fix: stabilize mini app login and safe area

fix: refresh login fallback in mini app
fix: refresh mini app login state
2026-04-28 20:25:18 +03:00 · 2026-04-28 17:20:29 +03:00 · 2026-04-28 17:03:53 +03:00 · 2026-04-28 14:56:55 +03:00
23 changed files with 1273 additions and 29 deletions
@@ -6,6 +6,10 @@ TELEGRAM_BOT_TOKEN=YOUR_BOT_TOKEN_HERE
 # Найти его можно в информации о боте у @BotFather.
 TELEGRAM_BOT_USERNAME=YOUR_BOT_USERNAME_HERE
 # HTTPS URL Mini App dashboard, например: https://your-domain.example/miniapp
 # Используется ботом для кнопки меню Telegram и кнопки /start.
 TELEGRAM_MINI_APP_URL=
 # Пароль для базы данных PostgreSQL
 POSTGRES_PASSWORD=StrongPasswordForDatabase
@@ -6,7 +6,7 @@ on:
      - main 
 env:
-  VERSION: 1.8.2
+  VERSION: 1.9.3
 jobs:
  # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами)
@@ -64,6 +64,7 @@ jobs:
          echo "TELEGRAM_BOT_TOKEN=${{ secrets.TELEGRAM_BOT_TOKEN }}" > .env
          echo "POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}" >> .env
          echo "TELEGRAM_BOT_USERNAME=${{ secrets.TELEGRAM_BOT_USERNAME }}" >> .env
          echo "TELEGRAM_MINI_APP_URL=${{ secrets.TELEGRAM_MINI_APP_URL }}" >> .env
      - name: Deploy Containers
        run: |
@@ -1,6 +1,6 @@
 <Project>
  <PropertyGroup>
-    <Version>1.8.2</Version>
+    <Version>1.9.3</Version>
    <TargetFramework>net10.0</TargetFramework>
    <LangVersion>preview</LangVersion>
    <Nullable>enable</Nullable>
@@ -4,7 +4,7 @@
 Проект разработан с упором на производительность, архитектуру Vertical Slice, Native AOT (для бота) и удобство развертывания с использованием .NET Aspire.
-**Текущая версия:** `v1.8.2`.
+**Текущая версия:** `v1.9.3`.
 ---
@@ -24,6 +24,7 @@
 ### 🌐 Web Dashboard (Blazor Server)
 - **🔐 Авторизация через Telegram**: Безопасный вход с использованием Telegram Login Widget (HMAC-SHA256 валидация).
 - **📱 Telegram Mini App Dashboard**: Мобильная версия dashboard открывается прямо из Telegram, проверяет WebApp `initData` на сервере и использует те же права owner/co-GM, что и обычный Web Dashboard. Если Mini App попадает в fallback-вход, Telegram Login Widget авторизует пользователя callback-запросом внутри текущего WebView, а интерфейс учитывает safe-area телефона и верхнюю панель Telegram.
 - **📝 Удобное редактирование**: Веб-интерфейс для детального редактирования сессий, изменения дат, названий и статусов.
 - **🤝 Co-GM и делегирование**: Owner группы назначает помощников по Telegram ID, а co-GM получает доступ к управлению расписанием в Telegram и Web Dashboard.
 - **📋 Шаблоны кампаний**: Owner и co-GM управляют типовыми параметрами кампаний в отдельной вкладке `Шаблоны`, а на странице группы запускают новый повторяющийся batch из выбранного шаблона.
@@ -74,6 +75,10 @@ TELEGRAM_BOT_TOKEN=ваш_токен_здесь
 # Используется для работы виджета авторизации (Telegram Login Widget).
 TELEGRAM_BOT_USERNAME=ваше_имя_бота_здесь
 # HTTPS URL Mini App dashboard, например: https://your-domain.example/miniapp.
 # Используется кнопкой меню Telegram и кнопкой /start.
 TELEGRAM_MINI_APP_URL=https://your-domain.example/miniapp
 # Пароль для базы данных PostgreSQL
 POSTGRES_PASSWORD=ваш_надежный_пароль
@@ -83,6 +88,8 @@ GMRELAY_WEB_PORT=8080
 *(Опционально)* Настройте домен Telegram бота в @BotFather командой `/setdomain` для работы виджета авторизации на вашем сайте.
 Для Telegram Mini App настройте в @BotFather домен Web Dashboard и menu button на URL из `TELEGRAM_MINI_APP_URL`. Бот также показывает кнопку `Открыть dashboard` в ответе на `/start`, если переменная задана. Начиная с v1.9.3 дополнительных действий в BotFather для фикса входа не требуется: URL остаётся тем же HTTPS-адресом `/miniapp`, а fallback-вход выполняется внутри активного Telegram WebView.
 ### 3. Запуск
 Выполните команду:
 ```bash
@@ -171,6 +178,13 @@ Owner или co-GM нажимает кнопку `⏰ Перенести` у н
 Если включён режим `В группе и в личку`, бот дополнительно отправляет игрокам персональные сообщения о RSVP за 24 часа, напоминание за 1 час, ссылку перед стартом, отмену и перенос. Если Telegram не позволяет написать игроку в ЛС, бот логирует ошибку и продолжает отправку остальным участникам.
 ### Telegram Mini App Dashboard
 Owner и co-GM могут открыть мобильный dashboard прямо из Telegram через кнопку меню бота или кнопку `Открыть dashboard` после `/start`. Страница `/miniapp` получает `Telegram.WebApp.initData`, отправляет его на серверный endpoint `/auth/telegram-webapp`, проходит HMAC-проверку токеном бота и выдаёт обычную cookie-сессию dashboard.
 После входа Mini App использует те же страницы, что и Web Dashboard: список групп, карточки сессий, редактирование игры, повышение игрока из листа ожидания, применение шаблонов и bulk-операции batch. Доступ к чужим группам не появляется: все данные по-прежнему фильтруются через `AuthorizedSessionService` по роли owner/co-GM.
 Если `Telegram.WebApp.initData` недоступен или серверная проверка Mini App не прошла, `/miniapp` показывает диагностичное состояние и fallback-кнопку входа. Fallback больше не зависит от внешнего redirect: Telegram Login Widget вызывает callback на странице, отправляет payload на `/auth/telegram-login`, получает cookie в текущем WebView и сразу возвращает пользователя в dashboard.
 ### Другие команды
 - `/listsessions` — Показать список всех актуальных игр в этой группе.
 - `⏰ Перенести` в сообщении расписания — Запустить голосование по 2-3 вариантам нового времени.
@@ -17,7 +17,7 @@ services:
      retries: 10
  bot:
-    image: git.codeanddice.ru/toutsu/gmrelay-bot:1.8.2
+    image: git.codeanddice.ru/toutsu/gmrelay-bot:1.9.3
    restart: always
    depends_on:
      db:
@@ -25,11 +25,12 @@ services:
    environment:
      - "ConnectionStrings__gmrelaydb=Host=db;Port=5432;Database=gmrelay_db;Username=gmrelay;Password=${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in .env}"
      - "Telegram__BotToken=${TELEGRAM_BOT_TOKEN:?Set TELEGRAM_BOT_TOKEN in .env}"
      - "Telegram__MiniAppUrl=${TELEGRAM_MINI_APP_URL:-}"
    networks:
      - gmrelay
  web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:1.8.2
+    image: git.codeanddice.ru/toutsu/gmrelay-web:1.9.3
    restart: always
    depends_on:
      db:
@@ -38,6 +39,7 @@ services:
      - "ConnectionStrings__gmrelaydb=Host=db;Port=5432;Database=gmrelay_db;Username=gmrelay;Password=${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in .env}"
      - "Telegram__BotToken=${TELEGRAM_BOT_TOKEN:?Set TELEGRAM_BOT_TOKEN in .env}"
      - "Telegram__BotUsername=${TELEGRAM_BOT_USERNAME:?Set TELEGRAM_BOT_USERNAME in .env}"
      - "Telegram__MiniAppUrl=${TELEGRAM_MINI_APP_URL:-}"
    ports:
      - "${GMRELAY_WEB_PORT:-8080}:8080"
    volumes:
@@ -0,0 +1,69 @@
 # Telegram Mini App Dashboard Implementation Plan
 > **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
 **Goal:** Add a Telegram Mini App mobile dashboard that reuses the existing Web Dashboard and validates Telegram WebApp `initData` on the server.
 **Architecture:** Extend `TelegramAuthService` for WebApp init data, add a `/miniapp` Blazor entry page plus `/auth/telegram-webapp` endpoint, and add bot entry points through an inline WebApp button and optional menu button setup. Existing application/domain services remain the only write path.
 **Tech Stack:** .NET 10, Blazor Server, Telegram.Bot, xUnit, Dapper/Npgsql-backed existing services.
 ---
 ### Task 1: Telegram WebApp Authentication
 **Files:**
 - Modify: `src/GmRelay.Web/Services/TelegramAuthService.cs`
 - Modify: `src/GmRelay.Web/Program.cs`
 - Test: `tests/GmRelay.Bot.Tests/Web/TelegramAuthServiceTests.cs`
 - [ ] Write failing tests for valid WebApp `initData`, tampered hash, and expired auth date.
 - [ ] Run `dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --filter TelegramAuthServiceTests`.
 - [ ] Implement WebApp HMAC verification using the Telegram `WebAppData` secret derivation.
 - [ ] Add `/auth/telegram-webapp` endpoint that signs in using the same claims as `/auth/telegram`.
 - [ ] Re-run the filtered tests.
 ### Task 2: Mini App Entry Page
 **Files:**
 - Create: `src/GmRelay.Web/Components/Pages/MiniApp.razor`
 - Modify: `src/GmRelay.Web/Components/App.razor`
 - Modify: `src/GmRelay.Web/wwwroot/app.css`
 - Test: `tests/GmRelay.Bot.Tests/Web/MiniAppDashboardTests.cs`
 - [ ] Write failing tests that assert `/miniapp`, `telegram-web-app.js`, `authenticateTelegramMiniApp`, and Mini App CSS hooks exist.
 - [ ] Run `dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --filter MiniAppDashboardTests`.
 - [ ] Implement `/miniapp` to post `Telegram.WebApp.initData` to `/auth/telegram-webapp`, expand/ready the Mini App, and show fallback login when opened outside Telegram.
 - [ ] Add CSS for a mobile-first Mini App shell and compact dashboard spacing.
 - [ ] Re-run the filtered tests.
 ### Task 3: Bot Entry Points
 **Files:**
 - Create: `src/GmRelay.Bot/Infrastructure/Telegram/TelegramMiniAppMenuButtonService.cs`
 - Modify: `src/GmRelay.Bot/Infrastructure/Telegram/UpdateRouter.cs`
 - Modify: `src/GmRelay.Bot/Program.cs`
 - Test: `tests/GmRelay.Bot.Tests/Infrastructure/Telegram/TelegramMiniAppEntryPointTests.cs`
 - [ ] Write failing tests that assert `/start` exposes a WebApp button and startup registers the menu button service.
 - [ ] Run `dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --filter TelegramMiniAppEntryPointTests`.
 - [ ] Add a configurable `Telegram:MiniAppUrl` entry point; when missing, keep existing command behavior.
 - [ ] Add hosted service that calls `SetChatMenuButton` with `MenuButtonWebApp` only when the URL is configured.
 - [ ] Re-run the filtered tests.
 ### Task 4: Docs, Versions, and Release Prep
 **Files:**
 - Modify: `Directory.Build.props`
 - Modify: `compose.yaml`
 - Modify: `.gitea/workflows/deploy.yml`
 - Modify: `src/GmRelay.Web/wwwroot/app.css`
 - Modify: `src/GmRelay.Web/Components/Layout/NavMenu.razor`
 - Modify: `README.md`
 - Wiki: `Home`, `Быстрый старт`, `Руководство ГМа`, `Развёртывание`, `Архитектура`, `Разработка`
 - [ ] Update project/container/workflow/UI versions to `1.9.0`.
 - [ ] Document `TELEGRAM_MINI_APP_URL`, BotFather `/setmenubutton`, `/miniapp`, and WebApp auth.
 - [ ] Run `dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --collect:"XPlat Code Coverage"`.
 - [ ] Run `dotnet build GM-Relay.slnx -c Release`.
 - [ ] Commit, push, close issue #17, update wiki, create tag/release `v1.9.0`.
@@ -0,0 +1,44 @@
 # Telegram Mini App Dashboard Design
 ## Goal
 Issue #17 adds a Telegram Mini App dashboard as the mobile entry point for the existing Web Dashboard. Owner and co-GM users must be able to open the dashboard from Telegram, pass server-side Telegram WebApp `initData` validation, and manage only their own groups.
 ## Scope
 - Add Mini App authentication using Telegram WebApp `initData`.
 - Add a `/miniapp` entry page that signs the user into the existing cookie auth flow, then opens the regular dashboard UI in mobile-first mode.
 - Reuse `AuthorizedSessionService`, `SessionService`, and existing Blazor pages for groups, sessions, templates, waitlist promotion, edit forms, and bulk batch operations.
 - Add bot entry points: a Mini App button in `/start` and a configurable default menu button when `Telegram:MiniAppUrl` is set.
 - Update README, wiki, deployment config, and visible version strings to `1.9.0`.
 ## Architecture
 The Mini App is not a second dashboard implementation. It is a Telegram-authenticated entrance into the existing Blazor dashboard. This keeps authorization, domain operations, Telegram message synchronization, and Web Dashboard behavior in one place.
 `TelegramAuthService` gains a second verification method for WebApp `initData`. The server accepts the raw URL-encoded init payload at `/auth/telegram-webapp`, verifies the Telegram HMAC with the bot token, extracts the user id/name from the embedded `user` JSON, and issues the same auth cookie as the login widget endpoint.
 `/miniapp` loads `telegram-web-app.js`, posts `window.Telegram.WebApp.initData` to the server endpoint, expands the WebApp viewport, and redirects to `/`. If a user opens `/miniapp` outside Telegram, the page shows the regular login fallback.
 ## Data Flow
 1. User opens the Mini App from the bot menu button or `/start` inline button.
 2. Telegram injects `initData` into the WebApp JavaScript API.
 3. `/miniapp` posts `{ initData }` to `/auth/telegram-webapp`.
 4. The server verifies the WebApp signature and expiry.
 5. The server creates the same claims used by Telegram Login Widget.
 6. Existing Blazor pages load groups through `AuthorizedSessionService`.
 7. Any edit, waitlist, template, or batch action still goes through existing services and keeps Telegram messages synchronized.
 ## Error Handling
 - Missing or invalid init data returns `401` and leaves the user on the Mini App page.
 - Expired auth data is rejected with the same 24-hour window used by the Login Widget.
 - A verified Telegram user with no owner/co-GM groups sees the existing empty dashboard state.
 - Direct navigation to a foreign group/session still redirects to `/access-denied` through existing authorization checks.
 ## Testing
 - Unit tests cover valid and invalid WebApp `initData`.
 - File-level regression tests ensure `/miniapp`, `/auth/telegram-webapp`, Telegram WebApp script loading, bot Mini App button, menu button setup, and mobile Mini App CSS hooks remain present.
 - Existing `AuthorizedSessionServiceTests` continue covering owner/co-GM access behavior.
@@ -0,0 +1,46 @@
 using Telegram.Bot;
 using Telegram.Bot.Types;
 namespace GmRelay.Bot.Infrastructure.Telegram;
 public sealed class TelegramMiniAppMenuButtonService(
    ITelegramBotClient bot,
    IConfiguration configuration,
    ILogger<TelegramMiniAppMenuButtonService> logger) : IHostedService
 {
    public async Task StartAsync(CancellationToken cancellationToken)
    {
        var miniAppUrl = configuration["Telegram:MiniAppUrl"];
        if (string.IsNullOrWhiteSpace(miniAppUrl))
        {
            logger.LogInformation("Telegram Mini App URL is not configured; menu button setup skipped.");
            return;
        }
        if (!Uri.TryCreate(miniAppUrl, UriKind.Absolute, out var uri) ||
            (uri.Scheme != Uri.UriSchemeHttps && !uri.IsLoopback))
        {
            logger.LogWarning("Telegram Mini App URL {MiniAppUrl} is not a valid HTTPS URL.", miniAppUrl);
            return;
        }
        try
        {
            await bot.SetChatMenuButton(
                menuButton: new MenuButtonWebApp
                {
                    Text = "Dashboard",
                    WebApp = new WebAppInfo(miniAppUrl)
                },
                cancellationToken: cancellationToken);
            logger.LogInformation("Telegram Mini App menu button configured for {MiniAppUrl}.", miniAppUrl);
        }
        catch (Exception ex)
        {
            logger.LogWarning(ex, "Failed to configure Telegram Mini App menu button.");
        }
    }
    public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
 }
@@ -9,6 +9,7 @@ using GmRelay.Bot.Features.Sessions.RescheduleSession;
 using Telegram.Bot;
 using Telegram.Bot.Types;
 using Telegram.Bot.Types.Enums;
 using Telegram.Bot.Types.ReplyMarkups;
 namespace GmRelay.Bot.Infrastructure.Telegram;
@@ -30,6 +31,7 @@ public sealed class UpdateRouter(
    HandleRescheduleTimeInputHandler rescheduleTimeInputHandler,
    HandleRescheduleVoteHandler rescheduleVoteHandler,
    ITelegramBotClient bot,
    IConfiguration configuration,
    ILogger<UpdateRouter> logger) : ITelegramUpdateHandler
 {
    public async Task RouteAsync(Update update, CancellationToken ct)
@@ -188,10 +190,7 @@ public sealed class UpdateRouter(
        switch (command)
        {
            case "/start":
-                await bot.SendMessage(
+                await SendStartMessageAsync(message, ct);
                    chatId: message.Chat.Id,
                    text: "GM-Relay Bot ready. Use /help for commands.",
                    cancellationToken: ct);
                break;
            case "/newsession":
@@ -236,4 +235,24 @@ public sealed class UpdateRouter(
                break;
        }
    }
    private async Task SendStartMessageAsync(Message message, CancellationToken ct)
    {
        var miniAppUrl = configuration["Telegram:MiniAppUrl"];
        if (string.IsNullOrWhiteSpace(miniAppUrl))
        {
            await bot.SendMessage(
                chatId: message.Chat.Id,
                text: "GM-Relay Bot ready. Use /help for commands.",
                cancellationToken: ct);
            return;
        }
        await bot.SendMessage(
            chatId: message.Chat.Id,
            text: "GM-Relay Bot ready. Откройте dashboard внутри Telegram или используйте /help для команд.",
            replyMarkup: new InlineKeyboardMarkup(
                InlineKeyboardButton.WithWebApp("Открыть dashboard", new WebAppInfo(miniAppUrl))),
            cancellationToken: ct);
    }
 }
@@ -71,6 +71,7 @@ builder.Services.AddSingleton<HandleRescheduleVoteHandler>();
 // ── Telegram infrastructure ──────────────────────────────────────────
 builder.Services.AddSingleton<UpdateRouter>();
 builder.Services.AddSingleton<ITelegramUpdateHandler>(sp => sp.GetRequiredService<UpdateRouter>());
 builder.Services.AddHostedService<TelegramMiniAppMenuButtonService>();
 builder.Services.AddHostedService<TelegramBotService>();
 // ── Session scheduler ────────────────────────────────────────────────
@@ -7,6 +7,7 @@
    }
  },
  "Telegram": {
-    "BotToken": ""
+    "BotToken": "",
    "MiniAppUrl": ""
  }
 }
@@ -13,6 +13,7 @@
    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet" />
    <link rel="stylesheet" href="@Assets["app.css"]" />
    <link rel="stylesheet" href="@Assets["GmRelay.Web.styles.css"]" />
    <script src="https://telegram.org/js/telegram-web-app.js"></script>
    <ImportMap />
    <link rel="icon" type="image/png" href="favicon.png" />
    <HeadOutlet @rendermode="InteractiveServer" />
@@ -23,19 +24,275 @@
    <ReconnectModal />
    <script src="@Assets["_framework/blazor.web.js"]"></script>
    <script>
        window.waitForTelegramMiniApp = async function (timeoutMs) {
            var deadline = Date.now() + (timeoutMs || 3000);
            while (Date.now() <= deadline) {
                if (window.Telegram && window.Telegram.WebApp) {
                    return window.Telegram.WebApp;
                }
                await new Promise(function (resolve) {
                    setTimeout(resolve, 100);
                });
            }
            return null;
        };
        window.waitForTelegramMiniAppInitData = async function (timeoutMs) {
            var deadline = Date.now() + (timeoutMs || 3000);
            while (Date.now() <= deadline) {
                if (window.Telegram && window.Telegram.WebApp && window.Telegram.WebApp.initData) {
                    return window.Telegram.WebApp;
                }
                await new Promise(function (resolve) {
                    setTimeout(resolve, 100);
                });
            }
            return null;
        };
        window.syncTelegramMiniAppViewport = function (webApp) {
            if (!webApp) {
                return;
            }
            var root = document.documentElement;
            var safeArea = webApp.safeAreaInset || {};
            var contentSafeArea = webApp.contentSafeAreaInset || {};
            var setPx = function (name, value) {
                root.style.setProperty(name, Math.max(0, Number(value) || 0) + 'px');
            };
            setPx('--gm-tg-safe-top', safeArea.top);
            setPx('--gm-tg-safe-right', safeArea.right);
            setPx('--gm-tg-safe-bottom', safeArea.bottom);
            setPx('--gm-tg-safe-left', safeArea.left);
            setPx('--gm-tg-content-safe-top', contentSafeArea.top);
            setPx('--gm-tg-content-safe-right', contentSafeArea.right);
            setPx('--gm-tg-content-safe-bottom', contentSafeArea.bottom);
            setPx('--gm-tg-content-safe-left', contentSafeArea.left);
            if (webApp.viewportHeight) {
                root.style.setProperty('--gm-tg-viewport-height', webApp.viewportHeight + 'px');
            }
        };
        window.prepareTelegramMiniApp = function (webApp) {
            if (!webApp) {
                return;
            }
            document.body.classList.add('telegram-mini-app');
            window.syncTelegramMiniAppViewport(webApp);
            try {
                webApp.ready();
            } catch (error) {
            }
            try {
                webApp.expand();
            } catch (error) {
            }
            if (webApp.onEvent && !window.gmRelayTelegramMiniAppViewportEventsRegistered) {
                window.gmRelayTelegramMiniAppViewportEventsRegistered = true;
                webApp.onEvent('safeAreaChanged', function () {
                    window.syncTelegramMiniAppViewport(webApp);
                });
                webApp.onEvent('contentSafeAreaChanged', function () {
                    window.syncTelegramMiniAppViewport(webApp);
                });
                webApp.onEvent('viewportChanged', function () {
                    window.syncTelegramMiniAppViewport(webApp);
                });
            }
        };
        (async function () {
            var webApp = await window.waitForTelegramMiniApp(1000);
            window.prepareTelegramMiniApp(webApp);
        })();
        window.loadTelegramWidget = function (botUsername, authUrl) {
            var container = document.getElementById('telegram-login-container');
            if (!container) return;
            container.innerHTML = '';
            window.gmRelayTelegramLoginAuthUrl = authUrl || '/auth/telegram-login';
            var script = document.createElement('script');
            script.async = true;
            script.src = 'https://telegram.org/js/telegram-widget.js?22';
            script.setAttribute('data-telegram-login', botUsername);
            script.setAttribute('data-size', 'large');
-            script.setAttribute('data-auth-url', authUrl);
+            script.setAttribute('data-onauth', 'window.handleTelegramLogin(user)');
            script.setAttribute('data-request-access', 'write');
            container.appendChild(script);
        };
        window.handleTelegramLogin = async function (user) {
            if (!user) {
                window.location.href = '/login?error=auth_failed';
                return;
            }
            try {
                var response = await fetch(window.gmRelayTelegramLoginAuthUrl || '/auth/telegram-login', {
                    method: 'POST',
                    headers: { 'Content-Type': 'application/json' },
                    credentials: 'same-origin',
                    cache: 'no-store',
                    body: JSON.stringify(user)
                });
                if (!response.ok) {
                    window.location.href = '/login?error=auth_failed';
                    return;
                }
                var payload = await response.json();
                window.location.href = payload.redirectUrl || '/';
            } catch (error) {
                window.location.href = '/login?error=auth_failed';
            }
        };
        window.watchTelegramMiniAppLogin = function (statusUrl, redirectUrl, reloadOnReturn) {
            window.gmRelayMiniAppLoginReloadOnReturn =
                window.gmRelayMiniAppLoginReloadOnReturn || reloadOnReturn === true;
            if (window.gmRelayMiniAppLoginWatcher) {
                return;
            }
            window.gmRelayMiniAppLoginLeftPage = false;
            var stopWatching = function () {
                if (window.gmRelayMiniAppLoginWatcher) {
                    window.clearInterval(window.gmRelayMiniAppLoginWatcher);
                    window.gmRelayMiniAppLoginWatcher = null;
                }
            };
            var reloadAfterExternalLogin = function () {
                if (!window.gmRelayMiniAppLoginReloadOnReturn || !window.gmRelayMiniAppLoginLeftPage) {
                    return;
                }
                window.gmRelayMiniAppLoginLeftPage = false;
                try {
                    var refreshKey = 'gmrelay-miniapp-login-refresh:' + window.location.pathname;
                    if (window.sessionStorage && window.sessionStorage.getItem(refreshKey) === '1') {
                        return;
                    }
                    if (window.sessionStorage) {
                        window.sessionStorage.setItem(refreshKey, '1');
                    }
                } catch (error) {
                }
                window.location.reload();
            };
            var allowNextExternalLoginReload = function () {
                window.gmRelayMiniAppLoginLeftPage = true;
                try {
                    var refreshKey = 'gmrelay-miniapp-login-refresh:' + window.location.pathname;
                    if (window.sessionStorage) {
                        window.sessionStorage.removeItem(refreshKey);
                    }
                } catch (error) {
                }
            };
            var checkLogin = async function (reloadWhenUnauthenticated) {
                try {
                    var response = await fetch(statusUrl, {
                        credentials: 'same-origin',
                        cache: 'no-store'
                    });
                    if (!response.ok) {
                        return;
                    }
                    var payload = await response.json();
                    if (payload.authenticated) {
                        stopWatching();
                        window.location.href = redirectUrl || '/';
                        return;
                    }
                    if (reloadWhenUnauthenticated) {
                        reloadAfterExternalLogin();
                    }
                } catch (error) {
                    return;
                }
            };
            window.gmRelayMiniAppLoginWatcher = window.setInterval(checkLogin, 1000);
            window.addEventListener('blur', function () {
                allowNextExternalLoginReload();
            });
            window.addEventListener('focus', function () {
                void checkLogin(true);
            });
            document.addEventListener('visibilitychange', function () {
                if (document.hidden) {
                    allowNextExternalLoginReload();
                    return;
                }
                void checkLogin(true);
            });
            void checkLogin(false);
        };
        window.authenticateTelegramMiniApp = async function (authUrl, redirectUrl) {
            var webApp = await window.waitForTelegramMiniApp(3000);
            if (!webApp) {
                return { authenticated: false, reason: 'telegram-webapp-missing' };
            }
            window.prepareTelegramMiniApp(webApp);
            if (!webApp.initData) {
                return { authenticated: false, reason: 'telegram-init-data-empty' };
            }
            try {
                var response = await fetch(authUrl, {
                    method: 'POST',
                    headers: { 'Content-Type': 'application/json' },
                    credentials: 'same-origin',
                    cache: 'no-store',
                    body: JSON.stringify({ initData: webApp.initData })
                });
                if (!response.ok) {
                    return {
                        authenticated: false,
                        reason: 'telegram-auth-failed',
                        status: response.status
                    };
                }
                var payload = await response.json();
                window.location.href = payload.redirectUrl || redirectUrl || '/';
                return { authenticated: true, redirectUrl: payload.redirectUrl || redirectUrl || '/' };
            } catch (error) {
                return { authenticated: false, reason: 'telegram-auth-failed' };
            }
        };
    </script>
 </body>
@@ -60,12 +60,17 @@
 /* === Mobile Responsive === */
@media (max-width: 768px) {
    .sidebar {
-        transform: translateX(-100%);
+        transform: none;
-        width: 280px;
+        width: 100%;
        height: auto;
        min-height: 0;
        position: sticky;
        border-right: none;
        border-bottom: 1px solid var(--border-color);
    }
-    .sidebar.open {
+    .page {
-        transform: translateX(0);
+        display: block;
    }
    .main-area {
@@ -56,7 +56,7 @@
                    </button>
                </form>
-                <div class="nav-version">v1.8.2</div>
+                <div class="nav-version">v1.9.3</div>
            </div>
        </Authorized>
        <NotAuthorized>
@@ -25,7 +25,6 @@
@code {
    private string BotUsername => Configuration["Telegram:BotUsername"] ?? "GmRelayBot";
    private string AuthUrl => Navigation.ToAbsoluteUri("/auth/telegram").ToString();
    [CascadingParameter]
    private Task<AuthenticationState>? AuthStateTask { get; set; }
@@ -46,7 +45,8 @@
    {
        if (firstRender)
        {
-            await JS.InvokeVoidAsync("loadTelegramWidget", BotUsername, AuthUrl);
+            await JS.InvokeVoidAsync("loadTelegramWidget", BotUsername, "/auth/telegram-login");
            await JS.InvokeVoidAsync("watchTelegramMiniAppLogin", "/auth/status", "/", false);
        }
    }
 }
@@ -0,0 +1,103 @@
@page "/miniapp"
@using Microsoft.AspNetCore.Components.Authorization
@using System.Text.Json.Serialization
@inject IJSRuntime JS
@inject NavigationManager Navigation
 <PageTitle>Mini App Dashboard — GM-Relay</PageTitle>
 <div class="mini-app-page">
    <div class="mini-app-auth-card" data-auth-status="@miniAppAuthStatus">
        <div class="mini-app-logo">🎲</div>
        <h1>GM-Relay</h1>
        <p>@statusMessage</p>
        @if (showFallback)
        {
            <a href="/login" class="btn-gm btn-gm-primary">Войти через Telegram</a>
        }
    </div>
 </div>
@code {
    private string statusMessage = "Открываем dashboard внутри Telegram...";
    private string miniAppAuthStatus = "starting";
    private bool showFallback;
    [CascadingParameter]
    private Task<AuthenticationState>? AuthStateTask { get; set; }
    protected override async Task OnInitializedAsync()
    {
        if (AuthStateTask is null)
        {
            return;
        }
        var user = (await AuthStateTask).User;
        if (user.Identity?.IsAuthenticated == true)
        {
            Navigation.NavigateTo("/");
        }
    }
    protected override async Task OnAfterRenderAsync(bool firstRender)
    {
        if (!firstRender)
        {
            return;
        }
        try
        {
            var result = await JS.InvokeAsync<MiniAppAuthResult>(
                "authenticateTelegramMiniApp",
                "/auth/telegram-webapp",
                "/");
            if (!result.Authenticated)
            {
                miniAppAuthStatus = string.IsNullOrWhiteSpace(result.Reason)
                    ? "telegram-auth-failed"
                    : result.Reason;
                statusMessage = GetStatusMessage(miniAppAuthStatus);
                showFallback = true;
                StateHasChanged();
                await TryWatchLoginAsync();
            }
        }
        catch (JSException)
        {
            miniAppAuthStatus = "telegram-auth-failed";
            statusMessage = "Не удалось получить данные Telegram Mini App. Попробуйте открыть dashboard из бота.";
            showFallback = true;
            StateHasChanged();
            await TryWatchLoginAsync();
        }
    }
    private async Task TryWatchLoginAsync()
    {
        try
        {
            await JS.InvokeVoidAsync("watchTelegramMiniAppLogin", "/auth/status", "/");
        }
        catch (JSException)
        {
        }
    }
    private static string GetStatusMessage(string reason) => reason switch
    {
        "telegram-webapp-missing" => "Mini App API не найден. Если страница открыта в браузере, войдите через Telegram.",
        "telegram-init-data-empty" => "Telegram открыл страницу без Mini App initData. Попробуйте войти через Telegram на этом экране.",
        "telegram-auth-failed" => "Не удалось проверить Telegram Mini App. Попробуйте войти через Telegram.",
        _ => "Mini App доступен из Telegram. Для браузера используйте обычный вход."
    };
    private sealed record MiniAppAuthResult(
        [property: JsonPropertyName("authenticated")] bool Authenticated,
        [property: JsonPropertyName("reason")] string? Reason,
        [property: JsonPropertyName("status")] int? Status,
        [property: JsonPropertyName("redirectUrl")] string? RedirectUrl);
 }
@@ -87,23 +87,58 @@ app.MapGet("/auth/telegram", async (HttpContext context, TelegramAuthService aut
 {
    if (authService.Verify(context.Request.Query, out var telegramId, out var name))
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, telegramId.ToString()),
            new Claim(ClaimTypes.Name, name),
            new Claim("TelegramId", telegramId.ToString())
        };
        var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        var authProperties = new AuthenticationProperties { IsPersistent = true };
-
+        await context.SignInAsync(
-        await context.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity), authProperties);
+            CookieAuthenticationDefaults.AuthenticationScheme,
            CreateTelegramPrincipal(telegramId, name),
            authProperties);
        return Results.Redirect("/");
    }
    return Results.Redirect("/login?error=auth_failed");
 });
 app.MapPost("/auth/telegram-webapp", async (
    HttpContext context,
    TelegramAuthService authService,
    TelegramWebAppAuthRequest request) =>
 {
    if (!authService.VerifyWebAppInitData(request.InitData, out var telegramId, out var name))
    {
        return Results.Unauthorized();
    }
    var authProperties = new AuthenticationProperties { IsPersistent = true };
    await context.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        CreateTelegramPrincipal(telegramId, name),
        authProperties);
    return Results.Ok(new { redirectUrl = "/" });
 }).DisableAntiforgery();
 app.MapPost("/auth/telegram-login", async (
    HttpContext context,
    TelegramAuthService authService,
    TelegramLoginPayload request) =>
 {
    if (!authService.VerifyLoginPayload(request, out var telegramId, out var name))
    {
        return Results.Unauthorized();
    }
    var authProperties = new AuthenticationProperties { IsPersistent = true };
    await context.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        CreateTelegramPrincipal(telegramId, name),
        authProperties);
    return Results.Ok(new { redirectUrl = "/" });
 }).DisableAntiforgery();
 app.MapGet("/auth/status", (HttpContext context) =>
    Results.Ok(new { authenticated = context.User.Identity?.IsAuthenticated == true }));
 app.MapPost("/auth/logout", async (HttpContext context) =>
 {
    await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
@@ -111,3 +146,18 @@ app.MapPost("/auth/logout", async (HttpContext context) =>
 });
 app.Run();
 static ClaimsPrincipal CreateTelegramPrincipal(long telegramId, string name)
 {
    var claims = new List<Claim>
    {
        new(ClaimTypes.NameIdentifier, telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture)),
        new(ClaimTypes.Name, name),
        new("TelegramId", telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture))
    };
    var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    return new ClaimsPrincipal(claimsIdentity);
 }
 public sealed record TelegramWebAppAuthRequest(string InitData);
@@ -1,5 +1,8 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using Microsoft.AspNetCore.WebUtilities;
 namespace GmRelay.Web.Services;
@@ -55,4 +58,170 @@ public sealed class TelegramAuthService(IConfiguration configuration)
        return false;
    }
    public bool VerifyWebAppInitData(string initData, out long telegramId, out string name)
    {
        telegramId = 0;
        name = string.Empty;
        if (string.IsNullOrWhiteSpace(initData))
            return false;
        var token = configuration["Telegram__BotToken"] ?? configuration["Telegram:BotToken"];
        if (string.IsNullOrEmpty(token))
            return false;
        var values = QueryHelpers.ParseQuery(initData);
        if (!values.TryGetValue("hash", out var hash) || string.IsNullOrWhiteSpace(hash))
            return false;
        var dataCheckString = string.Join(
            "\n",
            values
                .Where(pair => pair.Key != "hash")
                .OrderBy(pair => pair.Key, StringComparer.Ordinal)
                .Select(pair => $"{pair.Key}={pair.Value}"));
        var secretKey = HMACSHA256.HashData(Encoding.UTF8.GetBytes("WebAppData"), Encoding.UTF8.GetBytes(token));
        var computedHashBytes = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataCheckString));
        byte[] hashBytes;
        try
        {
            hashBytes = Convert.FromHexString(hash.ToString());
        }
        catch (FormatException)
        {
            return false;
        }
        if (!CryptographicOperations.FixedTimeEquals(computedHashBytes, hashBytes))
            return false;
        if (!values.TryGetValue("auth_date", out var authDateStr) ||
            !long.TryParse(authDateStr, out var authDate))
        {
            return false;
        }
        var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        if (now - authDate > 86400)
            return false;
        if (!values.TryGetValue("user", out var userJson) || string.IsNullOrWhiteSpace(userJson))
            return false;
        return TryReadWebAppUser(userJson.ToString(), out telegramId, out name);
    }
    public bool VerifyLoginPayload(TelegramLoginPayload payload, out long telegramId, out string name)
    {
        telegramId = 0;
        name = string.Empty;
        if (payload.Id <= 0 ||
            string.IsNullOrWhiteSpace(payload.FirstName) ||
            payload.AuthDate <= 0 ||
            string.IsNullOrWhiteSpace(payload.Hash))
        {
            return false;
        }
        var token = configuration["Telegram__BotToken"] ?? configuration["Telegram:BotToken"];
        if (string.IsNullOrEmpty(token))
            return false;
        var values = new SortedDictionary<string, string>(StringComparer.Ordinal)
        {
            ["auth_date"] = payload.AuthDate.ToString(System.Globalization.CultureInfo.InvariantCulture),
            ["first_name"] = payload.FirstName,
            ["id"] = payload.Id.ToString(System.Globalization.CultureInfo.InvariantCulture)
        };
        if (!string.IsNullOrWhiteSpace(payload.LastName))
            values["last_name"] = payload.LastName;
        if (!string.IsNullOrWhiteSpace(payload.PhotoUrl))
            values["photo_url"] = payload.PhotoUrl;
        if (!string.IsNullOrWhiteSpace(payload.Username))
            values["username"] = payload.Username;
        var dataCheckString = string.Join("\n", values.Select(pair => $"{pair.Key}={pair.Value}"));
        var secretKey = SHA256.HashData(Encoding.UTF8.GetBytes(token));
        var computedHashBytes = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataCheckString));
        byte[] hashBytes;
        try
        {
            hashBytes = Convert.FromHexString(payload.Hash);
        }
        catch (FormatException)
        {
            return false;
        }
        catch (ArgumentException)
        {
            return false;
        }
        if (!CryptographicOperations.FixedTimeEquals(computedHashBytes, hashBytes))
            return false;
        var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        if (now - payload.AuthDate > 86400)
            return false;
        telegramId = payload.Id;
        name = string.IsNullOrWhiteSpace(payload.LastName)
            ? payload.FirstName
            : $"{payload.FirstName} {payload.LastName}";
        return true;
    }
    private static bool TryReadWebAppUser(string userJson, out long telegramId, out string name)
    {
        telegramId = 0;
        name = string.Empty;
        try
        {
            using var document = JsonDocument.Parse(userJson);
            var root = document.RootElement;
            if (!root.TryGetProperty("id", out var idElement) || !idElement.TryGetInt64(out telegramId))
                return false;
            var firstName = root.TryGetProperty("first_name", out var firstNameElement)
                ? firstNameElement.GetString() ?? string.Empty
                : string.Empty;
            var lastName = root.TryGetProperty("last_name", out var lastNameElement)
                ? lastNameElement.GetString() ?? string.Empty
                : string.Empty;
            var username = root.TryGetProperty("username", out var usernameElement)
                ? usernameElement.GetString()
                : null;
            name = (firstName, lastName) switch
            {
                ({ Length: > 0 }, { Length: > 0 }) => $"{firstName} {lastName}",
                ({ Length: > 0 }, _) => firstName,
                _ when !string.IsNullOrWhiteSpace(username) => "@" + username,
                _ => $"Telegram {telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture)}"
            };
            return true;
        }
        catch (JsonException)
        {
            return false;
        }
    }
 }
 public sealed record TelegramLoginPayload(
    [property: JsonPropertyName("id")] long Id,
    [property: JsonPropertyName("first_name")] string FirstName,
    [property: JsonPropertyName("last_name")] string? LastName,
    [property: JsonPropertyName("username")] string? Username,
    [property: JsonPropertyName("photo_url")] string? PhotoUrl,
    [property: JsonPropertyName("auth_date")] long AuthDate,
    [property: JsonPropertyName("hash")] string Hash);
@@ -1,5 +1,5 @@
 /* ============================================
-   GM-Relay Design System v1.8.2
+   GM-Relay Design System v1.9.3
   Dark RPG Dashboard Theme
   ============================================ */
@@ -69,6 +69,21 @@
    /* Sidebar */
    --sidebar-width: 260px;
    /* Telegram Mini App safe areas */
    --gm-tg-safe-top: var(--tg-safe-area-inset-top, env(safe-area-inset-top, 0px));
    --gm-tg-safe-right: var(--tg-safe-area-inset-right, env(safe-area-inset-right, 0px));
    --gm-tg-safe-bottom: var(--tg-safe-area-inset-bottom, env(safe-area-inset-bottom, 0px));
    --gm-tg-safe-left: var(--tg-safe-area-inset-left, env(safe-area-inset-left, 0px));
    --gm-tg-content-safe-top: var(--tg-content-safe-area-inset-top, 0px);
    --gm-tg-content-safe-right: var(--tg-content-safe-area-inset-right, 0px);
    --gm-tg-content-safe-bottom: var(--tg-content-safe-area-inset-bottom, 0px);
    --gm-tg-content-safe-left: var(--tg-content-safe-area-inset-left, 0px);
    --gm-mini-app-top-inset: calc(var(--gm-tg-safe-top, 0px) + var(--gm-tg-content-safe-top, 0px));
    --gm-mini-app-bottom-inset: calc(var(--gm-tg-safe-bottom, 0px) + var(--gm-tg-content-safe-bottom, 0px));
    --gm-mini-app-left-inset: calc(var(--gm-tg-safe-left, 0px) + var(--gm-tg-content-safe-left, 0px));
    --gm-mini-app-right-inset: calc(var(--gm-tg-safe-right, 0px) + var(--gm-tg-content-safe-right, 0px));
    --gm-tg-viewport-height: 100dvh;
 }
 /* === Reset & Base === */
@@ -842,6 +857,62 @@ select option {
    margin-bottom: 2rem;
 }
 /* === Telegram Mini App entry === */
 .mini-app-page {
    min-height: 100vh;
    min-height: var(--gm-tg-viewport-height, 100dvh);
    display: flex;
    align-items: center;
    justify-content: center;
    padding: 1rem;
    background: var(--bg-primary);
 }
 .mini-app-auth-card {
    width: 100%;
    max-width: 360px;
    padding: 1.5rem;
    border: 1px solid var(--glass-border);
    border-radius: var(--radius-md);
    background: var(--glass-bg);
    text-align: center;
 }
 .mini-app-logo {
    font-size: 2.25rem;
    margin-bottom: 0.75rem;
 }
 .mini-app-auth-card h1 {
    font-size: 1.375rem;
    margin-bottom: 0.5rem;
 }
 .mini-app-auth-card p {
    color: var(--text-secondary);
    font-size: 0.875rem;
    margin-bottom: 1.25rem;
 }
 .telegram-mini-app .page-container {
    max-width: 720px;
 }
 body.telegram-mini-app {
    min-height: var(--gm-tg-viewport-height, 100dvh);
 }
 body.telegram-mini-app .mini-app-page {
    padding-top: calc(1rem + var(--gm-mini-app-top-inset, 0px));
    padding-right: calc(1rem + var(--gm-mini-app-right-inset, 0px));
    padding-bottom: calc(1rem + var(--gm-mini-app-bottom-inset, 0px));
    padding-left: calc(1rem + var(--gm-mini-app-left-inset, 0px));
 }
 body.telegram-mini-app .content {
    padding-bottom: calc(1.5rem + var(--gm-mini-app-bottom-inset, 0px));
 }
 /* === Mobile Sessions Cards (instead of table) === */
 .session-card-mobile {
    display: none;
@@ -928,6 +999,26 @@ select option {
        padding: 1rem;
    }
    .telegram-mini-app .content {
        padding: 0.75rem;
        padding-bottom: calc(0.75rem + var(--gm-mini-app-bottom-inset, 0px));
    }
    .telegram-mini-app .page-container {
        padding: 0.75rem;
    }
    body.telegram-mini-app .nav-header {
        padding-top: calc(1.25rem + var(--gm-mini-app-top-inset, 0px));
        padding-left: calc(1rem + var(--gm-mini-app-left-inset, 0px));
        padding-right: calc(0.75rem + var(--gm-mini-app-right-inset, 0px));
    }
    body.telegram-mini-app .nav-toggle {
        top: calc(0.75rem + var(--gm-mini-app-top-inset, 0px));
        left: calc(0.75rem + var(--gm-mini-app-left-inset, 0px));
    }
    h2 {
        font-size: 1.25rem;
    }
@@ -0,0 +1,50 @@
 namespace GmRelay.Bot.Tests.Infrastructure.Telegram;
 public sealed class TelegramMiniAppEntryPointTests
 {
    [Fact]
    public async Task UpdateRouter_ShouldExposeMiniAppButtonInStartCommand()
    {
        var updateRouter = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Bot/Infrastructure/Telegram/UpdateRouter.cs"));
        Assert.Contains("Telegram:MiniAppUrl", updateRouter, StringComparison.Ordinal);
        Assert.Contains("InlineKeyboardButton.WithWebApp", updateRouter, StringComparison.Ordinal);
        Assert.Contains("Открыть dashboard", updateRouter, StringComparison.Ordinal);
    }
    [Fact]
    public async Task BotStartup_ShouldRegisterMiniAppMenuButtonService()
    {
        var program = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Bot/Program.cs"));
        Assert.Contains("TelegramMiniAppMenuButtonService", program, StringComparison.Ordinal);
        Assert.Contains("AddHostedService<TelegramMiniAppMenuButtonService>", program, StringComparison.Ordinal);
    }
    [Fact]
    public async Task MiniAppMenuButtonService_ShouldSetTelegramWebAppMenuButtonWhenConfigured()
    {
        var service = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Bot/Infrastructure/Telegram/TelegramMiniAppMenuButtonService.cs"));
        Assert.Contains("SetChatMenuButton", service, StringComparison.Ordinal);
        Assert.Contains("MenuButtonWebApp", service, StringComparison.Ordinal);
        Assert.Contains("Telegram:MiniAppUrl", service, StringComparison.Ordinal);
    }
    private static string FindRepositoryFile(string relativePath)
    {
        var directory = new DirectoryInfo(AppContext.BaseDirectory);
        while (directory is not null)
        {
            var candidate = Path.Combine(directory.FullName, relativePath);
            if (File.Exists(candidate))
            {
                return candidate;
            }
            directory = directory.Parent;
        }
        throw new FileNotFoundException($"Could not locate repository file '{relativePath}'.");
    }
 }
@@ -0,0 +1,104 @@
 namespace GmRelay.Bot.Tests.Web;
 public sealed class MiniAppDashboardTests
 {
    [Fact]
    public async Task MiniAppPage_ShouldExposeTelegramWebAppDashboardEntryPoint()
    {
        var miniAppPage = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Components/Pages/MiniApp.razor"));
        Assert.Contains("@page \"/miniapp\"", miniAppPage, StringComparison.Ordinal);
        Assert.Contains("authenticateTelegramMiniApp", miniAppPage, StringComparison.Ordinal);
        Assert.Contains("/auth/telegram-webapp", miniAppPage, StringComparison.Ordinal);
        Assert.Contains("watchTelegramMiniAppLogin", miniAppPage, StringComparison.Ordinal);
        Assert.Contains("/auth/status", miniAppPage, StringComparison.Ordinal);
        Assert.Contains("miniAppAuthStatus", miniAppPage, StringComparison.Ordinal);
        Assert.Contains("telegram-webapp-missing", miniAppPage, StringComparison.Ordinal);
        Assert.Contains("telegram-init-data-empty", miniAppPage, StringComparison.Ordinal);
        Assert.Contains("telegram-auth-failed", miniAppPage, StringComparison.Ordinal);
    }
    [Fact]
    public async Task AppShell_ShouldLoadTelegramWebAppScriptAndAuthenticator()
    {
        var appShell = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Components/App.razor"));
        Assert.Contains("telegram-web-app.js", appShell, StringComparison.Ordinal);
        Assert.Contains("window.authenticateTelegramMiniApp", appShell, StringComparison.Ordinal);
        Assert.Contains("Telegram.WebApp.initData", appShell, StringComparison.Ordinal);
        Assert.Contains("window.waitForTelegramMiniAppInitData", appShell, StringComparison.Ordinal);
        Assert.Contains("window.watchTelegramMiniAppLogin", appShell, StringComparison.Ordinal);
        Assert.Contains("window.handleTelegramLogin", appShell, StringComparison.Ordinal);
        Assert.Contains("/auth/telegram-login", appShell, StringComparison.Ordinal);
        Assert.Contains("data-onauth", appShell, StringComparison.Ordinal);
        Assert.DoesNotContain("data-auth-url", appShell, StringComparison.Ordinal);
        Assert.Contains("setTimeout(resolve, 100)", appShell, StringComparison.Ordinal);
        Assert.Contains("reloadOnReturn", appShell, StringComparison.Ordinal);
        Assert.Contains("gmRelayMiniAppLoginLeftPage", appShell, StringComparison.Ordinal);
        Assert.Contains("window.location.reload()", appShell, StringComparison.Ordinal);
        Assert.Contains("syncTelegramMiniAppViewport", appShell, StringComparison.Ordinal);
        Assert.Contains("safeAreaChanged", appShell, StringComparison.Ordinal);
        Assert.Contains("contentSafeAreaChanged", appShell, StringComparison.Ordinal);
        Assert.Contains("viewportChanged", appShell, StringComparison.Ordinal);
    }
    [Fact]
    public async Task Program_ShouldMapTelegramWebAppAuthEndpoint()
    {
        var program = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Program.cs"));
        Assert.Contains("MapPost(\"/auth/telegram-webapp\"", program, StringComparison.Ordinal);
        Assert.Contains("MapPost(\"/auth/telegram-login\"", program, StringComparison.Ordinal);
        Assert.Contains("VerifyWebAppInitData", program, StringComparison.Ordinal);
        Assert.Contains("VerifyLoginPayload", program, StringComparison.Ordinal);
        Assert.Contains("MapGet(\"/auth/status\"", program, StringComparison.Ordinal);
        Assert.Contains("authenticated", program, StringComparison.Ordinal);
    }
    [Fact]
    public async Task Styles_ShouldIncludeMiniAppMobileDashboardRules()
    {
        var css = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/wwwroot/app.css"));
        Assert.Contains("mini-app-page", css, StringComparison.Ordinal);
        Assert.Contains("mini-app-auth-card", css, StringComparison.Ordinal);
        Assert.Contains("@media (max-width: 768px)", css, StringComparison.Ordinal);
        Assert.Contains("--tg-safe-area-inset-top", css, StringComparison.Ordinal);
        Assert.Contains("--tg-content-safe-area-inset-top", css, StringComparison.Ordinal);
        Assert.Contains(".telegram-mini-app .nav-header", css, StringComparison.Ordinal);
        Assert.Contains(".telegram-mini-app .nav-toggle", css, StringComparison.Ordinal);
        Assert.Contains(".telegram-mini-app .mini-app-page", css, StringComparison.Ordinal);
    }
    [Fact]
    public async Task LoginPage_ShouldAuthenticateMiniAppFallbackInsideCurrentWebView()
    {
        var loginPage = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Components/Pages/Login.razor"));
        Assert.Contains(
            "JS.InvokeVoidAsync(\"loadTelegramWidget\", BotUsername, \"/auth/telegram-login\")",
            loginPage,
            StringComparison.Ordinal);
        Assert.Contains(
            "JS.InvokeVoidAsync(\"watchTelegramMiniAppLogin\", \"/auth/status\", \"/\", false)",
            loginPage,
            StringComparison.Ordinal);
    }
    private static string FindRepositoryFile(string relativePath)
    {
        var directory = new DirectoryInfo(AppContext.BaseDirectory);
        while (directory is not null)
        {
            var candidate = Path.Combine(directory.FullName, relativePath);
            if (File.Exists(candidate))
            {
                return candidate;
            }
            directory = directory.Parent;
        }
        throw new FileNotFoundException($"Could not locate repository file '{relativePath}'.");
    }
 }
@@ -1,5 +1,6 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
 using GmRelay.Web.Services;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Configuration;
@@ -77,6 +78,183 @@ public sealed class TelegramAuthServiceTests
        Assert.False(verified);
    }
    [Fact]
    public void VerifyWebAppInitData_ShouldAcceptValidTelegramWebAppPayload()
    {
        const string botToken = "test-bot-token";
        var initData = CreateWebAppInitData(
            botToken,
            new Dictionary<string, string>
            {
                ["auth_date"] = DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(),
                ["query_id"] = "AAHdF6IQAAAAAN0XohDhrOrc",
                ["user"] = """{"id":424242,"first_name":"Ada","last_name":"Lovelace","username":"ada"}"""
            });
        var service = new TelegramAuthService(CreateConfiguration(botToken));
        var verified = service.VerifyWebAppInitData(initData, out var telegramId, out var name);
        Assert.True(verified);
        Assert.Equal(424242L, telegramId);
        Assert.Equal("Ada Lovelace", name);
    }
    [Fact]
    public void VerifyWebAppInitData_ShouldRejectTamperedHash()
    {
        const string botToken = "test-bot-token";
        var initData = CreateWebAppInitData(
            botToken,
            new Dictionary<string, string>
            {
                ["auth_date"] = DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(),
                ["user"] = """{"id":424242,"first_name":"Ada"}"""
            });
        var tamperedInitData = initData.Replace("hash=", "hash=00", StringComparison.Ordinal);
        var service = new TelegramAuthService(CreateConfiguration(botToken));
        var verified = service.VerifyWebAppInitData(tamperedInitData, out _, out _);
        Assert.False(verified);
    }
    [Fact]
    public void VerifyWebAppInitData_ShouldRejectExpiredPayload()
    {
        const string botToken = "test-bot-token";
        var initData = CreateWebAppInitData(
            botToken,
            new Dictionary<string, string>
            {
                ["auth_date"] = DateTimeOffset.UtcNow.AddDays(-2).ToUnixTimeSeconds().ToString(),
                ["user"] = """{"id":424242,"first_name":"Ada"}"""
            });
        var service = new TelegramAuthService(CreateConfiguration(botToken));
        var verified = service.VerifyWebAppInitData(initData, out _, out _);
        Assert.False(verified);
    }
    [Fact]
    public void VerifyLoginPayload_ShouldAcceptValidTelegramWidgetCallbackPayload()
    {
        const string botToken = "test-bot-token";
        var authDate = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var values = new Dictionary<string, string>
        {
            ["auth_date"] = authDate.ToString(),
            ["first_name"] = "Ada",
            ["id"] = "424242",
            ["last_name"] = "Lovelace",
            ["photo_url"] = "https://t.me/i/userpic/320/ada.jpg",
            ["username"] = "ada"
        };
        var payload = new TelegramLoginPayload(
            424242,
            "Ada",
            "Lovelace",
            "ada",
            "https://t.me/i/userpic/320/ada.jpg",
            authDate,
            ComputeTelegramHash(botToken, values));
        var service = new TelegramAuthService(CreateConfiguration(botToken));
        var verified = service.VerifyLoginPayload(payload, out var telegramId, out var name);
        Assert.True(verified);
        Assert.Equal(424242L, telegramId);
        Assert.Equal("Ada Lovelace", name);
    }
    [Fact]
    public void VerifyLoginPayload_ShouldRejectTamperedCallbackHash()
    {
        var payload = new TelegramLoginPayload(
            424242,
            "Ada",
            null,
            null,
            null,
            DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
            "00");
        var service = new TelegramAuthService(CreateConfiguration("test-bot-token"));
        var verified = service.VerifyLoginPayload(payload, out _, out _);
        Assert.False(verified);
    }
    [Fact]
    public void VerifyLoginPayload_ShouldRejectExpiredCallbackPayload()
    {
        const string botToken = "test-bot-token";
        var authDate = DateTimeOffset.UtcNow.AddDays(-2).ToUnixTimeSeconds();
        var values = new Dictionary<string, string>
        {
            ["auth_date"] = authDate.ToString(),
            ["first_name"] = "Ada",
            ["id"] = "424242"
        };
        var payload = new TelegramLoginPayload(
            424242,
            "Ada",
            null,
            null,
            null,
            authDate,
            ComputeTelegramHash(botToken, values));
        var service = new TelegramAuthService(CreateConfiguration(botToken));
        var verified = service.VerifyLoginPayload(payload, out _, out _);
        Assert.False(verified);
    }
    [Fact]
    public void VerifyLoginPayload_ShouldRejectMissingRequiredCallbackFields()
    {
        var payload = new TelegramLoginPayload(
            0,
            "",
            null,
            null,
            null,
            DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
            "");
        var service = new TelegramAuthService(CreateConfiguration("test-bot-token"));
        var verified = service.VerifyLoginPayload(payload, out _, out _);
        Assert.False(verified);
    }
    [Fact]
    public void TelegramLoginPayload_ShouldDeserializeTelegramWidgetSnakeCaseJson()
    {
        var payload = JsonSerializer.Deserialize<TelegramLoginPayload>(
            """
            {
              "id": 424242,
              "first_name": "Ada",
              "last_name": "Lovelace",
              "username": "ada",
              "photo_url": "https://t.me/i/userpic/320/ada.jpg",
              "auth_date": 1714300000,
              "hash": "abcdef"
            }
            """);
        Assert.NotNull(payload);
        Assert.Equal(424242L, payload.Id);
        Assert.Equal("Ada", payload.FirstName);
        Assert.Equal("Lovelace", payload.LastName);
        Assert.Equal("ada", payload.Username);
        Assert.Equal("https://t.me/i/userpic/320/ada.jpg", payload.PhotoUrl);
        Assert.Equal(1714300000L, payload.AuthDate);
        Assert.Equal("abcdef", payload.Hash);
    }
    private static IConfiguration CreateConfiguration(string botToken) =>
        new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
@@ -106,4 +284,27 @@ public sealed class TelegramAuthServiceTests
        var hashBytes = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataCheckString));
        return Convert.ToHexString(hashBytes).ToLowerInvariant();
    }
    private static string CreateWebAppInitData(string botToken, IReadOnlyDictionary<string, string> values)
    {
        var hash = ComputeTelegramWebAppHash(botToken, values);
        var encodedPairs = values
            .OrderBy(pair => pair.Key, StringComparer.Ordinal)
            .Select(pair => $"{Uri.EscapeDataString(pair.Key)}={Uri.EscapeDataString(pair.Value)}")
            .Append($"hash={hash}");
        return string.Join("&", encodedPairs);
    }
    private static string ComputeTelegramWebAppHash(string botToken, IReadOnlyDictionary<string, string> values)
    {
        var dataCheckString = string.Join(
            "\n",
            values
                .OrderBy(pair => pair.Key, StringComparer.Ordinal)
                .Select(pair => $"{pair.Key}={pair.Value}"));
        var secretKey = HMACSHA256.HashData(Encoding.UTF8.GetBytes("WebAppData"), Encoding.UTF8.GetBytes(botToken));
        var hashBytes = HMACSHA256.HashData(secretKey, Encoding.UTF8.GetBytes(dataCheckString));
        return Convert.ToHexString(hashBytes).ToLowerInvariant();
    }
 }
@@ -12,6 +12,19 @@ public sealed class WebStylesTests
            css);
    }
    [Fact]
    public async Task AppCss_ShouldReserveTelegramMiniAppSafeAreaForMobileChrome()
    {
        var appCss = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/wwwroot/app.css"));
        Assert.Contains("--gm-tg-safe-top", appCss, StringComparison.Ordinal);
        Assert.Contains("--tg-safe-area-inset-top", appCss, StringComparison.Ordinal);
        Assert.Contains("--tg-content-safe-area-inset-top", appCss, StringComparison.Ordinal);
        Assert.Contains("env(safe-area-inset-top", appCss, StringComparison.Ordinal);
        Assert.Contains(".telegram-mini-app .content", appCss, StringComparison.Ordinal);
        Assert.Contains(".telegram-mini-app .nav-header", appCss, StringComparison.Ordinal);
        Assert.Contains(".telegram-mini-app .nav-toggle", appCss, StringComparison.Ordinal);
    }
    private static string FindRepositoryFile(string relativePath)
    {
        var directory = new DirectoryInfo(AppContext.BaseDirectory);
Author	SHA1	Message	Date
Toutsu	2a76ec0fb8	fix: stabilize mini app login and safe area Deploy Telegram Bot / build-and-push (push) Successful in 3m53s Details Deploy Telegram Bot / deploy (push) Successful in 17s Details	2026-04-28 20:25:18 +03:00
Toutsu	57c8714889	fix: refresh login fallback in mini app Deploy Telegram Bot / build-and-push (push) Successful in 4m11s Details Deploy Telegram Bot / deploy (push) Successful in 12s Details	2026-04-28 17:20:29 +03:00
Toutsu	8220f2060f	fix: refresh mini app login state Deploy Telegram Bot / build-and-push (push) Successful in 4m23s Details Deploy Telegram Bot / deploy (push) Successful in 12s Details	2026-04-28 17:03:53 +03:00
Toutsu	41f2ea6e90	feat: add telegram mini app dashboard Deploy Telegram Bot / build-and-push (push) Successful in 23s Details Deploy Telegram Bot / deploy (push) Successful in 10s Details	2026-04-28 14:56:55 +03:00