feat(payments): trusted platform signal on the session
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
Record the execution platform (kind vk|telegram|direct + device subtype ios|android|web) on each session, captured at creation and carried gateway->backend as a trusted X-Platform header, so the upcoming store-compliance gate has an unforgeable execution context. - backend.sessions gains nullable platform_kind/platform_subtype columns (migration 00011, CHECK-constrained, jet regenerated); session.Platform captures them at mint, resolve returns them, middleware exposes platform(c). kind is derived from the establish endpoint, never a client field; the account-merge session mint inherits the caller's platform. - gateway derives the platform (VK subtype from the signed vk_platform via vkauth, Telegram/direct best-effort from the client) and injects X-Platform on every authenticated backend call through the request context. - ui submits a best-effort device subtype on the telegram/guest/email login requests (new FBS subtype field); VK is server-derived from the signed params. - an unattributed session is untrusted (view-only); VK/TG self-heal on the next cold-start re-mint, direct/email on re-login. Signal plumbing only, no user-visible change; X-Platform is inert until the gate consumes it.
This commit is contained in:
@@ -22,10 +22,28 @@ var ErrInvalid = errors.New("vkauth: invalid vk launch params")
|
||||
|
||||
// Identity is the user extracted from verified VK launch params. ExternalID is the
|
||||
// vk_user_id used as the identities external_id; Language is the vk_language hint that
|
||||
// seeds a brand-new account's preferred language.
|
||||
// seeds a brand-new account's preferred language; Platform is the raw signed
|
||||
// vk_platform value (e.g. "mobile_iphone", "desktop_web"), from which Subtype derives
|
||||
// the trusted device family.
|
||||
type Identity struct {
|
||||
ExternalID string
|
||||
Language string
|
||||
Platform string
|
||||
}
|
||||
|
||||
// Subtype maps the signed vk_platform to the trusted device family recorded on the
|
||||
// session — ios (iPhone/iPad, the store-frozen case), android, or web (desktop/mobile
|
||||
// web and anything unrecognised). Because vk_platform rides inside the verified
|
||||
// signature, this subtype is trustworthy, unlike a client-reported one.
|
||||
func (i Identity) Subtype() string {
|
||||
switch {
|
||||
case strings.Contains(i.Platform, "android"):
|
||||
return "android"
|
||||
case strings.Contains(i.Platform, "iphone"), strings.Contains(i.Platform, "ipad"):
|
||||
return "ios"
|
||||
default:
|
||||
return "web"
|
||||
}
|
||||
}
|
||||
|
||||
// Verify checks the `sign` of a VK Mini App launch query string against secret and
|
||||
@@ -68,5 +86,5 @@ func Verify(params, secret string) (Identity, error) {
|
||||
if externalID == "" {
|
||||
return Identity{}, ErrInvalid
|
||||
}
|
||||
return Identity{ExternalID: externalID, Language: values.Get("vk_language")}, nil
|
||||
return Identity{ExternalID: externalID, Language: values.Get("vk_language"), Platform: values.Get("vk_platform")}, nil
|
||||
}
|
||||
|
||||
@@ -47,6 +47,33 @@ func TestVerifyValid(t *testing.T) {
|
||||
if id.ExternalID != "494075" || id.Language != "ru" {
|
||||
t.Fatalf("identity = %+v, want ExternalID=494075 Language=ru", id)
|
||||
}
|
||||
if id.Platform != "android" || id.Subtype() != "android" {
|
||||
t.Fatalf("platform = %q subtype = %q, want android/android", id.Platform, id.Subtype())
|
||||
}
|
||||
}
|
||||
|
||||
// TestSubtype locks the vk_platform -> device-family mapping (the trusted subtype),
|
||||
// notably that iPhone and iPad both surface as the store-frozen "ios" and that any
|
||||
// unrecognised or empty value falls back to web.
|
||||
func TestSubtype(t *testing.T) {
|
||||
for _, tc := range []struct {
|
||||
platform string
|
||||
want string
|
||||
}{
|
||||
{"mobile_iphone", "ios"},
|
||||
{"mobile_ipad", "ios"},
|
||||
{"mobile_iphone_messenger", "ios"},
|
||||
{"mobile_android", "android"},
|
||||
{"android", "android"},
|
||||
{"desktop_web", "web"},
|
||||
{"mobile_web", "web"},
|
||||
{"", "web"},
|
||||
{"something_new", "web"},
|
||||
} {
|
||||
if got := (vkauth.Identity{Platform: tc.platform}).Subtype(); got != tc.want {
|
||||
t.Errorf("Subtype(%q) = %q, want %q", tc.platform, got, tc.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestVerifyCommaValue locks the URL-encoding of the one realistic special-char VK
|
||||
|
||||
Reference in New Issue
Block a user