diff --git a/backend-py/app/auth.py b/backend-py/app/auth.py index edfb606..b9e8c4d 100644 --- a/backend-py/app/auth.py +++ b/backend-py/app/auth.py @@ -15,27 +15,43 @@ def verify_init_data(init_data: str, bot_token: str, max_age_sec: int = 86400) - Спецификация: https://core.telegram.org/bots/webapps#validating-data-received-via-the-mini-app """ + import sys if not init_data: + print("[AUTH] empty init_data", flush=True, file=sys.stderr) return None parsed = dict(parse_qsl(init_data, keep_blank_values=True)) received_hash = parsed.pop("hash", None) if not received_hash: + print(f"[AUTH] no hash in initData. keys={list(parsed.keys())}", flush=True, file=sys.stderr) return None # data_check_string: ключ=значение, отсортированы алфавитно, разделитель \n data_check_string = "\n".join(f"{k}={parsed[k]}" for k in sorted(parsed)) + # Trim token to handle accidental whitespace in env + token_clean = bot_token.strip() # secret_key = HMAC-SHA-256(key="WebAppData", data=BOT_TOKEN) - secret_key = hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest() + secret_key = hmac.new(b"WebAppData", token_clean.encode(), hashlib.sha256).digest() expected_hash = hmac.new(secret_key, data_check_string.encode(), hashlib.sha256).hexdigest() if not hmac.compare_digest(expected_hash, received_hash): + print( + f"[AUTH] HASH MISMATCH\n" + f" token_len={len(bot_token)} clean_len={len(token_clean)} " + f"head={token_clean[:6]}... tail=...{token_clean[-6:]}\n" + f" data_check_string={data_check_string!r}\n" + f" received_hash={received_hash}\n" + f" expected_hash={expected_hash}", + flush=True, file=sys.stderr, + ) return None # Свежесть подписи (24 часа по умолчанию) auth_date = int(parsed.get("auth_date", "0")) if time.time() - auth_date > max_age_sec: + print(f"[AUTH] auth_date too old: {auth_date}, now={time.time()}", flush=True, file=sys.stderr) return None + print(f"[AUTH] OK auth_date={auth_date}", flush=True, file=sys.stderr) user = None if "user" in parsed: