feat: add session token support for P2P cross-app auth

- AuthContext now stores and exposes sessionToken from telegram-auth
- App.tsx sends session_token instead of tg_id to P2P
- Enables secure cross-app authentication without from_miniapp method

package.json

@@ -1,6 +1,6 @@
 {
   "name": "pezkuwi-telegram-miniapp",
-  "version": "1.0.117",
+  "version": "1.0.119",
   "type": "module",
   "description": "Pezkuwichain Telegram Mini App - Forum, Announcements, Rewards",
   "author": "Pezkuwichain Team",

src/App.tsx

@@ -53,29 +53,28 @@ const P2P_WEB_URL = 'https://telegram.pezkuwichain.io/p2p';
 export default function App() {
   const [activeSection, setActiveSection] = useState<Section>('announcements');
   const [showP2PModal, setShowP2PModal] = useState(false);
-  const { user } = useAuth();
+  const { sessionToken } = useAuth();
   const { address } = useWallet();
 
   // Open P2P in popup with auth params
   const openP2P = useCallback(() => {
     window.Telegram?.WebApp.HapticFeedback.impactOccurred('medium');
 
-    // Build auth URL with params
+    // Build auth URL with session token
     const params = new URLSearchParams();
-    if (user?.telegram_id) {
-      params.set('tg_id', user.telegram_id.toString());
+    if (sessionToken) {
+      params.set('session_token', sessionToken);
     }
     if (address) {
       params.set('wallet', address);
     }
-    params.set('ts', Date.now().toString());
     params.set('from', 'miniapp');
 
     const url = `${P2P_WEB_URL}?${params.toString()}`;
 
     // Open in new window/tab
     window.open(url, '_blank');
-  }, [user, address]);
+  }, [sessionToken, address]);
 
   const handleNavClick = (item: NavItem) => {
     window.Telegram?.WebApp.HapticFeedback.selectionChanged();

src/contexts/AuthContext.tsx

@@ -4,6 +4,7 @@ import type { User } from '@/hooks/useSupabase';
 
 interface AuthContextType {
   user: User | null;
+  sessionToken: string | null;
   isLoading: boolean;
   isAuthenticated: boolean;
   signIn: () => Promise<void>;
@@ -13,6 +14,7 @@ const AuthContext = createContext<AuthContextType | null>(null);
 
 export function AuthProvider({ children }: { children: ReactNode }) {
   const [user, setUser] = useState<User | null>(null);
+  const [sessionToken, setSessionToken] = useState<string | null>(null);
   const [isLoading, setIsLoading] = useState(true);
 
   const signIn = async () => {
@@ -28,6 +30,10 @@ export function AuthProvider({ children }: { children: ReactNode }) {
       if (result?.user) {
         setUser(result.user);
       }
+      // Store session token for P2P and other cross-app auth
+      if (result?.session_token) {
+        setSessionToken(result.session_token);
+      }
     } catch (error) {
       // Auth failed silently - user will see unauthenticated state
       if (import.meta.env.DEV) {
@@ -47,6 +53,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
     <AuthContext.Provider
       value={{
         user,
+        sessionToken,
         isLoading,
         isAuthenticated: !!user,
         signIn,

src/version.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.0.117",
-  "buildTime": "2026-02-06T01:19:32.586Z",
-  "buildNumber": 1770340772586
+  "version": "1.0.119",
+  "buildTime": "2026-02-06T01:34:49.512Z",
+  "buildNumber": 1770341689513
 }

supabase/migrations/20260205_rls_clean.sql

@@ -0,0 +1,43 @@
+-- =====================================================
+-- CLEAN RLS POLICIES - PezkuwiChain Telegram MiniApp
+-- Strategy: SELECT for anon, mutations via Edge Functions
+-- =====================================================
+
+-- Drop all existing policies first
+DO $$
+DECLARE
+  r RECORD;
+BEGIN
+  FOR r IN (
+    SELECT schemaname, tablename, policyname
+    FROM pg_policies
+    WHERE schemaname = 'public'
+  ) LOOP
+    EXECUTE format('DROP POLICY IF EXISTS %I ON %I.%I', r.policyname, r.schemaname, r.tablename);
+  END LOOP;
+END $$;
+
+-- Enable RLS and create SELECT policies for all tables
+DO $$
+DECLARE
+  t RECORD;
+BEGIN
+  FOR t IN (
+    SELECT tablename
+    FROM pg_tables
+    WHERE schemaname = 'public'
+  ) LOOP
+    -- Enable RLS
+    EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', t.tablename);
+
+    -- Allow SELECT for anon and authenticated
+    EXECUTE format(
+      'CREATE POLICY %I ON %I FOR SELECT TO anon, authenticated USING (true)',
+      t.tablename || '_select',
+      t.tablename
+    );
+  END LOOP;
+END $$;
+
+-- Note: INSERT/UPDATE/DELETE blocked for anon by default
+-- All mutations must go through Edge Functions (service role bypasses RLS)