feat(payments): trusted platform signal on the session
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
Record the execution platform (kind vk|telegram|direct + device subtype ios|android|web) on each session, captured at creation and carried gateway->backend as a trusted X-Platform header, so the upcoming store-compliance gate has an unforgeable execution context. - backend.sessions gains nullable platform_kind/platform_subtype columns (migration 00011, CHECK-constrained, jet regenerated); session.Platform captures them at mint, resolve returns them, middleware exposes platform(c). kind is derived from the establish endpoint, never a client field; the account-merge session mint inherits the caller's platform. - gateway derives the platform (VK subtype from the signed vk_platform via vkauth, Telegram/direct best-effort from the client) and injects X-Platform on every authenticated backend call through the request context. - ui submits a best-effort device subtype on the telegram/guest/email login requests (new FBS subtype field); VK is server-derived from the signed params. - an unattributed session is untrusted (view-only); VK/TG self-heal on the next cold-start re-mint, direct/email on re-login. Signal plumbing only, no user-visible change; X-Platform is inert until the gate consumes it.
This commit is contained in:
@@ -26,7 +26,8 @@ func TestSessionLifecycle(t *testing.T) {
|
||||
store := session.NewStore(testDB)
|
||||
svc := session.NewService(store, session.NewCache())
|
||||
|
||||
token, sess, err := svc.Create(ctx, acc.ID)
|
||||
platform := session.Platform{Kind: session.PlatformKindVK, Subtype: session.SubtypeIOS}
|
||||
token, sess, err := svc.Create(ctx, acc.ID, platform)
|
||||
if err != nil {
|
||||
t.Fatalf("create session: %v", err)
|
||||
}
|
||||
@@ -36,6 +37,9 @@ func TestSessionLifecycle(t *testing.T) {
|
||||
if token == sess.TokenHash {
|
||||
t.Error("plaintext token must not equal the stored hash")
|
||||
}
|
||||
if sess.Platform != platform {
|
||||
t.Errorf("session platform = %+v, want %+v", sess.Platform, platform)
|
||||
}
|
||||
|
||||
// Resolve via the warm write-through cache.
|
||||
got, err := svc.Resolve(ctx, token)
|
||||
@@ -63,8 +67,8 @@ func TestSessionLifecycle(t *testing.T) {
|
||||
if _, ok := cold.Get(session.HashToken(token)); !ok {
|
||||
t.Error("Warm must load the active session into the cache")
|
||||
}
|
||||
if got2, err := svc2.Resolve(ctx, token); err != nil || got2.ID != sess.ID {
|
||||
t.Errorf("resolve after warm = (%s, %v), want %s", got2.ID, err, sess.ID)
|
||||
if got2, err := svc2.Resolve(ctx, token); err != nil || got2.ID != sess.ID || got2.Platform != platform {
|
||||
t.Errorf("resolve after warm = (%s, %+v, %v), want %s / %+v", got2.ID, got2.Platform, err, sess.ID, platform)
|
||||
}
|
||||
|
||||
// Revoke, then the token no longer resolves; revoke again is a no-op.
|
||||
|
||||
Reference in New Issue
Block a user