tg-initdata-validator/index.js

Validate Telegram Mini App initData signature using Node.js

const crypto = require('crypto')

function validateTelegramInitData(initData, botToken) {
    const parsed = new URLSearchParams(initData)
    const hash = parsed.get('hash')
    parsed.delete('hash')

    const dataCheckString = [...parsed.entries()]
        .sort(([a], [b]) => a.localeCompare(b))
        .map(([k, v]) => `${k}=${v}`)
        .join('\n')

    const secretKey = crypto
        .createHmac('sha256', 'WebAppData')
        .update(botToken)
        .digest()

    const hmac = crypto
        .createHmac('sha256', secretKey)
        .update(dataCheckString)
        .digest('hex')

    const isValid = hmac === hash
    const user = JSON.parse(parsed.get('user') || '{}')

    return { isValid, user }
}

module.exports = { validateTelegramInitData }