2.0 KiB
2.0 KiB
Telegram Pairing Flow
Goal
Allow a new Telegram admin to be approved from the server console without editing the database manually.
Runtime behavior
Unpaired user
- A user opens the Telegram bot.
- The bot checks whether
telegram_user_idis present in the allowlist. - If not present, the bot creates a pending pairing record with:
- Telegram user ID
- Telegram username and display name snapshot
- pairing code hash
- expiration timestamp
- status
pending
- The bot replies with a message telling the user to run
nproxy pair <code>on the server.
Current runtime note:
- The current bot runtime uses Telegram long polling.
- On each message from an unpaired user, the bot rotates any previous pending code and issues a fresh pairing code.
- Pending pairing creation writes an audit-log entry with actor type
system.
Pair completion
- An operator runs
nproxy pair <code>on the server. - The CLI looks up the pending pairing by code.
- The CLI prints the target Telegram identity and asks for confirmation.
- On confirmation, the CLI adds the Telegram user to the allowlist.
- The CLI marks the pending pairing record as
completed. - The CLI writes an admin action log entry.
Required CLI commands
nproxy pair <code>nproxy pair listnproxy pair revoke <telegram-user-id>nproxy pair cleanup
Current CLI behavior
nproxy pair <code>prints the Telegram identity and requires explicit confirmation unless--yesis provided.nproxy pair listprints active allowlist entries and pending pairing records.nproxy pair revoke <telegram-user-id>requires explicit confirmation unless--yesis provided.nproxy pair cleanupmarks expired pending pairing records asexpiredand writes an audit log entry.
Security rules
- Pairing codes expire.
- Pairing codes are stored hashed, not in plaintext.
- Only the server-side CLI can complete a pairing.
- Telegram bot access is denied until allowlist membership exists.
- Every pairing and revocation action is auditable.