feat(payments): live payment-availability kill switch + per-account override
CI / changes (pull_request) Successful in 3s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 21s
CI / ui (pull_request) Successful in 1m15s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 2m0s
CI / changes (pull_request) Successful in 3s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 21s
CI / ui (pull_request) Successful in 1m15s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 2m0s
Let an operator disable purchases live from the admin — a whole rail/channel or one account — and show the user a localized reason on their next attempt, so a provider outage or a misconfig is explained instead of a silent dead button. - rail kill switch (payments.rail_status, per rail direct:web / direct:android / vk / telegram): enabled + a per-language message, edited on the catalog page. Fail-open — a rail with no row stays enabled, so payments are never accidentally killed. The intake gate (CanPurchase in handleWalletOrder, before the order) returns payment_unavailable + the localized message, orthogonal to the security gates. - per-account override (payments.account_payment_override, a row only for non-default): allow / deny / default, edited on the user card. "allow" bypasses ONLY the ops rail switch, never the security gates (trusted platform, the email anchor, the VK-iOS freeze, the min client version). - wire: an additive ExecuteResponse.message envelope field (frozen-contract-safe); the gateway forwards a backend domain-error message; the client shows it on a payment_unavailable buy attempt. - admin: rail toggles on the catalog page, the override control on the user card. - tests: the pure gate (unit, TDD), the store + gate + override end-to-end (integration, migration 00016), the client (svelte-check / vitest). - docs: PAYMENTS (+ru), the decisions log (D45/D46). Fiscalization stays cabinet-side (owner decision) — no itemized-receipt code. Contour-safe: additive migration (two new tables, no wipe), the wire add is additive, and fail-open so nothing is disabled until an operator acts.
This commit is contained in:
@@ -0,0 +1,107 @@
|
||||
package payments
|
||||
|
||||
import "slices"
|
||||
|
||||
// PurchaseOverride is a per-account purchase override that forces purchases allowed or denied for
|
||||
// one account regardless of the operational rail switch, or is absent (OverrideDefault) when the
|
||||
// account follows the rail switch. The zero value is OverrideDefault, so a missing override row maps
|
||||
// to it. OverrideAllow bypasses ONLY the operational rail switch — never the security / compliance
|
||||
// gates (trusted platform, the D36 email anchor, the VK-iOS spend freeze, the min client version),
|
||||
// which CreateOrder enforces separately.
|
||||
type PurchaseOverride int
|
||||
|
||||
const (
|
||||
// OverrideDefault follows the rail switch (no override row for the account).
|
||||
OverrideDefault PurchaseOverride = iota
|
||||
// OverrideAllow always allows the purchase, bypassing only the operational rail switch.
|
||||
OverrideAllow
|
||||
// OverrideDeny always denies the purchase for the account.
|
||||
OverrideDeny
|
||||
)
|
||||
|
||||
// RailAvailability is a payment rail's operational availability: whether purchases are enabled and,
|
||||
// when disabled, the operator's explanation in each language, shown to the user on a purchase
|
||||
// attempt. A rail with no status row is treated as enabled (fail-open — see the store), so the
|
||||
// zero value is never used as a live "enabled" default.
|
||||
type RailAvailability struct {
|
||||
Enabled bool
|
||||
MessageRU string
|
||||
MessageEN string
|
||||
}
|
||||
|
||||
// PurchaseGate decides whether an account may open a purchase order on a rail, from the per-account
|
||||
// override and the rail's operational availability. It is the operational layer only — the caller
|
||||
// still enforces the security gates. On a block it returns a reason localized to lang ("ru", else
|
||||
// English). Fail-open: OverrideDefault on an enabled rail allows.
|
||||
func PurchaseGate(override PurchaseOverride, rail RailAvailability, lang string) (ok bool, reason string) {
|
||||
switch override {
|
||||
case OverrideAllow:
|
||||
return true, "" // bypasses only the ops switch; the security gates still apply upstream
|
||||
case OverrideDeny:
|
||||
return false, defaultUnavailable(lang) // a per-account block — a neutral reason
|
||||
default: // OverrideDefault — follow the rail switch
|
||||
if rail.Enabled {
|
||||
return true, ""
|
||||
}
|
||||
return false, railMessage(rail, lang)
|
||||
}
|
||||
}
|
||||
|
||||
// railMessage returns the operator's rail-off message in lang, falling back to the other language
|
||||
// and then to the built-in default when the operator left both blank.
|
||||
func railMessage(rail RailAvailability, lang string) string {
|
||||
if lang == "ru" {
|
||||
if rail.MessageRU != "" {
|
||||
return rail.MessageRU
|
||||
}
|
||||
if rail.MessageEN != "" {
|
||||
return rail.MessageEN
|
||||
}
|
||||
} else {
|
||||
if rail.MessageEN != "" {
|
||||
return rail.MessageEN
|
||||
}
|
||||
if rail.MessageRU != "" {
|
||||
return rail.MessageRU
|
||||
}
|
||||
}
|
||||
return defaultUnavailable(lang)
|
||||
}
|
||||
|
||||
// defaultUnavailable is the built-in localized "payments unavailable" reason used when the operator
|
||||
// set no custom message, and for a per-account deny.
|
||||
func defaultUnavailable(lang string) string {
|
||||
if lang == "ru" {
|
||||
return "Оплата временно недоступна. Попробуйте позже."
|
||||
}
|
||||
return "Payments are temporarily unavailable. Please try again later."
|
||||
}
|
||||
|
||||
// Rail keys name the operational payment rails the kill switch and the per-account override key on.
|
||||
// The direct rail is split per channel (D42); vk and telegram are single-rail.
|
||||
const (
|
||||
RailDirectWeb = "direct:web"
|
||||
RailDirectAndroid = "direct:android"
|
||||
RailVK = "vk"
|
||||
RailTelegram = "telegram"
|
||||
)
|
||||
|
||||
// KnownRails is the fixed set of rail keys, for the admin editor and for validation.
|
||||
var KnownRails = []string{RailDirectWeb, RailDirectAndroid, RailVK, RailTelegram}
|
||||
|
||||
// RailKey maps a payment context to its operational rail key: the direct rail by channel subtype
|
||||
// (android, else web), or the store rail's own name (vk / telegram).
|
||||
func RailKey(kind Source, subtype string) string {
|
||||
if kind == SourceDirect {
|
||||
if subtype == "android" {
|
||||
return RailDirectAndroid
|
||||
}
|
||||
return RailDirectWeb
|
||||
}
|
||||
return string(kind)
|
||||
}
|
||||
|
||||
// isKnownRail reports whether rail is one of the fixed rail keys.
|
||||
func isKnownRail(rail string) bool {
|
||||
return slices.Contains(KnownRails, rail)
|
||||
}
|
||||
@@ -0,0 +1,40 @@
|
||||
package payments
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestPurchaseGate(t *testing.T) {
|
||||
on := RailAvailability{Enabled: true}
|
||||
offMsg := RailAvailability{Enabled: false, MessageRU: "Чиним", MessageEN: "Fixing"}
|
||||
offNoMsg := RailAvailability{Enabled: false}
|
||||
|
||||
// OverrideDefault follows the rail switch.
|
||||
if ok, _ := PurchaseGate(OverrideDefault, on, "en"); !ok {
|
||||
t.Error("default + enabled rail should allow")
|
||||
}
|
||||
if ok, r := PurchaseGate(OverrideDefault, offMsg, "ru"); ok || r != "Чиним" {
|
||||
t.Errorf("default + off rail (ru) = %v/%q, want false/Чиним", ok, r)
|
||||
}
|
||||
if ok, r := PurchaseGate(OverrideDefault, offMsg, "en"); ok || r != "Fixing" {
|
||||
t.Errorf("default + off rail (en) = %v/%q, want false/Fixing", ok, r)
|
||||
}
|
||||
|
||||
// Off rail with no custom message → the built-in default, localized (not the English default in ru).
|
||||
if ok, r := PurchaseGate(OverrideDefault, offNoMsg, "ru"); ok || r != defaultUnavailable("ru") {
|
||||
t.Errorf("default + off no-msg (ru) = %v/%q, want false + the ru default", ok, r)
|
||||
}
|
||||
|
||||
// OverrideAllow bypasses the ops switch even when the rail is off.
|
||||
if ok, r := PurchaseGate(OverrideAllow, offMsg, "en"); !ok || r != "" {
|
||||
t.Errorf("allow + off rail = %v/%q, want true/empty (bypasses the ops switch)", ok, r)
|
||||
}
|
||||
|
||||
// OverrideDeny blocks even when the rail is on, with a non-empty reason.
|
||||
if ok, r := PurchaseGate(OverrideDeny, on, "en"); ok || r == "" {
|
||||
t.Errorf("deny + on rail = %v/%q, want false + a reason", ok, r)
|
||||
}
|
||||
|
||||
// The message falls back to the other language when only one is set.
|
||||
if _, r := PurchaseGate(OverrideDefault, RailAvailability{MessageEN: "OnlyEN"}, "ru"); r != "OnlyEN" {
|
||||
t.Errorf("off rail ru with only EN msg = %q, want OnlyEN (fallback)", r)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,63 @@
|
||||
package payments
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
// CanPurchase reports whether an account may open a purchase order on rail, combining the account's
|
||||
// per-account override with the rail's operational switch (PurchaseGate). It is the operational
|
||||
// availability layer only — the caller still enforces the security gates (trusted platform, the D36
|
||||
// email anchor, the VK-iOS spend freeze, the min client version). On a block, reason is localized to
|
||||
// lang for the user; err is only a store failure.
|
||||
func (s *Service) CanPurchase(ctx context.Context, accountID uuid.UUID, rail, lang string) (ok bool, reason string, err error) {
|
||||
ov, err := s.store.purchaseOverride(ctx, accountID)
|
||||
if err != nil {
|
||||
return false, "", err
|
||||
}
|
||||
avail, err := s.store.railAvailability(ctx, rail)
|
||||
if err != nil {
|
||||
return false, "", err
|
||||
}
|
||||
ok, reason = PurchaseGate(ov, avail, lang)
|
||||
return ok, reason, nil
|
||||
}
|
||||
|
||||
// RailStatuses returns every known rail's operational status for the admin editor, filling a rail
|
||||
// with no stored row with the fail-open enabled default so the editor always shows one row per rail.
|
||||
func (s *Service) RailStatuses(ctx context.Context) (map[string]RailAvailability, error) {
|
||||
stored, err := s.store.allRailStatus(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
out := make(map[string]RailAvailability, len(KnownRails))
|
||||
for _, rail := range KnownRails {
|
||||
if a, ok := stored[rail]; ok {
|
||||
out[rail] = a
|
||||
} else {
|
||||
out[rail] = RailAvailability{Enabled: true}
|
||||
}
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
// SetRailStatus upserts a rail's operational status from the admin editor. It rejects an unknown rail
|
||||
// key so a typo cannot create a dead row.
|
||||
func (s *Service) SetRailStatus(ctx context.Context, rail string, a RailAvailability) error {
|
||||
if !isKnownRail(rail) {
|
||||
return fmt.Errorf("payments: unknown rail %q", rail)
|
||||
}
|
||||
return s.store.setRailStatus(ctx, rail, a, s.clock())
|
||||
}
|
||||
|
||||
// PurchaseOverrideFor returns an account's purchase override (OverrideDefault when none is set).
|
||||
func (s *Service) PurchaseOverrideFor(ctx context.Context, accountID uuid.UUID) (PurchaseOverride, error) {
|
||||
return s.store.purchaseOverride(ctx, accountID)
|
||||
}
|
||||
|
||||
// SetPurchaseOverride sets or clears an account's purchase override (OverrideDefault deletes the row).
|
||||
func (s *Service) SetPurchaseOverride(ctx context.Context, accountID uuid.UUID, ov PurchaseOverride) error {
|
||||
return s.store.setPurchaseOverride(ctx, accountID, ov, s.clock())
|
||||
}
|
||||
@@ -0,0 +1,96 @@
|
||||
package payments
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
// railAvailability reads a rail's operational availability. A missing row is fail-open: enabled with
|
||||
// no message, so payments stay on unless an operator explicitly disabled the rail.
|
||||
func (s *Store) railAvailability(ctx context.Context, rail string) (RailAvailability, error) {
|
||||
var a RailAvailability
|
||||
err := s.db.QueryRowContext(ctx,
|
||||
`SELECT enabled, message_ru, message_en FROM payments.rail_status WHERE rail = $1`, rail).
|
||||
Scan(&a.Enabled, &a.MessageRU, &a.MessageEN)
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return RailAvailability{Enabled: true}, nil
|
||||
}
|
||||
if err != nil {
|
||||
return RailAvailability{}, fmt.Errorf("payments: read rail status %q: %w", rail, err)
|
||||
}
|
||||
return a, nil
|
||||
}
|
||||
|
||||
// allRailStatus reads every stored rail-status row for the admin editor, keyed by rail. Rails with
|
||||
// no row are absent (the caller fills them with the fail-open enabled default).
|
||||
func (s *Store) allRailStatus(ctx context.Context) (map[string]RailAvailability, error) {
|
||||
rows, err := s.db.QueryContext(ctx,
|
||||
`SELECT rail, enabled, message_ru, message_en FROM payments.rail_status`)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("payments: read rail statuses: %w", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
out := make(map[string]RailAvailability)
|
||||
for rows.Next() {
|
||||
var rail string
|
||||
var a RailAvailability
|
||||
if err := rows.Scan(&rail, &a.Enabled, &a.MessageRU, &a.MessageEN); err != nil {
|
||||
return nil, fmt.Errorf("payments: scan rail status: %w", err)
|
||||
}
|
||||
out[rail] = a
|
||||
}
|
||||
return out, rows.Err()
|
||||
}
|
||||
|
||||
// setRailStatus upserts a rail's operational status (admin).
|
||||
func (s *Store) setRailStatus(ctx context.Context, rail string, a RailAvailability, now time.Time) error {
|
||||
if _, err := s.db.ExecContext(ctx,
|
||||
`INSERT INTO payments.rail_status (rail, enabled, message_ru, message_en, updated_at)
|
||||
VALUES ($1, $2, $3, $4, $5)
|
||||
ON CONFLICT (rail) DO UPDATE SET enabled = $2, message_ru = $3, message_en = $4, updated_at = $5`,
|
||||
rail, a.Enabled, a.MessageRU, a.MessageEN, now); err != nil {
|
||||
return fmt.Errorf("payments: set rail status %q: %w", rail, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// purchaseOverride reads an account's purchase override; a missing row is OverrideDefault.
|
||||
func (s *Store) purchaseOverride(ctx context.Context, accountID uuid.UUID) (PurchaseOverride, error) {
|
||||
var allow bool
|
||||
err := s.db.QueryRowContext(ctx,
|
||||
`SELECT allow FROM payments.account_payment_override WHERE account_id = $1`, accountID).Scan(&allow)
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return OverrideDefault, nil
|
||||
}
|
||||
if err != nil {
|
||||
return OverrideDefault, fmt.Errorf("payments: read purchase override %s: %w", accountID, err)
|
||||
}
|
||||
if allow {
|
||||
return OverrideAllow, nil
|
||||
}
|
||||
return OverrideDeny, nil
|
||||
}
|
||||
|
||||
// setPurchaseOverride upserts an account's override, or deletes the row for OverrideDefault (the
|
||||
// default state is the absence of a row).
|
||||
func (s *Store) setPurchaseOverride(ctx context.Context, accountID uuid.UUID, ov PurchaseOverride, now time.Time) error {
|
||||
if ov == OverrideDefault {
|
||||
if _, err := s.db.ExecContext(ctx,
|
||||
`DELETE FROM payments.account_payment_override WHERE account_id = $1`, accountID); err != nil {
|
||||
return fmt.Errorf("payments: clear purchase override %s: %w", accountID, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
if _, err := s.db.ExecContext(ctx,
|
||||
`INSERT INTO payments.account_payment_override (account_id, allow, updated_at) VALUES ($1, $2, $3)
|
||||
ON CONFLICT (account_id) DO UPDATE SET allow = $2, updated_at = $3`,
|
||||
accountID, ov == OverrideAllow, now); err != nil {
|
||||
return fmt.Errorf("payments: set purchase override %s: %w", accountID, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
Reference in New Issue
Block a user