#155 refactor: remove server-side validation from SDK (#156)

- Remove validate_init_data module and ValidationKey
- Remove verify_init_data_hash from interop
- Remove dependencies: hmac-sha256, hex, base64, ed25519-dalek
- Update README to recommend init-data-rs for backend validation
- Delete validation tests

Validation must happen on the server with bot token.
Client-side SDK should not handle server responsibilities.
Recommend init-data-rs crate for backend validation.

Author: RAprogramm

Cargo.lock

@@ -42,11 +42,7 @@ web-sys = { version = "0.3", features = [
   "Location",
   "CssStyleDeclaration",
 ] }
-hmac-sha256 = "1"
-hex = "0.4"
 percent-encoding = "2"
-base64 = "0.22"
-ed25519-dalek = "2"
 masterror = { workspace = true }
 regex = "1"
 reqwest = { version = "0.12", default-features = false, features = [

Cargo.toml

@@ -678,33 +678,25 @@ with the parsed data available in the context.
 
 ### Validating initData
 
-Validate the integrity of the `Telegram.WebApp.initData` payload on the server.
-The `validate_init_data` module is re-exported at the crate root and can be
-used directly or through the `TelegramWebApp::validate_init_data` helper:
+**Server-side validation is required.** Use the [`init-data-rs`](https://github.com/escwxyz/init-data-rs) crate for backend validation:
 
-```rust,no_run
-use telegram_webapp_sdk::{
-    validate_init_data::ValidationKey,
-    TelegramWebApp
-};
+```rust,ignore
+// On your backend server
+use init_data_rs::{validate, InitData};
 
-let bot_token = "123456:ABC";
-let query = "user=alice&auth_date=1&hash=48f4c0e9d3dd46a5734bf2c5d4df9f4ec52a3cd612f6482a7d2c68e84e702ee2";
-TelegramWebApp::validate_init_data(query, ValidationKey::BotToken(bot_token))?;
+async fn authenticate(init_data_str: &str, bot_token: &str) -> Result<InitData, Box<dyn std::error::Error>> {
+    // Validate with optional expiration time (in seconds)
+    let init_data: InitData = validate(init_data_str, bot_token, Some(3600))?;
+    Ok(init_data)
+}
+```
 
-// For Ed25519-signed data
-# use ed25519_dalek::{Signer, SigningKey};
-# let sk = SigningKey::from_bytes(&[1u8;32]);
-# let pk = sk.verifying_key();
-# let sig = sk.sign(b"a=1\nb=2");
-# let init_data = format!("a=1&b=2&signature={}", base64::encode(sig.to_bytes()));
-TelegramWebApp::validate_init_data(
-    &init_data,
-    ValidationKey::Ed25519PublicKey(pk.as_bytes())
-)?;
+**Why server-side only?**
+- Bot tokens must never be exposed to client-side code
+- Validation requires secret keys that should remain on the server
+- This follows industry-standard security practices
 
-# Ok::<(), Box<dyn std::error::Error>>(())
-```
+See the [init-data-rs documentation](https://docs.rs/init-data-rs) for complete usage examples.
 
 <p align="right"><a href="#readme-top">Back to top</a></p>
 

README.md

@@ -256,22 +256,22 @@ export function apply_default_theme() {
     }
 }
 
-function wasm_bindgen__convert__closures_____invoke__h9a03a9b032c64c17(arg0, arg1) {
-    wasm.wasm_bindgen__convert__closures_____invoke__h9a03a9b032c64c17(arg0, arg1);
-}
-
 function wasm_bindgen__convert__closures_____invoke__hde3f86340efe2d67(arg0, arg1, arg2) {
     wasm.wasm_bindgen__convert__closures_____invoke__hde3f86340efe2d67(arg0, arg1, arg2);
 }
 
-function wasm_bindgen__convert__closures_____invoke__h77889b4a60ffe254(arg0, arg1) {
-    wasm.wasm_bindgen__convert__closures_____invoke__h77889b4a60ffe254(arg0, arg1);
+function wasm_bindgen__convert__closures_____invoke__h9a03a9b032c64c17(arg0, arg1) {
+    wasm.wasm_bindgen__convert__closures_____invoke__h9a03a9b032c64c17(arg0, arg1);
 }
 
 function wasm_bindgen__convert__closures_____invoke__hd9400bcc9f3461f7(arg0, arg1, arg2) {
     wasm.wasm_bindgen__convert__closures_____invoke__hd9400bcc9f3461f7(arg0, arg1, arg2);
 }
 
+function wasm_bindgen__convert__closures_____invoke__h77889b4a60ffe254(arg0, arg1) {
+    wasm.wasm_bindgen__convert__closures_____invoke__h77889b4a60ffe254(arg0, arg1);
+}
+
 const EXPECTED_RESPONSE_TYPES = new Set(['basic', 'cors', 'default']);
 
 async function __wbg_load(module, imports) {