whekin/household-bot
1
0
Fork 0
mirror of https://github.com/whekin/household-bot.git synced 2026-04-01 05:54:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(review): harden miniapp auth and finance flows

Browse Source
This commit is contained in:
whekin
2026-03-09 00:30:31 +04:00
parent 91a040f2ee
commit c8b17136be
22 changed files with 327 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
apps/bot/src/telegram-miniapp-auth.test.ts
View File

@@ -1,30 +1,12 @@
import { describe, expect, test } from 'bun:test'
import { createHmac } from 'node:crypto'
import { verifyTelegramMiniAppInitData } from './telegram-miniapp-auth'
function buildInitData(botToken: string, authDate: number, user: object): string {
const params = new URLSearchParams()
params.set('auth_date', authDate.toString())
params.set('query_id', 'AAHdF6IQAAAAAN0XohDhrOrc')
params.set('user', JSON.stringify(user))
const dataCheckString = [...params.entries()]
.sort(([left], [right]) => left.localeCompare(right))
.map(([key, value]) => `${key}=${value}`)
.join('\n')
const secretKey = createHmac('sha256', 'WebAppData').update(botToken).digest()
const hash = createHmac('sha256', secretKey).update(dataCheckString).digest('hex')
params.set('hash', hash)
return params.toString()
}
import { buildMiniAppInitData } from './telegram-miniapp-test-helpers'
describe('verifyTelegramMiniAppInitData', () => {
test('verifies valid init data and extracts user payload', () => {
const now = new Date('2026-03-08T12:00:00.000Z')
const initData = buildInitData('test-bot-token', Math.floor(now.getTime() / 1000), {
const initData = buildMiniAppInitData('test-bot-token', Math.floor(now.getTime() / 1000), {
id: 123456,
first_name: 'Stan',
username: 'stanislav'
@@ -44,7 +26,7 @@ describe('verifyTelegramMiniAppInitData', () => {
test('rejects invalid hash', () => {
const now = new Date('2026-03-08T12:00:00.000Z')
const params = new URLSearchParams(
buildInitData('test-bot-token', Math.floor(now.getTime() / 1000), {
buildMiniAppInitData('test-bot-token', Math.floor(now.getTime() / 1000), {
id: 123456,
first_name: 'Stan'
})
@@ -58,7 +40,23 @@ describe('verifyTelegramMiniAppInitData', () => {
test('rejects expired init data', () => {
const now = new Date('2026-03-08T12:00:00.000Z')
const initData = buildInitData('test-bot-token', Math.floor(now.getTime() / 1000) - 7200, {
const initData = buildMiniAppInitData(
'test-bot-token',
Math.floor(now.getTime() / 1000) - 7200,
{
id: 123456,
first_name: 'Stan'
}
)
const result = verifyTelegramMiniAppInitData(initData, 'test-bot-token', now, 3600)
expect(result).toBeNull()
})
test('rejects init data timestamps from the future', () => {
const now = new Date('2026-03-08T12:00:00.000Z')
const initData = buildMiniAppInitData('test-bot-token', Math.floor(now.getTime() / 1000) + 5, {
id: 123456,
first_name: 'Stan'
})