Refactor configuration and enhance Telegram initData validation

- Improved formatting and readability in config.py and other files by adding line breaks.
- Introduced INIT_DATA_MAX_AGE_SECONDS to enforce replay protection for Telegram initData.
- Updated validate_init_data function to include max_age_seconds parameter for validation.
- Enhanced API to reject old initData based on the new max_age_seconds setting.
- Added tests for auth_date expiry and validation of initData in test_telegram_auth.py.
- Updated README with details on the new INIT_DATA_MAX_AGE_SECONDS configuration.

api/test_telegram_auth.py

@@ -1,19 +1,25 @@
 """Tests for api.telegram_auth.validate_init_data."""
+
 import hashlib
 import hmac
 import json
-from urllib.parse import quote, urlencode
+from urllib.parse import quote
 
-import pytest
 
 from api.telegram_auth import validate_init_data
 
 
-def _make_init_data(user: dict | None, bot_token: str) -> str:
+def _make_init_data(
+    user: dict | None,
+    bot_token: str,
+    auth_date: int | None = None,
+) -> str:
     """Build initData string with valid HMAC for testing."""
     params = {}
     if user is not None:
         params["user"] = quote(json.dumps(user))
+    if auth_date is not None:
+        params["auth_date"] = str(auth_date)
     pairs = sorted(params.items())
     data_string = "\n".join(f"{k}={v}" for k, v in pairs)
     secret_key = hmac.new(
@@ -82,3 +88,36 @@ def test_empty_bot_token_returns_none():
     user = {"id": 1, "username": "u"}
     init_data = _make_init_data(user, "token")
     assert validate_init_data(init_data, "") is None
+
+
+def test_auth_date_expiry_rejects_old_init_data():
+    """When max_age_seconds is set, initData older than that is rejected."""
+    import time as t
+
+    bot_token = "123:ABC"
+    user = {"id": 1, "username": "testuser"}
+    # auth_date 100 seconds ago
+    old_ts = int(t.time()) - 100
+    init_data = _make_init_data(user, bot_token, auth_date=old_ts)
+    assert validate_init_data(init_data, bot_token, max_age_seconds=60) is None
+    assert validate_init_data(init_data, bot_token, max_age_seconds=200) == "testuser"
+
+
+def test_auth_date_expiry_accepts_fresh_init_data():
+    """Fresh auth_date within max_age_seconds is accepted."""
+    import time as t
+
+    bot_token = "123:ABC"
+    user = {"id": 1, "username": "testuser"}
+    fresh_ts = int(t.time()) - 10
+    init_data = _make_init_data(user, bot_token, auth_date=fresh_ts)
+    assert validate_init_data(init_data, bot_token, max_age_seconds=60) == "testuser"
+
+
+def test_auth_date_expiry_requires_auth_date_when_max_age_set():
+    """When max_age_seconds is set but auth_date is missing, return None."""
+    bot_token = "123:ABC"
+    user = {"id": 1, "username": "testuser"}
+    init_data = _make_init_data(user, bot_token)  # no auth_date
+    assert validate_init_data(init_data, bot_token, max_age_seconds=86400) is None
+    assert validate_init_data(init_data, bot_token) == "testuser"