Enhance API access control and update Docker configuration

- Added port mapping to docker-compose for local development. - Modified the API to allow access from localhost without Telegram initData for local development. - Updated the web application to check for localhost before denying access based on initData.
2026-02-17 14:15:06 +03:00
parent 57c24a79af
commit 7cdf1edc34
3 changed files with 31 additions and 4 deletions
--- a/api/app.py
+++ b/api/app.py
@@ -2,7 +2,7 @@
 from pathlib import Path

 import config
-from fastapi import FastAPI, Header, HTTPException, Query
+from fastapi import FastAPI, Header, HTTPException, Query, Request
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.staticfiles import StaticFiles

@@ -23,12 +23,31 @@ app.add_middleware(

@app.get("/api/duties", response_model=list[DutyWithUser])
 def list_duties(
-    from_date: str = Query(..., description="ISO date YYYY-MM-DD"),
-    to_date: str = Query(..., description="ISO date YYYY-MM-DD"),
+    request: Request,
+    from_date: str = Query(..., description="ISO date YYYY-MM-DD", alias="from"),
+    to_date: str = Query(..., description="ISO date YYYY-MM-DD", alias="to"),
    x_telegram_init_data: str | None = Header(None, alias="X-Telegram-Init-Data"),
 ) -> list[DutyWithUser]:
    init_data = (x_telegram_init_data or "").strip()
    if not init_data:
+        # Allow access from localhost without Telegram initData (local dev only)
+        client_host = request.client.host if request.client else None
+        if client_host in ("127.0.0.1", "::1"):
+            session = get_session(config.DATABASE_URL)
+            try:
+                rows = get_duties(session, from_date=from_date, to_date=to_date)
+                return [
+                    DutyWithUser(
+                        id=duty.id,
+                        user_id=duty.user_id,
+                        start_at=duty.start_at,
+                        end_at=duty.end_at,
+                        full_name=full_name,
+                    )
+                    for duty, full_name in rows
+                ]
+            finally:
+                session.close()
        raise HTTPException(status_code=403, detail="Откройте календарь из Telegram")
    username = validate_init_data(init_data, config.BOT_TOKEN)
    if username is None:
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -4,6 +4,8 @@ services:
      context: .
      dockerfile: Dockerfile
    env_file: .env
+    ports:
+      - "${HTTP_PORT:-8080}:8080"
    volumes:
      - .:/app
    restart: "no"
--- a/webapp/app.js
+++ b/webapp/app.js
@@ -36,6 +36,11 @@
    return (window.Telegram && window.Telegram.WebApp && window.Telegram.WebApp.initData) || "";
  }

+  function isLocalhost() {
+    var h = window.location.hostname;
+    return h === "localhost" || h === "127.0.0.1" || h === "";
+  }
+
  function showAccessDenied() {
    if (headerEl) headerEl.hidden = true;
    if (weekdaysEl) weekdaysEl.hidden = true;
@@ -147,7 +152,8 @@
  }

  async function loadMonth() {
-    if (!getInitData()) {
+    var _initData = getInitData();
+    if (!_initData && !isLocalhost()) {
      showAccessDenied();
      return;
    }