Commit Graph

7 Commits

Author SHA1 Message Date
nineap 0927053f4a Fix Docker build: vendor the cyberhack wasm bundle instead of a cross-repo file: path
CI build failed with ENOENT on /Cyberhack/pkg: package.json pointed the
"cyberhack" dependency at "file:../../Cyberhack/pkg", a path outside this
repo's own directory tree entirely. That only ever resolved on a
developer machine that happened to have a sibling checkout of the
Cyberhack repo — Docker's build context is confined to this repo, and CI
never checks out Cyberhack in the first place, so pnpm install had
nothing to link against.

There's no npm registry publish set up for that package, so vendor the
already-built wasm-pack output directly into frontend/vendor/cyberhack
(committed) and point the dependency at "file:./vendor/cyberhack" instead
— a path inside the build context. Dockerfile now copies frontend/vendor
before pnpm install so the file: resolution actually has something to
link to. Verified with a `docker build --no-cache` end-to-end.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-04 15:45:05 +07:00
nineap 52531dd41a Unify auth into refresh-token cookie sessions; server-authoritative nodes and Cyberhack
Auth was effectively broken for every login path: the Telegram handler
built a Set-Cookie header but never attached it to the response, and
Ghost Protocol (seed) login never set a cookie at all — so billing, the
game, and admin actions never actually worked once the frontend was fixed
to stop trying to read an HttpOnly cookie from JS. Replaced the bare
10-minute JWT with AuthService::issue_session: a 15-minute access cookie
plus a rotating 30-day refresh cookie (opaque token, only its SHA-256
hash stored in the new refresh_sessions table); reusing an already-
rotated refresh token now revokes every session for that user. CSRF/CORS
origin allowlists moved from a single hardcoded domain to env-configured
lists so the same session works across the landing and account subdomains.
The bot's WebApp deep links (Личный Кабинет/Тарифы/Синдикат) now bridge
through a short-lived bootstrap token exchanged via POST /auth/exchange
instead of a bare access token in the URL.

Nodes: /nodes/routing now serializes the tunnel_* fields, public_key,
sni_domain and a one-time session token gated on an active subscription
instead of a stub ip/port/protocol list; node provisioning returns 202
immediately and finishes in the background instead of blocking the
request for the whole SSH run; a new background task TCP-pings nodes
every 60s and flips online/offline itself; admin can now force-restart a
node over SSH.

Billing: TON exchange rate is cached in Redis (60s) instead of hitting
TonAPI on every invoice, and the request/response now actually uses the
requested currency and TonAPI's real (uppercase) key casing — previously
only USD/RUB were ever requested and the lookup used the wrong case, so
non-USD/RUB plans could never price correctly.

Cyberhack: the server now generates and stores the board itself and
replays the client's raw click path to compute the score, instead of
clamping a client-reported number — closes the "final score is whatever
the browser sends" hole flagged in the security audit.

Frontend: api.ts no longer tries to read the HttpOnly session cookie from
JS (that never worked) and instead relies on same-origin credentials plus
a silent refresh-and-retry on 401; AdminDashboard's restart/delete actions
are wired up; Auth.tsx drops the artificial delays and requires an
explicit seed download/confirmation before continuing, since a lost Ghost
seed is unrecoverable.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-04 15:29:51 +07:00
nineap 26d6f2db8a deploy change, update token system, fix abuses and add admin verify 2026-05-26 12:50:25 +07:00
nineap 1ef93c2025 [AI] fix some modules, develop the big part of modules. TODO fix critical errors, update pipeline, test everything 2026-05-16 19:16:50 +07:00
nineap eebe10967d game update 2026-04-28 19:41:31 +07:00
nineap 963eb01357 game and maybe database fix 2026-04-23 14:39:21 +07:00
nineap b03d8cf556 [AI] initial commit 2026-04-19 17:15:50 +07:00