What I did:
I developed a Telegram bot using the TelegrafJS framework. This bot allows the user to subscribe to a paid channel; this channel is private.
So after the payment is completed, the bot sends the invitation link to let the user join the channel.
The problem
Now suppose that the paying user sends the invitation link to another user (who didn't pay); the non-paying user will get access to the paid channel as if they had paid.
Before thinking of a solution, it's necessary to know the limits of Telegram's invitation links:
It's not possible to add a user to a channel without an invite link;
It's not possible to create a single-use invite link;
It's not possible to create a personal invite link (that only one user can use);
Invite links are cached on Telegram servers and become unstable if you reset them too fast (try resetting a link 2-3 times in 10 seconds using your Telegram app — you'll understand what I mean).
What I thought of as a solution
I thought of showing the invite link behind an inline button, so the user will see a CLICK HERE button for 3 seconds, then the link will be revoked and another link will be created. This doesn't remove the problem of access to the paid channel without paying for a subscription, but it makes life more difficult for unfair users.
Possible other problem: when the user clicks on the link, they get:
Sorry, this channel doesn't seem to exist.
This means that the invite link to the channel is unstable at the moment. It usually happens after clicking Join several times in a row OR if multiple users are trying to join at the same time.
Too many attempts, please try again later
It means that the user has clicked on too many invalid invite links recently. Most likely, he had a lot of messages "Sorry, this channel doesn't seem to exist" right before this one or joined too many channels/groups in a row.
Conclusion
Is there a more secure way to handle this?
Given the limitations of the Telegram API, the best option I can think of is having a unique link which redirects to your bot's invite link.
The bitly API might be something cool to look at for this.
As of now (since March 9, 2021) there are a number of methods available for working with limited chat/channel invite links.
You can use the createChatInviteLink method to create a unique invite link limited to a certain number of joining users.
Please refer to the official Telegram Bot API documentation.
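An added example, not part of the original answer or the asker's bot: `createChatInviteLink` called with `member_limit: 1` and an `expire_date`, followed by a check of the `invite_link` field in each `chat_member` update so that a join by anyone other than the payer is removed. `callApi(method, params)` is an assumed transport for Bot API requests (for instance Telegraf's `bot.telegram.callApi`); `issued`, `inviteParams`, `reviewJoin` and `enforce` are names chosen here.

```javascript
// Added example. In production `issued` would live in a database, not in memory.
const issued = new Map(); // invite link URL -> id of the user who paid for it

function inviteParams(chatId, userId, nowSec, ttlSec = 600) {
  return {
    chat_id: chatId,
    name: `payer:${userId}`,      // label visible to channel admins
    member_limit: 1,              // link stops working after one join
    expire_date: nowSec + ttlSec, // and after ttlSec seconds even if unused
  };
}

async function issueInvite(callApi, chatId, userId, nowSec) {
  const link = await callApi('createChatInviteLink', inviteParams(chatId, userId, nowSec));
  issued.set(link.invite_link, userId);
  return link.invite_link;
}

// Decide what to do with one `chat_member` update (a ChatMemberUpdated object).
function reviewJoin(update) {
  const member = update.new_chat_member;
  const url = update.invite_link && update.invite_link.invite_link;
  if (!member || member.status !== 'member' || !issued.has(url)) {
    return { action: 'ignore' }; // not a join, or not a link this bot issued
  }
  if (issued.get(url) === member.user.id) return { action: 'accept', revoke: url };
  // The single join was spent by someone the link was not issued to.
  return { action: 'remove', userId: member.user.id, revoke: url };
}

async function enforce(callApi, chatId, decision) {
  if (decision.action === 'ignore') return;
  issued.delete(decision.revoke);
  await callApi('revokeChatInviteLink', { chat_id: chatId, invite_link: decision.revoke });
  if (decision.action === 'remove') {
    // Ban then unban removes the member without blocking a later paid join.
    await callApi('banChatMember', { chat_id: chatId, user_id: decision.userId });
    await callApi('unbanChatMember', { chat_id: chatId, user_id: decision.userId });
  }
}
```

The bot has to be an administrator of the channel and has to list `chat_member` in `allowed_updates`, otherwise Telegram does not deliver these updates.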
How about generating a link with an expiry time on the website where only paid users have access? When they click on the link, your server responds with the invite link in a 302 redirect response.
Example: [Join telegram] https://myserver.com/generateInviteLink?expiretime={Date.now}+10minutes
Response
Http 302 location: T.me/invite/key
When the request time is < expiretime, otherwise you throw an error
The endpoint generateInviteLink should be password-protected as well, and the key should be encrypted.
I know that a user who is tracking their HTTP requests will be able to get to the URL, but for some users it would work.
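An added example, not part of the original answer: the expiry check for such a redirect endpoint, with the expiry time and user id carried in an HMAC-signed token so the client cannot extend it by editing the query string. This uses a signature rather than the encryption the answer mentions; `signToken`, `verifyToken`, `handleJoin` and the token layout are assumptions made here.

```javascript
const crypto = require('node:crypto');

// Token layout (assumed): "<userId>.<expiresAtSec>.<base64url HMAC-SHA256>"
function signToken(secret, userId, expiresAtSec) {
  const payload = `${userId}.${expiresAtSec}`;
  const mac = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
  return `${payload}.${mac}`;
}

function verifyToken(secret, token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [userId, exp, mac] = parts;
  const expected = crypto.createHmac('sha256', secret).update(`${userId}.${exp}`).digest();
  const given = Buffer.from(mac, 'base64url');
  // Compare in constant time; check the length first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (!/^\d+$/.test(exp) || nowSec >= Number(exp)) return { ok: false, reason: 'expired' };
  return { ok: true, userId };
}

// What the endpoint would answer for a given token (framework-independent).
function handleJoin(secret, token, nowSec, inviteUrl) {
  const v = verifyToken(secret, token, nowSec);
  return v.ok
    ? { status: 302, headers: { Location: inviteUrl, 'Cache-Control': 'no-store' } }
    : { status: 403, body: v.reason };
}
```

As the answer itself notes, the 302 response still exposes the Telegram link to the paying user, so this only limits how long the server-side URL stays usable.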
Through the userbot API your bot can act as a user who is the creator (unlimited admin) of the secret channel. So, this admin can watch the channel's log of subscribers joining/leaving this channel. This log lasts for 24 hours. As soon as the invited user has joined the secret channel, the joinchat button can be deleted, and the joinchat URL can be revoked. Else, if other users join this secret channel, they can be kicked.
You can count the number of members in your private chat (channel or group); when count=count+1, create a new invite link.
Well, why not add them personally using the add member option? Ask them to open their privacy settings for a minute and add them. Keep your link private; no one will know.
I need to get the list of attendees of an MSTeams meeting call, and their times, by an Azure Application.
For now, I've tried 3 different approaches without success:
Registering a Bot
Retrieve the attendee report of an event
callRecord subscription
In more detail:
Registering a Bot
The MembersAdded event works as described in the documentation for v4.7 of the Bots SDK, i.e. when a new user is added to a chat or a team, the webhook is called, which does not work for online meetings. However, for v3 of the Bots SDK there is a mention:
The conversationUpdate event with the membersAdded object in the
payload is sent when a user is added to a private scheduled meeting.
The event details will be sent even when anonymous users join the
meeting.
I've not tried this version of the SDK, but I think it has the same behaviour as v4.7 because I don't see any request coming to my bot's webhook when a user joins a meeting.
Moreover, when I request the members of a meeting on a message event to a bot by invoking:
var members = await TeamsInfo.GetMembersAsync(turnContext);
I get a list of the team/chat members where a meeting is created, but not the list of attendees of a meeting for the current time.
Retrieve the attendee report of an event
By this request, I can get the list of attendees, but only for live events.
However, Teams clients (in preview mode now) can get this report for an ordinary meeting with the full history of who/when entered/left a meeting, with even guest names(!).
Anyway, this method has the following disadvantages:
As mentioned in the Get onlineMeeting and according to the Allow applications to access online meetings on behalf of a user, a tenant administrator has to invoke the PS command Grant-CsApplicationAccessPolicy for each meeting organiser, to grant my app permission to download this report
Administrators must create an application access policy and grant it to a user, authorizing the
app configured in the policy to retrieve an
online meeting on behalf of that user (user ID specified in the
request path).
It uses the beta version of the Graph API, so it can't be used in production
callRecord subscription
According to the Create subscription, I can subscribe to create and update events of a callRecord, and everything works well - when a meeting call is finished, my notification URL is called in 5-20 minutes, so I can find the original meeting by callRecord.joinWebUrl and Get onlineMeeting:Example 3. It seems to be the most suitable method for me, but has the following disadvantages:
Guests cannot be identified; their names as passed in MSTeams clients are not reported to callRecord, i.e. callRecord.Participants[].AdditionalData["guest"].displayName == "Guest user" for any guest (seems like a bug). However, entered/left information can be found by searching callRecord.Participants[].AdditionalData["guest"].id in callRecord.Sessions[].Segments[].Caller.Identity.AdditionalData["guest"].id
External users also cannot be identified; callRecord.Participants[].User.DisplayName == "External user" for any external user. However, I can retrieve tenantId and userId, but still cannot get the user's profile because my app has to have the Directory.Read.All permission in that tenant, and it's not possible for every tenant.
PS. I can set up MSTeams to not allow guests or external users; then it works partially well, because each user has to have a Teams license assigned, and NO login page appears during joining a meeting, just an error page saying that the meeting does not allow guest or external users, so the user should find a link to log in to a tenant, which is not obvious in the MSTeams Web Client, but possible.
PSS. In the Microsoft Teams admin center, I've checked the calling history of an organiser for a meeting with 1 guest, 1 tenant and 1 external and here it is:
Seems for guests, displayName is not stored at all; however, for an external user their AAD email is stored (this is an AAD guest user, i.e. has '#EXT#' in his principal name, and has the same email as on the picture). However, I'm not sure where Azure resolved it from - either from the external tenant's AAD or from my tenant's AAD for the external user, because Azure has access to both.
So, maybe you know a method to get attendees and their times in a meeting call?
Thank you for your suggestion/advice/reply!
Thanks for reaching us!
Teams by default generates an attendees report and a meeting report after completion of a meeting call. We are able to see the list of attendees and the report. But at present we don't have any API to fetch the list of attendees and their timings.
As this feature is not available at present, could you please raise a UserVoice if this needs to be considered as a future request?
Everything I see about Slack bots says that a bot cannot post within a conversation it has not been invited to.
➡️ However, why can /giphy or Simple Poll (/poll) post in a PM (one to one) OR in a conversation where the bot has not been added?
The current permissions are chat:write,commands,files:write
The oauth token is a "Bot User OAuth Access Token"
The plan is to support Add to Slack and to distribute the app.
Functionality-wise, it supports a /command and posts a file to a conversation.
The bot can:
- receive the OAuth token upon app install (via Add to Slack)
- delete ephemeral messages
- post a file only where it's been added to, which sucks because the bot does not need to read any message within anything.
Code of the bot here
If the bot is not invited, the answer is either channel_not_found or not_in_channel.
What am I missing?
It is correct that bots in general can only post messages to channels they are invited to. However, there are two exceptions:
Bots can inherit the rights of the installing user. So bots can post to every private channel the installing user is a member of (including direct message channels).
Slash commands work differently. If a user issues a slash command from a channel, the bot can reply to that slash command. That works for every channel and does not require the bot to be invited. Those replies are normal Slack messages, so they can contain all kinds of message features incl. image attachments or blocks with images.
A common pattern to give a bot full access to private channels is the following:
User starts the bot with a slash command
Bot checks if it has full access to the current channel
If not it asks the user to invite it to that channel
I've built a peer to peer ecommerce website and while it works, I'm getting some feedback from users (which at this point are just a few of my friends) that the Stripe interactions are a little confusing.
I think this is more to do with how I've set up my site than Stripe itself.
Here is the current setup:
All users must add their debit/credit card when completing their profile. I'm using a simple card input, the one that comes from <script src="https://js.stripe.com/v3/"></script>.
Any users who want to sell their items must also create a Stripe Connect account (I'm using Connect Express). This is the one where they are taken to Stripe.com and redirected to my site upon adding their bank account info. This onboarding process is only initiated when a user tries to upload an item to sell.
To complete a transaction, I'm using:
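    import stripe

    # Amounts are in the smallest currency unit (cents for USD).
    charge = stripe.Charge.create(
        amount=amount_to_owner + 200,       # amount for the owner plus the application fee
        currency="usd",
        customer=stripe_customer_id,        # the paying user's Stripe customer id
        application_fee_amount=200,         # fee kept by the platform
        transfer_data={
            "destination": owner_connect_acct,  # the other user's Connect account
        },
    )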
So, I'm charging the user with the customer id, and paying the other user to their connect account.
The fact that there are two separate actions - one where the user simply adds their card info, and the other where they go through Connect, might be confusing to some people.
Is there a way I can do this all in one? I'm open to anything and don't mind changing up things. Thank you in advance for any guidance.
I am trying to implement a Bot which can get all the Direct Message Channels, all the workspace Users and send Direct Messages to them.
If I work with my development workspace everything works as expected, but when I try with my company workspace, my Bot is only capable of retrieving the Direct Message Channel it belongs to.
Any idea on how to fix my production Bot?
You can't. Due to the security architecture of Slack, one can only see the messages of channels he is part of. It's the same even for the "super admin" of a Slack team (the primary owner). Bots and apps inherit that right from the user who installed them (= authed the access token).
The reason it works on your development Slack is that your user has probably created all private channels on Slack, and/or is the same that authed the access token your app uses.
Thanks to Slack support I got my answer:
The OAuth Token issued is specific to the user who has installed your app and represents the permission(s) to perform actions on behalf of the user. More detailed information here - https://api.slack.com/docs/oauth.
The token can only perform the same actions as the user who installed the app, i.e. if the user can’t view or post in the channel, they can’t grant permission to something they do not have.
The Facebook Chat API is a power tool. From a purely technical point of view, it definitely does more than its predecessor of private messages in the Graph API.
This brings up a question of where Facebook is drawing the line of abuse of its chat api.
So here's how I'm planning to use the Facebook chat api for my app.
The app is an event planning app that lets users invite their friends to an event. Other than sending SMS, and emails to notify the guests, the most reliable way is to send invitations through the list of facebook friends. And let's face it, sometimes you may not have the person's phone number in your contact book, and you definitely don't remember most of their emails, so facebook is your only source for reaching them.
So I need a solution to send invitations to the guests. Here are my requirements and conditions:
The guest is a facebook friend of the user
There's no way of obtaining the guest's email (unless the user enters it) or phone number (ie. sms is not an option)
Each guest must receive a link that is unique to him/her
No one else should be able to obtain this link (ie. the message shouldn't be seen publicly)
It must not require the user's interaction to send these invitations (imagine having the user confirm a facebook post 10 times for the 10 facebook friends he's inviting). The invitation must be sent automatically.
Here's the obstacle. Facebook revoked the functionality to send private messages recently (I was able to have my Facebook friends send me private messages via an app just over a month ago, not anymore). However, I discovered that I could do so using the Facebook Chat API.
This seems to be a grey area; my app is using the Chat API for the sole purpose of helping the users notify their friends of their event invitation. There's no intention of abuse (such as mass messaging every one of the user's friends with a link to my app/website). Is Facebook going to hunt me down and revoke my app's privilege to use Facebook's API?
Can anyone shed some light on whether my intended usage of the API is an abuse or is it legitimate? If it is not legitimate, what are your suggestions?
I'd recommend using core functionality wherever possible here. For example, you could utilise the Facebook 'Event' object and the Graph API to create invite-only events and to invite individual friends of your app's users. This would deliver the same functionality without the need for nonce-based invite URLs and possible misuse of the Chat API. Take a look at https://developers.facebook.com/docs/reference/api/event/#invited for details.