mirror of
https://github.com/pezkuwichain/pezkuwi-telegram-miniapp.git
synced 2026-04-22 00:47:55 +00:00
pezkuwichain
910610491f
- All 17 edge functions now check both TELEGRAM_BOT_TOKEN and TELEGRAM_BOT_TOKEN_KRD for session verification - Add perPage:1000 to listUsers calls to prevent pagination issues - Fix offer button label: Buy tab shows "Al" (green), Sell tab shows "Sat" (red) - Fix active tab highlight with cyan color for visibility - Fix modal transparency (add --card CSS variable) - Fix withdraw tab sync (useEffect on modal open)
293 lines
8.6 KiB
TypeScript
293 lines
8.6 KiB
TypeScript
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
|
|
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
|
|
import { createHmac } from 'https://deno.land/std@0.177.0/node/crypto.ts';
|
|
|
|
// CORS - Production domain only
|
|
const ALLOWED_ORIGINS = [
|
|
'https://telegram.pezkuwichain.io',
|
|
'https://telegram.pezkiwi.app',
|
|
'https://t.me',
|
|
];
|
|
|
|
function getCorsHeaders(origin: string | null): Record<string, string> {
|
|
const allowedOrigin =
|
|
origin && ALLOWED_ORIGINS.some((o) => origin.startsWith(o)) ? origin : ALLOWED_ORIGINS[0];
|
|
|
|
return {
|
|
'Access-Control-Allow-Origin': allowedOrigin,
|
|
'Access-Control-Allow-Headers':
|
|
'authorization, x-client-info, apikey, content-type, x-supabase-client-platform',
|
|
'Access-Control-Allow-Methods': 'POST, OPTIONS',
|
|
};
|
|
}
|
|
|
|
interface CreateOfferRequest {
|
|
sessionToken: string;
|
|
token: 'HEZ' | 'PEZ';
|
|
amountCrypto: number;
|
|
fiatCurrency: 'TRY' | 'IQD' | 'IRR' | 'EUR' | 'USD';
|
|
fiatAmount: number;
|
|
paymentMethodId: string;
|
|
paymentDetailsEncrypted: string;
|
|
minOrderAmount?: number;
|
|
maxOrderAmount?: number;
|
|
timeLimitMinutes?: number;
|
|
adType?: 'buy' | 'sell';
|
|
}
|
|
|
|
// Session token secret (derived from bot token)
|
|
function getSessionSecret(botToken: string): Uint8Array {
|
|
return createHmac('sha256', 'SessionTokenSecret').update(botToken).digest();
|
|
}
|
|
|
|
// Verify HMAC-signed session token
|
|
function verifySessionToken(token: string, botToken: string): number | null {
|
|
try {
|
|
const parts = token.split('.');
|
|
if (parts.length !== 2) {
|
|
// Try legacy format for backwards compatibility
|
|
return verifyLegacyToken(token);
|
|
}
|
|
|
|
const [payloadB64, signature] = parts;
|
|
|
|
// Verify signature
|
|
const secret = getSessionSecret(botToken);
|
|
const expectedSig = createHmac('sha256', secret).update(payloadB64).digest('hex');
|
|
|
|
if (signature !== expectedSig) {
|
|
return null;
|
|
}
|
|
|
|
// Parse payload
|
|
const payload = JSON.parse(atob(payloadB64));
|
|
|
|
// Check expiration
|
|
if (Date.now() > payload.exp) {
|
|
return null;
|
|
}
|
|
|
|
return payload.tgId;
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
// Legacy token format (Base64 only) - for backwards compatibility
|
|
function verifyLegacyToken(token: string): number | null {
|
|
try {
|
|
const decoded = atob(token);
|
|
const [telegramId, timestamp] = decoded.split(':');
|
|
const ts = parseInt(timestamp);
|
|
// Token valid for 7 days
|
|
if (Date.now() - ts > 7 * 24 * 60 * 60 * 1000) {
|
|
return null;
|
|
}
|
|
return parseInt(telegramId);
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
serve(async (req) => {
|
|
const origin = req.headers.get('origin');
|
|
const corsHeaders = getCorsHeaders(origin);
|
|
|
|
// Handle CORS
|
|
if (req.method === 'OPTIONS') {
|
|
return new Response('ok', { headers: corsHeaders });
|
|
}
|
|
|
|
try {
|
|
const body: CreateOfferRequest = await req.json();
|
|
const {
|
|
sessionToken,
|
|
token,
|
|
amountCrypto,
|
|
fiatCurrency,
|
|
fiatAmount,
|
|
paymentMethodId,
|
|
paymentDetailsEncrypted,
|
|
minOrderAmount,
|
|
maxOrderAmount,
|
|
timeLimitMinutes = 30,
|
|
adType = 'sell',
|
|
} = body;
|
|
|
|
// Get bot tokens for session verification (dual bot support)
|
|
const botTokens: string[] = [];
|
|
const _mainToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
|
|
const _krdToken = Deno.env.get('TELEGRAM_BOT_TOKEN_KRD');
|
|
if (_mainToken) botTokens.push(_mainToken);
|
|
if (_krdToken) botTokens.push(_krdToken);
|
|
if (botTokens.length === 0) {
|
|
return new Response(JSON.stringify({ error: 'Server configuration error' }), {
|
|
status: 500,
|
|
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
});
|
|
}
|
|
|
|
// Validate session token
|
|
if (!sessionToken) {
|
|
return new Response(JSON.stringify({ error: 'Missing session token' }), {
|
|
status: 401,
|
|
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
});
|
|
}
|
|
|
|
let telegramId: number | null = null;
|
|
for (const bt of botTokens) {
|
|
telegramId = verifySessionToken(sessionToken, bt);
|
|
if (telegramId) break;
|
|
}
|
|
if (!telegramId) {
|
|
return new Response(JSON.stringify({ error: 'Invalid or expired session' }), {
|
|
status: 401,
|
|
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
});
|
|
}
|
|
|
|
// Validate required fields
|
|
if (!token || !amountCrypto || !fiatCurrency || !fiatAmount || !paymentMethodId) {
|
|
return new Response(JSON.stringify({ error: 'Missing required fields' }), {
|
|
status: 400,
|
|
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
});
|
|
}
|
|
|
|
// Create Supabase admin client (bypasses RLS)
|
|
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
|
|
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
|
|
const supabase = createClient(supabaseUrl, supabaseServiceKey);
|
|
|
|
// Get auth user ID for this telegram user
|
|
const telegramEmail = `telegram_${telegramId}@pezkuwichain.io`;
|
|
const {
|
|
data: { users: authUsers },
|
|
} = await supabase.auth.admin.listUsers({ perPage: 1000 });
|
|
const authUser = authUsers?.find((u: { email?: string }) => u.email === telegramEmail);
|
|
|
|
if (!authUser) {
|
|
return new Response(JSON.stringify({ error: 'User not found. Please authenticate first.' }), {
|
|
status: 404,
|
|
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
});
|
|
}
|
|
|
|
const userId = authUser.id;
|
|
|
|
// 1. Lock escrow from internal balance
|
|
const { data: lockResult, error: lockError } = await supabase.rpc('lock_escrow_internal', {
|
|
p_user_id: userId,
|
|
p_token: token,
|
|
p_amount: amountCrypto,
|
|
});
|
|
|
|
if (lockError) {
|
|
console.error('Lock escrow error:', lockError);
|
|
return new Response(
|
|
JSON.stringify({ error: 'Failed to lock escrow: ' + lockError.message }),
|
|
{
|
|
status: 500,
|
|
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
}
|
|
);
|
|
}
|
|
|
|
// Parse result
|
|
const lockResponse = typeof lockResult === 'string' ? JSON.parse(lockResult) : lockResult;
|
|
|
|
if (!lockResponse.success) {
|
|
return new Response(
|
|
JSON.stringify({ error: lockResponse.error || 'Failed to lock balance' }),
|
|
{
|
|
status: 400,
|
|
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
}
|
|
);
|
|
}
|
|
|
|
// 2. Create offer in database (using service role bypasses RLS)
|
|
const { data: offer, error: offerError } = await supabase
|
|
.from('p2p_fiat_offers')
|
|
.insert({
|
|
seller_id: userId,
|
|
seller_wallet: '',
|
|
token,
|
|
amount_crypto: amountCrypto,
|
|
fiat_currency: fiatCurrency,
|
|
fiat_amount: fiatAmount,
|
|
payment_method_id: paymentMethodId,
|
|
payment_details_encrypted: paymentDetailsEncrypted,
|
|
min_order_amount: minOrderAmount || null,
|
|
max_order_amount: maxOrderAmount || null,
|
|
time_limit_minutes: timeLimitMinutes,
|
|
status: 'open',
|
|
remaining_amount: amountCrypto,
|
|
escrow_locked_at: new Date().toISOString(),
|
|
ad_type: adType,
|
|
})
|
|
.select()
|
|
.single();
|
|
|
|
if (offerError) {
|
|
console.error('Create offer error:', offerError);
|
|
|
|
// Rollback: refund escrow
|
|
try {
|
|
await supabase.rpc('refund_escrow_internal', {
|
|
p_user_id: userId,
|
|
p_token: token,
|
|
p_amount: amountCrypto,
|
|
});
|
|
} catch (refundErr) {
|
|
console.error('Failed to refund escrow:', refundErr);
|
|
}
|
|
|
|
return new Response(
|
|
JSON.stringify({ error: 'Failed to create offer: ' + offerError.message }),
|
|
{
|
|
status: 500,
|
|
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
}
|
|
);
|
|
}
|
|
|
|
// 3. Log to audit
|
|
await supabase.from('p2p_audit_log').insert({
|
|
user_id: userId,
|
|
action: 'create_offer',
|
|
entity_type: 'offer',
|
|
entity_id: offer.id,
|
|
details: {
|
|
token,
|
|
amount_crypto: amountCrypto,
|
|
fiat_currency: fiatCurrency,
|
|
fiat_amount: fiatAmount,
|
|
escrow_type: 'internal_ledger',
|
|
},
|
|
});
|
|
|
|
return new Response(
|
|
JSON.stringify({
|
|
success: true,
|
|
offer_id: offer.id,
|
|
offer,
|
|
locked_balance: lockResponse.locked_balance,
|
|
available_balance: lockResponse.available_balance,
|
|
}),
|
|
{ headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
|
|
);
|
|
} catch (error) {
|
|
console.error('Error:', error);
|
|
const origin = req.headers.get('origin');
|
|
return new Response(
|
|
JSON.stringify({ error: error instanceof Error ? error.message : 'Internal server error' }),
|
|
{
|
|
status: 500,
|
|
headers: { ...getCorsHeaders(origin), 'Content-Type': 'application/json' },
|
|
}
|
|
);
|
|
}
|
|
});
|