UNPKG

node-red-contrib-telegrambot

Version:

Telegram bot nodes for Node-RED

github.com/windkh/node-red-contrib-telegrambot

windkh/node-red-contrib-telegrambot

112 lines (88 loc) 4.92 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# Automated / git-managed deployments This document covers what you need to do when your Node-RED flows live in source control (or are otherwise managed by automation) and your bot's token is supposed to flow in from an environment variable or a secrets store rather than being typed into the editor by hand. It is also the answer to issue [#432](https://github.com/windkh/node-red-contrib-telegrambot/issues/432). ## Why this needs special handling The bot's `token` field is declared to Node-RED as a **credential**, not a regular config property. Node-RED treats credentials specially: - It strips them out of `flows.json` on save. - It stores their encrypted form in a separate `flows_cred.json` file. - The encryption key is `credentialSecret` from `settings.js`. If `credentialSecret` isn't pinned in `settings.js`, Node-RED generates one and stores it in `.config.runtime.json`. So if your automated deployment commits `flows.json` and uses a fresh `credentialSecret` on every container start, the token will appear to "vanish" — you'll see the bot abort with `Aborting: Token of <botname> is not set`. The plugin's `{env.get("X")}` / `{flow.get("X")}` / `{global.get("X")}` expressions are evaluated **at runtime, inside the credential resolution path**. They work — but only once the encrypted credential has been re-read from `flows_cred.json`. The expression has to survive the credential-serialisation step first. ## Pattern 1 — pin `credentialSecret` and commit `flows_cred.json` The most robust pattern. Pick a deterministic secret per environment and tell Node-RED to use it via `settings.js`: ```js // settings.js module.exports = { credentialSecret: process.env.NODE_RED_CREDENTIAL_SECRET || '<a-strong-fallback>', // ... }; ``` Then commit both `flows.json` **and** `flows_cred.json` to your repo. The token field can be a literal value or a `{env.get("...")}` expression — either survives, because Node-RED re-decrypts `flows_cred.json` with the same secret on every boot. If you want to keep the token out of the encrypted file too, put the `{env.get("TG_TOKEN")}` expression in the token field before committing. The plugin will resolve it at runtime against whatever `TG_TOKEN` the container inherits from its environment. ## Pattern 2 — write `flows_cred.json` at boot If you don't want to commit any credential material, generate `flows_cred.json` from your secrets store as the container starts. A small entrypoint script that reads from Vault / SOPS / Doppler / AWS Secrets Manager / ... and writes the file to `$HOME/.node-red/flows_cred.json` before launching Node-RED works fine. `credentialSecret` still needs to match what was used to encrypt it. ## Pattern 3`userDir` and `flowFile` overrides The `userDir` and `flowFile` settings let you point Node-RED at any directory. A common pattern is to keep `flows.json` in `/etc/node-red/flows.json` (read-only, baked into the image) and have Node-RED write `flows_cred.json` to a writable volume. ## What `{env.get(...)}` does and doesn't fix Once the token expression makes it past Node-RED's credential serialisation, the plugin's expression evaluator (see [ADR 0004](doc/architecture/adr/0004-safe-expression-evaluator.md)) handles the supported forms: ``` {env.get("TG_TOKEN")} {flow.get("token")} {global.get("token")} {context.get("token")} {context.flow.get("token")} {context.global.get("token")} ``` `usernames` and `chatids` use the same syntax. As of V17.3.1 a raw string result from `env.get` / `flow.get` / `global.get` is split on commas — so `CHATIDS=123,456` resolves to `[123, 456]`. Anything outside that grammar (function calls, statement chains, prototype walks, `require`, `eval`, etc.) evaluates to `undefined` — see [ADR 0004](doc/architecture/adr/0004-safe-expression-evaluator.md) for the exact whitelist. ## Common pitfalls - **`credentialSecret` is not set in `settings.js`.** Node-RED generates a random one on first start and writes it to `.config.runtime.json`. Subsequent container restarts that lose that file will be unable to decrypt the existing `flows_cred.json`. The bot will then abort with "token is not set". - **`credentialSecret` is rotated.** Same effect — old `flows_cred.json` can no longer be decrypted. Re-enter the token via the editor (or delete `flows_cred.json` and let Node-RED re-create it on save). - **`flows.json` is regenerated by a flow-export step.** Make sure your export pipeline preserves the credential references (it normally just strips the values, which is correct), and doesn't accidentally write back the bot config node with `credentials: {}` cleared. - **Multiple bot config nodes share the same token.** The plugin's `botsByToken` registry aborts the second one with "Token of <botname> is already in use by ...". Use one config node per token and reference it from multiple runtime nodes.