@www.hyperlinks.space/program-kit 1.2.181818 → 81.81.81

package/.env.example

@@ -0,0 +1,19 @@
+# Copy to .env and fill in. Used by bot (npm run bot:local) and optionally by Expo.
+# Do not commit .env.
+
+# Telegram bot (required for local bot; optional for Expo app)
+# Get token from @BotFather on Telegram
+BOT_TOKEN=1234567890:ABCdefGHIjklMNOpqrsTUVwxyz-EXAMPLE
+# Neon/Postgres connection string (from Neon dashboard)
+DATABASE_URL=postgresql://user:password@ep-xxx-xxx.region.aws.neon.tech/neondb?sslmode=require
+# OpenAI API key for /api/ai (required for AI responses). Get from https://platform.openai.com/api-keys
+OPENAI=sk-proj-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+# Optional: base URL for calling APIs in dev (used by app and bot).
+# Example for local Vercel dev: http://localhost:3000
+# EXPO_PUBLIC_API_BASE_URL=http://localhost:3000
+
+# Optional: Swap.Coffee API key for TON token info and routing.
+# COFFEE=your-swap-coffee-api-key
+# COFFEE_BASE_URL=https://api.swap.coffee
+# COFFEE_TOKENS_BASE_URL=https://tokens.swap.coffee

package/api/{base.ts → _base.ts}

@@ -5,7 +5,7 @@
  * - EXPO_PUBLIC_API_BASE_URL (explicit override for any environment)
  * - React Native / Expo Go dev: derive from dev server host (port 3000)
  * - Browser:
- *   - In dev: map localhost/LAN + dev port (8081/19000/19006) → port 3000
+ *   - In dev: map localhost/LAN + dev port (8081/19000/19006) -> port 3000
  *   - In prod: window.location.origin (e.g. https://hsbexpo.vercel.app)
  * - Node (no window): Vercel host if available, otherwise http://localhost:3000
  */

package/api/wallet/_auth.ts

@@ -0,0 +1,143 @@
+import crypto from 'crypto';
+import { normalizeUsername } from '../../database/users.js';
+
+type TelegramUserPayload = {
+  username?: string;
+  language_code?: string;
+  [key: string]: unknown;
+};
+
+type VerifiedInitData = {
+  user?: TelegramUserPayload;
+  [key: string]: unknown;
+};
+
+const TELEGRAM_WEBAPP_PUBLIC_KEY_RAW = Buffer.from(
+  'e7bf03a2fa4602af4580703d88dda5bb59f32ed8b02a56c187fe7d34caed242d',
+  'hex',
+);
+const ED25519_SPKI_HEADER = Buffer.from('302a300506032b6570032100', 'hex');
+const TELEGRAM_WEBAPP_PUBLIC_KEY = crypto.createPublicKey({
+  key: Buffer.concat([
+    ED25519_SPKI_HEADER,
+    Buffer.from([0]),
+    TELEGRAM_WEBAPP_PUBLIC_KEY_RAW,
+  ]),
+  format: 'der',
+  type: 'spki',
+});
+
+function verifyTelegramWebAppInitData(
+  initData: string,
+  botToken: string,
+  maxAgeSeconds: number = 24 * 3600,
+): VerifiedInitData | null {
+  if (!initData || !botToken) return null;
+  try {
+    const params = new URLSearchParams(initData);
+    const data: Record<string, string> = {};
+    for (const [key, value] of params.entries()) data[key] = value;
+
+    const authDateStr = data.auth_date;
+    if (authDateStr) {
+      const authDate = Number(authDateStr);
+      if (!Number.isFinite(authDate)) return null;
+      const now = Math.floor(Date.now() / 1000);
+      if (authDate > now + 60) return null;
+      if (maxAgeSeconds != null && now - authDate > maxAgeSeconds) return null;
+    }
+
+    const receivedHash = data.hash;
+    const receivedSignature = data.signature;
+
+    if (receivedHash) {
+      const dataForHash = { ...data };
+      delete dataForHash.hash;
+      const sorted = Object.keys(dataForHash)
+        .sort()
+        .map((k) => `${k}=${dataForHash[k]}`)
+        .join('\n');
+      const dataCheckString = Buffer.from(sorted, 'utf8');
+      const secretKey = crypto
+        .createHmac('sha256', 'WebAppData')
+        .update(botToken)
+        .digest();
+      const computedHash = crypto
+        .createHmac('sha256', secretKey)
+        .update(dataCheckString)
+        .digest('hex');
+      const valid =
+        receivedHash.length === computedHash.length &&
+        crypto.timingSafeEqual(
+          Buffer.from(receivedHash, 'hex'),
+          Buffer.from(computedHash, 'hex'),
+        );
+      if (!valid) return null;
+    } else if (receivedSignature) {
+      const botId = botToken.split(':')[0];
+      if (!botId) return null;
+      const dataForSig = { ...data };
+      delete dataForSig.hash;
+      delete dataForSig.signature;
+      const sorted = Object.keys(dataForSig)
+        .sort()
+        .map((k) => `${k}=${dataForSig[k]}`)
+        .join('\n');
+      const dataCheckString = `${botId}:WebAppData\n${sorted}`;
+      const base64 = receivedSignature.replace(/-/g, '+').replace(/_/g, '/');
+      const pad = (4 - (base64.length % 4)) % 4;
+      const sigBuffer = Buffer.from(base64 + '='.repeat(pad), 'base64');
+      const ok = crypto.verify(
+        null,
+        Buffer.from(dataCheckString, 'utf8'),
+        TELEGRAM_WEBAPP_PUBLIC_KEY,
+        sigBuffer,
+      );
+      if (!ok) return null;
+    } else {
+      return null;
+    }
+
+    const result: VerifiedInitData = { ...data };
+    delete result.hash;
+    delete result.signature;
+    if (data.user) {
+      try {
+        result.user = JSON.parse(data.user) as TelegramUserPayload;
+      } catch {
+        return null;
+      }
+    }
+    return result;
+  } catch {
+    return null;
+  }
+}
+
+export type AuthResult = {
+  telegramUsername: string;
+  locale: string | null;
+};
+
+export function authByInitData(initData: string): AuthResult {
+  const botToken = (process.env.BOT_TOKEN || '').trim();
+  if (!botToken) {
+    throw new Error('bot_token_not_configured');
+  }
+  const verified = verifyTelegramWebAppInitData(initData, botToken);
+  if (!verified) {
+    throw new Error('invalid_initdata');
+  }
+  const user =
+    verified.user && typeof verified.user === 'object'
+      ? (verified.user as TelegramUserPayload)
+      : {};
+  const telegramUsername = normalizeUsername(user.username);
+  if (!telegramUsername) {
+    throw new Error('username_required');
+  }
+  const locale =
+    typeof user.language_code === 'string' ? user.language_code : null;
+  return { telegramUsername, locale };
+}
+

package/api/wallet/register.ts

@@ -0,0 +1,151 @@
+import { registerWallet } from '../../database/wallets.js';
+import { upsertUserFromTma } from '../../database/users.js';
+import { authByInitData } from './_auth.js';
+
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+
+function jsonResponse(body: object, status: number): Response {
+  return new Response(JSON.stringify(body), { status, headers: JSON_HEADERS });
+}
+
+type RegisterRequestBody = {
+  initData?: unknown;
+  wallet_address?: unknown;
+  wallet_blockchain?: unknown;
+  wallet_net?: unknown;
+  type?: unknown;
+  label?: unknown;
+  source?: unknown;
+  [key: string]: unknown;
+};
+
+async function getBody(
+  request:
+    | Request
+    | {
+        json?: () => Promise<unknown>;
+        body?: unknown;
+      },
+): Promise<unknown> {
+  if (typeof (request as { json?: () => Promise<unknown> }).json === 'function') {
+    return (request as Request).json();
+  }
+  return (request as { body?: unknown }).body ?? null;
+}
+
+function hasSensitiveFields(body: RegisterRequestBody): boolean {
+  const forbidden = [
+    'mnemonic',
+    'seed',
+    'private_key',
+    'secret',
+    'secret_key',
+    'wallet_master_key',
+    'wallet_seed_cipher',
+  ];
+  return forbidden.some((key) => key in body);
+}
+
+function toTrimmedString(value: unknown): string {
+  return typeof value === 'string' ? value.trim() : '';
+}
+
+async function handler(request: Request): Promise<Response> {
+  const method = (request as { method?: string }).method ?? request.method;
+  if (method === 'GET') {
+    return jsonResponse(
+      {
+        ok: true,
+        endpoint: 'wallet/register',
+        use: 'POST with initData + public wallet fields',
+      },
+      200,
+    );
+  }
+  if (method !== 'POST') {
+    return new Response('Method Not Allowed', { status: 405 });
+  }
+
+  const rawBody = (await getBody(request)) as RegisterRequestBody | null;
+  if (!rawBody || typeof rawBody !== 'object') {
+    return jsonResponse({ ok: false, error: 'bad_json' }, 400);
+  }
+  if (hasSensitiveFields(rawBody)) {
+    return jsonResponse(
+      { ok: false, error: 'sensitive_fields_not_allowed' },
+      400,
+    );
+  }
+
+  const initData = toTrimmedString(rawBody.initData);
+  if (!initData) return jsonResponse({ ok: false, error: 'missing_initData' }, 400);
+
+  try {
+    const auth = authByInitData(initData);
+    await upsertUserFromTma({
+      telegramUsername: auth.telegramUsername,
+      locale: auth.locale,
+    });
+
+    const wallet_address = toTrimmedString(rawBody.wallet_address);
+    const wallet_blockchain = toTrimmedString(rawBody.wallet_blockchain);
+    const wallet_net = toTrimmedString(rawBody.wallet_net);
+    const type = toTrimmedString(rawBody.type);
+    const label = toTrimmedString(rawBody.label);
+    const source = toTrimmedString(rawBody.source);
+
+    if (!wallet_address || !wallet_blockchain || !wallet_net || !type) {
+      return jsonResponse(
+        {
+          ok: false,
+          error:
+            'required_fields_missing (wallet_address, wallet_blockchain, wallet_net, type)',
+        },
+        400,
+      );
+    }
+
+    const wallet = await registerWallet({
+      telegramUsername: auth.telegramUsername,
+      walletAddress: wallet_address,
+      walletBlockchain: wallet_blockchain,
+      walletNet: wallet_net,
+      type,
+      label: label || null,
+      source: source || null,
+      isDefault: true,
+    });
+
+    if (!wallet) {
+      return jsonResponse({ ok: false, error: 'wallet_register_failed' }, 500);
+    }
+
+    return jsonResponse(
+      {
+        ok: true,
+        telegram_username: auth.telegramUsername,
+        has_wallet: true,
+        wallet: {
+          id: wallet.id,
+          wallet_address: wallet.wallet_address,
+          wallet_blockchain: wallet.wallet_blockchain,
+          wallet_net: wallet.wallet_net,
+          type: wallet.type,
+          label: wallet.label,
+          is_default: wallet.is_default,
+          source: wallet.source,
+        },
+      },
+      200,
+    );
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : 'internal_error';
+    const status = msg === 'bot_token_not_configured' ? 500 : msg === 'invalid_initdata' ? 401 : 400;
+    return jsonResponse({ ok: false, error: msg }, status);
+  }
+}
+
+export default handler;
+export const GET = handler;
+export const POST = handler;
+

package/api/wallet/status.ts

@@ -0,0 +1,89 @@
+import { getDefaultWalletByUsername } from '../../database/wallets.js';
+import { upsertUserFromTma } from '../../database/users.js';
+import { authByInitData } from './_auth.js';
+
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+
+function jsonResponse(body: object, status: number): Response {
+  return new Response(JSON.stringify(body), { status, headers: JSON_HEADERS });
+}
+
+async function getBody(
+  request:
+    | Request
+    | {
+        json?: () => Promise<unknown>;
+        body?: unknown;
+      },
+): Promise<unknown> {
+  if (typeof (request as { json?: () => Promise<unknown> }).json === 'function') {
+    return (request as Request).json();
+  }
+  return (request as { body?: unknown }).body ?? null;
+}
+
+async function handler(request: Request): Promise<Response> {
+  const method = (request as { method?: string }).method ?? request.method;
+  if (method === 'GET') {
+    return jsonResponse(
+      { ok: true, endpoint: 'wallet/status', use: 'POST with initData' },
+      200,
+    );
+  }
+  if (method !== 'POST') {
+    return new Response('Method Not Allowed', { status: 405 });
+  }
+
+  const body = (await getBody(request)) as { initData?: unknown } | null;
+  const initData = typeof body?.initData === 'string' ? body.initData : '';
+  if (!initData) return jsonResponse({ ok: false, error: 'missing_initData' }, 400);
+
+  try {
+    const auth = authByInitData(initData);
+    await upsertUserFromTma({
+      telegramUsername: auth.telegramUsername,
+      locale: auth.locale,
+    });
+
+    const wallet = await getDefaultWalletByUsername(auth.telegramUsername);
+    if (!wallet) {
+      return jsonResponse(
+        {
+          ok: true,
+          telegram_username: auth.telegramUsername,
+          has_wallet: false,
+          wallet_required: true,
+        },
+        200,
+      );
+    }
+
+    return jsonResponse(
+      {
+        ok: true,
+        telegram_username: auth.telegramUsername,
+        has_wallet: true,
+        wallet: {
+          id: wallet.id,
+          wallet_address: wallet.wallet_address,
+          wallet_blockchain: wallet.wallet_blockchain,
+          wallet_net: wallet.wallet_net,
+          type: wallet.type,
+          label: wallet.label,
+          is_default: wallet.is_default,
+          source: wallet.source,
+        },
+      },
+      200,
+    );
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : 'internal_error';
+    const status = msg === 'bot_token_not_configured' ? 500 : msg === 'invalid_initdata' ? 401 : 400;
+    return jsonResponse({ ok: false, error: msg }, status);
+  }
+}
+
+export default handler;
+export const GET = handler;
+export const POST = handler;
+