@lumiapassport/ui-kit 1.9.3 → 1.10.1

package/dist/iframe/_headers

@@ -6,8 +6,11 @@
   # IMPORTANT: frame-ancestors 'https:' allows embedding on any HTTPS site
   # Domain validation is performed via projectId check in JavaScript
   # connect-src whitelist: only allowed TSS servers (where the second key share is stored) and lumiapassport.com subdomains
+  # script-src: Added https://telegram.org for Telegram Login Widget
+  # script-src: Added 'unsafe-eval' required by Telegram Widget (uses eval for callbacks)
+  # frame-src: Added https://oauth.telegram.org for Telegram OAuth iframe
   # NOTE: http://localhost:* in frame-ancestors is for development testing only
-  Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self'; connect-src 'self' https://*.lumiapassport.com; frame-ancestors https: http://localhost:*; base-uri 'self'; form-action 'self';
+  Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' https://telegram.org; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self'; connect-src 'self' https://*.lumiapassport.com; frame-src https://oauth.telegram.org; frame-ancestors https: http://localhost:*; base-uri 'self'; form-action 'self';
 
   # Allow iframe embedding from HTTPS sites (domain validation in JS)
   # X-Frame-Options is NOT set (CSP frame-ancestors takes precedence)

package/dist/iframe/index.html

@@ -10,12 +10,12 @@
     <!-- WARNING: localhost is allowed ONLY for local development, production CSP in _headers is stricter -->
     <meta
       http-equiv="Content-Security-Policy"
-      content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self'; connect-src 'self' http://localhost:* https://*.lumiapassport.com; base-uri 'self'; form-action 'self';"
+      content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' https://telegram.org; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self'; connect-src 'self' http://localhost:* https://*.lumiapassport.com; frame-src https://oauth.telegram.org; base-uri 'self'; form-action 'self';"
     />
     <meta http-equiv="X-Content-Type-Options" content="nosniff" />
     <meta http-equiv="Referrer-Policy" content="strict-origin-when-cross-origin" />
 
-    <title>Lumia Passport Secure Wallet - iframe version 1.9.3</title>
+    <title>Lumia Passport Secure Wallet - iframe version 1.10.1</title>
 
     <!-- Styles will be injected by build process -->
     <style>

package/dist/iframe/main.js

@@ -3947,7 +3947,7 @@ var BackupManager = class {
 };
 
 // src/iframe/main.ts
-var IFRAME_VERSION = "1.9.3";
+var IFRAME_VERSION = "1.10.1";
 var IframeWallet = class {
   constructor() {
     console.log("=".repeat(60));

package/dist/iframe/oauth/telegram.html

@@ -0,0 +1,128 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Telegram Login - Lumia Passport</title>
+
+    <style>
+      * {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      body {
+        font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Helvetica', 'Arial', sans-serif;
+        background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+        color: #333;
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        padding: 2rem;
+      }
+
+      .container {
+        background: white;
+        border-radius: 16px;
+        padding: 3rem 2rem;
+        max-width: 450px;
+        width: 100%;
+        box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
+        text-align: center;
+      }
+
+      .logo {
+        width: 80px;
+        height: 80px;
+        margin: 0 auto 1.5rem;
+        background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+        border-radius: 50%;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        font-size: 2.5rem;
+        color: white;
+        font-weight: bold;
+      }
+
+      h1 {
+        font-size: 1.75rem;
+        margin-bottom: 0.5rem;
+        color: #333;
+      }
+
+      p {
+        color: #666;
+        margin-bottom: 2rem;
+        line-height: 1.5;
+      }
+
+      #telegram-widget-container {
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        min-height: 80px;
+        margin: 2rem 0;
+      }
+
+      .loading {
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        gap: 1rem;
+      }
+
+      .spinner {
+        width: 40px;
+        height: 40px;
+        border: 4px solid rgba(102, 126, 234, 0.3);
+        border-top-color: #667eea;
+        border-radius: 50%;
+        animation: spin 1s linear infinite;
+      }
+
+      @keyframes spin {
+        to { transform: rotate(360deg); }
+      }
+
+      .error {
+        background: #fee;
+        border: 1px solid #fcc;
+        border-radius: 8px;
+        padding: 1rem;
+        color: #c33;
+        margin-top: 1rem;
+      }
+
+      .footer {
+        margin-top: 2rem;
+        padding-top: 1.5rem;
+        border-top: 1px solid #e0e0e0;
+        font-size: 0.875rem;
+        color: #999;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <div class="logo">L</div>
+      <h1>Sign in with Telegram</h1>
+      <p>Click the button below to authenticate with your Telegram account</p>
+
+      <div id="telegram-widget-container">
+        <div class="loading">
+          <div class="spinner"></div>
+          <p>Loading Telegram widget...</p>
+        </div>
+      </div>
+
+      <div class="footer">
+        <p>You can close this window after authentication</p>
+      </div>
+    </div>
+
+    <script src="./telegram.js"></script>
+  </body>
+</html>

package/dist/iframe/oauth/telegram.js

@@ -0,0 +1,112 @@
+/**
+ * Telegram OAuth Popup Script
+ * Handles Telegram Login Widget integration in popup window
+ */
+
+// Get bot username from URL parameter
+const urlParams = new URLSearchParams(window.location.search);
+const BOT_USERNAME = urlParams.get('bot');
+
+console.log('[Telegram OAuth] Initializing with bot:', BOT_USERNAME);
+
+// Setup callback for Telegram widget
+window.onTelegramAuth = function(user) {
+  console.log('[Telegram OAuth] Authentication successful:', user);
+
+  try {
+    // Send data to opener window
+    if (window.opener) {
+      window.opener.postMessage({
+        type: 'TELEGRAM_AUTH_SUCCESS',
+        provider: 'telegram',
+        user: user
+      }, '*');
+
+      // Show success message
+      const container = document.getElementById('telegram-widget-container');
+      if (container) {
+        container.innerHTML = `
+          <div style="color: #10b981; font-weight: 500;">
+            ✓ Authentication successful!<br>
+            <small style="color: #666;">Closing window...</small>
+          </div>
+        `;
+      }
+
+      // Close popup after short delay
+      setTimeout(() => {
+        window.close();
+      }, 1500);
+    } else {
+      throw new Error('No opener window found');
+    }
+  } catch (error) {
+    console.error('[Telegram OAuth] Error:', error);
+    showError('Failed to communicate with parent window');
+  }
+};
+
+function showError(message) {
+  const container = document.getElementById('telegram-widget-container');
+  if (container) {
+    container.innerHTML = `
+      <div class="error">
+        <strong>Error:</strong> ${message}
+      </div>
+    `;
+  }
+}
+
+// Load Telegram Login Widget
+function loadTelegramWidget() {
+  if (!BOT_USERNAME) {
+    showError('Bot username not configured. Pass ?bot=username in URL parameter.');
+    return;
+  }
+
+  const container = document.getElementById('telegram-widget-container');
+  if (!container) {
+    return;
+  }
+
+  // Clear loading indicator
+  container.innerHTML = '';
+
+  // Create script element for Telegram widget
+  const script = document.createElement('script');
+  script.async = true;
+  script.src = 'https://telegram.org/js/telegram-widget.js?22';
+  script.setAttribute('data-telegram-login', BOT_USERNAME);
+  script.setAttribute('data-size', 'large');
+  script.setAttribute('data-userpic', 'true');
+  script.setAttribute('data-onauth', 'onTelegramAuth(user)');
+  script.setAttribute('data-request-access', 'write');
+
+  script.onload = () => {
+    console.log('[Telegram OAuth] Widget loaded successfully');
+  };
+
+  script.onerror = (error) => {
+    console.error('[Telegram OAuth] Failed to load widget:', error);
+    showError('Failed to load Telegram widget');
+  };
+
+  container.appendChild(script);
+}
+
+// Load widget when DOM is ready
+if (document.readyState === 'loading') {
+  document.addEventListener('DOMContentLoaded', loadTelegramWidget);
+} else {
+  loadTelegramWidget();
+}
+
+// Handle popup closing without authentication
+window.addEventListener('beforeunload', () => {
+  if (window.opener) {
+    window.opener.postMessage({
+      type: 'TELEGRAM_AUTH_CANCELLED',
+      provider: 'telegram'
+    }, '*');
+  }
+});