Enhance API and configuration for Telegram miniapp

- Added support for CORS origins and a new environment variable for miniapp access control. - Implemented date validation for API requests to ensure correct date formats. - Updated FastAPI app to allow access without Telegram initData for local development. - Enhanced error handling and logging for better debugging. - Added tests for API functionality and Telegram initData validation. - Updated README with new environment variable details and testing instructions. - Modified Docker and Git ignore files to include additional directories and files.
2026-02-17 17:21:35 +03:00
parent 7cdf1edc34
commit 5dc8c8f255
19 changed files with 447 additions and 64 deletions
--- a/api/test_telegram_auth.py
+++ b/api/test_telegram_auth.py
@@ -0,0 +1,84 @@
+"""Tests for api.telegram_auth.validate_init_data."""
+import hashlib
+import hmac
+import json
+from urllib.parse import quote, urlencode
+
+import pytest
+
+from api.telegram_auth import validate_init_data
+
+
+def _make_init_data(user: dict | None, bot_token: str) -> str:
+    """Build initData string with valid HMAC for testing."""
+    params = {}
+    if user is not None:
+        params["user"] = quote(json.dumps(user))
+    pairs = sorted(params.items())
+    data_string = "\n".join(f"{k}={v}" for k, v in pairs)
+    secret_key = hmac.new(
+        b"WebAppData",
+        msg=bot_token.encode(),
+        digestmod=hashlib.sha256,
+    ).digest()
+    computed = hmac.new(
+        secret_key,
+        msg=data_string.encode(),
+        digestmod=hashlib.sha256,
+    ).hexdigest()
+    params["hash"] = computed
+    return "&".join(f"{k}={v}" for k, v in sorted(params.items()))
+
+
+def test_valid_payload_returns_username():
+    bot_token = "123:ABC"
+    user = {"id": 123, "username": "testuser", "first_name": "Test"}
+    init_data = _make_init_data(user, bot_token)
+    assert validate_init_data(init_data, bot_token) == "testuser"
+
+
+def test_valid_payload_username_lowercase():
+    bot_token = "123:ABC"
+    user = {"id": 123, "username": "TestUser", "first_name": "Test"}
+    init_data = _make_init_data(user, bot_token)
+    assert validate_init_data(init_data, bot_token) == "testuser"
+
+
+def test_invalid_hash_returns_none():
+    bot_token = "123:ABC"
+    user = {"id": 123, "username": "testuser"}
+    init_data = _make_init_data(user, bot_token)
+    # Tamper with hash
+    init_data = init_data.replace("hash=", "hash=x")
+    assert validate_init_data(init_data, bot_token) is None
+
+
+def test_wrong_bot_token_returns_none():
+    bot_token = "123:ABC"
+    user = {"id": 123, "username": "testuser"}
+    init_data = _make_init_data(user, bot_token)
+    assert validate_init_data(init_data, "other:token") is None
+
+
+def test_missing_user_returns_none():
+    bot_token = "123:ABC"
+    init_data = _make_init_data(None, bot_token)  # no user key
+    assert validate_init_data(init_data, bot_token) is None
+
+
+def test_user_without_username_returns_none():
+    bot_token = "123:ABC"
+    user = {"id": 123, "first_name": "Test"}  # no username
+    init_data = _make_init_data(user, bot_token)
+    assert validate_init_data(init_data, bot_token) is None
+
+
+def test_empty_init_data_returns_none():
+    assert validate_init_data("", "token") is None
+    assert validate_init_data("   ", "token") is None
+
+
+def test_empty_bot_token_returns_none():
+    user = {"id": 1, "username": "u"}
+    init_data = _make_init_data(user, "token")
+    assert validate_init_data(init_data, "") is None