developer/galaxy-game
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: authsession service

Browse Source
This commit is contained in:
Ilia Denisov
2026-04-08 16:23:07 +02:00
committed by GitHub
parent 28f04916af
commit 86a68ed9d0
174 changed files with 31732 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files
authsession/internal/service/revokeallusersessions/consistency_test.go
+106
View File
@@ -0,0 +1,106 @@
package revokeallusersessions
import (
"context"
"errors"
"testing"
"time"
"galaxy/authsession/internal/domain/common"
"galaxy/authsession/internal/domain/devicesession"
"galaxy/authsession/internal/service/shared"
"galaxy/authsession/internal/testkit"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestExecuteRetriesProjectionPublishesForBulkRevoke(t *testing.T) {
t.Parallel()
store := &testkit.InMemorySessionStore{}
userDirectory := &testkit.InMemoryUserDirectory{}
publisher := &testkit.RecordingProjectionPublisher{
Errors: []error{
errors.New("publish failed"),
nil,
errors.New("publish failed"),
nil,
},
}
require.NoError(t, userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")))
require.NoError(t, store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())))
require.NoError(t, store.Create(context.Background(), activeSessionFixture("device-session-2", "user-1", time.Unix(20, 0).UTC())))
service, err := New(store, userDirectory, publisher, testkit.FixedClock{Time: time.Unix(30, 0).UTC()})
require.NoError(t, err)
result, err := service.Execute(context.Background(), Input{
UserID: "user-1",
ReasonCode: "logout_all",
ActorType: "system",
})
require.NoError(t, err)
assert.Equal(t, "revoked", result.Outcome)
assert.EqualValues(t, 2, result.AffectedSessionCount)
assert.Equal(t, []string{"device-session-2", "device-session-1"}, result.AffectedDeviceSessionIDs)
require.Len(t, publisher.PublishedSnapshots(), 4)
}
func TestExecuteRepublishesCurrentRevokedSessionsOnNoActiveSessionsRetry(t *testing.T) {
t.Parallel()
store := &testkit.InMemorySessionStore{}
userDirectory := &testkit.InMemoryUserDirectory{}
publisher := &testkit.RecordingProjectionPublisher{
Errors: []error{
nil,
errors.New("publish failed"),
errors.New("publish failed"),
errors.New("publish failed"),
},
}
require.NoError(t, userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")))
require.NoError(t, store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())))
require.NoError(t, store.Create(context.Background(), activeSessionFixture("device-session-2", "user-1", time.Unix(20, 0).UTC())))
service, err := New(store, userDirectory, publisher, testkit.FixedClock{Time: time.Unix(30, 0).UTC()})
require.NoError(t, err)
_, err = service.Execute(context.Background(), Input{
UserID: "user-1",
ReasonCode: "logout_all",
ActorType: "system",
})
require.Error(t, err)
assert.Equal(t, shared.ErrorCodeServiceUnavailable, shared.CodeOf(err))
require.Len(t, publisher.PublishedSnapshots(), 4)
for _, deviceSessionID := range []common.DeviceSessionID{"device-session-1", "device-session-2"} {
record, getErr := store.Get(context.Background(), deviceSessionID)
require.NoError(t, getErr)
require.NotNil(t, record.Revocation)
assert.Equal(t, devicesession.StatusRevoked, record.Status)
}
publisher.Errors = nil
publisher.Err = nil
result, err := service.Execute(context.Background(), Input{
UserID: "user-1",
ReasonCode: "logout_all",
ActorType: "system",
})
require.NoError(t, err)
assert.Equal(t, "no_active_sessions", result.Outcome)
assert.EqualValues(t, 0, result.AffectedSessionCount)
require.NotNil(t, result.AffectedDeviceSessionIDs)
assert.Empty(t, result.AffectedDeviceSessionIDs)
published := publisher.PublishedSnapshots()
require.Len(t, published, 6)
assert.Equal(t, []common.DeviceSessionID{"device-session-2", "device-session-1"}, []common.DeviceSessionID{
published[4].DeviceSessionID,
published[5].DeviceSessionID,
})
}
authsession/internal/service/revokeallusersessions/service.go
+200
View File
@@ -0,0 +1,200 @@
// Package revokeallusersessions implements the trusted internal bulk revoke
// use case for all sessions of one user.
package revokeallusersessions
import (
"context"
"fmt"
"galaxy/authsession/internal/domain/common"
"galaxy/authsession/internal/domain/devicesession"
"galaxy/authsession/internal/ports"
"galaxy/authsession/internal/service/shared"
"galaxy/authsession/internal/telemetry"
"go.uber.org/zap"
)
// Input describes one trusted internal revoke-all-user-sessions request.
type Input struct {
// UserID identifies the owner whose sessions should be revoked.
UserID string
// ReasonCode stores the machine-readable revoke reason code.
ReasonCode string
// ActorType stores the machine-readable revoke actor type.
ActorType string
// ActorID stores the optional stable revoke actor identifier.
ActorID string
}
// Result describes the frozen internal bulk revoke acknowledgement.
type Result struct {
// Outcome reports whether active sessions were revoked during the current
// call.
Outcome string
// UserID identifies the user addressed by the operation.
UserID string
// AffectedSessionCount reports how many sessions changed state during the
// current call.
AffectedSessionCount int64
// AffectedDeviceSessionIDs lists every session identifier affected during
// the current call.
AffectedDeviceSessionIDs []string
}
// Service executes the trusted internal revoke-all-user-sessions use case.
type Service struct {
sessionStore ports.SessionStore
userDirectory ports.UserDirectory
publisher ports.GatewaySessionProjectionPublisher
clock ports.Clock
logger *zap.Logger
telemetry *telemetry.Runtime
}
// New returns a revoke-all-user-sessions service wired to the required ports.
func New(sessionStore ports.SessionStore, userDirectory ports.UserDirectory, publisher ports.GatewaySessionProjectionPublisher, clock ports.Clock) (*Service, error) {
return NewWithObservability(sessionStore, userDirectory, publisher, clock, nil, nil)
}
// NewWithObservability returns a revoke-all-user-sessions service wired to the
// required ports plus optional structured logging and telemetry dependencies.
func NewWithObservability(
sessionStore ports.SessionStore,
userDirectory ports.UserDirectory,
publisher ports.GatewaySessionProjectionPublisher,
clock ports.Clock,
logger *zap.Logger,
telemetryRuntime *telemetry.Runtime,
) (*Service, error) {
switch {
case sessionStore == nil:
return nil, fmt.Errorf("revokeallusersessions: session store must not be nil")
case userDirectory == nil:
return nil, fmt.Errorf("revokeallusersessions: user directory must not be nil")
case publisher == nil:
return nil, fmt.Errorf("revokeallusersessions: projection publisher must not be nil")
case clock == nil:
return nil, fmt.Errorf("revokeallusersessions: clock must not be nil")
default:
return &Service{
sessionStore: sessionStore,
userDirectory: userDirectory,
publisher: publisher,
clock: clock,
logger: namedLogger(logger, "revoke_all_user_sessions"),
telemetry: telemetryRuntime,
}, nil
}
}
// Execute revokes all active sessions of one user and republishes revoked
// gateway projections for every affected session.
func (s *Service) Execute(ctx context.Context, input Input) (result Result, err error) {
logFields := []zap.Field{
zap.String("component", "service"),
zap.String("use_case", "revoke_all_user_sessions"),
}
defer func() {
shared.LogServiceOutcome(s.logger, ctx, "revoke all user sessions completed", err, logFields...)
}()
userID, err := shared.ParseUserID(input.UserID)
if err != nil {
return Result{}, err
}
logFields = append(logFields, zap.String("user_id", userID.String()))
revocation, err := shared.BuildRevocation(input.ReasonCode, input.ActorType, input.ActorID, s.clock.Now())
if err != nil {
return Result{}, err
}
logFields = append(logFields, zap.String("reason_code", revocation.ReasonCode.String()))
exists, err := s.userDirectory.ExistsByUserID(ctx, userID)
if err != nil {
return Result{}, shared.ServiceUnavailable(err)
}
s.telemetry.RecordUserDirectoryOutcome(ctx, "exists_by_user_id", boolOutcome(exists))
if !exists {
return Result{}, shared.SubjectNotFound()
}
storeResult, err := s.sessionStore.RevokeAllByUserID(ctx, ports.RevokeUserSessionsInput{
UserID: userID,
Revocation: revocation,
})
if err != nil {
return Result{}, shared.ServiceUnavailable(err)
}
if err := storeResult.Validate(); err != nil {
return Result{}, shared.InternalError(err)
}
logFields = append(logFields, zap.String("outcome", string(storeResult.Outcome)))
affectedDeviceSessionIDs := make([]string, 0, len(storeResult.Sessions))
for _, record := range storeResult.Sessions {
if err := shared.PublishSessionProjectionWithTelemetry(ctx, s.publisher, record, s.telemetry, "revoke_all_user_sessions"); err != nil {
return Result{}, err
}
affectedDeviceSessionIDs = append(affectedDeviceSessionIDs, record.ID.String())
}
if storeResult.Outcome == ports.RevokeUserSessionsOutcomeNoActiveSessions {
if err := s.republishCurrentRevokedSessions(ctx, userID); err != nil {
return Result{}, err
}
}
affectedSessionCount := int64(len(storeResult.Sessions))
if affectedSessionCount > 0 {
s.telemetry.RecordSessionRevocations(ctx, "revoke_all_user_sessions", revocation.ReasonCode.String(), affectedSessionCount)
}
logFields = append(logFields, zap.Int64("affected_session_count", affectedSessionCount))
return Result{
Outcome: string(storeResult.Outcome),
UserID: storeResult.UserID.String(),
AffectedSessionCount: affectedSessionCount,
AffectedDeviceSessionIDs: affectedDeviceSessionIDs,
}, nil
}
func (s *Service) republishCurrentRevokedSessions(ctx context.Context, userID common.UserID) error {
records, err := s.sessionStore.ListByUserID(ctx, userID)
if err != nil {
return shared.ServiceUnavailable(err)
}
for _, record := range records {
if record.Status != devicesession.StatusRevoked {
continue
}
if err := shared.PublishSessionProjectionWithTelemetry(ctx, s.publisher, record, s.telemetry, "revoke_all_user_sessions_repair"); err != nil {
return err
}
}
return nil
}
func boolOutcome(value bool) string {
if value {
return "exists"
}
return "missing"
}
func namedLogger(logger *zap.Logger, name string) *zap.Logger {
if logger == nil {
logger = zap.NewNop()
}
return logger.Named(name)
}
authsession/internal/service/revokeallusersessions/service_test.go
+162
View File
@@ -0,0 +1,162 @@
package revokeallusersessions
import (
"context"
"errors"
"testing"
"time"
"galaxy/authsession/internal/domain/common"
"galaxy/authsession/internal/domain/devicesession"
"galaxy/authsession/internal/domain/gatewayprojection"
"galaxy/authsession/internal/service/shared"
"galaxy/authsession/internal/testkit"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestExecuteRevokesExistingUserSessionsAndPublishes(t *testing.T) {
t.Parallel()
store := &testkit.InMemorySessionStore{}
userDirectory := &testkit.InMemoryUserDirectory{}
publisher := &testkit.RecordingProjectionPublisher{}
if err := userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")); err != nil {
require.Failf(t, "test failed", "SeedExisting() returned error: %v", err)
}
for _, record := range []devicesession.Session{
activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC()),
activeSessionFixture("device-session-2", "user-1", time.Unix(20, 0).UTC()),
} {
if err := store.Create(context.Background(), record); err != nil {
require.Failf(t, "test failed", "Create() returned error: %v", err)
}
}
service, err := New(store, userDirectory, publisher, testkit.FixedClock{Time: time.Unix(30, 0).UTC()})
require.NoError(t, err)
result, err := service.Execute(context.Background(), Input{
UserID: "user-1",
ReasonCode: "logout_all",
ActorType: "system",
})
require.NoError(t, err)
assert.Equal(t, "revoked", result.Outcome)
assert.EqualValues(t, 2, result.AffectedSessionCount)
assert.Equal(t, []string{"device-session-2", "device-session-1"}, result.AffectedDeviceSessionIDs)
for _, deviceSessionID := range result.AffectedDeviceSessionIDs {
stored, getErr := store.Get(context.Background(), common.DeviceSessionID(deviceSessionID))
require.NoError(t, getErr)
require.NotNil(t, stored.Revocation)
assert.Equal(t, devicesession.StatusRevoked, stored.Status)
assert.Equal(t, devicesession.RevokeReasonLogoutAll, stored.Revocation.ReasonCode)
assert.Equal(t, common.RevokeActorType("system"), stored.Revocation.ActorType)
assert.Empty(t, stored.Revocation.ActorID)
assert.Equal(t, time.Unix(30, 0).UTC(), stored.Revocation.At)
}
published := publisher.PublishedSnapshots()
require.Len(t, published, 2)
assert.Equal(t, []common.DeviceSessionID{"device-session-2", "device-session-1"}, []common.DeviceSessionID{
published[0].DeviceSessionID,
published[1].DeviceSessionID,
})
for _, snapshot := range published {
assert.Equal(t, gatewayprojection.StatusRevoked, snapshot.Status)
assert.Equal(t, devicesession.RevokeReasonLogoutAll, snapshot.RevokeReasonCode)
assert.Equal(t, common.RevokeActorType("system"), snapshot.RevokeActorType)
require.NotNil(t, snapshot.RevokedAt)
assert.Equal(t, time.Unix(30, 0).UTC(), *snapshot.RevokedAt)
}
}
func TestExecuteReturnsNoActiveSessionsForExistingUserWithoutActiveSessions(t *testing.T) {
t.Parallel()
store := &testkit.InMemorySessionStore{}
userDirectory := &testkit.InMemoryUserDirectory{}
publisher := &testkit.RecordingProjectionPublisher{}
if err := userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")); err != nil {
require.Failf(t, "test failed", "SeedExisting() returned error: %v", err)
}
service, err := New(store, userDirectory, publisher, testkit.FixedClock{Time: time.Unix(30, 0).UTC()})
require.NoError(t, err)
result, err := service.Execute(context.Background(), Input{
UserID: "user-1",
ReasonCode: "logout_all",
ActorType: "system",
})
require.NoError(t, err)
assert.Equal(t, "no_active_sessions", result.Outcome)
assert.EqualValues(t, 0, result.AffectedSessionCount)
require.NotNil(t, result.AffectedDeviceSessionIDs)
assert.Empty(t, result.AffectedDeviceSessionIDs)
assert.Empty(t, publisher.PublishedSnapshots())
}
func TestExecuteReturnsSubjectNotFoundForUnknownUser(t *testing.T) {
t.Parallel()
service, err := New(&testkit.InMemorySessionStore{}, &testkit.InMemoryUserDirectory{}, &testkit.RecordingProjectionPublisher{}, testkit.FixedClock{Time: time.Unix(30, 0).UTC()})
if err != nil {
require.Failf(t, "test failed", "New() returned error: %v", err)
}
_, err = service.Execute(context.Background(), Input{
UserID: "missing",
ReasonCode: "logout_all",
ActorType: "system",
})
assert.Equal(t, shared.ErrorCodeSubjectNotFound, shared.CodeOf(err))
}
func TestExecuteReturnsServiceUnavailableWhenPublishFails(t *testing.T) {
t.Parallel()
store := &testkit.InMemorySessionStore{}
userDirectory := &testkit.InMemoryUserDirectory{}
publisher := &testkit.RecordingProjectionPublisher{Err: errors.New("publish failed")}
if err := userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")); err != nil {
require.Failf(t, "test failed", "SeedExisting() returned error: %v", err)
}
if err := store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())); err != nil {
require.Failf(t, "test failed", "Create() returned error: %v", err)
}
service, err := New(store, userDirectory, publisher, testkit.FixedClock{Time: time.Unix(30, 0).UTC()})
require.NoError(t, err)
_, err = service.Execute(context.Background(), Input{
UserID: "user-1",
ReasonCode: "logout_all",
ActorType: "system",
})
assert.Equal(t, shared.ErrorCodeServiceUnavailable, shared.CodeOf(err))
stored, getErr := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
require.NoError(t, getErr)
require.NotNil(t, stored.Revocation)
assert.Equal(t, devicesession.StatusRevoked, stored.Status)
assert.Equal(t, devicesession.RevokeReasonLogoutAll, stored.Revocation.ReasonCode)
assert.Equal(t, common.RevokeActorType("system"), stored.Revocation.ActorType)
}
func activeSessionFixture(deviceSessionID string, userID string, createdAt time.Time) devicesession.Session {
key, err := common.NewClientPublicKey(make([]byte, 32))
if err != nil {
panic(err)
}
return devicesession.Session{
ID: common.DeviceSessionID(deviceSessionID),
UserID: common.UserID(userID),
ClientPublicKey: key,
Status: devicesession.StatusActive,
CreatedAt: createdAt,
}
}
authsession/internal/service/revokeallusersessions/stub_user_directory_test.go
+53
View File
@@ -0,0 +1,53 @@
package revokeallusersessions
import (
"context"
"testing"
"time"
stubuserservice "galaxy/authsession/internal/adapters/userservice"
"galaxy/authsession/internal/domain/common"
"galaxy/authsession/internal/service/shared"
"galaxy/authsession/internal/testkit"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestExecuteWithRuntimeStubUserDirectory(t *testing.T) {
t.Parallel()
t.Run("existing user uses ExistsByUserID and returns no active sessions", func(t *testing.T) {
t.Parallel()
userDirectory := &stubuserservice.StubDirectory{}
require.NoError(t, userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")))
service, err := New(&testkit.InMemorySessionStore{}, userDirectory, &testkit.RecordingProjectionPublisher{}, testkit.FixedClock{Time: time.Unix(30, 0).UTC()})
require.NoError(t, err)
result, err := service.Execute(context.Background(), Input{
UserID: "user-1",
ReasonCode: "logout_all",
ActorType: "system",
})
require.NoError(t, err)
assert.Equal(t, "no_active_sessions", result.Outcome)
assert.Zero(t, result.AffectedSessionCount)
})
t.Run("unknown user returns subject not found", func(t *testing.T) {
t.Parallel()
service, err := New(&testkit.InMemorySessionStore{}, &stubuserservice.StubDirectory{}, &testkit.RecordingProjectionPublisher{}, testkit.FixedClock{Time: time.Unix(30, 0).UTC()})
require.NoError(t, err)
_, err = service.Execute(context.Background(), Input{
UserID: "missing",
ReasonCode: "logout_all",
ActorType: "system",
})
require.Error(t, err)
assert.Equal(t, shared.ErrorCodeSubjectNotFound, shared.CodeOf(err))
})
}