Update configuration and access control for Telegram miniapp

- Added ALLOWED_USERNAMES and ADMIN_USERNAMES to .env.example for user access control. - Implemented validation of Telegram Web App initData in a new telegram_auth.py module. - Enhanced API to check user access before fetching duties. - Updated README with instructions for configuring miniapp access. - Modified .dockerignore and .gitignore to include data directory and database files.
2026-02-17 13:10:45 +03:00
parent d60a4fdf3f
commit 57c24a79af
10 changed files with 166 additions and 3 deletions
--- a/config.py
+++ b/config.py
@@ -14,3 +14,21 @@ DATABASE_URL = os.getenv("DATABASE_URL", "sqlite:///data/duty_teller.db")
 MINI_APP_BASE_URL = os.getenv("MINI_APP_BASE_URL", "").rstrip("/")
 HTTP_PORT = int(os.getenv("HTTP_PORT", "8080"))
 DATA_DIR = Path(__file__).resolve().parent / "data"
+
+# Miniapp access: comma-separated Telegram usernames (no @). Empty = no one allowed.
+_raw_allowed = os.getenv("ALLOWED_USERNAMES", "").strip()
+ALLOWED_USERNAMES = {s.strip().lstrip("@").lower() for s in _raw_allowed.split(",") if s.strip()}
+
+_raw_admin = os.getenv("ADMIN_USERNAMES", "").strip()
+ADMIN_USERNAMES = {s.strip().lstrip("@").lower() for s in _raw_admin.split(",") if s.strip()}
+
+
+def is_admin(username: str) -> bool:
+    """True if the given Telegram username (no @, any case) is in ADMIN_USERNAMES."""
+    return (username or "").strip().lower() in ADMIN_USERNAMES
+
+
+def can_access_miniapp(username: str) -> bool:
+    """True if username is in ALLOWED_USERNAMES or ADMIN_USERNAMES."""
+    u = (username or "").strip().lower()
+    return u in ALLOWED_USERNAMES or u in ADMIN_USERNAMES