Enhance API access control and update Docker configuration

- Added port mapping to docker-compose for local development.
- Modified the API to allow access from localhost without Telegram initData for local development.
- Updated the web application to check for localhost before denying access based on initData.

api/app.py

@@ -2,7 +2,7 @@
 from pathlib import Path
 
 import config
-from fastapi import FastAPI, Header, HTTPException, Query
+from fastapi import FastAPI, Header, HTTPException, Query, Request
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.staticfiles import StaticFiles
 
@@ -23,12 +23,31 @@ app.add_middleware(
 
 @app.get("/api/duties", response_model=list[DutyWithUser])
 def list_duties(
-    from_date: str = Query(..., description="ISO date YYYY-MM-DD"),
+    request: Request,
-    to_date: str = Query(..., description="ISO date YYYY-MM-DD"),
+    from_date: str = Query(..., description="ISO date YYYY-MM-DD", alias="from"),
+    to_date: str = Query(..., description="ISO date YYYY-MM-DD", alias="to"),
     x_telegram_init_data: str | None = Header(None, alias="X-Telegram-Init-Data"),
 ) -> list[DutyWithUser]:
     init_data = (x_telegram_init_data or "").strip()
     if not init_data:
+        # Allow access from localhost without Telegram initData (local dev only)
+        client_host = request.client.host if request.client else None
+        if client_host in ("127.0.0.1", "::1"):
+            session = get_session(config.DATABASE_URL)
+            try:
+                rows = get_duties(session, from_date=from_date, to_date=to_date)
+                return [
+                    DutyWithUser(
+                        id=duty.id,
+                        user_id=duty.user_id,
+                        start_at=duty.start_at,
+                        end_at=duty.end_at,
+                        full_name=full_name,
+                    )
+                    for duty, full_name in rows
+                ]
+            finally:
+                session.close()
         raise HTTPException(status_code=403, detail="Откройте календарь из Telegram")
     username = validate_init_data(init_data, config.BOT_TOKEN)
     if username is None:

docker-compose.dev.yml

@@ -4,6 +4,8 @@ services:
       context: .
       dockerfile: Dockerfile
     env_file: .env
+    ports:
+      - "${HTTP_PORT:-8080}:8080"
     volumes:
       - .:/app
     restart: "no"

webapp/app.js

@@ -36,6 +36,11 @@
     return (window.Telegram && window.Telegram.WebApp && window.Telegram.WebApp.initData) || "";
   }
 
+  function isLocalhost() {
+    var h = window.location.hostname;
+    return h === "localhost" || h === "127.0.0.1" || h === "";
+  }
+
   function showAccessDenied() {
     if (headerEl) headerEl.hidden = true;
     if (weekdaysEl) weekdaysEl.hidden = true;
@@ -147,7 +152,8 @@
   }
 
   async function loadMonth() {
-    if (!getInitData()) {
+    var _initData = getInitData();
+    if (!_initData && !isLocalhost()) {
       showAccessDenied();
       return;
     }