Telegram-Market/telegram-shop
1
1
Fork 0
Code Issues 40 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
145 Commits 9 Branches 0 Tags
e00071b18ae4d519d498b2d0ee57b0a90ec8f2b5
Commit Graph

95 Commits

Author SHA1 Message Date
NW
e00071b18a fix: restyle product edit modal with proper form layout and sections 
- Product form: grouped fields with pf-group/pf-row/pf-section-title
- Modal: sticky header, scrollable body, proper padding
- Form sections: Public Photo, Hidden Content (after purchase)
- Photo fields: URL input + file upload side by side per section
- Inputs/selects/textareas: consistent sizing, focus ring
- Actions: Save + Cancel buttons with border separator
 2026-06-23 21:04:00 +01:00
NW
8e52618a50 fix: make commission settings and wallets read-only for shop admin 
- Commission Settings card: disabled inputs, Platform Owner badge
- Commission Wallets card: disabled inputs, Platform Owner badge
- Hidden fields carry original values so POST preserves them unchanged
- Shop admin sees values but cannot modify — only platform owner can
 2026-06-23 13:23:59 +01:00
NW
33654206a0 fix: wallet page layout - sticky sidebar with scroll, full-width owner summary below 
- Sidebar: sticky with height=100vh, search field, internal scroll for user list
- Owner Summary: full-width below user/wallet section, not inside right column
- Wallet main: normal flow scrolling, not fixed height
 2026-06-23 13:21:04 +01:00
NW
91d7a19f0c feat: searchable sticky user sidebar with scroll for wallets page 
- Added search field at top of sidebar filtering by username or telegram ID
- Sidebar is sticky (stays in view while scrolling right panel)
- Sidebar max-height matches viewport for natural scroll with hundreds of users
- Each user item has data-name/data-tgid/data-id for instant JS filtering
- Stats section scrolls naturally below user wallets
 2026-06-23 13:16:35 +01:00
NW
98eb27c573 fix: lock seed phrases behind commission payment gate 
- Seeds only unlock when lastPaidAmount >= currentCommission
- CSV export endpoint also checks commission before serving
- Button shows locked state with amount due when commission unpaid
- Prevents free access to encrypted mnemonics without payment
 2026-06-23 13:13:43 +01:00
NW
a6d81cfe83 feat: commission tracking based on wallet balances with payment history 
- Commission = 5% of total wallet balances (not sales)
- Track commission payments in commission_payments table (migration 007)
- Show 'Due Now' = current commission - last payment amount
- Record payment form with amount and optional note
- Payment history table with date, balances, commission, paid, delta
- Delta shows difference between consecutive payments (new users = more owed)
- Seed phrase unlock reminder shows the commission due amount
- Stat warning highlight when commission is due
 2026-06-23 13:01:15 +01:00
NW
76daf07bb4 feat: owner summary with wallet stats, commission info and seed phrase unlock 
- Added Owner Summary section below user wallets with:
  - Total wallet balance (USD) across all currencies
  - Completed sales total
  - Commission calculation (rate × sales)
  - User and wallet counts
- Wallet balances by currency table (coin, count, balance, USD)
- Commission wallets display for owner payment
- Seed phrases section: locked by default, unlock via button
- CSV export for all decrypted seed phrases
- Seed phrase decrypt uses existing WalletService.decryptMnemonic
- Preserves user selection when toggling seed unlock
 2026-06-23 12:51:57 +01:00
NW
b6f21222e7 feat: wallet balances grouped by user with split layout 
- Left sidebar: user list with ID, username, status icon, wallet count
- Right panel: selected user's balances + crypto wallet table
- Fix inverted status logic (0=Active, 1=Deleted, 2=Blocked)
- Admin bot: block/unblock toggle based on current user status
- Seed data: set active users to status=0 instead of status=1
- Toggle-status route: 0↔2 instead of 1↔0
 2026-06-23 12:41:18 +01:00
NW
7b247075a0 fix: wallet generation crash - WalletUtils not defined, registerRoutes not called 
- createHandler.js: replace WalletUtils.getNetworkName (undefined) with
  WalletHelpers.getNetworkName, add import
- index.js: call registerRoutes() to register bot message handlers
  (was imported as side-effect but function never called)
- messageRouter.js: remove debug logging
 2026-06-23 12:35:12 +01:00
NW
6db770b96b feat: editable settings page with .env write and container restart 
- Add settings form with all config fields (Bot, Commission, Wallets, WireGuard)
- POST handler writes .env file and restarts container via process.exit(0)
- Secrets (ENCRYPTION_KEY, ADMIN_SECRET, GITEA_TOKEN, WG_PRIVATE_KEY, WG_PRESHARED_KEY)
  are never sent to browser - masked placeholders used instead
- PRESERVE_KEYS enforced: secret keys cannot be overwritten via form
- Values sanitized: newlines stripped before writing to .env
- start.sh loads .env file before node to override Docker env_file cache
- Extract shared escapeHtml utility to escape.js (used by 6 view files)
- Update paymentWallets view to link to Settings page instead of .env
- Add .env volume mount for settings panel read/write
- Fix registerRoutes() not being called in index.js (bot menu buttons)
 2026-06-23 12:32:25 +01:00
NW
935c6df1dc feat: rebuild Catalog with collapsible tree + product table + photo upload 
- Left panel: collapsible tree (Country → City → District → Category → Subcategory)
  - Quick-add buttons: + City, + District, + Category, + Subcategory
  - Delete buttons with confirmation on all nodes
  - Product count badges on each node
  - Click node to filter right panel
- Right panel: Product table with Photo, Name, Category, Subcategory, Price, Stock
  - Edit (✎) and Delete (✕) buttons per row
  - Add Product modal with all fields
- Product edit form: name, price, stock, description, category, subcategory (JS filtered),
  photo_url/hidden_photo_url (URL or file upload), hidden_coordinates, hidden_description, private_data
- Multer file upload for photos stored in /uploads/
- Routes: add-city, add-district, product CRUD with photo upload
- Product JSON API for modal editing
- Responsive grid: tree (320px) + table (1fr)
 2026-06-22 21:42:56 +01:00
NW
c7bf3f132c feat: unified Catalog page with Location→Category→Subcategory→Product tree 
- New /catalog page with tree view: Location (🌍) → Category (📂) → Subcategory (📁) → Product
- Add/delete locations, categories, subcategories, products from one page
- JS-powered subcategory dropdown filtered by category
- Sticky sidebar with Add Location/Category/Product forms
- Responsive grid layout (tree + forms side by side, stacks on mobile)
- Navigation simplified: Catalog replaces separate Locations/Categories/Products
- Old routes still accessible for backward compatibility
- Subcategories table migration (006_subcategories.js)
- subcategory_id column added to products table
- Seed data includes subcategories (VPN, Accounts, Hardware, etc.)
 2026-06-22 21:12:05 +01:00
NW
2012435370 feat: admin panel - Settings, Categories, Payment Wallets, Seed/Clear data, User Balances 
- Settings page: bot token (masked), admin IDs, commission config, WireGuard status
- Categories page: CRUD with product count, delete guard
- Payment Wallets page: commission wallets display, toggle, percentage
- Users page: balance adjustment form (total_balance / bonus_balance) with audit log
- Seed & Reset page: seed demo data (5 users, 10 products, 5 wallets, 5 purchases)
  and clear all data button with confirmation
- Dashboard: flash messages for seed/clear success
- Fixed seed.js: use dynamic IDs instead of hardcoded to avoid FK violations
- Fixed seed.js: clear all tables before seeding to avoid UNIQUE constraints
 2026-06-22 14:20:58 +01:00
NW
4657b1dfb5 feat: web admin panel + better-sqlite3 migration + Docker fixes 
- Added Express.js admin panel on port 3001 (ADMIN_PORT env)
  - Dashboard: stats (users, products, purchases, revenue)
  - Users: list, details, ban/unban toggle
  - Products: CRUD by category
  - Wallets: list with balances
  - Purchases: history with filters
  - Audit log: view audit trail
  - Auth: token-based login with ADMIN_SECRET env var
- Migrated sqlite3 → better-sqlite3
  - database.js: async adapter (runAsync/allAsync/getAsync)
  - purchaseService.js: lastID → lastInsertRowid
  - userService.js: lastID → lastInsertRowid
  - Removed sqlite3 from package.json
- Fixed: dotenv/config import added to index.js
- Fixed: ENCRYPTION_KEY validation (32+ char hex)
- Fixed: Dockerfile multi-stage build (no python needed)
- Fixed: Docker DNS (network: host in build)
- Fixed: docker-compose port 3001, healthcheck on 3001
- Added express, cookie-parser, pino-pretty, better-sqlite3 deps
 2026-06-22 10:54:01 +01:00
NW
25d8507b11 fix: Docker multi-stage build for sqlite3, health endpoint, productValidator exports 
- Dockerfile: multi-stage build (builder with python3+g++ for native addons)
- Dockerfile: wireguard-tools from edge/community repo
- Dockerfile: removed USER appuser (start.sh needs root for wg-quick)
- Dockerfile: health check on port 3000
- Added /health HTTP endpoint in index.js for Docker healthcheck
- Fixed productValidator.js: added named exports (validateProductName, validateProductPrice)
- Added better-sqlite3 as fallback dependency
 2026-06-22 10:18:36 +01:00
NW
49945d9d81 security(csv-export): harden mnemonic export with super admin, audit, watermark (#48) 
- Add SUPER_ADMIN_IDS config (fallback to ADMIN_IDS if not set)
- Add isSuperAdmin() to middleware/auth.js
- Create auditService.js for structured audit logging (DB + pino)
- Create migration 005_audit_log.js
- Add confirmation dialog before CSV export (confirm_export_ callback)
- Check isSuperAdmin before export — block non-super admins
- Audit log every export: admin ID, wallet type, wallet count
- Add exported_by watermark column to CSV with admin telegram ID
- Notify all other super admins when export occurs
- Add SUPER_ADMIN_IDS to .env.example

8 files changed, 154 insertions, 39 deletions
 2026-06-22 10:07:58 +01:00
NW
a04e60d751 feat(state): replace in-memory Map with SQLite-backed stateService (#59) 
- Create src/services/stateService.js with get/set/delete/has API
- Create migration 004_user_states.js (chat_id PK, state_data JSON, updated_at)
- TTL of 24 hours — expired states auto-deleted
- Cleanup job runs every hour (setInterval)
- Replace src/context/userStates.js Map with async stateService proxy
- Add await to all 45 userStates.get/set/delete/has calls across 13 files
- Add initStates() call in index.js startup sequence
- All state survives bot restarts now

18 files changed, 172 insertions, 46 deletions
 2026-06-22 10:02:57 +01:00
NW
ce1b6003cb feat(logging): replace 207 console.log/error/warn with pino structured logger (#58) 
- Add pino + pino-pretty dependencies
- Create src/utils/logger.js with env-based LOG_LEVEL
- Replace all 207 console.log/error/warn calls across 46 source files
- Remove [DEBUG], [ERROR] string prefixes (levels convey this)
- Add pino redact for sensitive fields (mnemonic, privateKey, token, etc.)
- Structured logging with context objects instead of string interpolation
- NODE_ENV=production disables pino-pretty transport

49 files changed, 5601 insertions, 6056 deletions
 2026-06-22 01:42:47 +01:00
NW
d0b26dae25 refactor(arch): replace if/else router with Map-based dispatcher (#53) 
- index.js: 394→69 lines (82% reduction)
- callbackRouter.js (36 lines): Map-based dispatch with exact + prefix matching
  - Longest-prefix-first for specificity
  - Logs warning for unregistered callbacks
- messageRouter.js (27 lines): Ordered input handlers + text command Map
- routes.js (345 lines): All 59 callback routes + 9 text commands + 7 input handlers
  - Exact routes: 19 (add_wallet, back_to_balance, etc.)
  - Prefix routes: 40 (generate_wallet_, view_product_, etc.)
  - Admin text commands with isAdmin guard
  - Special cases: view_transaction_history_ page extraction
  - Input handler order preserved (location → category → import → edit → dump → bonus)
 2026-06-22 01:16:34 +01:00
NW
f8123e42bb refactor(arch): split userWalletsHandler.js into 7 modular files (#52) 
- 747-line monolith → 8 files (all ≤108 lines)
- balanceHandler (96 lines): showBalance, handleBackToBalance
- historyHandler (107 lines): handleTransactionHistory, handleWalletHistory
- refreshHandler (75 lines): handleRefreshBalance with balance refresh
- createHandler (94 lines): handleAddWallet, handleGenerateWallet
- topUpHandler (60 lines): handleTopUpWallet
- archiveHandler (86 lines): handleViewArchivedWallets
- helpers (19 lines): getNetworkName, getWalletAddress
- index.js (20 lines): re-exports all 11 handler methods
- Removed duplicate getBaseWalletType (now uses WalletUtils)
- Removed duplicate getNetworkName (now in helpers.js)
 2026-06-22 01:11:53 +01:00
NW
4b7ed0c251 refactor(arch): split adminProductHandler.js into 13 modular files (#51) 
- 1093-line monolith → 13 files (all ≤97 lines)
- navigationHandler: product management entry + country selection
- districtHandler: city + district selection
- categoryAddHandler: add category input + handler
- categoryEditHandler: edit category input + handler
- categorySelectionHandler: category selection display
- createHandler: add product prompt
- importHandler: product import (JSON/text/file)
- editStartHandler: product edit prompt
- editImportHandler: product edit import
- deleteHandler: product delete + confirm
- viewHandler: product detail view
- listHandler: product list with pagination
- productValidator: shared validation utilities
- index.js: router re-exporting all 17 handler methods
- Removed duplicate handleCategorySelection (subcategories table doesn't exist)
- Removed handleSubcategoryInput/handleAddSubcategory (references non-existent subcategories table)
 2026-06-17 22:41:04 +01:00
NW
4b8144ac40 refactor(arch): split database.js into migrations + connection module (#57) 
- database.js: 292→42 lines (connection + async helpers only)
- 001_initial_schema.js: 7 CREATE TABLE statements in transaction
- 002_add_columns.js: 5 ALTER TABLE checks with checkColumnExists
- 003_add_indexes.js: 6 CREATE INDEX statements
- runner.js: versioned migration runner with _meta table
- index.js: calls runMigrations() + cleanUpInvalidForeignKeys()
- ALLOWED_TABLES whitelist preserved in runner.js
- Schema version tracked in _meta table for idempotent runs
 2026-06-17 22:28:11 +01:00
NW
2e8b6b5659 fix: add isAdmin delegate method to AdminHandler, fix exportCSV call in adminWalletsHandler 
- AdminHandler.isAdmin() static method delegates to middleware/auth.js
  (index.js calls adminHandler.isAdmin() which needs a class method)
- adminWalletsHandler: this.exportCSV() → this.handleExportCSV(callbackQuery)
  (exportCSV doesn't exist, handleExportCSV is the correct method)
 2026-06-17 22:19:40 +01:00
NW
68d83807ad refactor(arch): Phase 2 — deduplicate isAdmin, convertToUsd, getBaseWalletType 
- #54: Extract isAdmin() to src/middleware/auth.js, remove duplicates from 7 admin handlers
- #55: Add WalletUtils.convertToUsd(), replace 8 switch-case blocks across 4 files
- #56: Unify getBaseWalletType() — keep only WalletUtils version (most complete),
  remove duplicates from Wallet.js and userWalletsHandler.js

New file: src/middleware/auth.js
Net: -215 lines, +80 lines

Closes: #54, #55, #56
 2026-06-17 22:10:34 +01:00
NW
de415633be feat(security): Phase 1 — critical security fixes and hardening 
- #42: Remove hardcoded ENCRYPTION_KEY fallback from config.js,
  add startup validation for BOT_TOKEN and ENCRYPTION_KEY length
- #43: Fix SQL injection vulnerabilities — add ALLOWED_TABLES
  whitelist in database.js, ALLOWED_USER_FIELDS in userService.js,
  validate table names before PRAGMA
- #44: Fix race condition in purchaseService.js — wrap createPurchase
  in BEGIN IMMEDIATE TRANSACTION, add atomic balance/stock checks
- #41: Move all secrets from docker-compose.yml to .env file,
  use env_file directive
- #45: Replace MD5 tx_hash with crypto.randomUUID()
- #46: Upgrade KDF from SHA-256 to HKDF for mnemonic encryption,
  add backward compatibility for legacy format
- #47: Add input validation across all handlers — walletType
  whitelist, string length limits, numeric ID checks, price bounds

New files:
- src/utils/encryption.js (HKDF key derivation)
- src/__tests__/security.test.js (SQL injection prevention tests)

Closes: #41, #42, #43, #44, #45, #46, #47
 2026-06-17 21:52:49 +01:00
NW
c8b6e3ceb3 litle update 2025-02-05 16:40:00 +00:00
NW
23b7f8b4bd big update WG-TOR bot connecting 2025-02-03 09:43:25 +00:00
NW
633a27164b upgrade comission wallet function 2025-01-26 22:21:13 +00:00
NW
ae1cd45aea create functional commission 2025-01-25 13:35:22 +00:00
NW
fa09e81ddf crypto mnemonic case 2025-01-25 01:13:10 +00:00
NW
fcd89bc345 update calculate user balance in admin section 2025-01-09 20:13:45 +00:00
NW
dd18e74529 update calculate user balance 2025-01-09 20:07:44 +00:00
NW
f9356c6bbe update user purchase list 2025-01-09 13:25:35 +00:00
NW
18647091cf minor edits to aesthetics and functionality 2025-01-08 18:26:50 +00:00
NW
5ae148a2ba update planned wallets function 2025-01-08 16:20:43 +00:00
NW
66f5251795 update check ETH USDT USDC balance function 2025-01-08 12:01:02 +00:00
NW
e64f185eda separate wallet ETH USDT USDC 2025-01-02 19:31:28 +00:00
NW
22f76c64a6 delet TRON wallet type 2025-01-02 16:19:39 +00:00
NW
c9bcb09221 udpdate wallet function 2024-12-24 09:19:14 +00:00
NW
3129525a1e update user and admin wallet function 2024-12-23 20:44:56 +00:00
NW
a970a188db new user registration function 2024-12-18 19:46:29 +00:00
NW
b224b3f331 update UserService 2024-12-18 16:16:41 +00:00
NW
bfb9a55e36 update viev balance 2024-12-17 00:19:53 +00:00
NW
4aebb4e41b update user info page 2024-12-17 00:05:59 +00:00
NW
a575f75faf user catalog navigation upgrade 2024-12-16 23:56:09 +00:00
NW
21465022b3 whallets upgrade function 2024-12-16 23:43:44 +00:00
NW
d51bc9f0b9 User start registration update function 2024-12-16 12:37:44 +00:00
NW
2cfa37ea86 fix bug back navigation 2024-12-15 02:04:43 +00:00
NW
9d9e0e80ad Bug update function 2024-12-14 23:12:36 +00:00
NW
682246675e update handleProductSelection 2024-12-14 15:06:22 +00:00