roa2web-service-auto/reports-app/telegram-bot/.env.example
Marius Mutu 706062dc0f Implement email-based 2FA authentication for Telegram bot with Oracle integration fixes
This commit adds a complete email authentication flow for the Telegram bot, allowing users to log in with email + password instead of web app linking codes. Includes critical bug fixes for Oracle integration.

**New Features:**
- Email-based 2FA authentication with 6-digit codes sent via SMTP
- Backend endpoints: verify-email and login-with-email
- ConversationHandler for email authentication flow in Telegram bot
- Session token verification to prevent user ID spoofing
- Rate limiting (5 attempts per 5 minutes)
- Email code expiry (5 minutes) with automatic cleanup

**Bug Fixes:**
- Fixed Oracle column name: ACTIV → INACTIV (with inverted logic)
- Fixed Oracle password verification: verificautilizator returns checksum, not user_id
- Fixed username case sensitivity: Oracle usernames must be uppercase
- Fixed SMTP connection: use start_tls parameter instead of manual STARTTLS
- Added middleware exclusions for public email auth endpoints

**Backend Changes:**
- Added verify-email endpoint (public) in telegram.py
- Added login-with-email endpoint (public) with rate limiting and session verification
- Updated middleware exclusions in main.py and auth_middleware_wrapper.py
- Added AUTH_SESSION_SECRET configuration for session token signing

**Telegram Bot Changes:**
- New modules: app/auth/email_auth.py, app/bot/email_handlers.py
- New utilities: app/utils/email_service.py (SMTP email sending)
- Updated handlers.py: ignore callbacks handled by ConversationHandler
- Updated menus.py: show Login button for unauthenticated users
- Updated API client: verify_email() and login_with_email() methods
- Database: email_auth_codes table with cleanup task

**Configuration:**
- Added SMTP configuration to telegram-bot .env.example
- Added AUTH_SESSION_SECRET to backend .env.example
- Updated .gitignore: exclude temporary files (*.pid, *.checksum, test scripts)

**Dependencies:**
- Added aiosmtplib for async SMTP email sending

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 12:00:46 +02:00


# ============================================================================
# ROA2WEB Telegram Bot - Environment Configuration
# ============================================================================
# Copy this file to .env and fill in your actual values
# IMPORTANT: Never commit .env file to git!
# ============================================================================

# ============================================================================
# REQUIRED CONFIGURATION
# ============================================================================

# Telegram Bot Configuration
# Obtain from @BotFather on Telegram
TELEGRAM_BOT_TOKEN=your_bot_token_here

# ============================================================================
# Claude Authentication Configuration
# ============================================================================
# You have TWO options for Claude authentication:
#
# OPTION 1: API Key (pay per token - requires API credits)
# - Get API key from: https://console.anthropic.com/
# - Set CLAUDE_API_KEY below
# - You will be charged per API usage (separate from Claude subscription)
#
# OPTION 2: Claude Pro/Max Subscription (RECOMMENDED if you have subscription)
# - If you have Claude Pro or Claude Max subscription
# - Run: claude-code login (one-time setup)
# - Leave CLAUDE_API_KEY empty or commented out
# - You won't pay extra API credits (uses your existing subscription)
#
# For development/local usage: Use Option 2 if you have subscription
# For Docker/production: Use Option 1 (API key is simpler in containers)
# ============================================================================

# OPTION 1: Set this if using API key
CLAUDE_API_KEY=
# OPTION 2: Leave empty and run "claude-code login" before starting bot

# Backend API URL
# Development: http://localhost:8001
# Docker: http://roa-backend:8000
BACKEND_URL=http://roa-backend:8000

# ============================================================================
# EMAIL AUTHENTICATION (SMTP) CONFIGURATION
# ============================================================================
# Required for email-based 2FA authentication flow
# Users can log in with email + password instead of web app linking

# SMTP Server Configuration
SMTP_HOST=mail.romfast.ro
SMTP_PORT=587
SMTP_USER=ups@romfast.ro
SMTP_PASSWORD=your_smtp_password_here
SMTP_FROM_EMAIL=ups@romfast.ro
SMTP_FROM_NAME=ROA2WEB
SMTP_USE_TLS=true

# Email Sending Settings
EMAIL_MAX_RETRIES=3
EMAIL_RETRY_DELAY=2.0
EMAIL_CODE_EXPIRY_MINUTES=5
EMAIL_CODE_LENGTH=6
MAX_EMAIL_ATTEMPTS_PER_HOUR=3

# Session Security (must match backend AUTH_SESSION_SECRET)
# Generate with: python3 -c "import secrets; print(secrets.token_urlsafe(32))"
AUTH_SESSION_SECRET=your-secure-random-secret-here-min-32-chars

# ============================================================================
# DATABASE CONFIGURATION
# ============================================================================
# SQLite Database Path (STANDALONE)
# This is where user data, auth codes, and sessions are stored
# Development: ./data/telegram_bot.db
# Docker: /app/data/telegram_bot.db
SQLITE_DB_PATH=/app/data/telegram_bot.db

# ============================================================================
# NETWORKING CONFIGURATION
# ============================================================================
# Internal API Port (for backend to call telegram-bot)
# This port is used by the backend to save auth codes
INTERNAL_API_PORT=8002

# ============================================================================
# OPTIONAL CONFIGURATION
# ============================================================================
# Logging Level
# Options: DEBUG, INFO, WARNING, ERROR, CRITICAL
LOG_LEVEL=INFO

# Sentry DSN for error monitoring (optional)
# Get from: https://sentry.io/
SENTRY_DSN=

# Environment
# Options: development, production
ENVIRONMENT=production
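The two checks the commit message and the `.env.example` comments describe, a session token signed with `AUTH_SESSION_SECRET` so a request cannot claim another Telegram user id, and a 6-digit e-mail code that stops working after `EMAIL_CODE_EXPIRY_MINUTES`, modelled in Python as an added example. This is not the project's code; the token format (user id followed by an HMAC-SHA256 hex digest) and the constant-time comparison are assumptions, since the page does not show the implementation, and all values are constructed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed stand-ins for the .env values; a real deployment reads them
# from the environment and never hard-codes them.
AUTH_SESSION_SECRET = secrets.token_urlsafe(32)  # as the .env comment suggests
EMAIL_CODE_LENGTH = 6                             # EMAIL_CODE_LENGTH
EMAIL_CODE_EXPIRY_MINUTES = 5                     # EMAIL_CODE_EXPIRY_MINUTES


def mint_session_token(telegram_user_id: int, secret: str = AUTH_SESSION_SECRET) -> str:
    """Bind a session to one Telegram user id (assumed format: id.hmac_hex)."""
    mac = hmac.new(secret.encode(), str(telegram_user_id).encode(), hashlib.sha256)
    return f"{telegram_user_id}.{mac.hexdigest()}"


def verify_session_token(token: str, claimed_user_id: int,
                         secret: str = AUTH_SESSION_SECRET) -> bool:
    """Fail closed when the signed id, the claimed id, or the MAC disagree."""
    try:
        signed_id, mac_hex = token.rsplit(".", 1)
    except ValueError:
        return False
    if signed_id != str(claimed_user_id):      # the id in the request was altered
        return False
    expected = hmac.new(secret.encode(), signed_id.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac_hex)


def issue_email_code(now: Optional[float] = None) -> Tuple[str, float]:
    """Return a zero-padded 6-digit code and the time at which it expires."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** EMAIL_CODE_LENGTH):0{EMAIL_CODE_LENGTH}d}"
    return code, now + EMAIL_CODE_EXPIRY_MINUTES * 60


def verify_email_code(submitted: str, code: str, expires_at: float,
                      now: Optional[float] = None) -> bool:
    """Reject expired codes first, then compare in constant time."""
    now = time.time() if now is None else now
    if now >= expires_at:
        return False
    return hmac.compare_digest(submitted.encode(), code.encode())
```

Because the bot and the backend must share the same `AUTH_SESSION_SECRET`, a token minted on one side verifies on the other, while a token replayed with a different user id or a different secret is rejected.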