Merge remote-tracking branch 'origin/main'

Update verification TTL and init data checks
2026-04-19 19:45:56 +08:00 · 2026-04-19 19:44:35 +08:00
1 changed files with 21 additions and 1 deletions
--- a/src/index.ts
+++ b/src/index.ts
@@ -77,7 +77,8 @@ interface RequestContext {
 const JOIN_PREFIX = "join:";
 const ACTIVE_PREFIX = "active:";
 const CHALLENGE_TTL_MS = 10 * 60 * 1000;
-const RECORD_TTL_SECONDS = 24 * 60 * 60;
+const RECORD_TTL_SECONDS = 30 * 60;
+const INIT_DATA_MAX_AGE_SECONDS = 10 * 60;
 type Locale = "zh" | "en";

 export default {
@@ -362,6 +363,25 @@ async function verifyTelegramWebAppInitData(env: Env, initData: string, expected
    throw new HttpError(401, "invalid_init_data_hash");
  }

+  const authDateRaw = params.get("auth_date");
+  if (!authDateRaw) {
+    throw new HttpError(401, "missing_init_data_auth_date");
+  }
+
+  const authDate = Number(authDateRaw);
+  if (!Number.isFinite(authDate)) {
+    throw new HttpError(401, "invalid_init_data_auth_date");
+  }
+
+  const nowSeconds = Math.floor(Date.now() / 1000);
+  if (authDate > nowSeconds + 30) {
+    throw new HttpError(401, "invalid_init_data_auth_date");
+  }
+
+  if (nowSeconds - authDate > INIT_DATA_MAX_AGE_SECONDS) {
+    throw new HttpError(401, "expired_init_data");
+  }
+
  const userRaw = params.get("user");
  if (!userRaw) {
    throw new HttpError(401, "missing_init_data_user");
Author	SHA1	Message	Date
zimk	a7f7c12ac5	Merge remote-tracking branch 'origin/main'	2026-04-19 19:45:56 +08:00
zimk	2e058e5c60	Update verification TTL and init data checks	2026-04-19 19:44:35 +08:00