Only @tutlot.com emails allowed for registration (checked server-side,
invisible to frontend inspect). Wrong domain → scary message + IP
violation tracked. 5 violations → IP permanently blocked from login
and registration. Block screen with OK button on frontend.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When signal has geo, show clickable Google Maps link instead of raw
coordinates. Without geo, show "Гео нету". Added parse_mode=HTML
to send_message for link rendering.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Login now requires login/email + password verified against DB via
/api/auth/login. Only approved registrations can access the app.
Signal endpoint accepts JWT Bearer tokens alongside legacy api_key auth.
Old UUID-only registration flow removed from frontend.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Дублирует аналогичный fix в telegram.py — httpcore тоже логирует
URLs с BOT_TOKEN на transport уровне. Синхронизировано с ручным
патчем на сервере.
Refs: #1303, #1309
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add validate_bot_token() to backend/telegram.py: calls getMe on startup,
logs ERROR if token is invalid (never raises per #1215 contract)
- Call validate_bot_token() in lifespan() after db.init_db() for early detection
- Update conftest.py make_app_client() to mock getMe endpoint
- Add 3 tests for validate_bot_token (200, 401, network error cases)
Root cause: CHAT_ID=5190015988 (positive) was wrong — fixed to -5190015988
on server per decision #1212. Group "Big Red Button" confirmed via getChat.
Service restarted.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
