Merge remote-tracking branch 'origin/main'

src/index.ts

@@ -77,7 +77,8 @@ interface RequestContext {
 const JOIN_PREFIX = "join:";
 const ACTIVE_PREFIX = "active:";
 const CHALLENGE_TTL_MS = 10 * 60 * 1000;
-const RECORD_TTL_SECONDS = 24 * 60 * 60;
+const RECORD_TTL_SECONDS = 30 * 60;
+const INIT_DATA_MAX_AGE_SECONDS = 10 * 60;
 type Locale = "zh" | "en";
 
 export default {
@@ -362,6 +363,25 @@ async function verifyTelegramWebAppInitData(env: Env, initData: string, expected
     throw new HttpError(401, "invalid_init_data_hash");
   }
 
+  const authDateRaw = params.get("auth_date");
+  if (!authDateRaw) {
+    throw new HttpError(401, "missing_init_data_auth_date");
+  }
+
+  const authDate = Number(authDateRaw);
+  if (!Number.isFinite(authDate)) {
+    throw new HttpError(401, "invalid_init_data_auth_date");
+  }
+
+  const nowSeconds = Math.floor(Date.now() / 1000);
+  if (authDate > nowSeconds + 30) {
+    throw new HttpError(401, "invalid_init_data_auth_date");
+  }
+
+  if (nowSeconds - authDate > INIT_DATA_MAX_AGE_SECONDS) {
+    throw new HttpError(401, "expired_init_data");
+  }
+
   const userRaw = params.get("user");
   if (!userRaw) {
     throw new HttpError(401, "missing_init_data_user");