Consider using an intermediary document hosting service

[Tjzabel]

Summary

When a Telegram user sends a document file, upload it to an intermediary file hosting service to avoid leaking API key

Background

Is your feature request related to a problem? Please describe:

In v1.x.x, there is an option (disabled by default) to support sending documents from Telegram to IRC. As noted in #241, this leaks the Telegram bot API key. For the v2.x.x rewrite, we should not include this as an option without a way to mask the API key.

Describe the solution you'd like:

We might be able to use a third-party service, such as Dropbox, Mega, or other platforms to host documents. We could provide an API key option for a user to configure for any of these services.

Describe alternatives you've considered:

First we need to figure out what our possible platforms/services are.

Details

https://core.telegram.org/api/files

• Evaluate existing file hosting services out there
• Evaluate which ones have good Go libraries available
• Research rate-limiting for each platform
• Make final decision for what we will support and whether a default option is provided

Outcome

Successfully share files from Telegram to IRC without exposing Telegram bot API key

[jwflory]

Thanks for opening this @Tjzabel.

Due to TeleIRC disabling sending over documents by default due to Telegram sending over the API key, it may be worthwhile looking into possibly using an intermediary measure to translate the Telegram link to another hosting source.

We need more research on our options. We could do something fancy like integrate with Google Drive, but that type of storage seems more permanent than Telegram messages are meant for. Do you have some time to explore other ephemeral options?

Another possible measure would be to ask Telegram to change how bots send documents. This would fix many issues that I'm sure many other Telegram bots suffer from.

The upstream fix is the best but also hardest fix. Despite Telegram touting its open source roots, they do not have a transparent or accessible development community or place to share feedback.

[jwflory]

Someone popped into our developer chat and suggested Firefox Send as one possible option for this service. If it is possible to register an API key to send files through an API, this would be a nifty way of doing it. For example, maybe we could set files to expire after a week or a month, or offer that as a config option to the user.

Not sure if this is possible, but from a privacy point-of-view, Firefox Send would be a cool tool to integrate with here.