@yaebal/panel 0.0.1 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/lib/index.js CHANGED
@@ -1,3 +1,4 @@
1
+ import { createApi, media } from "@yaebal/core";
1
2
  import { PANEL_HTML } from "./panel-html.js";
2
3
  /** keep at most this many messages per chat in the in-memory store. */
3
4
  const MAX_HISTORY = 1000;
@@ -11,10 +12,145 @@ function safeEqual(a, b) {
11
12
  return diff === 0;
12
13
  }
13
14
  export { PANEL_HTML } from "./panel-html.js";
15
+ /** single-file media kinds (photo is special — it's an array of sizes). */
16
+ const FILE_KINDS = [
17
+ "video",
18
+ "animation",
19
+ "audio",
20
+ "voice",
21
+ "video_note",
22
+ "document",
23
+ "sticker",
24
+ ];
25
+ /** non-downloadable kinds we still label in the chat preview. */
26
+ const TAG_KINDS = ["location", "contact", "poll", "dice"];
27
+ function isRecord(value) {
28
+ return value !== null && typeof value === "object" && !Array.isArray(value);
29
+ }
30
+ function stringValue(value) {
31
+ return typeof value === "string" && value ? value : undefined;
32
+ }
33
+ function numberValue(value) {
34
+ return typeof value === "number" && Number.isFinite(value) ? value : undefined;
35
+ }
36
+ /** pull every downloadable attachment out of a telegram message. */
37
+ function extractAttachments(message) {
38
+ const out = [];
39
+ const photo = message.photo;
40
+ if (Array.isArray(photo) && photo.length > 0) {
41
+ const largest = photo[photo.length - 1];
42
+ if (largest.file_id)
43
+ out.push({ type: "photo", fileId: largest.file_id });
44
+ }
45
+ for (const kind of FILE_KINDS) {
46
+ const m = message[kind];
47
+ if (m && typeof m.file_id === "string") {
48
+ out.push({ type: kind, fileId: m.file_id, fileName: m.file_name, mimeType: m.mime_type });
49
+ }
50
+ }
51
+ return out;
52
+ }
53
+ function keyboardButton(raw) {
54
+ if (!isRecord(raw))
55
+ return undefined;
56
+ const text = stringValue(raw.text);
57
+ if (!text)
58
+ return undefined;
59
+ const button = { text };
60
+ const callbackData = stringValue(raw.callback_data);
61
+ const url = stringValue(raw.url);
62
+ if (callbackData) {
63
+ button.kind = "callback";
64
+ button.callbackData = callbackData;
65
+ }
66
+ else if (url) {
67
+ button.kind = "url";
68
+ button.url = url;
69
+ }
70
+ else if (raw.web_app !== undefined)
71
+ button.kind = "web_app";
72
+ else if (raw.login_url !== undefined)
73
+ button.kind = "login_url";
74
+ else if (raw.switch_inline_query !== undefined ||
75
+ raw.switch_inline_query_current_chat !== undefined) {
76
+ button.kind = "switch_inline";
77
+ }
78
+ else if (raw.pay === true)
79
+ button.kind = "pay";
80
+ else
81
+ button.kind = "unknown";
82
+ return button;
83
+ }
84
+ function keyboardRows(raw) {
85
+ if (!Array.isArray(raw))
86
+ return [];
87
+ const rows = [];
88
+ for (const row of raw) {
89
+ if (!Array.isArray(row))
90
+ continue;
91
+ const buttons = [];
92
+ for (const item of row) {
93
+ const button = keyboardButton(item);
94
+ if (button)
95
+ buttons.push(button);
96
+ }
97
+ if (buttons.length > 0)
98
+ rows.push(buttons);
99
+ }
100
+ return rows;
101
+ }
102
+ function extractKeyboard(message) {
103
+ const markup = message.reply_markup;
104
+ if (!isRecord(markup))
105
+ return undefined;
106
+ const inline = keyboardRows(markup.inline_keyboard);
107
+ if (inline.length > 0)
108
+ return { type: "inline", rows: inline };
109
+ const reply = keyboardRows(markup.keyboard);
110
+ if (reply.length > 0)
111
+ return { type: "reply", rows: reply };
112
+ return undefined;
113
+ }
114
+ /** best-effort one-line label for a message: its text/caption, else a `[media]` tag. */
115
+ function describe(message) {
116
+ if (!message)
117
+ return undefined;
118
+ const text = message.text ?? message.caption;
119
+ if (typeof text === "string")
120
+ return text;
121
+ const att = extractAttachments(message);
122
+ if (att.length > 0)
123
+ return `[${att[0]?.type}]`;
124
+ for (const kind of TAG_KINDS) {
125
+ if (message[kind] !== undefined)
126
+ return `[${kind}]`;
127
+ }
128
+ return undefined;
129
+ }
130
+ /** build a {@link PanelMessage} from a telegram message, or undefined if nothing to log. */
131
+ function toPanelMessage(direction, message) {
132
+ if (!message)
133
+ return undefined;
134
+ const text = describe(message);
135
+ const attachments = extractAttachments(message);
136
+ const keyboard = extractKeyboard(message);
137
+ if (text === undefined && attachments.length === 0 && !keyboard)
138
+ return undefined;
139
+ const date = typeof message.date === "number" ? message.date : Math.floor(Date.now() / 1000);
140
+ const msg = { direction, text: text ?? "", date };
141
+ if (attachments.length > 0)
142
+ msg.attachments = attachments;
143
+ if (typeof message.media_group_id === "string")
144
+ msg.mediaGroupId = message.media_group_id;
145
+ if (keyboard)
146
+ msg.keyboard = keyboard;
147
+ return msg;
148
+ }
14
149
  /** defaults to in-memory store. Lost on restart — swap for a persistent one in production. */
15
150
  export class MemoryPanelStore {
16
151
  #chats = new Map();
17
152
  #messages = new Map();
153
+ #listeners = new Set();
18
154
  record(chat, message) {
19
155
  const list = this.#messages.get(chat.id) ?? [];
20
156
  list.push(message);
@@ -22,85 +158,532 @@ export class MemoryPanelStore {
22
158
  list.shift();
23
159
  this.#messages.set(chat.id, list);
24
160
  const prev = this.#chats.get(chat.id);
25
- this.#chats.set(chat.id, {
161
+ const next = {
26
162
  id: chat.id,
27
163
  name: chat.name ?? prev?.name ?? `chat ${chat.id}`,
28
164
  lastText: message.text,
29
165
  lastDate: message.date,
30
- });
166
+ };
167
+ const firstName = chat.firstName ?? prev?.firstName;
168
+ const lastName = chat.lastName ?? prev?.lastName;
169
+ const username = chat.username ?? prev?.username;
170
+ const lastAttachmentType = message.attachments?.[0]?.type;
171
+ const lastEventType = message.event?.type;
172
+ if (firstName)
173
+ next.firstName = firstName;
174
+ if (lastName)
175
+ next.lastName = lastName;
176
+ if (username)
177
+ next.username = username;
178
+ if (lastAttachmentType)
179
+ next.lastAttachmentType = lastAttachmentType;
180
+ if (lastEventType)
181
+ next.lastEventType = lastEventType;
182
+ this.#chats.set(chat.id, next);
183
+ for (const fn of this.#listeners) {
184
+ fn({ type: "record", chatId: chat.id, direction: message.direction });
185
+ }
31
186
  }
32
187
  chats() {
33
188
  return [...this.#chats.values()].sort((a, b) => b.lastDate - a.lastDate);
34
189
  }
35
- history(chatId) {
36
- return this.#messages.get(chatId) ?? [];
190
+ history(chatId, options) {
191
+ let list = this.#messages.get(chatId) ?? [];
192
+ if (options?.before !== undefined)
193
+ list = list.filter((m) => m.date < options.before);
194
+ if (options?.limit !== undefined)
195
+ list = list.slice(-options.limit);
196
+ return list;
197
+ }
198
+ subscribe(listener) {
199
+ this.#listeners.add(listener);
200
+ return () => this.#listeners.delete(listener);
201
+ }
202
+ }
203
+ function chatIdentity(chatId, user) {
204
+ const out = { id: chatId };
205
+ if (isRecord(user)) {
206
+ const firstName = stringValue(user.first_name);
207
+ const lastName = stringValue(user.last_name);
208
+ const username = stringValue(user.username);
209
+ if (firstName)
210
+ out.firstName = firstName;
211
+ if (lastName)
212
+ out.lastName = lastName;
213
+ if (username)
214
+ out.username = username;
215
+ const fullName = [firstName, lastName].filter(Boolean).join(" ");
216
+ out.name = username ? `@${username}` : fullName || undefined;
217
+ }
218
+ out.name ??= `chat ${chatId}`;
219
+ return out;
220
+ }
221
+ function privateChatId(chat) {
222
+ if (!isRecord(chat) || chat.type !== "private")
223
+ return undefined;
224
+ return numberValue(chat.id);
225
+ }
226
+ function eventMessage(type, title, detail, data) {
227
+ const event = { type, title };
228
+ if (detail)
229
+ event.detail = detail;
230
+ if (data)
231
+ event.data = data;
232
+ return {
233
+ direction: "in",
234
+ text: detail ? `${title}: ${detail}` : title,
235
+ date: Math.floor(Date.now() / 1000),
236
+ event,
237
+ };
238
+ }
239
+ function reactionCount(raw) {
240
+ return Array.isArray(raw) ? raw.length : undefined;
241
+ }
242
+ function eventRecord(update) {
243
+ if (isRecord(update.callback_query)) {
244
+ const query = update.callback_query;
245
+ const message = isRecord(query.message) ? query.message : undefined;
246
+ const chatId = privateChatId(message?.chat);
247
+ if (chatId === undefined)
248
+ return undefined;
249
+ const data = stringValue(query.data);
250
+ return {
251
+ chat: chatIdentity(chatId, query.from),
252
+ message: eventMessage("callback", "button clicked", data ?? "callback query", data),
253
+ };
254
+ }
255
+ if (isRecord(update.message_reaction)) {
256
+ const reaction = update.message_reaction;
257
+ const chatId = privateChatId(reaction.chat);
258
+ if (chatId === undefined)
259
+ return undefined;
260
+ const next = reactionCount(reaction.new_reaction) ?? 0;
261
+ const detail = `changed to ${next} reaction${next === 1 ? "" : "s"}`;
262
+ return {
263
+ chat: chatIdentity(chatId, reaction.user),
264
+ message: eventMessage("reaction", "message reaction", detail),
265
+ };
266
+ }
267
+ if (isRecord(update.message_reaction_count)) {
268
+ const reaction = update.message_reaction_count;
269
+ const chatId = privateChatId(reaction.chat);
270
+ if (chatId === undefined)
271
+ return undefined;
272
+ const next = reactionCount(reaction.reactions) ?? 0;
273
+ const detail = `${next} reaction type${next === 1 ? "" : "s"}`;
274
+ return {
275
+ chat: chatIdentity(chatId, reaction.chat),
276
+ message: eventMessage("reaction_count", "reaction count", detail),
277
+ };
278
+ }
279
+ if (isRecord(update.poll_answer)) {
280
+ const answer = update.poll_answer;
281
+ const user = answer.user;
282
+ if (!isRecord(user))
283
+ return undefined;
284
+ const chatId = numberValue(user.id);
285
+ if (chatId === undefined)
286
+ return undefined;
287
+ const optionIds = Array.isArray(answer.option_ids)
288
+ ? answer.option_ids.filter((id) => typeof id === "number")
289
+ : [];
290
+ return {
291
+ chat: chatIdentity(chatId, user),
292
+ message: eventMessage("poll_answer", "poll answer", `options ${optionIds.join(", ")}`),
293
+ };
294
+ }
295
+ const member = isRecord(update.my_chat_member)
296
+ ? update.my_chat_member
297
+ : isRecord(update.chat_member)
298
+ ? update.chat_member
299
+ : undefined;
300
+ if (member) {
301
+ const chatId = privateChatId(member.chat);
302
+ if (chatId === undefined)
303
+ return undefined;
304
+ const next = isRecord(member.new_chat_member)
305
+ ? stringValue(member.new_chat_member.status)
306
+ : undefined;
307
+ return {
308
+ chat: chatIdentity(chatId, member.from),
309
+ message: eventMessage("chat_member", "chat member", next ?? "updated"),
310
+ };
311
+ }
312
+ return undefined;
313
+ }
314
+ /** records a raw Telegram update into the store; useful from any bot framework. */
315
+ export async function recordTelegramUpdate(store, update) {
316
+ if (!isRecord(update))
317
+ return false;
318
+ let recorded = false;
319
+ const rawMessage = update.message ?? update.edited_message ?? update.channel_post;
320
+ if (isRecord(rawMessage)) {
321
+ const chatId = privateChatId(rawMessage.chat);
322
+ const message = toPanelMessage("in", rawMessage);
323
+ if (chatId !== undefined && message) {
324
+ await store.record(chatIdentity(chatId, rawMessage.from), message);
325
+ recorded = true;
326
+ }
327
+ }
328
+ const event = eventRecord(update);
329
+ if (event) {
330
+ await store.record(event.chat, event.message);
331
+ recorded = true;
37
332
  }
333
+ return recorded;
38
334
  }
39
- /** records incoming private-chat text into the store so the panel can show it. */
335
+ /** records incoming private-chat updates into the store so the panel can show them. */
40
336
  export function recorder(store) {
41
337
  const plugin = (composer) => composer.use(async (ctx, next) => {
42
- const text = ctx.text;
43
- const chat = ctx.chat;
44
- if (text !== undefined && chat?.type === "private") {
45
- const name = ctx.from?.username
46
- ? `@${ctx.from.username}`
47
- : (ctx.from?.first_name ?? `chat ${chat.id}`);
48
- await store.record({ id: chat.id, name }, { direction: "in", text, date: Math.floor(Date.now() / 1000) });
49
- }
338
+ await recordTelegramUpdate(store, ctx.update);
50
339
  await next();
51
340
  });
52
341
  return plugin;
53
342
  }
343
+ /** create a small Bot API client that satisfies {@link PanelApi}; useful with any framework. */
344
+ export function createPanelApi(token, options) {
345
+ return createApi(token, options);
346
+ }
347
+ /** map an attachment kind to its telegram send method + param field. */
348
+ const SEND_METHODS = {
349
+ photo: { method: "sendPhoto", field: "photo" },
350
+ video: { method: "sendVideo", field: "video" },
351
+ animation: { method: "sendAnimation", field: "animation" },
352
+ audio: { method: "sendAudio", field: "audio" },
353
+ voice: { method: "sendVoice", field: "voice" },
354
+ video_note: { method: "sendVideoNote", field: "video_note" },
355
+ document: { method: "sendDocument", field: "document" },
356
+ sticker: { method: "sendSticker", field: "sticker" },
357
+ };
358
+ /** choose how to send an operator-uploaded file: explicit `type`, else infer from mime. */
359
+ function pickSendKind(type, mime) {
360
+ if (type && type in SEND_METHODS)
361
+ return type;
362
+ if (mime.startsWith("image/"))
363
+ return mime === "image/gif" ? "animation" : "photo";
364
+ if (mime.startsWith("video/"))
365
+ return "video";
366
+ if (mime === "audio/ogg")
367
+ return "voice";
368
+ if (mime.startsWith("audio/"))
369
+ return "audio";
370
+ return "document";
371
+ }
372
+ /** log a single telegram message result as an outgoing record (text or media). */
373
+ function recordResult(store, result) {
374
+ if (!result || typeof result !== "object")
375
+ return;
376
+ const raw = result;
377
+ const chat = raw.chat;
378
+ if (chat?.id === undefined || chat.type !== "private")
379
+ return;
380
+ const message = toPanelMessage("out", raw);
381
+ if (message)
382
+ void Promise.resolve(store.record(chatIdentity(chat.id, raw.chat), message));
383
+ }
384
+ /**
385
+ * record replies the bot sends *outside* the panel (e.g. `ctx.reply(...)` or `ctx.replyWithPhoto(...)`
386
+ * in your handlers) so they show up in the conversation too. hooks the api's `after` stage and logs
387
+ * every successful `send*` call (including `sendMediaGroup`, which returns an array) to a private chat.
388
+ *
389
+ * pairs with `panelHandler(..., { recordSends: false })` — the panel records its own sends,
390
+ * so disable that to avoid double entries when this is installed.
391
+ *
392
+ * ```ts
393
+ * recordOutgoing(bot.api, store);
394
+ * const handler = panelHandler(bot.api, store, { token, recordSends: false });
395
+ * ```
396
+ */
397
+ export function recordOutgoing(api, store) {
398
+ api.after((method, result) => {
399
+ if (method.startsWith("send")) {
400
+ if (Array.isArray(result))
401
+ for (const item of result)
402
+ recordResult(store, item);
403
+ else
404
+ recordResult(store, result);
405
+ }
406
+ return result;
407
+ });
408
+ return api;
409
+ }
54
410
  const json = (data, status = 200) => new Response(JSON.stringify(data), {
55
411
  status,
56
412
  headers: { "content-type": "application/json", "x-content-type-options": "nosniff" },
57
413
  });
414
+ /** resolve the `Access-Control-Allow-Origin` value for a request, or undefined if disallowed. */
415
+ function corsOrigin(cors, request) {
416
+ if (cors === undefined)
417
+ return undefined;
418
+ if (cors === "*")
419
+ return "*";
420
+ const origin = request.headers.get("origin");
421
+ if (!origin)
422
+ return undefined;
423
+ const allowed = Array.isArray(cors) ? cors : [cors];
424
+ return allowed.includes(origin) ? origin : undefined;
425
+ }
426
+ /** fields a panel client may pass through to `sendMessage` alongside `chat_id`/`text`. */
427
+ const SEND_PASSTHROUGH = [
428
+ "parse_mode",
429
+ "entities",
430
+ "link_preview_options",
431
+ "reply_to_message_id",
432
+ "reply_parameters",
433
+ "reply_markup",
434
+ "disable_notification",
435
+ "protect_content",
436
+ ];
437
+ /** normalize a mount prefix: `""` or `/foo` (no trailing slash). */
438
+ function normalizeBase(basePath) {
439
+ if (!basePath)
440
+ return "";
441
+ const trimmed = basePath.replace(/\/+$/, "");
442
+ return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
443
+ }
444
+ /** a tiny in-memory limiter for failed auth attempts, keyed per client. */
445
+ function createLimiter(config) {
446
+ if (config === false)
447
+ return undefined;
448
+ const max = config?.max ?? 10;
449
+ const windowMs = config?.windowMs ?? 60_000;
450
+ const hits = new Map();
451
+ return {
452
+ /** ms the caller must wait, or 0 if still allowed. */
453
+ blockedFor(key) {
454
+ const now = Date.now();
455
+ const entry = hits.get(key);
456
+ if (entry && now < entry.resetAt && entry.count >= max) {
457
+ return entry.resetAt - now;
458
+ }
459
+ return 0;
460
+ },
461
+ fail(key) {
462
+ const now = Date.now();
463
+ const entry = hits.get(key);
464
+ if (!entry || now >= entry.resetAt) {
465
+ hits.set(key, { count: 1, resetAt: now + windowMs });
466
+ }
467
+ else {
468
+ entry.count++;
469
+ }
470
+ },
471
+ reset(key) {
472
+ hits.delete(key);
473
+ },
474
+ };
475
+ }
476
+ function defaultClientKey(request) {
477
+ const fwd = request.headers.get("x-forwarded-for");
478
+ const forwardedIp = fwd?.split(",")[0]?.trim();
479
+ if (forwardedIp)
480
+ return forwardedIp;
481
+ return request.headers.get("x-real-ip") ?? "shared";
482
+ }
483
+ /** an SSE response that forwards store events to the browser (keep-alive pinged). */
484
+ function streamResponse(store) {
485
+ const encoder = new TextEncoder();
486
+ let unsubscribe;
487
+ let ping;
488
+ const stream = new ReadableStream({
489
+ start(controller) {
490
+ const push = (chunk) => {
491
+ try {
492
+ controller.enqueue(encoder.encode(chunk));
493
+ }
494
+ catch {
495
+ /* client gone — cancel() will clean up */
496
+ }
497
+ };
498
+ push(": connected\n\n");
499
+ unsubscribe = store.subscribe?.((event) => push(`event: record\ndata: ${JSON.stringify(event)}\n\n`));
500
+ ping = setInterval(() => push(": ping\n\n"), 25_000);
501
+ },
502
+ cancel() {
503
+ if (ping)
504
+ clearInterval(ping);
505
+ unsubscribe?.();
506
+ },
507
+ });
508
+ return new Response(stream, {
509
+ headers: {
510
+ "content-type": "text/event-stream; charset=utf-8",
511
+ "cache-control": "no-cache, no-transform",
512
+ "x-content-type-options": "nosniff",
513
+ },
514
+ });
515
+ }
58
516
  /**
59
- * a fetch-style handler for the operator panel: serves the ui at `/`, and a small
60
- * api to list chats, read a conversation, and send a reply. mount it on any
61
- * fetch-compatible server. open it at `/?token=<your token>`.
517
+ * a fetch-style handler for the operator panel: serves the login + chat UI at the mount
518
+ * root, and a small api to list chats, read a conversation, stream updates, and send a
519
+ * reply. mount it on any fetch-compatible server.
62
520
  */
63
521
  export function panelHandler(api, store, options) {
64
522
  if (!options.token)
65
523
  throw new Error("panelHandler: a non-empty token is required");
524
+ const base = normalizeBase(options.basePath);
525
+ const limiter = createLimiter(options.rateLimit);
526
+ const clientKey = options.clientKey ?? defaultClientKey;
66
527
  return async (request) => {
528
+ const allowOrigin = corsOrigin(options.cors, request);
529
+ // attach CORS headers (when enabled) to every response the handler returns
530
+ const finish = (response) => {
531
+ if (allowOrigin) {
532
+ response.headers.set("access-control-allow-origin", allowOrigin);
533
+ response.headers.set("vary", "origin");
534
+ }
535
+ return response;
536
+ };
537
+ // preflight is unauthenticated by spec — answer it before the token check
538
+ if (request.method === "OPTIONS") {
539
+ return finish(new Response(null, {
540
+ status: 204,
541
+ headers: {
542
+ "access-control-allow-methods": "GET, POST, OPTIONS",
543
+ "access-control-allow-headers": "authorization, content-type",
544
+ "access-control-max-age": "86400",
545
+ },
546
+ }));
547
+ }
67
548
  const url = new URL(request.url);
549
+ // resolve the path relative to the configured mount prefix
550
+ let path = url.pathname;
551
+ if (base) {
552
+ if (path === base)
553
+ path = "/";
554
+ else if (path.startsWith(`${base}/`))
555
+ path = path.slice(base.length);
556
+ else
557
+ return finish(json({ error: "not found" }, 404));
558
+ }
559
+ // the login + app shell is public; auth is enforced on /api/* only
560
+ if (path === "/" && request.method === "GET") {
561
+ return finish(new Response(PANEL_HTML.replaceAll("__BASE__", base), {
562
+ headers: {
563
+ "content-type": "text/html; charset=utf-8",
564
+ // tokens are never put in the page url anymore, but stay strict anyway
565
+ "referrer-policy": "no-referrer",
566
+ "content-security-policy": "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'",
567
+ "x-content-type-options": "nosniff",
568
+ },
569
+ }));
570
+ }
571
+ // ---- everything below requires a valid token ----
572
+ const key = clientKey(request);
573
+ const wait = limiter?.blockedFor(key) ?? 0;
574
+ if (wait > 0) {
575
+ const res = json({ error: "too many attempts" }, 429);
576
+ res.headers.set("retry-after", String(Math.ceil(wait / 1000)));
577
+ return finish(res);
578
+ }
68
579
  const provided = url.searchParams.get("token") ??
69
580
  request.headers.get("authorization")?.replace(/^Bearer\s+/i, "") ??
70
581
  "";
71
582
  // fail closed: reject empty/missing tokens and use a constant-time compare
72
583
  if (!provided || !safeEqual(provided, options.token)) {
73
- return new Response("unauthorized", { status: 401 });
584
+ limiter?.fail(key);
585
+ return finish(new Response("unauthorized", { status: 401 }));
586
+ }
587
+ limiter?.reset(key);
588
+ if (path === "/api/chats" && request.method === "GET") {
589
+ return finish(json(await store.chats()));
74
590
  }
75
- if (url.pathname === "/" && request.method === "GET") {
76
- return new Response(PANEL_HTML, {
591
+ // realtime stream of store events (EventSource can't set headers token in query)
592
+ if (path === "/api/stream" && request.method === "GET") {
593
+ return finish(streamResponse(store));
594
+ }
595
+ // proxy a telegram file by file_id, keeping the bot token server-side
596
+ if (path === "/api/file" && request.method === "GET") {
597
+ const fileId = url.searchParams.get("id");
598
+ if (!fileId)
599
+ return finish(json({ error: "id required" }, 400));
600
+ if (!api.call || !api.fileUrl) {
601
+ return finish(json({ error: "media proxy needs an api with call()/fileUrl()" }, 501));
602
+ }
603
+ const file = await api
604
+ .call("getFile", { file_id: fileId })
605
+ .catch(() => undefined);
606
+ if (!file?.file_path)
607
+ return finish(json({ error: "file not found" }, 404));
608
+ const upstream = await fetch(api.fileUrl(file.file_path));
609
+ if (!upstream.ok || !upstream.body)
610
+ return finish(json({ error: "download failed" }, 502));
611
+ return finish(new Response(upstream.body, {
77
612
  headers: {
78
- "content-type": "text/html; charset=utf-8",
79
- // the token rides in the URL on this initial load — keep it out of Referer
80
- "referrer-policy": "no-referrer",
81
- "content-security-policy": "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'",
613
+ "content-type": upstream.headers.get("content-type") ?? "application/octet-stream",
614
+ "cache-control": "private, max-age=86400",
82
615
  "x-content-type-options": "nosniff",
83
616
  },
84
- });
85
- }
86
- if (url.pathname === "/api/chats" && request.method === "GET") {
87
- return json(await store.chats());
617
+ }));
88
618
  }
89
- const get = url.pathname.match(/^\/api\/chats\/(-?\d+)$/);
619
+ const get = path.match(/^\/api\/chats\/(-?\d+)$/);
90
620
  if (get?.[1] && request.method === "GET") {
91
- return json(await store.history(Number(get[1])));
621
+ const before = url.searchParams.get("before");
622
+ const limit = url.searchParams.get("limit");
623
+ const opts = {};
624
+ if (before !== null)
625
+ opts.before = Number(before);
626
+ if (limit !== null)
627
+ opts.limit = Number(limit);
628
+ return finish(json(await store.history(Number(get[1]), opts)));
92
629
  }
93
- const send = url.pathname.match(/^\/api\/chats\/(-?\d+)\/send$/);
630
+ const send = path.match(/^\/api\/chats\/(-?\d+)\/send$/);
94
631
  if (send?.[1] && request.method === "POST") {
95
632
  const chatId = Number(send[1]);
633
+ const contentType = request.headers.get("content-type") ?? "";
634
+ // ---- operator file upload (multipart) -> sendPhoto / sendDocument / sendVoice / ... ----
635
+ if (contentType.includes("multipart/form-data")) {
636
+ if (!api.call) {
637
+ return finish(json({ error: "uploads need an api with call()" }, 501));
638
+ }
639
+ const form = await request.formData().catch(() => undefined);
640
+ const file = form?.get("file");
641
+ if (!(file instanceof Blob))
642
+ return finish(json({ error: "file required" }, 400));
643
+ const kind = pickSendKind(String(form?.get("type") ?? ""), file.type);
644
+ const { method, field } = SEND_METHODS[kind];
645
+ const filename = file.name || kind;
646
+ const bytes = new Uint8Array(await file.arrayBuffer());
647
+ const params = {
648
+ chat_id: chatId,
649
+ [field]: media.buffer(bytes, filename),
650
+ };
651
+ const caption = form?.get("caption");
652
+ if (typeof caption === "string" && caption)
653
+ params.caption = caption;
654
+ const result = await api.call(method, params);
655
+ if (options.recordSends !== false)
656
+ recordResult(store, result);
657
+ return finish(json({ ok: true }));
658
+ }
659
+ // ---- text reply (json) → sendMessage ----
96
660
  const body = (await request.json().catch(() => ({})));
97
- if (!body.text)
98
- return json({ error: "text required" }, 400);
99
- await api.sendMessage({ chat_id: chatId, text: body.text });
100
- await store.record({ id: chatId }, { direction: "out", text: body.text, date: Math.floor(Date.now() / 1000) });
101
- return json({ ok: true });
661
+ if (typeof body.text !== "string" || !body.text) {
662
+ return finish(json({ error: "text required" }, 400));
663
+ }
664
+ const params = { chat_id: chatId, text: body.text };
665
+ for (const field of SEND_PASSTHROUGH) {
666
+ if (body[field] !== undefined)
667
+ params[field] = body[field];
668
+ }
669
+ const result = await api.sendMessage(params);
670
+ // skip when recordOutgoing already logs every send (avoids double entries)
671
+ if (options.recordSends !== false) {
672
+ // record from the api result when it's a real message, else fall back to the text
673
+ if (result && typeof result === "object" && "chat" in result)
674
+ recordResult(store, result);
675
+ else {
676
+ const fallback = toPanelMessage("out", {
677
+ text: body.text,
678
+ date: Math.floor(Date.now() / 1000),
679
+ reply_markup: body.reply_markup,
680
+ }) ?? { direction: "out", text: body.text, date: Math.floor(Date.now() / 1000) };
681
+ await store.record({ id: chatId }, fallback);
682
+ }
683
+ }
684
+ return finish(json({ ok: true }));
102
685
  }
103
- return json({ error: "not found" }, 404);
686
+ return finish(json({ error: "not found" }, 404));
104
687
  };
105
688
  }
106
689
  //# sourceMappingURL=index.js.map