feat(payments): trusted platform signal on the session
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
Record the execution platform (kind vk|telegram|direct + device subtype ios|android|web) on each session, captured at creation and carried gateway->backend as a trusted X-Platform header, so the upcoming store-compliance gate has an unforgeable execution context. - backend.sessions gains nullable platform_kind/platform_subtype columns (migration 00011, CHECK-constrained, jet regenerated); session.Platform captures them at mint, resolve returns them, middleware exposes platform(c). kind is derived from the establish endpoint, never a client field; the account-merge session mint inherits the caller's platform. - gateway derives the platform (VK subtype from the signed vk_platform via vkauth, Telegram/direct best-effort from the client) and injects X-Platform on every authenticated backend call through the request context. - ui submits a best-effort device subtype on the telegram/guest/email login requests (new FBS subtype field); VK is server-derived from the signed params. - an unattributed session is untrusted (view-only); VK/TG self-heal on the next cold-start re-mint, direct/email on re-login. Signal plumbing only, no user-visible change; X-Platform is inert until the gate consumes it.
This commit is contained in:
@@ -25,7 +25,8 @@ const (
|
||||
var ErrNotFound = errors.New("session: not found")
|
||||
|
||||
// Session mirrors a row in backend.sessions. TokenHash is the hex-encoded
|
||||
// SHA-256 of the bearer token.
|
||||
// SHA-256 of the bearer token. Platform is the trusted execution context captured
|
||||
// at creation; its zero value marks an untrusted session (see Platform).
|
||||
type Session struct {
|
||||
ID uuid.UUID
|
||||
AccountID uuid.UUID
|
||||
@@ -34,6 +35,7 @@ type Session struct {
|
||||
CreatedAt time.Time
|
||||
LastSeenAt *time.Time
|
||||
RevokedAt *time.Time
|
||||
Platform Platform
|
||||
}
|
||||
|
||||
// Store is the Postgres-backed query surface for backend.sessions.
|
||||
@@ -46,9 +48,10 @@ func NewStore(db *sql.DB) *Store {
|
||||
return &Store{db: db}
|
||||
}
|
||||
|
||||
// Insert persists a new active session for accountID carrying tokenHash and
|
||||
// returns the persisted row.
|
||||
func (s *Store) Insert(ctx context.Context, accountID uuid.UUID, tokenHash string) (Session, error) {
|
||||
// Insert persists a new active session for accountID carrying tokenHash and the
|
||||
// captured platform, and returns the persisted row. An empty platform Kind/Subtype
|
||||
// is written as SQL NULL, so an untrusted session records no platform.
|
||||
func (s *Store) Insert(ctx context.Context, accountID uuid.UUID, tokenHash string, platform Platform) (Session, error) {
|
||||
id, err := uuid.NewV7()
|
||||
if err != nil {
|
||||
return Session{}, fmt.Errorf("session: new id: %w", err)
|
||||
@@ -57,7 +60,9 @@ func (s *Store) Insert(ctx context.Context, accountID uuid.UUID, tokenHash strin
|
||||
table.Sessions.SessionID,
|
||||
table.Sessions.AccountID,
|
||||
table.Sessions.TokenHash,
|
||||
).VALUES(id, accountID, tokenHash).RETURNING(table.Sessions.AllColumns)
|
||||
table.Sessions.PlatformKind,
|
||||
table.Sessions.PlatformSubtype,
|
||||
).VALUES(id, accountID, tokenHash, stringOrNull(platform.Kind), stringOrNull(platform.Subtype)).RETURNING(table.Sessions.AllColumns)
|
||||
|
||||
var row model.Sessions
|
||||
if err := stmt.QueryContext(ctx, s.db, &row); err != nil {
|
||||
@@ -173,5 +178,20 @@ func modelToSession(row model.Sessions) Session {
|
||||
t := *row.RevokedAt
|
||||
s.RevokedAt = &t
|
||||
}
|
||||
if row.PlatformKind != nil {
|
||||
s.Platform.Kind = *row.PlatformKind
|
||||
}
|
||||
if row.PlatformSubtype != nil {
|
||||
s.Platform.Subtype = *row.PlatformSubtype
|
||||
}
|
||||
return s
|
||||
}
|
||||
|
||||
// stringOrNull maps an empty string to a SQL NULL literal and any other value to a
|
||||
// string literal, so an untrusted session's absent platform is stored as NULL.
|
||||
func stringOrNull(s string) postgres.Expression {
|
||||
if s == "" {
|
||||
return postgres.NULL
|
||||
}
|
||||
return postgres.String(s)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user