinates. So you implement the Google Maps Javascript Library into your app which requests the Google API for the coordinates to the human readable address and returns it to the client. This in turn sends the data to your server.
In this way your server never comes into contact with the third party service.
If you have sensitive data or data which shouldn't be manipulated by the user you have to request from your server directly of course. But take a look into the documentation of the service before hack something together which isn't in the intention of the service provider.
Never ever try to outwit a service provider. They will detect your inappropriate use and block you for all time!
We're building a multi-tenant SAAS web-application. Our tenants want the option to accept credit card payments for the various products that we allow them to market through our application. To support this we will require that the tenant has their own Braintree account. The tenant provides us with their Braintree API keys through our app. We then use those API keys to interact with their Braintree account on their behalf (card storage, card verification and basic transactions).
This model is the same as the model used by the existing Braintree customers WooThemes, Goodsie, TutorTrove and many more.
We need to record the tenant's API info (merchant ID, public API key and private API key) for this all to work.
My questions are:
Can we simply store this information in our application database?
Does storing this information affect the PCI/DSS scope of us or our tenants?
If we can't store the information in raw form, what is an appropriate storage form?
Note: we have contacted Braintree directly with this same question, but we didn't think it would hurt to get other opinions as well :).
Cheers,
Sam
IMHO, Please note that you will be [if not, should be] having tenant based crypt keys [each tenant can configure their own crytographic algorithm and the keys => SAAS Cusomization], Please do encrypt the AuthorizationId using the tenant specific keys and then persist in the database. These kind of sensitive data should be secured and you should have a note stating that you are maintaining these keys in the database so that the tenant's can opt out if not required and manually enter the key whenever required. This will ensure safety. By the way is your application using SSL.
Please do share your thoughts on this suggestion
So Braintree responded to this question with:
So long as your system is PCI compliant, and your merchants are aware
that their API keys are stored on your server, then you should be
fine. How you store the integration API keys is completely up to you,
and [we] don’t really have any best practices to offer.
So, it doesn't seem like this case affects the PCI/DSS scope of our product, and it seems we are free to choose an appropriate way to store the private API keys that we obtain (saravanan's suggestion is one possible option).