feat(payments): trusted platform signal on the session
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
Record the execution platform (kind vk|telegram|direct + device subtype ios|android|web) on each session, captured at creation and carried gateway->backend as a trusted X-Platform header, so the upcoming store-compliance gate has an unforgeable execution context. - backend.sessions gains nullable platform_kind/platform_subtype columns (migration 00011, CHECK-constrained, jet regenerated); session.Platform captures them at mint, resolve returns them, middleware exposes platform(c). kind is derived from the establish endpoint, never a client field; the account-merge session mint inherits the caller's platform. - gateway derives the platform (VK subtype from the signed vk_platform via vkauth, Telegram/direct best-effort from the client) and injects X-Platform on every authenticated backend call through the request context. - ui submits a best-effort device subtype on the telegram/guest/email login requests (new FBS subtype field); VK is server-derived from the signed params. - an unattributed session is untrusted (view-only); VK/TG self-heal on the next cold-start re-mint, direct/email on re-login. Signal plumbing only, no user-visible change; X-Platform is inert until the gate consumes it.
This commit is contained in:
@@ -10,6 +10,7 @@ import (
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/notify"
|
||||
"scrabble/backend/internal/session"
|
||||
)
|
||||
|
||||
// The /api/v1/internal/sessions/* endpoints are gateway-only: the gateway has
|
||||
@@ -23,7 +24,9 @@ import (
|
||||
// brand-new account's display name and language; BrowserTZ (the client's detected
|
||||
// "±HH:MM" UTC offset) seeds its time zone; StartParam is the validated launch
|
||||
// deep-link payload, which may seed the new account's variant preferences (first
|
||||
// contact only).
|
||||
// contact only). Subtype is the client-reported device family (ios/android/web);
|
||||
// Telegram's initData does not sign it, so it is recorded best-effort and the
|
||||
// payments gate never relies on it.
|
||||
type telegramAuthRequest struct {
|
||||
ExternalID string `json:"external_id"`
|
||||
Username string `json:"username"`
|
||||
@@ -31,6 +34,7 @@ type telegramAuthRequest struct {
|
||||
LanguageCode string `json:"language_code"`
|
||||
BrowserTZ string `json:"browser_tz"`
|
||||
StartParam string `json:"start_param"`
|
||||
Subtype string `json:"subtype"`
|
||||
}
|
||||
|
||||
// handleTelegramAuth provisions (or finds) the account bound to a Telegram
|
||||
@@ -63,19 +67,22 @@ func (s *Server) handleTelegramAuth(c *gin.Context) {
|
||||
}
|
||||
}
|
||||
}
|
||||
s.mintSession(c, acc)
|
||||
s.mintSession(c, acc, session.Platform{Kind: session.PlatformKindTelegram, Subtype: session.NormalizeSubtype(req.Subtype)})
|
||||
}
|
||||
|
||||
// vkAuthRequest carries the identity the gateway extracted from verified VK launch
|
||||
// params. LanguageCode (vk_language) and DisplayName (read client-side via
|
||||
// VKWebAppGetUserInfo, since VK omits the name from the signed params) seed a brand-new
|
||||
// account's language and display name; BrowserTZ (the client's detected "±HH:MM" UTC
|
||||
// offset) seeds its time zone. All seeds apply on first contact only.
|
||||
// offset) seeds its time zone. All seeds apply on first contact only. Subtype is the
|
||||
// device family the gateway derived from the signed vk_platform param — trusted,
|
||||
// since it rides inside the verified launch signature.
|
||||
type vkAuthRequest struct {
|
||||
ExternalID string `json:"external_id"`
|
||||
LanguageCode string `json:"language_code"`
|
||||
DisplayName string `json:"display_name"`
|
||||
BrowserTZ string `json:"browser_tz"`
|
||||
Subtype string `json:"subtype"`
|
||||
}
|
||||
|
||||
// handleVKAuth provisions (or finds) the account bound to a VK identity and mints a
|
||||
@@ -94,7 +101,7 @@ func (s *Server) handleVKAuth(c *gin.Context) {
|
||||
s.abortErr(c, err)
|
||||
return
|
||||
}
|
||||
s.mintSession(c, acc)
|
||||
s.mintSession(c, acc, session.Platform{Kind: session.PlatformKindVK, Subtype: session.NormalizeSubtype(req.Subtype)})
|
||||
}
|
||||
|
||||
// pushTargetRequest asks for a user's out-of-app push routing data by account id.
|
||||
@@ -150,6 +157,9 @@ func (s *Server) handlePushTarget(c *gin.Context) {
|
||||
// time zone, so robot timing is anchored to the player's zone from the first game.
|
||||
type guestAuthRequest struct {
|
||||
BrowserTZ string `json:"browser_tz"`
|
||||
// Subtype is the client-reported device family (ios/android/web) of this direct
|
||||
// (web/native) session; there is no external signer, so it is recorded best-effort.
|
||||
Subtype string `json:"subtype"`
|
||||
}
|
||||
|
||||
// handleGuestAuth provisions a fresh ephemeral guest account and mints a session,
|
||||
@@ -164,7 +174,7 @@ func (s *Server) handleGuestAuth(c *gin.Context) {
|
||||
s.abortErr(c, err)
|
||||
return
|
||||
}
|
||||
s.mintSession(c, acc)
|
||||
s.mintSession(c, acc, session.Platform{Kind: session.PlatformKindDirect, Subtype: session.NormalizeSubtype(req.Subtype)})
|
||||
}
|
||||
|
||||
// emailRequest is an email-login code request. BrowserTZ (the client's detected
|
||||
@@ -196,10 +206,12 @@ func (s *Server) handleEmailRequest(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, okResponse{OK: true})
|
||||
}
|
||||
|
||||
// emailLoginRequest verifies an email login code.
|
||||
// emailLoginRequest verifies an email login code. Subtype is the client-reported
|
||||
// device family (ios/android/web) of this direct session; recorded best-effort.
|
||||
type emailLoginRequest struct {
|
||||
Email string `json:"email"`
|
||||
Code string `json:"code"`
|
||||
Email string `json:"email"`
|
||||
Code string `json:"code"`
|
||||
Subtype string `json:"subtype"`
|
||||
}
|
||||
|
||||
// handleEmailLogin verifies the code and mints a session for the owning account.
|
||||
@@ -214,7 +226,7 @@ func (s *Server) handleEmailLogin(c *gin.Context) {
|
||||
s.abortErr(c, err)
|
||||
return
|
||||
}
|
||||
s.mintSession(c, acc)
|
||||
s.mintSession(c, acc, session.Platform{Kind: session.PlatformKindDirect, Subtype: session.NormalizeSubtype(req.Subtype)})
|
||||
}
|
||||
|
||||
// confirmLinkResponse is the outcome of a one-tap deeplink confirmation. For a login,
|
||||
@@ -248,7 +260,8 @@ func (s *Server) handleEmailConfirmLink(c *gin.Context) {
|
||||
s.abortErr(c, err)
|
||||
return
|
||||
}
|
||||
token, _, err := s.sessions.Create(c.Request.Context(), acc.ID)
|
||||
// A magic-link login always opens in a browser, so its session is direct/web.
|
||||
token, _, err := s.sessions.Create(c.Request.Context(), acc.ID, session.Platform{Kind: session.PlatformKindDirect, Subtype: session.SubtypeWeb})
|
||||
if err != nil {
|
||||
s.abortErr(c, err)
|
||||
return
|
||||
@@ -288,7 +301,11 @@ func (s *Server) handleResolveSession(c *gin.Context) {
|
||||
// is_guest is best-effort: a transient account read must not fail an otherwise
|
||||
// valid resolve (the auth hot path), so a read error falls back to false; the
|
||||
// per-operation backend gate remains the authoritative guest check.
|
||||
resp := resolveResponse{UserID: sess.AccountID.String()}
|
||||
resp := resolveResponse{
|
||||
UserID: sess.AccountID.String(),
|
||||
PlatformKind: sess.Platform.Kind,
|
||||
PlatformSubtype: sess.Platform.Subtype,
|
||||
}
|
||||
if acc, err := s.accounts.GetByID(c.Request.Context(), sess.AccountID); err == nil {
|
||||
resp.IsGuest = acc.IsGuest
|
||||
}
|
||||
@@ -309,9 +326,10 @@ func (s *Server) handleRevokeSession(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, okResponse{OK: true})
|
||||
}
|
||||
|
||||
// mintSession creates a session for acc and writes the credential response.
|
||||
func (s *Server) mintSession(c *gin.Context, acc account.Account) {
|
||||
token, _, err := s.sessions.Create(c.Request.Context(), acc.ID)
|
||||
// mintSession creates a session for acc carrying the captured platform and writes
|
||||
// the credential response.
|
||||
func (s *Server) mintSession(c *gin.Context, acc account.Account, platform session.Platform) {
|
||||
token, _, err := s.sessions.Create(c.Request.Context(), acc.ID, platform)
|
||||
if err != nil {
|
||||
s.abortErr(c, err)
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user