@www.hyperlinks.space/program-kit 1.2.91881 → 81.81.81

package/app/index.tsx

@@ -1,8 +1,288 @@
-import { Text, View } from "react-native";
+import { useCallback, useEffect, useState } from "react";
+import { Button, Text, View } from "react-native";
 import { useTelegram } from "../ui/components/Telegram";
+import {
+  createSeedCipher,
+  deriveAddressFromMnemonic,
+  deriveMasterKeyFromMnemonic,
+  generateMnemonic,
+} from "../services/wallet/tonWallet";
+
+type CreateStep = "idle" | "saving" | "done";
+
+type TelegramWebAppBridge = {
+  SecureStorage?: {
+    setItem?: (key: string, value: string, callback?: (err: unknown, stored?: boolean) => void) => void;
+  };
+  DeviceStorage?: {
+    setItem?: (key: string, value: string, callback?: (err: unknown, stored?: boolean) => void) => void;
+  };
+  CloudStorage?: {
+    setItem?: (key: string, value: string, callback?: (err: unknown, stored?: boolean) => void) => void;
+  };
+  onEvent?: (eventType: string, callback: (...args: unknown[]) => void) => void;
+  offEvent?: (eventType: string, callback: (...args: unknown[]) => void) => void;
+};
+
+function getTelegramWebApp(): TelegramWebAppBridge | undefined {
+  if (typeof window === "undefined") return undefined;
+  return (window as unknown as { Telegram?: { WebApp?: TelegramWebAppBridge } }).Telegram?.WebApp;
+}
+
+/**
+ * SecureStorage.setItem: on error the first callback argument is the error; on success it is null
+ * and the second is whether the value was stored. Some clients also emit web events; see
+ * https://core.telegram.org/bots/webapps#securestorage
+ */
+async function setTmaSecureStorageItem(key: string, value: string): Promise<boolean> {
+  const webApp = getTelegramWebApp();
+  if (!webApp) return false;
+  const storage = webApp.SecureStorage;
+  const setItem = storage?.setItem;
+  if (typeof setItem !== "function") return false;
+
+  return new Promise<boolean>((resolve) => {
+    let settled = false;
+    const finish = (ok: boolean) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      resolve(ok);
+    };
+
+    const onSecureStorageFailed = (payload?: unknown) => {
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.warn("[wallet] secure_storage_failed", payload);
+      }
+      finish(false);
+    };
+
+    /** Fired when a value was saved (bridge may deliver this if the JS callback is delayed). */
+    const onSecureStorageKeySaved = () => {
+      finish(true);
+    };
+
+    const cleanup = () => {
+      try {
+        webApp.offEvent?.("secure_storage_failed", onSecureStorageFailed);
+      } catch {
+        /* ignore */
+      }
+      try {
+        webApp.offEvent?.("secure_storage_key_saved", onSecureStorageKeySaved);
+      } catch {
+        /* ignore */
+      }
+    };
+
+    try {
+      webApp.onEvent?.("secure_storage_failed", onSecureStorageFailed);
+      webApp.onEvent?.("secure_storage_key_saved", onSecureStorageKeySaved);
+    } catch {
+      /* older clients */
+    }
+
+    try {
+      setItem(key, value, (err: unknown, stored?: boolean) => {
+        if (err != null) {
+          finish(false);
+          return;
+        }
+        finish(stored !== false);
+      });
+    } catch {
+      cleanup();
+      resolve(false);
+    }
+  });
+}
+
+/**
+ * DeviceStorage: persistent local KV inside the Telegram client (not Keychain/Keystore).
+ * Same callback shape as SecureStorage; some clients emit device_storage_* web events.
+ * @see https://core.telegram.org/bots/webapps#devicestorage
+ */
+async function setTmaDeviceStorageItem(key: string, value: string): Promise<boolean> {
+  const webApp = getTelegramWebApp();
+  if (!webApp) return false;
+  const storage = webApp.DeviceStorage;
+  const setItem = storage?.setItem;
+  if (typeof setItem !== "function") return false;
+
+  return new Promise<boolean>((resolve) => {
+    let settled = false;
+    const finish = (ok: boolean) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      resolve(ok);
+    };
+
+    const onDeviceStorageFailed = (payload?: unknown) => {
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.warn("[wallet] device_storage_failed", payload);
+      }
+      finish(false);
+    };
+
+    const onDeviceStorageKeySaved = () => {
+      finish(true);
+    };
+
+    const cleanup = () => {
+      try {
+        webApp.offEvent?.("device_storage_failed", onDeviceStorageFailed);
+      } catch {
+        /* ignore */
+      }
+      try {
+        webApp.offEvent?.("device_storage_key_saved", onDeviceStorageKeySaved);
+      } catch {
+        /* ignore */
+      }
+    };
+
+    try {
+      webApp.onEvent?.("device_storage_failed", onDeviceStorageFailed);
+      webApp.onEvent?.("device_storage_key_saved", onDeviceStorageKeySaved);
+    } catch {
+      /* older clients */
+    }
+
+    try {
+      setItem(key, value, (err: unknown, stored?: boolean) => {
+        if (err != null) {
+          finish(false);
+          return;
+        }
+        finish(stored !== false);
+      });
+    } catch {
+      cleanup();
+      resolve(false);
+    }
+  });
+}
+
+export type WalletMasterKeyStorageTier = "secure" | "device" | "none";
+
+/**
+ * Prefer hardware-backed SecureStorage; if missing or UNSUPPORTED, fall back to DeviceStorage
+ * so Desktop and older clients can still persist the key (weaker — see docs/security_raw.md).
+ */
+async function persistWalletMasterKey(masterKey: string): Promise<WalletMasterKeyStorageTier> {
+  const okSecure = await setTmaSecureStorageItem("wallet_master_key", masterKey);
+  if (okSecure) return "secure";
+
+  const okDevice = await setTmaDeviceStorageItem("wallet_master_key", masterKey);
+  if (okDevice) return "device";
+
+  if (typeof __DEV__ !== "undefined" && __DEV__) {
+    console.warn("[wallet] wallet_master_key not persisted (no SecureStorage nor DeviceStorage)");
+  }
+  return "none";
+}
+
+/** CloudStorage.setItem uses the same callback shape as SecureStorage. */
+async function setTmaCloudStorageItem(key: string, value: string): Promise<boolean> {
+  const webApp = getTelegramWebApp();
+  const storage = webApp?.CloudStorage;
+  const setItem = storage?.setItem;
+  if (typeof setItem !== "function") return false;
+
+  return new Promise<boolean>((resolve) => {
+    try {
+      setItem(key, value, (err: unknown, stored?: boolean) => {
+        if (err != null) {
+          resolve(false);
+          return;
+        }
+        resolve(stored !== false);
+      });
+    } catch {
+      resolve(false);
+    }
+  });
+}
 
 export default function Index() {
-  const { status, telegramUsername, error, debug } = useTelegram();
+  const {
+    status,
+    telegramUsername,
+    hasWallet,
+    walletRequired,
+    wallet,
+    initData,
+    error,
+    debug,
+  } = useTelegram();
+  const [step, setStep] = useState<CreateStep>("idle");
+  const [flowError, setFlowError] = useState<string | null>(null);
+  const [createdWalletAddress, setCreatedWalletAddress] = useState<string | null>(null);
+  const [masterKeyStorageTier, setMasterKeyStorageTier] = useState<WalletMasterKeyStorageTier | null>(null);
+  const effectiveWalletAddress = wallet?.wallet_address ?? createdWalletAddress;
+  const effectiveHasWallet = hasWallet || Boolean(createdWalletAddress);
+
+  const createAndRegisterWalletFlow = useCallback(async () => {
+    if (!initData) {
+      setFlowError("Missing Telegram initData.");
+      return;
+    }
+    setFlowError(null);
+    setStep("saving");
+    try {
+      const mnemonic = await generateMnemonic();
+      const walletAddress = await deriveAddressFromMnemonic({ mnemonic, testnet: false });
+      const masterKey = await deriveMasterKeyFromMnemonic(mnemonic);
+      const seedCipher = await createSeedCipher(masterKey, mnemonic.join(" "));
+
+      // Register with API first: SecureStorage can fail/hang (see secure_storage_failed) and must not block.
+      const response = await fetch("/api/wallet/register", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          initData,
+          wallet_address: walletAddress,
+          wallet_blockchain: "ton",
+          wallet_net: "mainnet",
+          type: "internal",
+          label: "Main wallet",
+          source: "miniapp",
+        }),
+      });
+      const json = await response.json().catch(() => ({}));
+      if (!response.ok || !json?.ok) {
+        throw new Error(json?.error || `HTTP ${response.status}`);
+      }
+      const [tier, cloudOk] = await Promise.all([
+        persistWalletMasterKey(masterKey),
+        setTmaCloudStorageItem("wallet_seed_cipher", seedCipher),
+      ]);
+      setMasterKeyStorageTier(tier);
+      if (!cloudOk && typeof __DEV__ !== "undefined" && __DEV__) {
+        console.warn("[wallet] wallet_seed_cipher not saved to CloudStorage");
+      }
+
+      setCreatedWalletAddress(walletAddress);
+      setStep("done");
+    } catch (e) {
+      setFlowError(e instanceof Error ? e.message : "Wallet registration failed");
+      setStep("idle");
+    }
+  }, [initData]);
+
+  useEffect(() => {
+    if (
+      status === "ok" &&
+      walletRequired &&
+      !hasWallet &&
+      !createdWalletAddress &&
+      step === "idle" &&
+      initData
+    ) {
+      void createAndRegisterWalletFlow();
+    }
+  }, [status, walletRequired, hasWallet, createdWalletAddress, step, initData, createAndRegisterWalletFlow]);
 
   if (status === "idle" || status === "loading") {
     return (
@@ -79,6 +359,21 @@ export default function Index() {
     );
   }
 
+  if (status === "ok" && walletRequired && !effectiveHasWallet) {
+    return (
+      <View style={{ flex: 1, justifyContent: "center", padding: 16, gap: 10 }}>
+        <Text style={{ fontWeight: "700", fontSize: 18 }}>Preparing your wallet</Text>
+        <Text>
+          No wallet found for this Telegram account. Creating one now and registering public wallet
+          data.
+        </Text>
+        {step === "saving" && <Text>Saving secrets and registering wallet...</Text>}
+        {flowError ? <Text style={{ color: "#b00020" }}>{flowError}</Text> : null}
+        {flowError ? <Button title="Retry wallet creation" onPress={createAndRegisterWalletFlow} /> : null}
+      </View>
+    );
+  }
+
   return (
     <View
       style={{
@@ -91,11 +386,30 @@ export default function Index() {
       <Text style={{ fontWeight: "600", marginBottom: 8 }}>
         HyperlinksSpace Wallet
       </Text>
-      {telegramUsername && (
-        <Text style={{ textAlign: "center" }}>
+      {telegramUsername ? (
+        <Text style={{ textAlign: "center", marginBottom: 8 }}>
           You are logged in via Telegram as @{telegramUsername}.
         </Text>
-      )}
+      ) : null}
+      {effectiveWalletAddress ? (
+        <View style={{ alignItems: "center" }}>
+          <Text style={{ textAlign: "center" }}>Wallet:</Text>
+          <Text style={{ textAlign: "center", marginTop: 4 }}>{effectiveWalletAddress}</Text>
+        </View>
+      ) : null}
+      {masterKeyStorageTier === "device" ? (
+        <Text style={{ marginTop: 14, fontSize: 12, color: "#856404", textAlign: "center", paddingHorizontal: 8 }}>
+          This Telegram client does not support SecureStorage, so your wallet key was stored in DeviceStorage
+          (persistent app storage, not the system keychain). That is weaker than SecureStorage; keep your seed
+          phrase safe and prefer Telegram on iOS/Android when possible.
+        </Text>
+      ) : null}
+      {masterKeyStorageTier === "none" ? (
+        <Text style={{ marginTop: 14, fontSize: 12, color: "#b00020", textAlign: "center", paddingHorizontal: 8 }}>
+          Could not save your wallet key on this device. Cloud ciphertext may still sync, but you will need your
+          recovery phrase to sign here until storage works. Try another Telegram client or update the app.
+        </Text>
+      ) : null}
     </View>
   );
 }

package/database/start.ts

@@ -30,7 +30,6 @@ async function runSchemaMigrations() {
       last_tma_seen_at    TIMESTAMPTZ,
       locale              TEXT,
       time_zone           TEXT,
-      number_of_wallets   INTEGER NOT NULL DEFAULT 0,
       default_wallet      BIGINT
     );
   `;

package/database/wallets.ts

@@ -0,0 +1,266 @@
+/**
+ * Wallet helpers for the wallets table.
+ * Shared by API routes and bot-side services.
+ */
+import { sql } from './start.js';
+import { normalizeUsername } from './users.js';
+
+export type WalletRow = {
+  id: number;
+  telegram_username: string;
+  wallet_address: string;
+  wallet_blockchain: string;
+  wallet_net: string;
+  type: string;
+  label: string | null;
+  is_default: boolean;
+  source: string | null;
+  notes: string | null;
+  created_at: string;
+  updated_at: string;
+  last_used_at: string | null;
+  last_seen_balance_at: string | null;
+};
+
+export type RegisterWalletInput = {
+  telegramUsername: string;
+  walletAddress: string;
+  walletBlockchain: string;
+  walletNet: string;
+  type: string;
+  label?: string | null;
+  source?: string | null;
+  notes?: string | null;
+  isDefault?: boolean;
+};
+
+function normalizeText(raw: unknown): string {
+  if (typeof raw !== 'string') return '';
+  return raw.trim();
+}
+
+function normalizeLower(raw: unknown): string {
+  return normalizeText(raw).toLowerCase();
+}
+
+function normalizeAddress(raw: unknown): string {
+  return normalizeText(raw);
+}
+
+export async function listWalletsByUsername(
+  telegramUsername: string,
+): Promise<WalletRow[]> {
+  const username = normalizeUsername(telegramUsername);
+  if (!username) return [];
+
+  const rows = await sql<WalletRow[]>`
+    SELECT
+      id,
+      telegram_username,
+      wallet_address,
+      wallet_blockchain,
+      wallet_net,
+      type,
+      label,
+      is_default,
+      source,
+      notes,
+      created_at,
+      updated_at,
+      last_used_at,
+      last_seen_balance_at
+    FROM wallets
+    WHERE telegram_username = ${username}
+    ORDER BY is_default DESC, created_at ASC;
+  `;
+  return rows;
+}
+
+export async function getDefaultWalletByUsername(
+  telegramUsername: string,
+): Promise<WalletRow | null> {
+  const username = normalizeUsername(telegramUsername);
+  if (!username) return null;
+
+  const rows = await sql<WalletRow[]>`
+    SELECT
+      id,
+      telegram_username,
+      wallet_address,
+      wallet_blockchain,
+      wallet_net,
+      type,
+      label,
+      is_default,
+      source,
+      notes,
+      created_at,
+      updated_at,
+      last_used_at,
+      last_seen_balance_at
+    FROM wallets
+    WHERE telegram_username = ${username}
+    ORDER BY is_default DESC, created_at ASC
+    LIMIT 1;
+  `;
+
+  return rows[0] ?? null;
+}
+
+export async function setDefaultWallet(opts: {
+  telegramUsername: string;
+  walletAddress: string;
+  walletBlockchain: string;
+  walletNet: string;
+}): Promise<WalletRow | null> {
+  const username = normalizeUsername(opts.telegramUsername);
+  const walletAddress = normalizeAddress(opts.walletAddress);
+  const walletBlockchain = normalizeLower(opts.walletBlockchain);
+  const walletNet = normalizeLower(opts.walletNet);
+
+  if (!username || !walletAddress || !walletBlockchain || !walletNet) {
+    return null;
+  }
+
+  await sql`
+    UPDATE wallets
+    SET is_default = FALSE,
+        updated_at = NOW()
+    WHERE telegram_username = ${username};
+  `;
+
+  const rows = await sql<WalletRow[]>`
+    UPDATE wallets
+    SET is_default = TRUE,
+        updated_at = NOW()
+    WHERE telegram_username = ${username}
+      AND wallet_address = ${walletAddress}
+      AND wallet_blockchain = ${walletBlockchain}
+      AND wallet_net = ${walletNet}
+    RETURNING
+      id,
+      telegram_username,
+      wallet_address,
+      wallet_blockchain,
+      wallet_net,
+      type,
+      label,
+      is_default,
+      source,
+      notes,
+      created_at,
+      updated_at,
+      last_used_at,
+      last_seen_balance_at;
+  `;
+
+  const selected = rows[0] ?? null;
+  if (!selected) return null;
+
+  await sql`
+    UPDATE users
+    SET default_wallet = ${selected.id},
+        updated_at = NOW()
+    WHERE telegram_username = ${username};
+  `;
+
+  return selected;
+}
+
+export async function registerWallet(
+  input: RegisterWalletInput,
+): Promise<WalletRow | null> {
+  const telegramUsername = normalizeUsername(input.telegramUsername);
+  const walletAddress = normalizeAddress(input.walletAddress);
+  const walletBlockchain = normalizeLower(input.walletBlockchain);
+  const walletNet = normalizeLower(input.walletNet);
+  const walletType = normalizeLower(input.type);
+  const label = normalizeText(input.label ?? '');
+  const source = normalizeText(input.source ?? '');
+  const notes = normalizeText(input.notes ?? '');
+
+  if (
+    !telegramUsername ||
+    !walletAddress ||
+    !walletBlockchain ||
+    !walletNet ||
+    !walletType
+  ) {
+    return null;
+  }
+
+  const rows = await sql<WalletRow[]>`
+    INSERT INTO wallets (
+      telegram_username,
+      wallet_address,
+      wallet_blockchain,
+      wallet_net,
+      type,
+      label,
+      source,
+      notes,
+      is_default,
+      created_at,
+      updated_at
+    )
+    VALUES (
+      ${telegramUsername},
+      ${walletAddress},
+      ${walletBlockchain},
+      ${walletNet},
+      ${walletType},
+      ${label || null},
+      ${source || null},
+      ${notes || null},
+      FALSE,
+      NOW(),
+      NOW()
+    )
+    ON CONFLICT (telegram_username, wallet_address, wallet_blockchain, wallet_net)
+    DO UPDATE SET
+      type = EXCLUDED.type,
+      label = EXCLUDED.label,
+      source = EXCLUDED.source,
+      notes = EXCLUDED.notes,
+      updated_at = NOW()
+    RETURNING
+      id,
+      telegram_username,
+      wallet_address,
+      wallet_blockchain,
+      wallet_net,
+      type,
+      label,
+      is_default,
+      source,
+      notes,
+      created_at,
+      updated_at,
+      last_used_at,
+      last_seen_balance_at;
+  `;
+
+  const wallet = rows[0] ?? null;
+  if (!wallet) return null;
+
+  if (input.isDefault) {
+    return setDefaultWallet({
+      telegramUsername,
+      walletAddress,
+      walletBlockchain,
+      walletNet,
+    });
+  }
+
+  const currentDefault = await getDefaultWalletByUsername(telegramUsername);
+  if (!currentDefault) {
+    return setDefaultWallet({
+      telegramUsername,
+      walletAddress,
+      walletBlockchain,
+      walletNet,
+    });
+  }
+
+  return wallet;
+}