What I did:
I developed a Telegram bot using the TelegrafJS framework. This bot allows the user to subscribe to a paid channel; this channel is private.
So after the payment is completed, the bot sends the invitation link to let the user join the channel.
The problem
Now suppose that the paying user sends the invitation link to another user (who didn't pay): the non-paying user will get access to the paid channel as if they had paid.
Before thinking of a solution, it's necessary to know the limit about the invitation links of Telegram:
What I thought as solution
I thought of showing the invite link behind an inline button, so the user will see a CLICK HERE button for 3 seconds, then the link will be revoked and another link will be created. This doesn't remove the problem of access to the paid channel without paying for a subscription, but it makes life more difficult for unfair users.
Possible other problem: when the user clicks on the link, they get:
Sorry, this channel doesn't seem to exist.
This means that the invite link to the channel is unstable at the moment. It usually happens after clicking Join several times in a row OR if multiple users are trying to join at the same time.
Too many attempts, please try again later
It means that the user has clicked on too many invalid invite links recently. Most likely, he had a lot of messages "Sorry, this channel doesn't seem to exist" right before this one or joined too many channels/groups in a row.
Conclusion
Is there a more secure way to handle this?
Given the limitations of the Telegram API, the best option I can think of is having a unique link which redirects to your bot's invite link.
The bitly API might be something cool to look at for this.
As of now (since March 9, 2021) there are a number of methods available for working with limited chat/channel invite links.
You can use the createChatInviteLink method to create a unique invite link limited to a certain number of joining users.
Please refer to the official Telegram Bot API documentation.
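The createChatInviteLink approach from the answer above, tied to the paying account (an added example, not code from the original answers). `callApi`, `issued`, `buildInviteParams`, `issueInvite` and `checkJoin` are hypothetical names; it assumes the bot is a channel admin and receives `chat_member` updates, which must be listed in `allowed_updates`.

```javascript
// Added example. In-memory ledger for the demo: invite_link -> { userId, expireDate }.
// A real bot would keep this in its database.
const issued = new Map();

// Parameters for the Bot API method createChatInviteLink:
// a single join only, valid for ttlSeconds counted from nowSeconds.
function buildInviteParams(chatId, userId, nowSeconds, ttlSeconds = 600) {
  return {
    chat_id: chatId,
    name: `sub-${userId}`,                // admin-visible label (max 32 chars)
    expire_date: nowSeconds + ttlSeconds, // Unix time
    member_limit: 1,                      // link stops working after one join
  };
}

// callApi(method, params) is a hypothetical transport, for example an HTTPS
// POST to the Bot API that resolves to the returned ChatInviteLink object.
async function issueInvite(callApi, chatId, userId, nowSeconds) {
  const params = buildInviteParams(chatId, userId, nowSeconds);
  const link = await callApi('createChatInviteLink', params);
  issued.set(link.invite_link, { userId, expireDate: params.expire_date });
  return link.invite_link;
}

// Classify a chat_member update (ChatMemberUpdated): did the account that
// joined through the link match the account the link was issued to?
function checkJoin(chatMemberUpdate) {
  const used = chatMemberUpdate.invite_link && chatMemberUpdate.invite_link.invite_link;
  const joinedId = chatMemberUpdate.new_chat_member.user.id;
  const record = used && issued.get(used);
  if (!record) return 'unknown_link';
  issued.delete(used); // single use: forget the link once it is consumed
  return record.userId === joinedId ? 'ok' : 'mismatch';
}
```

On `'mismatch'` the bot can remove the joined account with `banChatMember`, since the single join was spent by someone other than the payer.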
How about you generate a link with an expiry time on the website where only paid users have access? When they click on the link, your server responds with the invite link in a 302 redirect response.
Example: [Join telegram] https://myserver.com/generateInviteLink?expiretime={Date.now}+10minutes
Response: HTTP 302, Location: T.me/invite/key when the request time is < expiretime; otherwise you throw an error.
The endpoint generateInviteLink should be password protected as well. And the key should be encrypted.
I know that a user who is tracking their HTTP requests will be able to get to the URL, but for some users it would work.