feat: backend service
This commit is contained in:
Ilia Denisov
+18
-42
@@ -7,20 +7,20 @@ sequenceDiagram
|
||||
participant Client
|
||||
participant Gateway
|
||||
participant Limiter as Public anti-abuse
|
||||
participant Auth as AuthServiceClient
|
||||
participant Backend as backendclient.RESTClient
|
||||
|
||||
Client->>Gateway: POST /api/v1/public/auth/send-email-code
|
||||
Gateway->>Limiter: classify + rate-limit + body checks
|
||||
Limiter-->>Gateway: allowed
|
||||
Gateway->>Auth: SendEmailCode(email)
|
||||
Auth-->>Gateway: challenge_id
|
||||
Gateway->>Backend: POST /api/v1/public/auth/send-email-code
|
||||
Backend-->>Gateway: 200 {challenge_id}
|
||||
Gateway-->>Client: 200 {challenge_id}
|
||||
|
||||
Client->>Gateway: POST /api/v1/public/auth/confirm-email-code
|
||||
Gateway->>Limiter: classify + rate-limit + body checks
|
||||
Limiter-->>Gateway: allowed
|
||||
Gateway->>Auth: ConfirmEmailCode(challenge_id, code, client_public_key, time_zone)
|
||||
Auth-->>Gateway: device_session_id
|
||||
Gateway->>Backend: POST /api/v1/public/auth/confirm-email-code
|
||||
Backend-->>Gateway: 200 {device_session_id}
|
||||
Gateway-->>Client: 200 {device_session_id}
|
||||
```
|
||||
|
||||
@@ -30,15 +30,14 @@ sequenceDiagram
|
||||
sequenceDiagram
|
||||
participant Client
|
||||
participant Gateway
|
||||
participant Cache as SessionCache
|
||||
participant Backend as backendclient.RESTClient
|
||||
participant Replay as ReplayStore
|
||||
participant Policy as Rate limit / policy
|
||||
participant Downstream
|
||||
|
||||
Client->>Gateway: ExecuteCommand(envelope, payload_bytes, signature)
|
||||
Gateway->>Gateway: validate envelope + protocol_version
|
||||
Gateway->>Cache: lookup(device_session_id)
|
||||
Cache-->>Gateway: session record
|
||||
Gateway->>Backend: GET /api/v1/internal/sessions/{device_session_id}
|
||||
Backend-->>Gateway: session record
|
||||
Gateway->>Gateway: verify payload_hash
|
||||
Gateway->>Gateway: verify Ed25519 signature
|
||||
Gateway->>Gateway: verify freshness window
|
||||
@@ -46,57 +45,34 @@ sequenceDiagram
|
||||
Replay-->>Gateway: accepted
|
||||
Gateway->>Policy: apply IP/session/user/message_type budgets
|
||||
Policy-->>Gateway: allowed
|
||||
Gateway->>Downstream: verified authenticated command
|
||||
Downstream-->>Gateway: result_code + payload_bytes
|
||||
Gateway->>Backend: PATCH/POST/GET /api/v1/user/...
|
||||
Backend-->>Gateway: JSON success or error
|
||||
Gateway->>Gateway: hash payload + sign response
|
||||
Gateway-->>Client: ExecuteCommandResponse + signature
|
||||
```
|
||||
|
||||
## Direct Gateway -> User Self-Service Flow
|
||||
|
||||
```mermaid
|
||||
sequenceDiagram
|
||||
participant Client
|
||||
participant Gateway
|
||||
participant User as User Service
|
||||
|
||||
Client->>Gateway: ExecuteCommand(user.account.get | user.profile.update | user.settings.update)
|
||||
Gateway->>Gateway: verify envelope + session + signature + replay
|
||||
Gateway->>Gateway: decode FlatBuffers payload
|
||||
Gateway->>User: trusted REST/JSON internal request
|
||||
User-->>Gateway: JSON account aggregate or JSON error envelope
|
||||
Gateway->>Gateway: encode FlatBuffers success or error payload
|
||||
Gateway->>Gateway: sign response
|
||||
Gateway-->>Client: ExecuteCommandResponse(result_code, payload_bytes, signature)
|
||||
```
|
||||
|
||||
## SubscribeEvents Lifecycle
|
||||
|
||||
```mermaid
|
||||
sequenceDiagram
|
||||
participant Client
|
||||
participant Gateway
|
||||
participant Cache as SessionCache
|
||||
participant Replay as ReplayStore
|
||||
participant Backend as backend Push.SubscribePush
|
||||
participant Hub as PushHub
|
||||
participant Stream as Client event stream
|
||||
participant Sess as Session event stream
|
||||
participant Dispatcher
|
||||
|
||||
Client->>Gateway: SubscribeEvents(envelope, signature)
|
||||
Gateway->>Gateway: validate envelope + verify request
|
||||
Gateway->>Cache: lookup(device_session_id)
|
||||
Cache-->>Gateway: session record
|
||||
Gateway->>Replay: reserve(device_session_id, request_id, ttl)
|
||||
Replay-->>Gateway: accepted
|
||||
Gateway->>Gateway: lookup session via backend REST
|
||||
Gateway->>Client: gateway.server_time event
|
||||
Gateway->>Hub: register(user_id, device_session_id)
|
||||
|
||||
Stream-->>Gateway: client-facing event for user_id / device_session_id
|
||||
Gateway->>Hub: publish signed event
|
||||
Hub-->>Client: matching event delivery
|
||||
Backend-->>Dispatcher: PushEvent{ClientEvent}
|
||||
Dispatcher->>Hub: Publish(push.Event)
|
||||
Hub-->>Client: matching event delivery (signed envelope)
|
||||
|
||||
Sess-->>Gateway: revoked session snapshot
|
||||
Gateway->>Hub: revoke(device_session_id)
|
||||
Backend-->>Dispatcher: PushEvent{SessionInvalidation}
|
||||
Dispatcher->>Hub: RevokeDeviceSession or RevokeAllForUser
|
||||
Hub-->>Client: stream closes with FAILED_PRECONDITION
|
||||
|
||||
Note over Gateway,Hub: During shutdown the gateway closes PushHub before gRPC graceful stop.
|
||||
|
||||
Reference in New Issue
Block a user