Refactor Telegram bot and web application for improved functionality

- Disabled the default menu button in the Telegram bot, allowing users to access the app via a direct link.
- Updated the initData validation process to ensure URL-decoded values are used in the data-check string.
- Enhanced error handling in the web application to provide more informative access denial messages.
- Removed unnecessary debug information from the access denied section in the web app.
- Cleaned up the web application code by removing unused functions and improving CSS styles for hidden elements.

webapp/app.js

@@ -77,14 +77,6 @@
     return "";
   }
 
-  function getInitDataDebug() {
-    var sdk = !!(window.Telegram && window.Telegram.WebApp && window.Telegram.WebApp.initData);
-    var hash = window.location.hash ? window.location.hash.slice(1) : "";
-    var hashHasData = !!(hash && (getTgWebAppDataFromHash(hash) || new URLSearchParams(hash).get("tgWebAppData")));
-    var queryHasData = !!(window.location.search && new URLSearchParams(window.location.search).get("tgWebAppData"));
-    return "SDK: " + (sdk ? "да" : "нет") + ", hash: " + (hashHasData ? hash.length + " симв." : (hash ? "есть, без tgWebAppData" : "нет")) + ", query: " + (queryHasData ? "да" : "нет");
-  }
-
   function isLocalhost() {
     var h = window.location.hostname;
     return h === "localhost" || h === "127.0.0.1" || h === "";
@@ -101,8 +93,8 @@
     } catch (e) { return false; }
   }
 
-  function showAccessDenied() {
-    var debugStr = getInitDataDebug();
+  /** @param {string} [serverDetail] - message from API 403 detail (unused; kept for callers) */
+  function showAccessDenied(serverDetail) {
     if (headerEl) headerEl.hidden = true;
     if (weekdaysEl) weekdaysEl.hidden = true;
     calendarEl.hidden = true;
@@ -110,14 +102,6 @@
     loadingEl.classList.add("hidden");
     errorEl.hidden = true;
     accessDeniedEl.hidden = false;
-    var debugEl = document.getElementById("accessDeniedDebug");
-    if (debugEl) debugEl.textContent = debugStr;
-    var hintEl = document.getElementById("accessDeniedHint");
-    if (hintEl) {
-      hintEl.textContent = hasTelegramHashButNoInitData()
-        ? "Откройте календарь через кнопку меню бота (⋮ или «Календарь»), а не через «Открыть в браузере» или прямую ссылку."
-        : "Откройте календарь из Telegram.";
-    }
   }
 
   function hideAccessDenied() {
@@ -138,7 +122,18 @@
     var timeoutId = setTimeout(function () { controller.abort(); }, FETCH_TIMEOUT_MS);
     try {
       var res = await fetch(url, { headers: headers, signal: controller.signal });
-      if (res.status === 403) throw new Error("ACCESS_DENIED");
+      if (res.status === 403) {
+        var detail = "Доступ запрещён";
+        try {
+          var body = await res.json();
+          if (body && body.detail !== undefined) {
+            detail = typeof body.detail === "string" ? body.detail : (body.detail.msg || JSON.stringify(body.detail));
+          }
+        } catch (parseErr) { /* ignore */ }
+        var err = new Error("ACCESS_DENIED");
+        err.serverDetail = detail;
+        throw err;
+      }
       if (!res.ok) throw new Error("Ошибка загрузки");
       return res.json();
     } catch (e) {
@@ -281,7 +276,7 @@
       renderDutyList(duties);
     } catch (e) {
       if (e.message === "ACCESS_DENIED") {
-        showAccessDenied();
+        showAccessDenied(e.serverDetail);
         setNavEnabled(true);
         if (window.Telegram && window.Telegram.WebApp && !window._initDataRetried) {
           window._initDataRetried = true;
@@ -298,10 +293,12 @@
   }
 
   document.getElementById("prevMonth").addEventListener("click", function () {
+    if (!accessDeniedEl.hidden) return;
     current.setMonth(current.getMonth() - 1);
     loadMonth();
   });
   document.getElementById("nextMonth").addEventListener("click", function () {
+    if (!accessDeniedEl.hidden) return;
     current.setMonth(current.getMonth() + 1);
     loadMonth();
   });

webapp/index.html

@@ -22,8 +22,6 @@
     <div class="error" id="error" hidden></div>
     <div class="access-denied" id="accessDenied" hidden>
       <p>Доступ запрещён.</p>
-      <p class="muted" id="accessDeniedHint">Откройте календарь из Telegram.</p>
-      <p class="debug" id="accessDeniedDebug"></p>
     </div>
   </div>
   <script src="https://telegram.org/js/telegram-web-app.js"></script>

webapp/style.css

@@ -36,6 +36,11 @@ body {
   margin-bottom: 12px;
 }
 
+.header[hidden],
+.weekdays[hidden] {
+  display: none !important;
+}
+
 .nav {
   width: 40px;
   height: 40px;
@@ -166,12 +171,6 @@ body {
   font-weight: 600;
 }
 
-.access-denied .debug {
-  font-size: 0.75rem;
-  margin-top: 12px;
-  word-break: break-all;
-}
-
 .access-denied[hidden] {
   display: none !important;
 }