feat: support time_zone for user registration context

gateway/internal/restapi/public_anti_abuse_test.go

@@ -18,7 +18,7 @@ func TestPublicAntiAbuseRejectsOversizedBodies(t *testing.T) {
 	t.Parallel()
 
 	oversizedJSONBody := `{"email":"` + strings.Repeat("a", 8200) + `@example.com"}`
-	oversizedConfirmJSONBody := `{"challenge_id":"` + strings.Repeat("c", 8300) + `","code":"123456","client_public_key":"key"}`
+	oversizedConfirmJSONBody := `{"challenge_id":"` + strings.Repeat("c", 8300) + `","code":"123456","client_public_key":"key","time_zone":"` + confirmEmailCodeTestTimeZone + `"}`
 
 	tests := []struct {
 		name      string
@@ -282,9 +282,9 @@ func TestPublicAntiAbuseConfirmEmailIdentityThrottle(t *testing.T) {
 	}
 	handler := newPublicHandlerWithConfig(cfg, ServerDependencies{AuthService: authService})
 
-	first := confirmEmailCodeRequest(`{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material"}`)
-	second := confirmEmailCodeRequest(`{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material"}`)
-	third := confirmEmailCodeRequest(`{"challenge_id":"challenge-456","code":"123456","client_public_key":"public-key-material"}`)
+	first := confirmEmailCodeRequest(`{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material","time_zone":"` + confirmEmailCodeTestTimeZone + `"}`)
+	second := confirmEmailCodeRequest(`{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material","time_zone":"` + confirmEmailCodeTestTimeZone + `"}`)
+	third := confirmEmailCodeRequest(`{"challenge_id":"challenge-456","code":"123456","client_public_key":"public-key-material","time_zone":"` + confirmEmailCodeTestTimeZone + `"}`)
 
 	firstResp := httptest.NewRecorder()
 	handler.ServeHTTP(firstResp, first)

gateway/internal/restapi/public_auth.go

@@ -79,6 +79,11 @@ type ConfirmEmailCodeInput struct {
 	// ClientPublicKey is the standard base64-encoded raw 32-byte Ed25519 public
 	// key that should be registered for the created device session.
 	ClientPublicKey string `json:"client_public_key"`
+
+	// TimeZone is the client-selected IANA time zone name forwarded to the
+	// Auth / Session Service as registration context for first-time user
+	// creation.
+	TimeZone string `json:"time_zone"`
 }
 
 // ConfirmEmailCodeResult describes the public REST and adapter payload
@@ -391,6 +396,11 @@ func validateConfirmEmailCodeInput(input *ConfirmEmailCodeInput) error {
 		return errors.New("client_public_key must not be empty")
 	}
 
+	input.TimeZone = strings.TrimSpace(input.TimeZone)
+	if input.TimeZone == "" {
+		return errors.New("time_zone must not be empty")
+	}
+
 	return nil
 }
 

gateway/internal/restapi/public_auth_test.go

@@ -16,6 +16,8 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+const confirmEmailCodeTestTimeZone = "Europe/Kaliningrad"
+
 func TestSendEmailCodeHandlerSuccess(t *testing.T) {
 	t.Parallel()
 
@@ -59,7 +61,7 @@ func TestConfirmEmailCodeHandlerSuccess(t *testing.T) {
 	req := httptest.NewRequest(
 		http.MethodPost,
 		"/api/v1/public/auth/confirm-email-code",
-		strings.NewReader(`{"challenge_id":" challenge-123 ","code":" 123456 ","client_public_key":" public-key-material "}`),
+		strings.NewReader(`{"challenge_id":" challenge-123 ","code":" 123456 ","client_public_key":" public-key-material ","time_zone":" `+confirmEmailCodeTestTimeZone+` "}`),
 	)
 	req.Header.Set("Content-Type", "application/json")
 	recorder := httptest.NewRecorder()
@@ -75,6 +77,7 @@ func TestConfirmEmailCodeHandlerSuccess(t *testing.T) {
 		ChallengeID:     "challenge-123",
 		Code:            "123456",
 		ClientPublicKey: "public-key-material",
+		TimeZone:        confirmEmailCodeTestTimeZone,
 	}, authService.confirmEmailCodeInput)
 	assert.True(t, authService.confirmEmailCodeRouteClassOK)
 	assert.Equal(t, PublicRouteClassPublicAuth, authService.confirmEmailCodeRouteClass)
@@ -113,12 +116,21 @@ func TestPublicAuthHandlersRejectInvalidRequests(t *testing.T) {
 		{
 			name:             "confirm email empty code",
 			target:           "/api/v1/public/auth/confirm-email-code",
-			body:             `{"challenge_id":"challenge-123","code":"   ","client_public_key":"public-key-material"}`,
+			body:             `{"challenge_id":"challenge-123","code":"   ","client_public_key":"public-key-material","time_zone":"` + confirmEmailCodeTestTimeZone + `"}`,
 			wantStatus:       http.StatusBadRequest,
 			wantBody:         `{"error":{"code":"invalid_request","message":"code must not be empty"}}`,
 			wantSendCalls:    0,
 			wantConfirmCalls: 0,
 		},
+		{
+			name:             "confirm email empty time zone",
+			target:           "/api/v1/public/auth/confirm-email-code",
+			body:             `{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material","time_zone":"   "}`,
+			wantStatus:       http.StatusBadRequest,
+			wantBody:         `{"error":{"code":"invalid_request","message":"time_zone must not be empty"}}`,
+			wantSendCalls:    0,
+			wantConfirmCalls: 0,
+		},
 	}
 
 	for _, tt := range tests {
@@ -159,7 +171,7 @@ func TestPublicAuthHandlersMapAdapterErrors(t *testing.T) {
 		{
 			name:   "auth service projected bad request",
 			target: "/api/v1/public/auth/confirm-email-code",
-			body:   `{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material"}`,
+			body:   `{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material","time_zone":"` + confirmEmailCodeTestTimeZone + `"}`,
 			authClient: &recordingAuthServiceClient{
 				confirmEmailCodeErr: &AuthServiceError{
 					StatusCode: http.StatusBadRequest,
@@ -187,7 +199,7 @@ func TestPublicAuthHandlersMapAdapterErrors(t *testing.T) {
 		{
 			name:   "auth service projected gateway normalizes blank gateway error fields",
 			target: "/api/v1/public/auth/confirm-email-code",
-			body:   `{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material"}`,
+			body:   `{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material","time_zone":"` + confirmEmailCodeTestTimeZone + `"}`,
 			authClient: &recordingAuthServiceClient{
 				confirmEmailCodeErr: &AuthServiceError{
 					StatusCode: http.StatusBadGateway,
@@ -253,7 +265,7 @@ func TestDefaultAuthServiceReturnsServiceUnavailable(t *testing.T) {
 			name:       "confirm email code",
 			method:     http.MethodPost,
 			target:     "/api/v1/public/auth/confirm-email-code",
-			body:       `{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material"}`,
+			body:       `{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material","time_zone":"` + confirmEmailCodeTestTimeZone + `"}`,
 			wantStatus: http.StatusServiceUnavailable,
 			wantBody:   `{"error":{"code":"service_unavailable","message":"auth service is unavailable"}}`,
 		},
@@ -325,7 +337,7 @@ func TestPublicAuthLogsDoNotContainSensitiveFields(t *testing.T) {
 	req := httptest.NewRequest(
 		http.MethodPost,
 		"/api/v1/public/auth/confirm-email-code",
-		strings.NewReader(`{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material"}`),
+		strings.NewReader(`{"challenge_id":"challenge-123","code":"123456","client_public_key":"public-key-material","time_zone":"`+confirmEmailCodeTestTimeZone+`"}`),
 	)
 	req.Header.Set("Content-Type", "application/json")
 	recorder := httptest.NewRecorder()