Enhance API and configuration for Telegram miniapp

- Added support for CORS origins and a new environment variable for miniapp access control. - Implemented date validation for API requests to ensure correct date formats. - Updated FastAPI app to allow access without Telegram initData for local development. - Enhanced error handling and logging for better debugging. - Added tests for API functionality and Telegram initData validation. - Updated README with new environment variable details and testing instructions. - Modified Docker and Git ignore files to include additional directories and files.
2026-02-17 17:21:35 +03:00
parent 7cdf1edc34
commit 5dc8c8f255
19 changed files with 447 additions and 64 deletions
--- a/config.py
+++ b/config.py
@@ -22,6 +22,13 @@ ALLOWED_USERNAMES = {s.strip().lstrip("@").lower() for s in _raw_allowed.split("
 _raw_admin = os.getenv("ADMIN_USERNAMES", "").strip()
 ADMIN_USERNAMES = {s.strip().lstrip("@").lower() for s in _raw_admin.split(",") if s.strip()}

+# Dev only: set to 1 to allow /api/duties without Telegram initData (insecure, no user check).
+MINI_APP_SKIP_AUTH = os.getenv("MINI_APP_SKIP_AUTH", "").strip() in ("1", "true", "yes")
+
+# CORS: comma-separated origins, or empty/"*" for allow all. For production, set to MINI_APP_BASE_URL or specific origins.
+_raw_cors = os.getenv("CORS_ORIGINS", "").strip()
+CORS_ORIGINS = [_o.strip() for _o in _raw_cors.split(",") if _o.strip()] if _raw_cors and _raw_cors != "*" else ["*"]
+

 def is_admin(username: str) -> bool:
    """True if the given Telegram username (no @, any case) is in ADMIN_USERNAMES."""