From 87856d2bc78d944ef961963062beec41dcc47eeb Mon Sep 17 00:00:00 2001
From: Creatman
Date: Wed, 6 May 2026 10:47:08 -0400
Subject: [PATCH] security: replace hardcoded BOT_TOKEN/CHAT_ID/ORIGIN with Wrangler secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

⚠️ The previous src/index.js shipped a real Telegram bot token, chat id, and production origin in the source. The token was publicly leaked in this repo from 2026-02-10 (GitHub secret-scanning alert #1, never resolved).

Changes:
- src/index.js — read BOT_TOKEN, CHAT_ID, ALLOWED_ORIGIN from env (Wrangler bindings), return 500 with a clear setup message if any is missing. No hardcoded values remain.
- .env.example — document the required secrets and how to set them via `wrangler secret put`. The file contains placeholder values only.

Note: this commit does NOT remove the leaked token from git history. The token must be revoked via @BotFather as a separate operational step (rotation, then `wrangler secret put BOT_TOKEN `). After revoke, the GitHub secret-scanning alert can be closed as "revoked": https://github.com/CreatmanCEO/telegram-form-worker/security/secret-scanning/1

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .env.example | 22 ++++++++++++++++++++++
 src/index.js | 16 +++++++++++-----
 2 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 .env.example

diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..5a4962b
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,22 @@
+# telegram-form-worker — required secrets
+#
+# These are NOT loaded from this file at runtime. This file documents the
+# variable names and shapes; the actual values must be set as Cloudflare
+# Wrangler secrets (encrypted, never committed):
+#
+# wrangler secret put BOT_TOKEN
+# wrangler secret put CHAT_ID
+# wrangler secret put ALLOWED_ORIGIN
+#
+# The Worker reads them at runtime as `env.BOT_TOKEN`, `env.CHAT_ID`,
+# `env.ALLOWED_ORIGIN`. If any is missing the Worker responds 500.
+
+# Telegram bot token from @BotFather. Format: :.
+# IMPORTANT: never paste a real token here — keep this file as documentation only.
+BOT_TOKEN=000000000:AAEXAMPLE_REPLACE_WITH_BOT_FATHER_TOKEN
+
+# Telegram numeric chat id (positive for users, negative for groups/channels).
+CHAT_ID=000000000
+
+# Allowed CORS origin (the site that hosts the contact form).
+ALLOWED_ORIGIN=https://your-site.example
diff --git a/src/index.js b/src/index.js
index a1d4ae6..4ae9494 100644
--- a/src/index.js
+++ b/src/index.js
@@ -1,8 +1,14 @@
 export default {
 async fetch(request, env, ctx) {
- const BOT_TOKEN = '8157141771:AAHxRzh3_kCS1amiPTaXw3FTYnN-GrBdt-g';
- const CHAT_ID = '338930874';
- const ALLOWED_ORIGIN = 'https://itpovar.ru';
+ // Secrets (set via `wrangler secret put BOT_TOKEN` etc.) — never commit values to source.
+ // See .env.example for the full list of required secrets and how to set them.
+ const BOT_TOKEN = env.BOT_TOKEN;
+ const CHAT_ID = env.CHAT_ID;
+ const ALLOWED_ORIGIN = env.ALLOWED_ORIGIN; // e.g. 'https://your-site.example'
+
+ if (!BOT_TOKEN || !CHAT_ID || !ALLOWED_ORIGIN) {
+ return new Response('Worker is not configured. Set BOT_TOKEN, CHAT_ID, ALLOWED_ORIGIN as Wrangler secrets.', { status: 500 });
+ }
 
 if (request.method === 'OPTIONS') {
 return new Response(null, {
@@ -21,7 +27,7 @@ export default {
 try {
 const requestData = await request.json();
-
+
 const message = `
 🔥 Новая заявка с сайта!
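Review bot: The 500 body on the new `return new Response('Worker is not configured. Set BOT_TOKEN, CHAT_ID, ALLOWED_ORIGIN as Wrangler secrets.', { status: 500 });` line in the src/index.js hunk discloses the Worker's configuration layout to any unauthenticated caller, and because the guard runs before the OPTIONS branch the response carries no CORS headers, so a browser client will only ever see a CORS failure rather than this text anyway. Keep the detail for the operator and return a generic body: `console.error('Missing Wrangler secret(s): BOT_TOKEN, CHAT_ID and/or ALLOWED_ORIGIN');` followed by `return new Response('Server misconfigured', { status: 500 });`. The truthiness check on the bindings is appropriate here, since an empty-string secret should be treated the same as an absent one. The `fetch` handler's body continues outside this hunk.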
@@ -63,4 +69,4 @@ ${requestData.message}
 });
 }
 }
-};
\ No newline at end of file
+};