app.py

from flask import Flask, render_template_string, request, redirect, url_for, jsonify, flash, send_from_directory
import json
import os
import logging
import threading
import time
from datetime import datetime
from huggingface_hub import HfApi, hf_hub_download
from huggingface_hub.utils import RepositoryNotFoundError, HfHubHTTPError
from werkzeug.utils import secure_filename
from dotenv import load_dotenv
import uuid
import hmac
import hashlib
import urllib.parse
import requests

load_dotenv()

app = Flask(name)
app.secret_key = os.getenv("FLASK_SECRET_KEY", 'telegram_wall_secret_key_for_flash_messages_only')

--- CONFIGURATION ---

DATA_FILE = 'wall_data.json'
UPLOAD_FOLDER = 'uploads'
SYNC_FILES = [DATA_FILE, UPLOAD_FOLDER] # Will be treated as a list of files/folders
MAX_CONTENT_LENGTH = 16 * 1024 * 1024 # 16 MB limit for file uploads
ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif', 'mp4', 'mov', 'avi', 'pdf', 'doc', 'docx', 'txt'}

if not os.path.exists(UPLOAD_FOLDER):
os.makedirs(UPLOAD_FOLDER)

app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
app.config['MAX_CONTENT_LENGTH'] = MAX_CONTENT_LENGTH

REPO_ID = os.getenv("HF_REPO_ID", "Kgshop/telegram-wall-app")
HF_TOKEN_WRITE = os.getenv("HF_TOKEN_WRITE")
HF_TOKEN_READ = os.getenv("HF_TOKEN_READ")

NOTE: The provided token is not a real Telegram Bot Token format.
A real token looks like: <BOT_ID>:<RANDOM_STRING>

TELEGRAM_BOT_TOKEN = os.getenv("TELEGRAM_BOT_TOKEN", "7549355625:AAGYWatM-nUVQirgBiBwoAtWZgzfp3QnQjY")

DOWNLOAD_RETRIES = 3
DOWNLOAD_DELAY = 5

logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

--- UTILITIES ---

def allowed_file(filename):
return '.' in filename and
filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

def download_db_from_hf(specific_file=None, retries=DOWNLOAD_RETRIES, delay=DOWNLOAD_DELAY):
token_to_use = HF_TOKEN_READ if HF_TOKEN_READ else HF_TOKEN_WRITE
files_to_download = [specific_file] if specific_file else SYNC_FILES
all_successful = True
for file_name in files_to_download:
if file_name == UPLOAD_FOLDER:
logging.info("Skipping UPLOAD_FOLDER direct download as it's typically large. Requires git-lfs/separate process.")
continue

code
Code
download
content_copy
expand_less
success = False
    for attempt in range(retries + 1):
        try:
            logging.info(f"Downloading {file_name} (Attempt {attempt + 1}/{retries + 1})...")
            local_path = hf_hub_download(
                repo_id=REPO_ID, filename=file_name, repo_type="dataset",
                token=token_to_use, local_dir=".", local_dir_use_symlinks=False,
                force_download=True, resume_download=False
            )
            logging.info(f"Successfully downloaded {file_name} to {local_path}.")
            success = True
            break
        except RepositoryNotFoundError:
             logging.error(f"Repository {REPO_ID} not found. Download cancelled for all files.")
             return False
        except HfHubHTTPError as e:
            if e.response.status_code == 404:
                logging.warning(f"File {file_name} not found in repo {REPO_ID} (404). Skipping this file.")
                if attempt == 0 and not os.path.exists(file_name):
                    try:
                        if file_name == DATA_FILE:
                            default_data = {'posts': [], 'users': {}}
                            with open(file_name, 'w', encoding='utf-8') as f:
                                json.dump(default_data, f)
                            logging.info(f"Created empty local file {file_name} because it was not found on HF.")
                    except Exception as create_e:
                        logging.error(f"Failed to create empty local file {file_name}: {create_e}")
                success = True
                break
            else:
                logging.error(f"HTTP error downloading {file_name} (Attempt {attempt + 1}): {e}. Retrying in {delay}s...")
        except Exception as e:
             logging.error(f"Unexpected error downloading {file_name} (Attempt {attempt + 1}): {e}. Retrying in {delay}s...", exc_info=True)
        if attempt < retries: time.sleep(delay)
    if not success:
        logging.error(f"Failed to download {file_name} after {retries + 1} attempts.")
        all_successful = False
return all_successful

def upload_db_to_hf(specific_file=None):
if not HF_TOKEN_WRITE:
logging.warning("HF_TOKEN_WRITE not set. Skipping upload to Hugging Face.")
return
try:
api = HfApi()
files_to_upload = [specific_file] if specific_file and specific_file != UPLOAD_FOLDER else []

code
Code
download
content_copy
expand_less
if not specific_file:
        files_to_upload = [DATA_FILE]
        # Add files from UPLOAD_FOLDER
        for root, _, files in os.walk(UPLOAD_FOLDER):
            for file_name in files:
                local_path = os.path.join(root, file_name)
                path_in_repo = local_path 
                files_to_upload.append((local_path, path_in_repo))

    logging.info(f"Starting upload of {len(files_to_upload)} files/paths to HF repo {REPO_ID}...")
    
    for item in files_to_upload:
        local_path = item if isinstance(item, tuple) else item
        path_in_repo = item if isinstance(item, tuple) else item
        
        if os.path.exists(local_path):
            try:
                api.upload_file(
                    path_or_fileobj=local_path, path_in_repo=path_in_repo, repo_id=REPO_ID,
                    repo_type="dataset", token=HF_TOKEN_WRITE,
                    commit_message=f"Sync {path_in_repo} {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}"
                )
                logging.info(f"File {path_in_repo} successfully uploaded to Hugging Face.")
            except Exception as e:
                 logging.error(f"Error uploading file {path_in_repo} to Hugging Face: {e}")
        else:
            logging.warning(f"File {local_path} not found locally, skipping upload.")
    logging.info("Finished uploading files to HF.")
except Exception as e:
    logging.error(f"General error during Hugging Face upload initialization or process: {e}", exc_info=True)

def periodic_backup():
backup_interval = 1800
logging.info(f"Setting up periodic backup every {backup_interval} seconds.")
while True:
time.sleep(backup_interval)
logging.info("Starting periodic backup...")
upload_db_to_hf()
logging.info("Periodic backup finished.")

def load_data():
default_data = {'posts': [], 'users': {}}
try:
with open(DATA_FILE, 'r', encoding='utf-8') as file:
data = json.load(file)
logging.info(f"Local data loaded successfully from {DATA_FILE}")
if not isinstance(data, dict): raise FileNotFoundError
for key in default_data:
if key not in data: data[key] = default_data[key]
return data
except (FileNotFoundError, json.JSONDecodeError) as e:
logging.warning(f"Error loading local data ({e}). Attempting download from HF.")

code
Code
download
content_copy
expand_less
if download_db_from_hf(specific_file=DATA_FILE):
    try:
        with open(DATA_FILE, 'r', encoding='utf-8') as file:
            data = json.load(file)
        logging.info(f"Data loaded successfully from {DATA_FILE} after download.")
        if not isinstance(data, dict): return default_data
        for key in default_data:
            if key not in data: data[key] = default_data[key]
        return data
    except Exception as load_e:
        logging.error(f"Error loading downloaded {DATA_FILE}: {load_e}. Using default.", exc_info=True)
        return default_data
else:
    logging.error(f"Failed to download {DATA_FILE} from HF. Using empty default data structure.")
    if not os.path.exists(DATA_FILE):
        try:
            with open(DATA_FILE, 'w', encoding='utf-8') as f: json.dump(default_data, f)
            logging.info(f"Created empty local file {DATA_FILE} after failed download.")
        except Exception as create_e:
            logging.error(f"Failed to create empty local file {DATA_FILE}: {create_e}")
    return default_data

def save_data(data):
try:
if not isinstance(data, dict):
logging.error("Attempted to save invalid data structure (not a dict). Aborting save.")
return
default_keys = {'posts': [], 'users': {}}
for key in default_keys:
if key not in data: data[key] = default_keys[key]

code
Code
download
content_copy
expand_less
with open(DATA_FILE, 'w', encoding='utf-8') as file:
        json.dump(data, file, ensure_ascii=False, indent=4)
    logging.info(f"Data successfully saved to {DATA_FILE}")
    threading.Thread(target=upload_db_to_hf, args=(DATA_FILE,), daemon=True).start()
except Exception as e:
    logging.error(f"Error saving data to {DATA_FILE}: {e}", exc_info=True)

def verify_telegram_auth_data(auth_data_str, bot_token):
if not auth_data_str:
return False, None

code
Code
download
content_copy
expand_less
params = dict(urllib.parse.parse_qsl(auth_data_str))
if 'hash' not in params:
    return False, None

received_hash = params.pop('hash')

sorted_params = sorted(params.items())
data_check_string_parts = []
for key, value in sorted_params:
    data_check_string_parts.append(f"{key}={value}")

data_check_string = "\n".join(data_check_string_parts)

secret_key = hmac.new("WebAppData".encode(), bot_token.encode(), hashlib.sha256).digest()
calculated_hash = hmac.new(secret_key, data_check_string.encode(), hashlib.sha256).hexdigest()

if calculated_hash == received_hash:
    try:
        user_data = json.loads(params.get('user', '{}'))
        # Get chat_id if available (often same as user_id in private chats)
        chat_id = params.get('chat_id', user_data.get('id')) 
        user_data['chat_id'] = chat_id
        return True, user_data
    except json.JSONDecodeError:
        return False, None
return False, None

def get_authenticated_user_details(request_headers):
auth_data_str = request_headers.get('X-Telegram-Auth')
if not auth_data_str:
return None
is_valid, user_data_from_auth = verify_telegram_auth_data(auth_data_str, TELEGRAM_BOT_TOKEN)
if is_valid and user_data_from_auth:
data = load_data()
user_id_str = str(user_data_from_auth.get('id'))
return data.get('users', {}).get(user_id_str)
return None

def send_telegram_notification(chat_id, message):
if not TELEGRAM_BOT_TOKEN:
logging.warning("TELEGRAM_BOT_TOKEN not set. Cannot send notification.")
return

code
Code
download
content_copy
expand_less
url = f"https://api.telegram.org/bot{TELEGRAM_BOT_TOKEN}/sendMessage"
payload = {
    'chat_id': chat_id,
    'text': message,
    'parse_mode': 'HTML'
}

try:
    response = requests.post(url, data=payload, timeout=5)
    response.raise_for_status()
    logging.info(f"Notification sent to {chat_id}.")
    return response.json()
except requests.exceptions.RequestException as e:
    logging.error(f"Error sending Telegram notification to {chat_id}: {e}")
    return None
--- API ROUTES ---

@app.route('/api/auth_user', methods=['POST'])
def auth_user():
auth_data_str = request.headers.get('X-Telegram-Auth')
if not auth_data_str:
init_data_payload = request.json.get('init_data')
if init_data_payload:
auth_data_str = init_data_payload
else:
return jsonify({"error": "Authentication data not provided"}), 401

code
Code
download
content_copy
expand_less
is_valid, user_data_from_auth = verify_telegram_auth_data(auth_data_str, TELEGRAM_BOT_TOKEN)

if not is_valid or not user_data_from_auth:
    return jsonify({"error": "Invalid authentication data"}), 403

data = load_data()
users = data.get('users', {})
user_id_str = str(user_data_from_auth.get('id'))

# Update/Create user record
user_record = users.get(user_id_str, {})

# Store chat_id (assuming it is available or fallback to user_id)
# Note: In a real-world bot, the chat_id should be captured during the /start command.
user_record.update({
    'id': user_data_from_auth.get('id'),
    'chat_id': user_data_from_auth.get('chat_id') or user_data_from_auth.get('id'), # Critical for notifications
    'first_name': user_data_from_auth.get('first_name'),
    'last_name': user_data_from_auth.get('last_name'),
    'username': user_data_from_auth.get('username'),
    'language_code': user_data_from_auth.get('language_code'),
    'photo_url': user_data_from_auth.get('photo_url'),
    'last_seen': datetime.now().isoformat()
})

if 'first_seen' not in user_record:
    user_record['first_seen'] = datetime.now().isoformat()

users[user_id_str] = user_record
data['users'] = users
save_data(data)

return jsonify({"message": "User authenticated", "user": users[user_id_str]}), 200

@app.route('/api/users', methods=['GET'])
def get_users():
# Only authenticated users can view the list
if not get_authenticated_user_details(request.headers):
return jsonify({"error": "Authentication required"}), 401

code
Code
download
content_copy
expand_less
data = load_data()
user_list = list(data.get('users', {}).values())
# Return limited user info for the list
safe_user_list = [{
    'id': user['id'],
    'first_name': user['first_name'],
    'last_name': user['last_name'],
    'username': user.get('username'),
    'photo_url': user.get('photo_url')
} for user in user_list]

return jsonify(sorted(safe_user_list, key=lambda x: x.get('first_name', 'z'))), 200

@app.route('/api/wall/<user_id>', methods=['GET'])
def get_user_wall(user_id):
if not get_authenticated_user_details(request.headers):
return jsonify({"error": "Authentication required"}), 401

code
Code
download
content_copy
expand_less
data = load_data()
all_posts = data.get('posts', [])

# Filter posts:
# 1. Posts made by the user_id on their own wall (target_user_id is None or same as user_id)
# 2. Posts made by *others* targeting this user_id's wall
wall_posts = [
    post for post in all_posts
    if (str(post.get('user_id')) == str(user_id) and not post.get('target_user_id')) or 
       (str(post.get('target_user_id')) == str(user_id))
]

# Enrich posts with user info (poster and target)
users = data.get('users', {})
enriched_posts = []
for post in sorted(wall_posts, key=lambda x: x.get('timestamp', ''), reverse=True):
    poster = users.get(str(post['user_id']), {})
    target = users.get(str(post.get('target_user_id')), {}) if post.get('target_user_id') else None
    
    enriched_post = post.copy()
    enriched_post['poster_name'] = f"{poster.get('first_name', 'Unknown')} {poster.get('last_name', '')}".strip()
    enriched_post['poster_username'] = poster.get('username', None)
    if target:
        enriched_post['target_name'] = f"{target.get('first_name', 'Unknown')} {target.get('last_name', '')}".strip()
        enriched_post['target_username'] = target.get('username', None)
    
    enriched_posts.append(enriched_post)
    
return jsonify(enriched_posts), 200

@app.route('/api/post/<target_user_id>', methods=['POST'])
def create_post(target_user_id):
user = get_authenticated_user_details(request.headers)
if not user:
return jsonify({"error": "Authentication required or user not found in DB"}), 401

code
Code
download
content_copy
expand_less
if str(target_user_id) == 'me':
    target_user_id = str(user['id'])

data = load_data()
users = data.get('users', {})
target_user = users.get(str(target_user_id))

if not target_user:
    return jsonify({"error": "Target user not found"}), 404

text_content = request.form.get('content', '').strip()
file = request.files.get('file')

if not text_content and not file:
    return jsonify({"error": "Post must contain text or a file"}), 400

new_post = {
    "id": str(uuid.uuid4()),
    "user_id": str(user['id']),
    "target_user_id": str(target_user_id) if str(target_user_id) != str(user['id']) else None, # Null for own wall post
    "timestamp": datetime.now().isoformat(),
    "content": text_content,
    "type": "text",
    "file_path": None
}

# Handle file upload
if file and file.filename:
    if not allowed_file(file.filename):
        return jsonify({"error": "File type not allowed"}), 400
    
    extension = file.filename.rsplit('.', 1)[[1](https://www.google.com/url?sa=E&q=https%3A%2F%2Fvertexaisearch.cloud.google.com%2Fgrounding-api-redirect%2FAUZIYQF6S04rq1C0Z_rbzF1NSAxsil9bBG4L3nuHOSOAbHHtJiwnE2LxVsPOVpiPhBXRK6XaybxBsn0UZ9Mn1KLhTGONkEjmCPX1AD7mT0SoQ15oTUhmR7n6PGa73aBGIEQ67iFmSMDvPPA3aXv6RLq5SesfTK1HYQ3z5Q%3D%3D)].lower()
    filename = secure_filename(f"{new_post['id']}.{extension}")
    file_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
    
    try:
        file.save(file_path)
        new_post['file_path'] = filename
        
        if extension in ['png', 'jpg', 'jpeg', 'gif']: new_post['type'] = 'photo'
        elif extension in ['mp4', 'mov', 'avi']: new_post['type'] = 'video'
        else: new_post['type'] = 'document'
        
        # Asynchronously upload file to HF
        threading.Thread(target=upload_db_to_hf, args=((file_path, os.path.join(UPLOAD_FOLDER, filename)),), daemon=True).start()

    except Exception as e:
        logging.error(f"File save/upload failed: {e}")
        return jsonify({"error": f"Failed to save file: {e}"}), 500

data['posts'].append(new_post)
save_data(data)

# --- Notification Logic ---
if str(target_user_id) != str(user['id']):
    # Post to another user's wall, send notification to the target user
    poster_name = user.get('first_name', 'Someone')
    target_chat_id = target_user.get('chat_id')
    
    if target_chat_id:
        message = f"📢 New post on your wall!\n\n<b>{poster_name}</b> posted: {text_content[:100]}..."
        threading.Thread(target=send_telegram_notification, args=(target_chat_id, message), daemon=True).start()

return jsonify(new_post), 201

@app.route('/api/post/<post_id>', methods=['DELETE'])
def delete_post(post_id):
user = get_authenticated_user_details(request.headers)
if not user: return jsonify({"error": "Authentication required or user not found in DB"}), 401

code
Code
download
content_copy
expand_less
data = load_data()
posts_list = data.get('posts', [])
original_length = len(posts_list)

item_to_delete = next((i for i in posts_list if i['id'] == post_id), None)
if not item_to_delete: return jsonify({"error": "Post not found"}), 404

# Allow deleting if the user is the poster OR the user is the wall owner (if target_user_id is set)
is_poster = str(item_to_delete.get('user_id')) == str(user.get('id'))
is_wall_owner = str(item_to_delete.get('target_user_id')) == str(user.get('id'))

if not is_poster and not is_wall_owner:
    return jsonify({"error": "Forbidden: You can only delete your own posts or posts on your wall"}), 403

# Delete the associated file if it exists
file_path = item_to_delete.get('file_path')
if file_path:
    full_path = os.path.join(app.config['UPLOAD_FOLDER'], file_path)
    if os.path.exists(full_path):
        os.remove(full_path)
        logging.info(f"Deleted file: {full_path}")
        # Note: File deletion on HF requires complex logic (git delete commit) - skipping for this example.

data['posts'] = [i for i in posts_list if i['id'] != post_id]

if len(data['posts']) < original_length:
    save_data(data)
    return jsonify({"message": "Post deleted successfully"}), 200
return jsonify({"error": "Post not found or deletion failed"}), 404

@app.route('/uploads/<filename>', methods=['GET'])
def uploaded_file(filename):
return send_from_directory(app.config['UPLOAD_FOLDER'], filename)

--- WEBAPP TEMPLATES & MAIN VIEW ---

MAIN_APP_TEMPLATE = '''

<!DOCTYPE html>

<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no, viewport-fit=cover">
<title>TonWall</title>
<script src="https://telegram.org/js/telegram-web-app.js"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.2/css/all.min.css">
<style>
:root {
--tg-theme-bg-color: #ffffff;
--tg-theme-text-color: #000000;
--tg-theme-hint-color: #999999;
--tg-theme-link-color: #007aff;
--tg-theme-button-color: #007aff;
--tg-theme-button-text-color: #ffffff;
--tg-theme-secondary-bg-color: #f0f0f0;
--tg-theme-header-bg-color: #efeff4;
--tg-theme-section-bg-color: #ffffff;
--tg-theme-destructive-text-color: #ff3b30;
}
body {
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Helvetica Neue", Arial, sans-serif;
margin: 0;
padding: 0;
background-color: var(--tg-theme-bg-color);
color: var(--tg-theme-text-color);
overscroll-behavior-y: none;
-webkit-font-smoothing: antialiased;
min-height: 100vh;
display: flex;
flex-direction: column;
}
.header {
background-color: var(--tg-theme-header-bg-color);
padding: 12px 15px;
text-align: center;
font-weight: 600;
font-size: 17px;
border-bottom: 0.5px solid var(--tg-theme-secondary-bg-color);
position: sticky;
top: 0;
z-index: 100;
}
.content { flex-grow: 1; padding: 10px 0; overflow-x: hidden; transition: opacity 0.2s ease-out; }
.footer-nav {
display: flex;
justify-content: space-around;
background-color: var(--tg-theme-header-bg-color);
border-top: 0.5px solid var(--tg-theme-hint-color);
position: sticky;
bottom: 0;
z-index: 100;
padding-top: 5px;
padding-bottom: env(safe-area-inset-bottom);
}
.nav-button {
display: flex;
flex-direction: column;
align-items: center;
padding: 5px 0 8px 0;
flex-grow: 1;
cursor: pointer;
background: none;
border: none;
color: var(--tg-theme-hint-color);
font-size: 11px;
font-weight: 500;
-webkit-tap-highlight-color: transparent;
transition: color 0.2s ease;
}
.nav-button.active { color: var(--tg-theme-link-color); }
.nav-button i { font-size: 20px; margin-bottom: 2px; }

code
Code
download
content_copy
expand_less
/* Wall Styles */
    .post-list { display: flex; flex-direction: column; gap: 10px; padding: 0 15px; }
    .post-card {
        background-color: var(--tg-theme-section-bg-color);
        padding: 15px;
        border-radius: 10px;
        box-shadow: 0 2px 8px rgba(0,0,0,0.06);
        word-wrap: break-word;
    }
    .post-header { display: flex; align-items: center; margin-bottom: 10px; }
    .post-header img { width: 40px; height: 40px; border-radius: 50%; margin-right: 10px; object-fit: cover; background-color: var(--tg-theme-secondary-bg-color); }
    .post-info { flex-grow: 1; }
    .post-info h4 { margin: 0; font-size: 15px; font-weight: 600; color: var(--tg-theme-text-color); }
    .post-info span { font-size: 12px; color: var(--tg-theme-hint-color); }
    .post-content p { margin: 5px 0; font-size: 15px; color: var(--tg-theme-text-color); white-space: pre-wrap; }
    .post-content a { color: var(--tg-theme-link-color); text-decoration: none; }
    .post-content a:hover { text-decoration: underline; }
    .post-content .media-container { max-width: 100%; border-radius: 8px; overflow: hidden; margin-top: 10px; }
    .post-content img, .post-content video { width: 100%; height: auto; display: block; }

    /* User List Styles */
    .user-list { padding: 10px 15px; display: flex; flex-direction: column; gap: 1px; }
    .user-list-item {
        display: flex;
        align-items: center;
        padding: 12px 15px;
        background-color: var(--tg-theme-section-bg-color);
        border-radius: 8px;
        margin-bottom: 8px;
        box-shadow: 0 1px 4px rgba(0,0,0,0.05);
        cursor: pointer;
        transition: background-color 0.1s ease;
    }
    .user-list-item:active { background-color: var(--tg-theme-secondary-bg-color); }
    .user-list-item img { width: 45px; height: 45px; border-radius: 50%; margin-right: 15px; object-fit: cover; background-color: var(--tg-theme-secondary-bg-color); }
    .user-list-item span { font-size: 16px; font-weight: 500; color: var(--tg-theme-text-color); }

    /* Form Styles */
    .form-container { padding: 20px 15px; }
    .form-group { margin-bottom: 18px; }
    .form-group label { display: block; font-size: 14px; color: var(--tg-theme-hint-color); margin-bottom: 6px; font-weight: 500; }
    .form-group textarea {
        width: 100%;
        padding: 12px;
        border: 1px solid var(--tg-theme-secondary-bg-color);
        border-radius: 8px;
        font-size: 16px;
        background-color: var(--tg-theme-bg-color);
        color: var(--tg-theme-text-color);
        box-sizing: border-box;
        transition: border-color 0.2s ease;
        min-height: 100px;
        resize: vertical;
    }
    .form-group input[type="file"] { border: none; padding: 5px 0; }
    .form-group textarea:focus { border-color: var(--tg-theme-link-color); outline: none; }
    .error-message { color: var(--tg-theme-destructive-text-color); font-size: 14px; margin-top: 10px; text-align: center; }
    .loading, .empty-state { text-align: center; padding: 50px 15px; color: var(--tg-theme-hint-color); font-size: 16px; }
    
    .delete-button {
        margin-top: 10px;
        padding: 6px 12px;
        background-color: var(--tg-theme-destructive-text-color);
        color: var(--tg-theme-button-text-color);
        border: none;
        border-radius: 6px;
        cursor: pointer;
        font-size: 13px;
        transition: opacity 0.1s;
    }
    .delete-button:active { opacity: 0.8; }

    /* Media utility classes */
    .media-image { max-height: 400px; object-fit: cover; }
    .media-video { max-height: 400px; }
    .media-document {
        background-color: var(--tg-theme-secondary-bg-color);
        padding: 10px;
        border-radius: 6px;
        font-size: 14px;
        display: flex;
        align-items: center;
    }
    .media-document i { margin-right: 8px; font-size: 18px; color: var(--tg-theme-link-color); }
    .media-document span { font-weight: 500; }
</style>
</head>
<body>
<div class="app-container">
<div class="header" id="appHeader"></div>
<div class="content" id="mainContent">
<div class="loading">Loading...</div>
</div>
<div class="footer-nav" id="footerNav">
<button class="nav-button active" data-view="my_wall" id="navMyWall">
<i class="fas fa-home"></i>
<span id="labelMyWall">My Wall</span>
</button>
<button class="nav-button" data-view="users" id="navUsers">
<i class="fas fa-users"></i>
<span id="labelUsers">Users</span>
</button>
<button class="nav-button" data-view="new_post" id="navNewPost">
<i class="fas fa-plus-circle"></i>
<span id="labelNewPost">New Post</span>
</button>
</div>
</div>

code
Code
download
content_copy
expand_less
<script>
    const tg = window.Telegram.WebApp;
    let currentUser = null;
    let currentView = 'my_wall'; 
    let currentTargetUserId = null; 
    const mainContent = document.getElementById('mainContent');
    const footerNav = document.getElementById('footerNav');
    const appHeader = document.getElementById('appHeader');
    
    const langCode = tg.initDataUnsafe.user?.language_code;
    const isRussian = langCode && (langCode.startsWith('ru') || langCode.startsWith('uk') || langCode.startsWith('be'));

    const T = {
        'My Wall': isRussian ? 'Моя Стена' : 'My Wall',
        'Users': isRussian ? 'Пользователи' : 'Users',
        'New Post': isRussian ? 'Новая Запись' : 'New Post',
        'Post on Wall': isRussian ? 'Опубликовать на Стену' : 'Post on Wall',
        'Users List': isRussian ? 'Список Пользователей' : 'Users List',
        'Wall of': isRussian ? 'Стена' : 'Wall of',
        'Post Text': isRussian ? 'Текст записи...' : 'Post Text...',
        'Attachment (optional)': isRussian ? 'Вложение (необязательно)' : 'Attachment (optional)',
        'Post': isRussian ? 'Опубликовать' : 'Post',
        'No posts found.': isRussian ? 'Записей не найдено.' : 'No posts found.',
        'No users found.': isRussian ? 'Пользователей не найдено.' : 'No users found.',
        'Loading...': isRussian ? 'Загрузка...' : 'Loading...',
        'Posted by': isRussian ? 'Опубликовано' : 'Posted by',
        'on': isRussian ? 'на' : 'on',
        'View Wall': isRussian ? 'Посмотреть Стену' : 'View Wall',
        'Delete Post?': isRussian ? 'Удалить эту запись?' : 'Delete this post?',
        'Post deleted.': isRussian ? 'Запись удалена.' : 'Post deleted.',
        'Post failed.': isRussian ? 'Ошибка публикации.' : 'Post failed.',
        'Error loading.': isRussian ? 'Ошибка загрузки.' : 'Error loading.',
        'File': isRussian ? 'Файл' : 'File',
        'Document': isRussian ? 'Документ' : 'Document',
        'Video': isRussian ? 'Видео' : 'Video',
        'Photo': isRussian ? 'Фото' : 'Photo',
        'Post must contain text or a file': isRussian ? 'Запись должна содержать текст или файл' : 'Post must contain text or a file',
        'Delete': isRussian ? 'Удалить' : 'Delete',
        'to your wall': isRussian ? 'на вашу стену' : 'to your wall',
        'on the wall of': isRussian ? 'на стене' : 'on the wall of'
    };

    function translateUI() {
        document.getElementById('appHeader').textContent = 'TonWall';
        document.getElementById('labelMyWall').textContent = T['My Wall'];
        document.getElementById('labelUsers').textContent = T['Users'];
        document.getElementById('labelNewPost').textContent = T['New Post'];
    }

    function applyThemeParams() {
        const rootStyle = document.documentElement.style;
        // Use fallback colors based on Telegram WebApp documentation
        rootStyle.setProperty('--tg-theme-bg-color', tg.themeParams.bg_color || '#ffffff');
        rootStyle.setProperty('--tg-theme-text-color', tg.themeParams.text_color || '#000000');
        rootStyle.setProperty('--tg-theme-hint-color', tg.themeParams.hint_color || '#999999');
        rootStyle.setProperty('--tg-theme-link-color', tg.themeParams.link_color || '#007aff');
        rootStyle.setProperty('--tg-theme-button-color', tg.themeParams.button_color || '#007aff');
        rootStyle.setProperty('--tg-theme-button-text-color', tg.themeParams.button_button_text_color || '#ffffff');
        rootStyle.setProperty('--tg-theme-secondary-bg-color', tg.themeParams.secondary_bg_color || '#f0f0f0');
        rootStyle.setProperty('--tg-theme-header-bg-color', tg.themeParams.header_bg_color || tg.themeParams.secondary_bg_color || '#efeff4');
        rootStyle.setProperty('--tg-theme-section-bg-color', tg.themeParams.section_bg_color || tg.themeParams.bg_color || '#ffffff');
        rootStyle.setProperty('--tg-theme-destructive-text-color', tg.themeParams.destructive_text_color || '#ff3b30');
        tg.setBackgroundColor(tg.themeParams.bg_color || '#ffffff');
    }
    
    async function apiCall(endpoint, method = 'GET', body = null, isFormData = false) {
        const headers = {};
        if (tg.initData) {
            headers['X-Telegram-Auth'] = tg.initData;
        }

        const options = { method, headers };

        if (isFormData) {
            // Flask handles multipart/form-data without setting Content-Type in JS headers
            delete options.headers['Content-Type']; 
            options.body = body;
        } else if (body) {
            headers['Content-Type'] = 'application/json';
            options.body = JSON.stringify(body);
        }

        try {
            const response = await fetch(endpoint, options);
            if (response.status === 401 || response.status === 403) {
                 tg.showAlert("Authentication failed. Please restart the Mini App from the bot.");
                 throw new Error("Authentication failed");
            }
            if (!response.ok) {
                const errorData = await response.json().catch(() => ({ error: `HTTP error ${response.status}` }));
                throw new Error(errorData.error || `HTTP error ${response.status}`);
            }
            if (response.status === 204 || response.headers.get('content-length') === '0') return {}; 
            return response.json();
        } catch (error) {
            console.error('API Call Error:', error);
            tg.showAlert(error.message || T['Error loading.']);
            throw error;
        }
    }

    function getUserAvatarUrl(user) {
        return user.photo_url || 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
    }

    function getFullUserName(user) {
        let name = `${user.first_name || ''} ${user.last_name || ''}`.trim();
        if (!name) name = user.username || `User ${user.id}`;
        return name;
    }

    function renderPostMedia(post) {
        if (!post.file_path) return '';
        
        const fileUrl = `/uploads/${post.file_path}`;
        
        if (post.type === 'photo') {
            return `<div class="media-container"><img src="${fileUrl}" class="media-image" alt="${T['Photo']}"></div>`;
        } else if (post.type === 'video') {
            return `<div class="media-container"><video controls src="${fileUrl}" class="media-video"></video></div>`;
        } else if (post.type === 'document') {
            return `
                <a href="${fileUrl}" target="_blank" rel="noopener noreferrer" class="media-document">
                    <i class="fas fa-file"></i>
                    <span>${T['Document']} (${post.file_path})</span>
                </a>
            `;
        }
        return '';
    }

    function renderPostList(posts, wallOwnerId) {
        mainContent.style.opacity = 0;
        tg.BackButton.hide();
        tg.MainButton.hide();

        if (!posts || posts.length === 0) {
            mainContent.innerHTML = `<div class="empty-state">${T['No posts found.']}</div>`;
        } else {
            mainContent.innerHTML = `<div class="post-list">${posts.map(post => {
                const poster = { id: post.user_id, first_name: post.poster_name, username: post.poster_username, photo_url: post.photo_url };
                const isCurrentUserWall = String(wallOwnerId) === String(currentUser.id);
                const isPoster = String(post.user_id) === String(currentUser.id);
                const isWallOwner = isCurrentUserWall || (post.target_user_id && String(post.target_user_id) === String(currentUser.id));
                
                const postTarget = post.target_user_id 
                    ? `${T['on the wall of']} <a href="#" onclick="loadView('user_wall', '${post.target_user_id}')">${post.target_name}</a>`
                    : `${T['to your wall']}`;

                let infoLine;
                if (isCurrentUserWall && !post.target_user_id) { // My Wall main view
                    infoLine = `<span>${new Date(post.timestamp).toLocaleDateString()} ${new Date(post.timestamp).toLocaleTimeString([], {hour: '2-digit', minute:'2-digit'})}</span>`;
                } else {
                     infoLine = `<span>${T['Posted by']} <a href="#" onclick="loadView('user_wall', '${post.user_id}')">@${post.poster_username || post.poster_name}</a> ${postTarget}</span>`;
                }


                return `
                    <div class="post-card" id="post-${post.id}">
                        <div class="post-header">
                            <img src="${getUserAvatarUrl(poster)}" alt="Avatar">
                            <div class="post-info">
                                <h4>${post.poster_name}</h4>
                                <span>@${post.poster_username || 'anonymous'}</span>
                            </div>
                        </div>
                        <div class="post-content">
                            ${post.content ? `<p>${post.content.replace(/\\n/g, '<br>')}</p>` : ''}
                            ${renderPostMedia(post)}
                        </div>
                        <div style="font-size: 12px; color: var(--tg-theme-hint-color); margin-top: 10px;">
                            ${infoLine}
                        </div>
                        ${(isPoster || isWallOwner) ? `<button class="delete-button" onclick="handleDeletePost('${post.id}')">${T['Delete']}</button>` : ''}
                    </div>
                `;
            }).join('')}</div>`;
        }
        setTimeout(() => { mainContent.style.opacity = 1; }, 50);
    }

    function renderUsersList(users) {
        mainContent.style.opacity = 0;
        tg.BackButton.hide();
        tg.MainButton.hide();

        if (!users || users.length === 0) {
            mainContent.innerHTML = `<div class="empty-state">${T['No users found.']}</div>`;
        } else {
            mainContent.innerHTML = `<div class="user-list">${users.map(user => {
                const fullName = getFullUserName(user);
                return `
                    <div class="user-list-item" onclick="loadView('user_wall', '${user.id}')">
                        <img src="${getUserAvatarUrl(user)}" alt="Avatar">
                        <span>${fullName} ${user.username ? `(@${user.username})` : ''}</span>
                        <div style="margin-left: auto; color: var(--tg-theme-link-color); font-size: 14px; font-weight: 500;">${T['View Wall']}</div>
                    </div>
                `;
            }).join('')}</div>`;
        }
        setTimeout(() => { mainContent.style.opacity = 1; }, 50);
    }

    function renderNewPostForm(targetUser) {
        mainContent.style.opacity = 0;
        tg.MainButton.hide();
        const targetName = targetUser ? getFullUserName(targetUser) : getFullUserName(currentUser);
        const isTargetingSelf = !targetUser || String(targetUser.id) === String(currentUser.id);
        const targetHeader = isTargetingSelf 
            ? `${T['New Post']} (${T['My Wall']})`
            : `${T['Post on Wall']} ${targetName}`;
            
        appHeader.textContent = targetHeader;
        
        let formHtml = `<div class="form-container">
            <form id="postForm" enctype="multipart/form-data">
                <div class="form-group">
                    <label for="postContent">${T['Post Text']}</label>
                    <textarea id="postContent" name="content" placeholder="${T['Post Text']}..."></textarea>
                </div>
                <div class="form-group">
                    <label for="postFile">${T['Attachment (optional)']}</label>
                    <input type="file" id="postFile" name="file" accept="image/*,video/*,.pdf,.doc,.docx,.txt">
                </div>
                <div id="formError" class="error-message"></div>
            </form>
        </div>`;
        mainContent.innerHTML = formHtml;
        setTimeout(() => { mainContent.style.opacity = 1; }, 50);

        tg.MainButton.setText(T['Post']);
        tg.MainButton.show();
        tg.MainButton.onClick(() => handleSubmitPost(targetUser ? targetUser.id : currentUser.id));
    }
    
    function handleSubmitPost(targetUserId) {
        const content = document.getElementById('postContent').value.trim();
        const fileInput = document.getElementById('postFile');
        const file = fileInput.files;
        const formError = document.getElementById('formError');
        formError.textContent = '';

        if (!content && !file) {
            formError.textContent = T['Post must contain text or a file'];
            tg.HapticFeedback.notificationOccurred('error');
            return;
        }

        const formData = new FormData();
        formData.append('content', content);
        if (file) {
            formData.append('file', file);
        }
        
        tg.MainButton.showProgress();
        tg.HapticFeedback.impactOccurred('light');

        apiCall(`/api/post/${targetUserId}`, 'POST', formData, true)
            .then(response => {
                tg.HapticFeedback.notificationOccurred('success');
                tg.MainButton.hideProgress();
                tg.MainButton.hide();
                if (String(targetUserId) === String(currentUser.id)) {
                    loadView('my_wall'); 
                } else {
                    loadView('user_wall', targetUserId);
                }
                
            })
            .catch(err => {
                tg.HapticFeedback.notificationOccurred('error');
                tg.MainButton.hideProgress();
                formError.textContent = err.message || T['Post failed.'];
            });
    }
    
    function handleDeletePost(postId) {
        tg.showConfirm(T['Delete Post?'], (confirmed) => {
            if (confirmed) {
                tg.HapticFeedback.impactOccurred('medium');
                apiCall(`/api/post/${postId}`, 'DELETE')
                    .then(() => {
                        tg.HapticFeedback.notificationOccurred('success');
                        tg.showAlert(T['Post deleted.']);
                        // Reload current view
                        if (currentView === 'my_wall') loadView('my_wall');
                        else if (currentView === 'user_wall') loadView('user_wall', currentTargetUserId);
                    })
                    .catch(err => {
                        tg.HapticFeedback.notificationOccurred('error');
                        tg.showAlert(err.message || T['Error loading.']);
                    });
            } else {
                tg.HapticFeedback.impactOccurred('light');
            }
        });
    }

    async function loadView(viewName, userId = null) {
        if (currentView === viewName && viewName !== 'new_post' && viewName !== 'user_wall') return;

        tg.HapticFeedback.impactOccurred('light');
        currentView = viewName;
        currentTargetUserId = userId;
        
        document.querySelectorAll('.nav-button').forEach(btn => btn.classList.remove('active'));
        if (viewName !== 'user_wall' && viewName !== 'new_post') {
            document.querySelector(`.nav-button[data-view="${viewName}"]`).classList.add('active');
        }

        mainContent.innerHTML = `<div class="loading">${T['Loading...']}</div>`;
        tg.BackButton.hide();
        tg.MainButton.hide();
        
        if (viewName === 'my_wall') {
            appHeader.textContent = T['My Wall'];
            try {
                const posts = await apiCall(`/api/wall/${currentUser.id}`);
                renderPostList(posts, currentUser.id);
            } catch (e) {
                mainContent.innerHTML = `<div class="empty-state">${T['Error loading.']}</div>`;
            }
        } else if (viewName === 'users') {
            appHeader.textContent = T['Users List'];
            try {
                const users = await apiCall('/api/users');
                const filteredUsers = users.filter(u => String(u.id) !== String(currentUser.id));
                renderUsersList(filteredUsers);
            } catch (e) {
                 mainContent.innerHTML = `<div class="empty-state">${T['Error loading.']}</div>`;
            }
        } else if (viewName === 'user_wall' && userId) {
            tg.BackButton.show();
            tg.BackButton.onClick(() => loadView('users'));
            try {
                const users = await apiCall('/api/users');
                const targetUser = users.find(u => String(u.id) === String(userId));
                if (!targetUser) throw new Error("User not found");
                appHeader.textContent = `${T['Wall of']} ${getFullUserName(targetUser)}`;

                const posts = await apiCall(`/api/wall/${userId}`);
                renderPostList(posts, userId);
                
                // Add a button to post to this user's wall
                tg.MainButton.setText(T['Post on Wall']);
                tg.MainButton.show();
                tg.MainButton.onClick(() => loadView('new_post', userId));

            } catch (e) {
                mainContent.innerHTML = `<div class="empty-state">${T['Error loading.']}</div>`;
            }
        } else if (viewName === 'new_post' && userId) {
             tg.BackButton.show();
             tg.BackButton.onClick(() => {
                 if (String(userId) === String(currentUser.id)) loadView('my_wall');
                 else loadView('user_wall', userId);
             });
             try {
                 const users = await apiCall('/api/users');
                 const targetUser = users.find(u => String(u.id) === String(userId));
                 if (!targetUser) throw new Error("User not found");
                 renderNewPostForm(targetUser);
             } catch (e) {
                 mainContent.innerHTML = `<div class="empty-state">${T['Error loading.']}</div>`;
             }
        } else if (viewName === 'new_post') {
             tg.BackButton.show();
             tg.BackButton.onClick(() => loadView('my_wall'));
             renderNewPostForm(currentUser);
        }
    }
    
    async function init() {
        tg.ready();
        applyThemeParams();
        tg.expand();
        tg.enableClosingConfirmation();
        translateUI();

        tg.onEvent('themeChanged', applyThemeParams);
        
        try {
            const authResponse = await apiCall('/api/auth_user', 'POST', { init_data: tg.initData });
            currentUser = authResponse.user;
            if (!currentUser) throw new Error("Auth failed: No user object");
            
            // Set initial view to My Wall for the authenticated user
            loadView('my_wall');
            
        } catch (error) {
            console.error("Auth error:", error);
            mainContent.innerHTML = `<div class="empty-state">Authentication failed. Please launch from the Telegram bot.</div>`;
        }

        document.querySelectorAll('.nav-button').forEach(button => {
            button.addEventListener('click', () => {
                const view = button.dataset.view;
                if (view === 'new_post') {
                    loadView('new_post', currentUser.id); // Default to posting on own wall
                } else {
                    loadView(view);
                }
            });
        });
    }

    init();
</script>
</body>
</html>
'''


@app.route('/')
def main_app_view():
return render_template_string(MAIN_APP_TEMPLATE)

--- BOOTSTRAP ---

if name == 'main':
logging.info("Application starting up. Performing initial data load/download...")
download_db_from_hf()
load_data()
logging.info("Initial data load complete.")

code
Code
download
content_copy
expand_less
if HF_TOKEN_WRITE:
    backup_thread = threading.Thread(target=periodic_backup, daemon=True)
    backup_thread.start()
    logging.info("Periodic backup thread started.")
else:
    logging.warning("Periodic backup will NOT run (HF_TOKEN_WRITE not set).")

port = int(os.environ.get('PORT', 7860))
logging.info(f"Starting Flask app on host 0.0.0.0 and port {port}")
app.run(debug=False, host='0.0.0.0', port=port)