feat(payments): trusted platform signal on the session
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s
Record the execution platform (kind vk|telegram|direct + device subtype ios|android|web) on each session, captured at creation and carried gateway->backend as a trusted X-Platform header, so the upcoming store-compliance gate has an unforgeable execution context. - backend.sessions gains nullable platform_kind/platform_subtype columns (migration 00011, CHECK-constrained, jet regenerated); session.Platform captures them at mint, resolve returns them, middleware exposes platform(c). kind is derived from the establish endpoint, never a client field; the account-merge session mint inherits the caller's platform. - gateway derives the platform (VK subtype from the signed vk_platform via vkauth, Telegram/direct best-effort from the client) and injects X-Platform on every authenticated backend call through the request context. - ui submits a best-effort device subtype on the telegram/guest/email login requests (new FBS subtype field); VK is server-derived from the signed params. - an unattributed session is untrusted (view-only); VK/TG self-heal on the next cold-start re-mint, direct/email on re-login. Signal plumbing only, no user-visible change; X-Platform is inert until the gate consumes it.
This commit is contained in:
@@ -106,6 +106,9 @@ table MoveRecord {
|
||||
table TelegramLoginRequest {
|
||||
init_data:string;
|
||||
browser_tz:string;
|
||||
// Client-reported device family (ios/android/web). Telegram's initData does not sign it, so
|
||||
// the server records it best-effort and the payments gate never relies on it.
|
||||
subtype:string;
|
||||
}
|
||||
|
||||
// VKLoginRequest carries a VK Mini App launch. params is the raw query string of the
|
||||
@@ -128,6 +131,9 @@ table VKLoginRequest {
|
||||
table GuestLoginRequest {
|
||||
locale:string;
|
||||
browser_tz:string;
|
||||
// Client-reported device family (ios/android/web) of this direct session; best-effort
|
||||
// (a direct session has no external signer).
|
||||
subtype:string;
|
||||
}
|
||||
|
||||
// EmailRequestRequest asks the backend to send a login confirm-code to email. It
|
||||
@@ -150,6 +156,8 @@ table EmailRequestRequest {
|
||||
table EmailLoginRequest {
|
||||
email:string;
|
||||
code:string;
|
||||
// Client-reported device family (ios/android/web) of this direct session; best-effort.
|
||||
subtype:string;
|
||||
}
|
||||
|
||||
// EmailConfirmLinkRequest verifies a one-tap deeplink token from a confirmation
|
||||
|
||||
Reference in New Issue
Block a user