
How to check if the bot url is opened within telegram's in app browser only


I'm new to telegram bots and found its features fantastic for further development of my project and now know that I can send a link button to the bot user so that when tapped, the target url will be opened in telegram's in app browser.

The question I have is how to check in the server if this url is opened within telegram's in app webview only and not in another browser, by copying the url and pasting it for example into chrome?

I need to check that if the url copied and pasted to another browser then redirect the user to a message page and not opening the target page. I want my user to open the url using the telegram's in app browser only and nowhere else. And this telegram should be the one that has received the bot link and even not another telegram of another user.

Therefore checking and controlling the user agent sent to the server will not solve my problem because it may be another telegram of another user or even a faked desktop browser so can't rely on this from a security perspective.

Thanks for your help


Solution

  • Questions

    I want my user to open the url using the telegram's in app browser only and nowhere else

    Telegram bot API does not provide any mechanisms for that on client side.

    ... how to check in the server if this url is opened within telegram's in app webview only and not in another browser, by copying the url and pasting it for example into chrome?

    You cannot detect "invalid" browser usage on server side as well, because you will need some kind of authentication mechanism to ensure that particular user has permissions to read particular page. Server does not receive any kind of cookies, specific for your service and of course it does not receive any information about telegram session and related Telegram API stuff.

    And of course you can't rely on User-Agent header because it can be easily manually specified in utilities like curl.


    Workarounds

    There are some possible solutions, but there's no easy one.

    • Write your own telegram client using Telegram API. That's the hard way, but in this case you can get the full control of everything your client sends to server - therefore you should be able to solve the problem with permissions.

    • If you want to show user some sensitive information - think of presenting it using Telegram bot built-in features. This is much easier to achieve, but it heavily depends on your product needs and may not be possible.

    • Switch to single-use URLs. Insert a hash into URL and ensure that your server shows a particular page exactly once. If a user wants to read the page again, bot generates URL with another hash. That's the easiest solution here, but of course, you cannot be 100% sure that user won't copy and paste URL before viewing page in telegram webview.
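
A minimal sketch of the single-use URL workaround from the answer above, as an added example that is not part of the original answer. The class name, `BASE_URL`, the `t` query parameter and the expiry time are assumptions; the store is in memory, where a real service would use a database or cache with an atomic delete.

```python
import hashlib
import secrets
import threading
import time

BASE_URL = "https://example.invalid/view"  # placeholder URL, not from the page


class SingleUseLinks:
    """Issues one-time links for a given chat and consumes them on first use."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._pending = {}  # sha256(token) -> (chat_id, page_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not reveal usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, chat_id, page_id):
        """Called by the bot when it builds the link button for one user."""
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        with self._lock:
            self._pending[self._digest(token)] = (
                chat_id, page_id, self._clock() + self._ttl)
        return f"{BASE_URL}?t={token}"

    def redeem(self, token):
        """Called by the web handler. Returns (chat_id, page_id) for the first
        valid request; None for unknown, already used or expired tokens."""
        with self._lock:
            # pop() under the lock makes check-and-consume a single step,
            # so two concurrent requests cannot both succeed.
            entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        chat_id, page_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return chat_id, page_id
```

As the answer notes, this only guarantees that the page is served once: whichever client presents the token first gets it, so a link pasted into another browser before it is opened in Telegram still works.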