improve signed reads, crypto hardening, and scraper transport
This commit is contained in:
+6
-6
@@ -25,7 +25,8 @@ from sqlalchemy.ext.asyncio import AsyncSession
|
||||
from app.config import settings
|
||||
from app.database import get_db
|
||||
from app.models import TelegramBinding, Subscription
|
||||
from app.services.signed_request import verify_signed_request
|
||||
from app.services.signed_request import (
|
||||
SignedReadCreds, optional_signed_read_creds, verify_signed_request)
|
||||
from app.services.telegram import send_test_message
|
||||
from app.services.telegram_bot import issue_binding_code, unbind_wallet
|
||||
|
||||
@@ -144,8 +145,7 @@ async def _build_status(
|
||||
@router.get("/{wallet}/status", response_model=StatusResponse)
|
||||
async def status(
|
||||
wallet: str,
|
||||
timestamp: Optional[int] = None,
|
||||
signature: Optional[str] = None,
|
||||
creds: Optional[SignedReadCreds] = Depends(optional_signed_read_creds),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
) -> StatusResponse:
|
||||
"""Wallet Telegram status.
|
||||
@@ -162,14 +162,14 @@ async def status(
|
||||
# Accepting view_user avoids requiring a separate wallet signature just to
|
||||
# see Telegram status — the frontend reuses its cached view_user envelope.
|
||||
authenticated = False
|
||||
if timestamp is not None and signature:
|
||||
if creds is not None:
|
||||
for _action in ("view_telegram_status", "view_user"):
|
||||
try:
|
||||
verify_signed_request(
|
||||
action=_action,
|
||||
wallet=wallet,
|
||||
timestamp_ms=timestamp,
|
||||
signature=signature,
|
||||
timestamp_ms=creds.ts,
|
||||
signature=creds.sig,
|
||||
body=None,
|
||||
allow_replay=True,
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user