feat(account): VK ID web login to link a VK identity from a browser
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m4s
CI / conformance (pull_request) Successful in 9s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m39s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m4s
CI / conformance (pull_request) Successful in 9s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m39s
A browser has no signed VK Mini App launch params, so linking VK on the web uses
VK ID's raw OAuth 2.1 flow (PKCE, no @vkid/sdk): the SPA redirects to VK's hosted
login and returns with an authorization code, which the gateway exchanges
server-side (confidential, under the VK "Web" app's protected key) for the trusted
vk user id — then the existing link/merge machinery attaches or merges it.
- fbs LinkVKRequest{code, device_id, code_verifier}; codec + TS bindings.
- backend link.Service ConfirmVK/MergeVK/attachVK (KindVK, mirror Telegram),
handleLinkVK[Merge], routes /user/link/vk[/merge], backendclient LinkVK[Merge].
- gateway internal/vkid confidential code exchange (id.vk.com/oauth2/auth);
transcode link.vk.confirm/merge (registered only when configured) + config
GATEWAY_VK_ID_{APP_ID,CLIENT_SECRET,REDIRECT_URL} + main wiring.
- UI lib/vkid (PKCE authorize redirect + callback), Profile "Link VK" control,
boot callback handling; a merge re-authorizes for a fresh code (VK codes are
single-use). Web-only (a redirect strands a Mini App webview).
- Deploy: VITE_VK_APP_ID + VITE_VK_ID_REDIRECT_URL build args + gateway env,
ci.yaml/prod-deploy TEST_/PROD_ vars, compose/Dockerfile/.env.example/README.
- Tests: vkid exchange unit (string/number user_id, id_token fallback, errors),
transcode link.vk, backend ConfirmVK/MergeVK inttest, codec encodeLinkVK.
- Docs: ARCHITECTURE §4, FUNCTIONAL(+ru), gateway README.
This commit is contained in:
@@ -74,6 +74,8 @@ func (s *Server) registerRoutes() {
|
||||
u.POST("/link/email/merge", s.handleLinkEmailMerge)
|
||||
u.POST("/link/telegram", s.handleLinkTelegram)
|
||||
u.POST("/link/telegram/merge", s.handleLinkTelegramMerge)
|
||||
u.POST("/link/vk", s.handleLinkVK)
|
||||
u.POST("/link/vk/merge", s.handleLinkVKMerge)
|
||||
u.POST("/link/unlink", s.handleUnlink)
|
||||
// Change the account's confirmed email: mail a code to the new address, then
|
||||
// atomically switch on confirm (a new address owned by another account is
|
||||
|
||||
@@ -34,6 +34,12 @@ type linkTelegramBody struct {
|
||||
ExternalID string `json:"external_id"`
|
||||
}
|
||||
|
||||
// linkVKBody carries a gateway-validated VK identity (the trusted vk user id the
|
||||
// gateway resolved from the VK ID code exchange).
|
||||
type linkVKBody struct {
|
||||
ExternalID string `json:"external_id"`
|
||||
}
|
||||
|
||||
// linkResultResponse is the unified result of a confirm or merge step. Status is
|
||||
// "linked" (bound to the caller), "merge_required" (the identity belongs to another
|
||||
// account — the secondary_* fields summarise it for the irreversible confirmation),
|
||||
@@ -233,6 +239,48 @@ func (s *Server) handleLinkTelegramMerge(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, s.mergeResultResponse(c, res))
|
||||
}
|
||||
|
||||
// handleLinkVK attaches a gateway-validated VK identity to the caller or reports a
|
||||
// required merge.
|
||||
func (s *Server) handleLinkVK(c *gin.Context) {
|
||||
uid, ok := userID(c)
|
||||
if !ok {
|
||||
abortBadRequest(c, "missing identity")
|
||||
return
|
||||
}
|
||||
var req linkVKBody
|
||||
if err := c.ShouldBindJSON(&req); err != nil || req.ExternalID == "" {
|
||||
abortBadRequest(c, "missing external_id")
|
||||
return
|
||||
}
|
||||
res, err := s.links.ConfirmVK(c.Request.Context(), uid, req.ExternalID)
|
||||
if err != nil {
|
||||
s.abortErr(c, err)
|
||||
return
|
||||
}
|
||||
c.JSON(http.StatusOK, s.confirmResultResponse(c, uid, res))
|
||||
}
|
||||
|
||||
// handleLinkVKMerge merges the account owning a gateway-validated VK identity into
|
||||
// the caller's.
|
||||
func (s *Server) handleLinkVKMerge(c *gin.Context) {
|
||||
uid, ok := userID(c)
|
||||
if !ok {
|
||||
abortBadRequest(c, "missing identity")
|
||||
return
|
||||
}
|
||||
var req linkVKBody
|
||||
if err := c.ShouldBindJSON(&req); err != nil || req.ExternalID == "" {
|
||||
abortBadRequest(c, "missing external_id")
|
||||
return
|
||||
}
|
||||
res, err := s.links.MergeVK(c.Request.Context(), uid, req.ExternalID)
|
||||
if err != nil {
|
||||
s.abortErr(c, err)
|
||||
return
|
||||
}
|
||||
c.JSON(http.StatusOK, s.mergeResultResponse(c, res))
|
||||
}
|
||||
|
||||
// confirmResultResponse renders a confirm step: a merge preview (secondary summary)
|
||||
// or a completed link (the active account's refreshed profile).
|
||||
func (s *Server) confirmResultResponse(c *gin.Context, activeID uuid.UUID, res link.ConfirmResult) linkResultResponse {
|
||||
|
||||
Reference in New Issue
Block a user