docs: sync vault with codebase state (2026-06-12)
- Update backend, frontend, scanner, deployment, amanat-assist service docs - Update System Overview, Scanner Architecture, Telegram Mini App flow - Update 10 - Services/README.md - Add Tenant data model, Tenant API reference, Tenant Storefront Flow - Add Multi-Shop Branch Project Scan (2026-06-10) - Add tenant.md service doc - Append activity log entry - Reflects archived/search/stats route fix and new E2E test suite Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -6,8 +6,8 @@ related_apis: ["POST /api/auth/telegram", "[[Auth API]]"]
|
||||
task: "5.4"
|
||||
---
|
||||
|
||||
> **Last updated:** 2026-06-08
|
||||
> **Status:** IN PROGRESS — Task 5.4 (dependencies: 5.1 auth infra, 5.2 Telegram sign-in endpoint)
|
||||
> **Last updated:** 2026-06-12
|
||||
> **Status:** LARGELY COMPLETE — Task 5.4 core implementation done; open items are `startapp` deep-link auto-routing, backend Socket.IO room scoping, archived-chat surfacing, review-prompt integration, and cross-platform QA.
|
||||
> **Frontend branch:** `integrate-main-into-development` · v2.8.94+
|
||||
> **Entry point:** `src/sections/telegram/` · route `/telegram`
|
||||
|
||||
@@ -68,15 +68,26 @@ The shell is a **single-page, no-router** design: all navigation (tabs, overlays
|
||||
|
||||
## 2. Launch Points
|
||||
|
||||
| Entry | Mechanism | `startapp` context |
|
||||
|---|---|---|
|
||||
| Bot profile | User opens bot → taps "Open App" | none |
|
||||
| Menu button | Pinned button in any chat with the bot | none |
|
||||
| Inline button | Bot sends a card with an embedded button | `req_<requestId>` |
|
||||
| Direct deep link | `https://t.me/AmanehBot/app?startapp=req_<id>` | `req_<requestId>` |
|
||||
| Web fallback | Browser at `/telegram` | none (unsupported state) |
|
||||
| Entry | Mechanism | `startapp` context | Result |
|
||||
|---|---|---|---|
|
||||
| Bot profile | User opens bot → taps "Open App" | none | Shell loads at Home tab |
|
||||
| Menu button | Pinned button in any chat with the bot | none | Shell loads at Home tab |
|
||||
| Inline button | Bot sends a message card with an embedded button | `req_<requestId>` | Shell loads; request deep-link (see below) |
|
||||
| Direct deep link | `https://t.me/AmanehBot/app?startapp=req_<id>` | `req_<requestId>` | Shell loads; request deep-link (see below) |
|
||||
| Web fallback | Browser at `/telegram` (no Telegram SDK) | none | `TelegramUnsupportedState` — "Open in Telegram" prompt + web dashboard link |
|
||||
|
||||
`startapp` / `tgWebAppStartParam` is read from either the WebApp SDK (`window.Telegram.WebApp`) or from URL query/hash params (for older Telegram clients that append them directly).
|
||||
### 2.1 startapp Context Parsing
|
||||
|
||||
`startapp` / `tgWebAppStartParam` is read from two sources in priority order:
|
||||
|
||||
1. `window.Telegram.WebApp.initDataUnsafe.start_param` — primary source when the SDK is injected.
|
||||
2. URL query/hash params (`tgWebAppStartParam`) — fallback for older Telegram clients that append params directly to the URL.
|
||||
|
||||
Both are normalised into `context.startParam` by `getTelegramContext()` in `src/utils/telegram-webapp.ts`.
|
||||
|
||||
### 2.2 startapp Deep-Link Routing (Partial)
|
||||
|
||||
When `context.startParam` matches `req_<requestId>`, the intent is to auto-open `TelegramRequestDetailView` for that request on first render. **This routing is not yet wired** — `startParam` is parsed and available in context but the shell does not yet act on it. This is open item #1 in section 16.
|
||||
|
||||
---
|
||||
|
||||
@@ -172,9 +183,18 @@ When `initData` is absent (accessed via a path that skips Telegram context), onl
|
||||
|
||||
### 6.3 Backend Endpoint
|
||||
|
||||
`POST /api/auth/telegram` — expects `{ initData: string }`. Backend verifies the HMAC using the Telegram bot token, extracts `user` from the payload, upserts a `User` record (`telegramId`, `telegramVerified: true`), and issues a JWT + refresh token. Returns `{ token, refreshToken, isNewUser }`.
|
||||
`POST /api/auth/telegram` — expects `{ initData: string }`.
|
||||
|
||||
Registered at `authRoutes.ts` line 24: `router.post("/telegram", ctrl.telegramAuth.bind(ctrl))` — public route, no auth middleware.
|
||||
**Verification steps (backend):**
|
||||
1. Parse the `initData` query string into key-value pairs.
|
||||
2. Extract `hash` from the pairs; remove it from the set.
|
||||
3. Build the data-check string: sort remaining pairs alphabetically, join as `key=value\n`.
|
||||
4. Compute `HMAC-SHA256(data_check_string, HMAC-SHA256("WebAppData", TELEGRAM_BOT_TOKEN))`.
|
||||
5. Compare computed hash with the extracted `hash` — reject with 401 on mismatch.
|
||||
6. Parse `user` JSON from `initDataUnsafe`; upsert `User` record with `telegramId`, `telegramVerified: true`.
|
||||
7. Issue JWT + refresh token. Return `{ token, refreshToken, isNewUser }`.
|
||||
|
||||
Registered at `authRoutes.ts` line 24: `router.post("/telegram", ctrl.telegramAuth.bind(ctrl))` — public route, no auth middleware required (HMAC is the authentication proof).
|
||||
|
||||
### 6.4 Session Linking (Telegram ↔ Amaneh Account)
|
||||
|
||||
@@ -415,7 +435,16 @@ The shell has **five bottom tabs** rendered by `TelegramTabBar`:
|
||||
- Fetches user points via `use-telegram-points.ts`.
|
||||
- Shows points balance and transaction history.
|
||||
|
||||
### 9.16 Notifications Overlay
|
||||
### 9.16 Dispute Surface
|
||||
|
||||
The Mini App does not yet have a dedicated dispute-filing view. Dispute access is handled via two escape hatches:
|
||||
|
||||
- **Request detail "View full details" link** (`openTelegramExternalLink`) — opens the web dashboard request detail page where dispute filing is available.
|
||||
- **Support chat** — buyer or seller can reach a support agent from the Account tab or the Home tab quick-action cards; the support agent can escalate to a formal dispute.
|
||||
|
||||
A native in-shell dispute flow (matching the web dashboard `DisputeView`) is planned but not yet implemented. This is a known gap for the Task 5.4 feature surface.
|
||||
|
||||
### 9.17 Notifications Overlay
|
||||
|
||||
- `TelegramNotificationsView` is rendered as `overlayScreen = 'notifications'`.
|
||||
- Fetches via `useTelegramNotifications` → `getNotifications(userId, 1, 50)` → `GET /api/notifications?userId=...&page=1&limit=50`.
|
||||
@@ -453,6 +482,8 @@ The shell has **five bottom tabs** rendered by `TelegramTabBar`:
|
||||
|
||||
Cart operations (add/remove/quantity) are **pure localStorage** — no API calls until checkout.
|
||||
|
||||
Dispute endpoints (`POST /api/disputes`, `GET /api/disputes/:id`) are not yet called from the Mini App shell — dispute access is delegated to the web dashboard via `openTelegramExternalLink`.
|
||||
|
||||
---
|
||||
|
||||
## 11. Bilingual Support (EN / FA)
|
||||
@@ -730,15 +761,19 @@ src/
|
||||
| amanat-assist integration | Done | "Open Assist" CTA in Home + New Request; window.location hand-off with access_token |
|
||||
| Deep link `startapp` routing | Partial | `startParam` parsed; auto-navigation to specific request not yet wired |
|
||||
| Backend room-scoped Socket.IO | Partial | Global socket broadcast fixed client-side (v2.8.4); server-side room scoping is a follow-up |
|
||||
| Dispute filing (in-shell) | Not started | Escape hatch via web dashboard link + support chat; native view planned |
|
||||
| Review prompt integration | Partial | `TelegramReviewPrompt` component exists; trigger point (post-payment/delivery) not yet wired |
|
||||
| Archived chats | Partial | `TelegramArchivedChatsView` exists; not yet surfaced in navigation |
|
||||
| Client matrix QA (iOS/Android/Desktop) | Pending | Needs cross-platform testing pass |
|
||||
|
||||
### Open Items
|
||||
|
||||
1. **`startapp` deep link routing:** if `context.startParam` matches `req_<id>`, auto-open `TelegramRequestDetailView` on first render.
|
||||
2. **Backend room-scoped Socket.IO:** server-side scoping for real-time chat updates (follow-up from client-side fix in v2.8.4).
|
||||
3. **Client matrix QA:** iOS Telegram, Android Telegram, Telegram Desktop, and web clients all need a full feature pass.
|
||||
4. **Review prompt:** `TelegramReviewPrompt` component exists but integration point (post-payment / post-delivery) is TBD.
|
||||
5. **Archived chats:** `TelegramArchivedChatsView` exists but is not yet surfaced in the navigation.
|
||||
1. **`startapp` deep link routing:** if `context.startParam` matches `req_<id>`, auto-open `TelegramRequestDetailView` on first render. `startParam` is already parsed and available in context; the shell needs a one-time effect on mount to act on it.
|
||||
2. **Backend room-scoped Socket.IO:** server-side scoping for real-time chat and notification events (follow-up from client-side provider gate in v2.8.4 that fixed global cart-wipe).
|
||||
3. **In-shell dispute filing:** add `TelegramDisputeView` matching the web dashboard dispute surface; currently only accessible via `openTelegramExternalLink` escape hatch.
|
||||
4. **Review prompt:** wire `TelegramReviewPrompt` to trigger after payment confirmation or delivery acknowledgement.
|
||||
5. **Archived chats:** surface `TelegramArchivedChatsView` from `TelegramChatView` (e.g. an "Archived" row at the bottom of the conversation list).
|
||||
6. **Client matrix QA:** iOS Telegram, Android Telegram, Telegram Desktop, and web clients all need a full feature pass with particular attention to safe-area insets and BackButton behaviour on each platform.
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user