developer/galaxy-game
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
86a68ed9d0af72bbea9503c7ab7adcea6390694f
galaxy-game/ARCHITECTURE.md
T
Ilia Denisov 86a68ed9d0 feat: authsession service
2026-04-08 16:23:07 +02:00

255 lines
7.3 KiB
Markdown
Raw Blame History

# Services Architecture
Galaxy Plus: Turn-based Strategy Game
## Purpose
This document fixes the high-level service architecture of the system.
It is the starting point for implementing the external edge layer, authentication/session management, business services, and push delivery.
## Main Principles
- The system exposes a single external entry point: **Edge Gateway**.
- Internal business services are **not reachable directly from outside**.
- Any external command, except public auth commands, must be authenticated before it is routed further.
- Gateway handles only edge concerns. Business validation and domain rules remain inside business services.
- Gateway owns external delivery channels; the v1 implementation uses
authenticated gRPC server-streaming push, while long-polling remains out of
scope.
```mermaid
flowchart LR
Client["Clients\n(native and browser)"]
Gateway["Edge Gateway\npublic REST + authenticated gRPC"]
Auth["Auth / Session Service"]
Business["Business Services"]
Redis["Redis\nsession cache + replay keys + event streams"]
Telemetry["Telemetry Backends\nPrometheus / OTLP"]
Client --> Gateway
Gateway --> Auth
Gateway --> Business
Gateway --> Redis
Gateway --> Telemetry
Auth --> Redis
Business --> Redis
```
## Main Components
### 1. [Edge Gateway](./gateway/README.md)
The gateway is the only public entry point for client traffic.
Responsibilities:
- transport parsing
- authentication of external requests
- transport integrity checks
- session cache lookup
- request signature verification
- timestamp window verification
- anti-replay checks
- rate limiting and abuse protection
- command routing
- basic policy enforcement
- authenticated gRPC server-streaming push connection handling
- delivery of client-facing events from pub/sub
The gateway must not implement domain-specific business logic.
### 2. [Auth / Session Service](./authsession/README.md)
This service owns authentication and device session lifecycle.
Responsibilities:
- `send_email_code`
- `confirm_email_code`
- device session creation
- public key registration for device sessions
- session revoke / logout
- persistence of session state
- publishing session state changes for cache invalidation/update
This service is the source of truth for `device_session` state.
### 3. Session Store
Persistent storage for device sessions.
Typical fields:
- `device_session_id`
- `user_id`
- client public key
- session status
- creation / revoke timestamps
- optional client metadata
### 4. Session Cache
Fast lookup cache used by the gateway.
Purpose:
- resolve `device_session_id -> user_id + public_key + status`
- avoid synchronous calls from gateway to auth/session service on every request
Cache updates should be driven by session lifecycle events and may also use TTL.
### 5. Anti-Replay Store
Edge-level storage for recently seen transport `request_id` values.
Purpose:
- reject replayed authenticated transport messages within the allowed time window
This is transport-level replay protection, not business idempotency.
### 6. Rate Limit Store
Shared state for edge-level throttling and abuse control.
Typical dimensions:
- IP / network
- `device_session_id`
- `user_id`
- command class
### 7. Business Services
Internal services that process authenticated commands.
Responsibilities:
- business validation
- authorization by `user_id`
- ownership checks
- domain invariants
- state transitions
- business idempotency where required
- publishing domain events and/or client-facing events
Business services do not verify external signatures and do not access external clients directly.
### 8. Event Bus / Pub-Sub
Used for internal event distribution.
Purposes:
- session cache invalidation/update
- client-facing event delivery through the gateway
- optional internal domain event propagation between services
## External Flows
### Public Auth Flow
These commands are public and do not require an existing device session:
- `send_email_code`
- `confirm_email_code`
Flow:
1. client sends public auth command to gateway
2. gateway applies public-edge checks (format, rate limits, abuse policy)
3. gateway routes command to auth/session service
4. auth/session service performs auth logic
5. if login is confirmed, auth/session service creates `device_session`
6. auth/session service publishes cache update/invalidation event
### Authenticated Command Flow
All other external commands require authentication.
Flow:
1. client sends authenticated request to gateway
2. gateway validates transport envelope presence and protocol version
3. gateway resolves `device_session_id` through session cache
4. gateway rejects unknown or revoked sessions
5. gateway verifies request signature
6. gateway verifies timestamp window
7. gateway verifies anti-replay constraints
8. gateway applies rate limits and basic policy checks
9. gateway extracts authenticated context, including `user_id`
10. gateway routes the request to the target business service based on `message_type`
No business service should receive an unauthenticated external request.
### Push Flow
The gateway owns external delivery connections.
The v1 gateway uses authenticated gRPC server-streaming push.
Long-polling remains out of scope for the implemented gateway.
Flow:
1. client opens authenticated push connection through gateway
2. gateway binds connection to `user_id` and `device_session_id`
3. gateway starts the channel with a signed service event that includes the
current server time for clock offset calculation
4. internal services publish client-facing events to pub/sub targeted by
`user_id` and optionally by `device_session_id`
5. gateway consumes those events and delivers them to the proper client
connections
Gateway is a delivery layer, not the source of business events.
## Internal Contract Between Gateway and Business Services
Business services should receive an internal authenticated command, not raw external transport data.
Typical internal authenticated context:
- `user_id`
- `device_session_id`
- `message_type`
- verified payload bytes
- transport `request_id`
- optional command id / trace id
- optional client metadata relevant for logging
Business services must trust only the gateway as their external ingress.
## Separation of Responsibilities
### Gateway is responsible for
- who sent the request
- whether transport integrity is valid
- whether the request is fresh
- whether replay is detected
- whether request volume is acceptable
- where to route the request
### Business services are responsible for
- whether the user is allowed to perform the business action
- whether the target object belongs to the user
- whether the domain state transition is valid
- whether business idempotency rules are satisfied
## Revocation Behavior
When a device session is revoked:
- auth/session service updates the source of truth
- auth/session service publishes revoke/invalidation event
- gateway updates or invalidates session cache
- gateway rejects further requests for that session
- gateway closes active authenticated push streams bound to that session, if applicable
## Non-Goals
The gateway is not a place for full domain authorization logic.
It must not become a business “god service”.
The auth/session service is not the hot path for every authenticated request.
The gateway should authenticate most requests from cache, not by synchronous round-trips.
Reference in New Issue View Git Blame Copy Permalink