developer/galaxy-game
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
7ff81de2b6f20b3e5c66e87025c1ee0d9f5b5f97
galaxy-game/gateway/docs/flows.md
T
Ilia Denisov 118f7c17a2 phase 4: connectrpc on the gateway authenticated edge 
Replace the native-gRPC server bootstrap with a single
`connectrpc.com/connect` HTTP/h2c listener. Connect-Go natively
serves Connect, gRPC, and gRPC-Web on the same port, so browsers can
now reach the authenticated surface without giving up the gRPC
framing native and desktop clients may use later. The decorator
stack (envelope → session → payload-hash → signature →
freshness/replay → rate-limit → routing/push) is reused unchanged
behind a small Connect → gRPC adapter and a `grpc.ServerStream`
shim around `*connect.ServerStream`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 11:49:28 +02:00

2.8 KiB
Raw Blame History

Request and Push Flows

Public Auth Flow

sequenceDiagram
    participant Client
    participant Gateway
    participant Limiter as Public anti-abuse
    participant Backend as backendclient.RESTClient

    Client->>Gateway: POST /api/v1/public/auth/send-email-code
    Gateway->>Limiter: classify + rate-limit + body checks
    Limiter-->>Gateway: allowed
    Gateway->>Backend: POST /api/v1/public/auth/send-email-code
    Backend-->>Gateway: 200 {challenge_id}
    Gateway-->>Client: 200 {challenge_id}

    Client->>Gateway: POST /api/v1/public/auth/confirm-email-code
    Gateway->>Limiter: classify + rate-limit + body checks
    Limiter-->>Gateway: allowed
    Gateway->>Backend: POST /api/v1/public/auth/confirm-email-code
    Backend-->>Gateway: 200 {device_session_id}
    Gateway-->>Client: 200 {device_session_id}

Authenticated ExecuteCommand Flow

sequenceDiagram
    participant Client
    participant Gateway
    participant Backend as backendclient.RESTClient
    participant Replay as ReplayStore
    participant Policy as Rate limit / policy

    Client->>Gateway: ExecuteCommand(envelope, payload_bytes, signature)
    Gateway->>Gateway: validate envelope + protocol_version
    Gateway->>Backend: GET /api/v1/internal/sessions/{device_session_id}
    Backend-->>Gateway: session record
    Gateway->>Gateway: verify payload_hash
    Gateway->>Gateway: verify Ed25519 signature
    Gateway->>Gateway: verify freshness window
    Gateway->>Replay: reserve(device_session_id, request_id, ttl)
    Replay-->>Gateway: accepted
    Gateway->>Policy: apply IP/session/user/message_type budgets
    Policy-->>Gateway: allowed
    Gateway->>Backend: PATCH/POST/GET /api/v1/user/...
    Backend-->>Gateway: JSON success or error
    Gateway->>Gateway: hash payload + sign response
    Gateway-->>Client: ExecuteCommandResponse + signature

SubscribeEvents Lifecycle

sequenceDiagram
    participant Client
    participant Gateway
    participant Backend as backend Push.SubscribePush
    participant Hub as PushHub
    participant Dispatcher

    Client->>Gateway: SubscribeEvents(envelope, signature)
    Gateway->>Gateway: validate envelope + verify request
    Gateway->>Gateway: lookup session via backend REST
    Gateway->>Client: gateway.server_time event
    Gateway->>Hub: register(user_id, device_session_id)

    Backend-->>Dispatcher: PushEvent{ClientEvent}
    Dispatcher->>Hub: Publish(push.Event)
    Hub-->>Client: matching event delivery (signed envelope)

    Backend-->>Dispatcher: PushEvent{SessionInvalidation}
    Dispatcher->>Hub: RevokeDeviceSession or RevokeAllForUser
    Hub-->>Client: stream closes with FAILED_PRECONDITION

    Note over Gateway,Hub: During shutdown the gateway closes PushHub before HTTP graceful stop.
    Hub-->>Client: stream closes with UNAVAILABLE
Reference in New Issue View Git Blame Copy Permalink