@yaebal/panel 0.0.1 → 0.0.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +203 -12
- package/lib/index.d.ts +131 -17
- package/lib/index.d.ts.map +1 -1
- package/lib/index.js +619 -36
- package/lib/index.js.map +1 -1
- package/lib/index.test.js +400 -1
- package/lib/index.test.js.map +1 -1
- package/lib/panel-html.d.ts +2 -2
- package/lib/panel-html.d.ts.map +1 -1
- package/lib/panel-html.js +504 -44
- package/lib/panel-html.js.map +1 -1
- package/lib/serve.d.ts +25 -0
- package/lib/serve.d.ts.map +1 -0
- package/lib/serve.js +47 -0
- package/lib/serve.js.map +1 -0
- package/lib/sqlite.d.ts +29 -0
- package/lib/sqlite.d.ts.map +1 -0
- package/lib/sqlite.js +155 -0
- package/lib/sqlite.js.map +1 -0
- package/lib/sqlite.test.d.ts +2 -0
- package/lib/sqlite.test.d.ts.map +1 -0
- package/lib/sqlite.test.js +75 -0
- package/lib/sqlite.test.js.map +1 -0
- package/package.json +10 -2
- package/src/index.test.ts +514 -2
- package/src/index.ts +804 -54
- package/src/panel-html.ts +504 -44
- package/src/serve.ts +65 -0
- package/src/sqlite.test.ts +96 -0
- package/src/sqlite.ts +213 -0
package/lib/index.js
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { createApi, media } from "@yaebal/core";
|
|
1
2
|
import { PANEL_HTML } from "./panel-html.js";
|
|
2
3
|
/** keep at most this many messages per chat in the in-memory store. */
|
|
3
4
|
const MAX_HISTORY = 1000;
|
|
@@ -11,10 +12,145 @@ function safeEqual(a, b) {
|
|
|
11
12
|
return diff === 0;
|
|
12
13
|
}
|
|
13
14
|
export { PANEL_HTML } from "./panel-html.js";
|
|
15
|
+
/** single-file media kinds (photo is special — it's an array of sizes). */
|
|
16
|
+
const FILE_KINDS = [
|
|
17
|
+
"video",
|
|
18
|
+
"animation",
|
|
19
|
+
"audio",
|
|
20
|
+
"voice",
|
|
21
|
+
"video_note",
|
|
22
|
+
"document",
|
|
23
|
+
"sticker",
|
|
24
|
+
];
|
|
25
|
+
/** non-downloadable kinds we still label in the chat preview. */
|
|
26
|
+
const TAG_KINDS = ["location", "contact", "poll", "dice"];
|
|
27
|
+
function isRecord(value) {
|
|
28
|
+
return value !== null && typeof value === "object" && !Array.isArray(value);
|
|
29
|
+
}
|
|
30
|
+
function stringValue(value) {
|
|
31
|
+
return typeof value === "string" && value ? value : undefined;
|
|
32
|
+
}
|
|
33
|
+
function numberValue(value) {
|
|
34
|
+
return typeof value === "number" && Number.isFinite(value) ? value : undefined;
|
|
35
|
+
}
|
|
36
|
+
/** pull every downloadable attachment out of a telegram message. */
|
|
37
|
+
function extractAttachments(message) {
|
|
38
|
+
const out = [];
|
|
39
|
+
const photo = message.photo;
|
|
40
|
+
if (Array.isArray(photo) && photo.length > 0) {
|
|
41
|
+
const largest = photo[photo.length - 1];
|
|
42
|
+
if (largest.file_id)
|
|
43
|
+
out.push({ type: "photo", fileId: largest.file_id });
|
|
44
|
+
}
|
|
45
|
+
for (const kind of FILE_KINDS) {
|
|
46
|
+
const m = message[kind];
|
|
47
|
+
if (m && typeof m.file_id === "string") {
|
|
48
|
+
out.push({ type: kind, fileId: m.file_id, fileName: m.file_name, mimeType: m.mime_type });
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
return out;
|
|
52
|
+
}
|
|
53
|
+
function keyboardButton(raw) {
|
|
54
|
+
if (!isRecord(raw))
|
|
55
|
+
return undefined;
|
|
56
|
+
const text = stringValue(raw.text);
|
|
57
|
+
if (!text)
|
|
58
|
+
return undefined;
|
|
59
|
+
const button = { text };
|
|
60
|
+
const callbackData = stringValue(raw.callback_data);
|
|
61
|
+
const url = stringValue(raw.url);
|
|
62
|
+
if (callbackData) {
|
|
63
|
+
button.kind = "callback";
|
|
64
|
+
button.callbackData = callbackData;
|
|
65
|
+
}
|
|
66
|
+
else if (url) {
|
|
67
|
+
button.kind = "url";
|
|
68
|
+
button.url = url;
|
|
69
|
+
}
|
|
70
|
+
else if (raw.web_app !== undefined)
|
|
71
|
+
button.kind = "web_app";
|
|
72
|
+
else if (raw.login_url !== undefined)
|
|
73
|
+
button.kind = "login_url";
|
|
74
|
+
else if (raw.switch_inline_query !== undefined ||
|
|
75
|
+
raw.switch_inline_query_current_chat !== undefined) {
|
|
76
|
+
button.kind = "switch_inline";
|
|
77
|
+
}
|
|
78
|
+
else if (raw.pay === true)
|
|
79
|
+
button.kind = "pay";
|
|
80
|
+
else
|
|
81
|
+
button.kind = "unknown";
|
|
82
|
+
return button;
|
|
83
|
+
}
|
|
84
|
+
function keyboardRows(raw) {
|
|
85
|
+
if (!Array.isArray(raw))
|
|
86
|
+
return [];
|
|
87
|
+
const rows = [];
|
|
88
|
+
for (const row of raw) {
|
|
89
|
+
if (!Array.isArray(row))
|
|
90
|
+
continue;
|
|
91
|
+
const buttons = [];
|
|
92
|
+
for (const item of row) {
|
|
93
|
+
const button = keyboardButton(item);
|
|
94
|
+
if (button)
|
|
95
|
+
buttons.push(button);
|
|
96
|
+
}
|
|
97
|
+
if (buttons.length > 0)
|
|
98
|
+
rows.push(buttons);
|
|
99
|
+
}
|
|
100
|
+
return rows;
|
|
101
|
+
}
|
|
102
|
+
function extractKeyboard(message) {
|
|
103
|
+
const markup = message.reply_markup;
|
|
104
|
+
if (!isRecord(markup))
|
|
105
|
+
return undefined;
|
|
106
|
+
const inline = keyboardRows(markup.inline_keyboard);
|
|
107
|
+
if (inline.length > 0)
|
|
108
|
+
return { type: "inline", rows: inline };
|
|
109
|
+
const reply = keyboardRows(markup.keyboard);
|
|
110
|
+
if (reply.length > 0)
|
|
111
|
+
return { type: "reply", rows: reply };
|
|
112
|
+
return undefined;
|
|
113
|
+
}
|
|
114
|
+
/** best-effort one-line label for a message: its text/caption, else a `[media]` tag. */
|
|
115
|
+
function describe(message) {
|
|
116
|
+
if (!message)
|
|
117
|
+
return undefined;
|
|
118
|
+
const text = message.text ?? message.caption;
|
|
119
|
+
if (typeof text === "string")
|
|
120
|
+
return text;
|
|
121
|
+
const att = extractAttachments(message);
|
|
122
|
+
if (att.length > 0)
|
|
123
|
+
return `[${att[0]?.type}]`;
|
|
124
|
+
for (const kind of TAG_KINDS) {
|
|
125
|
+
if (message[kind] !== undefined)
|
|
126
|
+
return `[${kind}]`;
|
|
127
|
+
}
|
|
128
|
+
return undefined;
|
|
129
|
+
}
|
|
130
|
+
/** build a {@link PanelMessage} from a telegram message, or undefined if nothing to log. */
|
|
131
|
+
function toPanelMessage(direction, message) {
|
|
132
|
+
if (!message)
|
|
133
|
+
return undefined;
|
|
134
|
+
const text = describe(message);
|
|
135
|
+
const attachments = extractAttachments(message);
|
|
136
|
+
const keyboard = extractKeyboard(message);
|
|
137
|
+
if (text === undefined && attachments.length === 0 && !keyboard)
|
|
138
|
+
return undefined;
|
|
139
|
+
const date = typeof message.date === "number" ? message.date : Math.floor(Date.now() / 1000);
|
|
140
|
+
const msg = { direction, text: text ?? "", date };
|
|
141
|
+
if (attachments.length > 0)
|
|
142
|
+
msg.attachments = attachments;
|
|
143
|
+
if (typeof message.media_group_id === "string")
|
|
144
|
+
msg.mediaGroupId = message.media_group_id;
|
|
145
|
+
if (keyboard)
|
|
146
|
+
msg.keyboard = keyboard;
|
|
147
|
+
return msg;
|
|
148
|
+
}
|
|
14
149
|
/** defaults to in-memory store. Lost on restart — swap for a persistent one in production. */
|
|
15
150
|
export class MemoryPanelStore {
|
|
16
151
|
#chats = new Map();
|
|
17
152
|
#messages = new Map();
|
|
153
|
+
#listeners = new Set();
|
|
18
154
|
record(chat, message) {
|
|
19
155
|
const list = this.#messages.get(chat.id) ?? [];
|
|
20
156
|
list.push(message);
|
|
@@ -22,85 +158,532 @@ export class MemoryPanelStore {
|
|
|
22
158
|
list.shift();
|
|
23
159
|
this.#messages.set(chat.id, list);
|
|
24
160
|
const prev = this.#chats.get(chat.id);
|
|
25
|
-
|
|
161
|
+
const next = {
|
|
26
162
|
id: chat.id,
|
|
27
163
|
name: chat.name ?? prev?.name ?? `chat ${chat.id}`,
|
|
28
164
|
lastText: message.text,
|
|
29
165
|
lastDate: message.date,
|
|
30
|
-
}
|
|
166
|
+
};
|
|
167
|
+
const firstName = chat.firstName ?? prev?.firstName;
|
|
168
|
+
const lastName = chat.lastName ?? prev?.lastName;
|
|
169
|
+
const username = chat.username ?? prev?.username;
|
|
170
|
+
const lastAttachmentType = message.attachments?.[0]?.type;
|
|
171
|
+
const lastEventType = message.event?.type;
|
|
172
|
+
if (firstName)
|
|
173
|
+
next.firstName = firstName;
|
|
174
|
+
if (lastName)
|
|
175
|
+
next.lastName = lastName;
|
|
176
|
+
if (username)
|
|
177
|
+
next.username = username;
|
|
178
|
+
if (lastAttachmentType)
|
|
179
|
+
next.lastAttachmentType = lastAttachmentType;
|
|
180
|
+
if (lastEventType)
|
|
181
|
+
next.lastEventType = lastEventType;
|
|
182
|
+
this.#chats.set(chat.id, next);
|
|
183
|
+
for (const fn of this.#listeners) {
|
|
184
|
+
fn({ type: "record", chatId: chat.id, direction: message.direction });
|
|
185
|
+
}
|
|
31
186
|
}
|
|
32
187
|
chats() {
|
|
33
188
|
return [...this.#chats.values()].sort((a, b) => b.lastDate - a.lastDate);
|
|
34
189
|
}
|
|
35
|
-
history(chatId) {
|
|
36
|
-
|
|
190
|
+
history(chatId, options) {
|
|
191
|
+
let list = this.#messages.get(chatId) ?? [];
|
|
192
|
+
if (options?.before !== undefined)
|
|
193
|
+
list = list.filter((m) => m.date < options.before);
|
|
194
|
+
if (options?.limit !== undefined)
|
|
195
|
+
list = list.slice(-options.limit);
|
|
196
|
+
return list;
|
|
197
|
+
}
|
|
198
|
+
subscribe(listener) {
|
|
199
|
+
this.#listeners.add(listener);
|
|
200
|
+
return () => this.#listeners.delete(listener);
|
|
201
|
+
}
|
|
202
|
+
}
|
|
203
|
+
function chatIdentity(chatId, user) {
|
|
204
|
+
const out = { id: chatId };
|
|
205
|
+
if (isRecord(user)) {
|
|
206
|
+
const firstName = stringValue(user.first_name);
|
|
207
|
+
const lastName = stringValue(user.last_name);
|
|
208
|
+
const username = stringValue(user.username);
|
|
209
|
+
if (firstName)
|
|
210
|
+
out.firstName = firstName;
|
|
211
|
+
if (lastName)
|
|
212
|
+
out.lastName = lastName;
|
|
213
|
+
if (username)
|
|
214
|
+
out.username = username;
|
|
215
|
+
const fullName = [firstName, lastName].filter(Boolean).join(" ");
|
|
216
|
+
out.name = username ? `@${username}` : fullName || undefined;
|
|
217
|
+
}
|
|
218
|
+
out.name ??= `chat ${chatId}`;
|
|
219
|
+
return out;
|
|
220
|
+
}
|
|
221
|
+
function privateChatId(chat) {
|
|
222
|
+
if (!isRecord(chat) || chat.type !== "private")
|
|
223
|
+
return undefined;
|
|
224
|
+
return numberValue(chat.id);
|
|
225
|
+
}
|
|
226
|
+
function eventMessage(type, title, detail, data) {
|
|
227
|
+
const event = { type, title };
|
|
228
|
+
if (detail)
|
|
229
|
+
event.detail = detail;
|
|
230
|
+
if (data)
|
|
231
|
+
event.data = data;
|
|
232
|
+
return {
|
|
233
|
+
direction: "in",
|
|
234
|
+
text: detail ? `${title}: ${detail}` : title,
|
|
235
|
+
date: Math.floor(Date.now() / 1000),
|
|
236
|
+
event,
|
|
237
|
+
};
|
|
238
|
+
}
|
|
239
|
+
function reactionCount(raw) {
|
|
240
|
+
return Array.isArray(raw) ? raw.length : undefined;
|
|
241
|
+
}
|
|
242
|
+
function eventRecord(update) {
|
|
243
|
+
if (isRecord(update.callback_query)) {
|
|
244
|
+
const query = update.callback_query;
|
|
245
|
+
const message = isRecord(query.message) ? query.message : undefined;
|
|
246
|
+
const chatId = privateChatId(message?.chat);
|
|
247
|
+
if (chatId === undefined)
|
|
248
|
+
return undefined;
|
|
249
|
+
const data = stringValue(query.data);
|
|
250
|
+
return {
|
|
251
|
+
chat: chatIdentity(chatId, query.from),
|
|
252
|
+
message: eventMessage("callback", "button clicked", data ?? "callback query", data),
|
|
253
|
+
};
|
|
254
|
+
}
|
|
255
|
+
if (isRecord(update.message_reaction)) {
|
|
256
|
+
const reaction = update.message_reaction;
|
|
257
|
+
const chatId = privateChatId(reaction.chat);
|
|
258
|
+
if (chatId === undefined)
|
|
259
|
+
return undefined;
|
|
260
|
+
const next = reactionCount(reaction.new_reaction) ?? 0;
|
|
261
|
+
const detail = `changed to ${next} reaction${next === 1 ? "" : "s"}`;
|
|
262
|
+
return {
|
|
263
|
+
chat: chatIdentity(chatId, reaction.user),
|
|
264
|
+
message: eventMessage("reaction", "message reaction", detail),
|
|
265
|
+
};
|
|
266
|
+
}
|
|
267
|
+
if (isRecord(update.message_reaction_count)) {
|
|
268
|
+
const reaction = update.message_reaction_count;
|
|
269
|
+
const chatId = privateChatId(reaction.chat);
|
|
270
|
+
if (chatId === undefined)
|
|
271
|
+
return undefined;
|
|
272
|
+
const next = reactionCount(reaction.reactions) ?? 0;
|
|
273
|
+
const detail = `${next} reaction type${next === 1 ? "" : "s"}`;
|
|
274
|
+
return {
|
|
275
|
+
chat: chatIdentity(chatId, reaction.chat),
|
|
276
|
+
message: eventMessage("reaction_count", "reaction count", detail),
|
|
277
|
+
};
|
|
278
|
+
}
|
|
279
|
+
if (isRecord(update.poll_answer)) {
|
|
280
|
+
const answer = update.poll_answer;
|
|
281
|
+
const user = answer.user;
|
|
282
|
+
if (!isRecord(user))
|
|
283
|
+
return undefined;
|
|
284
|
+
const chatId = numberValue(user.id);
|
|
285
|
+
if (chatId === undefined)
|
|
286
|
+
return undefined;
|
|
287
|
+
const optionIds = Array.isArray(answer.option_ids)
|
|
288
|
+
? answer.option_ids.filter((id) => typeof id === "number")
|
|
289
|
+
: [];
|
|
290
|
+
return {
|
|
291
|
+
chat: chatIdentity(chatId, user),
|
|
292
|
+
message: eventMessage("poll_answer", "poll answer", `options ${optionIds.join(", ")}`),
|
|
293
|
+
};
|
|
294
|
+
}
|
|
295
|
+
const member = isRecord(update.my_chat_member)
|
|
296
|
+
? update.my_chat_member
|
|
297
|
+
: isRecord(update.chat_member)
|
|
298
|
+
? update.chat_member
|
|
299
|
+
: undefined;
|
|
300
|
+
if (member) {
|
|
301
|
+
const chatId = privateChatId(member.chat);
|
|
302
|
+
if (chatId === undefined)
|
|
303
|
+
return undefined;
|
|
304
|
+
const next = isRecord(member.new_chat_member)
|
|
305
|
+
? stringValue(member.new_chat_member.status)
|
|
306
|
+
: undefined;
|
|
307
|
+
return {
|
|
308
|
+
chat: chatIdentity(chatId, member.from),
|
|
309
|
+
message: eventMessage("chat_member", "chat member", next ?? "updated"),
|
|
310
|
+
};
|
|
311
|
+
}
|
|
312
|
+
return undefined;
|
|
313
|
+
}
|
|
314
|
+
/** records a raw Telegram update into the store; useful from any bot framework. */
|
|
315
|
+
export async function recordTelegramUpdate(store, update) {
|
|
316
|
+
if (!isRecord(update))
|
|
317
|
+
return false;
|
|
318
|
+
let recorded = false;
|
|
319
|
+
const rawMessage = update.message ?? update.edited_message ?? update.channel_post;
|
|
320
|
+
if (isRecord(rawMessage)) {
|
|
321
|
+
const chatId = privateChatId(rawMessage.chat);
|
|
322
|
+
const message = toPanelMessage("in", rawMessage);
|
|
323
|
+
if (chatId !== undefined && message) {
|
|
324
|
+
await store.record(chatIdentity(chatId, rawMessage.from), message);
|
|
325
|
+
recorded = true;
|
|
326
|
+
}
|
|
327
|
+
}
|
|
328
|
+
const event = eventRecord(update);
|
|
329
|
+
if (event) {
|
|
330
|
+
await store.record(event.chat, event.message);
|
|
331
|
+
recorded = true;
|
|
37
332
|
}
|
|
333
|
+
return recorded;
|
|
38
334
|
}
|
|
39
|
-
/** records incoming private-chat
|
|
335
|
+
/** records incoming private-chat updates into the store so the panel can show them. */
|
|
40
336
|
export function recorder(store) {
|
|
41
337
|
const plugin = (composer) => composer.use(async (ctx, next) => {
|
|
42
|
-
|
|
43
|
-
const chat = ctx.chat;
|
|
44
|
-
if (text !== undefined && chat?.type === "private") {
|
|
45
|
-
const name = ctx.from?.username
|
|
46
|
-
? `@${ctx.from.username}`
|
|
47
|
-
: (ctx.from?.first_name ?? `chat ${chat.id}`);
|
|
48
|
-
await store.record({ id: chat.id, name }, { direction: "in", text, date: Math.floor(Date.now() / 1000) });
|
|
49
|
-
}
|
|
338
|
+
await recordTelegramUpdate(store, ctx.update);
|
|
50
339
|
await next();
|
|
51
340
|
});
|
|
52
341
|
return plugin;
|
|
53
342
|
}
|
|
343
|
+
/** create a small Bot API client that satisfies {@link PanelApi}; useful with any framework. */
|
|
344
|
+
export function createPanelApi(token, options) {
|
|
345
|
+
return createApi(token, options);
|
|
346
|
+
}
|
|
347
|
+
/** map an attachment kind to its telegram send method + param field. */
|
|
348
|
+
const SEND_METHODS = {
|
|
349
|
+
photo: { method: "sendPhoto", field: "photo" },
|
|
350
|
+
video: { method: "sendVideo", field: "video" },
|
|
351
|
+
animation: { method: "sendAnimation", field: "animation" },
|
|
352
|
+
audio: { method: "sendAudio", field: "audio" },
|
|
353
|
+
voice: { method: "sendVoice", field: "voice" },
|
|
354
|
+
video_note: { method: "sendVideoNote", field: "video_note" },
|
|
355
|
+
document: { method: "sendDocument", field: "document" },
|
|
356
|
+
sticker: { method: "sendSticker", field: "sticker" },
|
|
357
|
+
};
|
|
358
|
+
/** choose how to send an operator-uploaded file: explicit `type`, else infer from mime. */
|
|
359
|
+
function pickSendKind(type, mime) {
|
|
360
|
+
if (type && type in SEND_METHODS)
|
|
361
|
+
return type;
|
|
362
|
+
if (mime.startsWith("image/"))
|
|
363
|
+
return mime === "image/gif" ? "animation" : "photo";
|
|
364
|
+
if (mime.startsWith("video/"))
|
|
365
|
+
return "video";
|
|
366
|
+
if (mime === "audio/ogg")
|
|
367
|
+
return "voice";
|
|
368
|
+
if (mime.startsWith("audio/"))
|
|
369
|
+
return "audio";
|
|
370
|
+
return "document";
|
|
371
|
+
}
|
|
372
|
+
/** log a single telegram message result as an outgoing record (text or media). */
|
|
373
|
+
function recordResult(store, result) {
|
|
374
|
+
if (!result || typeof result !== "object")
|
|
375
|
+
return;
|
|
376
|
+
const raw = result;
|
|
377
|
+
const chat = raw.chat;
|
|
378
|
+
if (chat?.id === undefined || chat.type !== "private")
|
|
379
|
+
return;
|
|
380
|
+
const message = toPanelMessage("out", raw);
|
|
381
|
+
if (message)
|
|
382
|
+
void Promise.resolve(store.record(chatIdentity(chat.id, raw.chat), message));
|
|
383
|
+
}
|
|
384
|
+
/**
|
|
385
|
+
* record replies the bot sends *outside* the panel (e.g. `ctx.reply(...)` or `ctx.replyWithPhoto(...)`
|
|
386
|
+
* in your handlers) so they show up in the conversation too. hooks the api's `after` stage and logs
|
|
387
|
+
* every successful `send*` call (including `sendMediaGroup`, which returns an array) to a private chat.
|
|
388
|
+
*
|
|
389
|
+
* pairs with `panelHandler(..., { recordSends: false })` — the panel records its own sends,
|
|
390
|
+
* so disable that to avoid double entries when this is installed.
|
|
391
|
+
*
|
|
392
|
+
* ```ts
|
|
393
|
+
* recordOutgoing(bot.api, store);
|
|
394
|
+
* const handler = panelHandler(bot.api, store, { token, recordSends: false });
|
|
395
|
+
* ```
|
|
396
|
+
*/
|
|
397
|
+
export function recordOutgoing(api, store) {
|
|
398
|
+
api.after((method, result) => {
|
|
399
|
+
if (method.startsWith("send")) {
|
|
400
|
+
if (Array.isArray(result))
|
|
401
|
+
for (const item of result)
|
|
402
|
+
recordResult(store, item);
|
|
403
|
+
else
|
|
404
|
+
recordResult(store, result);
|
|
405
|
+
}
|
|
406
|
+
return result;
|
|
407
|
+
});
|
|
408
|
+
return api;
|
|
409
|
+
}
|
|
54
410
|
const json = (data, status = 200) => new Response(JSON.stringify(data), {
|
|
55
411
|
status,
|
|
56
412
|
headers: { "content-type": "application/json", "x-content-type-options": "nosniff" },
|
|
57
413
|
});
|
|
414
|
+
/** resolve the `Access-Control-Allow-Origin` value for a request, or undefined if disallowed. */
|
|
415
|
+
function corsOrigin(cors, request) {
|
|
416
|
+
if (cors === undefined)
|
|
417
|
+
return undefined;
|
|
418
|
+
if (cors === "*")
|
|
419
|
+
return "*";
|
|
420
|
+
const origin = request.headers.get("origin");
|
|
421
|
+
if (!origin)
|
|
422
|
+
return undefined;
|
|
423
|
+
const allowed = Array.isArray(cors) ? cors : [cors];
|
|
424
|
+
return allowed.includes(origin) ? origin : undefined;
|
|
425
|
+
}
|
|
426
|
+
/** fields a panel client may pass through to `sendMessage` alongside `chat_id`/`text`. */
|
|
427
|
+
const SEND_PASSTHROUGH = [
|
|
428
|
+
"parse_mode",
|
|
429
|
+
"entities",
|
|
430
|
+
"link_preview_options",
|
|
431
|
+
"reply_to_message_id",
|
|
432
|
+
"reply_parameters",
|
|
433
|
+
"reply_markup",
|
|
434
|
+
"disable_notification",
|
|
435
|
+
"protect_content",
|
|
436
|
+
];
|
|
437
|
+
/** normalize a mount prefix: `""` or `/foo` (no trailing slash). */
|
|
438
|
+
function normalizeBase(basePath) {
|
|
439
|
+
if (!basePath)
|
|
440
|
+
return "";
|
|
441
|
+
const trimmed = basePath.replace(/\/+$/, "");
|
|
442
|
+
return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
|
|
443
|
+
}
|
|
444
|
+
/** a tiny in-memory limiter for failed auth attempts, keyed per client. */
|
|
445
|
+
function createLimiter(config) {
|
|
446
|
+
if (config === false)
|
|
447
|
+
return undefined;
|
|
448
|
+
const max = config?.max ?? 10;
|
|
449
|
+
const windowMs = config?.windowMs ?? 60_000;
|
|
450
|
+
const hits = new Map();
|
|
451
|
+
return {
|
|
452
|
+
/** ms the caller must wait, or 0 if still allowed. */
|
|
453
|
+
blockedFor(key) {
|
|
454
|
+
const now = Date.now();
|
|
455
|
+
const entry = hits.get(key);
|
|
456
|
+
if (entry && now < entry.resetAt && entry.count >= max) {
|
|
457
|
+
return entry.resetAt - now;
|
|
458
|
+
}
|
|
459
|
+
return 0;
|
|
460
|
+
},
|
|
461
|
+
fail(key) {
|
|
462
|
+
const now = Date.now();
|
|
463
|
+
const entry = hits.get(key);
|
|
464
|
+
if (!entry || now >= entry.resetAt) {
|
|
465
|
+
hits.set(key, { count: 1, resetAt: now + windowMs });
|
|
466
|
+
}
|
|
467
|
+
else {
|
|
468
|
+
entry.count++;
|
|
469
|
+
}
|
|
470
|
+
},
|
|
471
|
+
reset(key) {
|
|
472
|
+
hits.delete(key);
|
|
473
|
+
},
|
|
474
|
+
};
|
|
475
|
+
}
|
|
476
|
+
function defaultClientKey(request) {
|
|
477
|
+
const fwd = request.headers.get("x-forwarded-for");
|
|
478
|
+
const forwardedIp = fwd?.split(",")[0]?.trim();
|
|
479
|
+
if (forwardedIp)
|
|
480
|
+
return forwardedIp;
|
|
481
|
+
return request.headers.get("x-real-ip") ?? "shared";
|
|
482
|
+
}
|
|
483
|
+
/** an SSE response that forwards store events to the browser (keep-alive pinged). */
|
|
484
|
+
function streamResponse(store) {
|
|
485
|
+
const encoder = new TextEncoder();
|
|
486
|
+
let unsubscribe;
|
|
487
|
+
let ping;
|
|
488
|
+
const stream = new ReadableStream({
|
|
489
|
+
start(controller) {
|
|
490
|
+
const push = (chunk) => {
|
|
491
|
+
try {
|
|
492
|
+
controller.enqueue(encoder.encode(chunk));
|
|
493
|
+
}
|
|
494
|
+
catch {
|
|
495
|
+
/* client gone — cancel() will clean up */
|
|
496
|
+
}
|
|
497
|
+
};
|
|
498
|
+
push(": connected\n\n");
|
|
499
|
+
unsubscribe = store.subscribe?.((event) => push(`event: record\ndata: ${JSON.stringify(event)}\n\n`));
|
|
500
|
+
ping = setInterval(() => push(": ping\n\n"), 25_000);
|
|
501
|
+
},
|
|
502
|
+
cancel() {
|
|
503
|
+
if (ping)
|
|
504
|
+
clearInterval(ping);
|
|
505
|
+
unsubscribe?.();
|
|
506
|
+
},
|
|
507
|
+
});
|
|
508
|
+
return new Response(stream, {
|
|
509
|
+
headers: {
|
|
510
|
+
"content-type": "text/event-stream; charset=utf-8",
|
|
511
|
+
"cache-control": "no-cache, no-transform",
|
|
512
|
+
"x-content-type-options": "nosniff",
|
|
513
|
+
},
|
|
514
|
+
});
|
|
515
|
+
}
|
|
58
516
|
/**
|
|
59
|
-
* a fetch-style handler for the operator panel: serves the
|
|
60
|
-
* api to list chats, read a conversation, and send a
|
|
61
|
-
*
|
|
517
|
+
* a fetch-style handler for the operator panel: serves the login + chat UI at the mount
|
|
518
|
+
* root, and a small api to list chats, read a conversation, stream updates, and send a
|
|
519
|
+
* reply. mount it on any fetch-compatible server.
|
|
62
520
|
*/
|
|
63
521
|
export function panelHandler(api, store, options) {
|
|
64
522
|
if (!options.token)
|
|
65
523
|
throw new Error("panelHandler: a non-empty token is required");
|
|
524
|
+
const base = normalizeBase(options.basePath);
|
|
525
|
+
const limiter = createLimiter(options.rateLimit);
|
|
526
|
+
const clientKey = options.clientKey ?? defaultClientKey;
|
|
66
527
|
return async (request) => {
|
|
528
|
+
const allowOrigin = corsOrigin(options.cors, request);
|
|
529
|
+
// attach CORS headers (when enabled) to every response the handler returns
|
|
530
|
+
const finish = (response) => {
|
|
531
|
+
if (allowOrigin) {
|
|
532
|
+
response.headers.set("access-control-allow-origin", allowOrigin);
|
|
533
|
+
response.headers.set("vary", "origin");
|
|
534
|
+
}
|
|
535
|
+
return response;
|
|
536
|
+
};
|
|
537
|
+
// preflight is unauthenticated by spec — answer it before the token check
|
|
538
|
+
if (request.method === "OPTIONS") {
|
|
539
|
+
return finish(new Response(null, {
|
|
540
|
+
status: 204,
|
|
541
|
+
headers: {
|
|
542
|
+
"access-control-allow-methods": "GET, POST, OPTIONS",
|
|
543
|
+
"access-control-allow-headers": "authorization, content-type",
|
|
544
|
+
"access-control-max-age": "86400",
|
|
545
|
+
},
|
|
546
|
+
}));
|
|
547
|
+
}
|
|
67
548
|
const url = new URL(request.url);
|
|
549
|
+
// resolve the path relative to the configured mount prefix
|
|
550
|
+
let path = url.pathname;
|
|
551
|
+
if (base) {
|
|
552
|
+
if (path === base)
|
|
553
|
+
path = "/";
|
|
554
|
+
else if (path.startsWith(`${base}/`))
|
|
555
|
+
path = path.slice(base.length);
|
|
556
|
+
else
|
|
557
|
+
return finish(json({ error: "not found" }, 404));
|
|
558
|
+
}
|
|
559
|
+
// the login + app shell is public; auth is enforced on /api/* only
|
|
560
|
+
if (path === "/" && request.method === "GET") {
|
|
561
|
+
return finish(new Response(PANEL_HTML.replaceAll("__BASE__", base), {
|
|
562
|
+
headers: {
|
|
563
|
+
"content-type": "text/html; charset=utf-8",
|
|
564
|
+
// tokens are never put in the page url anymore, but stay strict anyway
|
|
565
|
+
"referrer-policy": "no-referrer",
|
|
566
|
+
"content-security-policy": "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'",
|
|
567
|
+
"x-content-type-options": "nosniff",
|
|
568
|
+
},
|
|
569
|
+
}));
|
|
570
|
+
}
|
|
571
|
+
// ---- everything below requires a valid token ----
|
|
572
|
+
const key = clientKey(request);
|
|
573
|
+
const wait = limiter?.blockedFor(key) ?? 0;
|
|
574
|
+
if (wait > 0) {
|
|
575
|
+
const res = json({ error: "too many attempts" }, 429);
|
|
576
|
+
res.headers.set("retry-after", String(Math.ceil(wait / 1000)));
|
|
577
|
+
return finish(res);
|
|
578
|
+
}
|
|
68
579
|
const provided = url.searchParams.get("token") ??
|
|
69
580
|
request.headers.get("authorization")?.replace(/^Bearer\s+/i, "") ??
|
|
70
581
|
"";
|
|
71
582
|
// fail closed: reject empty/missing tokens and use a constant-time compare
|
|
72
583
|
if (!provided || !safeEqual(provided, options.token)) {
|
|
73
|
-
|
|
584
|
+
limiter?.fail(key);
|
|
585
|
+
return finish(new Response("unauthorized", { status: 401 }));
|
|
586
|
+
}
|
|
587
|
+
limiter?.reset(key);
|
|
588
|
+
if (path === "/api/chats" && request.method === "GET") {
|
|
589
|
+
return finish(json(await store.chats()));
|
|
74
590
|
}
|
|
75
|
-
|
|
76
|
-
|
|
591
|
+
// realtime stream of store events (EventSource can't set headers → token in query)
|
|
592
|
+
if (path === "/api/stream" && request.method === "GET") {
|
|
593
|
+
return finish(streamResponse(store));
|
|
594
|
+
}
|
|
595
|
+
// proxy a telegram file by file_id, keeping the bot token server-side
|
|
596
|
+
if (path === "/api/file" && request.method === "GET") {
|
|
597
|
+
const fileId = url.searchParams.get("id");
|
|
598
|
+
if (!fileId)
|
|
599
|
+
return finish(json({ error: "id required" }, 400));
|
|
600
|
+
if (!api.call || !api.fileUrl) {
|
|
601
|
+
return finish(json({ error: "media proxy needs an api with call()/fileUrl()" }, 501));
|
|
602
|
+
}
|
|
603
|
+
const file = await api
|
|
604
|
+
.call("getFile", { file_id: fileId })
|
|
605
|
+
.catch(() => undefined);
|
|
606
|
+
if (!file?.file_path)
|
|
607
|
+
return finish(json({ error: "file not found" }, 404));
|
|
608
|
+
const upstream = await fetch(api.fileUrl(file.file_path));
|
|
609
|
+
if (!upstream.ok || !upstream.body)
|
|
610
|
+
return finish(json({ error: "download failed" }, 502));
|
|
611
|
+
return finish(new Response(upstream.body, {
|
|
77
612
|
headers: {
|
|
78
|
-
"content-type": "
|
|
79
|
-
|
|
80
|
-
"referrer-policy": "no-referrer",
|
|
81
|
-
"content-security-policy": "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'",
|
|
613
|
+
"content-type": upstream.headers.get("content-type") ?? "application/octet-stream",
|
|
614
|
+
"cache-control": "private, max-age=86400",
|
|
82
615
|
"x-content-type-options": "nosniff",
|
|
83
616
|
},
|
|
84
|
-
});
|
|
85
|
-
}
|
|
86
|
-
if (url.pathname === "/api/chats" && request.method === "GET") {
|
|
87
|
-
return json(await store.chats());
|
|
617
|
+
}));
|
|
88
618
|
}
|
|
89
|
-
const get =
|
|
619
|
+
const get = path.match(/^\/api\/chats\/(-?\d+)$/);
|
|
90
620
|
if (get?.[1] && request.method === "GET") {
|
|
91
|
-
|
|
621
|
+
const before = url.searchParams.get("before");
|
|
622
|
+
const limit = url.searchParams.get("limit");
|
|
623
|
+
const opts = {};
|
|
624
|
+
if (before !== null)
|
|
625
|
+
opts.before = Number(before);
|
|
626
|
+
if (limit !== null)
|
|
627
|
+
opts.limit = Number(limit);
|
|
628
|
+
return finish(json(await store.history(Number(get[1]), opts)));
|
|
92
629
|
}
|
|
93
|
-
const send =
|
|
630
|
+
const send = path.match(/^\/api\/chats\/(-?\d+)\/send$/);
|
|
94
631
|
if (send?.[1] && request.method === "POST") {
|
|
95
632
|
const chatId = Number(send[1]);
|
|
633
|
+
const contentType = request.headers.get("content-type") ?? "";
|
|
634
|
+
// ---- operator file upload (multipart) -> sendPhoto / sendDocument / sendVoice / ... ----
|
|
635
|
+
if (contentType.includes("multipart/form-data")) {
|
|
636
|
+
if (!api.call) {
|
|
637
|
+
return finish(json({ error: "uploads need an api with call()" }, 501));
|
|
638
|
+
}
|
|
639
|
+
const form = await request.formData().catch(() => undefined);
|
|
640
|
+
const file = form?.get("file");
|
|
641
|
+
if (!(file instanceof Blob))
|
|
642
|
+
return finish(json({ error: "file required" }, 400));
|
|
643
|
+
const kind = pickSendKind(String(form?.get("type") ?? ""), file.type);
|
|
644
|
+
const { method, field } = SEND_METHODS[kind];
|
|
645
|
+
const filename = file.name || kind;
|
|
646
|
+
const bytes = new Uint8Array(await file.arrayBuffer());
|
|
647
|
+
const params = {
|
|
648
|
+
chat_id: chatId,
|
|
649
|
+
[field]: media.buffer(bytes, filename),
|
|
650
|
+
};
|
|
651
|
+
const caption = form?.get("caption");
|
|
652
|
+
if (typeof caption === "string" && caption)
|
|
653
|
+
params.caption = caption;
|
|
654
|
+
const result = await api.call(method, params);
|
|
655
|
+
if (options.recordSends !== false)
|
|
656
|
+
recordResult(store, result);
|
|
657
|
+
return finish(json({ ok: true }));
|
|
658
|
+
}
|
|
659
|
+
// ---- text reply (json) → sendMessage ----
|
|
96
660
|
const body = (await request.json().catch(() => ({})));
|
|
97
|
-
if (!body.text)
|
|
98
|
-
return json({ error: "text required" }, 400);
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
661
|
+
if (typeof body.text !== "string" || !body.text) {
|
|
662
|
+
return finish(json({ error: "text required" }, 400));
|
|
663
|
+
}
|
|
664
|
+
const params = { chat_id: chatId, text: body.text };
|
|
665
|
+
for (const field of SEND_PASSTHROUGH) {
|
|
666
|
+
if (body[field] !== undefined)
|
|
667
|
+
params[field] = body[field];
|
|
668
|
+
}
|
|
669
|
+
const result = await api.sendMessage(params);
|
|
670
|
+
// skip when recordOutgoing already logs every send (avoids double entries)
|
|
671
|
+
if (options.recordSends !== false) {
|
|
672
|
+
// record from the api result when it's a real message, else fall back to the text
|
|
673
|
+
if (result && typeof result === "object" && "chat" in result)
|
|
674
|
+
recordResult(store, result);
|
|
675
|
+
else {
|
|
676
|
+
const fallback = toPanelMessage("out", {
|
|
677
|
+
text: body.text,
|
|
678
|
+
date: Math.floor(Date.now() / 1000),
|
|
679
|
+
reply_markup: body.reply_markup,
|
|
680
|
+
}) ?? { direction: "out", text: body.text, date: Math.floor(Date.now() / 1000) };
|
|
681
|
+
await store.record({ id: chatId }, fallback);
|
|
682
|
+
}
|
|
683
|
+
}
|
|
684
|
+
return finish(json({ ok: true }));
|
|
102
685
|
}
|
|
103
|
-
return json({ error: "not found" }, 404);
|
|
686
|
+
return finish(json({ error: "not found" }, 404));
|
|
104
687
|
};
|
|
105
688
|
}
|
|
106
689
|
//# sourceMappingURL=index.js.map
|