feat: user service

2026-04-10 19:05:02 +02:00
parent 710bad712e
commit 23ffcb7535
140 changed files with 33418 additions and 952 deletions
@@ -0,0 +1,90 @@
+package authsessionuser_test
+
+import (
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestAuthsessionUserBlackBoxConfirmCreatesUserWithForwardedRegistrationContext(t *testing.T) {
+	t.Parallel()
+
+	h := newAuthsessionUserHarness(t)
+	email := "created@example.com"
+
+	challengeID := h.sendChallenge(t, email)
+	code := lastMailCodeFor(t, h.mailStub, email)
+
+	response := h.confirmCode(t, challengeID, code)
+	var confirmBody struct {
+		DeviceSessionID string `json:"device_session_id"`
+	}
+	requireJSONStatus(t, response, http.StatusOK, &confirmBody)
+	require.True(t, strings.HasPrefix(confirmBody.DeviceSessionID, "device-session-"))
+
+	lookupResponse, account := lookupUserByEmail(t, h.userServiceURL, email)
+	require.Equalf(t, http.StatusOK, lookupResponse.StatusCode, formatStatusError(lookupResponse))
+	require.Equal(t, email, account.User.Email)
+	require.Equal(t, "en", account.User.PreferredLanguage)
+	require.Equal(t, testTimeZone, account.User.TimeZone)
+	require.True(t, strings.HasPrefix(account.User.UserID, "user-"))
+	require.True(t, strings.HasPrefix(account.User.RaceName, "player-"))
+	require.Equal(t, "free", account.User.Entitlement.PlanCode)
+	require.False(t, account.User.Entitlement.IsPaid)
+	require.Empty(t, account.User.ActiveSanctions)
+	require.Empty(t, account.User.ActiveLimits)
+}
+
+func TestAuthsessionUserBlackBoxConfirmForExistingUserKeepsCreateOnlySettings(t *testing.T) {
+	t.Parallel()
+
+	h := newAuthsessionUserHarness(t)
+	email := "existing@example.com"
+
+	created := postEnsureUser(t, h.userServiceURL, email, "fr-FR", "Europe/Paris")
+	require.Equal(t, "created", created.Outcome)
+	sleepForDistinctCreatedAt()
+
+	challengeID := h.sendChallenge(t, email)
+	code := lastMailCodeFor(t, h.mailStub, email)
+
+	response := h.confirmCode(t, challengeID, code)
+	var confirmBody struct {
+		DeviceSessionID string `json:"device_session_id"`
+	}
+	requireJSONStatus(t, response, http.StatusOK, &confirmBody)
+	require.True(t, strings.HasPrefix(confirmBody.DeviceSessionID, "device-session-"))
+
+	lookupResponse, account := lookupUserByEmail(t, h.userServiceURL, email)
+	require.Equalf(t, http.StatusOK, lookupResponse.StatusCode, formatStatusError(lookupResponse))
+	require.Equal(t, created.UserID, account.User.UserID)
+	require.Equal(t, "fr-FR", account.User.PreferredLanguage)
+	require.Equal(t, "Europe/Paris", account.User.TimeZone)
+}
+
+func TestAuthsessionUserBlackBoxBlockedEmailSendIsSuccessShapedAndConfirmIsRejectedWithoutCreatingUser(t *testing.T) {
+	t.Parallel()
+
+	h := newAuthsessionUserHarness(t)
+
+	blockedAtSendEmail := "blocked-send@example.com"
+	postBlockByEmail(t, h.userServiceURL, blockedAtSendEmail)
+
+	beforeBlockedSendDeliveries := len(h.mailStub.RecordedDeliveries())
+	blockedChallengeID := h.sendChallenge(t, blockedAtSendEmail)
+	require.NotEmpty(t, blockedChallengeID)
+	require.Len(t, h.mailStub.RecordedDeliveries(), beforeBlockedSendDeliveries)
+
+	blockedAtConfirmEmail := "blocked-confirm@example.com"
+	challengeID := h.sendChallenge(t, blockedAtConfirmEmail)
+	code := lastMailCodeFor(t, h.mailStub, blockedAtConfirmEmail)
+	postBlockByEmail(t, h.userServiceURL, blockedAtConfirmEmail)
+
+	confirmResponse := h.confirmCode(t, challengeID, code)
+	requireJSONStatusRaw(t, confirmResponse, http.StatusForbidden, `{"error":{"code":"blocked_by_policy","message":"authentication is blocked by policy"}}`)
+
+	lookupResponse, _ := lookupUserByEmail(t, h.userServiceURL, blockedAtConfirmEmail)
+	requireLookupNotFound(t, lookupResponse)
+}
@@ -0,0 +1,386 @@
+package authsessionuser_test
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"testing"
+	"time"
+
+	"galaxy/integration/internal/harness"
+
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	testClientPublicKey = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="
+	testTimeZone        = "Europe/Kaliningrad"
+)
+
+type authsessionUserHarness struct {
+	mailStub *harness.MailStub
+
+	authsessionPublicURL string
+	userServiceURL       string
+
+	authsessionProcess *harness.Process
+	userServiceProcess *harness.Process
+}
+
+func newAuthsessionUserHarness(t *testing.T) *authsessionUserHarness {
+	t.Helper()
+
+	redisServer := harness.StartMiniredis(t)
+	mailStub := harness.NewMailStub(t)
+
+	userServiceAddr := harness.FreeTCPAddress(t)
+	authsessionPublicAddr := harness.FreeTCPAddress(t)
+	authsessionInternalAddr := harness.FreeTCPAddress(t)
+
+	userServiceBinary := harness.BuildBinary(t, "userservice", "./user/cmd/userservice")
+	authsessionBinary := harness.BuildBinary(t, "authsession", "./authsession/cmd/authsession")
+
+	userServiceEnv := map[string]string{
+		"USERSERVICE_LOG_LEVEL":          "info",
+		"USERSERVICE_INTERNAL_HTTP_ADDR": userServiceAddr,
+		"USERSERVICE_REDIS_ADDR":         redisServer.Addr(),
+		"OTEL_TRACES_EXPORTER":           "none",
+		"OTEL_METRICS_EXPORTER":          "none",
+	}
+	userServiceProcess := harness.StartProcess(t, "userservice", userServiceBinary, userServiceEnv)
+	waitForUserServiceReady(t, userServiceProcess, "http://"+userServiceAddr)
+
+	authsessionEnv := map[string]string{
+		"AUTHSESSION_LOG_LEVEL":                     "info",
+		"AUTHSESSION_PUBLIC_HTTP_ADDR":              authsessionPublicAddr,
+		"AUTHSESSION_INTERNAL_HTTP_ADDR":            authsessionInternalAddr,
+		"AUTHSESSION_REDIS_ADDR":                    redisServer.Addr(),
+		"AUTHSESSION_USER_SERVICE_MODE":             "rest",
+		"AUTHSESSION_USER_SERVICE_BASE_URL":         "http://" + userServiceAddr,
+		"AUTHSESSION_MAIL_SERVICE_MODE":             "rest",
+		"AUTHSESSION_MAIL_SERVICE_BASE_URL":         mailStub.BaseURL(),
+		"OTEL_TRACES_EXPORTER":                      "none",
+		"OTEL_METRICS_EXPORTER":                     "none",
+		"AUTHSESSION_PUBLIC_HTTP_REQUEST_TIMEOUT":   time.Second.String(),
+		"AUTHSESSION_INTERNAL_HTTP_REQUEST_TIMEOUT": time.Second.String(),
+	}
+	authsessionProcess := harness.StartProcess(t, "authsession", authsessionBinary, authsessionEnv)
+	waitForAuthsessionPublicReady(t, authsessionProcess, "http://"+authsessionPublicAddr)
+
+	return &authsessionUserHarness{
+		mailStub:             mailStub,
+		authsessionPublicURL: "http://" + authsessionPublicAddr,
+		userServiceURL:       "http://" + userServiceAddr,
+		authsessionProcess:   authsessionProcess,
+		userServiceProcess:   userServiceProcess,
+	}
+}
+
+func (h *authsessionUserHarness) sendChallenge(t *testing.T, email string) string {
+	t.Helper()
+
+	response := postJSONValue(t, h.authsessionPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
+		"email": email,
+	})
+	require.Equal(t, http.StatusOK, response.StatusCode)
+
+	var body struct {
+		ChallengeID string `json:"challenge_id"`
+	}
+	require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body))
+	require.NotEmpty(t, body.ChallengeID)
+
+	return body.ChallengeID
+}
+
+func (h *authsessionUserHarness) confirmCode(t *testing.T, challengeID string, code string) httpResponse {
+	t.Helper()
+
+	return postJSONValue(t, h.authsessionPublicURL+"/api/v1/public/auth/confirm-email-code", map[string]string{
+		"challenge_id":      challengeID,
+		"code":              code,
+		"client_public_key": testClientPublicKey,
+		"time_zone":         testTimeZone,
+	})
+}
+
+type httpResponse struct {
+	StatusCode int
+	Body       string
+	Header     http.Header
+}
+
+func postJSONValue(t *testing.T, targetURL string, body any) httpResponse {
+	t.Helper()
+
+	payload, err := json.Marshal(body)
+	require.NoError(t, err)
+
+	request, err := http.NewRequest(http.MethodPost, targetURL, bytes.NewReader(payload))
+	require.NoError(t, err)
+	request.Header.Set("Content-Type", "application/json")
+
+	client := &http.Client{
+		Timeout: 250 * time.Millisecond,
+		Transport: &http.Transport{
+			DisableKeepAlives: true,
+		},
+	}
+	t.Cleanup(client.CloseIdleConnections)
+
+	response, err := client.Do(request)
+	require.NoError(t, err)
+	defer response.Body.Close()
+
+	responseBody, err := io.ReadAll(response.Body)
+	require.NoError(t, err)
+
+	return httpResponse{
+		StatusCode: response.StatusCode,
+		Body:       string(responseBody),
+		Header:     response.Header.Clone(),
+	}
+}
+
+func decodeStrictJSONPayload(payload []byte, target any) error {
+	decoder := json.NewDecoder(bytes.NewReader(payload))
+	decoder.DisallowUnknownFields()
+
+	if err := decoder.Decode(target); err != nil {
+		return err
+	}
+	if err := decoder.Decode(&struct{}{}); err != io.EOF {
+		if err == nil {
+			return errors.New("unexpected trailing JSON input")
+		}
+		return err
+	}
+
+	return nil
+}
+
+func waitForUserServiceReady(t *testing.T, process *harness.Process, baseURL string) {
+	t.Helper()
+
+	client := &http.Client{Timeout: 250 * time.Millisecond}
+	deadline := time.Now().Add(10 * time.Second)
+
+	for time.Now().Before(deadline) {
+		request, err := http.NewRequest(http.MethodGet, baseURL+"/api/v1/internal/users/user-missing/exists", nil)
+		require.NoError(t, err)
+
+		response, err := client.Do(request)
+		if err == nil {
+			_, _ = io.Copy(io.Discard, response.Body)
+			response.Body.Close()
+			if response.StatusCode == http.StatusOK {
+				return
+			}
+		}
+
+		time.Sleep(25 * time.Millisecond)
+	}
+
+	t.Fatalf("wait for userservice readiness: timeout\n%s", process.Logs())
+}
+
+func waitForAuthsessionPublicReady(t *testing.T, process *harness.Process, baseURL string) {
+	t.Helper()
+
+	client := &http.Client{Timeout: 250 * time.Millisecond}
+	deadline := time.Now().Add(10 * time.Second)
+
+	for time.Now().Before(deadline) {
+		response, err := postJSONValueMaybe(client, baseURL+"/api/v1/public/auth/send-email-code", map[string]string{
+			"email": "",
+		})
+		if err == nil && response.StatusCode == http.StatusBadRequest {
+			return
+		}
+
+		time.Sleep(25 * time.Millisecond)
+	}
+
+	t.Fatalf("wait for authsession public readiness: timeout\n%s", process.Logs())
+}
+
+func postJSONValueMaybe(client *http.Client, targetURL string, body any) (httpResponse, error) {
+	payload, err := json.Marshal(body)
+	if err != nil {
+		return httpResponse{}, err
+	}
+
+	request, err := http.NewRequest(http.MethodPost, targetURL, bytes.NewReader(payload))
+	if err != nil {
+		return httpResponse{}, err
+	}
+	request.Header.Set("Content-Type", "application/json")
+
+	response, err := client.Do(request)
+	if err != nil {
+		return httpResponse{}, err
+	}
+	defer response.Body.Close()
+
+	responseBody, err := io.ReadAll(response.Body)
+	if err != nil {
+		return httpResponse{}, err
+	}
+
+	return httpResponse{
+		StatusCode: response.StatusCode,
+		Body:       string(responseBody),
+		Header:     response.Header.Clone(),
+	}, nil
+}
+
+func requireJSONStatus(t *testing.T, response httpResponse, wantStatus int, target any) {
+	t.Helper()
+
+	require.Equal(t, wantStatus, response.StatusCode, "response body: %s", response.Body)
+	require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), target))
+}
+
+func requireJSONStatusRaw(t *testing.T, response httpResponse, wantStatus int, wantBody string) {
+	t.Helper()
+
+	require.Equal(t, wantStatus, response.StatusCode, "response body: %s", response.Body)
+	require.JSONEq(t, wantBody, response.Body)
+}
+
+func postEnsureUser(t *testing.T, baseURL string, email string, preferredLanguage string, timeZone string) ensureByEmailResponse {
+	t.Helper()
+
+	response := postJSONValue(t, baseURL+"/api/v1/internal/users/ensure-by-email", map[string]any{
+		"email": email,
+		"registration_context": map[string]string{
+			"preferred_language": preferredLanguage,
+			"time_zone":          timeZone,
+		},
+	})
+
+	var body ensureByEmailResponse
+	requireJSONStatus(t, response, http.StatusOK, &body)
+	return body
+}
+
+func postBlockByEmail(t *testing.T, baseURL string, email string) {
+	t.Helper()
+
+	response := postJSONValue(t, baseURL+"/api/v1/internal/user-blocks/by-email", map[string]string{
+		"email":       email,
+		"reason_code": "policy_blocked",
+	})
+
+	var body blockMutationResponse
+	requireJSONStatus(t, response, http.StatusOK, &body)
+}
+
+func lookupUserByEmail(t *testing.T, baseURL string, email string) (httpResponse, userLookupResponse) {
+	t.Helper()
+
+	response := postJSONValue(t, baseURL+"/api/v1/internal/user-lookups/by-email", map[string]string{
+		"email": email,
+	})
+
+	if response.StatusCode != http.StatusOK {
+		return response, userLookupResponse{}
+	}
+
+	var body userLookupResponse
+	require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body))
+	return response, body
+}
+
+type ensureByEmailResponse struct {
+	Outcome string `json:"outcome"`
+	UserID  string `json:"user_id,omitempty"`
+}
+
+type blockMutationResponse struct {
+	Outcome string `json:"outcome"`
+	UserID  string `json:"user_id,omitempty"`
+}
+
+type userLookupResponse struct {
+	User accountView `json:"user"`
+}
+
+type accountView struct {
+	UserID            string                  `json:"user_id"`
+	Email             string                  `json:"email"`
+	RaceName          string                  `json:"race_name"`
+	PreferredLanguage string                  `json:"preferred_language"`
+	TimeZone          string                  `json:"time_zone"`
+	DeclaredCountry   string                  `json:"declared_country,omitempty"`
+	Entitlement       entitlementSnapshotView `json:"entitlement"`
+	ActiveSanctions   []activeSanctionView    `json:"active_sanctions"`
+	ActiveLimits      []activeLimitView       `json:"active_limits"`
+	CreatedAt         time.Time               `json:"created_at"`
+	UpdatedAt         time.Time               `json:"updated_at"`
+}
+
+type entitlementSnapshotView struct {
+	PlanCode   string       `json:"plan_code"`
+	IsPaid     bool         `json:"is_paid"`
+	Source     string       `json:"source"`
+	Actor      actorRefView `json:"actor"`
+	ReasonCode string       `json:"reason_code"`
+	StartsAt   time.Time    `json:"starts_at"`
+	EndsAt     *time.Time   `json:"ends_at,omitempty"`
+	UpdatedAt  time.Time    `json:"updated_at"`
+}
+
+type activeSanctionView struct {
+	SanctionCode string       `json:"sanction_code"`
+	Scope        string       `json:"scope"`
+	ReasonCode   string       `json:"reason_code"`
+	Actor        actorRefView `json:"actor"`
+	AppliedAt    time.Time    `json:"applied_at"`
+	ExpiresAt    *time.Time   `json:"expires_at,omitempty"`
+}
+
+type activeLimitView struct {
+	LimitCode  string       `json:"limit_code"`
+	Value      int          `json:"value"`
+	ReasonCode string       `json:"reason_code"`
+	Actor      actorRefView `json:"actor"`
+	AppliedAt  time.Time    `json:"applied_at"`
+	ExpiresAt  *time.Time   `json:"expires_at,omitempty"`
+}
+
+type actorRefView struct {
+	Type string `json:"type"`
+	ID   string `json:"id,omitempty"`
+}
+
+func requireLookupNotFound(t *testing.T, response httpResponse) {
+	t.Helper()
+
+	requireJSONStatusRaw(t, response, http.StatusNotFound, `{"error":{"code":"subject_not_found","message":"subject not found"}}`)
+}
+
+func lastMailCodeFor(t *testing.T, stub *harness.MailStub, email string) string {
+	t.Helper()
+
+	deliveries := stub.RecordedDeliveries()
+	for index := len(deliveries) - 1; index >= 0; index-- {
+		if deliveries[index].Email == email {
+			return deliveries[index].Code
+		}
+	}
+
+	t.Fatalf("mail stub did not record delivery for %s", email)
+	return ""
+}
+
+func sleepForDistinctCreatedAt() {
+	time.Sleep(10 * time.Millisecond)
+}
+
+func formatStatusError(response httpResponse) string {
+	return fmt.Sprintf("status=%d body=%s", response.StatusCode, response.Body)
+}