pezkuwichain/pezkuwi-telegram-miniapp
1
0
Fork 0
mirror of https://github.com/pezkuwichain/pezkuwi-telegram-miniapp.git synced 2026-04-22 03:07:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: integrate P2P trading into Telegram mini app

Browse Source 
- Add 8 Supabase edge functions for P2P operations (get-internal-balance,
  get-payment-methods, get-p2p-offers, accept-p2p-offer, get-p2p-trades,
  trade-action, p2p-messages, p2p-dispute)
- Add frontend P2P API layer (src/lib/p2p-api.ts)
- Add 8 P2P components (BalanceCard, OfferList, TradeModal, CreateOfferModal,
  TradeView, TradeChat, DisputeModal, P2P section)
- Embed P2P as internal section in App.tsx instead of external link
- Remove old P2PModal component
- Add ~70 P2P translation keys across all 6 languages
This commit is contained in:
Kurdistan Tech Ministry
2026-02-26 18:36:35 +03:00
parent 2fbbce192f
commit 31e768de45
26 changed files with 4938 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files
supabase/functions/accept-p2p-offer/index.ts
+223
View File
@@ -0,0 +1,223 @@
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
import { createHmac } from 'https://deno.land/std@0.177.0/node/crypto.ts';
// CORS - Production domain only
const ALLOWED_ORIGINS = [
'https://telegram.pezkuwichain.io',
'https://telegram.pezkiwi.app',
'https://t.me',
];
function getCorsHeaders(origin: string | null): Record<string, string> {
const allowedOrigin =
origin && ALLOWED_ORIGINS.some((o) => origin.startsWith(o)) ? origin : ALLOWED_ORIGINS[0];
return {
'Access-Control-Allow-Origin': allowedOrigin,
'Access-Control-Allow-Headers':
'authorization, x-client-info, apikey, content-type, x-supabase-client-platform',
'Access-Control-Allow-Methods': 'POST, OPTIONS',
};
}
interface AcceptP2POfferRequest {
sessionToken: string;
offerId: string;
amount: number;
buyerWallet: string;
}
// Session token secret (derived from bot token)
function getSessionSecret(botToken: string): Uint8Array {
return createHmac('sha256', 'SessionTokenSecret').update(botToken).digest();
}
// Verify HMAC-signed session token
function verifySessionToken(token: string, botToken: string): number | null {
try {
const parts = token.split('.');
if (parts.length !== 2) {
// Try legacy format for backwards compatibility
return verifyLegacyToken(token);
}
const [payloadB64, signature] = parts;
// Verify signature
const secret = getSessionSecret(botToken);
const expectedSig = createHmac('sha256', secret).update(payloadB64).digest('hex');
if (signature !== expectedSig) {
return null;
}
// Parse payload
const payload = JSON.parse(atob(payloadB64));
// Check expiration
if (Date.now() > payload.exp) {
return null;
}
return payload.tgId;
} catch {
return null;
}
}
// Legacy token format (Base64 only) - for backwards compatibility
function verifyLegacyToken(token: string): number | null {
try {
const decoded = atob(token);
const [telegramId, timestamp] = decoded.split(':');
const ts = parseInt(timestamp);
// Token valid for 7 days
if (Date.now() - ts > 7 * 24 * 60 * 60 * 1000) {
return null;
}
return parseInt(telegramId);
} catch {
return null;
}
}
serve(async (req) => {
const origin = req.headers.get('origin');
const corsHeaders = getCorsHeaders(origin);
// Handle CORS
if (req.method === 'OPTIONS') {
return new Response('ok', { headers: corsHeaders });
}
try {
const body: AcceptP2POfferRequest = await req.json();
const { sessionToken, offerId, amount, buyerWallet } = body;
// Get bot token for session verification
const botToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
if (!botToken) {
return new Response(JSON.stringify({ error: 'Server configuration error' }), {
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate session token
if (!sessionToken) {
return new Response(JSON.stringify({ error: 'Missing session token' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const telegramId = verifySessionToken(sessionToken, botToken);
if (!telegramId) {
return new Response(JSON.stringify({ error: 'Invalid or expired session' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate required fields
if (!offerId || !amount || !buyerWallet) {
return new Response(JSON.stringify({ error: 'Missing required fields: offerId, amount, buyerWallet' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
if (amount <= 0) {
return new Response(JSON.stringify({ error: 'Amount must be greater than 0' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Create Supabase admin client (bypasses RLS)
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey);
// Get auth user ID for this telegram user
const telegramEmail = `telegram_${telegramId}@pezkuwichain.io`;
const {
data: { users: authUsers },
} = await supabase.auth.admin.listUsers();
const authUser = authUsers?.find((u) => u.email === telegramEmail);
if (!authUser) {
return new Response(JSON.stringify({ error: 'User not found. Please authenticate first.' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const userId = authUser.id;
// Call the accept_p2p_offer RPC function
const { data: rpcResult, error: rpcError } = await supabase.rpc('accept_p2p_offer', {
p_offer_id: offerId,
p_buyer_id: userId,
p_buyer_wallet: buyerWallet,
p_amount: amount,
});
if (rpcError) {
console.error('Accept offer RPC error:', rpcError);
return new Response(
JSON.stringify({ error: 'Failed to accept offer: ' + rpcError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Parse the JSON result
const result = typeof rpcResult === 'string' ? JSON.parse(rpcResult) : rpcResult;
if (!result.success) {
return new Response(
JSON.stringify({ error: result.error || 'Failed to accept offer' }),
{
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Log to p2p_audit_log
await supabase.from('p2p_audit_log').insert({
user_id: userId,
action: 'accept_offer',
entity_type: 'trade',
entity_id: result.trade_id,
details: {
offer_id: offerId,
amount,
buyer_wallet: buyerWallet,
},
});
return new Response(
JSON.stringify({
success: true,
tradeId: result.trade_id,
trade: result.trade || result,
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
} catch (error) {
console.error('Error:', error);
const origin = req.headers.get('origin');
return new Response(
JSON.stringify({ error: error instanceof Error ? error.message : 'Internal server error' }),
{
status: 500,
headers: { ...getCorsHeaders(origin), 'Content-Type': 'application/json' },
}
);
}
});
supabase/functions/get-internal-balance/index.ts
+182
View File
@@ -0,0 +1,182 @@
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
import { createHmac } from 'https://deno.land/std@0.177.0/node/crypto.ts';
// CORS - Production domain only
const ALLOWED_ORIGINS = [
'https://telegram.pezkuwichain.io',
'https://telegram.pezkiwi.app',
'https://t.me',
];
function getCorsHeaders(origin: string | null): Record<string, string> {
const allowedOrigin =
origin && ALLOWED_ORIGINS.some((o) => origin.startsWith(o)) ? origin : ALLOWED_ORIGINS[0];
return {
'Access-Control-Allow-Origin': allowedOrigin,
'Access-Control-Allow-Headers':
'authorization, x-client-info, apikey, content-type, x-supabase-client-platform',
'Access-Control-Allow-Methods': 'POST, OPTIONS',
};
}
interface GetInternalBalanceRequest {
sessionToken: string;
}
// Session token secret (derived from bot token)
function getSessionSecret(botToken: string): Uint8Array {
return createHmac('sha256', 'SessionTokenSecret').update(botToken).digest();
}
// Verify HMAC-signed session token
function verifySessionToken(token: string, botToken: string): number | null {
try {
const parts = token.split('.');
if (parts.length !== 2) {
// Try legacy format for backwards compatibility
return verifyLegacyToken(token);
}
const [payloadB64, signature] = parts;
// Verify signature
const secret = getSessionSecret(botToken);
const expectedSig = createHmac('sha256', secret).update(payloadB64).digest('hex');
if (signature !== expectedSig) {
return null;
}
// Parse payload
const payload = JSON.parse(atob(payloadB64));
// Check expiration
if (Date.now() > payload.exp) {
return null;
}
return payload.tgId;
} catch {
return null;
}
}
// Legacy token format (Base64 only) - for backwards compatibility
function verifyLegacyToken(token: string): number | null {
try {
const decoded = atob(token);
const [telegramId, timestamp] = decoded.split(':');
const ts = parseInt(timestamp);
// Token valid for 7 days
if (Date.now() - ts > 7 * 24 * 60 * 60 * 1000) {
return null;
}
return parseInt(telegramId);
} catch {
return null;
}
}
serve(async (req) => {
const origin = req.headers.get('origin');
const corsHeaders = getCorsHeaders(origin);
// Handle CORS
if (req.method === 'OPTIONS') {
return new Response('ok', { headers: corsHeaders });
}
try {
const body: GetInternalBalanceRequest = await req.json();
const { sessionToken } = body;
// Get bot token for session verification
const botToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
if (!botToken) {
return new Response(JSON.stringify({ error: 'Server configuration error' }), {
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate session token
if (!sessionToken) {
return new Response(JSON.stringify({ error: 'Missing session token' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const telegramId = verifySessionToken(sessionToken, botToken);
if (!telegramId) {
return new Response(JSON.stringify({ error: 'Invalid or expired session' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Create Supabase admin client (bypasses RLS)
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey);
// Get auth user ID for this telegram user
const telegramEmail = `telegram_${telegramId}@pezkuwichain.io`;
const {
data: { users: authUsers },
} = await supabase.auth.admin.listUsers();
const authUser = authUsers?.find((u) => u.email === telegramEmail);
if (!authUser) {
return new Response(JSON.stringify({ error: 'User not found. Please authenticate first.' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const userId = authUser.id;
// Query user_internal_balances for this user
const { data: balances, error: balanceError } = await supabase
.from('user_internal_balances')
.select('token, available_balance, locked_balance')
.eq('user_id', userId);
if (balanceError) {
console.error('Balance query error:', balanceError);
return new Response(
JSON.stringify({ error: 'Failed to fetch balances: ' + balanceError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Add computed total field
const enrichedBalances = (balances || []).map((b: { token: string; available_balance: number; locked_balance: number }) => ({
...b,
total: Number(b.available_balance) + Number(b.locked_balance),
}));
return new Response(
JSON.stringify({
success: true,
balances: enrichedBalances,
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
} catch (error) {
console.error('Error:', error);
const origin = req.headers.get('origin');
return new Response(
JSON.stringify({ error: error instanceof Error ? error.message : 'Internal server error' }),
{
status: 500,
headers: { ...getCorsHeaders(origin), 'Content-Type': 'application/json' },
}
);
}
});
supabase/functions/get-p2p-offers/index.ts
+268
View File
@@ -0,0 +1,268 @@
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
import { createHmac } from 'https://deno.land/std@0.177.0/node/crypto.ts';
// CORS - Production domain only
const ALLOWED_ORIGINS = [
'https://telegram.pezkuwichain.io',
'https://telegram.pezkiwi.app',
'https://t.me',
];
function getCorsHeaders(origin: string | null): Record<string, string> {
const allowedOrigin =
origin && ALLOWED_ORIGINS.some((o) => origin.startsWith(o)) ? origin : ALLOWED_ORIGINS[0];
return {
'Access-Control-Allow-Origin': allowedOrigin,
'Access-Control-Allow-Headers':
'authorization, x-client-info, apikey, content-type, x-supabase-client-platform',
'Access-Control-Allow-Methods': 'POST, OPTIONS',
};
}
interface GetP2POffersRequest {
sessionToken: string;
adType?: 'buy' | 'sell';
token?: 'HEZ' | 'PEZ';
fiatCurrency?: string;
page?: number;
limit?: number;
}
// Session token secret (derived from bot token)
function getSessionSecret(botToken: string): Uint8Array {
return createHmac('sha256', 'SessionTokenSecret').update(botToken).digest();
}
// Verify HMAC-signed session token
function verifySessionToken(token: string, botToken: string): number | null {
try {
const parts = token.split('.');
if (parts.length !== 2) {
// Try legacy format for backwards compatibility
return verifyLegacyToken(token);
}
const [payloadB64, signature] = parts;
// Verify signature
const secret = getSessionSecret(botToken);
const expectedSig = createHmac('sha256', secret).update(payloadB64).digest('hex');
if (signature !== expectedSig) {
return null;
}
// Parse payload
const payload = JSON.parse(atob(payloadB64));
// Check expiration
if (Date.now() > payload.exp) {
return null;
}
return payload.tgId;
} catch {
return null;
}
}
// Legacy token format (Base64 only) - for backwards compatibility
function verifyLegacyToken(token: string): number | null {
try {
const decoded = atob(token);
const [telegramId, timestamp] = decoded.split(':');
const ts = parseInt(timestamp);
// Token valid for 7 days
if (Date.now() - ts > 7 * 24 * 60 * 60 * 1000) {
return null;
}
return parseInt(telegramId);
} catch {
return null;
}
}
serve(async (req) => {
const origin = req.headers.get('origin');
const corsHeaders = getCorsHeaders(origin);
// Handle CORS
if (req.method === 'OPTIONS') {
return new Response('ok', { headers: corsHeaders });
}
try {
const body: GetP2POffersRequest = await req.json();
const {
sessionToken,
adType,
token,
fiatCurrency,
page = 1,
limit = 20,
} = body;
// Get bot token for session verification
const botToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
if (!botToken) {
return new Response(JSON.stringify({ error: 'Server configuration error' }), {
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate session token
if (!sessionToken) {
return new Response(JSON.stringify({ error: 'Missing session token' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const telegramId = verifySessionToken(sessionToken, botToken);
if (!telegramId) {
return new Response(JSON.stringify({ error: 'Invalid or expired session' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Create Supabase admin client (bypasses RLS)
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey);
// Get auth user ID for this telegram user
const telegramEmail = `telegram_${telegramId}@pezkuwichain.io`;
const {
data: { users: authUsers },
} = await supabase.auth.admin.listUsers();
const authUser = authUsers?.find((u) => u.email === telegramEmail);
if (!authUser) {
return new Response(JSON.stringify({ error: 'User not found. Please authenticate first.' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const userId = authUser.id;
// Calculate pagination
const safePage = Math.max(1, page);
const safeLimit = Math.min(Math.max(1, limit), 100);
const offset = (safePage - 1) * safeLimit;
// Build query for p2p_fiat_offers
let query = supabase
.from('p2p_fiat_offers')
.select('*', { count: 'exact' })
.eq('status', 'open')
.gt('remaining_amount', 0)
.gt('expires_at', new Date().toISOString())
.neq('seller_id', userId)
.order('created_at', { ascending: false })
.range(offset, offset + safeLimit - 1);
// Apply optional filters
if (adType) {
query = query.eq('ad_type', adType);
}
if (token) {
query = query.eq('token', token);
}
if (fiatCurrency) {
query = query.eq('fiat_currency', fiatCurrency);
}
const { data: offers, error: offersError, count } = await query;
if (offersError) {
console.error('Offers query error:', offersError);
return new Response(
JSON.stringify({ error: 'Failed to fetch offers: ' + offersError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
if (!offers || offers.length === 0) {
return new Response(
JSON.stringify({
success: true,
offers: [],
total: 0,
page: safePage,
limit: safeLimit,
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// Collect unique payment method IDs and seller IDs
const paymentMethodIds = [...new Set(offers.map((o) => o.payment_method_id).filter(Boolean))];
const sellerIds = [...new Set(offers.map((o) => o.seller_id).filter(Boolean))];
// Fetch payment method names in a separate query
let paymentMethodMap: Record<string, string> = {};
if (paymentMethodIds.length > 0) {
const { data: paymentMethods } = await supabase
.from('payment_methods')
.select('id, method_name')
.in('id', paymentMethodIds);
if (paymentMethods) {
paymentMethodMap = Object.fromEntries(
paymentMethods.map((pm) => [pm.id, pm.method_name])
);
}
}
// Fetch seller reputation data in a separate query
let reputationMap: Record<string, any> = {};
if (sellerIds.length > 0) {
const { data: reputations } = await supabase
.from('p2p_reputation')
.select('user_id, total_trades, completed_trades, reputation_score, trust_level, avg_confirmation_time_minutes')
.in('user_id', sellerIds);
if (reputations) {
reputationMap = Object.fromEntries(
reputations.map((r) => [r.user_id, r])
);
}
}
// Enrich offers with payment method name and seller reputation
const enrichedOffers = offers.map((offer) => ({
...offer,
payment_method_name: paymentMethodMap[offer.payment_method_id] || null,
seller_reputation: reputationMap[offer.seller_id] || null,
}));
return new Response(
JSON.stringify({
success: true,
offers: enrichedOffers,
total: count || 0,
page: safePage,
limit: safeLimit,
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
} catch (error) {
console.error('Error:', error);
const origin = req.headers.get('origin');
return new Response(
JSON.stringify({ error: error instanceof Error ? error.message : 'Internal server error' }),
{
status: 500,
headers: { ...getCorsHeaders(origin), 'Content-Type': 'application/json' },
}
);
}
});
supabase/functions/get-p2p-trades/index.ts
+212
View File
@@ -0,0 +1,212 @@
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
import { createHmac } from 'https://deno.land/std@0.177.0/node/crypto.ts';
// CORS - Production domain only
const ALLOWED_ORIGINS = [
'https://telegram.pezkuwichain.io',
'https://telegram.pezkiwi.app',
'https://t.me',
];
function getCorsHeaders(origin: string | null): Record<string, string> {
const allowedOrigin =
origin && ALLOWED_ORIGINS.some((o) => origin.startsWith(o)) ? origin : ALLOWED_ORIGINS[0];
return {
'Access-Control-Allow-Origin': allowedOrigin,
'Access-Control-Allow-Headers':
'authorization, x-client-info, apikey, content-type, x-supabase-client-platform',
'Access-Control-Allow-Methods': 'POST, OPTIONS',
};
}
interface GetP2PTradesRequest {
sessionToken: string;
status?: 'active' | 'completed' | 'all';
}
// Session token secret (derived from bot token)
function getSessionSecret(botToken: string): Uint8Array {
return createHmac('sha256', 'SessionTokenSecret').update(botToken).digest();
}
// Verify HMAC-signed session token
function verifySessionToken(token: string, botToken: string): number | null {
try {
const parts = token.split('.');
if (parts.length !== 2) {
// Try legacy format for backwards compatibility
return verifyLegacyToken(token);
}
const [payloadB64, signature] = parts;
// Verify signature
const secret = getSessionSecret(botToken);
const expectedSig = createHmac('sha256', secret).update(payloadB64).digest('hex');
if (signature !== expectedSig) {
return null;
}
// Parse payload
const payload = JSON.parse(atob(payloadB64));
// Check expiration
if (Date.now() > payload.exp) {
return null;
}
return payload.tgId;
} catch {
return null;
}
}
// Legacy token format (Base64 only) - for backwards compatibility
function verifyLegacyToken(token: string): number | null {
try {
const decoded = atob(token);
const [telegramId, timestamp] = decoded.split(':');
const ts = parseInt(timestamp);
// Token valid for 7 days
if (Date.now() - ts > 7 * 24 * 60 * 60 * 1000) {
return null;
}
return parseInt(telegramId);
} catch {
return null;
}
}
serve(async (req) => {
const origin = req.headers.get('origin');
const corsHeaders = getCorsHeaders(origin);
// Handle CORS
if (req.method === 'OPTIONS') {
return new Response('ok', { headers: corsHeaders });
}
try {
const body: GetP2PTradesRequest = await req.json();
const { sessionToken, status } = body;
// Get bot token for session verification
const botToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
if (!botToken) {
return new Response(JSON.stringify({ error: 'Server configuration error' }), {
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate session token
if (!sessionToken) {
return new Response(JSON.stringify({ error: 'Missing session token' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const telegramId = verifySessionToken(sessionToken, botToken);
if (!telegramId) {
return new Response(JSON.stringify({ error: 'Invalid or expired session' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Create Supabase admin client (bypasses RLS)
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey);
// Get auth user ID for this telegram user
const telegramEmail = `telegram_${telegramId}@pezkuwichain.io`;
const {
data: { users: authUsers },
} = await supabase.auth.admin.listUsers();
const authUser = authUsers?.find((u) => u.email === telegramEmail);
if (!authUser) {
return new Response(JSON.stringify({ error: 'User not found. Please authenticate first.' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const userId = authUser.id;
// Build query: trades where user is seller OR buyer
let query = supabase
.from('p2p_fiat_trades')
.select('*')
.or(`seller_id.eq.${userId},buyer_id.eq.${userId}`)
.order('created_at', { ascending: false });
// Apply status filter
if (status === 'active') {
query = query.in('status', ['pending', 'payment_sent', 'disputed']);
} else if (status === 'completed') {
query = query.in('status', ['completed', 'cancelled', 'refunded']);
}
// 'all' or not provided: no additional filter
const { data: trades, error: tradesError } = await query;
if (tradesError) {
console.error('Fetch trades error:', tradesError);
return new Response(
JSON.stringify({ error: 'Failed to fetch trades: ' + tradesError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Fetch offer details for each trade
const offerIds = [...new Set((trades || []).map((t) => t.offer_id).filter(Boolean))];
let offersMap: Record<string, { token: string; fiat_currency: string; ad_type: string }> = {};
if (offerIds.length > 0) {
const { data: offers, error: offersError } = await supabase
.from('p2p_fiat_offers')
.select('id, token, fiat_currency, ad_type')
.in('id', offerIds);
if (!offersError && offers) {
offersMap = Object.fromEntries(
offers.map((o) => [o.id, { token: o.token, fiat_currency: o.fiat_currency, ad_type: o.ad_type }])
);
}
}
// Enrich trades with offer details
const enrichedTrades = (trades || []).map((trade) => ({
...trade,
offer: trade.offer_id ? offersMap[trade.offer_id] || null : null,
}));
return new Response(
JSON.stringify({
success: true,
trades: enrichedTrades,
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
} catch (error) {
console.error('Error:', error);
const origin = req.headers.get('origin');
return new Response(
JSON.stringify({ error: error instanceof Error ? error.message : 'Internal server error' }),
{
status: 500,
headers: { ...getCorsHeaders(origin), 'Content-Type': 'application/json' },
}
);
}
});
supabase/functions/get-payment-methods/index.ts
+185
View File
@@ -0,0 +1,185 @@
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
import { createHmac } from 'https://deno.land/std@0.177.0/node/crypto.ts';
// CORS - Production domain only
const ALLOWED_ORIGINS = [
'https://telegram.pezkuwichain.io',
'https://telegram.pezkiwi.app',
'https://t.me',
];
function getCorsHeaders(origin: string | null): Record<string, string> {
const allowedOrigin =
origin && ALLOWED_ORIGINS.some((o) => origin.startsWith(o)) ? origin : ALLOWED_ORIGINS[0];
return {
'Access-Control-Allow-Origin': allowedOrigin,
'Access-Control-Allow-Headers':
'authorization, x-client-info, apikey, content-type, x-supabase-client-platform',
'Access-Control-Allow-Methods': 'POST, OPTIONS',
};
}
interface GetPaymentMethodsRequest {
sessionToken: string;
currency?: string;
}
// Session token secret (derived from bot token)
function getSessionSecret(botToken: string): Uint8Array {
return createHmac('sha256', 'SessionTokenSecret').update(botToken).digest();
}
// Verify HMAC-signed session token
function verifySessionToken(token: string, botToken: string): number | null {
try {
const parts = token.split('.');
if (parts.length !== 2) {
// Try legacy format for backwards compatibility
return verifyLegacyToken(token);
}
const [payloadB64, signature] = parts;
// Verify signature
const secret = getSessionSecret(botToken);
const expectedSig = createHmac('sha256', secret).update(payloadB64).digest('hex');
if (signature !== expectedSig) {
return null;
}
// Parse payload
const payload = JSON.parse(atob(payloadB64));
// Check expiration
if (Date.now() > payload.exp) {
return null;
}
return payload.tgId;
} catch {
return null;
}
}
// Legacy token format (Base64 only) - for backwards compatibility
function verifyLegacyToken(token: string): number | null {
try {
const decoded = atob(token);
const [telegramId, timestamp] = decoded.split(':');
const ts = parseInt(timestamp);
// Token valid for 7 days
if (Date.now() - ts > 7 * 24 * 60 * 60 * 1000) {
return null;
}
return parseInt(telegramId);
} catch {
return null;
}
}
serve(async (req) => {
const origin = req.headers.get('origin');
const corsHeaders = getCorsHeaders(origin);
// Handle CORS
if (req.method === 'OPTIONS') {
return new Response('ok', { headers: corsHeaders });
}
try {
const body: GetPaymentMethodsRequest = await req.json();
const { sessionToken, currency } = body;
// Get bot token for session verification
const botToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
if (!botToken) {
return new Response(JSON.stringify({ error: 'Server configuration error' }), {
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate session token
if (!sessionToken) {
return new Response(JSON.stringify({ error: 'Missing session token' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const telegramId = verifySessionToken(sessionToken, botToken);
if (!telegramId) {
return new Response(JSON.stringify({ error: 'Invalid or expired session' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Create Supabase admin client (bypasses RLS)
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey);
// Get auth user ID for this telegram user
const telegramEmail = `telegram_${telegramId}@pezkuwichain.io`;
const {
data: { users: authUsers },
} = await supabase.auth.admin.listUsers();
const authUser = authUsers?.find((u) => u.email === telegramEmail);
if (!authUser) {
return new Response(JSON.stringify({ error: 'User not found. Please authenticate first.' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Build query for payment_methods
let query = supabase
.from('payment_methods')
.select(
'id, currency, country, method_name, method_type, logo_url, fields, min_trade_amount, max_trade_amount, processing_time_minutes'
)
.eq('is_active', true)
.order('display_order', { ascending: true });
// Apply optional currency filter
if (currency) {
query = query.eq('currency', currency);
}
const { data: methods, error: methodsError } = await query;
if (methodsError) {
console.error('Payment methods query error:', methodsError);
return new Response(
JSON.stringify({ error: 'Failed to fetch payment methods: ' + methodsError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
return new Response(
JSON.stringify({
success: true,
methods: methods || [],
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
} catch (error) {
console.error('Error:', error);
const origin = req.headers.get('origin');
return new Response(
JSON.stringify({ error: error instanceof Error ? error.message : 'Internal server error' }),
{
status: 500,
headers: { ...getCorsHeaders(origin), 'Content-Type': 'application/json' },
}
);
}
});
supabase/functions/p2p-dispute/index.ts
+385
View File
@@ -0,0 +1,385 @@
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
import { createHmac } from 'https://deno.land/std@0.177.0/node/crypto.ts';
// CORS - Production domain only
const ALLOWED_ORIGINS = [
'https://telegram.pezkuwichain.io',
'https://telegram.pezkiwi.app',
'https://t.me',
];
function getCorsHeaders(origin: string | null): Record<string, string> {
const allowedOrigin =
origin && ALLOWED_ORIGINS.some((o) => origin.startsWith(o)) ? origin : ALLOWED_ORIGINS[0];
return {
'Access-Control-Allow-Origin': allowedOrigin,
'Access-Control-Allow-Headers':
'authorization, x-client-info, apikey, content-type, x-supabase-client-platform',
'Access-Control-Allow-Methods': 'POST, OPTIONS',
};
}
interface P2PDisputeRequest {
sessionToken: string;
action: 'open' | 'add_evidence';
tradeId: string;
reason?: string;
category?: 'payment_not_received' | 'wrong_amount' | 'fake_payment_proof' | 'other';
evidenceUrl?: string;
evidenceType?: 'screenshot' | 'receipt' | 'bank_statement' | 'chat_log' | 'transaction_proof' | 'other';
description?: string;
}
// Session token secret (derived from bot token)
function getSessionSecret(botToken: string): Uint8Array {
return createHmac('sha256', 'SessionTokenSecret').update(botToken).digest();
}
// Verify HMAC-signed session token
function verifySessionToken(token: string, botToken: string): number | null {
try {
const parts = token.split('.');
if (parts.length !== 2) {
// Try legacy format for backwards compatibility
return verifyLegacyToken(token);
}
const [payloadB64, signature] = parts;
// Verify signature
const secret = getSessionSecret(botToken);
const expectedSig = createHmac('sha256', secret).update(payloadB64).digest('hex');
if (signature !== expectedSig) {
return null;
}
// Parse payload
const payload = JSON.parse(atob(payloadB64));
// Check expiration
if (Date.now() > payload.exp) {
return null;
}
return payload.tgId;
} catch {
return null;
}
}
// Legacy token format (Base64 only) - for backwards compatibility
function verifyLegacyToken(token: string): number | null {
try {
const decoded = atob(token);
const [telegramId, timestamp] = decoded.split(':');
const ts = parseInt(timestamp);
// Token valid for 7 days
if (Date.now() - ts > 7 * 24 * 60 * 60 * 1000) {
return null;
}
return parseInt(telegramId);
} catch {
return null;
}
}
serve(async (req) => {
const origin = req.headers.get('origin');
const corsHeaders = getCorsHeaders(origin);
// Handle CORS
if (req.method === 'OPTIONS') {
return new Response('ok', { headers: corsHeaders });
}
try {
const body: P2PDisputeRequest = await req.json();
const { sessionToken, action, tradeId, reason, category, evidenceUrl, evidenceType, description } = body;
// Get bot token for session verification
const botToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
if (!botToken) {
return new Response(JSON.stringify({ error: 'Server configuration error' }), {
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate session token
if (!sessionToken) {
return new Response(JSON.stringify({ error: 'Missing session token' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const telegramId = verifySessionToken(sessionToken, botToken);
if (!telegramId) {
return new Response(JSON.stringify({ error: 'Invalid or expired session' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate required fields
if (!action || !tradeId) {
return new Response(JSON.stringify({ error: 'Missing required fields: action, tradeId' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
if (!['open', 'add_evidence'].includes(action)) {
return new Response(JSON.stringify({ error: 'Invalid action. Must be "open" or "add_evidence"' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Create Supabase admin client (bypasses RLS)
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey);
// Get auth user ID for this telegram user
const telegramEmail = `telegram_${telegramId}@pezkuwichain.io`;
const {
data: { users: authUsers },
} = await supabase.auth.admin.listUsers();
const authUser = authUsers?.find((u) => u.email === telegramEmail);
if (!authUser) {
return new Response(JSON.stringify({ error: 'User not found. Please authenticate first.' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const userId = authUser.id;
// Verify user is a party to this trade
const { data: trade, error: tradeError } = await supabase
.from('p2p_fiat_trades')
.select('*')
.eq('id', tradeId)
.single();
if (tradeError || !trade) {
return new Response(JSON.stringify({ error: 'Trade not found' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
if (trade.seller_id !== userId && trade.buyer_id !== userId) {
return new Response(JSON.stringify({ error: 'You are not a party to this trade' }), {
status: 403,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// ==================== OPEN DISPUTE ====================
if (action === 'open') {
// Trade must be in active status to dispute
if (!['pending', 'payment_sent'].includes(trade.status)) {
return new Response(JSON.stringify({ error: `Cannot open dispute: trade status is '${trade.status}', must be 'pending' or 'payment_sent'` }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate category
const validCategories = ['payment_not_received', 'wrong_amount', 'fake_payment_proof', 'other'];
const disputeCategory = category || 'other';
if (!validCategories.includes(disputeCategory)) {
return new Response(JSON.stringify({ error: `Invalid category. Must be one of: ${validCategories.join(', ')}` }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const disputeReason = reason || 'No reason provided';
// Check if there's already an open dispute for this trade
const { data: existingDispute } = await supabase
.from('p2p_fiat_disputes')
.select('id')
.eq('trade_id', tradeId)
.in('status', ['open', 'under_review'])
.single();
if (existingDispute) {
return new Response(JSON.stringify({ error: 'A dispute is already open for this trade' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Insert dispute record
const { data: dispute, error: disputeError } = await supabase
.from('p2p_fiat_disputes')
.insert({
trade_id: tradeId,
opened_by: userId,
reason: disputeReason,
category: disputeCategory,
status: 'open',
})
.select()
.single();
if (disputeError) {
console.error('Create dispute error:', disputeError);
return new Response(
JSON.stringify({ error: 'Failed to create dispute: ' + disputeError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Update trade status to disputed
const now = new Date().toISOString();
const { error: updateError } = await supabase
.from('p2p_fiat_trades')
.update({
status: 'disputed',
dispute_reason: disputeReason,
dispute_opened_at: now,
dispute_opened_by: userId,
})
.eq('id', tradeId);
if (updateError) {
console.error('Update trade dispute status error:', updateError);
// Dispute was created but trade status update failed - log warning but don't fail
}
// Log to audit
await supabase.from('p2p_audit_log').insert({
user_id: userId,
action: 'open_dispute',
entity_type: 'trade',
entity_id: tradeId,
details: {
dispute_id: dispute.id,
reason: disputeReason,
category: disputeCategory,
previous_status: trade.status,
},
});
return new Response(
JSON.stringify({
success: true,
dispute,
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// ==================== ADD EVIDENCE ====================
if (action === 'add_evidence') {
// Validate evidence fields
if (!evidenceUrl) {
return new Response(JSON.stringify({ error: 'Missing required field: evidenceUrl' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const validEvidenceTypes = ['screenshot', 'receipt', 'bank_statement', 'chat_log', 'transaction_proof', 'other'];
const evType = evidenceType || 'other';
if (!validEvidenceTypes.includes(evType)) {
return new Response(JSON.stringify({ error: `Invalid evidence type. Must be one of: ${validEvidenceTypes.join(', ')}` }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Find the dispute for this trade
const { data: dispute, error: disputeError } = await supabase
.from('p2p_fiat_disputes')
.select('id, status')
.eq('trade_id', tradeId)
.in('status', ['open', 'under_review'])
.single();
if (disputeError || !dispute) {
return new Response(JSON.stringify({ error: 'No active dispute found for this trade' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Insert evidence
const { data: evidence, error: evidenceError } = await supabase
.from('p2p_dispute_evidence')
.insert({
dispute_id: dispute.id,
uploaded_by: userId,
evidence_type: evType,
file_url: evidenceUrl,
description: description || null,
})
.select()
.single();
if (evidenceError) {
console.error('Add evidence error:', evidenceError);
return new Response(
JSON.stringify({ error: 'Failed to add evidence: ' + evidenceError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Log to audit
await supabase.from('p2p_audit_log').insert({
user_id: userId,
action: 'add_dispute_evidence',
entity_type: 'dispute',
entity_id: dispute.id,
details: {
trade_id: tradeId,
evidence_id: evidence.id,
evidence_type: evType,
},
});
return new Response(
JSON.stringify({
success: true,
dispute: {
id: dispute.id,
status: dispute.status,
evidence,
},
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// Should not reach here
return new Response(JSON.stringify({ error: 'Invalid action' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
} catch (error) {
console.error('Error:', error);
const origin = req.headers.get('origin');
return new Response(
JSON.stringify({ error: error instanceof Error ? error.message : 'Internal server error' }),
{
status: 500,
headers: { ...getCorsHeaders(origin), 'Content-Type': 'application/json' },
}
);
}
});
supabase/functions/p2p-messages/index.ts
+278
View File
@@ -0,0 +1,278 @@
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
import { createHmac } from 'https://deno.land/std@0.177.0/node/crypto.ts';
// CORS - Production domain only
const ALLOWED_ORIGINS = [
'https://telegram.pezkuwichain.io',
'https://telegram.pezkiwi.app',
'https://t.me',
];
function getCorsHeaders(origin: string | null): Record<string, string> {
const allowedOrigin =
origin && ALLOWED_ORIGINS.some((o) => origin.startsWith(o)) ? origin : ALLOWED_ORIGINS[0];
return {
'Access-Control-Allow-Origin': allowedOrigin,
'Access-Control-Allow-Headers':
'authorization, x-client-info, apikey, content-type, x-supabase-client-platform',
'Access-Control-Allow-Methods': 'POST, OPTIONS',
};
}
interface P2PMessagesRequest {
sessionToken: string;
action: 'send' | 'list';
tradeId: string;
message?: string;
}
// Session token secret (derived from bot token)
function getSessionSecret(botToken: string): Uint8Array {
return createHmac('sha256', 'SessionTokenSecret').update(botToken).digest();
}
// Verify HMAC-signed session token
function verifySessionToken(token: string, botToken: string): number | null {
try {
const parts = token.split('.');
if (parts.length !== 2) {
// Try legacy format for backwards compatibility
return verifyLegacyToken(token);
}
const [payloadB64, signature] = parts;
// Verify signature
const secret = getSessionSecret(botToken);
const expectedSig = createHmac('sha256', secret).update(payloadB64).digest('hex');
if (signature !== expectedSig) {
return null;
}
// Parse payload
const payload = JSON.parse(atob(payloadB64));
// Check expiration
if (Date.now() > payload.exp) {
return null;
}
return payload.tgId;
} catch {
return null;
}
}
// Legacy token format (Base64 only) - for backwards compatibility
function verifyLegacyToken(token: string): number | null {
try {
const decoded = atob(token);
const [telegramId, timestamp] = decoded.split(':');
const ts = parseInt(timestamp);
// Token valid for 7 days
if (Date.now() - ts > 7 * 24 * 60 * 60 * 1000) {
return null;
}
return parseInt(telegramId);
} catch {
return null;
}
}
serve(async (req) => {
const origin = req.headers.get('origin');
const corsHeaders = getCorsHeaders(origin);
// Handle CORS
if (req.method === 'OPTIONS') {
return new Response('ok', { headers: corsHeaders });
}
try {
const body: P2PMessagesRequest = await req.json();
const { sessionToken, action, tradeId, message } = body;
// Get bot token for session verification
const botToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
if (!botToken) {
return new Response(JSON.stringify({ error: 'Server configuration error' }), {
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate session token
if (!sessionToken) {
return new Response(JSON.stringify({ error: 'Missing session token' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const telegramId = verifySessionToken(sessionToken, botToken);
if (!telegramId) {
return new Response(JSON.stringify({ error: 'Invalid or expired session' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate required fields
if (!action || !tradeId) {
return new Response(JSON.stringify({ error: 'Missing required fields: action, tradeId' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
if (!['send', 'list'].includes(action)) {
return new Response(JSON.stringify({ error: 'Invalid action. Must be "send" or "list"' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Create Supabase admin client (bypasses RLS)
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey);
// Get auth user ID for this telegram user
const telegramEmail = `telegram_${telegramId}@pezkuwichain.io`;
const {
data: { users: authUsers },
} = await supabase.auth.admin.listUsers();
const authUser = authUsers?.find((u) => u.email === telegramEmail);
if (!authUser) {
return new Response(JSON.stringify({ error: 'User not found. Please authenticate first.' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const userId = authUser.id;
// Verify user is a party to this trade
const { data: trade, error: tradeError } = await supabase
.from('p2p_fiat_trades')
.select('seller_id, buyer_id')
.eq('id', tradeId)
.single();
if (tradeError || !trade) {
return new Response(JSON.stringify({ error: 'Trade not found' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
if (trade.seller_id !== userId && trade.buyer_id !== userId) {
return new Response(JSON.stringify({ error: 'You are not a party to this trade' }), {
status: 403,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// ==================== SEND ====================
if (action === 'send') {
if (!message || message.trim().length === 0) {
return new Response(JSON.stringify({ error: 'Message cannot be empty' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const { data: newMessage, error: insertError } = await supabase
.from('p2p_messages')
.insert({
trade_id: tradeId,
sender_id: userId,
message: message.trim(),
message_type: 'text',
})
.select()
.single();
if (insertError) {
console.error('Send message error:', insertError);
return new Response(
JSON.stringify({ error: 'Failed to send message: ' + insertError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
return new Response(
JSON.stringify({
success: true,
messageId: newMessage.id,
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// ==================== LIST ====================
if (action === 'list') {
// Fetch all messages for this trade ordered by created_at ASC
const { data: messages, error: messagesError } = await supabase
.from('p2p_messages')
.select('*')
.eq('trade_id', tradeId)
.order('created_at', { ascending: true });
if (messagesError) {
console.error('List messages error:', messagesError);
return new Response(
JSON.stringify({ error: 'Failed to fetch messages: ' + messagesError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Mark unread messages as read for this user
// (messages sent by the OTHER party that haven't been read yet)
const unreadMessageIds = (messages || [])
.filter((m: { sender_id: string; is_read: boolean; id: string }) => m.sender_id !== userId && !m.is_read)
.map((m: { id: string }) => m.id);
if (unreadMessageIds.length > 0) {
await supabase
.from('p2p_messages')
.update({ is_read: true, read_at: new Date().toISOString() })
.in('id', unreadMessageIds);
}
return new Response(
JSON.stringify({
success: true,
messages: messages || [],
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// Should not reach here
return new Response(JSON.stringify({ error: 'Invalid action' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
} catch (error) {
console.error('Error:', error);
const origin = req.headers.get('origin');
return new Response(
JSON.stringify({ error: error instanceof Error ? error.message : 'Internal server error' }),
{
status: 500,
headers: { ...getCorsHeaders(origin), 'Content-Type': 'application/json' },
}
);
}
});
supabase/functions/trade-action/index.ts
+563
View File
@@ -0,0 +1,563 @@
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
import { createHmac } from 'https://deno.land/std@0.177.0/node/crypto.ts';
// CORS - Production domain only
const ALLOWED_ORIGINS = [
'https://telegram.pezkuwichain.io',
'https://telegram.pezkiwi.app',
'https://t.me',
];
function getCorsHeaders(origin: string | null): Record<string, string> {
const allowedOrigin =
origin && ALLOWED_ORIGINS.some((o) => origin.startsWith(o)) ? origin : ALLOWED_ORIGINS[0];
return {
'Access-Control-Allow-Origin': allowedOrigin,
'Access-Control-Allow-Headers':
'authorization, x-client-info, apikey, content-type, x-supabase-client-platform',
'Access-Control-Allow-Methods': 'POST, OPTIONS',
};
}
interface TradeActionRequest {
sessionToken: string;
tradeId: string;
action: 'mark_paid' | 'confirm' | 'cancel' | 'rate';
payload?: {
rating?: number;
review?: string;
reason?: string;
};
}
// Session token secret (derived from bot token)
function getSessionSecret(botToken: string): Uint8Array {
return createHmac('sha256', 'SessionTokenSecret').update(botToken).digest();
}
// Verify HMAC-signed session token
function verifySessionToken(token: string, botToken: string): number | null {
try {
const parts = token.split('.');
if (parts.length !== 2) {
// Try legacy format for backwards compatibility
return verifyLegacyToken(token);
}
const [payloadB64, signature] = parts;
// Verify signature
const secret = getSessionSecret(botToken);
const expectedSig = createHmac('sha256', secret).update(payloadB64).digest('hex');
if (signature !== expectedSig) {
return null;
}
// Parse payload
const payload = JSON.parse(atob(payloadB64));
// Check expiration
if (Date.now() > payload.exp) {
return null;
}
return payload.tgId;
} catch {
return null;
}
}
// Legacy token format (Base64 only) - for backwards compatibility
function verifyLegacyToken(token: string): number | null {
try {
const decoded = atob(token);
const [telegramId, timestamp] = decoded.split(':');
const ts = parseInt(timestamp);
// Token valid for 7 days
if (Date.now() - ts > 7 * 24 * 60 * 60 * 1000) {
return null;
}
return parseInt(telegramId);
} catch {
return null;
}
}
serve(async (req) => {
const origin = req.headers.get('origin');
const corsHeaders = getCorsHeaders(origin);
// Handle CORS
if (req.method === 'OPTIONS') {
return new Response('ok', { headers: corsHeaders });
}
try {
const body: TradeActionRequest = await req.json();
const { sessionToken, tradeId, action, payload } = body;
// Get bot token for session verification
const botToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
if (!botToken) {
return new Response(JSON.stringify({ error: 'Server configuration error' }), {
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate session token
if (!sessionToken) {
return new Response(JSON.stringify({ error: 'Missing session token' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const telegramId = verifySessionToken(sessionToken, botToken);
if (!telegramId) {
return new Response(JSON.stringify({ error: 'Invalid or expired session' }), {
status: 401,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate required fields
if (!tradeId || !action) {
return new Response(JSON.stringify({ error: 'Missing required fields: tradeId, action' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const validActions = ['mark_paid', 'confirm', 'cancel', 'rate'];
if (!validActions.includes(action)) {
return new Response(JSON.stringify({ error: `Invalid action. Must be one of: ${validActions.join(', ')}` }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Create Supabase admin client (bypasses RLS)
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey);
// Get auth user ID for this telegram user
const telegramEmail = `telegram_${telegramId}@pezkuwichain.io`;
const {
data: { users: authUsers },
} = await supabase.auth.admin.listUsers();
const authUser = authUsers?.find((u) => u.email === telegramEmail);
if (!authUser) {
return new Response(JSON.stringify({ error: 'User not found. Please authenticate first.' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const userId = authUser.id;
// Fetch the trade
const { data: trade, error: tradeError } = await supabase
.from('p2p_fiat_trades')
.select('*')
.eq('id', tradeId)
.single();
if (tradeError || !trade) {
return new Response(JSON.stringify({ error: 'Trade not found' }), {
status: 404,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Verify user is a party to this trade
if (trade.seller_id !== userId && trade.buyer_id !== userId) {
return new Response(JSON.stringify({ error: 'You are not a party to this trade' }), {
status: 403,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
let updatedTrade;
// ==================== MARK PAID ====================
if (action === 'mark_paid') {
// Only buyer can mark as paid
if (trade.buyer_id !== userId) {
return new Response(JSON.stringify({ error: 'Only the buyer can mark payment as sent' }), {
status: 403,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Trade must be in pending status
if (trade.status !== 'pending') {
return new Response(JSON.stringify({ error: `Cannot mark paid: trade status is '${trade.status}', expected 'pending'` }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const now = new Date().toISOString();
const confirmationDeadline = new Date(Date.now() + 2 * 60 * 60 * 1000).toISOString(); // +2 hours
const { data: updated, error: updateError } = await supabase
.from('p2p_fiat_trades')
.update({
buyer_marked_paid_at: now,
status: 'payment_sent',
confirmation_deadline: confirmationDeadline,
})
.eq('id', tradeId)
.eq('buyer_id', userId)
.eq('status', 'pending')
.select()
.single();
if (updateError) {
console.error('Mark paid error:', updateError);
return new Response(
JSON.stringify({ error: 'Failed to mark payment: ' + updateError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
updatedTrade = updated;
// Log to audit
await supabase.from('p2p_audit_log').insert({
user_id: userId,
action: 'mark_paid',
entity_type: 'trade',
entity_id: tradeId,
details: {
confirmation_deadline: confirmationDeadline,
},
});
}
// ==================== CONFIRM ====================
else if (action === 'confirm') {
// Only seller can confirm
if (trade.seller_id !== userId) {
return new Response(JSON.stringify({ error: 'Only the seller can confirm and release crypto' }), {
status: 403,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Trade must be in payment_sent status
if (trade.status !== 'payment_sent') {
return new Response(JSON.stringify({ error: `Cannot confirm: trade status is '${trade.status}', expected 'payment_sent'` }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Get offer details to know the token
const { data: offer, error: offerError } = await supabase
.from('p2p_fiat_offers')
.select('token')
.eq('id', trade.offer_id)
.single();
if (offerError || !offer) {
return new Response(JSON.stringify({ error: 'Associated offer not found' }), {
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Release escrow: transfer from seller's locked balance to buyer's available balance
const { data: releaseResult, error: releaseError } = await supabase.rpc(
'release_escrow_internal',
{
p_from_user_id: trade.seller_id,
p_to_user_id: trade.buyer_id,
p_token: offer.token,
p_amount: trade.crypto_amount,
p_reference_type: 'trade',
p_reference_id: tradeId,
}
);
if (releaseError) {
console.error('Release escrow error:', releaseError);
return new Response(
JSON.stringify({ error: 'Failed to release escrow: ' + releaseError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
const releaseResponse = typeof releaseResult === 'string' ? JSON.parse(releaseResult) : releaseResult;
if (releaseResponse && !releaseResponse.success) {
return new Response(
JSON.stringify({ error: releaseResponse.error || 'Failed to release escrow' }),
{
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Update trade status to completed
const now = new Date().toISOString();
const { data: updated, error: updateError } = await supabase
.from('p2p_fiat_trades')
.update({
seller_confirmed_at: now,
escrow_released_at: now,
status: 'completed',
completed_at: now,
})
.eq('id', tradeId)
.select()
.single();
if (updateError) {
console.error('Confirm trade update error:', updateError);
return new Response(
JSON.stringify({ error: 'Escrow released but failed to update trade status: ' + updateError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
updatedTrade = updated;
// Log to audit
await supabase.from('p2p_audit_log').insert({
user_id: userId,
action: 'confirm_trade',
entity_type: 'trade',
entity_id: tradeId,
details: {
token: offer.token,
crypto_amount: trade.crypto_amount,
buyer_id: trade.buyer_id,
},
});
}
// ==================== CANCEL ====================
else if (action === 'cancel') {
// Trade must be in pending or payment_sent status to cancel
if (!['pending', 'payment_sent'].includes(trade.status)) {
return new Response(JSON.stringify({ error: `Cannot cancel: trade status is '${trade.status}'` }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
const cancelReason = payload?.reason || 'Cancelled by user';
// Try using the cancel_p2p_trade RPC if it exists
const { data: rpcResult, error: rpcError } = await supabase.rpc('cancel_p2p_trade', {
p_trade_id: tradeId,
p_user_id: userId,
p_reason: cancelReason,
});
if (rpcError) {
// If RPC doesn't exist (42883), do manual cancellation
if (rpcError.code === '42883') {
console.warn('cancel_p2p_trade RPC not found, performing manual cancellation');
// Update trade status
const { data: updated, error: updateError } = await supabase
.from('p2p_fiat_trades')
.update({
status: 'cancelled',
cancelled_by: userId,
cancellation_reason: cancelReason,
})
.eq('id', tradeId)
.select()
.single();
if (updateError) {
console.error('Cancel trade error:', updateError);
return new Response(
JSON.stringify({ error: 'Failed to cancel trade: ' + updateError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Restore offer remaining amount
const { data: offer } = await supabase
.from('p2p_fiat_offers')
.select('id, remaining_amount')
.eq('id', trade.offer_id)
.single();
if (offer) {
await supabase
.from('p2p_fiat_offers')
.update({
remaining_amount: (offer.remaining_amount || 0) + (trade.crypto_amount || 0),
status: 'open',
})
.eq('id', offer.id);
}
updatedTrade = updated;
} else {
console.error('Cancel trade RPC error:', rpcError);
return new Response(
JSON.stringify({ error: 'Failed to cancel trade: ' + rpcError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
} else {
// RPC succeeded, parse result
const result = typeof rpcResult === 'string' ? JSON.parse(rpcResult) : rpcResult;
if (result && !result.success) {
return new Response(
JSON.stringify({ error: result.error || 'Failed to cancel trade' }),
{
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Fetch updated trade
const { data: updated } = await supabase
.from('p2p_fiat_trades')
.select('*')
.eq('id', tradeId)
.single();
updatedTrade = updated;
}
// Log to audit
await supabase.from('p2p_audit_log').insert({
user_id: userId,
action: 'cancel_trade',
entity_type: 'trade',
entity_id: tradeId,
details: {
reason: cancelReason,
previous_status: trade.status,
},
});
}
// ==================== RATE ====================
else if (action === 'rate') {
// Trade must be completed to rate
if (trade.status !== 'completed') {
return new Response(JSON.stringify({ error: 'Can only rate completed trades' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Validate rating payload
if (!payload?.rating || payload.rating < 1 || payload.rating > 5) {
return new Response(JSON.stringify({ error: 'Rating must be between 1 and 5' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Determine counterparty
const ratedId = trade.seller_id === userId ? trade.buyer_id : trade.seller_id;
// Check if user already rated this trade
const { data: existingRating } = await supabase
.from('p2p_ratings')
.select('id')
.eq('trade_id', tradeId)
.eq('rater_id', userId)
.single();
if (existingRating) {
return new Response(JSON.stringify({ error: 'You have already rated this trade' }), {
status: 400,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
});
}
// Insert rating
const { data: rating, error: ratingError } = await supabase
.from('p2p_ratings')
.insert({
trade_id: tradeId,
rater_id: userId,
rated_id: ratedId,
rating: payload.rating,
review: payload.review || null,
})
.select()
.single();
if (ratingError) {
console.error('Insert rating error:', ratingError);
return new Response(
JSON.stringify({ error: 'Failed to submit rating: ' + ratingError.message }),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
}
);
}
// Fetch trade as-is for response
updatedTrade = trade;
// Log to audit
await supabase.from('p2p_audit_log').insert({
user_id: userId,
action: 'rate_trade',
entity_type: 'trade',
entity_id: tradeId,
details: {
rated_id: ratedId,
rating: payload.rating,
review: payload.review || null,
},
});
}
return new Response(
JSON.stringify({
success: true,
trade: updatedTrade,
}),
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
} catch (error) {
console.error('Error:', error);
const origin = req.headers.get('origin');
return new Response(
JSON.stringify({ error: error instanceof Error ? error.message : 'Internal server error' }),
{
status: 500,
headers: { ...getCorsHeaders(origin), 'Content-Type': 'application/json' },
}
);
}
});