developer/galaxy-game
1
1
Fork 0
Code Issues Pull Requests Actions Packages Releases Wiki Activity
Files
140ee8e0eedbd083492d50f039c953cc92d5b65a
galaxy-game/gateway/docs/flows.md
T
Ilia Denisov 91e34a0929
Tests · Go / test (push) Successful in 2m1s
Details
Tests · Go / test (pull_request) Successful in 2m58s
Details
Tests · Integration / integration (pull_request) Successful in 1m39s
Details
fix(gateway): verify client signature before payload_hash 
ARCHITECTURE.md §15 "Verification order" specifies signature verification
(step 4) before payload_hash (step 5), but the authenticated-edge
decorator chain wrapped the payload-hash gate outside the signature gate,
so the hash was checked first. gateway/README.md and gateway/docs/flows.md
had drifted to match the code (hash-first), leaving ARCHITECTURE.md as the
lone source describing the intended order.

Swap the two decorators in server.go so the signature gate runs first, and
align README + flows.md to ARCHITECTURE.md. Signature-first is the
cryptographically sound order: the signature covers the payload_hash field,
so the request is authenticated before any of its content is processed.

Observable side effect: a request carrying a tampered payload_hash whose
signature was computed over the original hash is now rejected at the
signature gate (UNAUTHENTICATED "invalid request signature") instead of the
hash gate (INVALID_ARGUMENT). Security is unchanged — both refusals happen
before the payload is handled. The four payload-hash unit tests re-sign
over the tampered hash so they keep exercising the hash gate; the
cross-service integration test signs over the overridden hash and already
accepts both codes.

Refs #39

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 02:42:09 +02:00

81 lines
2.8 KiB
Markdown
Raw Blame History

# Request and Push Flows
## Public Auth Flow
```mermaid
sequenceDiagram
participant Client
participant Gateway
participant Limiter as Public anti-abuse
participant Backend as backendclient.RESTClient
Client->>Gateway: POST /api/v1/public/auth/send-email-code
Gateway->>Limiter: classify + rate-limit + body checks
Limiter-->>Gateway: allowed
Gateway->>Backend: POST /api/v1/public/auth/send-email-code
Backend-->>Gateway: 200 {challenge_id}
Gateway-->>Client: 200 {challenge_id}
Client->>Gateway: POST /api/v1/public/auth/confirm-email-code
Gateway->>Limiter: classify + rate-limit + body checks
Limiter-->>Gateway: allowed
Gateway->>Backend: POST /api/v1/public/auth/confirm-email-code
Backend-->>Gateway: 200 {device_session_id}
Gateway-->>Client: 200 {device_session_id}
```
## Authenticated ExecuteCommand Flow
```mermaid
sequenceDiagram
participant Client
participant Gateway
participant Backend as backendclient.RESTClient
participant Replay as ReplayStore
participant Policy as Rate limit / policy
Client->>Gateway: ExecuteCommand(envelope, payload_bytes, signature)
Gateway->>Gateway: validate envelope + protocol_version
Gateway->>Backend: GET /api/v1/internal/sessions/{device_session_id}
Backend-->>Gateway: session record
Gateway->>Gateway: verify Ed25519 signature
Gateway->>Gateway: verify payload_hash
Gateway->>Gateway: verify freshness window
Gateway->>Replay: reserve(device_session_id, request_id, ttl)
Replay-->>Gateway: accepted
Gateway->>Policy: apply IP/session/user/message_type budgets
Policy-->>Gateway: allowed
Gateway->>Backend: PATCH/POST/GET /api/v1/user/...
Backend-->>Gateway: JSON success or error
Gateway->>Gateway: hash payload + sign response
Gateway-->>Client: ExecuteCommandResponse + signature
```
## SubscribeEvents Lifecycle
```mermaid
sequenceDiagram
participant Client
participant Gateway
participant Backend as backend Push.SubscribePush
participant Hub as PushHub
participant Dispatcher
Client->>Gateway: SubscribeEvents(envelope, signature)
Gateway->>Gateway: validate envelope + verify request
Gateway->>Gateway: lookup session via backend REST
Gateway->>Client: gateway.server_time event
Gateway->>Hub: register(user_id, device_session_id)
Backend-->>Dispatcher: PushEvent{ClientEvent}
Dispatcher->>Hub: Publish(push.Event)
Hub-->>Client: matching event delivery (signed envelope)
Backend-->>Dispatcher: PushEvent{SessionInvalidation}
Dispatcher->>Hub: RevokeDeviceSession or RevokeAllForUser
Hub-->>Client: stream closes with FAILED_PRECONDITION
Note over Gateway,Hub: During shutdown the gateway closes PushHub before HTTP graceful stop.
Hub-->>Client: stream closes with UNAVAILABLE
```
Reference in New Issue View Git Blame Copy Permalink