feat!: Telegram bot MVP + Telegram auth, Redis, MongoDB audit, structured logging #92

Merged: dzhhem merged 29 commits into master from feat/bot-mvp on Jun 17, 2026

@dzhhem (Collaborator) commented Jun 17, 2026

Description

Brings up the Telegram bot as a second FinTrack client and the infra to support it as a real account surface.

Bot (grammY + @grammyjs/conversations)

  • Add transactions from chat (+1500 salary / -50 coffee), optional location share.
  • /summary, /history, /delete, /edit (set/remove location), /help, /start.
  • Inline pagination (◀/▶) for history/edit/delete; inline confirm for delete.
  • API client with token refresh; conversation.external wrapper returning replay-safe serializable results; telegramId read from ctx.from inside conversations (replay-safe).
  • Sessions persisted in Redis.

Auth (breaking)

  • Telegram Login Widget on web, /auth/telegram exchange on API, bot token store.
  • One account usable from both web and bot.
  • Bearer (header-token) clients skip CSRF.

Infra / observability

  • Redis: distributed rate limiting (rate-limit-redis) + persistent bot sessions (30d TTL).
  • MongoDB audit log (Mongoose): auth events persisted.
  • pino structured logging across API + bot, request-id correlation, clean startup.
  • compose/dev: API healthcheck so bot waits for API; filesystem polling for reliable hot-reload in Docker.

Closes #91

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)

Breaking: feat!: add Telegram Login Widget auth across web, api and bot — auth flow changed; new env vars required (see .env.example updates).

How Has This Been Tested?

  • Unit tests (Jest/Vitest)

  • Integration tests

  • Manual testing (screenshots/screencasts encouraged)

  • API: auth integration tests, seed idempotency, authSecurity unit tests, ioredis mock.

  • Bot: history.format unit tests (Jest).

  • Manual: bot flows (add/summary/history/edit/delete/pagination) against local API; Telegram Login Widget login on web; Redis sessions survive bot restart; Mongo audit entries written on auth events.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have documented non-obvious behavior or constraints where necessary
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • (If API) Database migrations have been created and tested
  • (If UI) Changes look good on mobile and desktop

dzhhem and others added 24 commits May 21, 2026 12:36
…essions

- Replace in-memory tokenStore Map with Redis (30-day TTL per session)
- Switch all API rate limiters to rate-limit-redis RedisStore
- Add Redis service to compose.yaml and compose.dev.yaml
- Mock ioredis in jest (SCRIPT LOAD + EVALSHA simulation, no real connection)
- Add REDIS_URL to env examples; set via compose environment for Docker

Co-authored-by: Bohdan Matula <matula.bohdan@gmail.com>

- Add Pino logging (replace all console.*) in API and bot
- Add request correlation ID via AsyncLocalStorage (requestId on every log)
- Add X-Request-Id response header
- Move redis.ts → lib/redis.ts in API and bot (infra singleton convention)
- Fix startup: connect Redis before dynamic import of app (no rate-limit init warnings)
- Fix errorHandler: 4xx → WARN, 5xx → ERROR
- Add Redis graceful shutdown (redis.quit())
- Persist audit events to MongoDB (auth events)

Let users authenticate and link their account via the Telegram Login
Widget so the bot recognises the same person by telegram_id, closing
the gap between web and bot identities.

- web: add TelegramLoginWidget + AuthProviderIcons, wire into popups
- api: add /auth/telegram/exchange (bot|widget) and /auth/link/telegram
- bot: rename BOT_TOKEN to TELEGRAM_BOT_TOKEN, send {source:bot} payload
- config: fail fast on missing TELEGRAM_BOT_TOKEN/GOOGLE_CLIENT_ID and
  invalid PORT/SMTP_PORT
- docs: sync auth.yml swagger and contributor env docs with the code

Hardcoded UI strings remain English; i18n is tracked as a follow-up.

BREAKING CHANGE: the API now requires TELEGRAM_BOT_TOKEN and
GOOGLE_CLIENT_ID at startup and exits if either is missing. Existing
deployments must set both before upgrading.
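
Added example, not part of this PR or FinTrack's code: a sketch of the server-side check a widget-sourced /auth/telegram/exchange request needs before the API trusts the telegram_id, following Telegram's documented Login Widget scheme (HMAC-SHA256 over the sorted fields, keyed with SHA-256 of the bot token). The function names, the 24-hour freshness window and the 60-second skew tolerance are assumptions; the {source:bot} branch is not covered.

```javascript
// Added example (not FinTrack code): server-side check of a Telegram Login Widget payload.
const crypto = require("node:crypto");

const MAX_AGE_SECONDS = 24 * 60 * 60; // assumed policy: reject logins older than a day
const MAX_SKEW_SECONDS = 60;          // assumed tolerance for clock drift

// Telegram's data-check-string: every field except `hash`, as key=value,
// sorted by key and joined with newlines.
function dataCheckString(fields) {
  return Object.keys(fields)
    .filter((k) => k !== "hash" && fields[k] != null)
    .sort()
    .map((k) => `${k}=${fields[k]}`)
    .join("\n");
}

// HMAC-SHA256 over the data-check-string, keyed with SHA-256(bot token).
function signPayload(fields, botToken) {
  const secret = crypto.createHash("sha256").update(botToken).digest();
  return crypto.createHmac("sha256", secret).update(dataCheckString(fields)).digest("hex");
}

function verifyTelegramLogin(payload, botToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!payload || typeof payload.hash !== "string" || !/^[0-9a-f]{64}$/.test(payload.hash)) {
    return { ok: false, reason: "malformed_hash" };
  }
  const expected = Buffer.from(signPayload(payload, botToken), "hex");
  const received = Buffer.from(payload.hash, "hex");
  if (!crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: "bad_signature" };
  }
  // The signature never expires on its own, so bound replay with auth_date.
  const authDate = Number(payload.auth_date);
  const age = nowSeconds - authDate;
  if (!Number.isInteger(authDate) || age > MAX_AGE_SECONDS || age < -MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale_auth_date" };
  }
  return { ok: true, telegramId: String(payload.id) };
}

// Constructed sample: placeholder token and user, signed locally for the demo.
const SAMPLE_TOKEN = "123456:CONSTRUCTED-PLACEHOLDER-TOKEN";
const SAMPLE_NOW = 1781683200;
const unsigned = { id: 42, first_name: "Test", username: "tester", auth_date: SAMPLE_NOW - 30 };
const SAMPLE_PAYLOAD = { ...unsigned, hash: signPayload(unsigned, SAMPLE_TOKEN) };
console.log(verifyTelegramLogin(SAMPLE_PAYLOAD, SAMPLE_TOKEN, SAMPLE_NOW));
console.log(verifyTelegramLogin({ ...SAMPLE_PAYLOAD, id: 43 }, SAMPLE_TOKEN, SAMPLE_NOW));
```

The account lookup should use only the telegramId returned by a successful check, never an id read from the request body before verification.
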
@dzhhem dzhhem requested a review from BODMAT June 17, 2026 06:31
@dzhhem dzhhem self-assigned this Jun 17, 2026
vercel Bot commented Jun 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
fin-track-web | Ready | Preview, Comment | Jun 17, 2026 8:35am

@dzhhem dzhhem merged commit a491901 into master Jun 17, 2026
14 checks passed
@dzhhem dzhhem deleted the feat/bot-mvp branch June 17, 2026 09:11