docs: clarify mini app dashboard for GMs

fix: stabilize mini app login and safe area
fix: refresh login fallback in mini app
2026-04-28 21:01:30 +03:00 · 2026-04-28 20:25:18 +03:00 · 2026-04-28 17:20:29 +03:00 · 2026-04-28 17:03:53 +03:00 · 2026-04-28 14:56:55 +03:00 · 2026-04-28 10:36:52 +03:00
25 changed files with 1296 additions and 34 deletions
@@ -6,6 +6,10 @@ TELEGRAM_BOT_TOKEN=YOUR_BOT_TOKEN_HERE
 # Найти его можно в информации о боте у @BotFather.
 TELEGRAM_BOT_USERNAME=YOUR_BOT_USERNAME_HERE

+# HTTPS URL Mini App dashboard, например: https://your-domain.example/miniapp
+# Используется ботом для кнопки меню Telegram и кнопки /start.
+TELEGRAM_MINI_APP_URL=
+
 # Пароль для базы данных PostgreSQL
 POSTGRES_PASSWORD=StrongPasswordForDatabase

@@ -6,7 +6,7 @@ on:
      - main 

 env:
-  VERSION: 1.8.1
+  VERSION: 1.9.4

 jobs:
  # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами)
@@ -64,6 +64,7 @@ jobs:
          echo "TELEGRAM_BOT_TOKEN=${{ secrets.TELEGRAM_BOT_TOKEN }}" > .env
          echo "POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}" >> .env
          echo "TELEGRAM_BOT_USERNAME=${{ secrets.TELEGRAM_BOT_USERNAME }}" >> .env
+          echo "TELEGRAM_MINI_APP_URL=${{ secrets.TELEGRAM_MINI_APP_URL }}" >> .env

      - name: Deploy Containers
        run: |
@@ -1,6 +1,6 @@
 <Project>
  <PropertyGroup>
-    <Version>1.8.1</Version>
+    <Version>1.9.4</Version>
    <TargetFramework>net10.0</TargetFramework>
    <LangVersion>preview</LangVersion>
    <Nullable>enable</Nullable>
@@ -4,7 +4,7 @@

 Проект разработан с упором на производительность, архитектуру Vertical Slice, Native AOT (для бота) и удобство развертывания с использованием .NET Aspire.

-**Текущая версия:** `v1.8.1`.
+**Текущая версия:** `v1.9.4`.

 ---

@@ -24,6 +24,7 @@

 ### 🌐 Web Dashboard (Blazor Server)
 - **🔐 Авторизация через Telegram**: Безопасный вход с использованием Telegram Login Widget (HMAC-SHA256 валидация).
+- **📱 Telegram Mini App Dashboard**: Мобильная версия dashboard открывается прямо из Telegram, проверяет WebApp `initData` на сервере и использует те же права owner/co-GM, что и обычный Web Dashboard. Если Mini App попадает в fallback-вход, Telegram Login Widget авторизует пользователя callback-запросом внутри текущего WebView, а интерфейс учитывает safe-area телефона и верхнюю панель Telegram.
 - **📝 Удобное редактирование**: Веб-интерфейс для детального редактирования сессий, изменения дат, названий и статусов.
 - **🤝 Co-GM и делегирование**: Owner группы назначает помощников по Telegram ID, а co-GM получает доступ к управлению расписанием в Telegram и Web Dashboard.
 - **📋 Шаблоны кампаний**: Owner и co-GM управляют типовыми параметрами кампаний в отдельной вкладке `Шаблоны`, а на странице группы запускают новый повторяющийся batch из выбранного шаблона.
@@ -74,6 +75,10 @@ TELEGRAM_BOT_TOKEN=ваш_токен_здесь
 # Используется для работы виджета авторизации (Telegram Login Widget).
 TELEGRAM_BOT_USERNAME=ваше_имя_бота_здесь

+# HTTPS URL Mini App dashboard, например: https://your-domain.example/miniapp.
+# Используется кнопкой меню Telegram и кнопкой /start.
+TELEGRAM_MINI_APP_URL=https://your-domain.example/miniapp
+
 # Пароль для базы данных PostgreSQL
 POSTGRES_PASSWORD=ваш_надежный_пароль

@@ -83,6 +88,8 @@ GMRELAY_WEB_PORT=8080

 *(Опционально)* Настройте домен Telegram бота в @BotFather командой `/setdomain` для работы виджета авторизации на вашем сайте.

+Для Telegram Mini App настройте в @BotFather домен Web Dashboard и menu button на URL из `TELEGRAM_MINI_APP_URL`. Бот также показывает кнопку `Открыть dashboard` в ответе на `/start`, если переменная задана. Начиная с v1.9.3 дополнительных действий в BotFather для фикса входа не требуется: URL остаётся тем же HTTPS-адресом `/miniapp`, а fallback-вход выполняется внутри активного Telegram WebView.
+
 ### 3. Запуск
 Выполните команду:
 ```bash
@@ -171,6 +178,13 @@ Owner или co-GM нажимает кнопку `⏰ Перенести` у н

 Если включён режим `В группе и в личку`, бот дополнительно отправляет игрокам персональные сообщения о RSVP за 24 часа, напоминание за 1 час, ссылку перед стартом, отмену и перенос. Если Telegram не позволяет написать игроку в ЛС, бот логирует ошибку и продолжает отправку остальным участникам.

+### Telegram Mini App Dashboard
+Owner и co-GM могут открыть мобильный dashboard прямо из Telegram: через кнопку меню бота или кнопку `Открыть dashboard` после `/start`. Дополнительный пароль вводить не нужно: GM-Relay сам проверит вход через Telegram.
+
+Внутри открывается та же панель управления, только удобная для телефона. Можно смотреть свои группы, редактировать игры, управлять листом ожидания, запускать шаблоны и выполнять массовые действия с пачками игр. Чужие группы не появятся: dashboard показывает только те группы, где вы owner или co-GM.
+
+Если автоматический вход не сработал, Mini App покажет понятное сообщение и кнопку входа через Telegram. Нажмите её, подтвердите вход, и dashboard откроется в том же окне Telegram.
+
 ### Другие команды
 - `/listsessions` — Показать список всех актуальных игр в этой группе.
 - `⏰ Перенести` в сообщении расписания — Запустить голосование по 2-3 вариантам нового времени.
@@ -17,7 +17,7 @@ services:
      retries: 10

  bot:
-    image: git.codeanddice.ru/toutsu/gmrelay-bot:1.8.1
+    image: git.codeanddice.ru/toutsu/gmrelay-bot:1.9.4
    restart: always
    depends_on:
      db:
@@ -25,11 +25,12 @@ services:
    environment:
      - "ConnectionStrings__gmrelaydb=Host=db;Port=5432;Database=gmrelay_db;Username=gmrelay;Password=${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in .env}"
      - "Telegram__BotToken=${TELEGRAM_BOT_TOKEN:?Set TELEGRAM_BOT_TOKEN in .env}"
+      - "Telegram__MiniAppUrl=${TELEGRAM_MINI_APP_URL:-}"
    networks:
      - gmrelay

  web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:1.8.1
+    image: git.codeanddice.ru/toutsu/gmrelay-web:1.9.4
    restart: always
    depends_on:
      db:
@@ -38,6 +39,7 @@ services:
      - "ConnectionStrings__gmrelaydb=Host=db;Port=5432;Database=gmrelay_db;Username=gmrelay;Password=${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in .env}"
      - "Telegram__BotToken=${TELEGRAM_BOT_TOKEN:?Set TELEGRAM_BOT_TOKEN in .env}"
      - "Telegram__BotUsername=${TELEGRAM_BOT_USERNAME:?Set TELEGRAM_BOT_USERNAME in .env}"
+      - "Telegram__MiniAppUrl=${TELEGRAM_MINI_APP_URL:-}"
    ports:
      - "${GMRELAY_WEB_PORT:-8080}:8080"
    volumes:
@@ -0,0 +1,69 @@
+# Telegram Mini App Dashboard Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Add a Telegram Mini App mobile dashboard that reuses the existing Web Dashboard and validates Telegram WebApp `initData` on the server.
+
+**Architecture:** Extend `TelegramAuthService` for WebApp init data, add a `/miniapp` Blazor entry page plus `/auth/telegram-webapp` endpoint, and add bot entry points through an inline WebApp button and optional menu button setup. Existing application/domain services remain the only write path.
+
+**Tech Stack:** .NET 10, Blazor Server, Telegram.Bot, xUnit, Dapper/Npgsql-backed existing services.
+
+---
+
+### Task 1: Telegram WebApp Authentication
+
+**Files:**
+- Modify: `src/GmRelay.Web/Services/TelegramAuthService.cs`
+- Modify: `src/GmRelay.Web/Program.cs`
+- Test: `tests/GmRelay.Bot.Tests/Web/TelegramAuthServiceTests.cs`
+
+- [ ] Write failing tests for valid WebApp `initData`, tampered hash, and expired auth date.
+- [ ] Run `dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --filter TelegramAuthServiceTests`.
+- [ ] Implement WebApp HMAC verification using the Telegram `WebAppData` secret derivation.
+- [ ] Add `/auth/telegram-webapp` endpoint that signs in using the same claims as `/auth/telegram`.
+- [ ] Re-run the filtered tests.
+
+### Task 2: Mini App Entry Page
+
+**Files:**
+- Create: `src/GmRelay.Web/Components/Pages/MiniApp.razor`
+- Modify: `src/GmRelay.Web/Components/App.razor`
+- Modify: `src/GmRelay.Web/wwwroot/app.css`
+- Test: `tests/GmRelay.Bot.Tests/Web/MiniAppDashboardTests.cs`
+
+- [ ] Write failing tests that assert `/miniapp`, `telegram-web-app.js`, `authenticateTelegramMiniApp`, and Mini App CSS hooks exist.
+- [ ] Run `dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --filter MiniAppDashboardTests`.
+- [ ] Implement `/miniapp` to post `Telegram.WebApp.initData` to `/auth/telegram-webapp`, expand/ready the Mini App, and show fallback login when opened outside Telegram.
+- [ ] Add CSS for a mobile-first Mini App shell and compact dashboard spacing.
+- [ ] Re-run the filtered tests.
+
+### Task 3: Bot Entry Points
+
+**Files:**
+- Create: `src/GmRelay.Bot/Infrastructure/Telegram/TelegramMiniAppMenuButtonService.cs`
+- Modify: `src/GmRelay.Bot/Infrastructure/Telegram/UpdateRouter.cs`
+- Modify: `src/GmRelay.Bot/Program.cs`
+- Test: `tests/GmRelay.Bot.Tests/Infrastructure/Telegram/TelegramMiniAppEntryPointTests.cs`
+
+- [ ] Write failing tests that assert `/start` exposes a WebApp button and startup registers the menu button service.
+- [ ] Run `dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --filter TelegramMiniAppEntryPointTests`.
+- [ ] Add a configurable `Telegram:MiniAppUrl` entry point; when missing, keep existing command behavior.
+- [ ] Add hosted service that calls `SetChatMenuButton` with `MenuButtonWebApp` only when the URL is configured.
+- [ ] Re-run the filtered tests.
+
+### Task 4: Docs, Versions, and Release Prep
+
+**Files:**
+- Modify: `Directory.Build.props`
+- Modify: `compose.yaml`
+- Modify: `.gitea/workflows/deploy.yml`
+- Modify: `src/GmRelay.Web/wwwroot/app.css`
+- Modify: `src/GmRelay.Web/Components/Layout/NavMenu.razor`
+- Modify: `README.md`
+- Wiki: `Home`, `Быстрый старт`, `Руководство ГМа`, `Развёртывание`, `Архитектура`, `Разработка`
+
+- [ ] Update project/container/workflow/UI versions to `1.9.0`.
+- [ ] Document `TELEGRAM_MINI_APP_URL`, BotFather `/setmenubutton`, `/miniapp`, and WebApp auth.
+- [ ] Run `dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --collect:"XPlat Code Coverage"`.
+- [ ] Run `dotnet build GM-Relay.slnx -c Release`.
+- [ ] Commit, push, close issue #17, update wiki, create tag/release `v1.9.0`.
@@ -0,0 +1,44 @@
+# Telegram Mini App Dashboard Design
+
+## Goal
+
+Issue #17 adds a Telegram Mini App dashboard as the mobile entry point for the existing Web Dashboard. Owner and co-GM users must be able to open the dashboard from Telegram, pass server-side Telegram WebApp `initData` validation, and manage only their own groups.
+
+## Scope
+
+- Add Mini App authentication using Telegram WebApp `initData`.
+- Add a `/miniapp` entry page that signs the user into the existing cookie auth flow, then opens the regular dashboard UI in mobile-first mode.
+- Reuse `AuthorizedSessionService`, `SessionService`, and existing Blazor pages for groups, sessions, templates, waitlist promotion, edit forms, and bulk batch operations.
+- Add bot entry points: a Mini App button in `/start` and a configurable default menu button when `Telegram:MiniAppUrl` is set.
+- Update README, wiki, deployment config, and visible version strings to `1.9.0`.
+
+## Architecture
+
+The Mini App is not a second dashboard implementation. It is a Telegram-authenticated entrance into the existing Blazor dashboard. This keeps authorization, domain operations, Telegram message synchronization, and Web Dashboard behavior in one place.
+
+`TelegramAuthService` gains a second verification method for WebApp `initData`. The server accepts the raw URL-encoded init payload at `/auth/telegram-webapp`, verifies the Telegram HMAC with the bot token, extracts the user id/name from the embedded `user` JSON, and issues the same auth cookie as the login widget endpoint.
+
+`/miniapp` loads `telegram-web-app.js`, posts `window.Telegram.WebApp.initData` to the server endpoint, expands the WebApp viewport, and redirects to `/`. If a user opens `/miniapp` outside Telegram, the page shows the regular login fallback.
+
+## Data Flow
+
+1. User opens the Mini App from the bot menu button or `/start` inline button.
+2. Telegram injects `initData` into the WebApp JavaScript API.
+3. `/miniapp` posts `{ initData }` to `/auth/telegram-webapp`.
+4. The server verifies the WebApp signature and expiry.
+5. The server creates the same claims used by Telegram Login Widget.
+6. Existing Blazor pages load groups through `AuthorizedSessionService`.
+7. Any edit, waitlist, template, or batch action still goes through existing services and keeps Telegram messages synchronized.
+
+## Error Handling
+
+- Missing or invalid init data returns `401` and leaves the user on the Mini App page.
+- Expired auth data is rejected with the same 24-hour window used by the Login Widget.
+- A verified Telegram user with no owner/co-GM groups sees the existing empty dashboard state.
+- Direct navigation to a foreign group/session still redirects to `/access-denied` through existing authorization checks.
+
+## Testing
+
+- Unit tests cover valid and invalid WebApp `initData`.
+- File-level regression tests ensure `/miniapp`, `/auth/telegram-webapp`, Telegram WebApp script loading, bot Mini App button, menu button setup, and mobile Mini App CSS hooks remain present.
+- Existing `AuthorizedSessionServiceTests` continue covering owner/co-GM access behavior.
@@ -0,0 +1,46 @@
+using Telegram.Bot;
+using Telegram.Bot.Types;
+
+namespace GmRelay.Bot.Infrastructure.Telegram;
+
+public sealed class TelegramMiniAppMenuButtonService(
+    ITelegramBotClient bot,
+    IConfiguration configuration,
+    ILogger<TelegramMiniAppMenuButtonService> logger) : IHostedService
+{
+    public async Task StartAsync(CancellationToken cancellationToken)
+    {
+        var miniAppUrl = configuration["Telegram:MiniAppUrl"];
+        if (string.IsNullOrWhiteSpace(miniAppUrl))
+        {
+            logger.LogInformation("Telegram Mini App URL is not configured; menu button setup skipped.");
+            return;
+        }
+
+        if (!Uri.TryCreate(miniAppUrl, UriKind.Absolute, out var uri) ||
+            (uri.Scheme != Uri.UriSchemeHttps && !uri.IsLoopback))
+        {
+            logger.LogWarning("Telegram Mini App URL {MiniAppUrl} is not a valid HTTPS URL.", miniAppUrl);
+            return;
+        }
+
+        try
+        {
+            await bot.SetChatMenuButton(
+                menuButton: new MenuButtonWebApp
+                {
+                    Text = "Dashboard",
+                    WebApp = new WebAppInfo(miniAppUrl)
+                },
+                cancellationToken: cancellationToken);
+
+            logger.LogInformation("Telegram Mini App menu button configured for {MiniAppUrl}.", miniAppUrl);
+        }
+        catch (Exception ex)
+        {
+            logger.LogWarning(ex, "Failed to configure Telegram Mini App menu button.");
+        }
+    }
+
+    public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
+}
@@ -9,6 +9,7 @@ using GmRelay.Bot.Features.Sessions.RescheduleSession;
 using Telegram.Bot;
 using Telegram.Bot.Types;
 using Telegram.Bot.Types.Enums;
+using Telegram.Bot.Types.ReplyMarkups;

 namespace GmRelay.Bot.Infrastructure.Telegram;

@@ -30,6 +31,7 @@ public sealed class UpdateRouter(
    HandleRescheduleTimeInputHandler rescheduleTimeInputHandler,
    HandleRescheduleVoteHandler rescheduleVoteHandler,
    ITelegramBotClient bot,
+    IConfiguration configuration,
    ILogger<UpdateRouter> logger) : ITelegramUpdateHandler
 {
    public async Task RouteAsync(Update update, CancellationToken ct)
@@ -188,10 +190,7 @@ public sealed class UpdateRouter(
        switch (command)
        {
            case "/start":
-                await bot.SendMessage(
-                    chatId: message.Chat.Id,
-                    text: "GM-Relay Bot ready. Use /help for commands.",
-                    cancellationToken: ct);
+                await SendStartMessageAsync(message, ct);
                break;

            case "/newsession":
@@ -236,4 +235,24 @@ public sealed class UpdateRouter(
                break;
        }
    }
+
+    private async Task SendStartMessageAsync(Message message, CancellationToken ct)
+    {
+        var miniAppUrl = configuration["Telegram:MiniAppUrl"];
+        if (string.IsNullOrWhiteSpace(miniAppUrl))
+        {
+            await bot.SendMessage(
+                chatId: message.Chat.Id,
+                text: "GM-Relay Bot ready. Use /help for commands.",
+                cancellationToken: ct);
+            return;
+        }
+
+        await bot.SendMessage(
+            chatId: message.Chat.Id,
+            text: "GM-Relay Bot ready. Откройте dashboard внутри Telegram или используйте /help для команд.",
+            replyMarkup: new InlineKeyboardMarkup(
+                InlineKeyboardButton.WithWebApp("Открыть dashboard", new WebAppInfo(miniAppUrl))),
+            cancellationToken: ct);
+    }
 }
@@ -71,6 +71,7 @@ builder.Services.AddSingleton<HandleRescheduleVoteHandler>();
 // ── Telegram infrastructure ──────────────────────────────────────────
 builder.Services.AddSingleton<UpdateRouter>();
 builder.Services.AddSingleton<ITelegramUpdateHandler>(sp => sp.GetRequiredService<UpdateRouter>());
+builder.Services.AddHostedService<TelegramMiniAppMenuButtonService>();
 builder.Services.AddHostedService<TelegramBotService>();

 // ── Session scheduler ────────────────────────────────────────────────
@@ -7,6 +7,7 @@
    }
  },
  "Telegram": {
-    "BotToken": ""
+    "BotToken": "",
+    "MiniAppUrl": ""
  }
 }
@@ -13,6 +13,7 @@
    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet" />
    <link rel="stylesheet" href="@Assets["app.css"]" />
    <link rel="stylesheet" href="@Assets["GmRelay.Web.styles.css"]" />
+    <script src="https://telegram.org/js/telegram-web-app.js"></script>
    <ImportMap />
    <link rel="icon" type="image/png" href="favicon.png" />
    <HeadOutlet @rendermode="InteractiveServer" />
@@ -23,19 +24,275 @@
    <ReconnectModal />
    <script src="@Assets["_framework/blazor.web.js"]"></script>
    <script>
+        window.waitForTelegramMiniApp = async function (timeoutMs) {
+            var deadline = Date.now() + (timeoutMs || 3000);
+
+            while (Date.now() <= deadline) {
+                if (window.Telegram && window.Telegram.WebApp) {
+                    return window.Telegram.WebApp;
+                }
+
+                await new Promise(function (resolve) {
+                    setTimeout(resolve, 100);
+                });
+            }
+
+            return null;
+        };
+
+        window.waitForTelegramMiniAppInitData = async function (timeoutMs) {
+            var deadline = Date.now() + (timeoutMs || 3000);
+
+            while (Date.now() <= deadline) {
+                if (window.Telegram && window.Telegram.WebApp && window.Telegram.WebApp.initData) {
+                    return window.Telegram.WebApp;
+                }
+
+                await new Promise(function (resolve) {
+                    setTimeout(resolve, 100);
+                });
+            }
+
+            return null;
+        };
+
+        window.syncTelegramMiniAppViewport = function (webApp) {
+            if (!webApp) {
+                return;
+            }
+
+            var root = document.documentElement;
+            var safeArea = webApp.safeAreaInset || {};
+            var contentSafeArea = webApp.contentSafeAreaInset || {};
+            var setPx = function (name, value) {
+                root.style.setProperty(name, Math.max(0, Number(value) || 0) + 'px');
+            };
+
+            setPx('--gm-tg-safe-top', safeArea.top);
+            setPx('--gm-tg-safe-right', safeArea.right);
+            setPx('--gm-tg-safe-bottom', safeArea.bottom);
+            setPx('--gm-tg-safe-left', safeArea.left);
+            setPx('--gm-tg-content-safe-top', contentSafeArea.top);
+            setPx('--gm-tg-content-safe-right', contentSafeArea.right);
+            setPx('--gm-tg-content-safe-bottom', contentSafeArea.bottom);
+            setPx('--gm-tg-content-safe-left', contentSafeArea.left);
+
+            if (webApp.viewportHeight) {
+                root.style.setProperty('--gm-tg-viewport-height', webApp.viewportHeight + 'px');
+            }
+        };
+
+        window.prepareTelegramMiniApp = function (webApp) {
+            if (!webApp) {
+                return;
+            }
+
+            document.body.classList.add('telegram-mini-app');
+            window.syncTelegramMiniAppViewport(webApp);
+
+            try {
+                webApp.ready();
+            } catch (error) {
+            }
+
+            try {
+                webApp.expand();
+            } catch (error) {
+            }
+
+            if (webApp.onEvent && !window.gmRelayTelegramMiniAppViewportEventsRegistered) {
+                window.gmRelayTelegramMiniAppViewportEventsRegistered = true;
+                webApp.onEvent('safeAreaChanged', function () {
+                    window.syncTelegramMiniAppViewport(webApp);
+                });
+                webApp.onEvent('contentSafeAreaChanged', function () {
+                    window.syncTelegramMiniAppViewport(webApp);
+                });
+                webApp.onEvent('viewportChanged', function () {
+                    window.syncTelegramMiniAppViewport(webApp);
+                });
+            }
+        };
+
+        (async function () {
+            var webApp = await window.waitForTelegramMiniApp(1000);
+            window.prepareTelegramMiniApp(webApp);
+        })();
+
        window.loadTelegramWidget = function (botUsername, authUrl) {
            var container = document.getElementById('telegram-login-container');
            if (!container) return;
            container.innerHTML = '';
+            window.gmRelayTelegramLoginAuthUrl = authUrl || '/auth/telegram-login';
            var script = document.createElement('script');
            script.async = true;
            script.src = 'https://telegram.org/js/telegram-widget.js?22';
            script.setAttribute('data-telegram-login', botUsername);
            script.setAttribute('data-size', 'large');
-            script.setAttribute('data-auth-url', authUrl);
+            script.setAttribute('data-onauth', 'window.handleTelegramLogin(user)');
            script.setAttribute('data-request-access', 'write');
            container.appendChild(script);
        };
+
+        window.handleTelegramLogin = async function (user) {
+            if (!user) {
+                window.location.href = '/login?error=auth_failed';
+                return;
+            }
+
+            try {
+                var response = await fetch(window.gmRelayTelegramLoginAuthUrl || '/auth/telegram-login', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    credentials: 'same-origin',
+                    cache: 'no-store',
+                    body: JSON.stringify(user)
+                });
+
+                if (!response.ok) {
+                    window.location.href = '/login?error=auth_failed';
+                    return;
+                }
+
+                var payload = await response.json();
+                window.location.href = payload.redirectUrl || '/';
+            } catch (error) {
+                window.location.href = '/login?error=auth_failed';
+            }
+        };
+
+        window.watchTelegramMiniAppLogin = function (statusUrl, redirectUrl, reloadOnReturn) {
+            window.gmRelayMiniAppLoginReloadOnReturn =
+                window.gmRelayMiniAppLoginReloadOnReturn || reloadOnReturn === true;
+
+            if (window.gmRelayMiniAppLoginWatcher) {
+                return;
+            }
+
+            window.gmRelayMiniAppLoginLeftPage = false;
+
+            var stopWatching = function () {
+                if (window.gmRelayMiniAppLoginWatcher) {
+                    window.clearInterval(window.gmRelayMiniAppLoginWatcher);
+                    window.gmRelayMiniAppLoginWatcher = null;
+                }
+            };
+
+            var reloadAfterExternalLogin = function () {
+                if (!window.gmRelayMiniAppLoginReloadOnReturn || !window.gmRelayMiniAppLoginLeftPage) {
+                    return;
+                }
+
+                window.gmRelayMiniAppLoginLeftPage = false;
+
+                try {
+                    var refreshKey = 'gmrelay-miniapp-login-refresh:' + window.location.pathname;
+                    if (window.sessionStorage && window.sessionStorage.getItem(refreshKey) === '1') {
+                        return;
+                    }
+
+                    if (window.sessionStorage) {
+                        window.sessionStorage.setItem(refreshKey, '1');
+                    }
+                } catch (error) {
+                }
+
+                window.location.reload();
+            };
+
+            var allowNextExternalLoginReload = function () {
+                window.gmRelayMiniAppLoginLeftPage = true;
+
+                try {
+                    var refreshKey = 'gmrelay-miniapp-login-refresh:' + window.location.pathname;
+                    if (window.sessionStorage) {
+                        window.sessionStorage.removeItem(refreshKey);
+                    }
+                } catch (error) {
+                }
+            };
+
+            var checkLogin = async function (reloadWhenUnauthenticated) {
+                try {
+                    var response = await fetch(statusUrl, {
+                        credentials: 'same-origin',
+                        cache: 'no-store'
+                    });
+
+                    if (!response.ok) {
+                        return;
+                    }
+
+                    var payload = await response.json();
+                    if (payload.authenticated) {
+                        stopWatching();
+                        window.location.href = redirectUrl || '/';
+                        return;
+                    }
+
+                    if (reloadWhenUnauthenticated) {
+                        reloadAfterExternalLogin();
+                    }
+                } catch (error) {
+                    return;
+                }
+            };
+
+            window.gmRelayMiniAppLoginWatcher = window.setInterval(checkLogin, 1000);
+            window.addEventListener('blur', function () {
+                allowNextExternalLoginReload();
+            });
+            window.addEventListener('focus', function () {
+                void checkLogin(true);
+            });
+            document.addEventListener('visibilitychange', function () {
+                if (document.hidden) {
+                    allowNextExternalLoginReload();
+                    return;
+                }
+
+                void checkLogin(true);
+            });
+
+            void checkLogin(false);
+        };
+
+        window.authenticateTelegramMiniApp = async function (authUrl, redirectUrl) {
+            var webApp = await window.waitForTelegramMiniApp(3000);
+            if (!webApp) {
+                return { authenticated: false, reason: 'telegram-webapp-missing' };
+            }
+
+            window.prepareTelegramMiniApp(webApp);
+
+            if (!webApp.initData) {
+                return { authenticated: false, reason: 'telegram-init-data-empty' };
+            }
+
+            try {
+                var response = await fetch(authUrl, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    credentials: 'same-origin',
+                    cache: 'no-store',
+                    body: JSON.stringify({ initData: webApp.initData })
+                });
+
+                if (!response.ok) {
+                    return {
+                        authenticated: false,
+                        reason: 'telegram-auth-failed',
+                        status: response.status
+                    };
+                }
+
+                var payload = await response.json();
+                window.location.href = payload.redirectUrl || redirectUrl || '/';
+                return { authenticated: true, redirectUrl: payload.redirectUrl || redirectUrl || '/' };
+            } catch (error) {
+                return { authenticated: false, reason: 'telegram-auth-failed' };
+            }
+        };
    </script>
 </body>

@@ -60,12 +60,17 @@
 /* === Mobile Responsive === */
@media (max-width: 768px) {
    .sidebar {
-        transform: translateX(-100%);
-        width: 280px;
+        transform: none;
+        width: 100%;
+        height: auto;
+        min-height: 0;
+        position: sticky;
+        border-right: none;
+        border-bottom: 1px solid var(--border-color);
    }

-    .sidebar.open {
-        transform: translateX(0);
+    .page {
+        display: block;
    }

    .main-area {
@@ -56,7 +56,7 @@
                    </button>
                </form>

-                <div class="nav-version">v1.8.1</div>
+                <div class="nav-version">v1.9.4</div>
            </div>
        </Authorized>
        <NotAuthorized>
@@ -56,13 +56,17 @@
 .nav-section {
    padding: 0 0.75rem;
    flex: 1;
+    display: flex;
+    flex-direction: column;
+    gap: 0.25rem;
 }

 /* === Nav Items === */
-.nav-item {
+.nav-section ::deep .nav-item {
    display: flex;
    align-items: center;
    gap: 0.75rem;
+    width: 100%;
    padding: 0.625rem 0.875rem;
    border-radius: var(--radius-sm);
    color: var(--text-secondary);
@@ -70,16 +74,16 @@
    font-size: 0.875rem;
    font-weight: 500;
    transition: all var(--transition-normal);
-    margin-bottom: 0.125rem;
+    white-space: nowrap;
+    box-sizing: border-box;
 }

-.nav-item:hover {
+.nav-section ::deep .nav-item:hover {
    background: rgba(255, 255, 255, 0.06);
    color: var(--text-primary);
 }

-.nav-item.active,
-.nav-item ::deep a.active {
+.nav-section ::deep .nav-item.active {
    background: rgba(124, 58, 237, 0.15);
    color: var(--accent-primary);
    border: 1px solid rgba(124, 58, 237, 0.2);
@@ -25,7 +25,6 @@

@code {
    private string BotUsername => Configuration["Telegram:BotUsername"] ?? "GmRelayBot";
-    private string AuthUrl => Navigation.ToAbsoluteUri("/auth/telegram").ToString();

    [CascadingParameter]
    private Task<AuthenticationState>? AuthStateTask { get; set; }
@@ -46,7 +45,8 @@
    {
        if (firstRender)
        {
-            await JS.InvokeVoidAsync("loadTelegramWidget", BotUsername, AuthUrl);
+            await JS.InvokeVoidAsync("loadTelegramWidget", BotUsername, "/auth/telegram-login");
+            await JS.InvokeVoidAsync("watchTelegramMiniAppLogin", "/auth/status", "/", false);
        }
    }
 }
@@ -0,0 +1,103 @@
+@page "/miniapp"
+@using Microsoft.AspNetCore.Components.Authorization
+@using System.Text.Json.Serialization
+@inject IJSRuntime JS
+@inject NavigationManager Navigation
+
+<PageTitle>Mini App Dashboard — GM-Relay</PageTitle>
+
+<div class="mini-app-page">
+    <div class="mini-app-auth-card" data-auth-status="@miniAppAuthStatus">
+        <div class="mini-app-logo">🎲</div>
+        <h1>GM-Relay</h1>
+        <p>@statusMessage</p>
+
+        @if (showFallback)
+        {
+            <a href="/login" class="btn-gm btn-gm-primary">Войти через Telegram</a>
+        }
+    </div>
+</div>
+
+@code {
+    private string statusMessage = "Открываем dashboard внутри Telegram...";
+    private string miniAppAuthStatus = "starting";
+    private bool showFallback;
+
+    [CascadingParameter]
+    private Task<AuthenticationState>? AuthStateTask { get; set; }
+
+    protected override async Task OnInitializedAsync()
+    {
+        if (AuthStateTask is null)
+        {
+            return;
+        }
+
+        var user = (await AuthStateTask).User;
+        if (user.Identity?.IsAuthenticated == true)
+        {
+            Navigation.NavigateTo("/");
+        }
+    }
+
+    protected override async Task OnAfterRenderAsync(bool firstRender)
+    {
+        if (!firstRender)
+        {
+            return;
+        }
+
+        try
+        {
+            var result = await JS.InvokeAsync<MiniAppAuthResult>(
+                "authenticateTelegramMiniApp",
+                "/auth/telegram-webapp",
+                "/");
+
+            if (!result.Authenticated)
+            {
+                miniAppAuthStatus = string.IsNullOrWhiteSpace(result.Reason)
+                    ? "telegram-auth-failed"
+                    : result.Reason;
+                statusMessage = GetStatusMessage(miniAppAuthStatus);
+                showFallback = true;
+                StateHasChanged();
+                await TryWatchLoginAsync();
+            }
+        }
+        catch (JSException)
+        {
+            miniAppAuthStatus = "telegram-auth-failed";
+            statusMessage = "Не удалось получить данные Telegram Mini App. Попробуйте открыть dashboard из бота.";
+            showFallback = true;
+            StateHasChanged();
+            await TryWatchLoginAsync();
+        }
+    }
+
+    private async Task TryWatchLoginAsync()
+    {
+        try
+        {
+            await JS.InvokeVoidAsync("watchTelegramMiniAppLogin", "/auth/status", "/");
+        }
+        catch (JSException)
+        {
+        }
+    }
+
+    private static string GetStatusMessage(string reason) => reason switch
+    {
+        "telegram-webapp-missing" => "Mini App API не найден. Если страница открыта в браузере, войдите через Telegram.",
+        "telegram-init-data-empty" => "Telegram открыл страницу без Mini App initData. Попробуйте войти через Telegram на этом экране.",
+        "telegram-auth-failed" => "Не удалось проверить Telegram Mini App. Попробуйте войти через Telegram.",
+        _ => "Mini App доступен из Telegram. Для браузера используйте обычный вход."
+    };
+
+    private sealed record MiniAppAuthResult(
+        [property: JsonPropertyName("authenticated")] bool Authenticated,
+        [property: JsonPropertyName("reason")] string? Reason,
+        [property: JsonPropertyName("status")] int? Status,
+        [property: JsonPropertyName("redirectUrl")] string? RedirectUrl);
+}
@@ -87,23 +87,58 @@ app.MapGet("/auth/telegram", async (HttpContext context, TelegramAuthService aut
 {
    if (authService.Verify(context.Request.Query, out var telegramId, out var name))
    {
-        var claims = new List<Claim>
-        {
-            new Claim(ClaimTypes.NameIdentifier, telegramId.ToString()),
-            new Claim(ClaimTypes.Name, name),
-            new Claim("TelegramId", telegramId.ToString())
-        };
-
-        var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        var authProperties = new AuthenticationProperties { IsPersistent = true };
-
-        await context.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity), authProperties);
+        await context.SignInAsync(
+            CookieAuthenticationDefaults.AuthenticationScheme,
+            CreateTelegramPrincipal(telegramId, name),
+            authProperties);
        return Results.Redirect("/");
    }

    return Results.Redirect("/login?error=auth_failed");
 });

+app.MapPost("/auth/telegram-webapp", async (
+    HttpContext context,
+    TelegramAuthService authService,
+    TelegramWebAppAuthRequest request) =>
+{
+    if (!authService.VerifyWebAppInitData(request.InitData, out var telegramId, out var name))
+    {
+        return Results.Unauthorized();
+    }
+
+    var authProperties = new AuthenticationProperties { IsPersistent = true };
+    await context.SignInAsync(
+        CookieAuthenticationDefaults.AuthenticationScheme,
+        CreateTelegramPrincipal(telegramId, name),
+        authProperties);
+
+    return Results.Ok(new { redirectUrl = "/" });
+}).DisableAntiforgery();
+
+app.MapPost("/auth/telegram-login", async (
+    HttpContext context,
+    TelegramAuthService authService,
+    TelegramLoginPayload request) =>
+{
+    if (!authService.VerifyLoginPayload(request, out var telegramId, out var name))
+    {
+        return Results.Unauthorized();
+    }
+
+    var authProperties = new AuthenticationProperties { IsPersistent = true };
+    await context.SignInAsync(
+        CookieAuthenticationDefaults.AuthenticationScheme,
+        CreateTelegramPrincipal(telegramId, name),
+        authProperties);
+
+    return Results.Ok(new { redirectUrl = "/" });
+}).DisableAntiforgery();
+
+app.MapGet("/auth/status", (HttpContext context) =>
+    Results.Ok(new { authenticated = context.User.Identity?.IsAuthenticated == true }));
+
 app.MapPost("/auth/logout", async (HttpContext context) =>
 {
    await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
@@ -111,3 +146,18 @@ app.MapPost("/auth/logout", async (HttpContext context) =>
 });

 app.Run();
+
+static ClaimsPrincipal CreateTelegramPrincipal(long telegramId, string name)
+{
+    var claims = new List<Claim>
+    {
+        new(ClaimTypes.NameIdentifier, telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture)),
+        new(ClaimTypes.Name, name),
+        new("TelegramId", telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture))
+    };
+
+    var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+    return new ClaimsPrincipal(claimsIdentity);
+}
+
+public sealed record TelegramWebAppAuthRequest(string InitData);
@@ -1,5 +1,8 @@
 using System.Security.Cryptography;
 using System.Text;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Microsoft.AspNetCore.WebUtilities;

 namespace GmRelay.Web.Services;

@@ -55,4 +58,170 @@ public sealed class TelegramAuthService(IConfiguration configuration)

        return false;
    }
+
+    public bool VerifyWebAppInitData(string initData, out long telegramId, out string name)
+    {
+        telegramId = 0;
+        name = string.Empty;
+
+        if (string.IsNullOrWhiteSpace(initData))
+            return false;
+
+        var token = configuration["Telegram__BotToken"] ?? configuration["Telegram:BotToken"];
+        if (string.IsNullOrEmpty(token))
+            return false;
+
+        var values = QueryHelpers.ParseQuery(initData);
+        if (!values.TryGetValue("hash", out var hash) || string.IsNullOrWhiteSpace(hash))
+            return false;
+
+        var dataCheckString = string.Join(
+            "\n",
+            values
+                .Where(pair => pair.Key != "hash")
+                .OrderBy(pair => pair.Key, StringComparer.Ordinal)
+                .Select(pair => $"{pair.Key}={pair.Value}"));
+
+        var secretKey = HMACSHA256.HashData(Encoding.UTF8.GetBytes("WebAppData"), Encoding.UTF8.GetBytes(token));
+        var computedHashBytes = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataCheckString));
+
+        byte[] hashBytes;
+        try
+        {
+            hashBytes = Convert.FromHexString(hash.ToString());
+        }
+        catch (FormatException)
+        {
+            return false;
+        }
+
+        if (!CryptographicOperations.FixedTimeEquals(computedHashBytes, hashBytes))
+            return false;
+
+        if (!values.TryGetValue("auth_date", out var authDateStr) ||
+            !long.TryParse(authDateStr, out var authDate))
+        {
+            return false;
+        }
+
+        var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
+        if (now - authDate > 86400)
+            return false;
+
+        if (!values.TryGetValue("user", out var userJson) || string.IsNullOrWhiteSpace(userJson))
+            return false;
+
+        return TryReadWebAppUser(userJson.ToString(), out telegramId, out name);
+    }
+
+    public bool VerifyLoginPayload(TelegramLoginPayload payload, out long telegramId, out string name)
+    {
+        telegramId = 0;
+        name = string.Empty;
+
+        if (payload.Id <= 0 ||
+            string.IsNullOrWhiteSpace(payload.FirstName) ||
+            payload.AuthDate <= 0 ||
+            string.IsNullOrWhiteSpace(payload.Hash))
+        {
+            return false;
+        }
+
+        var token = configuration["Telegram__BotToken"] ?? configuration["Telegram:BotToken"];
+        if (string.IsNullOrEmpty(token))
+            return false;
+
+        var values = new SortedDictionary<string, string>(StringComparer.Ordinal)
+        {
+            ["auth_date"] = payload.AuthDate.ToString(System.Globalization.CultureInfo.InvariantCulture),
+            ["first_name"] = payload.FirstName,
+            ["id"] = payload.Id.ToString(System.Globalization.CultureInfo.InvariantCulture)
+        };
+
+        if (!string.IsNullOrWhiteSpace(payload.LastName))
+            values["last_name"] = payload.LastName;
+        if (!string.IsNullOrWhiteSpace(payload.PhotoUrl))
+            values["photo_url"] = payload.PhotoUrl;
+        if (!string.IsNullOrWhiteSpace(payload.Username))
+            values["username"] = payload.Username;
+
+        var dataCheckString = string.Join("\n", values.Select(pair => $"{pair.Key}={pair.Value}"));
+        var secretKey = SHA256.HashData(Encoding.UTF8.GetBytes(token));
+        var computedHashBytes = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataCheckString));
+
+        byte[] hashBytes;
+        try
+        {
+            hashBytes = Convert.FromHexString(payload.Hash);
+        }
+        catch (FormatException)
+        {
+            return false;
+        }
+        catch (ArgumentException)
+        {
+            return false;
+        }
+
+        if (!CryptographicOperations.FixedTimeEquals(computedHashBytes, hashBytes))
+            return false;
+
+        var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
+        if (now - payload.AuthDate > 86400)
+            return false;
+
+        telegramId = payload.Id;
+        name = string.IsNullOrWhiteSpace(payload.LastName)
+            ? payload.FirstName
+            : $"{payload.FirstName} {payload.LastName}";
+        return true;
+    }
+
+    private static bool TryReadWebAppUser(string userJson, out long telegramId, out string name)
+    {
+        telegramId = 0;
+        name = string.Empty;
+
+        try
+        {
+            using var document = JsonDocument.Parse(userJson);
+            var root = document.RootElement;
+
+            if (!root.TryGetProperty("id", out var idElement) || !idElement.TryGetInt64(out telegramId))
+                return false;
+
+            var firstName = root.TryGetProperty("first_name", out var firstNameElement)
+                ? firstNameElement.GetString() ?? string.Empty
+                : string.Empty;
+            var lastName = root.TryGetProperty("last_name", out var lastNameElement)
+                ? lastNameElement.GetString() ?? string.Empty
+                : string.Empty;
+            var username = root.TryGetProperty("username", out var usernameElement)
+                ? usernameElement.GetString()
+                : null;
+
+            name = (firstName, lastName) switch
+            {
+                ({ Length: > 0 }, { Length: > 0 }) => $"{firstName} {lastName}",
+                ({ Length: > 0 }, _) => firstName,
+                _ when !string.IsNullOrWhiteSpace(username) => "@" + username,
+                _ => $"Telegram {telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture)}"
+            };
+
+            return true;
+        }
+        catch (JsonException)
+        {
+            return false;
+        }
+    }
 }
+
+public sealed record TelegramLoginPayload(
+    [property: JsonPropertyName("id")] long Id,
+    [property: JsonPropertyName("first_name")] string FirstName,
+    [property: JsonPropertyName("last_name")] string? LastName,
+    [property: JsonPropertyName("username")] string? Username,
+    [property: JsonPropertyName("photo_url")] string? PhotoUrl,
+    [property: JsonPropertyName("auth_date")] long AuthDate,
+    [property: JsonPropertyName("hash")] string Hash);
@@ -1,5 +1,5 @@
 /* ============================================
-   GM-Relay Design System v1.8.1
+   GM-Relay Design System v1.9.4
   Dark RPG Dashboard Theme
   ============================================ */

@@ -69,6 +69,21 @@

    /* Sidebar */
    --sidebar-width: 260px;
+
+    /* Telegram Mini App safe areas */
+    --gm-tg-safe-top: var(--tg-safe-area-inset-top, env(safe-area-inset-top, 0px));
+    --gm-tg-safe-right: var(--tg-safe-area-inset-right, env(safe-area-inset-right, 0px));
+    --gm-tg-safe-bottom: var(--tg-safe-area-inset-bottom, env(safe-area-inset-bottom, 0px));
+    --gm-tg-safe-left: var(--tg-safe-area-inset-left, env(safe-area-inset-left, 0px));
+    --gm-tg-content-safe-top: var(--tg-content-safe-area-inset-top, 0px);
+    --gm-tg-content-safe-right: var(--tg-content-safe-area-inset-right, 0px);
+    --gm-tg-content-safe-bottom: var(--tg-content-safe-area-inset-bottom, 0px);
+    --gm-tg-content-safe-left: var(--tg-content-safe-area-inset-left, 0px);
+    --gm-mini-app-top-inset: calc(var(--gm-tg-safe-top, 0px) + var(--gm-tg-content-safe-top, 0px));
+    --gm-mini-app-bottom-inset: calc(var(--gm-tg-safe-bottom, 0px) + var(--gm-tg-content-safe-bottom, 0px));
+    --gm-mini-app-left-inset: calc(var(--gm-tg-safe-left, 0px) + var(--gm-tg-content-safe-left, 0px));
+    --gm-mini-app-right-inset: calc(var(--gm-tg-safe-right, 0px) + var(--gm-tg-content-safe-right, 0px));
+    --gm-tg-viewport-height: 100dvh;
 }

 /* === Reset & Base === */
@@ -842,6 +857,62 @@ select option {
    margin-bottom: 2rem;
 }

+/* === Telegram Mini App entry === */
+.mini-app-page {
+    min-height: 100vh;
+    min-height: var(--gm-tg-viewport-height, 100dvh);
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    padding: 1rem;
+    background: var(--bg-primary);
+}
+
+.mini-app-auth-card {
+    width: 100%;
+    max-width: 360px;
+    padding: 1.5rem;
+    border: 1px solid var(--glass-border);
+    border-radius: var(--radius-md);
+    background: var(--glass-bg);
+    text-align: center;
+}
+
+.mini-app-logo {
+    font-size: 2.25rem;
+    margin-bottom: 0.75rem;
+}
+
+.mini-app-auth-card h1 {
+    font-size: 1.375rem;
+    margin-bottom: 0.5rem;
+}
+
+.mini-app-auth-card p {
+    color: var(--text-secondary);
+    font-size: 0.875rem;
+    margin-bottom: 1.25rem;
+}
+
+.telegram-mini-app .page-container {
+    max-width: 720px;
+}
+
+body.telegram-mini-app {
+    min-height: var(--gm-tg-viewport-height, 100dvh);
+}
+
+body.telegram-mini-app .mini-app-page {
+    padding-top: calc(1rem + var(--gm-mini-app-top-inset, 0px));
+    padding-right: calc(1rem + var(--gm-mini-app-right-inset, 0px));
+    padding-bottom: calc(1rem + var(--gm-mini-app-bottom-inset, 0px));
+    padding-left: calc(1rem + var(--gm-mini-app-left-inset, 0px));
+}
+
+body.telegram-mini-app .content {
+    padding-bottom: calc(1.5rem + var(--gm-mini-app-bottom-inset, 0px));
+}
+
 /* === Mobile Sessions Cards (instead of table) === */
 .session-card-mobile {
    display: none;
@@ -928,6 +999,26 @@ select option {
        padding: 1rem;
    }

+    .telegram-mini-app .content {
+        padding: 0.75rem;
+        padding-bottom: calc(0.75rem + var(--gm-mini-app-bottom-inset, 0px));
+    }
+
+    .telegram-mini-app .page-container {
+        padding: 0.75rem;
+    }
+
+    body.telegram-mini-app .nav-header {
+        padding-top: calc(1.25rem + var(--gm-mini-app-top-inset, 0px));
+        padding-left: calc(1rem + var(--gm-mini-app-left-inset, 0px));
+        padding-right: calc(0.75rem + var(--gm-mini-app-right-inset, 0px));
+    }
+
+    body.telegram-mini-app .nav-toggle {
+        top: calc(0.75rem + var(--gm-mini-app-top-inset, 0px));
+        left: calc(0.75rem + var(--gm-mini-app-left-inset, 0px));
+    }
+
    h2 {
        font-size: 1.25rem;
    }
@@ -0,0 +1,50 @@
+namespace GmRelay.Bot.Tests.Infrastructure.Telegram;
+
+public sealed class TelegramMiniAppEntryPointTests
+{
+    [Fact]
+    public async Task UpdateRouter_ShouldExposeMiniAppButtonInStartCommand()
+    {
+        var updateRouter = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Bot/Infrastructure/Telegram/UpdateRouter.cs"));
+
+        Assert.Contains("Telegram:MiniAppUrl", updateRouter, StringComparison.Ordinal);
+        Assert.Contains("InlineKeyboardButton.WithWebApp", updateRouter, StringComparison.Ordinal);
+        Assert.Contains("Открыть dashboard", updateRouter, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public async Task BotStartup_ShouldRegisterMiniAppMenuButtonService()
+    {
+        var program = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Bot/Program.cs"));
+
+        Assert.Contains("TelegramMiniAppMenuButtonService", program, StringComparison.Ordinal);
+        Assert.Contains("AddHostedService<TelegramMiniAppMenuButtonService>", program, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public async Task MiniAppMenuButtonService_ShouldSetTelegramWebAppMenuButtonWhenConfigured()
+    {
+        var service = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Bot/Infrastructure/Telegram/TelegramMiniAppMenuButtonService.cs"));
+
+        Assert.Contains("SetChatMenuButton", service, StringComparison.Ordinal);
+        Assert.Contains("MenuButtonWebApp", service, StringComparison.Ordinal);
+        Assert.Contains("Telegram:MiniAppUrl", service, StringComparison.Ordinal);
+    }
+
+    private static string FindRepositoryFile(string relativePath)
+    {
+        var directory = new DirectoryInfo(AppContext.BaseDirectory);
+        while (directory is not null)
+        {
+            var candidate = Path.Combine(directory.FullName, relativePath);
+            if (File.Exists(candidate))
+            {
+                return candidate;
+            }
+
+            directory = directory.Parent;
+        }
+
+        throw new FileNotFoundException($"Could not locate repository file '{relativePath}'.");
+    }
+}
@@ -11,6 +11,20 @@ public sealed class CampaignTemplatesNavigationTests
        Assert.Contains("Шаблоны", navMenu, StringComparison.Ordinal);
    }

+    [Fact]
+    public async Task NavMenuStyles_ShouldStyleNavLinkAnchorsAsStackedRows()
+    {
+        var navCss = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Components/Layout/NavMenu.razor.css"));
+
+        Assert.Contains("::deep .nav-item", navCss, StringComparison.Ordinal);
+        Assert.Matches(
+            @"\.nav-section\s*\{[^}]*display:\s*flex;[^}]*flex-direction:\s*column;[^}]*gap:\s*0\.25rem;",
+            navCss);
+        Assert.Matches(
+            @"::deep\s+\.nav-item\s*\{[^}]*display:\s*flex;[^}]*width:\s*100%;",
+            navCss);
+    }
+
    [Fact]
    public async Task GroupDetails_ShouldApplyTemplatesWithoutManagingThem()
    {
@@ -0,0 +1,104 @@
+namespace GmRelay.Bot.Tests.Web;
+
+public sealed class MiniAppDashboardTests
+{
+    [Fact]
+    public async Task MiniAppPage_ShouldExposeTelegramWebAppDashboardEntryPoint()
+    {
+        var miniAppPage = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Components/Pages/MiniApp.razor"));
+
+        Assert.Contains("@page \"/miniapp\"", miniAppPage, StringComparison.Ordinal);
+        Assert.Contains("authenticateTelegramMiniApp", miniAppPage, StringComparison.Ordinal);
+        Assert.Contains("/auth/telegram-webapp", miniAppPage, StringComparison.Ordinal);
+        Assert.Contains("watchTelegramMiniAppLogin", miniAppPage, StringComparison.Ordinal);
+        Assert.Contains("/auth/status", miniAppPage, StringComparison.Ordinal);
+        Assert.Contains("miniAppAuthStatus", miniAppPage, StringComparison.Ordinal);
+        Assert.Contains("telegram-webapp-missing", miniAppPage, StringComparison.Ordinal);
+        Assert.Contains("telegram-init-data-empty", miniAppPage, StringComparison.Ordinal);
+        Assert.Contains("telegram-auth-failed", miniAppPage, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public async Task AppShell_ShouldLoadTelegramWebAppScriptAndAuthenticator()
+    {
+        var appShell = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Components/App.razor"));
+
+        Assert.Contains("telegram-web-app.js", appShell, StringComparison.Ordinal);
+        Assert.Contains("window.authenticateTelegramMiniApp", appShell, StringComparison.Ordinal);
+        Assert.Contains("Telegram.WebApp.initData", appShell, StringComparison.Ordinal);
+        Assert.Contains("window.waitForTelegramMiniAppInitData", appShell, StringComparison.Ordinal);
+        Assert.Contains("window.watchTelegramMiniAppLogin", appShell, StringComparison.Ordinal);
+        Assert.Contains("window.handleTelegramLogin", appShell, StringComparison.Ordinal);
+        Assert.Contains("/auth/telegram-login", appShell, StringComparison.Ordinal);
+        Assert.Contains("data-onauth", appShell, StringComparison.Ordinal);
+        Assert.DoesNotContain("data-auth-url", appShell, StringComparison.Ordinal);
+        Assert.Contains("setTimeout(resolve, 100)", appShell, StringComparison.Ordinal);
+        Assert.Contains("reloadOnReturn", appShell, StringComparison.Ordinal);
+        Assert.Contains("gmRelayMiniAppLoginLeftPage", appShell, StringComparison.Ordinal);
+        Assert.Contains("window.location.reload()", appShell, StringComparison.Ordinal);
+        Assert.Contains("syncTelegramMiniAppViewport", appShell, StringComparison.Ordinal);
+        Assert.Contains("safeAreaChanged", appShell, StringComparison.Ordinal);
+        Assert.Contains("contentSafeAreaChanged", appShell, StringComparison.Ordinal);
+        Assert.Contains("viewportChanged", appShell, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public async Task Program_ShouldMapTelegramWebAppAuthEndpoint()
+    {
+        var program = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Program.cs"));
+
+        Assert.Contains("MapPost(\"/auth/telegram-webapp\"", program, StringComparison.Ordinal);
+        Assert.Contains("MapPost(\"/auth/telegram-login\"", program, StringComparison.Ordinal);
+        Assert.Contains("VerifyWebAppInitData", program, StringComparison.Ordinal);
+        Assert.Contains("VerifyLoginPayload", program, StringComparison.Ordinal);
+        Assert.Contains("MapGet(\"/auth/status\"", program, StringComparison.Ordinal);
+        Assert.Contains("authenticated", program, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public async Task Styles_ShouldIncludeMiniAppMobileDashboardRules()
+    {
+        var css = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/wwwroot/app.css"));
+
+        Assert.Contains("mini-app-page", css, StringComparison.Ordinal);
+        Assert.Contains("mini-app-auth-card", css, StringComparison.Ordinal);
+        Assert.Contains("@media (max-width: 768px)", css, StringComparison.Ordinal);
+        Assert.Contains("--tg-safe-area-inset-top", css, StringComparison.Ordinal);
+        Assert.Contains("--tg-content-safe-area-inset-top", css, StringComparison.Ordinal);
+        Assert.Contains(".telegram-mini-app .nav-header", css, StringComparison.Ordinal);
+        Assert.Contains(".telegram-mini-app .nav-toggle", css, StringComparison.Ordinal);
+        Assert.Contains(".telegram-mini-app .mini-app-page", css, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public async Task LoginPage_ShouldAuthenticateMiniAppFallbackInsideCurrentWebView()
+    {
+        var loginPage = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Components/Pages/Login.razor"));
+
+        Assert.Contains(
+            "JS.InvokeVoidAsync(\"loadTelegramWidget\", BotUsername, \"/auth/telegram-login\")",
+            loginPage,
+            StringComparison.Ordinal);
+        Assert.Contains(
+            "JS.InvokeVoidAsync(\"watchTelegramMiniAppLogin\", \"/auth/status\", \"/\", false)",
+            loginPage,
+            StringComparison.Ordinal);
+    }
+
+    private static string FindRepositoryFile(string relativePath)
+    {
+        var directory = new DirectoryInfo(AppContext.BaseDirectory);
+        while (directory is not null)
+        {
+            var candidate = Path.Combine(directory.FullName, relativePath);
+            if (File.Exists(candidate))
+            {
+                return candidate;
+            }
+
+            directory = directory.Parent;
+        }
+
+        throw new FileNotFoundException($"Could not locate repository file '{relativePath}'.");
+    }
+}
@@ -1,5 +1,6 @@
 using System.Security.Cryptography;
 using System.Text;
+using System.Text.Json;
 using GmRelay.Web.Services;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Configuration;
@@ -77,6 +78,183 @@ public sealed class TelegramAuthServiceTests
        Assert.False(verified);
    }

+    [Fact]
+    public void VerifyWebAppInitData_ShouldAcceptValidTelegramWebAppPayload()
+    {
+        const string botToken = "test-bot-token";
+        var initData = CreateWebAppInitData(
+            botToken,
+            new Dictionary<string, string>
+            {
+                ["auth_date"] = DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(),
+                ["query_id"] = "AAHdF6IQAAAAAN0XohDhrOrc",
+                ["user"] = """{"id":424242,"first_name":"Ada","last_name":"Lovelace","username":"ada"}"""
+            });
+        var service = new TelegramAuthService(CreateConfiguration(botToken));
+
+        var verified = service.VerifyWebAppInitData(initData, out var telegramId, out var name);
+
+        Assert.True(verified);
+        Assert.Equal(424242L, telegramId);
+        Assert.Equal("Ada Lovelace", name);
+    }
+
+    [Fact]
+    public void VerifyWebAppInitData_ShouldRejectTamperedHash()
+    {
+        const string botToken = "test-bot-token";
+        var initData = CreateWebAppInitData(
+            botToken,
+            new Dictionary<string, string>
+            {
+                ["auth_date"] = DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(),
+                ["user"] = """{"id":424242,"first_name":"Ada"}"""
+            });
+        var tamperedInitData = initData.Replace("hash=", "hash=00", StringComparison.Ordinal);
+        var service = new TelegramAuthService(CreateConfiguration(botToken));
+
+        var verified = service.VerifyWebAppInitData(tamperedInitData, out _, out _);
+
+        Assert.False(verified);
+    }
+
+    [Fact]
+    public void VerifyWebAppInitData_ShouldRejectExpiredPayload()
+    {
+        const string botToken = "test-bot-token";
+        var initData = CreateWebAppInitData(
+            botToken,
+            new Dictionary<string, string>
+            {
+                ["auth_date"] = DateTimeOffset.UtcNow.AddDays(-2).ToUnixTimeSeconds().ToString(),
+                ["user"] = """{"id":424242,"first_name":"Ada"}"""
+            });
+        var service = new TelegramAuthService(CreateConfiguration(botToken));
+
+        var verified = service.VerifyWebAppInitData(initData, out _, out _);
+
+        Assert.False(verified);
+    }
+
+    [Fact]
+    public void VerifyLoginPayload_ShouldAcceptValidTelegramWidgetCallbackPayload()
+    {
+        const string botToken = "test-bot-token";
+        var authDate = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
+        var values = new Dictionary<string, string>
+        {
+            ["auth_date"] = authDate.ToString(),
+            ["first_name"] = "Ada",
+            ["id"] = "424242",
+            ["last_name"] = "Lovelace",
+            ["photo_url"] = "https://t.me/i/userpic/320/ada.jpg",
+            ["username"] = "ada"
+        };
+        var payload = new TelegramLoginPayload(
+            424242,
+            "Ada",
+            "Lovelace",
+            "ada",
+            "https://t.me/i/userpic/320/ada.jpg",
+            authDate,
+            ComputeTelegramHash(botToken, values));
+        var service = new TelegramAuthService(CreateConfiguration(botToken));
+
+        var verified = service.VerifyLoginPayload(payload, out var telegramId, out var name);
+
+        Assert.True(verified);
+        Assert.Equal(424242L, telegramId);
+        Assert.Equal("Ada Lovelace", name);
+    }
+
+    [Fact]
+    public void VerifyLoginPayload_ShouldRejectTamperedCallbackHash()
+    {
+        var payload = new TelegramLoginPayload(
+            424242,
+            "Ada",
+            null,
+            null,
+            null,
+            DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
+            "00");
+        var service = new TelegramAuthService(CreateConfiguration("test-bot-token"));
+
+        var verified = service.VerifyLoginPayload(payload, out _, out _);
+
+        Assert.False(verified);
+    }
+
+    [Fact]
+    public void VerifyLoginPayload_ShouldRejectExpiredCallbackPayload()
+    {
+        const string botToken = "test-bot-token";
+        var authDate = DateTimeOffset.UtcNow.AddDays(-2).ToUnixTimeSeconds();
+        var values = new Dictionary<string, string>
+        {
+            ["auth_date"] = authDate.ToString(),
+            ["first_name"] = "Ada",
+            ["id"] = "424242"
+        };
+        var payload = new TelegramLoginPayload(
+            424242,
+            "Ada",
+            null,
+            null,
+            null,
+            authDate,
+            ComputeTelegramHash(botToken, values));
+        var service = new TelegramAuthService(CreateConfiguration(botToken));
+
+        var verified = service.VerifyLoginPayload(payload, out _, out _);
+
+        Assert.False(verified);
+    }
+
+    [Fact]
+    public void VerifyLoginPayload_ShouldRejectMissingRequiredCallbackFields()
+    {
+        var payload = new TelegramLoginPayload(
+            0,
+            "",
+            null,
+            null,
+            null,
+            DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
+            "");
+        var service = new TelegramAuthService(CreateConfiguration("test-bot-token"));
+
+        var verified = service.VerifyLoginPayload(payload, out _, out _);
+
+        Assert.False(verified);
+    }
+
+    [Fact]
+    public void TelegramLoginPayload_ShouldDeserializeTelegramWidgetSnakeCaseJson()
+    {
+        var payload = JsonSerializer.Deserialize<TelegramLoginPayload>(
+            """
+            {
+              "id": 424242,
+              "first_name": "Ada",
+              "last_name": "Lovelace",
+              "username": "ada",
+              "photo_url": "https://t.me/i/userpic/320/ada.jpg",
+              "auth_date": 1714300000,
+              "hash": "abcdef"
+            }
+            """);
+
+        Assert.NotNull(payload);
+        Assert.Equal(424242L, payload.Id);
+        Assert.Equal("Ada", payload.FirstName);
+        Assert.Equal("Lovelace", payload.LastName);
+        Assert.Equal("ada", payload.Username);
+        Assert.Equal("https://t.me/i/userpic/320/ada.jpg", payload.PhotoUrl);
+        Assert.Equal(1714300000L, payload.AuthDate);
+        Assert.Equal("abcdef", payload.Hash);
+    }
+
    private static IConfiguration CreateConfiguration(string botToken) =>
        new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
@@ -106,4 +284,27 @@ public sealed class TelegramAuthServiceTests
        var hashBytes = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataCheckString));
        return Convert.ToHexString(hashBytes).ToLowerInvariant();
    }
+
+    private static string CreateWebAppInitData(string botToken, IReadOnlyDictionary<string, string> values)
+    {
+        var hash = ComputeTelegramWebAppHash(botToken, values);
+        var encodedPairs = values
+            .OrderBy(pair => pair.Key, StringComparer.Ordinal)
+            .Select(pair => $"{Uri.EscapeDataString(pair.Key)}={Uri.EscapeDataString(pair.Value)}")
+            .Append($"hash={hash}");
+
+        return string.Join("&", encodedPairs);
+    }
+
+    private static string ComputeTelegramWebAppHash(string botToken, IReadOnlyDictionary<string, string> values)
+    {
+        var dataCheckString = string.Join(
+            "\n",
+            values
+                .OrderBy(pair => pair.Key, StringComparer.Ordinal)
+                .Select(pair => $"{pair.Key}={pair.Value}"));
+        var secretKey = HMACSHA256.HashData(Encoding.UTF8.GetBytes("WebAppData"), Encoding.UTF8.GetBytes(botToken));
+        var hashBytes = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataCheckString));
+        return Convert.ToHexString(hashBytes).ToLowerInvariant();
+    }
 }
@@ -12,6 +12,19 @@ public sealed class WebStylesTests
            css);
    }

+    [Fact]
+    public async Task AppCss_ShouldReserveTelegramMiniAppSafeAreaForMobileChrome()
+    {
+        var appCss = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/wwwroot/app.css"));
+        Assert.Contains("--gm-tg-safe-top", appCss, StringComparison.Ordinal);
+        Assert.Contains("--tg-safe-area-inset-top", appCss, StringComparison.Ordinal);
+        Assert.Contains("--tg-content-safe-area-inset-top", appCss, StringComparison.Ordinal);
+        Assert.Contains("env(safe-area-inset-top", appCss, StringComparison.Ordinal);
+        Assert.Contains(".telegram-mini-app .content", appCss, StringComparison.Ordinal);
+        Assert.Contains(".telegram-mini-app .nav-header", appCss, StringComparison.Ordinal);
+        Assert.Contains(".telegram-mini-app .nav-toggle", appCss, StringComparison.Ordinal);
+    }
+
    private static string FindRepositoryFile(string relativePath)
    {
        var directory = new DirectoryInfo(AppContext.BaseDirectory);
Author	SHA1	Message	Date
Toutsu	cb40c2438d	docs: clarify mini app dashboard for GMs Deploy Telegram Bot / build-and-push (push) Successful in 4m18s Details Deploy Telegram Bot / deploy (push) Successful in 12s Details	2026-04-28 21:01:30 +03:00
Toutsu	2a76ec0fb8	fix: stabilize mini app login and safe area Deploy Telegram Bot / build-and-push (push) Successful in 3m53s Details Deploy Telegram Bot / deploy (push) Successful in 17s Details	2026-04-28 20:25:18 +03:00
Toutsu	57c8714889	fix: refresh login fallback in mini app Deploy Telegram Bot / build-and-push (push) Successful in 4m11s Details Deploy Telegram Bot / deploy (push) Successful in 12s Details	2026-04-28 17:20:29 +03:00
Toutsu	8220f2060f	fix: refresh mini app login state Deploy Telegram Bot / build-and-push (push) Successful in 4m23s Details Deploy Telegram Bot / deploy (push) Successful in 12s Details	2026-04-28 17:03:53 +03:00
Toutsu	41f2ea6e90	feat: add telegram mini app dashboard Deploy Telegram Bot / build-and-push (push) Successful in 23s Details Deploy Telegram Bot / deploy (push) Successful in 10s Details	2026-04-28 14:56:55 +03:00
Toutsu	5082dd4fcf	fix: stack sidebar template nav item Deploy Telegram Bot / build-and-push (push) Successful in 3m45s Details Deploy Telegram Bot / deploy (push) Successful in 9s Details	2026-04-28 10:36:52 +03:00