"""Tests for api.telegram_auth.validate_init_data.""" import hashlib import hmac import json from urllib.parse import quote, unquote from api.telegram_auth import validate_init_data def _make_init_data( user: dict | None, bot_token: str, auth_date: int | None = None, ) -> str: """Build initData string with valid HMAC for testing.""" params = {} if user is not None: params["user"] = quote(json.dumps(user)) if auth_date is not None: params["auth_date"] = str(auth_date) pairs = sorted(params.items()) data_string = "\n".join(f"{k}={unquote(v)}" for k, v in pairs) secret_key = hmac.new( b"WebAppData", msg=bot_token.encode(), digestmod=hashlib.sha256, ).digest() computed = hmac.new( secret_key, msg=data_string.encode(), digestmod=hashlib.sha256, ).hexdigest() params["hash"] = computed return "&".join(f"{k}={v}" for k, v in sorted(params.items())) def test_valid_payload_returns_username(): bot_token = "123:ABC" user = {"id": 123, "username": "testuser", "first_name": "Test"} init_data = _make_init_data(user, bot_token) assert validate_init_data(init_data, bot_token) == "testuser" def test_valid_payload_username_lowercase(): bot_token = "123:ABC" user = {"id": 123, "username": "TestUser", "first_name": "Test"} init_data = _make_init_data(user, bot_token) assert validate_init_data(init_data, bot_token) == "testuser" def test_invalid_hash_returns_none(): bot_token = "123:ABC" user = {"id": 123, "username": "testuser"} init_data = _make_init_data(user, bot_token) # Tamper with hash init_data = init_data.replace("hash=", "hash=x") assert validate_init_data(init_data, bot_token) is None def test_wrong_bot_token_returns_none(): bot_token = "123:ABC" user = {"id": 123, "username": "testuser"} init_data = _make_init_data(user, bot_token) assert validate_init_data(init_data, "other:token") is None def test_missing_user_returns_none(): bot_token = "123:ABC" init_data = _make_init_data(None, bot_token) # no user key assert validate_init_data(init_data, bot_token) is None def test_user_without_username_returns_none(): bot_token = "123:ABC" user = {"id": 123, "first_name": "Test"} # no username init_data = _make_init_data(user, bot_token) assert validate_init_data(init_data, bot_token) is None def test_empty_init_data_returns_none(): assert validate_init_data("", "token") is None assert validate_init_data(" ", "token") is None def test_empty_bot_token_returns_none(): user = {"id": 1, "username": "u"} init_data = _make_init_data(user, "token") assert validate_init_data(init_data, "") is None def test_auth_date_expiry_rejects_old_init_data(): """When max_age_seconds is set, initData older than that is rejected.""" import time as t bot_token = "123:ABC" user = {"id": 1, "username": "testuser"} # auth_date 100 seconds ago old_ts = int(t.time()) - 100 init_data = _make_init_data(user, bot_token, auth_date=old_ts) assert validate_init_data(init_data, bot_token, max_age_seconds=60) is None assert validate_init_data(init_data, bot_token, max_age_seconds=200) == "testuser" def test_auth_date_expiry_accepts_fresh_init_data(): """Fresh auth_date within max_age_seconds is accepted.""" import time as t bot_token = "123:ABC" user = {"id": 1, "username": "testuser"} fresh_ts = int(t.time()) - 10 init_data = _make_init_data(user, bot_token, auth_date=fresh_ts) assert validate_init_data(init_data, bot_token, max_age_seconds=60) == "testuser" def test_auth_date_expiry_requires_auth_date_when_max_age_set(): """When max_age_seconds is set but auth_date is missing, return None.""" bot_token = "123:ABC" user = {"id": 1, "username": "testuser"} init_data = _make_init_data(user, bot_token) # no auth_date assert validate_init_data(init_data, bot_token, max_age_seconds=86400) is None assert validate_init_data(init_data, bot_token) == "testuser"