v1.1.0: Полный редизайн фронтенда, усиление безопасности и обновление версии

src/GmRelay.Web/Services/TelegramAuthService.cs

@@ -26,19 +26,18 @@ public sealed class TelegramAuthService(IConfiguration configuration)
 
         var dataCheckString = string.Join("\n", dataCheckList);
 
-        // 2. Compute Secret Key
-        using var sha256 = SHA256.Create();
-        var secretKey = sha256.ComputeHash(Encoding.UTF8.GetBytes(token));
+        // 2. Compute Secret Key (static method — no IDisposable needed)
+        var secretKey = SHA256.HashData(Encoding.UTF8.GetBytes(token));
 
-        // 3. Compute Hash
-        using var hmac = new HMACSHA256(secretKey);
-        var computedHashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(dataCheckString));
-        var computedHash = Convert.ToHexString(computedHashBytes).ToLower();
+        // 3. Compute Hash (static method — no IDisposable needed)
+        var computedHashBytes = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataCheckString));
 
-        if (computedHash != hash.ToString().ToLower())
+        // 4. Timing-safe comparison to prevent timing attacks
+        var hashBytes = Convert.FromHexString(hash.ToString());
+        if (!CryptographicOperations.FixedTimeEquals(computedHashBytes, hashBytes))
             return false;
 
-        // 4. Check expiration (auth_date)
+        // 5. Check expiration (auth_date)
         if (query.TryGetValue("auth_date", out var authDateStr) && long.TryParse(authDateStr, out var authDate))
         {
             var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();