feat(payments): trusted platform signal on the session
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
Record the execution platform (kind vk|telegram|direct + device subtype ios|android|web) on each session, captured at creation and carried gateway->backend as a trusted X-Platform header, so the upcoming store-compliance gate has an unforgeable execution context. - backend.sessions gains nullable platform_kind/platform_subtype columns (migration 00011, CHECK-constrained, jet regenerated); session.Platform captures them at mint, resolve returns them, middleware exposes platform(c). kind is derived from the establish endpoint, never a client field; the account-merge session mint inherits the caller's platform. - gateway derives the platform (VK subtype from the signed vk_platform via vkauth, Telegram/direct best-effort from the client) and injects X-Platform on every authenticated backend call through the request context. - ui submits a best-effort device subtype on the telegram/guest/email login requests (new FBS subtype field); VK is server-derived from the signed params. - an unattributed session is untrusted (view-only); VK/TG self-heal on the next cold-start re-mint, direct/email on re-login. Signal plumbing only, no user-visible change; X-Platform is inert until the gate consumes it.
This commit is contained in:
@@ -0,0 +1,65 @@
|
||||
package session
|
||||
|
||||
import "context"
|
||||
|
||||
// Platform is the trusted execution context recorded on a session: the wrapper
|
||||
// Kind the session was established through and the device Subtype. An empty Kind
|
||||
// marks an untrusted session — one minted before platform capture, or one the
|
||||
// gateway could not attribute — which the payments compliance gate treats as
|
||||
// view-only.
|
||||
//
|
||||
// Kind is always trustworthy: it is derived server-side from the validated
|
||||
// establish path, never from a client-supplied field. Subtype is trustworthy only
|
||||
// for VK (vk_platform rides inside the signed launch params); for telegram and
|
||||
// direct it is client-reported and best-effort, so the gate must never rely on it.
|
||||
type Platform struct {
|
||||
Kind string
|
||||
Subtype string
|
||||
}
|
||||
|
||||
// Platform kinds recorded in platform_kind.
|
||||
const (
|
||||
PlatformKindVK = "vk"
|
||||
PlatformKindTelegram = "telegram"
|
||||
PlatformKindDirect = "direct"
|
||||
)
|
||||
|
||||
// Platform subtypes recorded in platform_subtype.
|
||||
const (
|
||||
SubtypeIOS = "ios"
|
||||
SubtypeAndroid = "android"
|
||||
SubtypeWeb = "web"
|
||||
)
|
||||
|
||||
// Trusted reports whether the session was attributed to a platform (a non-empty
|
||||
// Kind). The zero Platform is untrusted.
|
||||
func (p Platform) Trusted() bool { return p.Kind != "" }
|
||||
|
||||
// NormalizeSubtype coerces subtype to one of the known device families, defaulting
|
||||
// an empty or unrecognised value to web. A newly established session always carries
|
||||
// at least a web subtype, so a trusted session is never left without one.
|
||||
func NormalizeSubtype(subtype string) string {
|
||||
switch subtype {
|
||||
case SubtypeIOS, SubtypeAndroid, SubtypeWeb:
|
||||
return subtype
|
||||
default:
|
||||
return SubtypeWeb
|
||||
}
|
||||
}
|
||||
|
||||
// platformCtxKey types the request-context slot the trusted platform rides in.
|
||||
type platformCtxKey struct{}
|
||||
|
||||
// WithPlatform returns a copy of ctx carrying platform. The backend middleware
|
||||
// calls it after parsing the gateway-injected X-Platform header, so downstream
|
||||
// handlers and the link/merge session mint read the caller's platform from ctx.
|
||||
func WithPlatform(ctx context.Context, platform Platform) context.Context {
|
||||
return context.WithValue(ctx, platformCtxKey{}, platform)
|
||||
}
|
||||
|
||||
// PlatformFromContext returns the platform stored by WithPlatform and whether one
|
||||
// was present. A missing value yields the zero (untrusted) Platform.
|
||||
func PlatformFromContext(ctx context.Context) (Platform, bool) {
|
||||
p, ok := ctx.Value(platformCtxKey{}).(Platform)
|
||||
return p, ok
|
||||
}
|
||||
Reference in New Issue
Block a user