Document Telegram first-class auth
This commit is contained in:
@@ -617,14 +617,29 @@
|
||||
"testStrategy": "See Telegram-native PRD acceptance criteria.",
|
||||
"parentId": "undefined",
|
||||
"updatedAt": "2026-05-24T09:18:26.638Z"
|
||||
},
|
||||
{
|
||||
"id": 10,
|
||||
"title": "Implement Telegram as first-class authentication provider",
|
||||
"description": "Add a POST /auth/telegram endpoint and frontend login flow so users can authenticate with Amanat using only their Telegram identity — no email or password required.",
|
||||
"details": "Source PRD: .taskmaster/docs/prd-telegram-phone-auth.md. Backend: create POST /auth/telegram that accepts Mini App initData or Telegram Login Widget payload, verifies the signature (reuse verifyMiniAppInitData; add verifyTelegramLoginWidget for the widget path), looks up TelegramLink by telegramUserId, and either authenticates the linked user or auto-provisions a new Amanat account (authProvider: telegram, telegramVerified: true, nullable email via sparse unique index). Returns JWT + refreshToken + isNewUser flag. Apply existing replay protection and rate limits. User model: make email nullable (sparse index), add authProvider and telegramVerified fields. Frontend: auto-detect Telegram Mini App context and skip login page; POST initData to /auth/telegram; show lightweight onboarding overlay for new users (optional email, language, currency). Add 'Continue with Telegram' button on web login page alongside Google OAuth. Security: blocked Telegram accounts return 403 regardless of re-linking attempts; high-risk action step-up policy is unchanged; never expose raw phone number.",
|
||||
"status": "done",
|
||||
"dependencies": [
|
||||
2,
|
||||
8
|
||||
],
|
||||
"priority": "high",
|
||||
"testStrategy": "Verify: new Telegram user auto-provisions and receives JWT; returning user authenticates via both initData and Login Widget; replayed initData is rejected; stale auth_date is rejected; blocked account returns 403; existing email-password users are unaffected; email remains optional (not required) for Telegram-authed users; isNewUser flag triggers onboarding overlay; high-risk actions still require step-up confirmation.\n\nImplemented verification: backend typecheck; backend targeted Jest __tests__/telegram-auth.test.ts and __tests__/telegram-service.test.ts; frontend targeted Jest __tests__/auth/telegram-auth-action.test.ts and __tests__/sections/telegram/telegram-mini-app-shell.test.tsx. Full frontend typecheck still has unrelated pre-existing payment icon/payload errors outside Task 5.10.",
|
||||
"parentId": "5",
|
||||
"updatedAt": "2026-05-24T11:59:32.372Z"
|
||||
}
|
||||
],
|
||||
"updatedAt": "2026-05-24T09:18:26.638Z"
|
||||
"updatedAt": "2026-05-24T11:59:32.372Z"
|
||||
}
|
||||
],
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"lastModified": "2026-05-24T09:18:26.638Z",
|
||||
"lastModified": "2026-05-24T11:59:32.372Z",
|
||||
"taskCount": 5,
|
||||
"completedCount": 4,
|
||||
"tags": [
|
||||
@@ -632,4 +647,4 @@
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user