chatwoot admin panel fixes

nginx-testforapp-test-base.conf

@@ -70,13 +70,14 @@ location ~ ^/dfab0676b6cb6b257370fb5743d8ddac42ab8153c2661072e8ef2717a10fcfaa/(a
     access_log off;
 }
 
+# Admin panel: allow embedding in Chatwoot iframe (frame-ancestors); do not set X-Frame-Options here so CSP applies
 location /dfab0676b6cb6b257370fb5743d8ddac42ab8153c2661072e8ef2717a10fcfaa/ {
     alias /opt/app/admin-panel/;
     index index.html;
     try_files $uri $uri/ /dfab0676b6cb6b257370fb5743d8ddac42ab8153c2661072e8ef2717a10fcfaa/index.html;
     expires 0;
     add_header Cache-Control "no-store, no-cache, must-revalidate";
-    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Content-Security-Policy "frame-ancestors 'self' https://honey-support.online;" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
 }

src/main/java/com/honey/honey/controller/AdminUserController.java

@@ -1,7 +1,9 @@
 package com.honey.honey.controller;
 
 import com.honey.honey.dto.*;
+import com.honey.honey.model.UserA;
 import com.honey.honey.service.AdminUserService;
+import com.honey.honey.service.UserService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageRequest;
@@ -33,6 +35,7 @@ public class AdminUserController {
     private static final Set<String> WITHDRAWAL_SORT_FIELDS = Set.of("id", "usdAmount", "cryptoName", "amountToSend", "txhash", "status", "paymentId", "createdAt", "resolvedAt");
 
     private final AdminUserService adminUserService;
+    private final UserService userService;
 
     private boolean isGameAdmin() {
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
@@ -115,8 +118,24 @@ public class AdminUserController {
         return ResponseEntity.ok(response);
     }
 
+    /**
+     * Resolve Honey user ID from Telegram user ID.
+     * Used by the Chatwoot embed when the contact has no honey_user_id set:
+     * Chatwoot (Telegram channel) often uses Telegram user ID as contact identifier.
+     */
+    @GetMapping("/by-telegram-id")
+    @PreAuthorize("hasAnyRole('ADMIN', 'GAME_ADMIN', 'TICKETS_SUPPORT')")
+    public ResponseEntity<Map<String, Integer>> getUserByTelegramId(@RequestParam("telegram_id") Long telegramId) {
+        if (telegramId == null) {
+            return ResponseEntity.badRequest().build();
+        }
+        return userService.getUserByTelegramId(telegramId)
+                .map(user -> ResponseEntity.ok(Map.of("id", user.getId())))
+                .orElse(ResponseEntity.notFound().build());
+    }
+
     @GetMapping("/{id}")
-    @PreAuthorize("hasAnyRole('ADMIN', 'GAME_ADMIN')")
+    @PreAuthorize("hasAnyRole('ADMIN', 'GAME_ADMIN', 'TICKETS_SUPPORT')")
     public ResponseEntity<AdminUserDetailDto> getUserDetail(@PathVariable Integer id) {
         AdminUserDetailDto userDetail = adminUserService.getUserDetail(id, isGameAdmin());
         if (userDetail == null) {