feat(payments): trusted platform signal on the session
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s

Record the execution platform (kind vk|telegram|direct + device subtype
ios|android|web) on each session, captured at creation and carried
gateway->backend as a trusted X-Platform header, so the upcoming
store-compliance gate has an unforgeable execution context.

- backend.sessions gains nullable platform_kind/platform_subtype columns
  (migration 00011, CHECK-constrained, jet regenerated); session.Platform
  captures them at mint, resolve returns them, middleware exposes platform(c).
  kind is derived from the establish endpoint, never a client field; the
  account-merge session mint inherits the caller's platform.
- gateway derives the platform (VK subtype from the signed vk_platform via
  vkauth, Telegram/direct best-effort from the client) and injects X-Platform
  on every authenticated backend call through the request context.
- ui submits a best-effort device subtype on the telegram/guest/email login
  requests (new FBS subtype field); VK is server-derived from the signed params.
- an unattributed session is untrusted (view-only); VK/TG self-heal on the next
  cold-start re-mint, direct/email on re-login.

Signal plumbing only, no user-visible change; X-Platform is inert until the
gate consumes it.
This commit is contained in:
Ilia Denisov
2026-07-08 03:31:51 +02:00
parent 07815c5a30
commit 92633f935e
39 changed files with 970 additions and 221 deletions
+26 -24
View File
@@ -11,10 +11,11 @@ import (
"time"
)
// Resolver resolves a token to an account id and its guest flag at the backend
// (the cache miss path). backendclient.Client satisfies it.
// Resolver resolves a token to an account id, its guest flag and its trusted
// platform ("<kind>/<subtype>", empty when untrusted) at the backend (the cache
// miss path). backendclient.Client satisfies it.
type Resolver interface {
ResolveSession(ctx context.Context, token string) (string, bool, error)
ResolveSession(ctx context.Context, token string) (string, bool, string, error)
}
// Cache resolves session tokens to account ids, caching hits for ttl.
@@ -29,9 +30,10 @@ type Cache struct {
}
type entry struct {
userID string
isGuest bool
expires time.Time
userID string
isGuest bool
platform string
expires time.Time
}
// NewCache constructs a Cache over backend with the given TTL and maximum size.
@@ -48,19 +50,19 @@ func NewCache(backend Resolver, ttl time.Duration, max int) *Cache {
}
}
// Resolve returns the account id and guest flag for token, consulting the cache
// first and the backend on a miss (caching the result). An empty token is rejected
// by the backend like any unknown token.
func (c *Cache) Resolve(ctx context.Context, token string) (string, bool, error) {
if uid, guest, ok := c.lookup(token); ok {
return uid, guest, nil
// Resolve returns the account id, guest flag and trusted platform for token,
// consulting the cache first and the backend on a miss (caching the result). An
// empty token is rejected by the backend like any unknown token.
func (c *Cache) Resolve(ctx context.Context, token string) (string, bool, string, error) {
if uid, guest, platform, ok := c.lookup(token); ok {
return uid, guest, platform, nil
}
uid, guest, err := c.backend.ResolveSession(ctx, token)
uid, guest, platform, err := c.backend.ResolveSession(ctx, token)
if err != nil {
return "", false, err
return "", false, "", err
}
c.store(token, uid, guest)
return uid, guest, nil
c.store(token, uid, guest, platform)
return uid, guest, platform, nil
}
// Invalidate drops a token from the cache (e.g. after a revoke).
@@ -70,26 +72,26 @@ func (c *Cache) Invalidate(token string) {
delete(c.entries, token)
}
// lookup returns a live cached account id and guest flag for token.
func (c *Cache) lookup(token string) (string, bool, bool) {
// lookup returns a live cached account id, guest flag and platform for token.
func (c *Cache) lookup(token string) (string, bool, string, bool) {
c.mu.Lock()
defer c.mu.Unlock()
e, ok := c.entries[token]
if !ok || !c.now().Before(e.expires) {
return "", false, false
return "", false, "", false
}
return e.userID, e.isGuest, true
return e.userID, e.isGuest, e.platform, true
}
// store caches token -> (userID, isGuest), sweeping expired entries and bounding
// the size.
func (c *Cache) store(token, userID string, isGuest bool) {
// store caches token -> (userID, isGuest, platform), sweeping expired entries and
// bounding the size.
func (c *Cache) store(token, userID string, isGuest bool, platform string) {
c.mu.Lock()
defer c.mu.Unlock()
if len(c.entries) >= c.max {
c.evictLocked()
}
c.entries[token] = entry{userID: userID, isGuest: isGuest, expires: c.now().Add(c.ttl)}
c.entries[token] = entry{userID: userID, isGuest: isGuest, platform: platform, expires: c.now().Add(c.ttl)}
}
// evictLocked removes expired entries and, if still at capacity, drops arbitrary
+20 -19
View File
@@ -8,18 +8,19 @@ import (
)
type fakeResolver struct {
uid string
guest bool
err error
calls int
uid string
guest bool
platform string
err error
calls int
}
func (f *fakeResolver) ResolveSession(_ context.Context, _ string) (string, bool, error) {
func (f *fakeResolver) ResolveSession(_ context.Context, _ string) (string, bool, string, error) {
f.calls++
if f.err != nil {
return "", false, f.err
return "", false, "", f.err
}
return f.uid, f.guest, nil
return f.uid, f.guest, f.platform, nil
}
func TestResolveCachesBackendHit(t *testing.T) {
@@ -27,7 +28,7 @@ func TestResolveCachesBackendHit(t *testing.T) {
c := NewCache(r, time.Minute, 10)
for i := 0; i < 3; i++ {
uid, _, err := c.Resolve(context.Background(), "tok")
uid, _, _, err := c.Resolve(context.Background(), "tok")
if err != nil || uid != "user-1" {
t.Fatalf("resolve #%d = (%q, %v)", i, uid, err)
}
@@ -37,24 +38,24 @@ func TestResolveCachesBackendHit(t *testing.T) {
}
}
func TestResolveCarriesAndCachesGuestFlag(t *testing.T) {
r := &fakeResolver{uid: "guest-1", guest: true}
func TestResolveCarriesAndCachesGuestFlagAndPlatform(t *testing.T) {
r := &fakeResolver{uid: "guest-1", guest: true, platform: "vk/ios"}
c := NewCache(r, time.Minute, 10)
for i := 0; i < 2; i++ {
uid, guest, err := c.Resolve(context.Background(), "tok")
if err != nil || uid != "guest-1" || !guest {
t.Fatalf("resolve #%d = (%q, guest=%v, %v)", i, uid, guest, err)
uid, guest, platform, err := c.Resolve(context.Background(), "tok")
if err != nil || uid != "guest-1" || !guest || platform != "vk/ios" {
t.Fatalf("resolve #%d = (%q, guest=%v, platform=%q, %v)", i, uid, guest, platform, err)
}
}
if r.calls != 1 {
t.Fatalf("backend calls = %d, want 1 (guest flag cached)", r.calls)
t.Fatalf("backend calls = %d, want 1 (guest flag + platform cached)", r.calls)
}
}
func TestResolvePropagatesBackendError(t *testing.T) {
r := &fakeResolver{err: errors.New("nope")}
c := NewCache(r, time.Minute, 10)
if _, _, err := c.Resolve(context.Background(), "tok"); err == nil {
if _, _, _, err := c.Resolve(context.Background(), "tok"); err == nil {
t.Fatal("expected backend error to propagate")
}
}
@@ -65,11 +66,11 @@ func TestResolveReResolvesAfterTTL(t *testing.T) {
base := time.Now()
c.now = func() time.Time { return base }
if _, _, err := c.Resolve(context.Background(), "tok"); err != nil {
if _, _, _, err := c.Resolve(context.Background(), "tok"); err != nil {
t.Fatal(err)
}
c.now = func() time.Time { return base.Add(2 * time.Minute) } // past TTL
if _, _, err := c.Resolve(context.Background(), "tok"); err != nil {
if _, _, _, err := c.Resolve(context.Background(), "tok"); err != nil {
t.Fatal(err)
}
if r.calls != 2 {
@@ -80,9 +81,9 @@ func TestResolveReResolvesAfterTTL(t *testing.T) {
func TestInvalidateForcesReResolve(t *testing.T) {
r := &fakeResolver{uid: "user-1"}
c := NewCache(r, time.Minute, 10)
_, _, _ = c.Resolve(context.Background(), "tok")
_, _, _, _ = c.Resolve(context.Background(), "tok")
c.Invalidate("tok")
_, _, _ = c.Resolve(context.Background(), "tok")
_, _, _, _ = c.Resolve(context.Background(), "tok")
if r.calls != 2 {
t.Fatalf("backend calls = %d, want 2 after invalidate", r.calls)
}