feat(payments): trusted platform signal on the session
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m7s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m42s

Record the execution platform (kind vk|telegram|direct + device subtype
ios|android|web) on each session, captured at creation and carried
gateway->backend as a trusted X-Platform header, so the upcoming
store-compliance gate has an unforgeable execution context.

- backend.sessions gains nullable platform_kind/platform_subtype columns
  (migration 00011, CHECK-constrained, jet regenerated); session.Platform
  captures them at mint, resolve returns them, middleware exposes platform(c).
  kind is derived from the establish endpoint, never a client field; the
  account-merge session mint inherits the caller's platform.
- gateway derives the platform (VK subtype from the signed vk_platform via
  vkauth, Telegram/direct best-effort from the client) and injects X-Platform
  on every authenticated backend call through the request context.
- ui submits a best-effort device subtype on the telegram/guest/email login
  requests (new FBS subtype field); VK is server-derived from the signed params.
- an unattributed session is untrusted (view-only); VK/TG self-heal on the next
  cold-start re-mint, direct/email on re-login.

Signal plumbing only, no user-visible change; X-Platform is inert until the
gate consumes it.
This commit is contained in:
Ilia Denisov
2026-07-08 03:31:51 +02:00
parent 07815c5a30
commit 92633f935e
39 changed files with 970 additions and 221 deletions
+4 -2
View File
@@ -110,16 +110,18 @@ describe('codec', () => {
it('carries the detected browser zone on every account-creating auth request', () => {
const tg = fb.TelegramLoginRequest.getRootAsTelegramLoginRequest(
new ByteBuffer(encodeTelegramLogin('init-data-blob', '+03:00')),
new ByteBuffer(encodeTelegramLogin('init-data-blob', '+03:00', 'ios')),
);
expect(tg.initData()).toBe('init-data-blob');
expect(tg.browserTz()).toBe('+03:00');
expect(tg.subtype()).toBe('ios');
const guest = fb.GuestLoginRequest.getRootAsGuestLoginRequest(
new ByteBuffer(encodeGuestLogin('ru', '-05:30')),
new ByteBuffer(encodeGuestLogin('ru', '-05:30', 'android')),
);
expect(guest.locale()).toBe('ru');
expect(guest.browserTz()).toBe('-05:30');
expect(guest.subtype()).toBe('android');
const email = fb.EmailRequestRequest.getRootAsEmailRequestRequest(
new ByteBuffer(encodeEmailRequest('a@example.com', '+00:00', 'en', true)),
+17 -3
View File
@@ -182,13 +182,19 @@ export function encodeChatPost(gameId: string, body: string): Uint8Array {
return finish(b, fb.ChatPostRequest.endChatPostRequest(b));
}
export function encodeTelegramLogin(initData: string, browserTz: string): Uint8Array {
export function encodeTelegramLogin(
initData: string,
browserTz: string,
subtype: string,
): Uint8Array {
const b = new Builder(512);
const d = b.createString(initData);
const tz = b.createString(browserTz);
const st = b.createString(subtype);
fb.TelegramLoginRequest.startTelegramLoginRequest(b);
fb.TelegramLoginRequest.addInitData(b, d);
fb.TelegramLoginRequest.addBrowserTz(b, tz);
fb.TelegramLoginRequest.addSubtype(b, st);
return finish(b, fb.TelegramLoginRequest.endTelegramLoginRequest(b));
}
@@ -204,13 +210,19 @@ export function encodeVKLogin(params: string, browserTz: string, displayName: st
return finish(b, fb.VKLoginRequest.endVKLoginRequest(b));
}
export function encodeGuestLogin(locale: string, browserTz: string): Uint8Array {
export function encodeGuestLogin(
locale: string,
browserTz: string,
subtype: string,
): Uint8Array {
const b = new Builder(64);
const l = b.createString(locale);
const tz = b.createString(browserTz);
const st = b.createString(subtype);
fb.GuestLoginRequest.startGuestLoginRequest(b);
fb.GuestLoginRequest.addLocale(b, l);
fb.GuestLoginRequest.addBrowserTz(b, tz);
fb.GuestLoginRequest.addSubtype(b, st);
return finish(b, fb.GuestLoginRequest.endGuestLoginRequest(b));
}
@@ -232,13 +244,15 @@ export function encodeEmailRequest(
return finish(b, fb.EmailRequestRequest.endEmailRequestRequest(b));
}
export function encodeEmailLogin(email: string, code: string): Uint8Array {
export function encodeEmailLogin(email: string, code: string, subtype: string): Uint8Array {
const b = new Builder(128);
const e = b.createString(email);
const c = b.createString(code);
const st = b.createString(subtype);
fb.EmailLoginRequest.startEmailLoginRequest(b);
fb.EmailLoginRequest.addEmail(b, e);
fb.EmailLoginRequest.addCode(b, c);
fb.EmailLoginRequest.addSubtype(b, st);
return finish(b, fb.EmailLoginRequest.endEmailLoginRequest(b));
}
+31
View File
@@ -0,0 +1,31 @@
import { describe, expect, it } from 'vitest';
import { normalizeSubtype } from './platform';
describe('normalizeSubtype', () => {
it('maps iPhone and iPad variants to the store-frozen ios', () => {
expect(normalizeSubtype('ios')).toBe('ios');
expect(normalizeSubtype('iphone')).toBe('ios');
expect(normalizeSubtype('mobile_iphone')).toBe('ios');
expect(normalizeSubtype('mobile_ipad')).toBe('ios');
});
it('maps android variants to android', () => {
expect(normalizeSubtype('android')).toBe('android');
expect(normalizeSubtype('mobile_android')).toBe('android');
expect(normalizeSubtype('android_x')).toBe('android');
});
it('is case-insensitive', () => {
expect(normalizeSubtype('IPhone')).toBe('ios');
expect(normalizeSubtype('Android')).toBe('android');
});
it('defaults desktop, tdesktop, web, empty and unknown values to web', () => {
expect(normalizeSubtype('web')).toBe('web');
expect(normalizeSubtype('mobile_web')).toBe('web');
expect(normalizeSubtype('desktop_web')).toBe('web');
expect(normalizeSubtype('tdesktop')).toBe('web');
expect(normalizeSubtype('')).toBe('web');
expect(normalizeSubtype('something_new')).toBe('web');
});
});
+30
View File
@@ -0,0 +1,30 @@
// Platform subtype (device family) derivation for the trusted platform signal. The
// server records the wrapper kind (vk / telegram / direct) itself, from the validated
// establish path; the client supplies only this device subtype. For VK it is ignored
// server-side (the gateway derives a trusted subtype from the signed vk_platform); for
// Telegram and a direct (web/native) session it is client-reported and best-effort.
import { insideTelegram, telegramPlatform } from './telegram';
import { clientChannel } from './channel';
export type Subtype = 'ios' | 'android' | 'web';
// normalizeSubtype coerces a raw device string (Telegram's WebApp.platform, a
// Capacitor platform, VK's vk_platform, …) to the ios/android/web wire subtype,
// mapping any iPhone/iPad variant to ios and defaulting anything unrecognised —
// desktop, tdesktop, an empty value — to web.
export function normalizeSubtype(raw: string): Subtype {
const s = raw.toLowerCase();
if (s.includes('android')) return 'android';
if (s.includes('iphone') || s.includes('ipad') || s === 'ios') return 'ios';
return 'web';
}
// platformSubtype reports this client's best-effort device family for the current
// launch: Telegram's reported platform inside a Mini App, otherwise the Capacitor /
// web channel for a direct session. VK does not use it (server-derived from the signed
// launch params).
export function platformSubtype(): Subtype {
if (insideTelegram()) return normalizeSubtype(telegramPlatform());
return normalizeSubtype(clientChannel());
}
+4 -3
View File
@@ -11,6 +11,7 @@ import { Gateway } from '../gen/edge/v1/edge_pb';
import { GatewayError, type GatewayClient } from './client';
import * as codec from './codec';
import { browserOffset } from './profileValidation';
import { platformSubtype } from './platform';
import { registerProbe, reportOffline, reportOnline } from './connection.svelte';
import { offlineMode } from './offline.svelte';
import { maintenanceRecovered, registerMaintenanceProbe, reportMaintenance } from './maintenance.svelte';
@@ -124,13 +125,13 @@ export function createTransport(baseUrl: string): GatewayClient {
},
async authTelegram(initData) {
return codec.decodeSession(await exec('auth.telegram', codec.encodeTelegramLogin(initData, browserOffset())));
return codec.decodeSession(await exec('auth.telegram', codec.encodeTelegramLogin(initData, browserOffset(), platformSubtype())));
},
async authVK(params, displayName) {
return codec.decodeSession(await exec('auth.vk', codec.encodeVKLogin(params, browserOffset(), displayName)));
},
async authGuest(locale) {
return codec.decodeSession(await exec('auth.guest', codec.encodeGuestLogin(locale ?? '', browserOffset())));
return codec.decodeSession(await exec('auth.guest', codec.encodeGuestLogin(locale ?? '', browserOffset(), platformSubtype())));
},
async authEmailRequest(email, language, pwa) {
await exec('auth.email.request', codec.encodeEmailRequest(email, browserOffset(), language, pwa));
@@ -139,7 +140,7 @@ export function createTransport(baseUrl: string): GatewayClient {
return codec.decodeConfirmLinkResult(await exec('auth.email.confirm_link', codec.encodeEmailConfirmLink(token)));
},
async authEmailLogin(email, code) {
return codec.decodeSession(await exec('auth.email.login', codec.encodeEmailLogin(email, code)));
return codec.decodeSession(await exec('auth.email.login', codec.encodeEmailLogin(email, code, platformSubtype())));
},
async profileGet() {