feat(payments): trusted platform signal on the session
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
Record the execution platform (kind vk|telegram|direct + device subtype ios|android|web) on each session, captured at creation and carried gateway->backend as a trusted X-Platform header, so the upcoming store-compliance gate has an unforgeable execution context. - backend.sessions gains nullable platform_kind/platform_subtype columns (migration 00011, CHECK-constrained, jet regenerated); session.Platform captures them at mint, resolve returns them, middleware exposes platform(c). kind is derived from the establish endpoint, never a client field; the account-merge session mint inherits the caller's platform. - gateway derives the platform (VK subtype from the signed vk_platform via vkauth, Telegram/direct best-effort from the client) and injects X-Platform on every authenticated backend call through the request context. - ui submits a best-effort device subtype on the telegram/guest/email login requests (new FBS subtype field); VK is server-derived from the signed params. - an unattributed session is untrusted (view-only); VK/TG self-heal on the next cold-start re-mint, direct/email on re-login. Signal plumbing only, no user-visible change; X-Platform is inert until the gate consumes it.
This commit is contained in:
@@ -11,10 +11,11 @@ import (
|
||||
"time"
|
||||
)
|
||||
|
||||
// Resolver resolves a token to an account id and its guest flag at the backend
|
||||
// (the cache miss path). backendclient.Client satisfies it.
|
||||
// Resolver resolves a token to an account id, its guest flag and its trusted
|
||||
// platform ("<kind>/<subtype>", empty when untrusted) at the backend (the cache
|
||||
// miss path). backendclient.Client satisfies it.
|
||||
type Resolver interface {
|
||||
ResolveSession(ctx context.Context, token string) (string, bool, error)
|
||||
ResolveSession(ctx context.Context, token string) (string, bool, string, error)
|
||||
}
|
||||
|
||||
// Cache resolves session tokens to account ids, caching hits for ttl.
|
||||
@@ -29,9 +30,10 @@ type Cache struct {
|
||||
}
|
||||
|
||||
type entry struct {
|
||||
userID string
|
||||
isGuest bool
|
||||
expires time.Time
|
||||
userID string
|
||||
isGuest bool
|
||||
platform string
|
||||
expires time.Time
|
||||
}
|
||||
|
||||
// NewCache constructs a Cache over backend with the given TTL and maximum size.
|
||||
@@ -48,19 +50,19 @@ func NewCache(backend Resolver, ttl time.Duration, max int) *Cache {
|
||||
}
|
||||
}
|
||||
|
||||
// Resolve returns the account id and guest flag for token, consulting the cache
|
||||
// first and the backend on a miss (caching the result). An empty token is rejected
|
||||
// by the backend like any unknown token.
|
||||
func (c *Cache) Resolve(ctx context.Context, token string) (string, bool, error) {
|
||||
if uid, guest, ok := c.lookup(token); ok {
|
||||
return uid, guest, nil
|
||||
// Resolve returns the account id, guest flag and trusted platform for token,
|
||||
// consulting the cache first and the backend on a miss (caching the result). An
|
||||
// empty token is rejected by the backend like any unknown token.
|
||||
func (c *Cache) Resolve(ctx context.Context, token string) (string, bool, string, error) {
|
||||
if uid, guest, platform, ok := c.lookup(token); ok {
|
||||
return uid, guest, platform, nil
|
||||
}
|
||||
uid, guest, err := c.backend.ResolveSession(ctx, token)
|
||||
uid, guest, platform, err := c.backend.ResolveSession(ctx, token)
|
||||
if err != nil {
|
||||
return "", false, err
|
||||
return "", false, "", err
|
||||
}
|
||||
c.store(token, uid, guest)
|
||||
return uid, guest, nil
|
||||
c.store(token, uid, guest, platform)
|
||||
return uid, guest, platform, nil
|
||||
}
|
||||
|
||||
// Invalidate drops a token from the cache (e.g. after a revoke).
|
||||
@@ -70,26 +72,26 @@ func (c *Cache) Invalidate(token string) {
|
||||
delete(c.entries, token)
|
||||
}
|
||||
|
||||
// lookup returns a live cached account id and guest flag for token.
|
||||
func (c *Cache) lookup(token string) (string, bool, bool) {
|
||||
// lookup returns a live cached account id, guest flag and platform for token.
|
||||
func (c *Cache) lookup(token string) (string, bool, string, bool) {
|
||||
c.mu.Lock()
|
||||
defer c.mu.Unlock()
|
||||
e, ok := c.entries[token]
|
||||
if !ok || !c.now().Before(e.expires) {
|
||||
return "", false, false
|
||||
return "", false, "", false
|
||||
}
|
||||
return e.userID, e.isGuest, true
|
||||
return e.userID, e.isGuest, e.platform, true
|
||||
}
|
||||
|
||||
// store caches token -> (userID, isGuest), sweeping expired entries and bounding
|
||||
// the size.
|
||||
func (c *Cache) store(token, userID string, isGuest bool) {
|
||||
// store caches token -> (userID, isGuest, platform), sweeping expired entries and
|
||||
// bounding the size.
|
||||
func (c *Cache) store(token, userID string, isGuest bool, platform string) {
|
||||
c.mu.Lock()
|
||||
defer c.mu.Unlock()
|
||||
if len(c.entries) >= c.max {
|
||||
c.evictLocked()
|
||||
}
|
||||
c.entries[token] = entry{userID: userID, isGuest: isGuest, expires: c.now().Add(c.ttl)}
|
||||
c.entries[token] = entry{userID: userID, isGuest: isGuest, platform: platform, expires: c.now().Add(c.ttl)}
|
||||
}
|
||||
|
||||
// evictLocked removes expired entries and, if still at capacity, drops arbitrary
|
||||
|
||||
Reference in New Issue
Block a user