Hello Firebase Community,
I’m developing a web application using Firebase, and I’m trying to implement a feature where my users can send notifications from our app to their own Telegram channels.
The use case is as follows: A user (let’s call them a “tipster”) saves their personal Telegram Bot Token and Channel ID securely in their profile on our app. Then, from a different part of the web app, they can click a button to send a notification about a new “pick” to their own channel.
I’ve been exploring Firebase Functions to handle the communication with the Telegram Bot API. My idea is to have a callable function that:
-
Receives the message content from the web app.
-
Identifies the authenticated user who made the request.
-
Looks up that user’s saved Bot Token and Channel ID in Firestore.
-
Uses those credentials to make a POST request to the Telegram API.
My question is: Is this the correct and most secure approach? I’m looking for guidance on the best practices for this kind of integration. What is the standard process for allowing users to trigger Telegram notifications to their own channels using credentials they provide, all orchestrated through a Firebase backend?
Any advice, examples, or pointers to potential security pitfalls would be greatly appreciated.
Thank you