[Question] What if user has no name? #9

Open
JokerQyou opened this issue Mar 16, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@JokerQyou

Username is optional on Telegram. So if a user has no username, it's impossible to manage - you can't set him as admin, or dynamically add / delete him.

@unixzii
Member

unixzii commented Mar 16, 2023

Hi @JokerQyou, this is a known issue found at an early stage of development. For security considerations, we will not support changing the first admin user at run time. However, using the username is not that good either, because users may change their usernames anytime.

We are planning to use user_id to identify a user; it will be an option in addition to the username.

@unixzii unixzii added the enhancement New feature or request label Mar 16, 2023
@t4nature

I have an idea: After running the bot executable file, make the bot temporarily unusable by anyone and have no administrators assigned. At this time, a link like 'https://t.me/botname_bot?start=token' will be displayed in the terminal where the bot executable is run. This guides users to use their own Telegram account to open it for 'bot recognition.' The token, randomly generated on the first run, is long enough to ensure security.

Furthermore, after the 'recognition,' a password can be generated and sent to the user via a message with a copy feature. This password is used to encrypt local sensitive data, such as the OpenAI token and the Telegram bot token, and also serves as the database password. When rerunning the bot executable, it will require entering the password, similar to a Linux login (I am aware that sending the password in plain text to the user seems insecure. However, most people are actually lazy; if it's not done this way, they might set weak passwords or even no password at all. Security-conscious users can also delete the password, store it elsewhere, and figure out more secure implementations on their own).

@unixzii
Member

unixzii commented Mar 19, 2024

It sounds like a good idea. Thanks for the advice, @t4nature. I think we can do it step-by-step, starting from admin recognition. As for the encryption of the database, we may need further consideration before implementing it.

I wonder if you'd be interested in adding the admin recognition based on your proposal?

@t4nature

> It sounds like a good idea. Thanks for the advice, @t4nature. I think we can do it step-by-step, starting from admin recognition. As for the encryption of the database, we may need further consideration before implementing it.
>
> I wonder if you'd be interested in adding the admin recognition based on your proposal?

Yes, I plan to write a lib crate.
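
The first-run admin recognition proposed in this thread, sketched as an added example (not code from the project or from any participant): a one-time token is shown as a `t.me` deep link, and the first account that sends it back is bound as admin by numeric `user_id` rather than username. `AdminClaim`, `ct_eq` and the sample IDs are hypothetical, and reading `/dev/urandom` assumes a Unix host (a real crate would use an OS-RNG crate instead).

```rust
use std::fs::File;
use std::io::{self, Read};

/// Hypothetical first-run claim state; the admin is stored by numeric user id.
pub struct AdminClaim {
    token: String,         // one-time token, cleared after a successful claim
    admin_id: Option<i64>, // None until someone proves they saw the terminal
}

/// Compare every byte so timing does not reveal how long a matching prefix is.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl AdminClaim {
    /// Draw 32 bytes from the OS CSPRNG (assumption: /dev/urandom exists).
    pub fn new() -> io::Result<Self> {
        let mut raw = [0u8; 32];
        File::open("/dev/urandom")?.read_exact(&mut raw)?;
        // 64 hex chars: fits Telegram's start parameter (max 64 of A-Z a-z 0-9 _ -).
        let token: String = raw.iter().map(|b| format!("{:02x}", b)).collect();
        Ok(Self { token, admin_id: None })
    }

    pub fn link(&self, bot_username: &str) -> String {
        format!("https://t.me/{}?start={}", bot_username, self.token)
    }

    /// Handle the "/start <payload>" text of a message sent by `user_id`.
    pub fn try_claim(&mut self, user_id: i64, text: &str) -> bool {
        let payload = text.strip_prefix("/start ").unwrap_or("").trim();
        if self.admin_id.is_some() || !ct_eq(payload.as_bytes(), self.token.as_bytes()) {
            return false;
        }
        self.admin_id = Some(user_id);
        self.token.clear(); // single use: a leaked link is worthless afterwards
        true
    }

    pub fn is_admin(&self, user_id: i64) -> bool {
        self.admin_id == Some(user_id)
    }
}

fn main() {
    let mut claim = AdminClaim::new().expect("OS randomness unavailable");
    println!("Open this link to become admin: {}", claim.link("botname_bot"));
    // Constructed update: a stranger guessing the payload is rejected.
    println!("wrong token accepted: {}", claim.try_claim(111, "/start guess"));
}
```

Until a claim succeeds, `is_admin` is false for everyone, which matches the "temporarily unusable by anyone" state in the proposal.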
