Update configuration and access control for Telegram miniapp

- Added ALLOWED_USERNAMES and ADMIN_USERNAMES to .env.example for user access control.
- Implemented validation of Telegram Web App initData in a new telegram_auth.py module.
- Enhanced API to check user access before fetching duties.
- Updated README with instructions for configuring miniapp access.
- Modified .dockerignore and .gitignore to include data directory and database files.

api/app.py

@@ -2,13 +2,14 @@
 from pathlib import Path
 
 import config
-from fastapi import FastAPI, Query
+from fastapi import FastAPI, Header, HTTPException, Query
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.staticfiles import StaticFiles
 
 from db.session import get_session
 from db.repository import get_duties
 from db.schemas import DutyWithUser
+from api.telegram_auth import validate_init_data
 
 app = FastAPI(title="Duty Teller API")
 app.add_middleware(
@@ -24,7 +25,16 @@ app.add_middleware(
 def list_duties(
     from_date: str = Query(..., description="ISO date YYYY-MM-DD"),
     to_date: str = Query(..., description="ISO date YYYY-MM-DD"),
+    x_telegram_init_data: str | None = Header(None, alias="X-Telegram-Init-Data"),
 ) -> list[DutyWithUser]:
+    init_data = (x_telegram_init_data or "").strip()
+    if not init_data:
+        raise HTTPException(status_code=403, detail="Откройте календарь из Telegram")
+    username = validate_init_data(init_data, config.BOT_TOKEN)
+    if username is None:
+        raise HTTPException(status_code=403, detail="Неверные данные авторизации")
+    if not config.can_access_miniapp(username):
+        raise HTTPException(status_code=403, detail="Доступ запрещён")
     session = get_session(config.DATABASE_URL)
     try:
         rows = get_duties(session, from_date=from_date, to_date=to_date)