Compare commits
327 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 516ffbe5f0 | |||
| 3ce460f72a | |||
| 4ba9da6721 | |||
| ad1cc361e9 | |||
| 2c2316fb5e | |||
| bb71e7b1c7 | |||
| 5c1f64c7d1 | |||
| b3cf024e9e | |||
| 6e120bdaa7 | |||
| 40acbcccdd | |||
| b54371845f | |||
| b6c2598710 | |||
| 6badc20078 | |||
| a241e43d79 | |||
| 8ce986922a | |||
| 3469278260 | |||
| c66bf1eceb | |||
| 7b4d2421e2 | |||
| bf46b9492d | |||
| 1e1117c28e | |||
| 77a690fcf6 | |||
| 0ca01133b5 | |||
| 2683103fc1 | |||
| 2d2dd2bc47 | |||
| 45f0b34881 | |||
| df9eace09f | |||
| 0a0a9e5a8d | |||
| 0c9678c42b | |||
| e40adfb0c7 | |||
| 3306a016a0 | |||
| e45167041f | |||
| ed53e25e57 | |||
| 2e5136b22a | |||
| 1bf612a087 | |||
| ec5c6afa23 | |||
| 82648a4398 | |||
| d2d6955cbf | |||
| c3eecf16b3 | |||
| 0036b55618 | |||
| aabb32081e | |||
| e089a0a997 | |||
| 00d1bd33e3 | |||
| 7ce8101cfa | |||
| b5c8a04f0b | |||
| 2ce80c241d | |||
| 13be7c3d9a | |||
| e08d3301bd | |||
| 9acf6ab3b4 | |||
| dbd76d53e8 | |||
| 68c937f3b6 | |||
| 21fb14facf | |||
| ee9924c313 | |||
| e10f3beed5 | |||
| 55dbb1005e | |||
| 219fc7c827 | |||
| 6e03ce0131 | |||
| 5612bb624d | |||
| 8230253142 | |||
| 890a887257 | |||
| e33b9864c8 | |||
| f6aa0ba4b0 | |||
| f48ebf2151 | |||
| 3bb9f10fad | |||
| 3e0763463f | |||
| 96adf98e1d | |||
| 3367cc2bf1 | |||
| 04435a3283 | |||
| be0e4995f3 | |||
| 936a70ab94 | |||
| 4f6c22d669 | |||
| 2a6dc5a304 | |||
| a66a5bfa08 | |||
| 36a5730e52 | |||
| 7860efce48 | |||
| ca60025fbe | |||
| 0bdc034f7a | |||
| 625fc3135a | |||
| a118c63411 | |||
| 7123ba439d | |||
| 18785efc8c | |||
| 850884d077 | |||
| a58f2ce0e4 | |||
| e922f5f3b9 | |||
| 04976a64e8 | |||
| 4aa6174968 | |||
| 41f4fd3497 | |||
| 1c06d1d0d1 | |||
| 711fabe9cc | |||
| 92633f935e | |||
| 07815c5a30 | |||
| bab57343e1 | |||
| ce8b5026c1 | |||
| d9bc7596c6 | |||
| 3ad3b1dd7f | |||
| 4d1f389cf1 | |||
| 4c7bc7baa9 | |||
| 780ff68ec2 | |||
| ca48b3e18e | |||
| a7f483792f | |||
| 80cc2a76e8 | |||
| 1e087be90a | |||
| 84d0385c95 | |||
| 0ed34c7720 | |||
| 52d0c559f9 | |||
| beda6ccd3d | |||
| c1ac77bc6a | |||
| cafe67e9c8 | |||
| 3adc4e32c9 | |||
| 903de7d41d | |||
| baa9961c3e | |||
| 66278e34b7 | |||
| 452a686e07 | |||
| 4ddc690c38 | |||
| 6216359c6f | |||
| 8c67d679d9 | |||
| 69673e7727 | |||
| d7f3d93c6c | |||
| 16cd3d0411 | |||
| ef8a32bb82 | |||
| 53311cbc95 | |||
| 7fc1301b31 | |||
| ee7ff06403 | |||
| 537a265409 | |||
| 8c991429c6 | |||
| 359af83c34 | |||
| ff486c80f8 | |||
| 42a6308261 | |||
| 08792dad3d | |||
| e9f4cb0178 | |||
| 8fbbb3c5ef | |||
| 30770a759b | |||
| 05c445e4da | |||
| d43a740eb6 | |||
| 350013acd9 | |||
| 3ad66f49c7 | |||
| 09c5a5e72e | |||
| fffc6030ce | |||
| fc8143758a | |||
| e0d28733ff | |||
| ccd65f61b8 | |||
| 5bc2ad3b6d | |||
| 2a4b0fb25e | |||
| 2a7c632840 | |||
| 3a72bc29ba | |||
| 020742fad3 | |||
| fd225564a3 | |||
| fdf14d5897 | |||
| 1a456c4847 | |||
| 2a045a5b37 | |||
| 19e7ea5da0 | |||
| 54d701fd8a | |||
| ec0c13bebc | |||
| 5643c8be10 | |||
| 2f70ef1b85 | |||
| ef832b823d | |||
| 99f0a545be | |||
| 1a95a5f2cb | |||
| 8abd8b2ae6 | |||
| 2f867b8e6c | |||
| a692024b4e | |||
| 8349e222fc | |||
| 68ecd881d9 | |||
| d80d28a402 | |||
| 1654131904 | |||
| 9ecbe480db | |||
| 32298595f2 | |||
| 2847412b5b | |||
| 4fa77bf82c | |||
| afa44d41b4 | |||
| e4cf143e9f | |||
| 543cbe56b9 | |||
| a9c8f1ecfe | |||
| d694ead7b6 | |||
| 8c5995c076 | |||
| cedc9ffae1 | |||
| c334a9d7b7 | |||
| 57ff2d03f8 | |||
| 3a85f64726 | |||
| 00bb66ba0f | |||
| a2c79c149a | |||
| 061366da5a | |||
| d19609f87d | |||
| 51147a1429 | |||
| a9d0986e74 | |||
| d61ba68e9b | |||
| 6db9178449 | |||
| ac383880b7 | |||
| 16349f5ad9 | |||
| 101a3f118c | |||
| 400b6ac2a5 | |||
| fb7490f1df | |||
| c1805e5b7c | |||
| 45957bdcd6 | |||
| fcedadcb5b | |||
| 2feb638329 | |||
| 4dfedd02a3 | |||
| 829e29a726 | |||
| 44117e906c | |||
| c90331b189 | |||
| 399508f2f0 | |||
| 0dfecc2af7 | |||
| 446ea2ac45 | |||
| 01a9249002 | |||
| 7dcd62fdd7 | |||
| d67e582c03 | |||
| 75fe07865a | |||
| 597e200f37 | |||
| 3ef18d33b6 | |||
| c8601c0115 | |||
| a0021d1994 | |||
| 4b4dcab9b6 | |||
| 7f85362288 | |||
| 72e9b600b0 | |||
| 0eefbfd6a4 | |||
| c680e695d3 | |||
| 2c465c01d2 | |||
| 60faa4f064 | |||
| 854c4b3005 | |||
| ec1bdfca00 | |||
| 70f0f9e36a | |||
| 55f6176538 | |||
| 8d2cd97e17 | |||
| f1a12c2f44 | |||
| 4cc37e5760 | |||
| 3faca690dd | |||
| c2a8426b74 | |||
| 251c7af3f6 | |||
| cabcd94d92 | |||
| aa2290b7b4 | |||
| fcde7d3db6 | |||
| d889edfdb9 | |||
| 52e6378f40 | |||
| 12af378b18 | |||
| 1598646021 | |||
| 710ab06333 | |||
| 61c7da271c | |||
| 029aa2d4cc | |||
| 3f4792a39b | |||
| 150660819a | |||
| 912096a0f1 | |||
| e4fc7f033d | |||
| b918217497 | |||
| a3eb4719de | |||
| 3a823ca7ef | |||
| 76e7916ff6 | |||
| 54af644429 | |||
| 356bf1a5ba | |||
| 1dca6741f1 | |||
| 77a18a3cc1 | |||
| 5804f7266e | |||
| 65f2c87a74 | |||
| 409462fc09 | |||
| 762155a55e | |||
| 25d80bc31d | |||
| d5b4bba018 | |||
| 638c147cc0 | |||
| c702f1bdac | |||
| 01d02fcef6 | |||
| 9e0f929e40 | |||
| a29e00ee13 | |||
| 2207ac6132 | |||
| 3877b23894 | |||
| d5fbaa3034 | |||
| 16a4431158 | |||
| 422e3ccc2a | |||
| 946420db93 | |||
| a0eacf3011 | |||
| 622d3965a7 | |||
| 2ab01ed8f7 | |||
| 1ed624eaf1 | |||
| f3e2a6822b | |||
| 65063621a9 | |||
| 4e169c368d | |||
| aec915d5c1 | |||
| 5f574a765d | |||
| db17287113 | |||
| c864147982 | |||
| 2e8fa83814 | |||
| 5f87b3fa43 | |||
| 5689f7f6a3 | |||
| f0399e1bbc | |||
| e6c5198caa | |||
| 84cc56198e | |||
| 5f9b4a7a38 | |||
| 4458f0e545 | |||
| 41f26da9a7 | |||
| cf1d773c18 | |||
| 88b6761e28 | |||
| f4dbb545e0 | |||
| 71c3411276 | |||
| f9acea1d9a | |||
| adf7c55695 | |||
| 6636d7c309 | |||
| 90f2427fa7 | |||
| d0f860a33e | |||
| d1ceccf033 | |||
| 373aa2aa6d | |||
| 4a6fe318be | |||
| 3a18e683ca | |||
| 00441e3657 | |||
| 3b7c7c077e | |||
| e900d592f8 | |||
| d76f1f4026 | |||
| 0ea9764a0d | |||
| 6a5ce12fab | |||
| da17c18895 | |||
| 303348ed39 | |||
| a06dfe00fc | |||
| a88678c5c6 | |||
| 500a01cf97 | |||
| d9ede77e2f | |||
| 65c194264c | |||
| 13c22734ee | |||
| 7dabcd1317 | |||
| 93d086a8a3 | |||
| b03e012011 | |||
| 2495446a47 | |||
| 35705f7d1e | |||
| 4f0cc81dfb | |||
| 2ba7cc3086 | |||
| 29b6c7e4d8 | |||
| 8de9fb1ecd | |||
| 8a5a5d6c4d | |||
| ea931c6680 | |||
| d0f60ee41d | |||
| b84bd1297e | |||
| 0fb6004a8b |
@@ -0,0 +1,89 @@
|
||||
---
|
||||
name: deploy-check
|
||||
description: "Use before any deploy-touching change to this repo — phrases like '/deploy-check', 'is this prod-safe', 'before we deploy', 'deploy safety review', 'проверь перед деплоем', 'это безопасно для прода'. Runs a pre-deploy checklist of this project's hard-won runtime constraints against the current diff, so the crash classes that have bitten live environments get caught before shipping instead of after."
|
||||
---
|
||||
|
||||
# Pre-deploy runtime-constraint check
|
||||
|
||||
Triggered before shipping anything that touches the deploy contour (Dockerfiles,
|
||||
`deploy/`, Caddyfile, compose, migrations, boot guards, the Telegram side-service,
|
||||
edge config). The worst frictions in this repo were never logic bugs — they were
|
||||
**environment mismatches that crashed a live env and forced a redesign**. Run this
|
||||
list against the diff first; turn crash-and-redesign into a single pass.
|
||||
|
||||
This checklist is a prompt, **not** the source of truth. The canonical detail
|
||||
lives in `deploy/README.md`, `docs/ARCHITECTURE.md`, `docs/EDGE_HTTP3.md`, and the
|
||||
agent memory files referenced below — read them when an item is in play, and add a
|
||||
new class here when a new incident teaches one.
|
||||
|
||||
## How to run it
|
||||
|
||||
1. `git diff <base>...HEAD --stat` to see what the change actually touches.
|
||||
2. For every risk class below that the diff touches, perform the **Check** and
|
||||
report PASS / FAIL with the exact file:line to fix. Skip classes the diff does
|
||||
not touch — say which you skipped and why.
|
||||
3. Remember: **deploy-job green ≠ healthy**. CI's deploy probe has historically
|
||||
passed with a dead backend (it only checked static landing+gateway). Verify the
|
||||
real feature live (`/readyz`, the actual flow) after deploy, not just the green.
|
||||
|
||||
## Risk classes
|
||||
|
||||
### 1. Container user — distroless nonroot UID 65532
|
||||
- **Bit us:** TLS keys `chmod 600` for the host owner crash-looped gateway + bot at
|
||||
boot with "permission denied" — service images run UID 65532.
|
||||
- **Check:** any new/changed mounted secret, key, or config file must be readable by
|
||||
UID 65532 (`0644`, not `0600`). Scan the diff for file modes, `chmod`, and new
|
||||
volume mounts. (memory: `distroless-nonroot-mounted-secrets`)
|
||||
|
||||
### 2. Caddy header pipeline ordering
|
||||
- **Bit us:** `header_up delete` after `set` nulled the value (the honeypot tag went
|
||||
empty); it passed CI and only showed up live.
|
||||
- **Check:** in any Caddyfile change, verify the `set` / `delete` / `header_up`
|
||||
ordering for every affected route, and test the tripwire/route on the live
|
||||
contour, not just CI.
|
||||
|
||||
### 3. Edge Alt-Svc / HTTP3
|
||||
- **Bit us:** edge advertised `Alt-Svc: h3` while UDP/443 was never exposed
|
||||
(docker tcp-only + ufw tcp-only); clients cached it 30 days and stalled on dead
|
||||
QUIC before falling back to h2 — Mini App "hangs on load".
|
||||
- **Check:** any edge/caddy change keeps `Alt-Svc: clear` (or only advertises h3 if
|
||||
UDP/443 is genuinely exposed). (memory: `tg-app-load-stall-dead-http3-altsvc`,
|
||||
`docs/EDGE_HTTP3.md`)
|
||||
|
||||
### 4. Prod caddy config recreate
|
||||
- **Bit us:** prod rolling deploy did **not** recreate caddy on a config-only change
|
||||
(pinned `caddy:2-alpine` + `admin off`), so a new Caddyfile deployed GREEN but
|
||||
stayed inert until a manual `docker restart`.
|
||||
- **Check:** a config-only edge change must `--force-recreate` caddy in
|
||||
`prod-deploy.sh` `roll()`; never trust deploy-green for edge config.
|
||||
(memory: `prod-deploy-caddy-config-recreate`)
|
||||
|
||||
### 5. DICT_VERSION / dictionary boot
|
||||
- **Bit us:** an early `DICT_VERSION` refuse-boot guard was wrong and crashed the
|
||||
live env when bumped on a seeded volume; it had to be redesigned to "marker-wins".
|
||||
- **Check:** any change touching `DICT_VERSION`, dict load, or the boot guard must
|
||||
keep marker-wins semantics and survive a seeded volume **and** an image rollback.
|
||||
`DICT_VERSION` is a required build-arg (no default), single-sourced. A new dict
|
||||
goes live via the admin console upload, not a redeploy. (memory:
|
||||
`dict-version-deploy-verify`, `contour-schema-change-wipe`)
|
||||
|
||||
### 6. Migrations — expand-contract + rollback safety
|
||||
- **Bit us / risk:** a non-backward-compatible migration breaks image rollback (DB
|
||||
ahead of rolled-back code).
|
||||
- **Check:** migrations must be **expand-contract** (backward-compatible). A schema
|
||||
change adds the maintenance window + a consistent `pg_dump` in prod-deploy. On the
|
||||
**test contour**, a schema/wire-label change needs `DROP SCHEMA backend CASCADE` +
|
||||
backend restart (new code vs old persisted DB), else the contour breaks. (memory:
|
||||
`contour-schema-change-wipe`)
|
||||
|
||||
### 7. Telegram permission model
|
||||
- **Bit us:** permissions are an **AND-intersection** — default-allow with explicit
|
||||
denies, not default-deny; inverting it broke access.
|
||||
- **Check:** any change to the Telegram permission / relay logic preserves the
|
||||
AND-intersection default-allow shape. (memory: `telegram-forum-relay-gotchas`)
|
||||
|
||||
## Output
|
||||
|
||||
A short PASS/FAIL table over the classes the diff touches, each FAIL with the exact
|
||||
file:line and the fix. If every touched class passes, say so plainly and name the
|
||||
post-deploy live check to run (not just "CI green").
|
||||
@@ -0,0 +1,175 @@
|
||||
# VK Mini App / VK Games — integration reference
|
||||
|
||||
Captured research + our implementation map, so a future session does not need to re-fetch
|
||||
the VK docs. Authoritative external source: <https://dev.vk.com/> (the `dev.vk.com` portal
|
||||
does not render via plain HTTP fetch; the facts below were cross-checked against the VKCOM
|
||||
reference repos cited at the end and verified against our own Go implementation).
|
||||
|
||||
A VK **game** is technically a **VK Mini App**: an HTML5 SPA VK loads in an **iframe inside
|
||||
vk.com** (desktop + mobile web) and in a **WebView** inside the VK mobile apps (iOS/Android).
|
||||
We serve our existing SPA under a dedicated `/vk/` path, mirroring the Telegram `/telegram/`
|
||||
entry — the single-origin, path-routed model.
|
||||
|
||||
## 1. Embedding model
|
||||
|
||||
- VK loads the app at the **Web iframe URL** configured in the app settings (HTTPS + valid
|
||||
cert required), appending the signed launch parameters as the **URL query string**.
|
||||
- An optional separate **Mobile iframe URL** is used by the VK mobile apps (we use the same).
|
||||
- No special `X-Frame-Options` / CSP `frame-ancestors` is required from us — VK frames the
|
||||
configured origin. (Our edge sets **no** framing headers today, so VK works as-is; see the
|
||||
clickjacking note in §Security.)
|
||||
- URL must match the settings exactly (scheme, host, no stray `www`/whitespace).
|
||||
|
||||
## 2. Launch parameters (URL query)
|
||||
|
||||
VK appends these to the iframe `src`. The `vk_*` set is what the signature covers.
|
||||
|
||||
| Param | Meaning |
|
||||
| --- | --- |
|
||||
| `vk_user_id` | signed-in VK user numeric id — **the identity** |
|
||||
| `vk_app_id` | our registered app id |
|
||||
| `vk_is_app_user` | 0/1 — user authorized/installed the app |
|
||||
| `vk_are_notifications_enabled` | 0/1 |
|
||||
| `vk_language` | 2-letter UI language (`ru`, `en`, …) |
|
||||
| `vk_platform` | `mobile_iphone` \| `mobile_android` \| `mobile_web` \| `desktop_web` \| … |
|
||||
| `vk_ts` | unix seconds when VK generated the params |
|
||||
| `vk_ref` | where the app was opened from (`catalog`, `feed`, …) |
|
||||
| `vk_access_token_settings` | comma-separated granted scopes (often empty) |
|
||||
| `vk_group_id`, `vk_viewer_group_role`, `vk_is_favorite`, `vk_client` | optional/contextual |
|
||||
| `sign` | **the signature** (see §3) — NOT part of the signed set |
|
||||
|
||||
Always present: `vk_user_id`, `vk_app_id`, `vk_platform`, `vk_ts`, `sign`.
|
||||
|
||||
The user's **name is NOT in the launch params** (only `vk_user_id`). Read it client-side via
|
||||
`VKWebAppGetUserInfo` (see §4) — unsigned, so treat it as a cosmetic display seed only.
|
||||
|
||||
## 3. Signature verification (`sign`) — CONFIRMED base64url, not hex
|
||||
|
||||
Algorithm (verified against our `gateway/internal/vkauth` + an independent Python reference):
|
||||
|
||||
1. Collect the query params whose key starts with `vk_` (exclude `sign`).
|
||||
2. Sort by key (alphabetical).
|
||||
3. Serialize as a URL-encoded query string `k=v&k=v…` (Go `url.Values.Encode()` matches VK's
|
||||
reference serialization for the constrained launch-param charset).
|
||||
4. `HMAC-SHA256(serialized, secret)` where `secret` = the app's **«Защищённый ключ»**
|
||||
(protected / secure key, a.k.a. client_secret) from the app settings.
|
||||
5. **base64url, no padding** (`+`→`-`, `/`→`_`, strip `=`).
|
||||
6. Constant-time compare against `sign`.
|
||||
|
||||
VK launch params have **no built-in expiry** (unlike Telegram's `auth_date`). We do NOT enforce
|
||||
freshness — the minted server session is the short-lived credential; a replay only
|
||||
re-authenticates the same `vk_user_id`.
|
||||
|
||||
Verified against the official doc <https://dev.vk.com/ru/mini-apps/development/launch-params-sign>
|
||||
(prose + PHP example: base64url = `strtr('+/','-_')` + `rtrim('=')`) and reproduced identically by
|
||||
independent Node `crypto` + Python references. **Doc-example caveat**: that page shows secret
|
||||
`wvl68m4dR1UpLrVRli` → sign `exTIBP…`, but the secret is a **placeholder** — recomputing with it does
|
||||
NOT yield the shown sign (it was made with the real, unshown key). Don't chase the mismatch; our
|
||||
`vkauth.Verify` is correct (`gateway/internal/vkauth/vkauth_test.go` carries cross-checked vectors,
|
||||
incl. the `%2C` comma case for `vk_access_token_settings`).
|
||||
|
||||
## 4. VK Bridge (client SDK)
|
||||
|
||||
`@vkontakte/vk-bridge` (npm, v3.x; bundled — `default` export `bridge`). Methods we use / may use:
|
||||
|
||||
- `VKWebAppInit` — **required**: tells VK the Mini App loaded (dismisses VK's loading cover).
|
||||
- `VKWebAppGetUserInfo` — `{ id, first_name, last_name, photo_200, … }`; no extra scope needed.
|
||||
- `VKWebAppGetLaunchParams` — parsed `vk_*` **without** `sign` (so NOT usable for our server
|
||||
verification — read `window.location.search` instead, which carries `sign`).
|
||||
- `VKWebAppGetAuthToken` — OAuth access token for VK API calls (only if we ever call VK API).
|
||||
- `VKWebAppShare` — native share dialog (the friend-code invite uses it; `navigator.share` is absent
|
||||
in the desktop VK iframe). **Used.**
|
||||
- `VKWebAppCopyText` — clipboard copy that works inside the VK iframe, where `navigator.clipboard` is
|
||||
blocked. **Used** as the copy-code / copy-link path.
|
||||
- `VKWebAppUpdateConfig` (subscribe) — light/dark scheme; the app follows it while the theme pref is
|
||||
"auto" (the VK webview's prefers-color-scheme does not track it). **Used.**
|
||||
- `VKWebAppSetViewSettings` / `VKWebAppSetSwipeSettings` — viewport / swipe-back (mobile); not used.
|
||||
- `VKWebAppUpdateInsets` (+ `VKWebAppUpdateConfig`) — device safe-area insets; the app **max'es** them
|
||||
with CSS `env(safe-area-inset-*)` (viewport-fit=cover) so the bottom home bar is cleared. The bridge
|
||||
value is needed on Android, where the VK webview exposes no `env()` inset. **Used.**
|
||||
|
||||
The bridge talks to the embedding VK client over postMessage; it is NOT an external fetch, so
|
||||
it has no telegram.org-style load-hang risk. The SDK reads browser globals at import — we import
|
||||
it **lazily** so the pure URL helpers stay node-test-importable.
|
||||
|
||||
**Deep links — NOT possible on VK (confirmed on the contour).** The VK iframe receives ONLY the signed
|
||||
`vk_*` launch params (+ `sign`); VK strips any custom data from the app link. The documented
|
||||
`vk.com/app<id>#<payload>` form is eaten by the vk.com SPA (which owns the URL hash), and a
|
||||
`vk.com/app<id>?hash=<payload>` query is dropped (the diagnostic showed `rawSearch` with only `vk_*`
|
||||
and an empty `hash`). So the friend-code invite link is just `vk.com/app<id>` (`vkShareLink`, app id
|
||||
from `vk_app_id`); the recipient enters the **copied code by hand** (`VKWebAppCopyText` works). The
|
||||
`vkStartParam` reader + the `bootVK` routing stay as a no-op today, ready if a post-moderation VK
|
||||
channel (e.g. an invite API) ever delivers a payload.
|
||||
|
||||
## 5. Test mode (to verify before moderation)
|
||||
|
||||
1. App already registered (we have the App ID).
|
||||
2. In the app settings (dev.vk.com / `vk.com/editapp?act=settings&app_id=<id>`):
|
||||
- Category = **Игра** (Game).
|
||||
- **Web iframe URL** = our public HTTPS `/vk/` (the test-contour origin for contour testing,
|
||||
prod `https://erudit-game.ru/vk/` later). Mobile iframe URL = same.
|
||||
- Copy the **«Защищённый ключ»** → set as `GATEWAY_VK_APP_SECRET` (Gitea `TEST_`/`PROD_` secret).
|
||||
- Add own VK id to **testers**; open in test mode.
|
||||
3. Test mode = visible only to admins/testers, no payments processed.
|
||||
|
||||
## 6. Auth / identity (our model)
|
||||
|
||||
- `vk_user_id` (from verified params) → backend identity `kind='vk'`, `external_id=vk_user_id`,
|
||||
auto-confirmed (a platform identity). First contact seeds language from `vk_language` and the
|
||||
display name from the client-supplied `VKWebAppGetUserInfo` name (placeholder if empty).
|
||||
- No VK access token / VK API call needed for the launch+login MVP.
|
||||
|
||||
## 7. Payments / monetization
|
||||
|
||||
VK Pay / «голоса» (votes) are **optional**, not required to publish a free game. Not planned.
|
||||
|
||||
## 8. ToS / moderation (pre-publish, analyzed — no blocker for a free «Эрудит»)
|
||||
|
||||
- **Trademark**: "Scrabble" is trademarked. Our public brand is **«Эрудит»** (erudit-game.ru),
|
||||
a generic Russian word-game name → fine. Ensure the VK-registered app name is «Эрудит»/word-game,
|
||||
NOT "Scrabble". The repo name is internal and irrelevant to moderation.
|
||||
- **Pre-publish requirements**: public **Privacy Policy** + **ToS** URLs (disclose collected data:
|
||||
`vk_user_id`, language; mention VK), **age rating** (likely 6+/12+), icon, description.
|
||||
- **Dictionary**: standard word lists; VK may expect offensive-word filtering — likely fine for a
|
||||
dictionary game, flag if moderation asks.
|
||||
- **In-game chat (UGC)**: we already have a moderated chat + support relay → covered.
|
||||
- Moderation reviews after submission (commonly ~24–72h); rejects on violence/hate/sexual/illegal
|
||||
content or IP infringement — none apply.
|
||||
|
||||
## 9. Platforms
|
||||
|
||||
Desktop web (iframe), mobile web (iframe), VK iOS app (WKWebView), VK Android app (WebView). Bridge
|
||||
methods behave per-platform; the app's own back chevron + app-shell document-pin cover navigation
|
||||
without VK-specific code. Theme/viewport fine-tuning is best verified live in the real VK client
|
||||
(not reproducible in Playwright — like the iOS gesture caveats).
|
||||
|
||||
## 10. Our implementation map (what to touch for VK)
|
||||
|
||||
- **Wire**: `pkg/fbs/scrabble.fbs` → `VKLoginRequest{ params, browser_tz, display_name }`
|
||||
(regen: `make -C pkg fbs` + `pnpm -C ui codegen`).
|
||||
- **Gateway**: `internal/vkauth/` (the §3 verify), `internal/transcode` op `auth.vk`
|
||||
(registered via `WithVKAuth(secret)` option; `DomainCode` → `invalid_vk_params`),
|
||||
`internal/backendclient` `VKAuth` → `POST /api/v1/internal/sessions/vk`,
|
||||
config `GATEWAY_VK_APP_SECRET`, SPA mount `/vk/` in `internal/connectsrv/server.go`.
|
||||
- **Backend**: `internal/account` `KindVK` + `ProvisionVK`/`vkSeed` + `confirmed` for platform
|
||||
kinds; `internal/server/handlers_auth.go` `handleVKAuth` + route; migration
|
||||
`00005_vk_identity.sql` (widen `identities_kind_chk` to include `'vk'`, expand-contract).
|
||||
- **UI**: `src/lib/vk.ts` (`onVKPath`/`vkLaunchParams`/`insideVK`/`vkInit`/`vkUserName` plus `vkAppId`/
|
||||
`vkStartParam`/`vkShare`/`vkCopyText`/`vkOnScheme`), `app.svelte.ts` `bootVK` (+ deep-link routing
|
||||
and VK scheme→theme) + the `/vk/` dispatch branch + shared `retryMiniAppBoot`, `codec.ts`
|
||||
`encodeVKLogin`, `transport.ts`/`client.ts`/`mock/client.ts` `authVK`, `deeplink.ts` `vkShareLink`,
|
||||
`Friends.svelte` (VK share/copy), `app.css` `--tg-safe-*` defaulting to `env(safe-area-inset-*)`.
|
||||
- **Edge/deploy**: `deploy/caddy/Caddyfile` `/vk` path; `GATEWAY_VK_APP_SECRET` in
|
||||
`docker-compose.yml` + `.env.example` + `ci.yaml` (`TEST_…` secret) + `prod-deploy.yaml`
|
||||
(`PROD_…` secret, deploy-main).
|
||||
- **Deferred**: payments (VK Pay / votes), native (Capacitor) VK, account-linking a vk identity to an
|
||||
existing account, VK push. (Done after the launch+auth MVP — Group B: native share + clipboard via
|
||||
the bridge, the friend-code deep link, the auto-theme follow, and the home-bar safe area.)
|
||||
|
||||
## Sources
|
||||
|
||||
- VKCOM/vk-bridge — <https://github.com/VKCOM/vk-bridge>
|
||||
- VKCOM/vk-apps-launch-params (canonical signature examples) — <https://github.com/VKCOM/vk-apps-launch-params>
|
||||
- kravetsone/vk-launch-params — <https://github.com/kravetsone/vk-launch-params>
|
||||
- SevereCloud/vksdk `vkapps.ParamsVerify` (Go reference) — <https://pkg.go.dev/github.com/SevereCloud/vksdk/v2/vkapps>
|
||||
- VK Mini Apps API — <https://github.com/VKCOM/vk-mini-apps-api>
|
||||
+243
-19
@@ -26,12 +26,12 @@ on:
|
||||
push:
|
||||
branches: [development]
|
||||
|
||||
# The dictionary release the test suite validates against — the current
|
||||
# scrabble-dictionary release. Centralised here so a release bump is one edit; the
|
||||
# unit/integration jobs inherit it. The deploy job overrides it per contour with
|
||||
# vars.TEST_DICT_VERSION (the seed for a fresh volume), see deploy/README.md.
|
||||
# The dictionary release. One Gitea variable is the single source of truth: the
|
||||
# test suite validates against it here (inherited by the unit/integration jobs) and
|
||||
# both contours' deploy jobs seed a fresh volume with the same value. A release bump
|
||||
# is one edit (the variable). See deploy/README.md.
|
||||
env:
|
||||
DICT_VERSION: v1.3.0
|
||||
DICT_VERSION: ${{ vars.DICT_VERSION }}
|
||||
|
||||
jobs:
|
||||
# changes detects which areas a PR/push touched, so the test jobs can skip when
|
||||
@@ -73,6 +73,9 @@ jobs:
|
||||
go=false; ui=false
|
||||
if echo "$files" | grep -qE '^(backend/|pkg/|gateway/|platform/|loadtest/|go\.work)'; then go=true; fi
|
||||
if echo "$files" | grep -qE '^ui/'; then ui=true; fi
|
||||
# The render sidecar bundles ui/src/lib, so its dir rides the ui lane (the
|
||||
# deploy's compose build picks it up either way).
|
||||
if echo "$files" | grep -qE '^renderer/'; then ui=true; fi
|
||||
# A workflow or deploy change re-runs everything as a safety net.
|
||||
if echo "$files" | grep -qE '^(\.gitea/workflows/|deploy/)'; then go=true; ui=true; fi
|
||||
else
|
||||
@@ -199,19 +202,96 @@ jobs:
|
||||
- name: Bundle-size budget
|
||||
run: node scripts/bundle-size.mjs
|
||||
|
||||
# The render sidecar executes the shared ui/src/lib/gameimage.ts on skia-canvas;
|
||||
# its smoke test guards the bundling + skia seam (docs/TESTING.md).
|
||||
- name: Render sidecar test
|
||||
working-directory: renderer
|
||||
run: |
|
||||
pnpm install --frozen-lockfile
|
||||
pnpm test
|
||||
|
||||
- name: Install Playwright browsers
|
||||
run: pnpm exec playwright install chromium webkit
|
||||
timeout-minutes: 5
|
||||
|
||||
# The offline e2e plays a real local vs_ai game, so it needs the per-variant dawgs; fetch the
|
||||
# release the same way the Go jobs do and point the mock preview's copy step (scripts/
|
||||
# e2e-dict.mjs, via E2E_DICT_DIR below) at it.
|
||||
- name: Fetch dictionary DAWGs
|
||||
run: |
|
||||
mkdir -p "${GITHUB_WORKSPACE}/dawg"
|
||||
curl -fsSL -o /tmp/dawg.tar.gz "https://gitea.iliadenisov.ru/developer/scrabble-dictionary/releases/download/${DICT_VERSION}/scrabble-dawg-${DICT_VERSION}.tar.gz"
|
||||
tar xzf /tmp/dawg.tar.gz -C "${GITHUB_WORKSPACE}/dawg"
|
||||
ls -la "${GITHUB_WORKSPACE}/dawg"
|
||||
|
||||
- name: E2E smoke (mock)
|
||||
run: pnpm run test:e2e
|
||||
timeout-minutes: 5
|
||||
env:
|
||||
E2E_DICT_DIR: ${{ github.workspace }}/dawg
|
||||
|
||||
# conformance proves the client's local move preview (the ported dawg reader +
|
||||
# validator, ui/src/lib/dict) byte-for-byte against the authoritative Go engine:
|
||||
# a Go step generates golden parity vectors from the release dictionaries, then the
|
||||
# gated Vitest suite replays them. It spans both toolchains, so it runs whenever the
|
||||
# Go engine side or the UI side changed.
|
||||
conformance:
|
||||
needs: changes
|
||||
if: ${{ needs.changes.outputs.go == 'true' || needs.changes.outputs.ui == 'true' }}
|
||||
runs-on: ubuntu-latest
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
env:
|
||||
GOPRIVATE: gitea.iliadenisov.ru/*
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Fetch dictionary DAWGs
|
||||
run: |
|
||||
mkdir -p "${GITHUB_WORKSPACE}/dawg"
|
||||
curl -fsSL -o /tmp/dawg.tar.gz "https://gitea.iliadenisov.ru/developer/scrabble-dictionary/releases/download/${DICT_VERSION}/scrabble-dawg-${DICT_VERSION}.tar.gz"
|
||||
tar xzf /tmp/dawg.tar.gz -C "${GITHUB_WORKSPACE}/dawg"
|
||||
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version-file: go.work
|
||||
cache: true
|
||||
|
||||
- name: Generate golden parity vectors
|
||||
run: |
|
||||
go run ./backend/cmd/dictgen -dawg-dir "${GITHUB_WORKSPACE}/dawg" -out /tmp/dictgold
|
||||
go run ./backend/cmd/validategen -dawg-dir "${GITHUB_WORKSPACE}/dawg" -out /tmp/validgold
|
||||
go run ./backend/cmd/movegen -dawg-dir "${GITHUB_WORKSPACE}/dawg" -out "${GITHUB_WORKSPACE}/movegold"
|
||||
|
||||
- name: Set up Node
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 22
|
||||
|
||||
- name: Install pnpm
|
||||
run: npm install -g pnpm@11.0.9
|
||||
|
||||
- name: Install deps
|
||||
working-directory: ui
|
||||
run: pnpm install --frozen-lockfile
|
||||
|
||||
- name: Local-eval conformance (reader + validator vs the Go engine)
|
||||
working-directory: ui
|
||||
env:
|
||||
DICT_DAWG_DIR: ${{ github.workspace }}/dawg
|
||||
DICT_GOLD_DIR: /tmp/dictgold
|
||||
DICT_VALID_DIR: /tmp/validgold
|
||||
DICT_MOVEGEN_DIR: ${{ github.workspace }}/movegold
|
||||
run: pnpm exec vitest run src/lib/dict/
|
||||
|
||||
# gate is the single branch-protection required check. It always runs and passes
|
||||
# only when each upstream job succeeded or was skipped (a path-filtered no-op),
|
||||
# failing the merge if any actually failed or was cancelled.
|
||||
gate:
|
||||
needs: [unit, integration, ui]
|
||||
needs: [unit, integration, ui, conformance]
|
||||
if: always()
|
||||
runs-on: ubuntu-latest
|
||||
defaults:
|
||||
@@ -221,7 +301,7 @@ jobs:
|
||||
- name: Aggregate required checks
|
||||
run: |
|
||||
fail=
|
||||
for r in "unit:${{ needs.unit.result }}" "integration:${{ needs.integration.result }}" "ui:${{ needs.ui.result }}"; do
|
||||
for r in "unit:${{ needs.unit.result }}" "integration:${{ needs.integration.result }}" "ui:${{ needs.ui.result }}" "conformance:${{ needs.conformance.result }}"; do
|
||||
name="${r%%:*}"; res="${r#*:}"
|
||||
echo "$name = $res"
|
||||
case "$res" in
|
||||
@@ -236,9 +316,13 @@ jobs:
|
||||
# Auto test-deploy on a PR into development and on the push that merges it.
|
||||
# A PR into master is test-only (this job is skipped); prod deploy is manual.
|
||||
# Gates on `gate` (so a real test failure blocks the deploy) but runs even when
|
||||
# some test jobs were path-skipped.
|
||||
needs: [gate]
|
||||
if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/development') || (github.event_name == 'pull_request' && github.base_ref == 'development') }}
|
||||
# some test jobs were path-skipped. Skipped entirely when neither the Go nor the
|
||||
# UI side changed (e.g. a docs-only change): the contour image is unchanged, so
|
||||
# there is nothing to redeploy. `changes` still defaults both to true when the
|
||||
# diff is uncomputable, and a workflow/deploy edit forces both true, so an
|
||||
# ambiguous or infra change still deploys as a safety net.
|
||||
needs: [changes, gate]
|
||||
if: ${{ (needs.changes.outputs.go == 'true' || needs.changes.outputs.ui == 'true') && ((github.event_name == 'push' && github.ref == 'refs/heads/development') || (github.event_name == 'pull_request' && github.base_ref == 'development')) }}
|
||||
runs-on: ubuntu-latest
|
||||
defaults:
|
||||
run:
|
||||
@@ -261,10 +345,51 @@ jobs:
|
||||
GRAFANA_ADMIN_PASSWORD: ${{ secrets.TEST_GRAFANA_ADMIN_PASSWORD }}
|
||||
TELEGRAM_BOT_TOKEN: ${{ secrets.TEST_TELEGRAM_BOT_TOKEN }}
|
||||
TELEGRAM_PROMO_BOT_TOKEN: ${{ secrets.TEST_TELEGRAM_PROMO_BOT_TOKEN }}
|
||||
# VK Mini App protected key (offline HMAC for the launch-param signature); empty
|
||||
# leaves the VK auth path (auth.vk) disabled until the operator sets the secret.
|
||||
# One VK Mini App serves every contour -> unprefixed secret.
|
||||
GATEWAY_VK_APP_SECRET: ${{ secrets.GATEWAY_VK_APP_SECRET }}
|
||||
# VK ID web login (browser VK-identity linking): the VK ID "Web" app's protected key
|
||||
# for the server-side confidential code exchange — a SEPARATE VK app from the Mini
|
||||
# App above. One VK ID "Web" app serves every contour -> unprefixed secret.
|
||||
GATEWAY_VK_ID_CLIENT_SECRET: ${{ secrets.GATEWAY_VK_ID_CLIENT_SECRET }}
|
||||
# Planted honeytoken bearer: presenting it flags the caller (logs + a ban metric on
|
||||
# test where the IP ban is off; a 24h IP ban on prod). Per-contour secret; empty = trap off.
|
||||
GATEWAY_HONEYTOKEN: ${{ secrets.TEST_GATEWAY_HONEYTOKEN }}
|
||||
# Signs the finished-game export download URLs (backend + compose interpolation).
|
||||
EXPORT_SIGN_KEY: ${{ secrets.TEST_EXPORT_SIGN_KEY }}
|
||||
# Transactional email via the shared Selectel relay: one account for every
|
||||
# contour -> unprefixed host/port/tls/user/pass. Empty host leaves the backend
|
||||
# on the log mailer (email disabled) but the contour still boots.
|
||||
SMTP_RELAY_USER: ${{ secrets.SMTP_RELAY_USER }}
|
||||
SMTP_RELAY_PASS: ${{ secrets.SMTP_RELAY_PASS }}
|
||||
SMTP_RELAY_HOST: ${{ vars.SMTP_RELAY_HOST }}
|
||||
SMTP_RELAY_PORT: ${{ vars.SMTP_RELAY_PORT }}
|
||||
SMTP_RELAY_TLS: ${{ vars.SMTP_RELAY_TLS }}
|
||||
# Direct-rail (Robokassa) sandbox intake on the contour: the test shop's merchant login +
|
||||
# Password1/Password2. IsTest is forced to 1 below so the contour can never take real money
|
||||
# (independent of the shop's own mode). Empty login leaves the direct rail off.
|
||||
ROBOKASSA_MERCHANT_LOGIN: ${{ secrets.TEST_BACKEND_ROBOKASSA_MERCHANT_LOGIN }}
|
||||
ROBOKASSA_PASSWORD1: ${{ secrets.TEST_BACKEND_ROBOKASSA_PASSWORD1 }}
|
||||
ROBOKASSA_PASSWORD2: ${{ secrets.TEST_BACKEND_ROBOKASSA_PASSWORD2 }}
|
||||
ROBOKASSA_TEST: "1"
|
||||
SMTP_RELAY_FROM: ${{ vars.TEST_SMTP_RELAY_FROM }}
|
||||
# Operator alerts: backend admin emails (new feedback / complaints) + Grafana
|
||||
# infra alerts. Distinct senders + recipients; Grafana uses the relay's STARTTLS
|
||||
# host:port. Empty leaves the alert worker off and Grafana SMTP disabled.
|
||||
SMTP_RELAY_ADMIN_FROM: ${{ vars.TEST_SMTP_RELAY_ADMIN_FROM }}
|
||||
ADMIN_EMAIL: ${{ vars.TEST_ADMIN_EMAIL }}
|
||||
SMTP_RELAY_SERVICE_FROM: ${{ vars.TEST_SMTP_RELAY_SERVICE_FROM }}
|
||||
SERVICE_EMAIL: ${{ vars.TEST_SERVICE_EMAIL }}
|
||||
GRAFANA_SMTP_PORT: ${{ vars.GRAFANA_SMTP_PORT }}
|
||||
GF_SMTP_ENABLED: ${{ vars.TEST_GF_SMTP_ENABLED }}
|
||||
# Canonical public origin for links in the email (this contour's URL);
|
||||
# required by the backend whenever SMTP_RELAY_HOST is set.
|
||||
PUBLIC_BASE_URL: ${{ vars.TEST_PUBLIC_BASE_URL }}
|
||||
GM_BASICAUTH_USER: ${{ vars.TEST_GM_BASICAUTH_USER }}
|
||||
GRAFANA_ROOT_URL: ${{ vars.TEST_GRAFANA_ROOT_URL }}
|
||||
CADDY_SITE_ADDRESS: ${{ vars.TEST_CADDY_SITE_ADDRESS }}
|
||||
TELEGRAM_MINIAPP_URL: ${{ vars.TEST_TELEGRAM_MINIAPP_URL }}
|
||||
# TELEGRAM_MINIAPP_URL, GRAFANA_ROOT_URL and VITE_VK_ID_REDIRECT_URL are derived
|
||||
# from PUBLIC_BASE_URL in the run step below, not stored as their own variables.
|
||||
TELEGRAM_GAME_CHANNEL_ID: ${{ vars.TEST_TELEGRAM_GAME_CHANNEL_ID }}
|
||||
TELEGRAM_CHAT_ID: ${{ vars.TEST_TELEGRAM_CHAT_ID }}
|
||||
TELEGRAM_SUPPORT_CHAT_ID: ${{ vars.TEST_TELEGRAM_SUPPORT_CHAT_ID }}
|
||||
@@ -277,11 +402,19 @@ jobs:
|
||||
VITE_TELEGRAM_BOT_ID: ${{ vars.TEST_VITE_TELEGRAM_BOT_ID }}
|
||||
VITE_TELEGRAM_LINK: ${{ vars.TEST_VITE_TELEGRAM_LINK }}
|
||||
VITE_TELEGRAM_GAME_CHANNEL_NAME: ${{ vars.TEST_VITE_TELEGRAM_GAME_CHANNEL_NAME }}
|
||||
VITE_GATEWAY_URL: ${{ vars.TEST_VITE_GATEWAY_URL }}
|
||||
# Unset vars render empty -> the compose ":-" defaults apply.
|
||||
# VK Mini App landing link + VK ID "Web" app id: one value each serves every
|
||||
# contour -> unprefixed. VITE_VK_APP_ID also feeds the gateway (GATEWAY_VK_ID_APP_ID);
|
||||
# the VK ID redirect URL is derived from PUBLIC_BASE_URL in the run step below.
|
||||
VITE_VK_APP_LINK: ${{ vars.VITE_VK_APP_LINK }}
|
||||
VITE_VK_APP_ID: ${{ vars.VITE_VK_APP_ID }}
|
||||
# Rewarded-ad test stub: set TEST_VITE_ADS_STUB=1 to swap real ads for a toast on the
|
||||
# contour (empty = real ads, for capturing the real VK ad result). Prod never sets it.
|
||||
VITE_ADS_STUB: ${{ vars.TEST_VITE_ADS_STUB }}
|
||||
# VITE_GATEWAY_URL omitted: the SPA is served same-origin, so it stays the
|
||||
# compose ":-" empty default. Other unset vars likewise fall to their defaults.
|
||||
POSTGRES_DB: ${{ vars.TEST_POSTGRES_DB }}
|
||||
POSTGRES_USER: ${{ vars.TEST_POSTGRES_USER }}
|
||||
DICT_VERSION: ${{ vars.TEST_DICT_VERSION }}
|
||||
DICT_VERSION: ${{ vars.DICT_VERSION }}
|
||||
LOG_LEVEL: ${{ vars.TEST_LOG_LEVEL }}
|
||||
run: |
|
||||
# Seed the config files to a stable host path. The runner checks out into
|
||||
@@ -292,8 +425,34 @@ jobs:
|
||||
conf="$HOME/.scrabble-deploy"
|
||||
rm -rf "$conf"
|
||||
mkdir -p "$conf"
|
||||
cp -r caddy otelcol prometheus tempo grafana "$conf"/
|
||||
cp -r caddy otelcol prometheus tempo grafana blackbox "$conf"/
|
||||
export SCRABBLE_CONFIG_DIR="$conf"
|
||||
# Maintenance page for the redeploy window, mirroring prod-deploy.sh so the SPA
|
||||
# overlay is exercised on the test contour too (not only prod). Raised just before
|
||||
# the recreate and lowered once caddy is back (below); the trap clears it if the
|
||||
# step fails so the contour never sticks in maintenance (and the reseed above wipes a
|
||||
# stale flag anyway). The caddy-routed probes run in the NEXT step, after it is lowered.
|
||||
maint_flag="$conf/caddy/on"
|
||||
trap 'rm -f "$maint_flag"' EXIT
|
||||
# Derive the public URLs from the one canonical origin instead of storing each as
|
||||
# its own variable (paths are structural SPA routes / the Caddy /_gm sub-path).
|
||||
# Exported before build so the VK ID redirect is baked into the SPA.
|
||||
base="${PUBLIC_BASE_URL%/}"
|
||||
export TELEGRAM_MINIAPP_URL="$base/telegram/"
|
||||
export GRAFANA_ROOT_URL="$base/_gm/grafana/"
|
||||
export VITE_VK_ID_REDIRECT_URL="$base/app/"
|
||||
# Grafana's SMTP from_address must be a BARE address (it rejects the "Name" <addr>
|
||||
# form the backend go-mail accepts) and validates it even when SMTP is disabled — a
|
||||
# bad value crash-loops Grafana. Split the display-format SERVICE From into a bare
|
||||
# address + name for Grafana; the backend keeps the full form.
|
||||
svc_from="${SMTP_RELAY_SERVICE_FROM:-}"
|
||||
case "$svc_from" in
|
||||
*"<"*">"*)
|
||||
export GRAFANA_SMTP_FROM_ADDRESS="$(printf '%s' "$svc_from" | sed -E 's/.*<([^>]+)>.*/\1/')"
|
||||
export GRAFANA_SMTP_FROM_NAME="$(printf '%s' "$svc_from" | sed -E 's/[[:space:]]*<[^>]*>.*$//; s/^"//; s/"$//')" ;;
|
||||
*)
|
||||
export GRAFANA_SMTP_FROM_ADDRESS="$svc_from" ;;
|
||||
esac
|
||||
# Bot-link mTLS material for the test contour: a private CA + gateway/bot
|
||||
# leaves (CN=gateway, the service name the bot dials). Prod supplies these
|
||||
# from PROD_ secrets instead. Regenerated each deploy; both ends redeploy
|
||||
@@ -306,12 +465,23 @@ jobs:
|
||||
# bot on its own host instead (deploy/docker-compose.bot.yml), and the prod
|
||||
# main host omits both. Without the profile they would not start here.
|
||||
docker compose --ansi never --profile telegram-local build --progress plain
|
||||
# Raise the maintenance page, THEN bring caddy onto the reseeded config mount so it
|
||||
# actually carries the flag: the running caddy sits on the stale pre-reseed mount (the
|
||||
# dir was rm'd + recreated — see the force-recreate note below), so a flag written to
|
||||
# the new dir is invisible until caddy is recreated. With the fresh caddy up, an open
|
||||
# SPA sees the 503 marker + overlay for the whole recreate window, not a bare reconnect.
|
||||
: > "$maint_flag"
|
||||
docker compose --ansi never up -d --force-recreate --no-deps caddy
|
||||
docker compose --ansi never --profile telegram-local up -d --remove-orphans
|
||||
# The config-only services bind-mount the reseeded config dir. A plain `up -d`
|
||||
# leaves them on the previous bind mount (the dir was rm'd + recreated), so a
|
||||
# changed Caddyfile or Grafana dashboard is ignored — force-recreate them to
|
||||
# pick up the fresh config.
|
||||
docker compose --ansi never up -d --force-recreate --no-deps caddy otelcol prometheus tempo grafana
|
||||
# changed Grafana dashboard is ignored — force-recreate them to pick up the fresh
|
||||
# config. (Caddy was already recreated above so it would carry the maintenance flag.)
|
||||
docker compose --ansi never up -d --force-recreate --no-deps otelcol prometheus tempo grafana
|
||||
# Lower the maintenance page: services are back. An open SPA's poll now gets through
|
||||
# (once the gateway finishes booting) and reloads into the fresh client; the caddy
|
||||
# probes in the next step see 200. The EXIT trap is a backstop if we failed earlier.
|
||||
rm -f "$maint_flag"
|
||||
|
||||
- name: Probe the landing, gateway and backend
|
||||
run: |
|
||||
@@ -337,6 +507,60 @@ jobs:
|
||||
docker logs --tail 50 scrabble-backend || true
|
||||
exit 1
|
||||
|
||||
- name: Probe the /offer/ public offer page is served
|
||||
run: |
|
||||
set -u
|
||||
# /offer/ is rendered by the render sidecar: it splices the live catalog price list
|
||||
# (fetched from the backend's internal endpoint) into the committed ui/legal/offer_ru.md.
|
||||
# If the @offer caddy route is missing, the request falls to the landing shell (also 200),
|
||||
# and if the backend fetch fails the sidecar returns 502 — so assert offer-specific content
|
||||
# (the seller INN, §11) AND that the pricing marker was substituted (proves the fetch +
|
||||
# splice ran), never just the status. Data-independent: an empty catalog still substitutes
|
||||
# the marker with nothing, so "pricing_template" must be absent either way.
|
||||
out="$(docker run --rm --network edge alpine:3.20 wget -q -O - http://scrabble/offer/ 2>&1 || true)"
|
||||
if echo "$out" | grep -q "290210610742" && ! echo "$out" | grep -q "pricing_template"; then
|
||||
echo "ok: /offer/ serves the rendered offer with the price list spliced in"
|
||||
else
|
||||
echo "FAIL: /offer/ did not serve the rendered offer (route fell through, or the price splice failed)"
|
||||
docker logs --tail 50 scrabble-renderer || true
|
||||
docker logs --tail 50 scrabble-backend || true
|
||||
docker logs --tail 50 scrabble-landing || true
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Probe the /pay/ callback route reaches the gateway
|
||||
run: |
|
||||
set -u
|
||||
# /pay/robokassa/result must reach the gateway, not fall to the landing catch-all. An
|
||||
# unsigned probe is rejected downstream, so the gateway answers a 4xx/5xx (never a 200 or
|
||||
# a 404 landing.html), which proves the edge route is wired.
|
||||
out="$(docker run --rm --network edge alpine:3.20 wget -S -q -O /dev/null http://scrabble/pay/robokassa/result 2>&1 || true)"
|
||||
echo "$out" | grep -E "HTTP/" || true
|
||||
if echo "$out" | grep -qE "HTTP/1\.1 (4|5)[0-9][0-9]"; then
|
||||
echo "ok: /pay/ reaches the gateway (non-landing response)"
|
||||
else
|
||||
echo "FAIL: /pay/robokassa/result did not reach the gateway (landing catch-all?)"
|
||||
docker logs --tail 50 scrabble-gateway || true
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Probe the /dict edge route reaches the gateway
|
||||
run: |
|
||||
set -u
|
||||
# The client fetches each game's dictionary blob at {edge}/dict/{variant}/{version}
|
||||
# for the local move preview. If caddy does not route /dict to the gateway the request
|
||||
# falls to the static landing and the client silently gets a non-dawg blob. Probed
|
||||
# unauthenticated it must be the gateway's 401 (the route reaches the gateway), never a
|
||||
# 404/200 from the landing catch-all.
|
||||
out="$(docker run --rm --network edge alpine:3.20 wget -S -q -O /dev/null http://scrabble/dict/scrabble_en/v1 2>&1 || true)"
|
||||
echo "$out" | grep -E "HTTP/" || true
|
||||
if echo "$out" | grep -q " 401"; then
|
||||
echo "ok: /dict reaches the gateway (401 unauthenticated)"
|
||||
else
|
||||
echo "FAIL: /dict did not reach the gateway (expected 401) — caddy route missing?"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Probe the Telegram validator and bot liveness
|
||||
run: |
|
||||
set -u
|
||||
|
||||
@@ -40,11 +40,22 @@ jobs:
|
||||
VITE_TELEGRAM_BOT_ID: ${{ vars.PROD_VITE_TELEGRAM_BOT_ID }}
|
||||
VITE_TELEGRAM_LINK: ${{ vars.PROD_VITE_TELEGRAM_LINK }}
|
||||
VITE_TELEGRAM_GAME_CHANNEL_NAME: ${{ vars.PROD_VITE_TELEGRAM_GAME_CHANNEL_NAME }}
|
||||
VITE_GATEWAY_URL: ${{ vars.PROD_VITE_GATEWAY_URL }}
|
||||
# VK Mini App link + VK ID "Web" app id: one value each serves every contour.
|
||||
VITE_VK_APP_LINK: ${{ vars.VITE_VK_APP_LINK }}
|
||||
VITE_VK_APP_ID: ${{ vars.VITE_VK_APP_ID }}
|
||||
# VITE_GATEWAY_URL omitted: the SPA is served same-origin (compose ":-" default).
|
||||
POSTGRES_PASSWORD: ${{ secrets.PROD_POSTGRES_PASSWORD }}
|
||||
GM_BASICAUTH_HASH: ${{ secrets.PROD_GM_BASICAUTH_HASH }}
|
||||
TELEGRAM_MINIAPP_URL: ${{ vars.PROD_TELEGRAM_MINIAPP_URL }}
|
||||
DICT_VERSION: ${{ vars.PROD_DICT_VERSION }}
|
||||
# `docker compose build` interpolates the WHOLE compose file, so every :?-guarded
|
||||
# runtime var must be present at build even though it is not a build-arg — incl. the
|
||||
# backend's EXPORT_SIGN_KEY (added with the finished-game export after v1.7.0, which is
|
||||
# why the first v1.8.0 build tripped on it). POSTGRES_PASSWORD/GM_BASICAUTH_HASH above
|
||||
# are here for the same reason; DICT_VERSION + the derived Mini App URL cover the rest.
|
||||
EXPORT_SIGN_KEY: ${{ secrets.PROD_EXPORT_SIGN_KEY }}
|
||||
# PUBLIC_BASE_URL drives the derived VK ID redirect (baked into the SPA) and the
|
||||
# Mini App URL; both are computed in the build step, not stored variables.
|
||||
PUBLIC_BASE_URL: ${{ vars.PROD_PUBLIC_BASE_URL }}
|
||||
DICT_VERSION: ${{ vars.DICT_VERSION }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
@@ -58,10 +69,15 @@ jobs:
|
||||
working-directory: deploy
|
||||
run: |
|
||||
export TAG="${{ steps.ver.outputs.tag }}" APP_VERSION="${{ steps.ver.outputs.tag }}" SCRABBLE_CONFIG_DIR=.
|
||||
# The four main-stack images via compose (reuses the build args, incl. VERSION);
|
||||
# Derive the public URLs from the one canonical origin: the VK ID redirect is a
|
||||
# build-arg baked into the SPA, and the Mini App URL satisfies the (profiled-out)
|
||||
# bot service's compose ":?" guard during parse. See deploy/write-prod-env.sh.
|
||||
base="${PUBLIC_BASE_URL%/}"
|
||||
export VITE_VK_ID_REDIRECT_URL="$base/app/" TELEGRAM_MINIAPP_URL="$base/telegram/"
|
||||
# The main-stack images via compose (reuses the build args, incl. VERSION);
|
||||
# the bot separately, since it is profiled out of the prod compose.
|
||||
docker compose -f docker-compose.yml -f docker-compose.prod.yml build
|
||||
docker compose -f docker-compose.yml -f docker-compose.prod.yml push backend gateway landing validator
|
||||
docker compose -f docker-compose.yml -f docker-compose.prod.yml push postgres backend gateway landing validator renderer
|
||||
docker build -f ../platform/telegram/Dockerfile --target bot --build-arg VERSION="$TAG" -t "$REGISTRY/scrabble-telegram-bot:$TAG" ..
|
||||
docker push "$REGISTRY/scrabble-telegram-bot:$TAG"
|
||||
|
||||
@@ -82,17 +98,70 @@ jobs:
|
||||
GM_BASICAUTH_HASH: ${{ secrets.PROD_GM_BASICAUTH_HASH }}
|
||||
GRAFANA_ADMIN_PASSWORD: ${{ secrets.PROD_GRAFANA_ADMIN_PASSWORD }}
|
||||
TELEGRAM_BOT_TOKEN: ${{ secrets.PROD_TELEGRAM_BOT_TOKEN }}
|
||||
GATEWAY_VK_APP_SECRET: ${{ secrets.GATEWAY_VK_APP_SECRET }}
|
||||
# Robokassa direct-rail (backend BACKEND_ROBOKASSA_*): the prod shop login + the pass phrases
|
||||
# that sign the launch request / verify the Result callback, and the test-mode flag — a var so
|
||||
# go-live is a flag flip, not a secret redeploy ("1" runs test payments against the test
|
||||
# passwords; empty/"0" is live). An empty login leaves the direct rail disabled.
|
||||
ROBOKASSA_MERCHANT_LOGIN: ${{ secrets.PROD_BACKEND_ROBOKASSA_MERCHANT_LOGIN }}
|
||||
ROBOKASSA_PASSWORD1: ${{ secrets.PROD_BACKEND_ROBOKASSA_PASSWORD1 }}
|
||||
ROBOKASSA_PASSWORD2: ${{ secrets.PROD_BACKEND_ROBOKASSA_PASSWORD2 }}
|
||||
ROBOKASSA_TEST: ${{ vars.PROD_BACKEND_ROBOKASSA_TEST }}
|
||||
# VK ID web login: the "Web" app id (the gateway reuses it as GATEWAY_VK_ID_APP_ID at
|
||||
# runtime) + the app's protected key. Both shared across contours. The redirect URL is
|
||||
# derived from PUBLIC_BASE_URL in deploy/write-prod-env.sh.
|
||||
VITE_VK_APP_ID: ${{ vars.VITE_VK_APP_ID }}
|
||||
GATEWAY_VK_ID_CLIENT_SECRET: ${{ secrets.GATEWAY_VK_ID_CLIENT_SECRET }}
|
||||
# Planted honeytoken bearer: presenting it earns a 24h IP ban + a high-severity alarm.
|
||||
# Per-contour secret; empty = trap off. Rendered by deploy/write-prod-env.sh.
|
||||
GATEWAY_HONEYTOKEN: ${{ secrets.PROD_GATEWAY_HONEYTOKEN }}
|
||||
# Community IP blocklist (Spamhaus DROP): opt-in. Set _ENABLED=true + _URL (the feed) once
|
||||
# verified; _ALLOW is a comma-separated never-block set (own infra). Empty ⇒ off.
|
||||
GATEWAY_BLOCKLIST_ENABLED: ${{ vars.PROD_GATEWAY_BLOCKLIST_ENABLED }}
|
||||
GATEWAY_BLOCKLIST_URL: ${{ vars.PROD_GATEWAY_BLOCKLIST_URL }}
|
||||
GATEWAY_BLOCKLIST_ALLOW: ${{ vars.PROD_GATEWAY_BLOCKLIST_ALLOW }}
|
||||
# Signs the finished-game export download URLs (backend BACKEND_EXPORT_SIGN_KEY).
|
||||
EXPORT_SIGN_KEY: ${{ secrets.PROD_EXPORT_SIGN_KEY }}
|
||||
# Transactional email via the shared Selectel relay (confirm-codes): one account for
|
||||
# every contour -> unprefixed host/port/tls/user/pass.
|
||||
SMTP_RELAY_USER: ${{ secrets.SMTP_RELAY_USER }}
|
||||
SMTP_RELAY_PASS: ${{ secrets.SMTP_RELAY_PASS }}
|
||||
SMTP_RELAY_HOST: ${{ vars.SMTP_RELAY_HOST }}
|
||||
SMTP_RELAY_PORT: ${{ vars.SMTP_RELAY_PORT }}
|
||||
SMTP_RELAY_TLS: ${{ vars.SMTP_RELAY_TLS }}
|
||||
SMTP_RELAY_FROM: ${{ vars.PROD_SMTP_RELAY_FROM }}
|
||||
# Operator alerts: backend admin emails + Grafana infra alerts (distinct senders +
|
||||
# recipients; Grafana uses the relay's STARTTLS host:port).
|
||||
SMTP_RELAY_ADMIN_FROM: ${{ vars.PROD_SMTP_RELAY_ADMIN_FROM }}
|
||||
ADMIN_EMAIL: ${{ vars.PROD_ADMIN_EMAIL }}
|
||||
SMTP_RELAY_SERVICE_FROM: ${{ vars.PROD_SMTP_RELAY_SERVICE_FROM }}
|
||||
SERVICE_EMAIL: ${{ vars.PROD_SERVICE_EMAIL }}
|
||||
GRAFANA_SMTP_PORT: ${{ vars.GRAFANA_SMTP_PORT }}
|
||||
GF_SMTP_ENABLED: ${{ vars.PROD_GF_SMTP_ENABLED }}
|
||||
PUBLIC_BASE_URL: ${{ vars.PROD_PUBLIC_BASE_URL }}
|
||||
PROD_BOTLINK_CA: ${{ secrets.PROD_BOTLINK_CA }}
|
||||
PROD_BOTLINK_GATEWAY_CERT: ${{ secrets.PROD_BOTLINK_GATEWAY_CERT }}
|
||||
PROD_BOTLINK_GATEWAY_KEY: ${{ secrets.PROD_BOTLINK_GATEWAY_KEY }}
|
||||
GM_BASICAUTH_USER: ${{ vars.PROD_GM_BASICAUTH_USER }}
|
||||
GRAFANA_ROOT_URL: ${{ vars.PROD_GRAFANA_ROOT_URL }}
|
||||
CADDY_SITE_ADDRESS: ${{ vars.PROD_CADDY_SITE_ADDRESS }}
|
||||
LOG_LEVEL: ${{ vars.PROD_LOG_LEVEL }}
|
||||
DICT_VERSION: ${{ vars.PROD_DICT_VERSION }}
|
||||
DICT_VERSION: ${{ vars.DICT_VERSION }}
|
||||
POSTGRES_DB: ${{ vars.PROD_POSTGRES_DB }}
|
||||
POSTGRES_USER: ${{ vars.PROD_POSTGRES_USER }}
|
||||
TELEGRAM_MINIAPP_URL: ${{ vars.PROD_TELEGRAM_MINIAPP_URL }}
|
||||
# Point-in-time recovery (pgBackRest -> S3), prod main host only. Endpoint/bucket/
|
||||
# region + the archive-mode switch are variables; the S3 keys + the repository cipher
|
||||
# passphrase are secrets. All empty/off until the operator arms archiving; flipping
|
||||
# PROD_PGBACKREST_ARCHIVE_MODE=on activates it (deploy/README.md, arming).
|
||||
PGBACKREST_ARCHIVE_MODE: ${{ vars.PROD_PGBACKREST_ARCHIVE_MODE }}
|
||||
PGBACKREST_S3_ENDPOINT: ${{ vars.PROD_PGBACKREST_S3_ENDPOINT }}
|
||||
PGBACKREST_S3_PORT: ${{ vars.PROD_PGBACKREST_S3_PORT }}
|
||||
PGBACKREST_S3_BUCKET: ${{ vars.PROD_PGBACKREST_S3_BUCKET }}
|
||||
PGBACKREST_S3_REGION: ${{ vars.PROD_PGBACKREST_S3_REGION }}
|
||||
PGBACKREST_S3_KEY: ${{ secrets.PROD_PGBACKREST_S3_KEY }}
|
||||
PGBACKREST_S3_KEY_SECRET: ${{ secrets.PROD_PGBACKREST_S3_KEY_SECRET }}
|
||||
PGBACKREST_CIPHER_PASS: ${{ secrets.PROD_PGBACKREST_CIPHER_PASS }}
|
||||
# TELEGRAM_MINIAPP_URL and GRAFANA_ROOT_URL are derived from PUBLIC_BASE_URL in
|
||||
# deploy/write-prod-env.sh, not stored variables.
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
@@ -120,24 +189,8 @@ jobs:
|
||||
run: |
|
||||
umask 077
|
||||
mkdir -p stage/certs-main
|
||||
cat > stage/env.sh <<EOF
|
||||
export REGISTRY='$REGISTRY'
|
||||
export SCRABBLE_CONFIG_DIR='/opt/scrabble'
|
||||
export POSTGRES_DB='${POSTGRES_DB:-scrabble}'
|
||||
export POSTGRES_USER='${POSTGRES_USER:-scrabble}'
|
||||
export POSTGRES_PASSWORD='$POSTGRES_PASSWORD'
|
||||
export GM_BASICAUTH_USER='${GM_BASICAUTH_USER:-gm}'
|
||||
export GM_BASICAUTH_HASH='$GM_BASICAUTH_HASH'
|
||||
export GRAFANA_ADMIN_PASSWORD='$GRAFANA_ADMIN_PASSWORD'
|
||||
export GRAFANA_ROOT_URL='$GRAFANA_ROOT_URL'
|
||||
export CADDY_SITE_ADDRESS='$CADDY_SITE_ADDRESS'
|
||||
export LOG_LEVEL='${LOG_LEVEL:-info}'
|
||||
export DICT_VERSION='$DICT_VERSION'
|
||||
export APP_VERSION='$TAG'
|
||||
export TELEGRAM_BOT_TOKEN='$TELEGRAM_BOT_TOKEN'
|
||||
export TELEGRAM_MINIAPP_URL='$TELEGRAM_MINIAPP_URL'
|
||||
export GATEWAY_ABUSE_BAN_ENABLED='true'
|
||||
EOF
|
||||
# Shared with prod-rollback so the two paths render an identical runtime env.
|
||||
APP_VERSION="$TAG" bash deploy/write-prod-env.sh stage/env.sh
|
||||
printf '%s\n' "$PROD_BOTLINK_CA" > stage/certs-main/ca.crt
|
||||
printf '%s\n' "$PROD_BOTLINK_GATEWAY_CERT" > stage/certs-main/gateway.crt
|
||||
printf '%s\n' "$PROD_BOTLINK_GATEWAY_KEY" > stage/certs-main/gateway.key
|
||||
@@ -148,7 +201,7 @@ jobs:
|
||||
ssh_main 'mkdir -p /opt/scrabble/compose'
|
||||
tar -C deploy -czf - docker-compose.yml docker-compose.prod.yml prod-deploy.sh \
|
||||
| ssh_main 'tar -C /opt/scrabble/compose -xzf -'
|
||||
tar -C deploy -czf - caddy otelcol prometheus tempo grafana \
|
||||
tar -C deploy -czf - caddy otelcol prometheus tempo grafana blackbox \
|
||||
| ssh_main 'tar -C /opt/scrabble -xzf -'
|
||||
tar -C stage -czf - certs-main \
|
||||
| ssh_main 'rm -rf /opt/scrabble/certs && mkdir -p /opt/scrabble/certs && tar -C /opt/scrabble/certs --strip-components=1 -xzf -'
|
||||
@@ -176,7 +229,8 @@ jobs:
|
||||
PROD_BOTLINK_BOT_CERT: ${{ secrets.PROD_BOTLINK_BOT_CERT }}
|
||||
PROD_BOTLINK_BOT_KEY: ${{ secrets.PROD_BOTLINK_BOT_KEY }}
|
||||
LOG_LEVEL: ${{ vars.PROD_LOG_LEVEL }}
|
||||
TELEGRAM_MINIAPP_URL: ${{ vars.PROD_TELEGRAM_MINIAPP_URL }}
|
||||
# PUBLIC_BASE_URL drives the derived Mini App URL in deploy/write-prod-bot-env.sh.
|
||||
PUBLIC_BASE_URL: ${{ vars.PROD_PUBLIC_BASE_URL }}
|
||||
TELEGRAM_GAME_CHANNEL_ID: ${{ vars.PROD_TELEGRAM_GAME_CHANNEL_ID }}
|
||||
TELEGRAM_CHAT_ID: ${{ vars.PROD_TELEGRAM_CHAT_ID }}
|
||||
TELEGRAM_SUPPORT_CHAT_ID: ${{ vars.PROD_TELEGRAM_SUPPORT_CHAT_ID }}
|
||||
@@ -193,20 +247,8 @@ jobs:
|
||||
run: |
|
||||
umask 077
|
||||
mkdir -p stage/certs-bot
|
||||
cat > stage/env.bot.sh <<EOF
|
||||
export SCRABBLE_CONFIG_DIR='/opt/scrabble'
|
||||
export BOT_IMAGE='$REGISTRY/scrabble-telegram-bot:$TAG'
|
||||
export BOTLINK_GATEWAY_ADDR='$MAIN_HOST:9443'
|
||||
export TELEGRAM_BOT_TOKEN='$TELEGRAM_BOT_TOKEN'
|
||||
export TELEGRAM_MINIAPP_URL='$TELEGRAM_MINIAPP_URL'
|
||||
export TELEGRAM_GAME_CHANNEL_ID='$TELEGRAM_GAME_CHANNEL_ID'
|
||||
export TELEGRAM_CHAT_ID='$TELEGRAM_CHAT_ID'
|
||||
export TELEGRAM_SUPPORT_CHAT_ID='$TELEGRAM_SUPPORT_CHAT_ID'
|
||||
export TELEGRAM_PROMO_BOT_TOKEN='$TELEGRAM_PROMO_BOT_TOKEN'
|
||||
export TELEGRAM_BOT_USERNAME='$TELEGRAM_BOT_USERNAME'
|
||||
export TELEGRAM_BOT_LINK='$TELEGRAM_BOT_LINK'
|
||||
export LOG_LEVEL='${LOG_LEVEL:-info}'
|
||||
EOF
|
||||
# Shared with prod-rollback so the two paths render an identical bot env.
|
||||
BOT_IMAGE="$REGISTRY/scrabble-telegram-bot:$TAG" bash deploy/write-prod-bot-env.sh stage/env.bot.sh
|
||||
printf '%s\n' "$PROD_BOTLINK_CA" > stage/certs-bot/ca.crt
|
||||
printf '%s\n' "$PROD_BOTLINK_BOT_CERT" > stage/certs-bot/bot.crt
|
||||
printf '%s\n' "$PROD_BOTLINK_BOT_KEY" > stage/certs-bot/bot.key
|
||||
|
||||
@@ -51,13 +51,52 @@ jobs:
|
||||
PROD_BOTLINK_GATEWAY_CERT: ${{ secrets.PROD_BOTLINK_GATEWAY_CERT }}
|
||||
PROD_BOTLINK_GATEWAY_KEY: ${{ secrets.PROD_BOTLINK_GATEWAY_KEY }}
|
||||
GM_BASICAUTH_USER: ${{ vars.PROD_GM_BASICAUTH_USER }}
|
||||
GRAFANA_ROOT_URL: ${{ vars.PROD_GRAFANA_ROOT_URL }}
|
||||
CADDY_SITE_ADDRESS: ${{ vars.PROD_CADDY_SITE_ADDRESS }}
|
||||
LOG_LEVEL: ${{ vars.PROD_LOG_LEVEL }}
|
||||
DICT_VERSION: ${{ vars.PROD_DICT_VERSION }}
|
||||
DICT_VERSION: ${{ vars.DICT_VERSION }}
|
||||
POSTGRES_DB: ${{ vars.PROD_POSTGRES_DB }}
|
||||
POSTGRES_USER: ${{ vars.PROD_POSTGRES_USER }}
|
||||
TELEGRAM_MINIAPP_URL: ${{ vars.PROD_TELEGRAM_MINIAPP_URL }}
|
||||
PUBLIC_BASE_URL: ${{ vars.PROD_PUBLIC_BASE_URL }}
|
||||
# Full runtime env — parity with prod-deploy's deploy-main so a rollback re-renders
|
||||
# the SAME env.sh (email / VK login / Grafana alerts survive a rollback). TELEGRAM_MINIAPP_URL
|
||||
# and GRAFANA_ROOT_URL are derived from PUBLIC_BASE_URL in deploy/write-prod-env.sh.
|
||||
GATEWAY_VK_APP_SECRET: ${{ secrets.GATEWAY_VK_APP_SECRET }}
|
||||
# Robokassa direct-rail: the rollback re-renders the same runtime env (write-prod-env.sh), so
|
||||
# it must carry the same credentials or the direct rail goes dark after a rollback.
|
||||
ROBOKASSA_MERCHANT_LOGIN: ${{ secrets.PROD_BACKEND_ROBOKASSA_MERCHANT_LOGIN }}
|
||||
ROBOKASSA_PASSWORD1: ${{ secrets.PROD_BACKEND_ROBOKASSA_PASSWORD1 }}
|
||||
ROBOKASSA_PASSWORD2: ${{ secrets.PROD_BACKEND_ROBOKASSA_PASSWORD2 }}
|
||||
ROBOKASSA_TEST: ${{ vars.PROD_BACKEND_ROBOKASSA_TEST }}
|
||||
VITE_VK_APP_ID: ${{ vars.VITE_VK_APP_ID }}
|
||||
GATEWAY_VK_ID_CLIENT_SECRET: ${{ secrets.GATEWAY_VK_ID_CLIENT_SECRET }}
|
||||
GATEWAY_HONEYTOKEN: ${{ secrets.PROD_GATEWAY_HONEYTOKEN }}
|
||||
# Community IP blocklist — rendered on rollback too so a rollback keeps the same edge policy.
|
||||
GATEWAY_BLOCKLIST_ENABLED: ${{ vars.PROD_GATEWAY_BLOCKLIST_ENABLED }}
|
||||
GATEWAY_BLOCKLIST_URL: ${{ vars.PROD_GATEWAY_BLOCKLIST_URL }}
|
||||
GATEWAY_BLOCKLIST_ALLOW: ${{ vars.PROD_GATEWAY_BLOCKLIST_ALLOW }}
|
||||
EXPORT_SIGN_KEY: ${{ secrets.PROD_EXPORT_SIGN_KEY }}
|
||||
SMTP_RELAY_USER: ${{ secrets.SMTP_RELAY_USER }}
|
||||
SMTP_RELAY_PASS: ${{ secrets.SMTP_RELAY_PASS }}
|
||||
SMTP_RELAY_HOST: ${{ vars.SMTP_RELAY_HOST }}
|
||||
SMTP_RELAY_PORT: ${{ vars.SMTP_RELAY_PORT }}
|
||||
SMTP_RELAY_TLS: ${{ vars.SMTP_RELAY_TLS }}
|
||||
SMTP_RELAY_FROM: ${{ vars.PROD_SMTP_RELAY_FROM }}
|
||||
SMTP_RELAY_ADMIN_FROM: ${{ vars.PROD_SMTP_RELAY_ADMIN_FROM }}
|
||||
ADMIN_EMAIL: ${{ vars.PROD_ADMIN_EMAIL }}
|
||||
SMTP_RELAY_SERVICE_FROM: ${{ vars.PROD_SMTP_RELAY_SERVICE_FROM }}
|
||||
SERVICE_EMAIL: ${{ vars.PROD_SERVICE_EMAIL }}
|
||||
GRAFANA_SMTP_PORT: ${{ vars.GRAFANA_SMTP_PORT }}
|
||||
GF_SMTP_ENABLED: ${{ vars.PROD_GF_SMTP_ENABLED }}
|
||||
# PITR archiving parity: a rollback must re-render the SAME env.sh, else it would
|
||||
# silently disarm WAL archiving (PGBACKREST_ARCHIVE_MODE would fall back to off).
|
||||
PGBACKREST_ARCHIVE_MODE: ${{ vars.PROD_PGBACKREST_ARCHIVE_MODE }}
|
||||
PGBACKREST_S3_ENDPOINT: ${{ vars.PROD_PGBACKREST_S3_ENDPOINT }}
|
||||
PGBACKREST_S3_PORT: ${{ vars.PROD_PGBACKREST_S3_PORT }}
|
||||
PGBACKREST_S3_BUCKET: ${{ vars.PROD_PGBACKREST_S3_BUCKET }}
|
||||
PGBACKREST_S3_REGION: ${{ vars.PROD_PGBACKREST_S3_REGION }}
|
||||
PGBACKREST_S3_KEY: ${{ secrets.PROD_PGBACKREST_S3_KEY }}
|
||||
PGBACKREST_S3_KEY_SECRET: ${{ secrets.PROD_PGBACKREST_S3_KEY_SECRET }}
|
||||
PGBACKREST_CIPHER_PASS: ${{ secrets.PROD_PGBACKREST_CIPHER_PASS }}
|
||||
INPUT_TARGET: ${{ inputs.target_version }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
@@ -89,24 +128,9 @@ jobs:
|
||||
run: |
|
||||
umask 077
|
||||
mkdir -p stage/certs-main
|
||||
cat > stage/env.sh <<EOF
|
||||
export REGISTRY='$REGISTRY'
|
||||
export SCRABBLE_CONFIG_DIR='/opt/scrabble'
|
||||
export POSTGRES_DB='${POSTGRES_DB:-scrabble}'
|
||||
export POSTGRES_USER='${POSTGRES_USER:-scrabble}'
|
||||
export POSTGRES_PASSWORD='$POSTGRES_PASSWORD'
|
||||
export GM_BASICAUTH_USER='${GM_BASICAUTH_USER:-gm}'
|
||||
export GM_BASICAUTH_HASH='$GM_BASICAUTH_HASH'
|
||||
export GRAFANA_ADMIN_PASSWORD='$GRAFANA_ADMIN_PASSWORD'
|
||||
export GRAFANA_ROOT_URL='$GRAFANA_ROOT_URL'
|
||||
export CADDY_SITE_ADDRESS='$CADDY_SITE_ADDRESS'
|
||||
export LOG_LEVEL='${LOG_LEVEL:-info}'
|
||||
export DICT_VERSION='$DICT_VERSION'
|
||||
export APP_VERSION='$TARGET'
|
||||
export TELEGRAM_BOT_TOKEN='$TELEGRAM_BOT_TOKEN'
|
||||
export TELEGRAM_MINIAPP_URL='$TELEGRAM_MINIAPP_URL'
|
||||
export GATEWAY_ABUSE_BAN_ENABLED='true'
|
||||
EOF
|
||||
# Same writer as prod-deploy's deploy-main -> the rollback re-renders the FULL
|
||||
# runtime env (not a subset), so email / VK login / Grafana alerts survive it.
|
||||
APP_VERSION="$TARGET" bash deploy/write-prod-env.sh stage/env.sh
|
||||
printf '%s\n' "$PROD_BOTLINK_CA" > stage/certs-main/ca.crt
|
||||
printf '%s\n' "$PROD_BOTLINK_GATEWAY_CERT" > stage/certs-main/gateway.crt
|
||||
printf '%s\n' "$PROD_BOTLINK_GATEWAY_KEY" > stage/certs-main/gateway.key
|
||||
@@ -147,9 +171,11 @@ jobs:
|
||||
PROD_BOTLINK_BOT_CERT: ${{ secrets.PROD_BOTLINK_BOT_CERT }}
|
||||
PROD_BOTLINK_BOT_KEY: ${{ secrets.PROD_BOTLINK_BOT_KEY }}
|
||||
LOG_LEVEL: ${{ vars.PROD_LOG_LEVEL }}
|
||||
TELEGRAM_MINIAPP_URL: ${{ vars.PROD_TELEGRAM_MINIAPP_URL }}
|
||||
# PUBLIC_BASE_URL drives the derived Mini App URL; SUPPORT_CHAT_ID for parity with deploy.
|
||||
PUBLIC_BASE_URL: ${{ vars.PROD_PUBLIC_BASE_URL }}
|
||||
TELEGRAM_GAME_CHANNEL_ID: ${{ vars.PROD_TELEGRAM_GAME_CHANNEL_ID }}
|
||||
TELEGRAM_CHAT_ID: ${{ vars.PROD_TELEGRAM_CHAT_ID }}
|
||||
TELEGRAM_SUPPORT_CHAT_ID: ${{ vars.PROD_TELEGRAM_SUPPORT_CHAT_ID }}
|
||||
TELEGRAM_BOT_USERNAME: ${{ vars.PROD_TELEGRAM_BOT_USERNAME }}
|
||||
TELEGRAM_BOT_LINK: ${{ vars.PROD_VITE_TELEGRAM_LINK }}
|
||||
steps:
|
||||
@@ -163,19 +189,8 @@ jobs:
|
||||
run: |
|
||||
umask 077
|
||||
mkdir -p stage/certs-bot
|
||||
cat > stage/env.bot.sh <<EOF
|
||||
export SCRABBLE_CONFIG_DIR='/opt/scrabble'
|
||||
export BOT_IMAGE='$REGISTRY/scrabble-telegram-bot:$TARGET'
|
||||
export BOTLINK_GATEWAY_ADDR='$MAIN_HOST:9443'
|
||||
export TELEGRAM_BOT_TOKEN='$TELEGRAM_BOT_TOKEN'
|
||||
export TELEGRAM_MINIAPP_URL='$TELEGRAM_MINIAPP_URL'
|
||||
export TELEGRAM_GAME_CHANNEL_ID='$TELEGRAM_GAME_CHANNEL_ID'
|
||||
export TELEGRAM_CHAT_ID='$TELEGRAM_CHAT_ID'
|
||||
export TELEGRAM_PROMO_BOT_TOKEN='$TELEGRAM_PROMO_BOT_TOKEN'
|
||||
export TELEGRAM_BOT_USERNAME='$TELEGRAM_BOT_USERNAME'
|
||||
export TELEGRAM_BOT_LINK='$TELEGRAM_BOT_LINK'
|
||||
export LOG_LEVEL='${LOG_LEVEL:-info}'
|
||||
EOF
|
||||
# Same writer as prod-deploy's deploy-bot (parity; includes TELEGRAM_SUPPORT_CHAT_ID).
|
||||
BOT_IMAGE="$REGISTRY/scrabble-telegram-bot:$TARGET" bash deploy/write-prod-bot-env.sh stage/env.bot.sh
|
||||
printf '%s\n' "$PROD_BOTLINK_CA" > stage/certs-bot/ca.crt
|
||||
printf '%s\n' "$PROD_BOTLINK_BOT_CERT" > stage/certs-bot/bot.crt
|
||||
printf '%s\n' "$PROD_BOTLINK_BOT_KEY" > stage/certs-bot/bot.key
|
||||
|
||||
@@ -125,9 +125,10 @@ gateway/ # module scrabble/gateway: Connect-RPC edge, embeds
|
||||
ui/ # Svelte + Vite SPA + landing (Node project, not in go.work)
|
||||
pkg/ # shared: telemetry, version, wire/FlatBuffers, proto, mtls
|
||||
platform/telegram/ # Telegram side-service: cmd/validator (HMAC, no VPN) + cmd/bot (Bot API; dials gateway over reverse mTLS bot-link)
|
||||
renderer/ # image-render sidecar (Node + skia-canvas): runs ui/src/lib/gameimage.ts server-side for the finished-game PNG export
|
||||
loadtest/ # module scrabble/loadtest: the load/stress harness
|
||||
docs/ .gitea/workflows/ CLAUDE.md README.md
|
||||
backend/Dockerfile gateway/Dockerfile platform/telegram/Dockerfile loadtest/Dockerfile # multi-stage distroless; gateway/Dockerfile has the `landing` target, platform/telegram/Dockerfile has `validator`+`bot` targets
|
||||
backend/Dockerfile gateway/Dockerfile platform/telegram/Dockerfile loadtest/Dockerfile renderer/Dockerfile # multi-stage distroless (renderer: node:22-slim + skia-canvas + fonts); gateway/Dockerfile has the `landing` target, platform/telegram/Dockerfile has `validator`+`bot` targets
|
||||
deploy/ # docker-compose (+ prod overlay + bot host) + ansible provisioning + caddy + landing + otelcol (OTLP + docker_stats) + prometheus/tempo/grafana + node_exporter + postgres_exporter; prod-deploy.sh
|
||||
```
|
||||
|
||||
@@ -143,6 +144,7 @@ go run ./backend/cmd/backend # /healthz, /readyz on :8080
|
||||
|
||||
cd ui && pnpm install && pnpm check && pnpm test:unit && pnpm build # the UI
|
||||
pnpm start # UI mock mode: lobby -> game, no backend
|
||||
cd renderer && pnpm install && pnpm test # image-render sidecar (bundles ui/src/lib/gameimage.ts, skia smoke)
|
||||
|
||||
docker build --build-arg DICT_VERSION=v1.3.0 -f backend/Dockerfile -t scrabble-backend . # DICT_VERSION required (no default); gateway embeds the SPA
|
||||
docker build -f gateway/Dockerfile --target gateway -t scrabble-gateway .
|
||||
|
||||
@@ -0,0 +1,909 @@
|
||||
# PLAN — monetization implementation
|
||||
|
||||
Technical, step-by-step implementation of the monetization domain. Business mechanics and
|
||||
the rationale for every rule live in [`docs/PAYMENTS.md`](docs/PAYMENTS.md) (RU mirror
|
||||
[`docs/PAYMENTS_ru.md`](docs/PAYMENTS_ru.md)); the frozen owner agreements they both derive
|
||||
from (the `D1`–`D41` decisions log) live in
|
||||
[`docs/PAYMENTS_DECISIONS_ru.md`](docs/PAYMENTS_DECISIONS_ru.md) — the authority when a rule
|
||||
is disputed. This file is the *how*. Each stage is written to be self-sufficient: returning
|
||||
to it gives full context — goal, exact touch-points, tests, done-criteria, and current
|
||||
status — without re-deriving decisions.
|
||||
|
||||
## How to use this file
|
||||
|
||||
- **Stage granularity (E0–E9) is fixed.** Do not split or merge stages. Plan each stage
|
||||
densely enough to execute whole.
|
||||
- **Never leak stage ids into the product.** Code, comments, commit messages, PR
|
||||
titles/descriptions must read as finalized feature copy — never "E5", "stage 3", etc.
|
||||
Stage ids exist only in this file.
|
||||
- **Deviations are allowed** when new unknowns surface, but the plan is then edited **whole
|
||||
and in agreement** (not piecemeal), keeping it coherent, and `docs/PAYMENTS.md` updated in
|
||||
step.
|
||||
- **Status marks:** each stage header carries `Status: TODO | WIP | DONE`. When a stage
|
||||
lands, flip it to DONE and note the PR. The **Progress** table is the at-a-glance index.
|
||||
- **Per-change discipline** (repo `CLAUDE.md`): update tests at the layers `docs/TESTING.md`
|
||||
calls out, bake doc updates into the same PR, run local full verification before pushing,
|
||||
feature branch → PR into `development`.
|
||||
|
||||
## Progress
|
||||
|
||||
| Stage | Title | Release | Status |
|
||||
|-------|-------|---------|--------|
|
||||
| E0 | Payments data foundation | 1 | DONE |
|
||||
| E1 | Trusted platform signal | 1 | DONE |
|
||||
| E2 | Currency + benefit core | 1 | DONE |
|
||||
| E3 | Wallet UI | 1 | DONE |
|
||||
| E4 | Durability (PITR) | 2 | DONE |
|
||||
| E5 | Payment intake | 2 | DONE |
|
||||
| E6 | Ads | 2 | DONE |
|
||||
| E7 | Admin, reports & catalog | 2 | DONE |
|
||||
| E8 | Guest limits | — | DONE |
|
||||
| E9 | Tournament fee | future | TODO |
|
||||
|
||||
**Release 1** = full mechanics with no real money, exercised via `admin_grant` (E0→E1→E2→E3).
|
||||
**Release 2** = money (E4→E5→E6→E7). E8 is standalone (game-behaviour change, can run in
|
||||
parallel). E9 is future.
|
||||
|
||||
---
|
||||
|
||||
## Architecture baseline (applies to all stages)
|
||||
|
||||
Read once; individual stages assume it.
|
||||
|
||||
### Schema & isolation
|
||||
|
||||
- The payments domain owns its **own Postgres schema `payments`** in the shared instance
|
||||
(`scrabble` DB). All payments tables are `payments.*`. `backend` schema is untouched
|
||||
except for the deprecation of two legacy columns (E2).
|
||||
- **DB role.** A dedicated **NOLOGIN** role holds ALL privileges on `payments.*` and
|
||||
**nothing** on `backend` — grant-based confinement, asserted by a `SET ROLE` isolation
|
||||
test. The application still connects on its single (superuser) pool, so these grants are a
|
||||
stepping-stone to a real separate login/process, not the runtime wall. The **runtime wall
|
||||
is code-level**: only the `internal/payments` package imports the payments jet code and
|
||||
issues `payments.*` SQL (an **import-boundary test** enforces it); every other domain
|
||||
reaches payments through the narrow Go interface.
|
||||
- **No cross-schema link at all.** There is **no** foreign key from `payments.*` to
|
||||
`backend.accounts`: `account_id` is a plain `uuid`, kept referentially honest in code and
|
||||
joined to the tombstoned account / `retained_identities` dossier by the stable id. This
|
||||
keeps the spend transaction (ledger INSERT + balance UPDATE + benefit UPDATE) fully
|
||||
**within `payments`** and the domain extractable into its own database later. Benefits move
|
||||
**into** `payments` (they no longer live on `accounts` — see E2); game code reads them
|
||||
through the payments **Go interface**, never via SQL.
|
||||
- **Money.** Monetary amounts are a single **`bigint` in the currency's minor units** (RUB
|
||||
kopecks; Votes/Stars/chips are whole units, scale 1) carried in Go by the `payments.Money`
|
||||
value type — the sole constructor/formatter/arithmetic, so **no `float64` ever touches an
|
||||
amount** and a whole-unit currency structurally cannot hold a fraction. `chip_rate` is not a
|
||||
table: a chip pack is a product, so its per-method rate **is** `product_price`.
|
||||
|
||||
### Domain boundary
|
||||
|
||||
- New package `backend/internal/payments/` — `payments.go` (types + `Service`),
|
||||
`store.go` (`type Store struct{ db *sql.DB }`, go-jet against `internal/postgres/jet/
|
||||
payments`), following the `ads` domain shape (`backend/internal/ads/{ads,service,store}.go`).
|
||||
- Wired in `backend/cmd/backend/main.go` `run()` (construct after `account`, before
|
||||
`server.New`), handed into `server.Deps` (`server.go`), routes registered in
|
||||
`registerRoutes` gated `if s.payments != nil`, admin section in `registerConsole` gated
|
||||
`if s.payments != nil`.
|
||||
- Game/other domains depend on payments only through a **narrow interface** (e.g.
|
||||
`AdFree(ctx, account, platform, present) bool`, `SpendHint(ctx, account, platform, present)
|
||||
error`, `Balances(ctx, account, platform, present) …`), where `present` is the set of
|
||||
identity sources the account currently holds (`vk`→vk, `telegram`→telegram, `email`→direct;
|
||||
`robot` ignored), computed by the caller from `account.Identities` — payments carries no
|
||||
cross-schema identity knowledge, so unlink/re-link availability (D14) falls out live. Keep
|
||||
the surface small; this is the seam that lets payments become a separate process later
|
||||
without touching callers.
|
||||
- **Read model.** Hot reads (`AdFree`/`HintsAvailable`/`Balances` and the gate) are served
|
||||
from an in-process, account-keyed, write-through cache inside the payments package
|
||||
(mirroring `account/suspension.go`), invalidated on every payments mutation
|
||||
(spend/grant/fund/refund/merge); the payments DB is touched only on a cache miss, so the
|
||||
steady-state hot path issues no query to the `payments` schema. The D39 materialized
|
||||
`balances`/`benefits` tables stay the in-transaction write target the cache fronts.
|
||||
Single-instance, matching the deployment (a multi-instance backend would need a shared
|
||||
cache).
|
||||
|
||||
### Migrations & codegen
|
||||
|
||||
- Migrations: same goose dir `backend/internal/postgres/migrations/`, sequential
|
||||
`0000N_*.sql`, `-- +goose Up/Down`, schema-qualified, **expand-contract mandatory**
|
||||
(image rollback must stay DB-safe). First payments migration does `CREATE SCHEMA IF NOT
|
||||
EXISTS payments`, creates the role, grants.
|
||||
- **jetgen** (`backend/cmd/jetgen/main.go`) is currently hardwired to `schema=backend`.
|
||||
Extend it to also generate `schema=payments` into `internal/postgres/jet/payments/
|
||||
{model,table}` (committed). Regenerate only after a payments migration; revert unrelated
|
||||
`backend`-schema churn (jetgen may reorder untouched tables — commit only intended diffs).
|
||||
- Transactions: reuse the local `withTx(ctx, db, fn)` idiom. Balance/benefit mutations are
|
||||
guarded single-row atomic UPDATEs (mirror `account.SpendHint`); the ledger INSERT +
|
||||
materialized-cache UPDATE go in one `withTx`. Default Read-Committed is sufficient given
|
||||
the guarded updates + unique idempotency keys; do not reach for Serializable without a
|
||||
demonstrated need.
|
||||
|
||||
### Transport
|
||||
|
||||
- client ↔ gateway: Connect-RPC + FlatBuffers (h2c). gateway ↔ backend: REST/JSON +
|
||||
`X-User-ID` via `gateway/internal/backendclient`. Any user-facing payments call needs the
|
||||
full chain: backend REST handler (`u := s.user` group) → `backendclient` method →
|
||||
Connect-RPC method + transcode (`gateway/internal/transcode/`) → FlatBuffers schema
|
||||
(`pkg/fbs/…`, regen with `make -C pkg fbs` + `pnpm -C ui codegen`).
|
||||
- Provider webhooks (Robokassa/VK) do NOT use the Connect path — model on the existing
|
||||
public HMAC-signed route `s.public.GET("/dl/:id/:kind", …)` (`handlers.go`): a public
|
||||
route with signature verification, proxied by the gateway/Caddy `@gateway` matcher
|
||||
(`deploy/caddy/Caddyfile` — a new edge route MUST be added there or it falls to the
|
||||
landing catch-all).
|
||||
|
||||
### Testing layers (`docs/TESTING.md`)
|
||||
|
||||
- **unit** (Go `_test.go`, TS vitest): gate-by-context, no-ads stacking, priority draw,
|
||||
rate math, idempotency keys, catalog snapshotting. UI logic must be extracted out of
|
||||
`.svelte` into `ui/src/lib/*` to be unit-testable.
|
||||
- **integration** (`backend/internal/inttest/`, `//go:build integration`, Postgres-backed):
|
||||
atomic chip↔benefit spend, callback idempotency, order-flow, TG outbox delivery, merge/
|
||||
unlink of segments.
|
||||
- **UI** (Playwright mock e2e, Chromium+WebKit): Wallet screen, warnings, guest-hidden, GP
|
||||
stub. Mock e2e bypasses codec — wire bugs need codec unit tests.
|
||||
- Local full verification before push: integration (`-tags=integration` + DAWG sibling +
|
||||
Ryuk-off), UI check/test/build, codegen (`make -C pkg proto fbs`, `pnpm -C ui codegen`).
|
||||
|
||||
---
|
||||
|
||||
## E0 — Payments data foundation
|
||||
|
||||
**Status:** DONE · **Release 1** · depends on: none · mechanics: PAYMENTS §14, §7, §11.
|
||||
|
||||
**Goal.** Stand up the `payments` schema, its confinement role, the jetgen target, the domain
|
||||
package skeleton and all core tables — nothing wired to real money yet. This is the substrate
|
||||
every later stage builds on.
|
||||
|
||||
**Migration `00010_payments_foundation.sql` (`payments` schema).**
|
||||
|
||||
- `CREATE SCHEMA payments`; an idempotent `DO $$` block creates a **NOLOGIN** `payments` role;
|
||||
`GRANT USAGE` + `GRANT ALL ON ALL TABLES` (+ `ALTER DEFAULT PRIVILEGES … GRANT ALL`) confine it
|
||||
to `payments.*` with nothing on `backend`. No `REFERENCES` grant (there is no cross-schema FK).
|
||||
- `payments.ledger` — append-only. `ledger_id` (uuid PK, app-generated v7), `account_id` (plain
|
||||
`uuid`, **no FK**), `kind` (`fund|spend|admin_grant|refund`), `source`/`origin` (nullable,
|
||||
`vk|telegram|direct`), `chips_delta` (signed int, 0 for a grant), `product_id` (nullable
|
||||
FK→product), `order_id` (nullable FK→orders), `provider` + `provider_payment_id` (nullable),
|
||||
`snapshot` (jsonb, written from E2), `created_at`. Immutability is a **`BEFORE UPDATE OR DELETE`
|
||||
trigger** (a superuser bypasses a privilege REVOKE). Unique **partial** index on `(provider,
|
||||
provider_payment_id) WHERE provider_payment_id IS NOT NULL` — the idempotency key.
|
||||
- `payments.balances` — `(account_id, source)` PK, `chips int CHECK (>=0)`, `updated_at`. Created
|
||||
**lazily** on first fund (up to three rows/account, absent = zero).
|
||||
- `payments.benefits` — `(account_id, origin)` PK, `ads_paid_until timestamptz` null,
|
||||
`ads_forever bool`, `hints int CHECK (>=0)`, `updated_at`. Created lazily.
|
||||
- `payments.catalog_atom` — `atom_type` PK (`chips|hints|noads_days|tournament`); the four atoms
|
||||
are **seeded** here (the `tournament` atom is provisioned for E9).
|
||||
- `payments.product` (`product_id` PK, `title`, `active bool` soft-delete, timestamps);
|
||||
`payments.product_item` (`(product_id, atom_type)` PK → `quantity`); `payments.product_price`
|
||||
(`(product_id, COALESCE(method,''), currency)` unique → `amount bigint` minor units): a chip
|
||||
pack carries a money price per `method` (`vk|telegram|direct`), a value carries one
|
||||
`currency='CHIP', method=NULL` row. `currency ∈ {RUB, VOTE, XTR, CHIP}`; `amount CHECK (>=0)`.
|
||||
- `payments.config` — a single typed row (`only_row bool PK CHECK`): `rewarded_payout_chips`,
|
||||
`cooldown_global_seconds` (300), `cooldown_vs_ai_seconds` (1800), `cooldown_hint_seconds` (60),
|
||||
`order_ttl_seconds` (1800). No `chip_rate` table — the pack rate is `product_price`.
|
||||
- `payments.orders` — `order_id` (uuid PK), `account_id`, `platform`, `product_id` (FK),
|
||||
`expected_amount bigint` + `currency`, `origin`, `status` (`pending|paid|expired`), `provider`,
|
||||
`provider_payment_id` (nullable), timestamps. Index `(status, created_at)` for the pending sweep.
|
||||
- `payments.payment_events` — `event_id` (uuid PK), `account_id`, `order_id` (nullable FK), `type`
|
||||
(`succeeded|failed|refunded`), `payload jsonb`, `created_at`, `dispatched_at` (nullable, partial
|
||||
index for the dispatch queue).
|
||||
- Full `-- +goose Down` (DROP SCHEMA CASCADE + DROP OWNED BY + DROP ROLE); expand-contract, proven
|
||||
reversible by an integration test.
|
||||
|
||||
**Backend.**
|
||||
|
||||
- `backend/internal/payments/{payments,service,store}.go` — the `Money` value type + `Currency`
|
||||
(bigint minor units, exact, no float); `Store{db *sql.DB}` with a `Ping` health read via jet;
|
||||
`Service` over the store. (`withTx` arrives with E2's first transaction.)
|
||||
- `cmd/jetgen` generates the `payments` schema into `internal/postgres/jet/payments/` (a second
|
||||
`GenerateDB` call); committed. Constructed in `cmd/backend/main.go` and passed to `server.Deps`
|
||||
(`Payments`) with a boot-time reachability check; its routes are registered from E2.
|
||||
|
||||
**Legacy deprecation (expand phase only).** A `--` header note marks `accounts.hint_balance` and
|
||||
`accounts.paid_account` deprecated; they are **not** dropped (the DROP is the contract phase after
|
||||
E2 flips reads and after Release 2). Reads still use the old columns until E2.
|
||||
|
||||
**Tests.**
|
||||
|
||||
- integration (`inttest`): schema + role + seeds present; `SET ROLE payments` cannot read
|
||||
`backend.accounts` (grant confinement); ledger rejects UPDATE/DELETE (trigger); idempotency
|
||||
partial index holds (NULL-keyed rows repeat); balance/benefit/amount/enum CHECKs bite; migration
|
||||
applies forward **and backward** on a throwaway PG.
|
||||
- unit: `Money` — exact round-trip, per-currency scale, no-float parse rejecting a fraction for a
|
||||
whole-unit currency, arithmetic, formatting. Import-boundary test: only `internal/payments`
|
||||
imports the payments jet code.
|
||||
|
||||
**Done-criteria (met).** Migrations apply forward+backward on a throwaway PG 17; `go build
|
||||
./backend/...` + `go vet` + `gofmt -l .` clean; committed `jet/payments/`; all tests green; no
|
||||
behaviour change for users.
|
||||
|
||||
**Notes.** jetgen regenerates the whole `backend` schema; its committed jet had drifted from the
|
||||
migrations (`robot_blocks`, `robot_friend_requests`, the `feedback_messages` `app_version` /
|
||||
`browser_tz` columns, and `UseSchema` gaps), so this change also **regenerates and commits
|
||||
`jet/backend`** to bring it back in sync (additive only — all suites stay green). The `payments`
|
||||
role creation is idempotent (`DO $$` / `IF NOT EXISTS`) for fresh volumes.
|
||||
|
||||
---
|
||||
|
||||
## E1 — Trusted platform signal
|
||||
|
||||
**Status:** DONE · **Release 1** · depends on: none (parallel to E0) · mechanics: PAYMENTS §8.
|
||||
|
||||
**Goal.** Make the server know the execution platform from a trusted, unforgeable source,
|
||||
carried on the session. This is the foundation the gate (E2) stands on; without it the gate is
|
||||
meaningless. Signal plumbing only — no user-visible change.
|
||||
|
||||
**Model.** `platform = {kind: vk|telegram|direct, subtype: ios|android|web}` is a property of
|
||||
the **session**, captured at creation. `kind` is always trusted — the gateway derives it from
|
||||
the validated establish path (VK launch / TG initData / a web-native session), never a client
|
||||
field. `subtype` is **cryptographically trusted only for VK** (it rides inside the signed
|
||||
`vk_platform` launch param); for telegram and direct it is client-reported best-effort, and the
|
||||
gate never relies on it (only the VK-iOS-frozen case is compliance-critical, and VK subtype is
|
||||
trusted). VK/TG re-mint a session on **every cold start**, so their platform is re-captured each
|
||||
launch; web/direct/email reuse the stored token, so their platform is captured once at creation
|
||||
(`direct` needs no signature).
|
||||
|
||||
**Validation stays at the gateway.** Both wrapper verifiers already live there and the backend
|
||||
cannot import either (separate modules under `internal/`, and the VK app secret is gateway-only):
|
||||
VK launch params via the in-process `gateway/internal/vkauth.Verify` (HMAC-SHA256 over the signed
|
||||
`vk_*` params under `GATEWAY_VK_APP_SECRET`, extended here to expose the signed `vk_platform` →
|
||||
a trusted `Subtype()`), TG `initData` via the validator RPC. The gateway hands the derived
|
||||
platform to the backend at establish; the backend persists it and returns it on resolve.
|
||||
|
||||
**Backend.**
|
||||
|
||||
- `backend.sessions` gains nullable `platform_kind` + `platform_subtype` columns (migration
|
||||
`00011`, CHECK-constrained, jet regenerated). A `session.Platform` value type + `session.Create`
|
||||
captures it; `Session` carries it through the store and the warm cache.
|
||||
- `handleResolveSession` → `resolveResponse` (`dto.go`) returns the platform; the establish
|
||||
handlers set `kind` from their own endpoint (`/sessions/telegram|vk|guest|email/*`) and
|
||||
`subtype` from the request (VK: gateway-extracted from the signed params; TG/direct: the client
|
||||
best-effort field, defaulting web). The account-merge session mint (`link.merge`) inherits the
|
||||
caller's platform from the request context.
|
||||
- Middleware (`middleware.go`) parses the gateway-injected `X-Platform` into the request context
|
||||
on the `s.user` group; `platform(c)` exposes it. Absent ⇒ untrusted (fail-closed).
|
||||
|
||||
**Gateway.**
|
||||
|
||||
- `backendclient.WithPlatform(ctx, "<kind>/<subtype>")` + `do`/`getRaw` inject `X-Platform` on
|
||||
every authenticated backend call; `connectsrv.Execute` enriches the request context from the
|
||||
resolved session's platform (carried through the gateway session cache + `ResolveSession`).
|
||||
Never from a client request body.
|
||||
|
||||
**Client (`ui/`).** `platformSubtype()` (`ui/src/lib/platform.ts`) supplies a best-effort device
|
||||
subtype on the `auth.telegram` / `auth.guest` / `auth.email.login` requests (new FBS `subtype`
|
||||
field): Telegram's `WebApp.platform` inside a Mini App, else the Capacitor/web channel. VK sends
|
||||
nothing (the gateway derives the trusted subtype from the signed launch params).
|
||||
|
||||
**Tests.**
|
||||
|
||||
- unit (Go): `vkauth` exposes the signed `vk_platform` and maps iPhone/iPad → ios (the frozen
|
||||
case); the `X-Platform` middleware round-trips + reports untrusted when absent; the backend
|
||||
client injects `X-Platform` from the context and omits it when untrusted.
|
||||
- integration: a session carries its platform through create + a cold-cache (DB) resolve for each
|
||||
kind; an unattributed session is untrusted; the CHECK constraints bite; migration `00011`
|
||||
applies forward **and backward** on a throwaway PG.
|
||||
- UI: subtype normalization (vitest) + the new `subtype` field on the wire (codec unit test).
|
||||
|
||||
**Done-criteria (met).** A VK/TG session resolves to a trusted `{kind, subtype}`; a forged body
|
||||
cannot change `kind` (nor the VK subtype); `direct` sessions resolve to `direct`; the untrusted
|
||||
path is reachable and observable via `platform(c)`. No user-visible change; all layers green.
|
||||
|
||||
**Notes/risks.** High blast-radius (auth/session table + broad gateway header threading): additive
|
||||
migration, no mixed-in refactors, `X-Platform` inert until E2 consumes it. **Sessions minted before
|
||||
E1 carry no platform → untrusted (view-only) until re-login**; VK/TG self-heal on the next
|
||||
cold-start re-mint, direct/email do not (accepted: Release 1 has no money, sessions cycle by
|
||||
Release 2). TG/direct subtype is not cryptographically trusted — E2 must keep the gate on `kind`
|
||||
+ the trusted VK subtype only.
|
||||
|
||||
---
|
||||
|
||||
## E2 — Currency + benefit core
|
||||
|
||||
**Status:** DONE · **Release 1** · depends on: E0, E1 · mechanics: PAYMENTS §2–§6, §11.
|
||||
|
||||
**Goal.** The full internal money mechanic, exercisable end-to-end **without real money**
|
||||
via `admin_grant`: chip balances, spend→benefit atomically, the compliance gate by context,
|
||||
benefit application (no-ads stacking, hints per-origin), the legacy migration, and the
|
||||
`SpendHint` rewrite. This is the heart.
|
||||
|
||||
**Payments service (Go).** Every read/gate method also takes `present` (the account's live
|
||||
identity sources, see *Domain boundary*) and is served from the read cache.
|
||||
|
||||
- `Balances(ctx, account, platform, present)` → per-segment `{source, chips, spendable}` for
|
||||
the context (VK→vk spendable, direct/tg hidden; TG→tg; direct→direct+vk+tg by priority;
|
||||
VK-iOS→vk shown as a **frozen** number, none spendable; untrusted→view-only, none spendable).
|
||||
- `Spend(ctx, account, platform, present, productID)` → gate-checked purchase of a **value**
|
||||
(CHIP price, `method=NULL`; never a chip pack) with chips: resolve spendable segments by
|
||||
context, draw by priority direct→vk→tg, write a `spend` ledger row (+ a catalog **snapshot**
|
||||
of atoms+price) + decrement balance + apply benefit (extend `ads_paid_until[origin]` from
|
||||
`max(now,end)` / set `ads_forever` / add hints) **in one tx**, stamping `origin` = platform
|
||||
context. Refuse if untrusted (fail-closed) or funds insufficient.
|
||||
- `Grant(ctx, account, origin, atoms)` → a **0-price sale of a value**: an `admin_grant`
|
||||
ledger row (`chips_delta=0`, + snapshot), same benefit application; concrete values only,
|
||||
never chips (no chips move — it neither requires nor touches a balance). Origin chosen by
|
||||
the admin. In E2 this is the Go service method only, exercised by tests; the admin grant UI
|
||||
+ catalog editor are E7.
|
||||
- `AdFree(ctx, account, platform, present)` / `HintsAvailable(…)` / `SpendHint(…)` → apply
|
||||
the one-directional origin rule: in context P, usable origins = {P} plus, when P is
|
||||
web/native, {vk,tg} (relaxation outward); in VK only vk; in TG only tg. Hint consumption
|
||||
draws by the same priority direct→vk→tg.
|
||||
- `Merge` / `Unlink` hooks: extend `accountmerge` to merge segments **and** benefits by origin
|
||||
(same-origin add — chips sum, terms extend per origin; different origins coexist) in the
|
||||
caller's tx (`MergeTx`), and make **both** segment *and* benefit availability follow
|
||||
identity presence — unlink sleeps the balance *and* the benefit, re-link wakes them (D14),
|
||||
resolved live from `present`. Warn-before-unlink surfaces the balance via the interface; the
|
||||
warning UI itself is not E2.
|
||||
|
||||
**Backend wiring & migration.**
|
||||
|
||||
- Deprecate-and-flip `accounts.hint_balance` / `accounts.paid_account`: E0 added the tables;
|
||||
here, move reads/writes to `payments.benefits`. `SpendHint` (`game/service.go` ~:1147) and
|
||||
`ads.Eligible` (`ads/ads.go` :107) call the payments interface instead of the account
|
||||
columns. Legacy values were never set in prod → zero them; the DROP is the contract phase
|
||||
(guarded, after Release 2 — keep columns until then for rollback safety).
|
||||
- `vs_ai` hints stay free/unlimited (unchanged 30-min gate); only online-game hint spend
|
||||
routes through the segmented, context-aware path.
|
||||
|
||||
**API (user-facing, Connect chain).** Read-only wallet view + spend:
|
||||
`GET /api/v1/user/wallet` (balances+benefits for the context), `POST /api/v1/user/wallet/
|
||||
buy` (spend chips on a product). Add the backend handlers (`u := s.user`), `backendclient`
|
||||
methods, Connect methods + transcode + FBS. Admin grant is internal/admin (E7 UI).
|
||||
|
||||
**Tests.**
|
||||
|
||||
- unit (Go): gate-by-context matrix (every row of PAYMENTS §4, incl. VK-iOS frozen +
|
||||
untrusted); priority draw; no-ads stacking (`+=` from max(now,end)) + forever override;
|
||||
per-origin hint applicability + direct→vk→tg draw; merge/unlink segment+benefit math;
|
||||
catalog snapshotting; read-cache invalidation on each mutation.
|
||||
- integration: atomic spend (ledger+balance+benefit in one tx; failure rolls all back);
|
||||
admin_grant credits values not chips; legacy migration zeroes and flips reads; merge/
|
||||
unlink over Postgres.
|
||||
- UI: none new (E3 builds the screen); wallet DTO covered by codec unit tests.
|
||||
|
||||
**Done-criteria.** `admin_grant` applies no-ads/hints directly (a 0-price sale of a value —
|
||||
no chips involved); the player chip-spend path (`Spend`) is proven by unit/integration tests
|
||||
(balance seeded in-test, since a legitimate chip source arrives only with Release 2); the gate
|
||||
blocks cross-context spend and cross-origin application; the ads gate reads the new benefit;
|
||||
`SpendHint` uses segments; the hot read paths hit the read cache, not the `payments` schema;
|
||||
all layers green; **compliance regression** (a `direct` benefit never activates inside VK/TG)
|
||||
is a named test.
|
||||
|
||||
**Notes/risks.** This is the high-blast-radius core (money semantics + a live path
|
||||
`SpendHint`/`ads.Eligible`). Minimize surface, keep the interface narrow, no mixed-in
|
||||
refactors. The legacy flip is expand-contract: reads move first, DROP much later.
|
||||
|
||||
---
|
||||
|
||||
## E3 — Wallet UI
|
||||
|
||||
**Status:** DONE · **Release 1** · depends on: E2 · mechanics: PAYMENTS §1, §7, §6, §13, §4.
|
||||
|
||||
**Goal.** The user-facing "Кошелёк" (Wallet) section: balances + active benefits + the
|
||||
catalog storefront, honouring guest-hidden, GP-stub, and the web-spend warning.
|
||||
|
||||
**Backend + wire (catalog read — new).** E2 shipped `wallet.get` / `wallet.buy` (segments +
|
||||
benefits + a chip spend) but no way to *list* the catalog; the storefront needs one, so E3 adds a
|
||||
read path following the E2 shape:
|
||||
|
||||
- `payments.Service.Catalog(ctx, cxt)` + `store.loadCatalog` (`internal/payments/{catalog,
|
||||
store_catalog}.go`) read every **active** product with atoms and prices and project them to the
|
||||
context (`projectCatalog`, pure + unit-tested): a **value** (no `chips` atom) carries its CHIP
|
||||
price and shows everywhere; a **chip pack** (`chips` atom) carries the money price for the
|
||||
context method (`cxt.Kind`: vk→VOTE, telegram→XTR, direct→RUB) and shows only where that method
|
||||
is priced. Read **uncached** (the catalog is small and rarely edited — unlike the per-account
|
||||
balances/benefits the read cache fronts).
|
||||
- REST `GET /api/v1/user/wallet/catalog` (`handleWalletCatalog`, gated by `walletGate`) →
|
||||
`catalogDTO`; gateway op `wallet.catalog` (`transcode.go` + `encodeCatalog`), `backendclient.
|
||||
Catalog`; FBS `Catalog`/`CatalogProduct`/`CatalogAtom` (`pkg/fbs/scrabble.fbs`), client
|
||||
`decodeCatalog`.
|
||||
|
||||
**UI (`ui/`).**
|
||||
|
||||
- New `'wallet'` tab in `ui/src/screens/SettingsHub.svelte` — `SettingsTab` union, tab button
|
||||
**between Friends and About** (guest-hidden like Friends, offline-disabled like Profile/Friends),
|
||||
body branch, `'wallet'` route in `ui/src/lib/routeparse.ts` + `ui/src/App.svelte`.
|
||||
- `Wallet.svelte` screen: context-available chip balances + active benefits (no-ads until date /
|
||||
forever, hints count). **No history feed** (PAYMENTS §11 — noise). Storefront: values priced in
|
||||
chips (buyable with `wallet.buy`), chip packs priced per method.
|
||||
- **Guest:** section hidden entirely (durable-only).
|
||||
- **GP build:** the chip-pack purchases are hidden behind a RuStore stub; spending earned chips on
|
||||
values still works (PAYMENTS §13). Detected by a build-time flag `VITE_GP_BUILD`
|
||||
(`ui/src/lib/distribution.ts`), forcible under the mock e2e with `?gp`.
|
||||
- **Web-spend warning:** before a value spend that would draw vk/tg chips in a direct context, an
|
||||
own `Modal` (not `showPopup`) warns the benefit will be web/native-only. The context is inferred
|
||||
client-side (`executionContext` — VK/Telegram/direct); the server enforces the real gate on
|
||||
`wallet.buy` (fail-closed), so no wallet-DTO change was needed.
|
||||
- Logic extracted to `ui/src/lib/{wallet,distribution}.ts` (unit-testable); `.svelte` stays thin.
|
||||
|
||||
**Pack purchase is display-only in E3.** Buying a chip pack needs the money order flow, which is
|
||||
**E5**; here a pack card shows its price with a disabled **"Soon"** action. E5 replaces that with the
|
||||
launch/order CTA. Value spends are wired now (E2 `wallet.buy`), though a Release-1 durable account
|
||||
has 0 chips until funding exists (E5/E6), so a real value spend returns insufficient-funds until then.
|
||||
|
||||
**Tests.**
|
||||
|
||||
- unit (Go): `projectCatalog` context matrix (value everywhere; pack per context method; misconfig
|
||||
omitted). unit (vitest): money/price formatting, spendable-segment selection, warning trigger,
|
||||
the GP flag; `decodeCatalog` codec round-trip (mock e2e bypasses the codec).
|
||||
- integration (`inttest`): `/wallet/catalog` returns active products with the context-correct price
|
||||
over Postgres; soft-deleted excluded.
|
||||
- UI (Playwright mock, Chromium+WebKit): Wallet renders between Friends/About; guest hides it
|
||||
(`?guest` seam); GP stub (`?gp`); warning modal on a vk-drawing web spend, no warning on a
|
||||
direct-covered spend. Mock overlay stays instant under `MODE==='mock'` (or it intercepts taps).
|
||||
|
||||
**Done-criteria (met).** Balances/benefits/storefront render per context; guest/GP/warning paths
|
||||
verified by unit + integration + mock e2e on both engines. **A *populated* contour review depends
|
||||
on later stages** (no products until the E7 catalog editor, no chip funding until E5/E6, no grant
|
||||
UI until E7): on the contour E3 shows the correct **empty** wallet/storefront states; the populated
|
||||
UI is proven by the mock e2e. (This replaces the earlier "demonstrable end-to-end via `admin_grant`"
|
||||
line — the grant UI is E7.)
|
||||
|
||||
**Notes/risks.** No global `.btn`/`.ghost` in `ui/` — styled per-component with scoped CSS + tokens
|
||||
(mirror NewGame `.invite`). Product titles are single-language catalog data (E0 `product.title`),
|
||||
shown verbatim; currency/chip words are i18n, counts follow the app's label+number convention (no
|
||||
noun agreement). Svelte whitespace/`$state` naming gotchas apply.
|
||||
|
||||
---
|
||||
|
||||
## E4 — Durability (PITR)
|
||||
|
||||
**Status:** DONE — armed + restore-drilled on prod (v1.13.0, 2026-07-09). · **Release 2** ·
|
||||
depends on: E0 (schema exists) · mechanics: PAYMENTS §14 (D4).
|
||||
|
||||
**Goal.** Continuous WAL archiving with point-in-time recovery, armed **before the first
|
||||
real money** is accepted (E5 prod). Protects both money and game data.
|
||||
|
||||
**Locked decisions (this stage).**
|
||||
|
||||
- **Tool: pgBackRest.** **Destination: Selectel S3** object storage (encrypted AES-256-CBC,
|
||||
path-style addressing), **prod main host only** — the test contour never archives. (D4 left
|
||||
the tool + destination open; resolved here. Warm replica stays deferred, per D4.)
|
||||
- **Retention 30 days**, **daily full base backup** (a systemd timer) + continuous WAL
|
||||
(`archive_command`, a 5-minute forced switch bounds the recovery point). Assessment
|
||||
(owner-reviewed prod gate): measured prod WAL **~0.77 MB/day**, DB **~9.6 MB** → archive
|
||||
**< 1 ₽/month** on Selectel S3, **negligible** perf impact. Recorded in `deploy/README.md`.
|
||||
- **Archiving ships gated OFF** (`PGBACKREST_ARCHIVE_MODE` on the DB, `pitr_enabled` for the
|
||||
timer — both default off), so the merged/redeployed artifact is inert until armed and an
|
||||
un-armed prod deploy **cannot** pile WAL onto the disk.
|
||||
|
||||
**Work (landed in the artifacts PR into `development`).**
|
||||
|
||||
- pgBackRest in the DB image (`deploy/postgres/Dockerfile`); postgres becomes a built + pushed
|
||||
image (prod overlay `image:` + `prod-deploy.yaml` build/push list).
|
||||
- Repository config + `archive_mode` via `PGBACKREST_*` env on the prod-overlay postgres
|
||||
service; secrets/vars rendered by `deploy/write-prod-env.sh` from the `PROD_PGBACKREST_*`
|
||||
Gitea set; **parity added to `prod-rollback.yaml`** (a rollback must not disarm archiving).
|
||||
- Daily base-backup systemd timer (Ansible `main` role, gated by `pitr_enabled`).
|
||||
- Two Grafana alerts on the exporter's `pg_stat_archiver` metrics (failing / stalled),
|
||||
absent/NaN-safe on the contour.
|
||||
- Belt-and-braces `pg_dump` fixed to dump the **whole DB** (`deploy/prod-deploy.sh` was
|
||||
`-n backend`, silently excluding `payments`); manual-restore runbook updated.
|
||||
- Full PITR runbook + arming sequence + recorded assessment in `deploy/README.md`.
|
||||
|
||||
**Prod arming (completed 2026-07-09 with the v1.13.0 release).** Owner created the Selectel S3
|
||||
bucket (`erudite`, ru-6) + the `PROD_PGBACKREST_*` secrets/variables (incl. `ARCHIVE_MODE=on`);
|
||||
promoted `development → master` → `prod-deploy` (archive_mode on behind the maintenance window),
|
||||
then `stanza-create` + first base backup (31.9 MB cluster → 3.7 MB in the repo) + `check`, the
|
||||
Ansible `-e pitr_enabled=true` timer, and a restore drill on an isolated one-shot target (data
|
||||
intact, then wiped). Exact steps: `deploy/README.md` (point-in-time recovery — arming).
|
||||
|
||||
**Tests.** Restore drill on an isolated one-shot instance (base + WAL → target timestamp),
|
||||
recorded in `deploy/README.md`. No app-level tests. Local verification: `docker compose config`
|
||||
valid + the custom PG image builds (archiving inert on the contour).
|
||||
|
||||
**Done-criteria (met).** WAL archiving live on prod PG (v1.13.0); a restore verified on an
|
||||
isolated one-shot target; cost + perf assessment reviewed; runbook current in
|
||||
`deploy/README.md`.
|
||||
|
||||
**Notes/risks.** The repository **cipher passphrase is unrecoverable if lost** — stored apart
|
||||
from the S3 keys. Manual/timer pgBackRest runs use `docker exec -u postgres … --pg1-user=scrabble`
|
||||
(docker exec is root; the DB superuser role is `scrabble`, not `postgres`) — the systemd timer
|
||||
+ the runbook carry this. Enabling `archive_mode` restarts postgres (rode the prod-deploy
|
||||
maintenance window). Migrations stay expand-contract so image rollback remains DB-safe with PITR.
|
||||
|
||||
---
|
||||
|
||||
## E5 — Payment intake
|
||||
|
||||
**Status:** DONE · **Release 2** · depends on: E0, E1, E2, E4 · mechanics: PAYMENTS §9, §12.
|
||||
|
||||
**Delivery & baked decisions.** Shipped as a linear PR stack (owner's choice), Robokassa first.
|
||||
Resolved: match the order by a Robokassa **`Shp_order`** custom parameter, not the numeric `InvId`
|
||||
(an order id is a uuid); idempotency key = the order id (`provider_payment_id = order_id`); the НПД
|
||||
receipt is formed **shop-side in the Robokassa cabinet**, so no `Receipt` parameter is sent; a
|
||||
chargeback **never drives the balance negative** (D27 stands, `balances_chips_chk` kept), so E5 is
|
||||
**schema-free** (no migration, no contour wipe). Delivered on `feature/payment-intake-robokassa`:
|
||||
the offer page (`/offer/`), the order/`fund` engine (idempotent, honours an expired order), the
|
||||
`internal/robokassa` adapter, the `POST /wallet/order` + internal Result-callback handlers (a D36
|
||||
confirmed-email gate on `direct`), the pending reaper, the `wallet.order` edge wire + the public
|
||||
`/pay/*` routes, the Wallet purchase CTA, the contour deploy env (IsTest forced), and the
|
||||
`payment_events` dispatcher — an in-app wallet-refresh push (KindNotification `"payment"`) with a
|
||||
self-closing provider-return page (the payment opens in a separate window) and a return-focus
|
||||
refetch fallback. The **VK Votes rail** is delivered too: the client opens
|
||||
`VKWebAppShowOrderBox({item: order_id})`; a two-phase signed server callback (`get_item` → the pack
|
||||
title + vote price; a chargeable `order_status_change` → the same `Fund` with source=`vk`, idempotent
|
||||
on VK's own order id) is verified at the gateway with the app protected key (`GATEWAY_VK_APP_SECRET`,
|
||||
already deployed) and proxied to the backend intake. The **Telegram Stars rail** is delivered on
|
||||
`feature/payment-intake-tg-stars`: only the bot reaches Telegram, so the **invoice is minted by the
|
||||
bot** — on the `wallet.order` path the gateway sends a new `CreateInvoice` command over the reverse
|
||||
bot-link and the bot returns the `createInvoiceLink` (XTR) in its Ack, handed to the client's
|
||||
`WebApp.openInvoice`. The bot answers `pre_checkout_query` via a new bot→gateway **`ValidatePreCheckout`**
|
||||
unary (backed by the backend: the order must exist, be still creditable and **not already paid** — the
|
||||
reusable-invoice double-pay guard — with a matching amount); the decline reason is localised to the
|
||||
order account's language. A completed `successful_payment` is persisted to a pure-Go **SQLite outbox**
|
||||
(`modernc.org/sqlite`) then forwarded by a new bot→gateway **`ForwardPayment`** unary into the same
|
||||
`Fund` (source=`telegram`, idempotent on `telegram_payment_charge_id`, honours an expired order),
|
||||
re-driven at startup and every 30 s. The rail is wired by `TELEGRAM_STARS_OUTBOX_DIR` (defaults to the
|
||||
bot `/data` volume) but stays **inert until a chip pack carries an XTR price**, so seeding a Stars price
|
||||
in the admin is the go-live. Finally **refunds** are delivered on `feature/payment-intake-refunds`: a
|
||||
single `Refund` engine (`internal/payments`) reverses a paid order best-effort, exactly once —
|
||||
idempotent on `(provider, provider_refund_id)`, revoking the funded chips **floored at 0** (never
|
||||
negative, D27), and recording the unrecoverable remainder (chips already spent) as a per-account
|
||||
**loss + abuse flag** in the new additive `payments.account_risk` table (read by the E7 report). The
|
||||
refund ledger row's chip delta is what was actually reclaimed (the ledger stays reconcilable); the
|
||||
full reversal rides in its snapshot; the order stays `paid`. **No rail pushes an unsolicited refund**
|
||||
— all are admin-triggered (E7): Robokassa refund API / cabinet (auto-polling deferred — a worker not
|
||||
worth it at low chargeback volume), VK via support, Telegram `refundStarPayment`. `failed` events are
|
||||
not wired (no rail signals a hard post-charge server decline). The migration is **additive** (a new
|
||||
table only), so E5 stays rollback-safe / no contour wipe. That closes E5. Deferred to a later stage:
|
||||
hiding the ad banner on a no-ads purchase (a spend-path `NotifyBanner`, with the owner's agreement).
|
||||
|
||||
**Goal.** Accept real money on all three rails into the payments domain: order-flow,
|
||||
verified provider callbacks, idempotency, the TG bot SQLite outbox, the event dispatcher,
|
||||
receipts, and refunds.
|
||||
|
||||
**Order-flow & intake (single writer).**
|
||||
|
||||
- `POST /api/v1/user/wallet/order` → create `order(pending)` (account/platform/product/
|
||||
expected amount/origin), return the provider-specific launch payload with `order_id`
|
||||
threaded in (Robokassa `InvId` / TG `invoice_payload` / VK `item`). The storefront's chip-pack
|
||||
card wires its purchase CTA to this here, **replacing the disabled "Soon" placeholder E3 left**
|
||||
(`ui/src/screens/Wallet.svelte`).
|
||||
- Robokassa + VK **public webhooks**: new edge routes (add to `deploy/caddy/Caddyfile`
|
||||
`@gateway` matcher — or they fall to the landing catch-all), signature/HMAC verified,
|
||||
proxied into a payments intake handler. Match by `order_id`, verify amount, credit
|
||||
(ledger `fund` + balance UPDATE in one tx), mark order `paid`, emit `payment_event`.
|
||||
Idempotent by `(provider, provider_payment_id)`.
|
||||
- **Pending sweep:** background reaper expires pending orders after the configured timeout
|
||||
(~30 min). Expiry is cosmetic — a later valid callback still credits (revive/honour).
|
||||
|
||||
**TG bot outbox (`platform/telegram/`).**
|
||||
|
||||
- The bot receives `successful_payment` (and `pre_checkout_query`) via Bot API. A **SQLite**
|
||||
store on the bot's disk (`internal/outbox`): on receipt, persist → forward over the reverse
|
||||
mTLS bot-link to the **gateway** (a `ForwardPayment` unary; the bot cannot dial the backend
|
||||
directly) → the gateway proxies to the backend payments-intake REST → on a durable response,
|
||||
mark `forwarded`. Re-drive undelivered on startup and on a 30 s tick. Backend intake dedups by
|
||||
`telegram_payment_charge_id`.
|
||||
- Invoice creation (Stars) is minted by the bot (`createInvoiceLink`, XTR) on the gateway's
|
||||
`CreateInvoice` bot-link command, returned to the Mini App as the `openInvoice` link.
|
||||
|
||||
**Events & notifications.**
|
||||
|
||||
- `payment_events` dispatcher: `succeeded`/`failed`/`refunded` → live gRPC stream if the
|
||||
user is connected, else `botlink` push / email relay (existing). "failed" = an active
|
||||
provider decline (not an abandoned pending) surfaced to the user; "succeeded" hook
|
||||
(email/bot message).
|
||||
|
||||
**Receipts (§12).** Robokassa self-employed НПД receipt on payment (provider config); VK
|
||||
handles Votes tax itself; TG Stars — no receipt.
|
||||
|
||||
**Refunds (§9).** ToS non-refundable. **All refunds are admin-triggered** (E7): no rail pushes an
|
||||
unsolicited refund — Robokassa refund API / cabinet (auto-polling deferred as a low-value worker),
|
||||
VK via support, Telegram `refundStarPayment`. One `Refund` engine reverses a paid order best-effort,
|
||||
exactly once (idempotent on `(provider, provider_refund_id)`): revoke floored at 0 (never negative),
|
||||
unrecoverable remainder → per-account loss + abuse flag (`payments.account_risk`), a `refund` ledger
|
||||
row (chip delta = revoked, full reversal in the snapshot). `failed` events are not wired (no rail
|
||||
signals a hard post-charge server decline). Ledger export-ready (reconciliation not built).
|
||||
|
||||
**Tests.**
|
||||
|
||||
- unit: signature/HMAC verifiers per rail; order-id matching; idempotency-key dedup.
|
||||
- integration: full order→callback→credit per rail; duplicate callback credits once; expired
|
||||
order still honoured on late callback; TG outbox store→forward→ack→cleanup + restart
|
||||
re-drive; refund revoke best-effort/never-negative.
|
||||
- UI: purchase flow reaches the provider launch (mock); success/failure surfaced.
|
||||
|
||||
**Done-criteria.** A real (sandbox) payment on each rail credits chips exactly once; a
|
||||
replayed callback does not double-credit; the TG outbox survives a bot restart mid-flight;
|
||||
failed/succeeded events reach the user; refund path exercised. **PITR (E4) armed and the
|
||||
cost/perf assessment reviewed before this goes to prod.**
|
||||
|
||||
**Notes/risks.** Manual `docker run -p` boot tests fail from the shell — verify the runnable
|
||||
artifact via the testcontainers integration suite. Distroless services run UID 65532;
|
||||
bind-mounted secrets must be 0644. Edge routes silently fall through if not added to the
|
||||
Caddyfile — add a CI probe. The prod rolling deploy skips caddy on config-only changes —
|
||||
force-recreate when the Caddyfile changes.
|
||||
|
||||
---
|
||||
|
||||
## E6 — Ads
|
||||
|
||||
**Status:** DONE · **Release 2** · depends on: E2 (chips), E5 (rewarded credits via intake) ·
|
||||
mechanics: PAYMENTS §10.
|
||||
|
||||
**Delivery & baked decisions.** Shipped as a linear PR stack (owner's choice): **rewarded first**,
|
||||
then interstitial. Baked: the interstitial cooldowns already exist in `payments.config` (E0) and the
|
||||
per-origin banner suppression is already done (E2 `AdFree`), so E6 is the two ad DISPLAY paths + the
|
||||
rewarded credit. **VK reality (checked live in the VK docs via Playwright):** VK Mini App ads
|
||||
(`VKWebAppShowNativeAds`, both `reward` and `interstitial`) expose **only a client-side `data.result`
|
||||
boolean** — no server verify, no signature. So **D29 is amended**: rewarded is **client-attested**,
|
||||
guarded by a server **daily + hourly cap** (config `reward_daily_cap` / `reward_hourly_cap`, default
|
||||
50 / 10) that is both anti-abuse and an economic conversion lever (limits free chips so players buy);
|
||||
the cooldown state for the interstitial is **client-mirrored** (owner's pick). Delivered on
|
||||
`feature/ads-rewarded` (the **rewarded** slice): the ads-network abstraction (`ui/src/lib/ads.ts`, VK
|
||||
impl) + the VK bridge (`vkRewardedReady` / `vkShowRewarded`), the backend `CreditReward` (VK-only,
|
||||
order-less, idempotent on a client nonce, floored by the caps, payout from config
|
||||
`rewarded_payout_chips` default 0 = off), the `wallet.reward` edge op returning the updated wallet
|
||||
(with `reward_chips` gating the "watch for chips" CTA), and a **contour test stub** (`VITE_ADS_STUB` →
|
||||
a toast instead of a real ad; prod always real). A temporary diagnostic confirmed on the contour that
|
||||
VK returns **only `{result:true}`** (no token/signature) — client-attested is final, no hardening
|
||||
possible; the diagnostic is removed. The slice also **corrects the VK-iOS freeze to purchase-only**
|
||||
(rewarded on VK-iOS earns chips, which the old blanket "spend freeze" then blocked from spending —
|
||||
Apple forbids only *buying* in-app values, not spending or earning them; `vkFrozen()` now gates only
|
||||
`CreateOrder`, not `spendableSources`, so VK-wallet chips spend on VK-iOS). Delivered on
|
||||
`feature/ads-interstitial` (the **interstitial + D31** slice): the post-move fullscreen interstitial
|
||||
as a **client-mirrored** gate — the backend `adsFor` puts the config cooldowns + a `suppressed` flag
|
||||
(the no-ads / `no_banner` gate, same as the banner) on the profile (`Profile.ads`), and
|
||||
`ui/src/lib/ads.ts` `maybeShowInterstitial` self-gates on the last-shown time per kind in
|
||||
`localStorage`, showing a VK interstitial (`vkShowInterstitial`) after a **confirmed play or a hint
|
||||
only** (never a pass / exchange / resign), VK-only, offline banner-only, with the same `VITE_ADS_STUB`
|
||||
toast on the contour. The slice also lands **D31 step 1 (contract-code)**: the domain no longer reads
|
||||
or writes the deprecated `accounts.hint_balance` / `paid_account` columns — the `Account` fields, the
|
||||
dead `account.SpendHint`, `account.GrantHints` and the admin **grant-hints** action are removed, and
|
||||
the in-game hint display now comes wholly from the payments benefit (`HintsAvailable`). The **columns
|
||||
stay** (no migration → image rollback is DB-safe); a later contract-PR does the `DROP` once E6 is
|
||||
stable on prod.
|
||||
|
||||
**Goal.** VK video ads: the post-move interstitial (frequency-gated) and the rewarded video
|
||||
(credits chips via server verify), plus extending the existing banner suppression to
|
||||
per-origin.
|
||||
|
||||
**Work.**
|
||||
|
||||
- **Provider abstraction:** a small ads-network interface (VK impl now) so a future network
|
||||
for other platforms slots in without rework. VK integration via `ui/src/lib/vk.ts`.
|
||||
- **Rewarded:** voluntary view → the network's **server verify callback** → payments intake
|
||||
credits chips to the `vk` segment (client not believed, like a payment). On-launch
|
||||
anti-fraud = provider verify only (no own daily cap; abstraction allows later).
|
||||
- **Interstitial** (post-move fullscreen), configurable server values (from `payments`
|
||||
config): global per-user cooldown across all games (default 5 min); `vs_ai` 30 min; a hint
|
||||
application triggers a post-move interstitial independently with its own 1-min cooldown;
|
||||
offline banner-only; respect VK's own frequency caps. Cooldown state is **client-mirrored**
|
||||
(the chosen option): the server sends the cooldowns + `suppressed` on the profile and the
|
||||
client self-gates on a per-kind last-shown time in `localStorage` — no per-move round-trip.
|
||||
- **Banner suppression:** extend `ads.Eligible` (`backend/internal/ads/ads.go` :107) to gate
|
||||
on the **origin benefit applicable in the current context** (E2 interface) instead of the
|
||||
single legacy flag. No-ads suppresses banner + interstitial; rewarded never suppressed.
|
||||
|
||||
**Tests.**
|
||||
|
||||
- unit: cooldown logic (global 5m / vs_ai 30m / hint-trigger 1m independence); rewarded
|
||||
credit path; banner eligibility per context.
|
||||
- integration: rewarded verify → credit exactly once (idempotent like a payment).
|
||||
- UI: interstitial shows/respects cooldown (mock); rewarded button; no-ads hides banner +
|
||||
interstitial; rewarded still available under no-ads.
|
||||
|
||||
**Done-criteria.** VK rewarded credits chips once per verified view; interstitial respects
|
||||
all cooldowns incl. the hint trigger; no-ads suppresses banner+interstitial but not
|
||||
rewarded; offline shows banner only.
|
||||
|
||||
**Notes/risks.** Crypto-payout networks stay rejected. Rewarded-without-payout is pointless —
|
||||
only enable where the network pays (VK). Keep the interstitial frequency as server config so
|
||||
it tunes without a store release.
|
||||
|
||||
---
|
||||
|
||||
## E7 — Admin, reports & catalog
|
||||
|
||||
**Status:** DONE · **Release 2** · depends on: E2 (ledger/grant/spend), E5 (payments/refunds),
|
||||
E6 (D31 retired the legacy `hint_balance`/`paid_account`) · mechanics: PAYMENTS §11, §12, D32.
|
||||
|
||||
**Delivery & baked decisions (this planning round).** A linear PR stack into `development`.
|
||||
|
||||
- **Archived product = the existing `product.active` flag** (no new column, no migration):
|
||||
`active=false` **is** "archived". Its three behaviours already hold — hidden from the user
|
||||
storefront (`store_catalog.go` filters `active`), an **in-flight external payment still
|
||||
credits** (the `fund` credit path resolves the order and never re-checks `active`; only order
|
||||
*creation* / chip *spend* require `active`), and a product with any order/ledger row **cannot
|
||||
be hard-deleted** (FK `orders→product` / `ledger→product` are RESTRICT). The admin toggle is
|
||||
labelled **Archive / Unarchive**.
|
||||
- **Delete vs archive:** the editor offers a hard **Delete** only for a product with **no
|
||||
orders and no ledger rows** (never transacted — the FK is the DB backstop); a transacted
|
||||
product is **archive-only**.
|
||||
- **Admin grant = raw atoms + by-product.** Keep the quick raw-atom grant (N hints / no-ads
|
||||
days / forever) AND add grant-by-product: pick a defined product (including archived "reward"
|
||||
bundles) and grant its atoms. Both write an `admin_grant` ledger row; by-product records
|
||||
`product_id` + the snapshot. **Both refuse any set containing `chips`** (admin never grants
|
||||
currency) **or `tournament`** (no credit target until E9) — an explicit refusal, never a
|
||||
silent no-op.
|
||||
- **Manual refund = full order only** for now (the E5 `Refund` engine takes an amount; partial
|
||||
is a later add if needed).
|
||||
- **Tournament stays atom-only (E0); its entry economy is E9.** The catalog editor can compose
|
||||
products carrying the `tournament` atom (archived templates for E9), but granting/spending a
|
||||
`tournament` atom is refused until E9 designs the storage (recurring types, each its own
|
||||
benefit + price) — see E9. Adding a `benefits.tournament` counter now was rejected: the model
|
||||
is multi-type, so a single column would be wrong and force a second DB break.
|
||||
- The admin grant **no longer mirrors `grant-hints`** (E6/D31 removed that action); it is a
|
||||
fresh action on `payments.Grant`.
|
||||
|
||||
**Goal.** The admin console financial surface — per-user report, admin grant, manual refund,
|
||||
ledger export — plus the **configurable product catalog editor** (D32).
|
||||
|
||||
**Work (`/_gm`, `handlers_admin_console.go` + `adminconsole/`, `internal/payments/`).**
|
||||
|
||||
- **Per-user financial panel** on the user card (`consoleUserDetail`, `UserDetailView`): segment
|
||||
chip balances `(account, source)`, benefits `(account, origin)` (hints, no-ads until/forever),
|
||||
and the full append-only ledger (fund/spend/admin_grant/refund — amount, origin, product,
|
||||
provider, snapshot) from the ledger + materialized cache. Replaces the retired
|
||||
`PaidAccount`/`HintBalance` fields with the segmented view.
|
||||
- **Catalog editor** (`/_gm/catalog`): list every product (active + archived) with its atoms and
|
||||
per-method/currency prices; create/edit (title, atom items `atom_type→quantity`, price rows
|
||||
`method+currency→amount`); **Archive/Unarchive** (`active`); **Delete** (never-transacted
|
||||
only). Enforce the projection's shape: a **pack** (carries `chips`) needs a money price per
|
||||
method; a **value** (no `chips`) needs a single `CHIP` price. A `tournament`-bearing product is
|
||||
allowed in composition but cannot be activated for sale until E9.
|
||||
- **Admin grant** action: raw atoms (hints / no-ads days / forever) and by-product (a value
|
||||
product, incl. archived); **origin picker**; refuses `chips`/`tournament`; `admin_grant` ledger
|
||||
row (+ `product_id`/snapshot for by-product) via `payments.Grant`.
|
||||
- **Manual refund** action: refund a specific paid order **in full** — a `refund` ledger row +
|
||||
best-effort floor-0 benefit revoke (E5 `Refund`).
|
||||
- **Ledger export**: CSV/JSON for tax + future Robokassa reconciliation (export-ready;
|
||||
reconciliation itself not built).
|
||||
- Auth unchanged: gateway Basic-Auth in front of `/_gm` + backend same-origin CSRF on POSTs.
|
||||
|
||||
**Tests.**
|
||||
|
||||
- unit: panel view assembly; catalog pack/value shape projection; grant refuses chips + tournament;
|
||||
editor validation (pack⇒money price, value⇒CHIP price); export shape.
|
||||
- integration: grant (raw + by-product) writes the right `admin_grant` row + benefit; refund writes
|
||||
a `refund` row + floor-0 revoke; catalog CRUD round-trips (create→edit→archive→delete-if-clean);
|
||||
delete refused on a transacted product; panel reflects balances + benefits + history.
|
||||
|
||||
**Done-criteria.** An operator can: see a user's full financial picture; create/edit/archive
|
||||
products + prices and delete only never-transacted ones; grant concrete values raw or by-product
|
||||
(origin-picked, never chips/tournament); refund an order in full; export the ledger.
|
||||
|
||||
**PR stack (linear into `development`, all merged).**
|
||||
|
||||
1. ~~**Per-user financial panel**~~ (#230) — read-only ledger/segments/benefits on the user card;
|
||||
retired the `PaidAccount`/`HintBalance` display.
|
||||
2. ~~**Catalog editor**~~ (#231) — product/atom/price CRUD + archive/unarchive + delete-if-clean +
|
||||
shape validation.
|
||||
3. ~~**Admin grant**~~ (#232, + the D31 hint-wallet wire cleanup that surfaced there) — raw +
|
||||
by-product, refuse chips/tournament, origin-picked, `admin_grant` + snapshot.
|
||||
4. ~~**Manual refund** (full order via E5 `Refund`) + **ledger CSV export**~~ — `RefundOrderFull`
|
||||
(idempotent, floor-0 revoke) on each fund row; `/_gm/ledger.csv`.
|
||||
|
||||
**Notes/risks.** High-blast-radius (money, ledger — append-only, trigger-enforced). No mixed-in
|
||||
refactors. The catalog editor becomes the source of truth for products; the contour SQL seeds
|
||||
become bootstrap-only.
|
||||
|
||||
---
|
||||
|
||||
## E8 — Guest limits
|
||||
|
||||
**Status:** DONE · **standalone** (game-behaviour change) · depends on: none · mechanics: PAYMENTS §6.
|
||||
|
||||
**Goal.** A registration funnel: cap what a guest can do, enforced **server-side** (today UI-only),
|
||||
with configurable per-tier × per-kind limits so the pressure tunes without a release.
|
||||
|
||||
**Finding (verified).** Two gaps. (a) The friend/invitation paths do **not** check `is_guest` on the
|
||||
server — only the UI hides them: `social/friends.go`, `robotfriends.go`, `friendcodes.go`,
|
||||
`lobby/invitations.go`. A guest with a valid `X-User-ID` can call them. (b) A **pre-existing** flat
|
||||
cap already existed: `game.MaxActiveQuickGames`=10 — a **combined** cap on `active`+`open` quick
|
||||
games (vs_ai+random together, friend games excluded), counted by `CountActiveQuickGames`, enforced at
|
||||
the handler (`ensureUnderGameLimit`) with **409 `game_limit_reached`**, surfaced as `at_game_limit`.
|
||||
E8's per-tier × per-kind config **subsumes and replaces** it (decided: option A).
|
||||
|
||||
**Delivery & baked decisions (this planning round).** A linear PR stack; E8 is game-behaviour, no
|
||||
payments mixed in.
|
||||
|
||||
- **`games.game_kind smallint DEFAULT 0`** (0=unknown — pre-E8 games, never gated; 1=vs_ai; 2=random;
|
||||
3=friends), set on creation (`StartVsAI`=1, `Enqueue`=2, a friend invitation=3). Existing games
|
||||
stay 0 and fall outside the gate.
|
||||
- **Limits are per-tier × per-kind**, in a **new single-row `backend.config`** table:
|
||||
`guest_{vs_ai,random,friends}_limit` + `durable_{vs_ai,random,friends}_limit` (smallint,
|
||||
**`-1`=unlimited**), seeded `(1,1,0, 10,10,10)`. A guest is capped at 1 vs_ai + 1 random (friends
|
||||
is moot — the guest gate blocks friend games); a durable account is **10 per kind** — the old flat
|
||||
MaxActiveQuickGames=10, now split per kind. Editable in the admin.
|
||||
- **The old flat cap is removed** (option A, owner-agreed): `MaxActiveQuickGames`,
|
||||
`CountActiveQuickGames`, `atGameLimit` deleted; the per-tier/kind config is the single mechanism,
|
||||
enforced at the **same handler gate** (`ensureUnderGameLimit(kind)` for `enqueue`
|
||||
random/vs_ai) plus the durable **friends cap** inside `CreateInvitation`. The gate stays out of the
|
||||
game domain — `game.Service.AtGameLimit(account, kind)` only resolves tier + counts.
|
||||
- **A hot in-memory cache** fronts the config (read once on start, invalidated on the admin edit —
|
||||
mirrors the payments read-cache) so a login / game-create never queries it.
|
||||
- **"Active" = `open` + `active`** (an open, unmatched random game holds a slot); the limit is on
|
||||
**creation** — an existing game is grandfathered, never interrupted.
|
||||
- **Limits ride the wire (forward-compat, no double break):** `Profile.game_limits`
|
||||
(`GameLimits{vs_ai, random, friends}` — the caller's tier resolved server-side) + `GameView.kind`,
|
||||
so the client counts active games **per kind** from its lobby and locks the right start button. On
|
||||
a guest → durable upgrade (register / link) the client **re-fetches the profile** so the new
|
||||
(durable) limits apply. The client picks the lock's message by tier: a **guest** → the login funnel;
|
||||
a **durable** account at its cap → a plain "finish a current game first" notice.
|
||||
|
||||
**Work.**
|
||||
|
||||
- ~~**PR1 — backend + admin (server-side)** — DONE.~~ The migration (`game_kind` + `backend.config`,
|
||||
seeded `1,1,0 / 10,10,10` + jetgen); `game_kind` set on creation and projected onto `game.Game`;
|
||||
the **guest gate** (`ErrGuestForbidden`, mapped to **403 `guest_forbidden`**) on friend-request /
|
||||
redeem-code / befriend-in-game / invitation-create; the **active-limit enforce** — the old flat
|
||||
`MaxActiveQuickGames` mechanism removed and replaced by `ensureUnderGameLimit(kind)` on `enqueue`
|
||||
(random/vs_ai) plus the durable friends cap in `CreateInvitation`, keyed off
|
||||
`game.Service.AtGameLimit`; the **`internal/gamelimits` config + hot cache** (loaded at boot,
|
||||
invalidated on edit); the admin **kind column** in both game lists (`/_gm/games` + the user card)
|
||||
and a **config editor** (`/_gm/limits`) for the six limits.
|
||||
- ~~**PR2 — wire + client** — DONE.~~ `Profile.game_limits` (the caller's tier) + `GameView.kind` (FBS
|
||||
+ gateway transcode + client codec, committed regen); the client counts active games per kind from
|
||||
the lobby cache (`gamelimits.ts`) and locks a capped new-game start — an **outline 🔒** button that
|
||||
opens `GameLimitModal` instead of a game, native (Telegram `showPopup`) or the in-app `Modal`
|
||||
elsewhere, with two messages by tier: a **guest** sign-in funnel ("Войдите или создайте учётную
|
||||
запись…", Отмена / Вход→`/settings`) and, for a **durable** account at its cap, a plain notice
|
||||
("Вы достигли лимита одновременных игр, сначала завершите текущие", ОК). The lock lifts via the
|
||||
existing profile re-fetch after a guest→durable upgrade.
|
||||
- **Decision (owner-agreed): the lobby's old `at_game_limit` New-Game tab-disable + notice is
|
||||
removed.** The `at_game_limit` flag (now the random-kind cap) conflicted with the per-kind lock —
|
||||
it hid the New-Game screen where the lock lives, and wrongly blocked starting an unfulfilled kind.
|
||||
The tab is always enabled; the per-kind lock on the start button is the only gate. The wire field
|
||||
`GameList.at_game_limit` stays (unused by the client) for a later cleanup.
|
||||
|
||||
**Tests.**
|
||||
|
||||
- integration (PR1, done): `game_kind` persisted per path; guest refused friend/redeem/invitation
|
||||
(domain + HTTP 403); guest blocked from a 2nd vs_ai / 2nd random (+ `at_game_limit`); durable on the
|
||||
higher tier; the durable friends cap + config cache reflecting an admin edit; accept stays exempt.
|
||||
- unit (PR1, done): the per-tier/kind limit resolution (`Cap`, `LimitsFor`).
|
||||
- unit + UI (PR2, done): the client lock logic (`gamelimits.ts` — count/cap/lock), the codec kind +
|
||||
game_limits roundtrip, the gateway transcode game_limits encode, the popup builders, and a mock e2e
|
||||
(`gamelimit.spec.ts`) — a capped start shows 🔒, opens the modal without navigating, and the lock
|
||||
clears when the profile refetch lifts the cap.
|
||||
|
||||
**Done-criteria.** A guest is server-capped (default 1 vs_ai + 1 random, configurable) and cannot
|
||||
friend/invite; a durable account is capped at 10 per kind (configurable); the client shows the lock +
|
||||
the tier-appropriate modal and the cap lifts on registration; durable flows otherwise unchanged.
|
||||
|
||||
**Notes/risks.** Game-behaviour change — own PRs, own tests, no payments mixed in. The limit is on
|
||||
creation (existing games grandfathered). The config cache is single-instance (matching the deploy).
|
||||
|
||||
---
|
||||
|
||||
## E9 — Tournament fee (future)
|
||||
|
||||
**Status:** TODO · **future** · depends on: E0 (atom provisioned), tournament feature ·
|
||||
mechanics: PAYMENTS §5, §7.
|
||||
|
||||
**Goal.** A chip entry economy for tournaments. The `tournament` atom is provisioned (E0) and
|
||||
E7's catalog editor can compose tournament products; E7 deliberately **defers the entry storage
|
||||
+ credit/spend** here, to avoid guessing the schema.
|
||||
|
||||
**Design to settle here (not before — avoid a double DB break).** Tournaments are expected in
|
||||
**several recurring types** (daily / weekly / monthly …), each its **own benefit with its own
|
||||
price** — so a single `benefits.tournament` counter is wrong. Model the entry store as
|
||||
**per-tournament-type** (e.g. a `tournament_type` catalog + a per-`(account, type)` entry
|
||||
balance), design the pricing, then:
|
||||
|
||||
- lift E7's **refusal** of granting/spending the `tournament` atom (admin grant by-product +
|
||||
chip spend);
|
||||
- add the **spend** (charge an entry) reusing E2 `Spend`;
|
||||
- wire the coupling to the actual tournament feature (out of scope until it exists).
|
||||
|
||||
**Done-criteria.** Deferred — revisit when tournaments are built; this stage owns the
|
||||
tournament-entry storage + pricing design.
|
||||
|
||||
---
|
||||
|
||||
## Verification & CI (all stages)
|
||||
|
||||
- Per-stage tests at the layers above; **compliance-gate regression is mandatory** (a
|
||||
`direct` benefit must never activate inside VK/TG) and runs from E2 onward.
|
||||
- Local full verification before every push: `go build/vet ./backend/... && gofmt -l .`,
|
||||
integration (`-tags=integration` + DAWG sibling + Ryuk-off), `pnpm -C ui check/test:unit/
|
||||
build`, Playwright mock e2e, codegen (`make -C pkg proto fbs`, `pnpm -C ui codegen`).
|
||||
- Contour: each PR into `development` auto-deploys the test contour; owner does visual sign-
|
||||
off there (not local). Keep a multi-PR batch a linear stack (one shared contour,
|
||||
last-deploy-wins).
|
||||
- Prod (Release 2): expand-contract migrations only (image rollback DB-safe); PITR armed +
|
||||
the E4 cost/perf assessment reviewed **before** the first money; new edge routes added to
|
||||
the Caddyfile with a CI probe; caddy force-recreated on config-only changes.
|
||||
- Release framing: **shipped docs/code/commits/PRs carry no stage ids** — finalize copy for
|
||||
the release, not the plan.
|
||||
@@ -0,0 +1,41 @@
|
||||
# Erudit — site icons + Open Graph card
|
||||
|
||||
The favicon set and the `og:image` link-preview card for the public landing
|
||||
(`ui/landing.html`) and the SPA shell (`ui/index.html`). Same design language as the
|
||||
[VK loading-screen logo](../vk/README.md): the wooden Erudit «Э» tile (score `8`),
|
||||
with the wordmark on the app's dark board green (`ui/src/app.css` tokens).
|
||||
|
||||
| Output (committed to `ui/public/`) | Purpose |
|
||||
|------|---------|
|
||||
| `favicon.svg` | Vector favicon, transparent; tile + «Э» only (the score is illegible below ~32 px). |
|
||||
| `favicon.ico` | 32×32 PNG-in-ICO fallback (also answers the browsers' blind `/favicon.ico` probe). |
|
||||
| `apple-touch-icon.png` | 180×180 opaque full-bleed tile; iOS masks its own corners. |
|
||||
| `og-image.png` | 1200×630 card: tile + «Эрудит / Скрэббл — игра в слова». Referenced absolutely as `https://erudit-game.ru/og-image.png`. |
|
||||
|
||||
## How it works
|
||||
|
||||
`build/extract.js` extracts the needed glyph outlines (tile glyphs + every wordmark
|
||||
character) from LiberationSans (Arial-metric, the game's font stack) with their
|
||||
advance widths into `build/glyphs.json` (committed). `build/generate.js` composes
|
||||
plain SVG from those outlines — no font is needed at generation time — writes
|
||||
`favicon.svg` and rasterises the PNG/ICO outputs by screenshotting the SVGs with the
|
||||
`ui` package's Playwright chromium (`@playwright/test`); the `.ico` container is
|
||||
assembled in-script (a single PNG entry). Raster bytes therefore depend on the
|
||||
installed chromium version; the SVG sources are deterministic.
|
||||
|
||||
## Regenerate
|
||||
|
||||
Requirements: Node ≥ 18, `ui` installed (`pnpm install`, provides Playwright).
|
||||
`extract.js` additionally needs `opentype.js` (`npm i opentype.js`); **`generate.js`
|
||||
needs no extra packages**.
|
||||
|
||||
```sh
|
||||
cd assets/icons
|
||||
|
||||
# 1. (optional) re-extract the glyphs — only if the font or the wordmark changes:
|
||||
# default font: /usr/share/fonts/truetype/liberation/LiberationSans-Regular.ttf
|
||||
node build/extract.js [/path/to/font.ttf] # -> build/glyphs.json
|
||||
|
||||
# 2. regenerate everything in ui/public/:
|
||||
node build/generate.js
|
||||
```
|
||||
@@ -0,0 +1,78 @@
|
||||
'use strict';
|
||||
// Extract the glyph outlines the site icons and the og-image wordmark need from a
|
||||
// grotesque font (LiberationSans = Arial-metric, matching the game's system-ui/Arial
|
||||
// stack) and emit cubic-bezier contours per character, baseline at y=0, y-down,
|
||||
// plus the advance width so generate.js can lay out words without the font.
|
||||
// Same outline conversion as ../../vk/build/extract.js, generalised to a char set.
|
||||
const opentype = require('opentype.js');
|
||||
const fs = require('fs');
|
||||
|
||||
const FONT = process.argv[2] || '/usr/share/fonts/truetype/liberation/LiberationSans-Regular.ttf';
|
||||
const b = fs.readFileSync(FONT);
|
||||
const font = opentype.parse(b.buffer.slice(b.byteOffset, b.byteOffset + b.byteLength));
|
||||
const FS = 1000; // em scale
|
||||
|
||||
// The tile glyphs («Э», «8») + every character of the og-image wordmark lines
|
||||
// («Эрудит», «Скрэббл — игра в слова»). The space carries only an advance.
|
||||
const CHARS = [...new Set('Э8рудитСкэббл—игра в слова')];
|
||||
|
||||
function glyphData(ch) {
|
||||
const g = font.charToGlyph(ch);
|
||||
const p = g.getPath(0, 0, FS); // baseline at y=0, y-down
|
||||
const contours = [];
|
||||
let cur = null, prev = null;
|
||||
for (const c of p.commands) {
|
||||
if (c.type === 'M') {
|
||||
if (cur) contours.push(cur);
|
||||
cur = [{ v: [c.x, c.y], i: [c.x, c.y], o: [c.x, c.y] }];
|
||||
prev = { x: c.x, y: c.y };
|
||||
} else if (c.type === 'L') {
|
||||
cur.push({ v: [c.x, c.y], i: [c.x, c.y], o: [c.x, c.y] });
|
||||
prev = { x: c.x, y: c.y };
|
||||
} else if (c.type === 'C') {
|
||||
cur[cur.length - 1].o = [c.x1, c.y1];
|
||||
cur.push({ v: [c.x, c.y], i: [c.x2, c.y2], o: [c.x, c.y] });
|
||||
prev = { x: c.x, y: c.y };
|
||||
} else if (c.type === 'Q') {
|
||||
const c1 = [prev.x + 2 / 3 * (c.x1 - prev.x), prev.y + 2 / 3 * (c.y1 - prev.y)];
|
||||
const c2 = [c.x + 2 / 3 * (c.x1 - c.x), c.y + 2 / 3 * (c.y1 - c.y)];
|
||||
cur[cur.length - 1].o = c1;
|
||||
cur.push({ v: [c.x, c.y], i: c2, o: [c.x, c.y] });
|
||||
prev = { x: c.x, y: c.y };
|
||||
} else if (c.type === 'Z') {
|
||||
if (cur && cur.length > 1) {
|
||||
const last = cur[cur.length - 1], first = cur[0];
|
||||
if (Math.hypot(last.v[0] - first.v[0], last.v[1] - first.v[1]) < 1e-3) {
|
||||
first.i = last.i; // fold the duplicate closing point into the first
|
||||
cur.pop();
|
||||
}
|
||||
}
|
||||
if (cur) { contours.push(cur); cur = null; }
|
||||
}
|
||||
}
|
||||
if (cur) contours.push(cur);
|
||||
|
||||
let minx = Infinity, miny = Infinity, maxx = -Infinity, maxy = -Infinity;
|
||||
const out = contours.map(ct => {
|
||||
const v = [], i = [], o = [];
|
||||
ct.forEach(pt => {
|
||||
v.push(pt.v);
|
||||
i.push([pt.i[0] - pt.v[0], pt.i[1] - pt.v[1]]);
|
||||
o.push([pt.o[0] - pt.v[0], pt.o[1] - pt.v[1]]);
|
||||
minx = Math.min(minx, pt.v[0]); maxx = Math.max(maxx, pt.v[0]);
|
||||
miny = Math.min(miny, pt.v[1]); maxy = Math.max(maxy, pt.v[1]);
|
||||
});
|
||||
return { i, o, v, c: true };
|
||||
});
|
||||
const bbox = out.length
|
||||
? { x: minx, y: miny, w: maxx - minx, h: maxy - miny }
|
||||
: { x: 0, y: 0, w: 0, h: 0 }; // the space has no outline
|
||||
return { adv: g.advanceWidth * (FS / font.unitsPerEm), bbox, contours: out };
|
||||
}
|
||||
|
||||
const glyphs = {};
|
||||
for (const ch of CHARS) glyphs[ch] = glyphData(ch);
|
||||
|
||||
const out = __dirname + '/glyphs.json';
|
||||
fs.writeFileSync(out, JSON.stringify({ em: FS, glyphs }));
|
||||
console.log('wrote', out, fs.statSync(out).size, 'bytes;', CHARS.length, 'glyphs:', CHARS.join(''));
|
||||
@@ -0,0 +1,128 @@
|
||||
'use strict';
|
||||
// Site icons + the Open Graph card for the public landing, drawn from the same
|
||||
// design as ../../vk (the wooden Erudit tile: face «Э», score «8») and the app's
|
||||
// board palette (ui/src/app.css). Everything is composed as SVG from the committed
|
||||
// glyph outlines (build/extract.js -> glyphs.json), so no font is needed at build
|
||||
// time; the PNG/ICO rasters are screenshots taken with the ui package's Playwright
|
||||
// chromium (@playwright/test re-exports the browser API). Outputs go straight to
|
||||
// ui/public/:
|
||||
// favicon.svg 96 viewBox, transparent, tile + «Э» (the score is illegible small)
|
||||
// favicon.ico 32x32 PNG-in-ICO render of the same
|
||||
// apple-touch-icon.png 180x180 opaque full-bleed tile (iOS masks its own corners)
|
||||
// og-image.png 1200x630 card: tile + wordmark on the board green
|
||||
const fs = require('fs');
|
||||
const path = require('path');
|
||||
|
||||
const G = JSON.parse(fs.readFileSync(path.join(__dirname, 'glyphs.json'), 'utf8'));
|
||||
const UI = path.resolve(__dirname, '../../../ui');
|
||||
const OUT = path.join(UI, 'public');
|
||||
|
||||
// ---- palette (vk loader tile + app.css board tokens) ------------------------
|
||||
const FACE = '#D9B978', BORDER = '#B49559', GLYPH = '#1A1A1A';
|
||||
const BOARD_DARK = '#2a3330', TEXT = '#e7ece8', TEXT_MUTED = '#cdd6cf';
|
||||
|
||||
// ---- glyph outlines -> SVG path data ----------------------------------------
|
||||
const r2 = n => Math.round(n * 100) / 100;
|
||||
// pathD renders one glyph's contours scaled by sc and translated by (tx, ty).
|
||||
function pathD(g, sc, tx, ty) {
|
||||
const pt = (v, d) => `${r2(v[0] * sc + tx + d[0] * sc)} ${r2(v[1] * sc + ty + d[1] * sc)}`;
|
||||
const Z = [0, 0];
|
||||
return g.contours.map(ct => {
|
||||
const n = ct.v.length;
|
||||
let d = `M${pt(ct.v[0], Z)}`;
|
||||
for (let k = 1; k <= n; k++) {
|
||||
const a = k - 1, b = k % n;
|
||||
d += `C${pt(ct.v[a], ct.o[a])} ${pt(ct.v[b], ct.i[b])} ${pt(ct.v[b], Z)}`;
|
||||
}
|
||||
return d + 'Z';
|
||||
}).join('');
|
||||
}
|
||||
// glyphAt centres a glyph's bbox at (cx, cy) with the given pixel cap height, the
|
||||
// same placement rule as the vk loader's glyph(). stroke fattens it slightly.
|
||||
function glyphAt(ch, capPx, cx, cy, stroke, colour) {
|
||||
const g = G.glyphs[ch], sc = capPx / g.bbox.h;
|
||||
const d = pathD(g, sc, cx - (g.bbox.x + g.bbox.w / 2) * sc, cy - (g.bbox.y + g.bbox.h / 2) * sc);
|
||||
return `<path d="${d}" fill="${colour}" stroke="${colour}" stroke-width="${r2(stroke)}"/>`;
|
||||
}
|
||||
// textLine lays out a string on a baseline from the per-glyph advances; capPx sets
|
||||
// the capital height (measured on «Э»). Returns the combined path + the width.
|
||||
function textLine(str, capPx, x, y, colour) {
|
||||
const sc = capPx / G.glyphs['Э'].bbox.h;
|
||||
let d = '', w = 0;
|
||||
for (const ch of str) {
|
||||
const g = G.glyphs[ch];
|
||||
if (g.contours.length) d += pathD(g, sc, x + w, y);
|
||||
w += g.adv * sc;
|
||||
}
|
||||
return { svg: `<path d="${d}" fill="${colour}"/>`, width: w };
|
||||
}
|
||||
// tile draws the rounded wooden tile centred at (cx, cy): size px wide/high, with
|
||||
// the vk loader's corner (6/52) and rim proportions, «Э» and optionally the «8».
|
||||
function tile(cx, cy, size, withScore) {
|
||||
const h = size / 2, rx = size * (6 / 52), rim = size * (1.8 / 52);
|
||||
let s = `<rect x="${r2(cx - h + rim / 2)}" y="${r2(cy - h + rim / 2)}" width="${r2(size - rim)}" height="${r2(size - rim)}" rx="${r2(rx)}" fill="${FACE}" stroke="${BORDER}" stroke-width="${r2(rim)}"/>`;
|
||||
s += glyphAt('Э', size * (32 / 52), cx, cy - size * (1 / 52), size * (1 / 52), GLYPH);
|
||||
if (withScore) s += glyphAt('8', size * (8.5 / 52), cx + size * (19.5 / 52), cy + size * (18.5 / 52), size * (0.5 / 52), GLYPH);
|
||||
return s;
|
||||
}
|
||||
const svg = (w, h, body) => `<svg xmlns="http://www.w3.org/2000/svg" width="${w}" height="${h}" viewBox="0 0 ${w} ${h}">${body}</svg>`;
|
||||
|
||||
// ---- favicon.svg (the committed vector master) -------------------------------
|
||||
const favicon = svg(96, 96, tile(48, 48, 88, false)) + '\n';
|
||||
|
||||
// ---- apple-touch-icon: opaque full bleed, iOS applies its own corner mask ----
|
||||
const appleTouch = svg(180, 180,
|
||||
`<rect width="180" height="180" fill="${FACE}"/>` +
|
||||
`<rect x="8" y="8" width="164" height="164" rx="18" fill="none" stroke="${BORDER}" stroke-width="4"/>` +
|
||||
glyphAt('Э', 100, 90, 88, 3, GLYPH) +
|
||||
glyphAt('8', 26, 146, 142, 1.5, GLYPH));
|
||||
|
||||
// ---- og-image: tile + wordmark, centred as one group on the board green ------
|
||||
function ogImage() {
|
||||
const W = 1200, H = 630, tileSize = 340, gap = 84;
|
||||
const l1 = textLine('Эрудит', 112, 0, 0, TEXT);
|
||||
const l2 = textLine('Скрэббл — игра в слова', 44, 0, 0, TEXT_MUTED);
|
||||
const textW = Math.max(l1.width, l2.width);
|
||||
const left = (W - (tileSize + gap + textW)) / 2;
|
||||
const tx = left + tileSize + gap;
|
||||
// Two baselines around the vertical centre; the tile centre sits between them.
|
||||
const b1 = 295, b2 = 408;
|
||||
const body =
|
||||
`<rect width="${W}" height="${H}" fill="${BOARD_DARK}"/>` +
|
||||
tile(left + tileSize / 2, H / 2, tileSize, true) +
|
||||
textLine('Эрудит', 112, tx, b1, TEXT).svg +
|
||||
textLine('Скрэббл — игра в слова', 44, tx, b2, TEXT_MUTED).svg;
|
||||
console.log(`og-image: text ${Math.round(textW)}px wide, group left ${Math.round(left)}px`);
|
||||
return svg(W, H, body);
|
||||
}
|
||||
|
||||
// ---- rasterisation (Playwright chromium from ui/node_modules) ----------------
|
||||
async function shoot(page, markup, w, h, transparent) {
|
||||
await page.setViewportSize({ width: w, height: h });
|
||||
await page.setContent(`<body style="margin:0">${markup}</body>`);
|
||||
return page.screenshot({ omitBackground: transparent });
|
||||
}
|
||||
// icoFromPNG wraps one PNG as a single-entry .ico (ICONDIR + ICONDIRENTRY + PNG).
|
||||
function icoFromPNG(png, sizePx) {
|
||||
const h = Buffer.alloc(22);
|
||||
h.writeUInt16LE(0, 0); h.writeUInt16LE(1, 2); h.writeUInt16LE(1, 4); // icon, 1 image
|
||||
h.writeUInt8(sizePx, 6); h.writeUInt8(sizePx, 7); // 32x32
|
||||
h.writeUInt16LE(1, 10); h.writeUInt16LE(32, 12); // planes, 32bpp
|
||||
h.writeUInt32LE(png.length, 14); h.writeUInt32LE(22, 18); // size, offset
|
||||
return Buffer.concat([h, png]);
|
||||
}
|
||||
|
||||
(async () => {
|
||||
fs.writeFileSync(path.join(OUT, 'favicon.svg'), favicon);
|
||||
const { chromium } = require(path.join(UI, 'node_modules', '@playwright/test'));
|
||||
const browser = await chromium.launch();
|
||||
const page = await browser.newPage();
|
||||
const fav32 = await shoot(page, svg(32, 32, tile(16, 16, 29.33, false)), 32, 32, true);
|
||||
fs.writeFileSync(path.join(OUT, 'favicon.ico'), icoFromPNG(fav32, 32));
|
||||
fs.writeFileSync(path.join(OUT, 'apple-touch-icon.png'), await shoot(page, appleTouch, 180, 180, false));
|
||||
fs.writeFileSync(path.join(OUT, 'og-image.png'), await shoot(page, ogImage(), 1200, 630, false));
|
||||
await browser.close();
|
||||
for (const f of ['favicon.svg', 'favicon.ico', 'apple-touch-icon.png', 'og-image.png']) {
|
||||
console.log('wrote', path.join(OUT, f), fs.statSync(path.join(OUT, f)).size, 'bytes');
|
||||
}
|
||||
})();
|
||||
File diff suppressed because one or more lines are too long
@@ -0,0 +1,115 @@
|
||||
# Erudit — VK loading-screen logo (Lottie)
|
||||
|
||||
Animated logo for the **VK app loading screen** (shown before the SPA assets load).
|
||||
The Erudit «Э» tile (score `8`) **drops in under gravity, lands with a soft squash —
|
||||
its left/right edges bulging into a cushion — then springs back up**, looping. A light
|
||||
"glint" is caught at the moment of the bounce.
|
||||
|
||||
| File | Purpose |
|
||||
|------|---------|
|
||||
| `erudit-loader.json` | The Lottie to upload to VK. |
|
||||
| `erudit-loader-preview.gif` | Looping preview. Rendered on a green "baize" background **only in the preview** — the real asset has a **transparent** background. |
|
||||
| `build/` | The reproducible build pipeline (see *Regenerate*). |
|
||||
|
||||
**VK requirements met:** 96×96 px · vector Lottie JSON · ≤ 24 KB (~11 KB) · seamless
|
||||
~1.1 s loop · transparent background.
|
||||
|
||||
Design reference: a photo of the physical wooden Erudit tile.
|
||||
|
||||
---
|
||||
|
||||
## How it works
|
||||
|
||||
A single flat layer holds the tile — a rounded-rect **face path**, the two glyphs, and
|
||||
a thin border — and everything is driven by that layer's transform plus a few colour /
|
||||
shape tracks. The anchor sits on the tile's **bottom edge**, so the squash happens
|
||||
against the floor.
|
||||
|
||||
### Bounce (gravity)
|
||||
`position.y` of the bottom edge goes apex → floor → apex with **no dwell** (the apex is
|
||||
an instantaneous turn-around). The fall uses a strong **ease-in** (accelerate) and the
|
||||
rise a strong **ease-out** (decelerate), so it reads as real gravity. While falling fast
|
||||
the tile slightly **stretches** (tall+thin); that is the squash-and-stretch setup.
|
||||
|
||||
### Soft cushion (squash)
|
||||
On contact the layer **squashes** (scaleY↓, scaleX↑) about the bottom anchor, with a
|
||||
touch of skew. Crucially the squash/cushion is **decoupled from the fall speed** — it
|
||||
eases in and out *slowly* (`ES`), so the landing feels soft even though the fall is
|
||||
fast. The squash is deliberately gentle (≈ 86 % / 112 %).
|
||||
|
||||
### The cushion shape (the hard part)
|
||||
The face is **not** a plain rounded rect — it is a path whose left/right contour bows
|
||||
out into a convex cushion on impact:
|
||||
- the rest rounded-rect outline is sampled (fine corner arcs + edge mids), and on impact
|
||||
every point is pushed outward by a smooth **barrel** profile `f(y) = b·(1 − (y/HH)²)`
|
||||
(max at the middle, fading to zero at the top/bottom);
|
||||
- so the **whole side — corners included — bows out as one piece**, never just the
|
||||
straight middle;
|
||||
- bezier handles are computed as a **chordal spline** (handle length ∝ the adjacent
|
||||
chord), which stays smooth across the uneven corner/edge point spacing. This is what
|
||||
keeps the corner↔cushion junction kink-free — both at rest and fully bulged — which a
|
||||
naïve uniform Catmull-Rom (or moving discrete points with fixed tangents) does not.
|
||||
|
||||
### Glint
|
||||
At the bounce the face flashes a little lighter (`FACE_GLINT`) and the glyphs warm
|
||||
toward brown-red (`BLACK_LIT`), then settle back. A cheap, warm "catch the light".
|
||||
|
||||
### Border & background
|
||||
The tile carries a thin static **border** a touch darker than the face (`BORDER`) so it
|
||||
reads on any background. The **green baize background is added only when rendering the
|
||||
preview GIF** — the Lottie itself is transparent.
|
||||
|
||||
### Player compatibility
|
||||
Only plain 2-D shapes (`ddd:0`) — no 3-D layers, expressions or effects — so every
|
||||
Lottie player (lottie-web on the web, rlottie on native) renders it identically.
|
||||
|
||||
---
|
||||
|
||||
## Glyphs
|
||||
|
||||
`Э` (U+042D) and `8` are **real outlines from LiberationSans-Regular** — metric-
|
||||
compatible with Arial, matching the game's `--font: system-ui … Arial` stack
|
||||
(see `ui/src/app.css`). `build/extract.js` pulls the contours into `build/glyphs.json`
|
||||
as Lottie cubic paths; a hair of same-colour stroke adds a touch of weight.
|
||||
|
||||
---
|
||||
|
||||
## Regenerate
|
||||
|
||||
Requirements: Node ≥ 18. `extract.js` additionally needs `opentype.js`
|
||||
(`npm i opentype.js`); **`generate.js` has no dependencies**.
|
||||
|
||||
```sh
|
||||
cd assets/vk
|
||||
|
||||
# 1. (optional) re-extract the glyphs — only if you change the font:
|
||||
# default font: /usr/share/fonts/truetype/liberation/LiberationSans-Regular.ttf
|
||||
node build/extract.js [/path/to/font.ttf] # -> build/glyphs.json
|
||||
|
||||
# 2. build the animation (reads build/glyphs.json):
|
||||
node build/generate.js erudit-loader.json # -> erudit-loader.json
|
||||
|
||||
# 3. (optional) live preview — needs lottie-web (npm i lottie-web):
|
||||
node build/build-preview.js erudit-loader.json preview.html
|
||||
# then open preview.html in a browser.
|
||||
```
|
||||
|
||||
The preview GIF is assembled by rendering the Lottie frame-by-frame (lottie-web canvas,
|
||||
filled with the green baize) and stitching with `ffmpeg`; the live HTML preview is the
|
||||
quickest way to eyeball changes.
|
||||
|
||||
## Tunables (top of `build/generate.js`)
|
||||
|
||||
| Symbol | Meaning |
|
||||
|--------|---------|
|
||||
| `OP`, `FR` | loop length (frames) / fps — overall speed |
|
||||
| `T_HIT / T_PEAK / T_LIFT / T_REC` | beats: contact / squash peak / lift-off / cushion recovered |
|
||||
| `EI / EO / ES` | easings: fast fall / fast rise / slow soft cushion |
|
||||
| `APEX`, `FLOOR` | bottom-edge screen-y at the top of the bounce / at rest |
|
||||
| `HW`, `HH`, `CR` | tile half-width / half-height / corner radius |
|
||||
| `scl` squash values | the squash amount (scaleX↑ / scaleY↓) |
|
||||
| `bulge` `b` | cushion depth (how far the sides bow out) |
|
||||
| `FACE / FACE_GLINT` | wood face / glint flash |
|
||||
| `BORDER` | tile rim colour |
|
||||
| `BLACK / BLACK_LIT` | glyph / glyph-at-glint (brown-red) |
|
||||
| preview bg `#3C7858` | the green-baize colour used **only** in the GIF |
|
||||
@@ -0,0 +1,31 @@
|
||||
'use strict';
|
||||
const fs = require('fs');
|
||||
const data = fs.readFileSync(process.argv[2] || 'erudit.json', 'utf8');
|
||||
const lottiePath = __dirname + '/node_modules/lottie-web/build/player/lottie.min.js';
|
||||
const html = `<!doctype html><html><head><meta charset="utf8"><style>
|
||||
body{margin:0;background:#2b2b2b;font-family:sans-serif;color:#ccc}
|
||||
.row{display:flex;gap:18px;padding:18px;align-items:flex-end;flex-wrap:wrap}
|
||||
.cell{text-align:center}
|
||||
.chk{background-image:linear-gradient(45deg,#8a8a8a 25%,transparent 25%),linear-gradient(-45deg,#8a8a8a 25%,transparent 25%),linear-gradient(45deg,transparent 75%,#8a8a8a 75%),linear-gradient(-45deg,transparent 75%,#8a8a8a 75%);background-size:16px 16px;background-position:0 0,0 8px,8px -8px,-8px 0;background-color:#b5b5b5}
|
||||
.s96{width:96px;height:96px}.big{width:336px;height:336px}small{font-size:11px}
|
||||
</style></head><body><div class="row" id="row"></div>
|
||||
<script src="./lottie.min.js"></script>
|
||||
<script>
|
||||
const animationData=${data};window.AD=animationData;
|
||||
const row=document.getElementById('row');window.anims=[];
|
||||
function make(cls,frame,label){
|
||||
const cell=document.createElement('div');cell.className='cell';
|
||||
const box=document.createElement('div');box.className='chk '+cls;cell.appendChild(box);
|
||||
cell.appendChild(document.createElement('br'));
|
||||
const cap=document.createElement('small');cap.textContent=label;cell.appendChild(cap);
|
||||
row.appendChild(cell);
|
||||
const a=lottie.loadAnimation({container:box,renderer:'svg',loop:false,autoplay:false,animationData:JSON.parse(JSON.stringify(animationData))});
|
||||
a.addEventListener('DOMLoaded',()=>a.goToAndStop(frame,true));
|
||||
window.anims.push(a);
|
||||
}
|
||||
[0,22,45,68].forEach(f=>make('s96',f,'f'+f));
|
||||
make('big',22,'f22 x3.5');
|
||||
window.__ready=true;
|
||||
</script></body></html>`;
|
||||
fs.writeFileSync(process.argv[3] || 'preview.html', html);
|
||||
console.log('wrote', process.argv[3] || 'preview.html');
|
||||
@@ -0,0 +1,67 @@
|
||||
'use strict';
|
||||
// Extract the Cyrillic "Э" (U+042D) and the digit "8" outlines from a grotesque
|
||||
// font (LiberationSans = Arial-metric, matching the game's system-ui/Arial stack)
|
||||
// and emit Lottie cubic-bezier contours, centred at the origin, y-down.
|
||||
const opentype = require('opentype.js');
|
||||
const fs = require('fs');
|
||||
|
||||
const FONT = process.argv[2] || '/usr/share/fonts/truetype/liberation/LiberationSans-Regular.ttf';
|
||||
const b = fs.readFileSync(FONT);
|
||||
const font = opentype.parse(b.buffer.slice(b.byteOffset, b.byteOffset + b.byteLength));
|
||||
const FS = 1000; // em scale
|
||||
|
||||
function glyphContours(ch) {
|
||||
const p = font.charToGlyph(ch).getPath(0, 0, FS); // baseline at y=0, y-down
|
||||
const contours = [];
|
||||
let cur = null, prev = null;
|
||||
for (const c of p.commands) {
|
||||
if (c.type === 'M') {
|
||||
if (cur) contours.push(cur);
|
||||
cur = [{ v: [c.x, c.y], i: [c.x, c.y], o: [c.x, c.y] }];
|
||||
prev = { x: c.x, y: c.y };
|
||||
} else if (c.type === 'L') {
|
||||
cur.push({ v: [c.x, c.y], i: [c.x, c.y], o: [c.x, c.y] });
|
||||
prev = { x: c.x, y: c.y };
|
||||
} else if (c.type === 'C') {
|
||||
cur[cur.length - 1].o = [c.x1, c.y1];
|
||||
cur.push({ v: [c.x, c.y], i: [c.x2, c.y2], o: [c.x, c.y] });
|
||||
prev = { x: c.x, y: c.y };
|
||||
} else if (c.type === 'Q') {
|
||||
const c1 = [prev.x + 2 / 3 * (c.x1 - prev.x), prev.y + 2 / 3 * (c.y1 - prev.y)];
|
||||
const c2 = [c.x + 2 / 3 * (c.x1 - c.x), c.y + 2 / 3 * (c.y1 - c.y)];
|
||||
cur[cur.length - 1].o = c1;
|
||||
cur.push({ v: [c.x, c.y], i: c2, o: [c.x, c.y] });
|
||||
prev = { x: c.x, y: c.y };
|
||||
} else if (c.type === 'Z') {
|
||||
if (cur && cur.length > 1) {
|
||||
const last = cur[cur.length - 1], first = cur[0];
|
||||
if (Math.hypot(last.v[0] - first.v[0], last.v[1] - first.v[1]) < 1e-3) {
|
||||
first.i = last.i; // fold the duplicate closing point into the first
|
||||
cur.pop();
|
||||
}
|
||||
}
|
||||
if (cur) { contours.push(cur); cur = null; }
|
||||
}
|
||||
}
|
||||
if (cur) contours.push(cur);
|
||||
|
||||
let minx = Infinity, miny = Infinity, maxx = -Infinity, maxy = -Infinity;
|
||||
const out = contours.map(ct => {
|
||||
const v = [], i = [], o = [];
|
||||
ct.forEach(pt => {
|
||||
v.push(pt.v);
|
||||
i.push([pt.i[0] - pt.v[0], pt.i[1] - pt.v[1]]);
|
||||
o.push([pt.o[0] - pt.v[0], pt.o[1] - pt.v[1]]);
|
||||
minx = Math.min(minx, pt.v[0]); maxx = Math.max(maxx, pt.v[0]);
|
||||
miny = Math.min(miny, pt.v[1]); maxy = Math.max(maxy, pt.v[1]);
|
||||
});
|
||||
return { i, o, v, c: true };
|
||||
});
|
||||
return { contours: out, bbox: { x: minx, y: miny, w: maxx - minx, h: maxy - miny } };
|
||||
}
|
||||
|
||||
const E = glyphContours('Э');
|
||||
const D8 = glyphContours('8');
|
||||
fs.writeFileSync('glyphs.json', JSON.stringify({ em: FS, E, D8 }));
|
||||
console.log('Э bbox', E.bbox, 'contours', E.contours.map(c => c.v.length));
|
||||
console.log('8 bbox', D8.bbox, 'contours', D8.contours.map(c => c.v.length));
|
||||
@@ -0,0 +1,153 @@
|
||||
'use strict';
|
||||
// VK preloader Lottie: a flat wooden Erudit tile ("Э" + score "8") that drops in
|
||||
// under gravity, squashes on impact (convex cushion bulging out the left/right edges
|
||||
// + a touch of skew), and springs back up — looping. A light "glint" is caught at the
|
||||
// moment of the bounce. Pure 2D shapes (ddd:0). Glyphs are real LiberationSans
|
||||
// outlines (Arial-metric, = the game's font stack); see extract.js -> glyphs.json.
|
||||
const fs = require('fs');
|
||||
const G = JSON.parse(fs.readFileSync(__dirname + '/glyphs.json', 'utf8'));
|
||||
|
||||
// ---- canvas / timing -------------------------------------------------------
|
||||
const W = 96, H = 96, cx = 48;
|
||||
const FR = 30, OP = 34; // ~1.13 s loop (dynamic, 25% faster)
|
||||
// keyframe beats (frames): fast fall -> soft squash -> lift -> fast rise -> apex (no dwell)
|
||||
const T_HIT = 13, T_PEAK = 18, T_LIFT = 19, T_REC = 28;
|
||||
|
||||
// ---- geometry --------------------------------------------------------------
|
||||
const HW = 26, HH = 26, CR = 6; // tile half-width / half-height / corner radius
|
||||
const FLOOR = 90, APEX = 60; // bottom-centre screen-y at rest / at the top of the bounce
|
||||
|
||||
// ---- palette ---------------------------------------------------------------
|
||||
const col = h => [parseInt(h.slice(1,3),16)/255, parseInt(h.slice(3,5),16)/255, parseInt(h.slice(5,7),16)/255];
|
||||
const FACE = col('#D9B978'); // wood face (flat)
|
||||
const FACE_GLINT = col('#E7CD95'); // face flash caught on impact (gentle, not blinding)
|
||||
const BORDER = col('#B49559'); // tile rim: a touch darker than the face, reads on any bg
|
||||
const BLACK = col('#1A1A1A');
|
||||
const BLACK_LIT = col('#421A0B'); // glyph warms to brown-red on the glint
|
||||
const lerp = (a, b, t) => a.map((v, i) => v + (b[i] - v) * t);
|
||||
|
||||
// ---- property / easing helpers ---------------------------------------------
|
||||
const still = v => ({ a: 0, k: v });
|
||||
const EI = { o: { x: [0.82], y: [0] }, i: { x: [1], y: [1] } }; // strong accelerate (gravity fall)
|
||||
const EO = { o: { x: [0], y: [0] }, i: { x: [0.18], y: [1] } }; // strong decelerate (rise to apex)
|
||||
const ES = { o: { x: [0.42], y: [0] }, i: { x: [0.58], y: [1] } }; // soft/slow (the cushion)
|
||||
function anim(samples) { // samples: {t, v, e?} ; e = easing toward the NEXT key
|
||||
return { a: 1, k: samples.map((s, idx) => {
|
||||
const kf = { t: s.t, s: s.v };
|
||||
if (idx < samples.length - 1) { const e = s.e || ES; kf.o = e.o; kf.i = e.i; }
|
||||
return kf;
|
||||
}) };
|
||||
}
|
||||
const animColor = s => anim(s.map(x => ({ t: x.t, v: [...x.v, 1], e: x.e })));
|
||||
|
||||
// ---- shape helpers ---------------------------------------------------------
|
||||
const tr = () => ({ ty: 'tr', p: still([0,0]), a: still([0,0]), s: still([100,100]), r: still(0), o: still(100) });
|
||||
const grp = (items, nm) => ({ ty: 'gr', it: [...items, tr()], nm });
|
||||
const fill = c => ({ ty: 'fl', c, o: still(100), r: 1, bm: 0 });
|
||||
const stroke = (c,w) => ({ ty: 'st', c: still(c), o: still(100), w: still(w), lc: 2, lj: 2, ml: 4, bm: 0 });
|
||||
function glyph(gd, hpx, px, py, bold, colour, nm) { // font glyph -> filled+stroked group
|
||||
const sc = hpx / gd.bbox.h;
|
||||
const bcx = gd.bbox.x + gd.bbox.w / 2, bcy = gd.bbox.y + gd.bbox.h / 2;
|
||||
const shapes = gd.contours.map(ct => ({
|
||||
ty: 'sh', d: 1, ks: still({
|
||||
i: ct.i.map(p => [p[0]*sc, p[1]*sc]), o: ct.o.map(p => [p[0]*sc, p[1]*sc]),
|
||||
v: ct.v.map(p => [(p[0]-bcx)*sc + px, (p[1]-bcy)*sc + py]), c: true,
|
||||
}),
|
||||
}));
|
||||
return grp([...shapes, fill(colour), stroke(BLACK, bold)], nm);
|
||||
}
|
||||
|
||||
// Sample the rest rounded-rect outline (clockwise): fine corner arcs + one mid point
|
||||
// per straight edge, so a smooth interpolant reproduces it cleanly.
|
||||
function arc(ccx, ccy, a0, a1, n) {
|
||||
const out = [];
|
||||
for (let i = 0; i < n; i++) { const a = (a0 + (a1 - a0) * i / (n - 1)) * Math.PI / 180; out.push([ccx + CR*Math.cos(a), ccy + CR*Math.sin(a)]); }
|
||||
return out;
|
||||
}
|
||||
const REST = (() => {
|
||||
const NC = 7, yi = HH - CR, xi = HW - CR;
|
||||
const C = [ arc(xi,-yi,-90,0,NC), arc(xi,yi,0,90,NC), arc(-xi,yi,90,180,NC), arc(-xi,-yi,180,270,NC) ];
|
||||
const pts = [];
|
||||
for (let k = 0; k < 4; k++) {
|
||||
pts.push(...C[k]);
|
||||
const a = C[k][NC-1], b = C[(k+1)%4][0];
|
||||
pts.push([(a[0]+b[0])/2, (a[1]+b[1])/2]); // straight-edge mid point (keeps the edge straight)
|
||||
}
|
||||
return pts;
|
||||
})();
|
||||
// The whole left/right contour (corners + side) bows out by one smooth barrel profile;
|
||||
// Catmull-Rom tangents (from neighbours) make every junction C1-smooth -> no kink, the
|
||||
// corners follow the cushion and the cushion melts into the corners, bulged or not.
|
||||
function facePath(b) {
|
||||
const f = y => b * (1 - (y/HH) * (y/HH)); // 0 at top/bottom, max at the middle
|
||||
const V = REST.map(([x, y]) => [x + Math.sign(x) * f(y), y]); // push the sides out, top/bottom stay
|
||||
const n = V.length, I = [], O = [];
|
||||
for (let k = 0; k < n; k++) {
|
||||
const p0 = V[(k-1+n)%n], p1 = V[k], p2 = V[(k+1)%n];
|
||||
let dx = p2[0]-p0[0], dy = p2[1]-p0[1]; // tangent direction (neighbours)
|
||||
const dl = Math.hypot(dx, dy) || 1; dx /= dl; dy /= dl;
|
||||
const ln = Math.hypot(p2[0]-p1[0], p2[1]-p1[1]) / 3; // handles ~ 1/3 of the adjacent chord
|
||||
const lp = Math.hypot(p1[0]-p0[0], p1[1]-p0[1]) / 3; // -> chordal spline, no overshoot/facets
|
||||
O.push([dx*ln, dy*ln]); I.push([-dx*lp, -dy*lp]);
|
||||
}
|
||||
return { i: I, o: O, v: V, c: true };
|
||||
}
|
||||
const facePathKeys = samples => ({ a: 1, k: samples.map((s, idx) => {
|
||||
const kf = { t: s.t, s: [facePath(s.b)] };
|
||||
if (idx < samples.length - 1) { const e = s.e || ES; kf.o = e.o; kf.i = e.i; }
|
||||
return kf;
|
||||
}) });
|
||||
|
||||
// ---- animation tracks ------------------------------------------------------
|
||||
// bottom-centre screen-y (the tile rests/squashes on its bottom edge)
|
||||
const posY = anim([
|
||||
{ t: 0, v: [cx, APEX, 0], e: EI }, // apex -> immediately falls (no dwell)
|
||||
{ t: T_HIT, v: [cx, FLOOR, 0], e: ES }, // FAST fall (accelerate) -> floor
|
||||
{ t: T_LIFT, v: [cx, FLOOR, 0], e: EO }, // sit on the floor while the cushion absorbs
|
||||
{ t: OP, v: [cx, APEX, 0] }, // FAST rise (decelerate) -> apex = loop start
|
||||
]);
|
||||
// scale about the bottom anchor: stretch while falling, gentle/slow cushion squash on impact
|
||||
const scl = anim([
|
||||
{ t: 0, v: [100, 100, 100], e: ES },
|
||||
{ t: T_HIT-5, v: [95, 106, 100], e: ES }, // stretch while falling fast
|
||||
{ t: T_HIT, v: [104, 95, 100], e: ES }, // touch down
|
||||
{ t: T_PEAK, v: [112, 86, 100], e: ES }, // soft squash peak (gentler, less plче)
|
||||
{ t: T_REC, v: [100, 100, 100], e: ES }, // slow cushion release -> soft landing
|
||||
{ t: OP, v: [100, 100, 100] },
|
||||
]);
|
||||
// a touch of skew through the squash (organic deform), back to 0
|
||||
const skw = anim([
|
||||
{ t: T_HIT, v: [0], e: ES }, { t: T_PEAK, v: [4], e: ES }, { t: T_REC, v: [0] }, { t: OP, v: [0] },
|
||||
]);
|
||||
// left/right cushion bulge: 0 -> gentle peak -> 0 (never inward)
|
||||
const bulge = facePathKeys([
|
||||
{ t: T_HIT, b: 0, e: ES }, { t: T_PEAK, b: 4, e: ES }, { t: T_REC, b: 0 }, { t: OP, b: 0 },
|
||||
]);
|
||||
// glint: face + glyph catch the light at the bounce
|
||||
const faceCol = animColor([
|
||||
{ t: T_HIT-2, v: FACE, e: ES }, { t: T_PEAK, v: FACE_GLINT, e: ES }, { t: T_REC, v: FACE }, { t: OP, v: FACE },
|
||||
]);
|
||||
const glyphCol = animColor([
|
||||
{ t: T_HIT-2, v: BLACK, e: ES }, { t: T_PEAK, v: BLACK_LIT, e: ES }, { t: T_REC, v: BLACK }, { t: OP, v: BLACK },
|
||||
]);
|
||||
|
||||
// ---- layer (face + glyphs share the bounce/squash transform) ---------------
|
||||
const faceShape = grp([ { ty: 'sh', d: 1, ks: bulge }, fill(faceCol), stroke(BORDER, 1.8) ], 'face');
|
||||
const glyphE = glyph(G.E, 32, 0, -1, 1.0, glyphCol, 'E'); // centred Э
|
||||
const glyph8 = glyph(G.D8, 8.5, HW-6.5, HH-7.5, 0.5, glyphCol, 'score'); // 8 in the corner
|
||||
|
||||
const tile = {
|
||||
ddd: 0, ind: 1, ty: 4, nm: 'tile', sr: 1,
|
||||
ks: { o: still(100), r: still(0), p: posY, a: still([0, HH, 0]), s: scl, sk: skw, sa: still(0) },
|
||||
ao: 0, shapes: [ glyph8, glyphE, faceShape ], ip: 0, op: OP, st: 0, bm: 0,
|
||||
};
|
||||
|
||||
const root = {
|
||||
v: '5.7.4', fr: FR, ip: 0, op: OP, w: W, h: H, nm: 'erudit-vk-loader', ddd: 0,
|
||||
assets: [], layers: [ tile ], markers: [],
|
||||
};
|
||||
|
||||
const out = process.argv[2] || 'erudit.json';
|
||||
const round = (k, v) => (typeof v === 'number' ? Math.round(v * 100) / 100 : v);
|
||||
fs.writeFileSync(out, JSON.stringify(root, round));
|
||||
console.log('wrote', out, fs.statSync(out).size, 'bytes');
|
||||
File diff suppressed because one or more lines are too long
Binary file not shown.
|
After Width: | Height: | Size: 91 KiB |
File diff suppressed because one or more lines are too long
+48
-19
@@ -33,18 +33,25 @@ real game seating the caller with an **empty opponent seat** (status `open`) or,
|
||||
another player already waits for the same variant and per-turn word rule, seats the
|
||||
caller into that open game and starts it — and
|
||||
friend-game invitations (invite → accept, starting a 2–4 player game once every
|
||||
invitee accepts). A **simultaneous-game cap** (`game.MaxActiveQuickGames` = 10) limits a
|
||||
player's active quick games — status `active`/`open`, excluding invitation-linked friend
|
||||
games (`game.Service.CountActiveQuickGames`); the server refuses `lobby/enqueue` and
|
||||
`invitations` creation with **409 `game_limit_reached`** at the cap (accepting an invitation
|
||||
is exempt), and the `games.list` response carries an `at_game_limit` flag for the lobby.
|
||||
invitee accepts). **Per-tier, per-kind active-game caps** limit a player's simultaneous
|
||||
unfinished games by kind — `vs_ai`, `random` (quick auto-match), `friends` — with separate
|
||||
guest and durable-account tiers held in the single-row `backend.config` table (a `-1` means
|
||||
unlimited), read through an in-memory cache (`internal/gamelimits`) and tuned live in the admin
|
||||
(`/_gm/limits`, no redeploy). Each game is tagged with its `games.game_kind` on creation;
|
||||
`game.Service.AtGameLimit` counts the account's `active`/`open` games of a kind against the
|
||||
tier's cap. The server refuses `lobby/enqueue` (random/vs_ai) with **409 `game_limit_reached`**
|
||||
at the cap, and the `invitations` (friends) path enforces the durable friends cap and refuses a
|
||||
**guest** outright (guests cannot use friends); accepting an invitation is exempt. The
|
||||
`games.list` response carries an `at_game_limit` flag (the random-kind cap) for the lobby.
|
||||
`internal/social` owns the friend graph (request/accept),
|
||||
per-user blocks, and per-game chat with nudges folded in as a message kind; chat
|
||||
messages are length-capped, content-filtered (no links/emails/phone numbers,
|
||||
including obfuscated forms) and stored with the sender's IP. Each message carries an
|
||||
`unread_seats` read bitmask (a set bit per recipient seat still to read it); `MarkRead`
|
||||
clears a reader's bit when they open the move history or chat, and a wired `NudgeClearer`
|
||||
clears a nudge when its recipient moves — both record the publish-to-read latency.
|
||||
clears a reader's bit when they open the move history or chat, a wired `NudgeClearer`
|
||||
clears a nudge when its recipient moves, and a wired `NudgeExpirer` clears **all** of a game's
|
||||
nudges when it finishes (any completion path) — the first two record the publish-to-read latency,
|
||||
the completion expiry does not (it is not a read); chat messages stay unread on completion.
|
||||
A friend request (or block) aimed at a **disguised pooled robot** is recorded per game+seat
|
||||
in `robot_friend_requests` / `robot_blocks`, never against the shared robot account; a
|
||||
background reaper drops a robot friend request once its game has been finished for **7 days**.
|
||||
@@ -98,7 +105,10 @@ state, lobby enqueue, chat). The social/account/history operations under
|
||||
`/api/v1/user`: `friends/*` (request/respond/cancel/unfriend,
|
||||
list/incoming, the one-time `code` issue/redeem), `blocks/*`, `invitations/*`
|
||||
(create/accept/decline/cancel/list), `PUT profile`, `email/{request,confirm}`,
|
||||
`stats`, and `games/:id/gcg` (finished-only). The `internal/notify` hub feeds a
|
||||
`stats`, `games/:id/gcg` (finished-only), and the payments `wallet` /
|
||||
`wallet/catalog` (`GET` — the context-visible chip segments + benefits, and the
|
||||
storefront catalog) / `wallet/buy` (`POST` — a chip spend on a value), served by
|
||||
`internal/payments` behind the store-compliance gate. The `internal/notify` hub feeds a
|
||||
second listener — `internal/pushgrpc`, a gRPC server (`BACKEND_GRPC_ADDR`) streaming
|
||||
live events (your-turn, opponent-moved, chat, nudge, match-found, notify) to the
|
||||
gateway. The gateway-only `POST /api/v1/internal/push-target` (a user's
|
||||
@@ -130,21 +140,38 @@ so `/internal/push-target` returns the recipient's `preferred_language` as the r
|
||||
language for out-of-app push; no per-bot routing remains. The console also manages the **advertising banner** (`/_gm/banners` +
|
||||
`/_gm/banner-settings`, `internal/ads`): operator campaigns with a percent weight, an optional
|
||||
window and bilingual messages, plus the global display timings. `GET /api/v1/user/profile` attaches
|
||||
the resolved, weighted campaign feed for an **eligible** viewer (`!paid_account && hint_balance == 0
|
||||
&& !no_banner` role, the message language picked by `preferred_language`); changing those inputs
|
||||
publishes a `notify` `banner` re-poll signal so the client shows/hides it in place. The shared wire
|
||||
the resolved, weighted campaign feed for an **eligible** viewer (no active **no-ads** benefit
|
||||
applicable in the current context and no **`no_banner`** role; the message language picked by
|
||||
`preferred_language`); changing those inputs
|
||||
publishes a `notify` `banner` re-poll signal so the client shows/hides it in place.
|
||||
The same gate drives the post-move interstitial config (`Profile.ads`, `adsFor`). The user card
|
||||
also carries a **finance panel** (`payments.AccountStatement`): the account's chip balances per
|
||||
funding segment, benefits per origin, the recorded refund risk, and the append-only ledger history
|
||||
(newest first) — read straight from the payments tables, uncached. The **catalog editor**
|
||||
(`/_gm/catalog`, `handlers_admin_catalog.go`) is the source of truth for products (D32): create /
|
||||
edit / archive-unarchive (the `product.active` flag) products, their atoms and per-rail prices, and
|
||||
hard-delete only a **never-transacted** product (an order/ledger reference forces archive-only,
|
||||
backed by the FK); a `tournament`-bearing product is composable but not sellable yet. The user card
|
||||
also carries an admin **grant** panel: grant raw benefit atoms (hints / no-ads days / forever) or a
|
||||
defined **value product** (a reward bundle, including an archived one), origin-picked; both write an
|
||||
`admin_grant` ledger row via `payments.Grant` / `GrantProduct` and **refuse** a chips or `tournament`
|
||||
atom (never grant currency; no tournament target yet). Each fund row in the panel carries a **Refund**
|
||||
action (`payments.RefundOrderFull`): a full-order refund the operator records after refunding on the
|
||||
rail — a `refund` ledger row + a floor-0 chip revoke, idempotent. A **ledger CSV export**
|
||||
(`/_gm/ledger.csv`, `payments.LedgerExport`) dumps the whole append-only ledger for tax +
|
||||
reconciliation. The shared wire
|
||||
contracts live in the sibling [`../pkg`](../pkg) module.
|
||||
|
||||
**Account linking & merge** (`/api/v1/user/link/*`). `internal/link`
|
||||
orchestrates it: an email confirm-code or a gateway-validated Telegram identity is
|
||||
attached to the current account, and when the identity already has its own account
|
||||
the two are merged in one transaction (`internal/accountmerge`) — stats and the hint
|
||||
wallet summed, `paid_account` ORed, identities/games/chat/complaints transferred,
|
||||
the two are merged in one transaction (`internal/accountmerge`) — stats summed,
|
||||
identities/games/chat/complaints transferred,
|
||||
friends/blocks de-duplicated, the secondary kept as a `merged_into` tombstone (so a
|
||||
shared finished game's foreign keys hold); a shared **active** game blocks the merge.
|
||||
The current account is primary, except a guest initiator whose linked identity has a
|
||||
durable owner — then the durable account wins and a fresh session is minted for it.
|
||||
The `accounts.paid_account`/`merged_into`/`merged_at` columns back this. This supersedes the
|
||||
The `accounts.merged_into`/`merged_at` columns back this. This supersedes the
|
||||
former `email.bind.*` edge surface (the `RequestCode`/`ConfirmCode` primitives stay).
|
||||
|
||||
Rate-limit observability: the gateway posts its periodic rejection
|
||||
@@ -212,11 +239,13 @@ internal/banview/ # gateway active-ban mirror: the console's Active IP bans p
|
||||
| `BACKEND_LOBBY_ROBOT_WAIT` | `10s` | Auto-match wait before a robot is substituted for a missing human. |
|
||||
| `BACKEND_LOBBY_REAPER_INTERVAL` | `1s` | How often the substitution reaper scans for over-waited players. |
|
||||
| `BACKEND_ROBOT_DRIVE_INTERVAL` | `30s` | How often the robot driver scans for due robot turns. |
|
||||
| `BACKEND_SMTP_HOST` | — | Email relay host. **Empty selects the development log mailer** (the confirm-code is logged, not sent). |
|
||||
| `BACKEND_SMTP_PORT` | `587` | Email relay port. |
|
||||
| `BACKEND_SMTP_USERNAME` | — | SMTP user; empty relays without authentication. |
|
||||
| `BACKEND_SMTP_PASSWORD` | — | SMTP password. |
|
||||
| `BACKEND_SMTP_FROM` | `no-reply@localhost` | Envelope/From address for confirm-codes. |
|
||||
| `BACKEND_SMTP_HOST` | — | Confirm-code relay host. **Empty selects the development log mailer** (the code is logged, not sent). |
|
||||
| `BACKEND_SMTP_PORT` | `587` | Relay port. No client certificate is needed (the server cert is validated against the system roots). |
|
||||
| `BACKEND_SMTP_TLS` | — | Transport security: `ssl` (implicit TLS from connect) or `starttls`. Empty derives it from the port (implicit on `465`, STARTTLS otherwise); set it for a relay on a non-standard port (e.g. Selectel's `1127` = SSL, `1126` = STARTTLS). |
|
||||
| `BACKEND_SMTP_USERNAME` | — | SMTP AUTH user; empty relays without authentication. |
|
||||
| `BACKEND_SMTP_PASSWORD` | — | SMTP AUTH password. |
|
||||
| `BACKEND_SMTP_FROM` | `no-reply@localhost` | From address. A deployed contour must use the prod domain (the relay only accepts its verified sender domain). |
|
||||
| `BACKEND_PUBLIC_BASE_URL` | — | Canonical public origin (scheme + host) for links in the email. **Required when `BACKEND_SMTP_HOST` is set.** Never derived from a request Host header (anti-injection). |
|
||||
| `BACKEND_CONNECTOR_ADDR` | — | the gateway bot-link relay gRPC address for admin-console operator broadcasts. Empty disables broadcasts. |
|
||||
| `BACKEND_GUEST_REAP_INTERVAL` | `1h` | How often the abandoned-guest reaper sweeps. |
|
||||
| `BACKEND_GUEST_RETENTION` | `720h` | Account age past which a guest with no game seat is deleted. |
|
||||
|
||||
+134
-3
@@ -20,6 +20,7 @@ import (
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/accountmerge"
|
||||
"scrabble/backend/internal/adminalert"
|
||||
"scrabble/backend/internal/ads"
|
||||
"scrabble/backend/internal/banview"
|
||||
"scrabble/backend/internal/config"
|
||||
@@ -27,12 +28,15 @@ import (
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/feedback"
|
||||
"scrabble/backend/internal/game"
|
||||
"scrabble/backend/internal/gamelimits"
|
||||
"scrabble/backend/internal/link"
|
||||
"scrabble/backend/internal/lobby"
|
||||
"scrabble/backend/internal/notify"
|
||||
"scrabble/backend/internal/payments"
|
||||
"scrabble/backend/internal/postgres"
|
||||
"scrabble/backend/internal/pushgrpc"
|
||||
"scrabble/backend/internal/ratewatch"
|
||||
"scrabble/backend/internal/render"
|
||||
"scrabble/backend/internal/robot"
|
||||
"scrabble/backend/internal/server"
|
||||
"scrabble/backend/internal/session"
|
||||
@@ -43,6 +47,10 @@ import (
|
||||
// telemetryShutdownTimeout bounds the OpenTelemetry flush during process exit.
|
||||
const telemetryShutdownTimeout = 5 * time.Second
|
||||
|
||||
// adminAlertInterval is how often the operator-alert worker checks for new feedback /
|
||||
// complaints; a burst within one interval coalesces into a single digest email.
|
||||
const adminAlertInterval = 5 * time.Minute
|
||||
|
||||
func main() {
|
||||
cfg, err := config.Load()
|
||||
if err != nil {
|
||||
@@ -149,6 +157,17 @@ func run(ctx context.Context, cfg config.Config, logger *zap.Logger) error {
|
||||
logger.Info("active dictionary version", zap.String("version", games.ActiveVersion()))
|
||||
games.SetNotifier(hub)
|
||||
games.SetMetrics(tel.MeterProvider().Meter("scrabble/backend/game"))
|
||||
|
||||
// Active-game limit config: the per-tier, per-kind caps in backend.config, read once into an
|
||||
// in-memory cache at boot and refreshed when the admin edits them. A boot-time load fails fast if
|
||||
// the single config row is missing; the game domain reads the cache on every new-game gate.
|
||||
gameLimits := gamelimits.NewService(gamelimits.NewStore(db))
|
||||
if err := gameLimits.Load(ctx); err != nil {
|
||||
return fmt.Errorf("load game-limit config: %w", err)
|
||||
}
|
||||
games.SetGameLimits(gameLimits)
|
||||
logger.Info("game-limit config loaded")
|
||||
|
||||
go games.RunSweeper(ctx, cfg.Game.TimeoutSweepInterval)
|
||||
logger.Info("game turn-timeout sweeper started",
|
||||
zap.Duration("interval", cfg.Game.TimeoutSweepInterval))
|
||||
@@ -161,6 +180,15 @@ func run(ctx context.Context, cfg config.Config, logger *zap.Logger) error {
|
||||
zap.Duration("interval", cfg.GuestReapInterval),
|
||||
zap.Duration("retention", cfg.GuestRetention))
|
||||
|
||||
// Purge the account-deletion legal dossier past its retention TTL: the
|
||||
// retained-identities journal, and the feedback thread + dossier PII of long-deleted
|
||||
// accounts (chat is kept). Checked daily; the TTL is a two-year policy constant.
|
||||
retentionReaper := account.NewRetentionReaper(accounts, account.RetentionTTL, logger)
|
||||
go retentionReaper.Run(ctx, 24*time.Hour)
|
||||
logger.Info("retention reaper started",
|
||||
zap.Duration("interval", 24*time.Hour),
|
||||
zap.Duration("retention", account.RetentionTTL))
|
||||
|
||||
// Re-evaluate moderated-chat write access when a temporary block self-expires:
|
||||
// no operator action fires then, so the sweeper emits the chat-access-changed
|
||||
// event for lapsed blocks and the gateway re-pushes the chat-gate command.
|
||||
@@ -173,15 +201,21 @@ func run(ctx context.Context, cfg config.Config, logger *zap.Logger) error {
|
||||
// Lobby & social domains. Their REST and stream surface lives in the gateway,
|
||||
// so they are handed to the server (like the route groups) for the handlers.
|
||||
mailer := newMailer(cfg.SMTP, logger)
|
||||
emails := account.NewEmailService(accounts, mailer)
|
||||
emails := account.NewEmailService(accounts, mailer, cfg.PublicBaseURL)
|
||||
// Throttle confirm-code sends per recipient: at most one per minute and five per
|
||||
// rolling hour, guarding against email bombing and the relay's own quota.
|
||||
emails.SetSendLimiter(account.NewSendLimiter(time.Minute, 5))
|
||||
// Account linking & merge: the orchestrator over the account, merge and
|
||||
// session layers. Wired to the /api/v1/user/link REST surface below.
|
||||
links := link.NewService(emails, accounts, accountmerge.NewMerger(db), sessions)
|
||||
merger := accountmerge.NewMerger(db)
|
||||
links := link.NewService(emails, accounts, merger, sessions)
|
||||
socialSvc := social.NewService(social.NewStore(db), accounts, games)
|
||||
socialSvc.SetNotifier(hub)
|
||||
socialSvc.SetMetrics(tel.MeterProvider().Meter("scrabble/backend/social"))
|
||||
// A nudge the recipient answered by moving is marked read on the move path.
|
||||
// A nudge the recipient answered by moving is marked read on the move path; every nudge in a
|
||||
// game is marked read when the game finishes (a stale badge), on any completion path.
|
||||
games.SetNudgeClearer(socialSvc.ClearNudges)
|
||||
games.SetNudgeExpirer(socialSvc.ExpireNudges)
|
||||
// Reap per-game disguised-robot friend requests once their game is long finished
|
||||
// (the robot ignores them; the row only pins the in-game "request sent" state).
|
||||
robotReqReaper := social.NewRobotFriendRequestReaper(socialSvc, logger)
|
||||
@@ -192,6 +226,16 @@ func run(ctx context.Context, cfg config.Config, logger *zap.Logger) error {
|
||||
feedbackSvc := feedback.NewService(feedback.NewStore(db), accounts)
|
||||
feedbackSvc.SetNotifier(hub)
|
||||
|
||||
// Operator alert emails on new feedback / word complaints, coalesced into one digest
|
||||
// per interval. Inert unless a distinct admin sender and recipient are configured.
|
||||
if cfg.SMTP.AdminFrom != "" && cfg.SMTP.AdminTo != "" {
|
||||
// The alert digest carries no admin-console link on purpose — an admin URL must not
|
||||
// travel in an email (a mail provider could cache or index it); see adminalert.New.
|
||||
alerts := adminalert.New(mailer, feedbackSvc, games, cfg.SMTP.AdminFrom, cfg.SMTP.AdminTo, logger)
|
||||
go alerts.Run(ctx, adminAlertInterval)
|
||||
logger.Info("admin alert worker started", zap.Duration("interval", adminAlertInterval))
|
||||
}
|
||||
|
||||
// Robot opponent: provision its durable account pool (a hard startup
|
||||
// dependency, like the dictionaries) and start its move driver. The matchmaker
|
||||
// substitutes a pooled robot for a missing human after the wait window.
|
||||
@@ -230,6 +274,35 @@ func run(ctx context.Context, cfg config.Config, logger *zap.Logger) error {
|
||||
// block and the banner admin console section.
|
||||
adsSvc := ads.NewService(ads.NewStore(db))
|
||||
|
||||
// In-game currency domain (data foundation): the payments schema behind a
|
||||
// narrow interface. A boot-time reachability check fails fast if the schema
|
||||
// did not migrate; the wallet routes are registered when that surface lands.
|
||||
paymentsSvc := payments.NewService(payments.NewStore(db))
|
||||
if err := paymentsSvc.Ping(ctx); err != nil {
|
||||
return fmt.Errorf("payments schema unreachable: %w", err)
|
||||
}
|
||||
logger.Info("payments domain ready")
|
||||
|
||||
// Warm the public-offer price list cache so /offer/ serves the current catalog from the first
|
||||
// request; it is reprojected lazily thereafter on any catalog edit. Non-fatal — a transient
|
||||
// failure here only defers the projection to the first read.
|
||||
if _, err := paymentsSvc.OfferPricing(ctx); err != nil {
|
||||
logger.Warn("offer pricing warm failed; will project on first request", zap.Error(err))
|
||||
}
|
||||
|
||||
// Wire the payments surface into the domains that consume it: the online-game hint wallet
|
||||
// and the account-merge wallet fold. Done after the reachability check so a broken payments
|
||||
// schema fails boot before anything depends on it.
|
||||
games.SetHintWallet(paymentsSvc)
|
||||
merger.SetPayments(paymentsSvc)
|
||||
|
||||
// The image-render sidecar client for the PNG export artifact; nil (PNG
|
||||
// download answers 404) when BACKEND_RENDERER_URL is unset.
|
||||
var renderer *render.Client
|
||||
if cfg.RendererURL != "" {
|
||||
renderer = render.New(cfg.RendererURL)
|
||||
}
|
||||
|
||||
srv := server.New(cfg.HTTPAddr, server.Deps{
|
||||
Logger: logger,
|
||||
DB: db,
|
||||
@@ -250,7 +323,12 @@ func run(ctx context.Context, cfg config.Config, logger *zap.Logger) error {
|
||||
RateWatch: rateWatch,
|
||||
BanView: banView,
|
||||
Ads: adsSvc,
|
||||
Payments: paymentsSvc,
|
||||
GameLimits: gameLimits,
|
||||
Notifier: hub,
|
||||
ExportSignKey: cfg.ExportSignKey,
|
||||
Renderer: renderer,
|
||||
Robokassa: cfg.Robokassa,
|
||||
})
|
||||
pushSrv := pushgrpc.NewServer(cfg.GRPCAddr, hub, logger)
|
||||
|
||||
@@ -259,6 +337,13 @@ func run(ctx context.Context, cfg config.Config, logger *zap.Logger) error {
|
||||
logger.Info("servers starting",
|
||||
zap.String("http_addr", cfg.HTTPAddr),
|
||||
zap.String("grpc_addr", cfg.GRPCAddr))
|
||||
// Sweep expired pending payment orders on a cadence (cosmetic hygiene; a late valid callback
|
||||
// still credits). Runs until ctx is cancelled.
|
||||
go runOrderReaper(ctx, paymentsSvc, logger)
|
||||
// Deliver pending payment_events to connected clients as an in-app wallet-refresh push (the
|
||||
// credit already landed in the ledger; a return-focus poll is the client-side fallback).
|
||||
go runPaymentDispatcher(ctx, paymentsSvc, hub, logger)
|
||||
|
||||
errc := make(chan error, 2)
|
||||
go func() { errc <- pushSrv.Run(ctx) }()
|
||||
go func() { errc <- srv.Run(ctx) }()
|
||||
@@ -268,6 +353,52 @@ func run(ctx context.Context, cfg config.Config, logger *zap.Logger) error {
|
||||
return err
|
||||
}
|
||||
|
||||
// runOrderReaper periodically expires pending payment orders past their configured lifetime, until
|
||||
// ctx is cancelled. Expiry is cosmetic: a later valid provider callback still credits an expired
|
||||
// order.
|
||||
func runOrderReaper(ctx context.Context, p *payments.Service, log *zap.Logger) {
|
||||
t := time.NewTicker(5 * time.Minute)
|
||||
defer t.Stop()
|
||||
for {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return
|
||||
case <-t.C:
|
||||
if n, err := p.ExpireOrders(ctx); err != nil {
|
||||
log.Warn("order reaper: sweep failed", zap.Error(err))
|
||||
} else if n > 0 {
|
||||
log.Info("order reaper: expired pending orders", zap.Int("count", n))
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// runPaymentDispatcher delivers pending payment_events to connected clients as a wallet-refresh
|
||||
// signal (KindNotification / "payment"), marking each delivered, until ctx is cancelled. The credit
|
||||
// already committed to the ledger; this is only the in-app push so an open wallet updates in place.
|
||||
func runPaymentDispatcher(ctx context.Context, p *payments.Service, pub notify.Publisher, log *zap.Logger) {
|
||||
t := time.NewTicker(3 * time.Second)
|
||||
defer t.Stop()
|
||||
for {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return
|
||||
case <-t.C:
|
||||
evs, err := p.UndispatchedEvents(ctx, 50)
|
||||
if err != nil {
|
||||
log.Warn("payment dispatcher: read failed", zap.Error(err))
|
||||
continue
|
||||
}
|
||||
for _, e := range evs {
|
||||
pub.Publish(notify.Notification(e.AccountID, notify.NotifyPayment))
|
||||
if err := p.MarkEventDispatched(ctx, e.EventID); err != nil {
|
||||
log.Warn("payment dispatcher: mark failed", zap.String("event", e.EventID.String()), zap.Error(err))
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// newMailer builds the confirm-code mailer: an SMTP relay when a host is
|
||||
// configured, otherwise the development log mailer (the code is logged, not sent).
|
||||
func newMailer(cfg account.SMTPConfig, logger *zap.Logger) account.Mailer {
|
||||
|
||||
@@ -0,0 +1,193 @@
|
||||
// Command dictgen dumps golden parity vectors from the committed dawg
|
||||
// dictionaries so the TypeScript dawg reader can be checked byte-for-byte
|
||||
// against the authoritative Go dafsa reader.
|
||||
//
|
||||
// For each *.dawg file it writes, into the output directory:
|
||||
//
|
||||
// - <name>.words.bin — every stored word as alphabet-index bytes, in index
|
||||
// order, framed as [1-byte length][length index bytes]. The word at stream
|
||||
// position k has IndexOfB == k.
|
||||
// - <name>.neg.bin — negative lookups (sequences whose IndexOfB is -1), same
|
||||
// framing, to exercise the not-found path at varying depths.
|
||||
// - <name>.meta.json — NumAdded/NumNodes/NumEdges plus the alphabet size, for
|
||||
// a header-parse sanity cross-check on the TS side.
|
||||
//
|
||||
// It is a development tool (not built into any service), analogous to
|
||||
// cmd/jetgen. Run it from the repository root:
|
||||
//
|
||||
// go run ./backend/cmd/dictgen -dawg-dir ../scrabble-solver/dawg -out <dir>
|
||||
package main
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"flag"
|
||||
"fmt"
|
||||
"math/rand"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"sort"
|
||||
"strings"
|
||||
|
||||
dawg "github.com/iliadenisov/dafsa"
|
||||
)
|
||||
|
||||
// meta is the per-dictionary sanity payload cross-checked by the TS reader.
|
||||
type meta struct {
|
||||
NumAdded int `json:"numAdded"`
|
||||
NumNodes int `json:"numNodes"`
|
||||
NumEdges int `json:"numEdges"`
|
||||
Alphabet int `json:"alphabet"`
|
||||
}
|
||||
|
||||
func main() {
|
||||
dawgDir := flag.String("dawg-dir", "../scrabble-solver/dawg", "directory holding the .dawg files")
|
||||
outDir := flag.String("out", "", "output directory for the golden files (required)")
|
||||
negCount := flag.Int("neg", 20000, "number of negative lookups to emit per dictionary")
|
||||
flag.Parse()
|
||||
|
||||
if *outDir == "" {
|
||||
fail("-out is required")
|
||||
}
|
||||
if err := os.MkdirAll(*outDir, 0o755); err != nil {
|
||||
fail("mkdir out: %v", err)
|
||||
}
|
||||
|
||||
files, err := filepath.Glob(filepath.Join(*dawgDir, "*.dawg"))
|
||||
if err != nil {
|
||||
fail("glob: %v", err)
|
||||
}
|
||||
sort.Strings(files)
|
||||
if len(files) == 0 {
|
||||
fail("no .dawg files in %s", *dawgDir)
|
||||
}
|
||||
|
||||
for _, f := range files {
|
||||
if err := process(f, *outDir, *negCount); err != nil {
|
||||
fail("%s: %v", filepath.Base(f), err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// process emits the golden files for a single dawg dictionary.
|
||||
func process(path, outDir string, negCount int) error {
|
||||
name := strings.TrimSuffix(filepath.Base(path), ".dawg")
|
||||
|
||||
data, err := os.ReadFile(path)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
finder, err := dawg.Read(bytes.NewReader(data), 0)
|
||||
if err != nil {
|
||||
return fmt.Errorf("read dawg: %w", err)
|
||||
}
|
||||
defer finder.Close()
|
||||
|
||||
// Stream every stored word in index order; keep a decimated sample and the
|
||||
// maximum alphabet index for negative generation.
|
||||
wf, err := os.Create(filepath.Join(outDir, name+".words.bin"))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
bw := bufio.NewWriter(wf)
|
||||
|
||||
var (
|
||||
count int
|
||||
maxIx byte
|
||||
sample [][]byte
|
||||
)
|
||||
finder.EnumerateB(func(index int, word []byte, final bool) int {
|
||||
if !final {
|
||||
return 0 // Continue
|
||||
}
|
||||
if index != count {
|
||||
panic(fmt.Sprintf("%s: enumerate index gap: got %d want %d", name, index, count))
|
||||
}
|
||||
writeWord(bw, word)
|
||||
for _, b := range word {
|
||||
if b > maxIx {
|
||||
maxIx = b
|
||||
}
|
||||
}
|
||||
if count%4 == 0 && len(sample) < 60000 {
|
||||
sample = append(sample, append([]byte(nil), word...))
|
||||
}
|
||||
count++
|
||||
return 0 // Continue
|
||||
})
|
||||
if err := bw.Flush(); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := wf.Close(); err != nil {
|
||||
return err
|
||||
}
|
||||
if count != finder.NumAdded() {
|
||||
return fmt.Errorf("word count %d != NumAdded %d", count, finder.NumAdded())
|
||||
}
|
||||
|
||||
alphabet := int(maxIx) + 1
|
||||
|
||||
// Negatives: mutate sampled real words and keep the ones the reader rejects.
|
||||
nf, err := os.Create(filepath.Join(outDir, name+".neg.bin"))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
nbw := bufio.NewWriter(nf)
|
||||
rng := rand.New(rand.NewSource(1))
|
||||
neg := 0
|
||||
for neg < negCount && len(sample) > 0 {
|
||||
base := sample[rng.Intn(len(sample))]
|
||||
cand := append([]byte(nil), base...)
|
||||
switch rng.Intn(3) {
|
||||
case 0: // extend by one index
|
||||
cand = append(cand, byte(rng.Intn(alphabet)))
|
||||
case 1: // flip one index
|
||||
if len(cand) > 0 {
|
||||
cand[rng.Intn(len(cand))] = byte(rng.Intn(alphabet))
|
||||
}
|
||||
case 2: // drop the tail and flip the new last index
|
||||
if len(cand) > 1 {
|
||||
cand = cand[:len(cand)-1]
|
||||
cand[len(cand)-1] = byte(rng.Intn(alphabet))
|
||||
}
|
||||
}
|
||||
if finder.IndexOfB(cand) == -1 {
|
||||
writeWord(nbw, cand)
|
||||
neg++
|
||||
}
|
||||
}
|
||||
if err := nbw.Flush(); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := nf.Close(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
m := meta{NumAdded: finder.NumAdded(), NumNodes: finder.NumNodes(), NumEdges: finder.NumEdges(), Alphabet: alphabet}
|
||||
mb, err := json.MarshalIndent(m, "", " ")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := os.WriteFile(filepath.Join(outDir, name+".meta.json"), mb, 0o644); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
fmt.Printf("%-12s words=%d negatives=%d alphabet=%d nodes=%d edges=%d\n",
|
||||
name, count, neg, alphabet, finder.NumNodes(), finder.NumEdges())
|
||||
return nil
|
||||
}
|
||||
|
||||
// writeWord frames one index-byte word as [length][bytes].
|
||||
func writeWord(w *bufio.Writer, word []byte) {
|
||||
if len(word) > 255 {
|
||||
panic(fmt.Sprintf("word too long to frame: %d", len(word)))
|
||||
}
|
||||
w.WriteByte(byte(len(word)))
|
||||
w.Write(word)
|
||||
}
|
||||
|
||||
func fail(format string, args ...any) {
|
||||
fmt.Fprintf(os.Stderr, "dictgen: "+format+"\n", args...)
|
||||
os.Exit(1)
|
||||
}
|
||||
@@ -9,7 +9,8 @@
|
||||
// 1. start a postgres:17-alpine container via testcontainers-go
|
||||
// 2. open it with search_path=backend and apply the embedded goose migrations
|
||||
// 3. drop goose's bookkeeping table so jet does not generate a model for it
|
||||
// 4. run jet's PostgreSQL generator for schema=backend into internal/postgres/jet
|
||||
// 4. run jet's PostgreSQL generator for the backend and payments schemas into
|
||||
// internal/postgres/jet (one subdirectory per schema)
|
||||
package main
|
||||
|
||||
import (
|
||||
@@ -36,6 +37,7 @@ const (
|
||||
superuserPassword = "scrabble"
|
||||
superuserDatabase = "scrabble_backend"
|
||||
backendSchema = "backend"
|
||||
paymentsSchema = "payments"
|
||||
containerStartup = 90 * time.Second
|
||||
jetOutputDirSuffix = "internal/postgres/jet"
|
||||
)
|
||||
@@ -105,11 +107,16 @@ func run(ctx context.Context) error {
|
||||
return fmt.Errorf("drop goose_db_version: %w", err)
|
||||
}
|
||||
|
||||
if err := jetpostgres.GenerateDB(db, backendSchema, outputDir); err != nil {
|
||||
return fmt.Errorf("jet generate: %w", err)
|
||||
// Each schema generates into its own jet/<schema>/ subdirectory (the
|
||||
// generator wipes only that subtree), so the two calls do not clobber each
|
||||
// other. GenerateDB takes the schema explicitly, so the connection's
|
||||
// search_path=backend does not affect the payments introspection.
|
||||
for _, schema := range []string{backendSchema, paymentsSchema} {
|
||||
if err := jetpostgres.GenerateDB(db, schema, outputDir); err != nil {
|
||||
return fmt.Errorf("jet generate schema=%s: %w", schema, err)
|
||||
}
|
||||
log.Printf("jetgen: generated jet code into %s (schema=%s)", outputDir, schema)
|
||||
}
|
||||
|
||||
log.Printf("jetgen: generated jet code into %s (schema=%s)", outputDir, backendSchema)
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,417 @@
|
||||
// Command movegen emits golden conformance fixtures for the client-side move
|
||||
// generator port (ui/src/lib/dict). It is a dev tool, run by hand; its output is
|
||||
// committed so the TypeScript parity tests run without a Go toolchain.
|
||||
//
|
||||
// For each small sample dictionary (English and Russian — the latter reaches
|
||||
// alphabet index 32, exercising the 33-letter cross-set boundary) it writes:
|
||||
//
|
||||
// - sample_<tag>.dawg the serialized dictionary (the reader/cursor fixture)
|
||||
// - sample_<tag>.words.json the stored words + their alphabet indexes
|
||||
// - sample_<tag>.gen.json ranked move-generation results from the real solver,
|
||||
// for a handful of positions, plus the ruleset the TS
|
||||
// side rebuilds to score identically
|
||||
//
|
||||
// Positions are built with only the solver's public API: an empty board, and
|
||||
// two-ply positions reached by applying the solver's own top move (so no internal
|
||||
// encoding is needed). Regenerate with:
|
||||
//
|
||||
// go run ./backend/cmd/movegen -out ui/src/lib/dict/testdata
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"flag"
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/board"
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/rack"
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/rules"
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/scrabble"
|
||||
dawg "github.com/iliadenisov/dafsa"
|
||||
)
|
||||
|
||||
// sampleWordsEN is the English sample dictionary, in strictly increasing
|
||||
// alphabet-index order (the builder requires it). Shared prefixes (car/care/cars),
|
||||
// shared suffixes (cats/dogs), internal-final nodes (do, an) and a one-letter word.
|
||||
var sampleWordsEN = []string{
|
||||
"a", "an", "and", "ant",
|
||||
"car", "care", "cared", "cares", "cars", "cat", "cats",
|
||||
"do", "doe", "does", "dog", "dogs", "done", "dot",
|
||||
}
|
||||
|
||||
// sampleWordsRU is the Russian sample dictionary, in strictly increasing index
|
||||
// order. It deliberately includes words starting with я (index 32) so the ported
|
||||
// cross-set handles alphabet indexes past JS's 31-bit shift boundary.
|
||||
var sampleWordsRU = []string{"ад", "ар", "оса", "я", "яд", "яр"}
|
||||
|
||||
// sampleFixture is the JSON committed with the .dawg so the TypeScript cursor test
|
||||
// knows the exact word set (as alphabet indexes) to expect from enumeration.
|
||||
type sampleFixture struct {
|
||||
Alphabet string `json:"alphabet"`
|
||||
NumAdded int `json:"numAdded"`
|
||||
Words []string `json:"words"`
|
||||
Indexes [][]int `json:"indexes"`
|
||||
}
|
||||
|
||||
// genFixture is the move-generation golden set for one sample dictionary.
|
||||
type genFixture struct {
|
||||
Ruleset genRuleset `json:"ruleset"`
|
||||
Cases []genCase `json:"cases"`
|
||||
}
|
||||
|
||||
// genRuleset is the scoring data the TS side rebuilds so evaluate() matches the Go
|
||||
// solver: letter values, premium multipliers per square, the centre, rack size and bonus.
|
||||
type genRuleset struct {
|
||||
Size int `json:"size"`
|
||||
Cols int `json:"cols"`
|
||||
Center int `json:"center"`
|
||||
RackSize int `json:"rackSize"`
|
||||
Bingo int `json:"bingo"`
|
||||
Values []int `json:"values"`
|
||||
LetterMult [][]int `json:"letterMult"`
|
||||
WordMult [][]int `json:"wordMult"`
|
||||
}
|
||||
|
||||
// genTile is one placed tile (a board tile or a move placement).
|
||||
type genTile struct {
|
||||
Row int `json:"row"`
|
||||
Col int `json:"col"`
|
||||
Letter int `json:"letter"`
|
||||
Blank bool `json:"blank"`
|
||||
}
|
||||
|
||||
// genRack is a rack as a multiset of letter indexes plus a blank count.
|
||||
type genRack struct {
|
||||
Letters []int `json:"letters"`
|
||||
Blanks int `json:"blanks"`
|
||||
}
|
||||
|
||||
// genMove is one ranked generated play: its orientation, placed tiles and total score.
|
||||
type genMove struct {
|
||||
Dir int `json:"dir"`
|
||||
Tiles []genTile `json:"tiles"`
|
||||
Score int `json:"score"`
|
||||
}
|
||||
|
||||
// genCase is one generation position: the tiles already on the board (empty when
|
||||
// none), the rack, the mode/rule and the ranked moves the solver returns.
|
||||
type genCase struct {
|
||||
Name string `json:"name"`
|
||||
Placed []genTile `json:"placed"`
|
||||
Rack genRack `json:"rack"`
|
||||
Mode int `json:"mode"`
|
||||
IgnoreCrossWords bool `json:"ignoreCrossWords"`
|
||||
Moves []genMove `json:"moves"`
|
||||
}
|
||||
|
||||
func main() {
|
||||
out := flag.String("out", "ui/src/lib/dict/testdata", "output directory for fixtures")
|
||||
dawgDir := flag.String("dawg-dir", "", "when set, emit real-dictionary move-gen golden from the .dawg files in this dir (conformance mode) instead of the committed samples")
|
||||
flag.Parse()
|
||||
|
||||
if err := os.MkdirAll(*out, 0o755); err != nil {
|
||||
log.Fatalf("movegen: mkdir %s: %v", *out, err)
|
||||
}
|
||||
|
||||
if *dawgDir != "" {
|
||||
buildReal(*dawgDir, *out)
|
||||
return
|
||||
}
|
||||
|
||||
emitRulesets()
|
||||
|
||||
buildSample(*out, "en", rules.English(), sampleWordsEN, []genCase{
|
||||
emptyCase("empty-cared", englishRack("caredts", 0), scrabble.Both, false),
|
||||
emptyCase("empty-dogs", englishRack("dogsent", 0), scrabble.Both, false),
|
||||
emptyCase("empty-blank", englishRack("caret", 1), scrabble.Both, false),
|
||||
emptyCase("empty-single-word", englishRack("caredts", 0), scrabble.Both, true),
|
||||
})
|
||||
|
||||
buildSample(*out, "ru", rules.RussianScrabble(), sampleWordsRU, []genCase{
|
||||
emptyCase("empty-yad", russianRack("ядрасо", 0), scrabble.Both, false),
|
||||
})
|
||||
}
|
||||
|
||||
// buildSample writes the dawg, the word fixture and the generation golden set for
|
||||
// one sample dictionary. Two-ply cases are appended: the solver's own top move from
|
||||
// the first non-empty result is applied, then generation runs again on the new rack.
|
||||
func buildSample(out, tag string, rs *rules.Ruleset, words []string, cases []genCase) {
|
||||
idx := rs.Alphabet
|
||||
b := dawg.New(idx)
|
||||
indexes := make([][]int, 0, len(words))
|
||||
for _, w := range words {
|
||||
if err := b.Add(w); err != nil {
|
||||
log.Fatalf("movegen[%s]: add %q: %v", tag, w, err)
|
||||
}
|
||||
enc, err := idx.Encode(w)
|
||||
if err != nil {
|
||||
log.Fatalf("movegen[%s]: encode %q: %v", tag, w, err)
|
||||
}
|
||||
ints := make([]int, len(enc))
|
||||
for i, x := range enc {
|
||||
ints[i] = int(x)
|
||||
}
|
||||
indexes = append(indexes, ints)
|
||||
}
|
||||
finder := b.Finish()
|
||||
|
||||
writeJSON(filepath.Join(out, "sample_"+tag+".words.json"), sampleFixture{
|
||||
Alphabet: tag, NumAdded: finder.NumAdded(), Words: words, Indexes: indexes,
|
||||
})
|
||||
dawgPath := filepath.Join(out, "sample_"+tag+".dawg")
|
||||
if _, err := finder.Save(dawgPath); err != nil {
|
||||
log.Fatalf("movegen[%s]: save %s: %v", tag, dawgPath, err)
|
||||
}
|
||||
|
||||
s := scrabble.NewSolver(rs, finder)
|
||||
for i := range cases {
|
||||
runCase(s, rs, &cases[i], nil)
|
||||
}
|
||||
// A two-ply position from the first standard case that produced a move.
|
||||
if two := twoPly(s, rs, cases); two != nil {
|
||||
cases = append(cases, *two)
|
||||
}
|
||||
|
||||
writeJSON(filepath.Join(out, "sample_"+tag+".gen.json"), genFixture{
|
||||
Ruleset: rulesetOf(rs), Cases: cases,
|
||||
})
|
||||
log.Printf("movegen[%s]: %d words, %d cases", tag, finder.NumAdded(), len(cases))
|
||||
}
|
||||
|
||||
// realVariant maps a shipped dictionary file to the ruleset that scores it and the racks
|
||||
// the conformance positions use. smallRack/blankRack keep the first-move (empty board)
|
||||
// lists bounded on a dense dictionary; fullRack drives a deep 7-tile mid-game position,
|
||||
// kept small by the anchors around the already-placed word.
|
||||
type realVariant struct {
|
||||
file, variant, smallRack, blankRack, fullRack string
|
||||
rs *rules.Ruleset
|
||||
}
|
||||
|
||||
// buildReal emits move-generation golden from the real shipped dictionaries in dawgDir —
|
||||
// the full alphabets and deep graphs the tiny samples cannot reach — one
|
||||
// <variant>.movegen.json per variant. Like the dictgen/validategen vectors it is
|
||||
// regenerated in CI and never committed, so it pins no dictionary version into the repo.
|
||||
func buildReal(dawgDir, out string) {
|
||||
reals := []realVariant{
|
||||
{"en_sowpods", "scrabble_en", "aine", "ain", "aeinrst", rules.English()},
|
||||
{"ru_scrabble", "scrabble_ru", "аеин", "аен", "аеиноср", rules.RussianScrabble()},
|
||||
{"ru_erudit", "erudit_ru", "аеин", "аен", "аеиноср", rules.Erudit()},
|
||||
}
|
||||
for _, v := range reals {
|
||||
data, err := os.ReadFile(filepath.Join(dawgDir, v.file+".dawg"))
|
||||
if err != nil {
|
||||
log.Fatalf("movegen[%s]: read dawg: %v", v.variant, err)
|
||||
}
|
||||
finder, err := dawg.Read(bytes.NewReader(data), 0)
|
||||
if err != nil {
|
||||
log.Fatalf("movegen[%s]: parse dawg: %v", v.variant, err)
|
||||
}
|
||||
s := scrabble.NewSolver(v.rs, finder)
|
||||
|
||||
cases := []genCase{
|
||||
emptyCase("first-move", encRack(v.rs, v.smallRack, 0), scrabble.Both, false),
|
||||
emptyCase("first-move-blank", encRack(v.rs, v.blankRack, 1), scrabble.Both, false),
|
||||
}
|
||||
for i := range cases {
|
||||
runCase(s, v.rs, &cases[i], nil)
|
||||
}
|
||||
// A deep 7-tile mid-game: place the top first move, then generate again. The
|
||||
// anchors around the placed word bound the list while still exercising a full rack,
|
||||
// deep left/right extension and wide cross-sets over the real graph.
|
||||
full := encRack(v.rs, v.fullRack, 0)
|
||||
b := board.New(v.rs.Rows, v.rs.Cols)
|
||||
if m1 := s.GenerateMovesOpts(b, toRack(v.rs.Size(), full), scrabble.Both, scrabble.PlayOptions{}); len(m1) > 0 {
|
||||
mid := genCase{Name: "mid-game", Rack: full, Mode: int(scrabble.Both)}
|
||||
runCase(s, v.rs, &mid, tilesOf(m1[0].Tiles))
|
||||
cases = append(cases, mid)
|
||||
}
|
||||
|
||||
writeJSON(filepath.Join(out, v.variant+".movegen.json"), genFixture{Ruleset: rulesetOf(v.rs), Cases: cases})
|
||||
total := 0
|
||||
for _, c := range cases {
|
||||
total += len(c.Moves)
|
||||
}
|
||||
_ = finder.Close()
|
||||
log.Printf("movegen[%s]: %d cases, %d golden moves", v.variant, len(cases), total)
|
||||
}
|
||||
}
|
||||
|
||||
// encRack encodes a rack given as the variant's letters (plus a blank count) into the
|
||||
// index-based genRack the fixtures carry.
|
||||
func encRack(rs *rules.Ruleset, letters string, blanks int) genRack {
|
||||
enc, err := rs.Alphabet.Encode(letters)
|
||||
if err != nil {
|
||||
log.Fatalf("movegen: encode rack %q: %v", letters, err)
|
||||
}
|
||||
idx := make([]int, len(enc))
|
||||
for i, b := range enc {
|
||||
idx[i] = int(b)
|
||||
}
|
||||
return genRack{Letters: idx, Blanks: blanks}
|
||||
}
|
||||
|
||||
// runCase fills a case's Moves by generating on a board holding the given placed
|
||||
// tiles (nil = empty board).
|
||||
func runCase(s *scrabble.Solver, rs *rules.Ruleset, c *genCase, placed []genTile) {
|
||||
bd := board.New(rs.Rows, rs.Cols)
|
||||
for _, t := range placed {
|
||||
bd.Set(t.Row, t.Col, cellByte(t.Letter, t.Blank))
|
||||
}
|
||||
c.Placed = placed
|
||||
rk := toRack(rs.Size(), c.Rack)
|
||||
moves := s.GenerateMovesOpts(bd, rk, scrabble.Mode(c.Mode), scrabble.PlayOptions{IgnoreCrossWords: c.IgnoreCrossWords})
|
||||
c.Moves = movesOf(moves)
|
||||
}
|
||||
|
||||
// twoPly reaches a mid-game position by applying the top move of the first standard
|
||||
// case that generated one, then generates again with a fresh rack of the same tiles.
|
||||
func twoPly(s *scrabble.Solver, rs *rules.Ruleset, cases []genCase) *genCase {
|
||||
for _, c := range cases {
|
||||
if c.IgnoreCrossWords || len(c.Moves) == 0 {
|
||||
continue
|
||||
}
|
||||
placed := c.Moves[0].Tiles
|
||||
next := genCase{Name: "two-ply", Rack: c.Rack, Mode: int(scrabble.Both)}
|
||||
runCase(s, rs, &next, placed)
|
||||
return &next
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// cellByte encodes a board cell the way internal/encoding.Cell does (bits 0-5 hold
|
||||
// letter+1, bit 7 marks a blank). Duplicated here because that package is internal
|
||||
// to the solver module and cannot be imported.
|
||||
func cellByte(letter int, blank bool) byte {
|
||||
v := byte(letter+1) & 0x3f
|
||||
if blank {
|
||||
v |= 0x80
|
||||
}
|
||||
return v
|
||||
}
|
||||
|
||||
func toRack(size int, r genRack) rack.Rack {
|
||||
rk := rack.New(size)
|
||||
for _, l := range r.Letters {
|
||||
rk.Add(byte(l))
|
||||
}
|
||||
for i := 0; i < r.Blanks; i++ {
|
||||
rk.AddBlank()
|
||||
}
|
||||
return rk
|
||||
}
|
||||
|
||||
func rulesetOf(rs *rules.Ruleset) genRuleset {
|
||||
lm := make([][]int, rs.Rows)
|
||||
wm := make([][]int, rs.Rows)
|
||||
for r := 0; r < rs.Rows; r++ {
|
||||
lm[r] = make([]int, rs.Cols)
|
||||
wm[r] = make([]int, rs.Cols)
|
||||
for c := 0; c < rs.Cols; c++ {
|
||||
p := rs.Premium(r, c)
|
||||
lm[r][c] = p.LetterMult()
|
||||
wm[r][c] = p.WordMult()
|
||||
}
|
||||
}
|
||||
return genRuleset{
|
||||
Size: rs.Size(), Cols: rs.Cols, Center: rs.Center, RackSize: rs.RackSize,
|
||||
Bingo: rs.Bingo, Values: rs.Values, LetterMult: lm, WordMult: wm,
|
||||
}
|
||||
}
|
||||
|
||||
func movesOf(ms []scrabble.Move) []genMove {
|
||||
out := make([]genMove, len(ms))
|
||||
for i, m := range ms {
|
||||
out[i] = genMove{Dir: int(m.Dir), Tiles: tilesOf(m.Tiles), Score: m.Score}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func tilesOf(ps []scrabble.Placement) []genTile {
|
||||
out := make([]genTile, len(ps))
|
||||
for i, p := range ps {
|
||||
out[i] = genTile{Row: p.Row, Col: p.Col, Letter: int(p.Letter), Blank: p.Blank}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// emptyCase builds an empty-board case (Moves filled later by runCase).
|
||||
func emptyCase(name string, r genRack, mode scrabble.Mode, ignoreCross bool) genCase {
|
||||
return genCase{Name: name, Rack: r, Mode: int(mode), IgnoreCrossWords: ignoreCross}
|
||||
}
|
||||
|
||||
// englishRack builds a rack from lowercase a-z letters (index = letter-'a').
|
||||
func englishRack(letters string, blanks int) genRack {
|
||||
idx := make([]int, 0, len(letters))
|
||||
for _, ch := range letters {
|
||||
idx = append(idx, int(ch-'a'))
|
||||
}
|
||||
return genRack{Letters: idx, Blanks: blanks}
|
||||
}
|
||||
|
||||
// russianRack builds a rack from the Russian sample letters used above.
|
||||
func russianRack(letters string, blanks int) genRack {
|
||||
m := map[rune]int{'а': 0, 'д': 4, 'о': 15, 'р': 17, 'с': 18, 'я': 32}
|
||||
idx := make([]int, 0, len([]rune(letters)))
|
||||
for _, ch := range letters {
|
||||
i, ok := m[ch]
|
||||
if !ok {
|
||||
log.Fatalf("movegen: russianRack: no index for %q", string(ch))
|
||||
}
|
||||
idx = append(idx, i)
|
||||
}
|
||||
return genRack{Letters: idx, Blanks: blanks}
|
||||
}
|
||||
|
||||
// emitRulesets writes the per-variant static ruleset data (tile values, bag counts, blanks,
|
||||
// bingo, rack size) the offline engine mirrors in ui/src/lib/localgame/ruleset.ts, so a TS
|
||||
// parity test can pin that hand-copied table to the Go rulesets (scrabble-solver/rules).
|
||||
func emitRulesets() {
|
||||
type rsFix struct {
|
||||
Size int `json:"size"`
|
||||
RackSize int `json:"rackSize"`
|
||||
Bingo int `json:"bingo"`
|
||||
Blanks int `json:"blanks"`
|
||||
Values []int `json:"values"`
|
||||
Counts []int `json:"counts"`
|
||||
Letters []string `json:"letters"`
|
||||
}
|
||||
out := map[string]rsFix{}
|
||||
for _, v := range []struct {
|
||||
name string
|
||||
rs *rules.Ruleset
|
||||
}{
|
||||
{"scrabble_en", rules.English()},
|
||||
{"scrabble_ru", rules.RussianScrabble()},
|
||||
{"erudit_ru", rules.Erudit()},
|
||||
} {
|
||||
letters := make([]string, v.rs.Size())
|
||||
for i := range letters {
|
||||
ch, err := v.rs.Alphabet.Character(byte(i))
|
||||
if err != nil {
|
||||
log.Fatalf("movegen: %s letter %d: %v", v.name, i, err)
|
||||
}
|
||||
letters[i] = strings.ToUpper(ch)
|
||||
}
|
||||
out[v.name] = rsFix{Size: v.rs.Size(), RackSize: v.rs.RackSize, Bingo: v.rs.Bingo, Blanks: v.rs.Blanks, Values: v.rs.Values, Counts: v.rs.Counts, Letters: letters}
|
||||
}
|
||||
dir := filepath.Join("ui", "src", "lib", "localgame", "testdata")
|
||||
if err := os.MkdirAll(dir, 0o755); err != nil {
|
||||
log.Fatalf("movegen: mkdir %s: %v", dir, err)
|
||||
}
|
||||
writeJSON(filepath.Join(dir, "rulesets.json"), out)
|
||||
log.Printf("movegen: wrote %s (3 variants)", filepath.Join(dir, "rulesets.json"))
|
||||
}
|
||||
|
||||
func writeJSON(path string, v any) {
|
||||
data, err := json.MarshalIndent(v, "", " ")
|
||||
if err != nil {
|
||||
log.Fatalf("movegen: marshal %s: %v", path, err)
|
||||
}
|
||||
if err := os.WriteFile(path, append(data, '\n'), 0o644); err != nil {
|
||||
log.Fatalf("movegen: write %s: %v", path, err)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,486 @@
|
||||
// Command validategen produces golden conformance fixtures for the TypeScript
|
||||
// move validator (ui/src/lib/dict/validate.ts). For each variant it self-plays
|
||||
// greedy games with the authoritative scrabble-solver engine to build realistic
|
||||
// board positions, then records a battery of candidate plays — the engine's own
|
||||
// top move, letter-mutated variants, random scatters and (on the empty board) an
|
||||
// off-centre translation — each paired with the ground-truth result of
|
||||
// ValidatePlayOpts (legal, score, the words formed). The TS conformance test
|
||||
// replays these and must agree exactly.
|
||||
//
|
||||
// It is a development tool (not built into any service), analogous to
|
||||
// cmd/dictgen. Run it from the repository root:
|
||||
//
|
||||
// go run ./backend/cmd/validategen -dawg-dir ../scrabble-solver/dawg -out <dir>
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"flag"
|
||||
"fmt"
|
||||
"math/rand"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/board"
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/rack"
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/rules"
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/scrabble"
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/selfplay"
|
||||
dawg "github.com/iliadenisov/dafsa"
|
||||
)
|
||||
|
||||
// blankTile marks a blank tile in a drawn hand (matches selfplay).
|
||||
const blankTile byte = 0xff
|
||||
|
||||
// variantSpec pairs a variant label with its ruleset and dawg file.
|
||||
type variantSpec struct {
|
||||
name string
|
||||
rules *rules.Ruleset
|
||||
dawg string
|
||||
}
|
||||
|
||||
// cell is an occupied board square or a placement (alphabet-index letter).
|
||||
type cell struct {
|
||||
R, C, Letter int
|
||||
Blank bool
|
||||
}
|
||||
|
||||
// word mirrors scrabble.Word in index space.
|
||||
type word struct {
|
||||
Row, Col, Dir int
|
||||
Letters []int
|
||||
Blanks []bool
|
||||
Score int
|
||||
}
|
||||
|
||||
// fixture is one candidate play with the engine's ground-truth verdict.
|
||||
type fixture struct {
|
||||
Board int `json:"board"` // index into the boards list
|
||||
Dir int `json:"dir"`
|
||||
IgnoreCrossWords bool `json:"ignoreCrossWords"`
|
||||
Tiles []cell `json:"tiles"`
|
||||
Legal bool `json:"legal"`
|
||||
Score int `json:"score"`
|
||||
Bonus int `json:"bonus"`
|
||||
Main *word `json:"main,omitempty"`
|
||||
Cross []word `json:"cross,omitempty"`
|
||||
}
|
||||
|
||||
// alphaEntry mirrors one row of the per-variant alphabet table the server sends the
|
||||
// client (index, concrete letter as the ruleset emits it, tile value), so the adapter
|
||||
// cross-test can drive the letter-space client path exactly as production does.
|
||||
type alphaEntry struct {
|
||||
Index int `json:"index"`
|
||||
Letter string `json:"letter"`
|
||||
Value int `json:"value"`
|
||||
}
|
||||
|
||||
// variantFile is the whole conformance payload for one variant.
|
||||
type variantFile struct {
|
||||
Variant string `json:"variant"`
|
||||
Rows int `json:"rows"`
|
||||
Cols int `json:"cols"`
|
||||
Center int `json:"center"`
|
||||
RackSize int `json:"rackSize"`
|
||||
Bingo int `json:"bingo"`
|
||||
Values []int `json:"values"`
|
||||
Premiums []int `json:"premiums"` // row-major rules.Premium codes
|
||||
Alphabet []alphaEntry `json:"alphabet"`
|
||||
Boards [][]cell `json:"boards"`
|
||||
Fixtures []fixture `json:"fixtures"`
|
||||
}
|
||||
|
||||
func main() {
|
||||
dawgDir := flag.String("dawg-dir", "../scrabble-solver/dawg", "directory holding the .dawg files")
|
||||
outDir := flag.String("out", "", "output directory for the fixture files (required)")
|
||||
games := flag.Int("games", 6, "self-play games per (variant, rule)")
|
||||
plies := flag.Int("plies", 40, "maximum plies captured per game")
|
||||
flag.Parse()
|
||||
if *outDir == "" {
|
||||
fail("-out is required")
|
||||
}
|
||||
if err := os.MkdirAll(*outDir, 0o755); err != nil {
|
||||
fail("mkdir out: %v", err)
|
||||
}
|
||||
|
||||
specs := []variantSpec{
|
||||
{"scrabble_en", rules.English(), "en_sowpods.dawg"},
|
||||
{"scrabble_ru", rules.RussianScrabble(), "ru_scrabble.dawg"},
|
||||
{"erudit_ru", rules.Erudit(), "ru_erudit.dawg"},
|
||||
}
|
||||
for _, sp := range specs {
|
||||
if err := generate(sp, *dawgDir, *outDir, *games, *plies); err != nil {
|
||||
fail("%s: %v", sp.name, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func generate(sp variantSpec, dawgDir, outDir string, games, plies int) error {
|
||||
data, err := os.ReadFile(filepath.Join(dawgDir, sp.dawg))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
finder, err := dawg.Read(bytes.NewReader(data), 0)
|
||||
if err != nil {
|
||||
return fmt.Errorf("read dawg: %w", err)
|
||||
}
|
||||
defer finder.Close()
|
||||
|
||||
rs := sp.rules
|
||||
solver := scrabble.NewSolver(rs, finder)
|
||||
|
||||
out := variantFile{
|
||||
Variant: sp.name, Rows: rs.Rows, Cols: rs.Cols, Center: rs.Center,
|
||||
RackSize: rs.RackSize, Bingo: rs.Bingo, Values: rs.Values,
|
||||
Premiums: premiumCodes(rs), Alphabet: alphabetOf(rs),
|
||||
}
|
||||
|
||||
// Capture under both the standard rule and the single-word rule, building the
|
||||
// board with the same rule so positions are reachable under it.
|
||||
for _, ignore := range []bool{false, true} {
|
||||
opts := scrabble.PlayOptions{IgnoreCrossWords: ignore}
|
||||
for g := range games {
|
||||
seed := int64(g*1000) + boolseed(ignore) + variantSeed(sp.name)
|
||||
playAndCapture(&out, rs, solver, opts, seed, plies)
|
||||
}
|
||||
}
|
||||
|
||||
b, err := json.Marshal(&out)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := os.WriteFile(filepath.Join(outDir, sp.name+".fixtures.json"), b, 0o644); err != nil {
|
||||
return err
|
||||
}
|
||||
fmt.Printf("%-12s boards=%d fixtures=%d\n", sp.name, len(out.Boards), len(out.Fixtures))
|
||||
return nil
|
||||
}
|
||||
|
||||
// playAndCapture greedily self-plays one game, recording candidate plays against
|
||||
// each board position along the way.
|
||||
func playAndCapture(out *variantFile, rs *rules.Ruleset, solver *scrabble.Solver, opts scrabble.PlayOptions, seed int64, plies int) {
|
||||
rng := rand.New(rand.NewSource(seed))
|
||||
bag := selfplay.NewBag(rs, seed)
|
||||
b := board.New(rs.Rows, rs.Cols)
|
||||
hands := [2][]byte{bag.Draw(rs.RackSize), bag.Draw(rs.RackSize)}
|
||||
|
||||
passes := 0
|
||||
for turn := range plies {
|
||||
p := turn % 2
|
||||
rk := rackOf(hands[p], rs.Size())
|
||||
moves := solver.GenerateMovesOpts(b, rk, scrabble.Both, opts)
|
||||
if len(moves) == 0 {
|
||||
if passes++; passes >= 4 {
|
||||
break
|
||||
}
|
||||
continue
|
||||
}
|
||||
passes = 0
|
||||
top := moves[0]
|
||||
|
||||
boardIdx := len(out.Boards)
|
||||
out.Boards = append(out.Boards, boardCells(b))
|
||||
captureCandidates(out, rs, solver, opts, b, boardIdx, top, rng)
|
||||
|
||||
scrabble.Apply(b, top)
|
||||
hands[p] = removeUsed(hands[p], top)
|
||||
if need := rs.RackSize - len(hands[p]); need > 0 {
|
||||
hands[p] = append(hands[p], bag.Draw(need)...)
|
||||
}
|
||||
if len(hands[p]) == 0 && bag.Len() == 0 {
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// captureCandidates records the engine's top move plus derived candidates for one
|
||||
// board, each with its ValidatePlayOpts verdict.
|
||||
func captureCandidates(out *variantFile, rs *rules.Ruleset, solver *scrabble.Solver, opts scrabble.PlayOptions, b *board.Board, boardIdx int, top scrabble.Move, rng *rand.Rand) {
|
||||
size := rs.Size()
|
||||
record := func(tiles []scrabble.Placement) {
|
||||
if len(tiles) == 0 {
|
||||
return
|
||||
}
|
||||
out.Fixtures = append(out.Fixtures, makeFixture(solver, opts, b, boardIdx, tiles))
|
||||
}
|
||||
|
||||
// The engine's own top move (legal).
|
||||
record(top.Tiles)
|
||||
|
||||
// Letter-mutated variants: usually reject on the dictionary, occasionally form
|
||||
// a different legal word.
|
||||
for range 3 {
|
||||
mut := clonePlacements(top.Tiles)
|
||||
i := rng.Intn(len(mut))
|
||||
mut[i].Letter = byte((int(mut[i].Letter) + 1 + rng.Intn(size-1)) % size)
|
||||
record(mut)
|
||||
}
|
||||
|
||||
// Random scatters: exercise geometry, dictionary and connectivity paths.
|
||||
for range 3 {
|
||||
record(randomScatter(b, size, 2+rng.Intn(4), rng))
|
||||
}
|
||||
|
||||
// Single tiles abutting the board exercise the direction inference — a single
|
||||
// tile is ambiguous, its orientation resolved from which axis it extends.
|
||||
for range 3 {
|
||||
if t, ok := randomAdjacentSingle(b, size, rng); ok {
|
||||
record([]scrabble.Placement{t})
|
||||
}
|
||||
}
|
||||
|
||||
// On the empty board, an off-centre translation of the first move exercises the
|
||||
// first-move centre rule.
|
||||
if b.IsEmpty() {
|
||||
shifted := clonePlacements(top.Tiles)
|
||||
ok := true
|
||||
for i := range shifted {
|
||||
shifted[i].Row++
|
||||
shifted[i].Col++
|
||||
if !b.InBounds(shifted[i].Row, shifted[i].Col) {
|
||||
ok = false
|
||||
break
|
||||
}
|
||||
}
|
||||
if ok {
|
||||
record(shifted)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// makeFixture validates a candidate against board b and serializes it with its
|
||||
// ground truth. Word breakdown is recorded only for legal plays (the TS test
|
||||
// checks words only then); an illegal play records legal=false alone.
|
||||
func makeFixture(solver *scrabble.Solver, opts scrabble.PlayOptions, b *board.Board, boardIdx int, tiles []scrabble.Placement) fixture {
|
||||
// Infer the orientation exactly as the backend evaluate does (dir-less), so the
|
||||
// fixture matches the real eval path and pins the client's ported inference.
|
||||
dir := playDirectionMirror(solver, b, tiles, opts)
|
||||
fx := fixture{
|
||||
Board: boardIdx,
|
||||
Dir: int(dir),
|
||||
IgnoreCrossWords: opts.IgnoreCrossWords,
|
||||
Tiles: placementCells(tiles),
|
||||
}
|
||||
m, err := solver.ValidatePlayOpts(b, dir, tiles, opts)
|
||||
if err == nil {
|
||||
fx.Legal = true
|
||||
fx.Score = m.Score
|
||||
fx.Bonus = m.Bonus
|
||||
fx.Main = toWord(m.Main)
|
||||
for _, cw := range m.Cross {
|
||||
fx.Cross = append(fx.Cross, *toWord(cw))
|
||||
}
|
||||
}
|
||||
return fx
|
||||
}
|
||||
|
||||
func placementCells(ts []scrabble.Placement) []cell {
|
||||
cs := make([]cell, len(ts))
|
||||
for i, t := range ts {
|
||||
cs[i] = cell{R: t.Row, C: t.Col, Letter: int(t.Letter), Blank: t.Blank}
|
||||
}
|
||||
return cs
|
||||
}
|
||||
|
||||
func toWord(w scrabble.Word) *word {
|
||||
letters := make([]int, len(w.Letters))
|
||||
for i, l := range w.Letters {
|
||||
letters[i] = int(l)
|
||||
}
|
||||
return &word{
|
||||
Row: w.Row, Col: w.Col, Dir: int(w.Dir),
|
||||
Letters: letters, Blanks: append([]bool(nil), w.Blanks...), Score: w.Score,
|
||||
}
|
||||
}
|
||||
|
||||
func alphabetOf(rs *rules.Ruleset) []alphaEntry {
|
||||
n := rs.Alphabet.Size()
|
||||
out := make([]alphaEntry, n)
|
||||
for i := range n {
|
||||
ch, _ := rs.Alphabet.Character(byte(i))
|
||||
out[i] = alphaEntry{Index: i, Letter: ch, Value: rs.Values[i]}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func premiumCodes(rs *rules.Ruleset) []int {
|
||||
codes := make([]int, rs.Rows*rs.Cols)
|
||||
for i := range codes {
|
||||
codes[i] = int(rs.PremiumAt(i))
|
||||
}
|
||||
return codes
|
||||
}
|
||||
|
||||
func boardCells(b *board.Board) []cell {
|
||||
var cs []cell
|
||||
for r := 0; r < b.Rows(); r++ {
|
||||
for c := 0; c < b.Cols(); c++ {
|
||||
if b.Filled(r, c) {
|
||||
v := b.At(r, c)
|
||||
cs = append(cs, cell{R: r, C: c, Letter: int(v&0x3f) - 1, Blank: v&0x80 != 0})
|
||||
}
|
||||
}
|
||||
}
|
||||
return cs
|
||||
}
|
||||
|
||||
func clonePlacements(ts []scrabble.Placement) []scrabble.Placement {
|
||||
return append([]scrabble.Placement(nil), ts...)
|
||||
}
|
||||
|
||||
// randomScatter picks n distinct empty in-bounds squares with random letters.
|
||||
func randomScatter(b *board.Board, size, n int, rng *rand.Rand) []scrabble.Placement {
|
||||
seen := map[[2]int]bool{}
|
||||
var ts []scrabble.Placement
|
||||
for tries := 0; tries < n*20 && len(ts) < n; tries++ {
|
||||
r := rng.Intn(b.Rows())
|
||||
c := rng.Intn(b.Cols())
|
||||
if seen[[2]int{r, c}] || b.Filled(r, c) {
|
||||
continue
|
||||
}
|
||||
seen[[2]int{r, c}] = true
|
||||
ts = append(ts, scrabble.Placement{Row: r, Col: c, Letter: byte(rng.Intn(size)), Blank: rng.Intn(10) == 0})
|
||||
}
|
||||
return ts
|
||||
}
|
||||
|
||||
// randomAdjacentSingle picks a random empty in-bounds square abutting at least one
|
||||
// filled square, with a random letter — a single-tile play whose orientation the
|
||||
// inference must resolve. It returns ok=false on an empty board.
|
||||
func randomAdjacentSingle(b *board.Board, size int, rng *rand.Rand) (scrabble.Placement, bool) {
|
||||
var cands [][2]int
|
||||
for r := 0; r < b.Rows(); r++ {
|
||||
for c := 0; c < b.Cols(); c++ {
|
||||
if b.Filled(r, c) {
|
||||
continue
|
||||
}
|
||||
if b.Filled(r-1, c) || b.Filled(r+1, c) || b.Filled(r, c-1) || b.Filled(r, c+1) {
|
||||
cands = append(cands, [2]int{r, c})
|
||||
}
|
||||
}
|
||||
}
|
||||
if len(cands) == 0 {
|
||||
return scrabble.Placement{}, false
|
||||
}
|
||||
rc := cands[rng.Intn(len(cands))]
|
||||
return scrabble.Placement{Row: rc[0], Col: rc[1], Letter: byte(rng.Intn(size)), Blank: rng.Intn(10) == 0}, true
|
||||
}
|
||||
|
||||
// playDirectionMirror mirrors engine (*Game).playDirection: the geometric
|
||||
// resolution, except a single tile under the single-word rule tries both
|
||||
// orientations through the solver and keeps the higher-scoring legal one (H wins
|
||||
// ties). It reproduces the orientation the backend evaluate infers.
|
||||
func playDirectionMirror(solver *scrabble.Solver, b *board.Board, placements []scrabble.Placement, opts scrabble.PlayOptions) scrabble.Direction {
|
||||
geo := resolveDirectionMirror(b, placements)
|
||||
if len(placements) != 1 || !opts.IgnoreCrossWords {
|
||||
return geo
|
||||
}
|
||||
best, found, bestScore := geo, false, 0
|
||||
for _, dir := range [...]scrabble.Direction{scrabble.Horizontal, scrabble.Vertical} {
|
||||
m, err := solver.ValidatePlayOpts(b, dir, placements, opts)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
if !found || m.Score > bestScore {
|
||||
best, found, bestScore = dir, true, m.Score
|
||||
}
|
||||
}
|
||||
return best
|
||||
}
|
||||
|
||||
// resolveDirectionMirror mirrors engine.resolveDirection.
|
||||
func resolveDirectionMirror(b *board.Board, placements []scrabble.Placement) scrabble.Direction {
|
||||
if len(placements) >= 2 {
|
||||
row := placements[0].Row
|
||||
for _, p := range placements[1:] {
|
||||
if p.Row != row {
|
||||
return scrabble.Vertical
|
||||
}
|
||||
}
|
||||
return scrabble.Horizontal
|
||||
}
|
||||
if len(placements) == 1 {
|
||||
p := placements[0]
|
||||
h := runLengthMirror(b, p.Row, p.Col, scrabble.Horizontal)
|
||||
v := runLengthMirror(b, p.Row, p.Col, scrabble.Vertical)
|
||||
if v >= 2 && v > h {
|
||||
return scrabble.Vertical
|
||||
}
|
||||
if h >= 2 {
|
||||
return scrabble.Horizontal
|
||||
}
|
||||
if v >= 2 {
|
||||
return scrabble.Vertical
|
||||
}
|
||||
}
|
||||
return scrabble.Horizontal
|
||||
}
|
||||
|
||||
// runLengthMirror mirrors engine.runLength.
|
||||
func runLengthMirror(b *board.Board, row, col int, dir scrabble.Direction) int {
|
||||
dr, dc := 0, 1
|
||||
if dir == scrabble.Vertical {
|
||||
dr, dc = 1, 0
|
||||
}
|
||||
n := 1
|
||||
for r, c := row-dr, col-dc; b.Filled(r, c); r, c = r-dr, c-dc {
|
||||
n++
|
||||
}
|
||||
for r, c := row+dr, col+dc; b.Filled(r, c); r, c = r+dr, c+dc {
|
||||
n++
|
||||
}
|
||||
return n
|
||||
}
|
||||
|
||||
// rackOf builds a generation rack from a hand of tiles (reimplemented from the
|
||||
// unexported selfplay helper).
|
||||
func rackOf(tiles []byte, size int) rack.Rack {
|
||||
r := rack.New(size)
|
||||
for _, t := range tiles {
|
||||
if t == blankTile {
|
||||
r.AddBlank()
|
||||
} else {
|
||||
r.Add(t)
|
||||
}
|
||||
}
|
||||
return r
|
||||
}
|
||||
|
||||
// removeUsed returns the hand with the tiles consumed by m removed.
|
||||
func removeUsed(tiles []byte, m scrabble.Move) []byte {
|
||||
out := append([]byte(nil), tiles...)
|
||||
for _, p := range m.Tiles {
|
||||
want := p.Letter
|
||||
if p.Blank {
|
||||
want = blankTile
|
||||
}
|
||||
for i, t := range out {
|
||||
if t == want {
|
||||
out = append(out[:i], out[i+1:]...)
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func boolseed(b bool) int64 {
|
||||
if b {
|
||||
return 500000
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
func variantSeed(name string) int64 {
|
||||
var s int64
|
||||
for _, r := range name {
|
||||
s = s*131 + int64(r)
|
||||
}
|
||||
return s
|
||||
}
|
||||
|
||||
func fail(format string, args ...any) {
|
||||
fmt.Fprintf(os.Stderr, "validategen: "+format+"\n", args...)
|
||||
os.Exit(1)
|
||||
}
|
||||
+2
-1
@@ -13,6 +13,7 @@ require (
|
||||
github.com/pressly/goose/v3 v3.27.1
|
||||
github.com/testcontainers/testcontainers-go v0.42.0
|
||||
github.com/testcontainers/testcontainers-go/modules/postgres v0.42.0
|
||||
github.com/wneessen/go-mail v0.7.3
|
||||
go.opentelemetry.io/otel v1.43.0
|
||||
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0
|
||||
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0
|
||||
@@ -109,7 +110,7 @@ require (
|
||||
golang.org/x/net v0.53.0 // indirect
|
||||
golang.org/x/sync v0.20.0 // indirect
|
||||
golang.org/x/sys v0.43.0 // indirect
|
||||
golang.org/x/text v0.36.0 // indirect
|
||||
golang.org/x/text v0.37.0 // indirect
|
||||
google.golang.org/grpc v1.80.0
|
||||
google.golang.org/protobuf v1.36.11 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
|
||||
@@ -279,6 +279,8 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
|
||||
github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
|
||||
github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
|
||||
github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
|
||||
github.com/wneessen/go-mail v0.7.3 h1:g3DravXC5SMlVdboFrQA8Jx95A8sOzoBeS5F+vzNRK0=
|
||||
github.com/wneessen/go-mail v0.7.3/go.mod h1:QGhBX0yNbc1J+Mkjcu7z2rpj4B4l+BmDY8gYznPC9sk=
|
||||
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
|
||||
github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
|
||||
github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
|
||||
@@ -400,6 +402,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
|
||||
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
|
||||
golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
|
||||
golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
|
||||
golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
|
||||
golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
|
||||
|
||||
@@ -22,12 +22,13 @@ import (
|
||||
"scrabble/backend/internal/postgres/jet/backend/table"
|
||||
)
|
||||
|
||||
// Identity kinds recognised by the backend. Email is modelled as an identity
|
||||
// alongside platform identities; its confirmed flag is driven by the email
|
||||
// confirm-code flow. Robot is a synthetic kind: each pooled
|
||||
// robot opponent is a durable account bound to one robot identity.
|
||||
// Identity kinds recognised by the backend. Telegram and VK are platform identities,
|
||||
// auto-confirmed on first contact. Email is modelled as an identity alongside them; its
|
||||
// confirmed flag is driven by the email confirm-code flow. Robot is a synthetic kind:
|
||||
// each pooled robot opponent is a durable account bound to one robot identity.
|
||||
const (
|
||||
KindTelegram = "telegram"
|
||||
KindVK = "vk"
|
||||
KindEmail = "email"
|
||||
KindRobot = "robot"
|
||||
)
|
||||
@@ -42,9 +43,7 @@ var ErrNotFound = errors.New("account: not found")
|
||||
// local-time window (in TimeZone) during which the player is asleep, so the
|
||||
// turn-timeout sweeper does not auto-resign them inside it. (The robot opponent's
|
||||
// own sleep is anchored to its human opponent's timezone with a per-game drift,
|
||||
// computed in internal/robot, not from a robot account's away window.) HintBalance
|
||||
// is the player's wallet of purchasable hints, spent after a game's per-seat
|
||||
// allowance.
|
||||
// computed in internal/robot, not from a robot account's away window.)
|
||||
type Account struct {
|
||||
ID uuid.UUID
|
||||
DisplayName string
|
||||
@@ -52,7 +51,6 @@ type Account struct {
|
||||
TimeZone string
|
||||
AwayStart time.Time
|
||||
AwayEnd time.Time
|
||||
HintBalance int
|
||||
BlockChat bool
|
||||
BlockFriendRequests bool
|
||||
// VariantPreferences is the set of game variants (engine.Variant stable labels:
|
||||
@@ -68,10 +66,6 @@ type Account struct {
|
||||
// true (the default): the platform side-service skips out-of-app push for the
|
||||
// account.
|
||||
NotificationsInAppOnly bool
|
||||
// PaidAccount marks a lifetime one-time-payment account. It is a service field
|
||||
// (no purchase flow yet); an account linking & merge ORs it so a paid status is
|
||||
// never lost when accounts are consolidated.
|
||||
PaidAccount bool
|
||||
// MergedInto is the primary account a retired (merged) secondary points at, or
|
||||
// uuid.Nil for a live account. A tombstone keeps the row so the no-cascade
|
||||
// foreign keys of a shared finished game stay valid.
|
||||
@@ -120,13 +114,44 @@ func (s *Store) ProvisionByIdentity(ctx context.Context, kind, externalID string
|
||||
}
|
||||
|
||||
// ProvisionEmail returns the account owning the email identity externalID, creating
|
||||
// it (unconfirmed) on first contact with browserTZ — the client's detected "±HH:MM"
|
||||
// UTC offset — seeded into its time zone. Like ProvisionByIdentity it is race-safe
|
||||
// and leaves an existing account untouched, so a returning user's saved zone is never
|
||||
// overwritten. The email account is created here (the code-request step), not at the
|
||||
// later login, so this is where its zone is seeded.
|
||||
func (s *Store) ProvisionEmail(ctx context.Context, externalID, browserTZ string) (Account, error) {
|
||||
return s.provision(ctx, KindEmail, externalID, provisionSeed{timeZone: seedZone(browserTZ)})
|
||||
// it on first contact with browserTZ — the client's detected "±HH:MM" UTC offset —
|
||||
// seeded into its time zone, language seeded from the client's UI language, and its
|
||||
// display name seeded from the email's local part (so it is not left nameless). Like
|
||||
// ProvisionByIdentity it is race-safe and leaves an existing account untouched, so a
|
||||
// returning user's saved zone, language and name are never overwritten. The email account is
|
||||
// created here (the code-request step), not at the later login, so this is where its
|
||||
// zone and language are seeded. It is created flagged is_guest with an unconfirmed
|
||||
// email identity: an abandoned, never-confirmed login is then reaped like any guest,
|
||||
// freeing the reserved address, and confirming the code clears the guest flag.
|
||||
func (s *Store) ProvisionEmail(ctx context.Context, externalID, browserTZ, language string) (Account, error) {
|
||||
return s.provision(ctx, KindEmail, externalID, provisionSeed{
|
||||
displayName: emailDisplayName(externalID),
|
||||
timeZone: seedZone(browserTZ),
|
||||
preferredLanguage: supportedLanguage(language),
|
||||
isGuest: true,
|
||||
})
|
||||
}
|
||||
|
||||
// emailDisplayName derives a display name from an email address — the local part
|
||||
// before '@', trimmed and capped to the column width — so a new email account is not
|
||||
// left nameless. It is only the first-contact seed; the user can rename it later.
|
||||
func emailDisplayName(email string) string {
|
||||
local, _, _ := strings.Cut(email, "@")
|
||||
local = strings.TrimSpace(local)
|
||||
if r := []rune(local); len(r) > maxDisplayName {
|
||||
local = strings.TrimRight(string(r[:maxDisplayName]), " ")
|
||||
}
|
||||
return local
|
||||
}
|
||||
|
||||
// supportedLanguage returns code normalised to a supported UI language ("en" or
|
||||
// "ru"), or "" when it maps to neither, so a new account keeps the 'en' default. It
|
||||
// accepts region-tagged codes ("ru-RU").
|
||||
func supportedLanguage(code string) string {
|
||||
if lang, _, _ := strings.Cut(strings.ToLower(strings.TrimSpace(code)), "-"); lang == "en" || lang == "ru" {
|
||||
return lang
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// ProvisionRobot provisions (or finds) the durable account backing a robot pool
|
||||
@@ -185,6 +210,28 @@ func (s *Store) ProvisionTelegram(ctx context.Context, externalID, languageCode,
|
||||
return acc, created, err
|
||||
}
|
||||
|
||||
// ProvisionVK provisions (or finds) the account bound to a VK identity, reporting
|
||||
// whether this call created it (first contact). On first contact only, it seeds the new
|
||||
// account's preferred language from the VK languageCode (vk_language, when it maps to a
|
||||
// supported language) and its display name sanitized from displayName — the name read
|
||||
// client-side via VKWebAppGetUserInfo, since VK omits it from the signed launch params —
|
||||
// falling back to a generated placeholder when it yields no letters; an already-existing
|
||||
// account is returned unchanged, so a later profile edit is never overwritten.
|
||||
func (s *Store) ProvisionVK(ctx context.Context, externalID, languageCode, displayName, browserTZ string) (Account, bool, error) {
|
||||
// Pre-check whether the identity already exists so the caller can act on first
|
||||
// contact (mirrors ProvisionTelegram); a create race only mis-reports created for
|
||||
// that one call.
|
||||
_, err := s.findByIdentity(ctx, KindVK, externalID)
|
||||
created := errors.Is(err, ErrNotFound)
|
||||
if err != nil && !created {
|
||||
return Account{}, false, err
|
||||
}
|
||||
seed := vkSeed(languageCode, displayName)
|
||||
seed.timeZone = seedZone(browserTZ)
|
||||
acc, err := s.provision(ctx, KindVK, externalID, seed)
|
||||
return acc, created, err
|
||||
}
|
||||
|
||||
// provision finds the account for (kind, externalID) or creates it with seed,
|
||||
// collapsing a concurrent-create race on the identity unique constraint into a
|
||||
// re-read of the winner's account.
|
||||
@@ -216,6 +263,11 @@ type provisionSeed struct {
|
||||
preferredLanguage string
|
||||
displayName string
|
||||
timeZone string
|
||||
// isGuest creates the account flagged is_guest. It is set for an email-login
|
||||
// account, which stays a guest until the address is confirmed (so an abandoned,
|
||||
// never-confirmed login is reaped and its address freed); confirming clears the
|
||||
// flag. Platform identities (telegram/vk) are durable from creation.
|
||||
isGuest bool
|
||||
}
|
||||
|
||||
// seedZone returns browserTZ when it is a well-formed zone to persist at account
|
||||
@@ -258,6 +310,24 @@ func telegramSeed(languageCode, username, firstName string) provisionSeed {
|
||||
return seed
|
||||
}
|
||||
|
||||
// vkSeed derives the create-time seed from VK launch fields: a supported preferred
|
||||
// language from languageCode (vk_language, normally a 2-letter code) and a display name
|
||||
// from displayName (sanitized to the editable format), falling back to a generated
|
||||
// placeholder in the seeded language when the name yields no usable letters. Unlike
|
||||
// telegramSeed there is no @username fallback — VK provides only the name.
|
||||
func vkSeed(languageCode, displayName string) provisionSeed {
|
||||
var seed provisionSeed
|
||||
if lang, _, _ := strings.Cut(strings.ToLower(strings.TrimSpace(languageCode)), "-"); lang == "en" || lang == "ru" {
|
||||
seed.preferredLanguage = lang
|
||||
}
|
||||
name := sanitizeDisplayName(displayName)
|
||||
if name == "" {
|
||||
name = placeholderDisplayName(seed.preferredLanguage)
|
||||
}
|
||||
seed.displayName = name
|
||||
return seed
|
||||
}
|
||||
|
||||
// GetByID loads the account identified by id, or ErrNotFound when it is absent.
|
||||
func (s *Store) GetByID(ctx context.Context, id uuid.UUID) (Account, error) {
|
||||
stmt := postgres.SELECT(table.Accounts.AllColumns).
|
||||
@@ -316,6 +386,21 @@ func (s *Store) Identities(ctx context.Context, accountID uuid.UUID) ([]Identity
|
||||
return out, nil
|
||||
}
|
||||
|
||||
// HasConfirmedEmail reports whether the account owns a confirmed email identity — the direct-rail
|
||||
// recovery anchor a first purchase requires (D36).
|
||||
func (s *Store) HasConfirmedEmail(ctx context.Context, accountID uuid.UUID) (bool, error) {
|
||||
ids, err := s.Identities(ctx, accountID)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
for _, id := range ids {
|
||||
if id.Kind == "email" && id.Confirmed {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// ListAccounts returns accounts for the admin user list, newest first, paginated
|
||||
// by limit and offset.
|
||||
func (s *Store) ListAccounts(ctx context.Context, limit, offset int) ([]Account, error) {
|
||||
@@ -406,8 +491,8 @@ func (s *Store) create(ctx context.Context, kind, externalID string, seed provis
|
||||
tz = "UTC"
|
||||
}
|
||||
insertAccount := table.Accounts.
|
||||
INSERT(table.Accounts.AccountID, table.Accounts.DisplayName, table.Accounts.PreferredLanguage, table.Accounts.TimeZone).
|
||||
VALUES(accountID, seed.displayName, lang, tz).
|
||||
INSERT(table.Accounts.AccountID, table.Accounts.DisplayName, table.Accounts.PreferredLanguage, table.Accounts.TimeZone, table.Accounts.IsGuest).
|
||||
VALUES(accountID, seed.displayName, lang, tz, seed.isGuest).
|
||||
RETURNING(table.Accounts.AllColumns)
|
||||
|
||||
var row model.Accounts
|
||||
@@ -421,7 +506,7 @@ func (s *Store) create(ctx context.Context, kind, externalID string, seed provis
|
||||
table.Identities.Kind,
|
||||
table.Identities.ExternalID,
|
||||
table.Identities.Confirmed,
|
||||
).VALUES(identityID, accountID, kind, externalID, kind == KindTelegram)
|
||||
).VALUES(identityID, accountID, kind, externalID, kind == KindTelegram || kind == KindVK)
|
||||
if _, err := insertIdentity.ExecContext(ctx, tx); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -471,52 +556,6 @@ func (s *Store) ProvisionGuest(ctx context.Context, browserTZ string) (Account,
|
||||
return modelToAccount(row), nil
|
||||
}
|
||||
|
||||
// SpendHint atomically decrements the account's hint wallet by one, returning
|
||||
// true when a hint was spent and false when the balance was already empty. The
|
||||
// guarded UPDATE keeps it safe under concurrent spends across the player's games.
|
||||
func (s *Store) SpendHint(ctx context.Context, id uuid.UUID) (bool, error) {
|
||||
stmt := table.Accounts.
|
||||
UPDATE(table.Accounts.HintBalance, table.Accounts.UpdatedAt).
|
||||
SET(table.Accounts.HintBalance.SUB(postgres.Int(1)), postgres.TimestampzT(time.Now().UTC())).
|
||||
WHERE(
|
||||
table.Accounts.AccountID.EQ(postgres.UUID(id)).
|
||||
AND(table.Accounts.HintBalance.GT(postgres.Int(0))),
|
||||
)
|
||||
res, err := stmt.ExecContext(ctx, s.db)
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("account: spend hint %s: %w", id, err)
|
||||
}
|
||||
n, err := res.RowsAffected()
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("account: spend hint rows %s: %w", id, err)
|
||||
}
|
||||
return n > 0, nil
|
||||
}
|
||||
|
||||
// GrantHints adds n hints to the account's wallet and returns the new balance. n must be
|
||||
// positive: the additive update can only raise the balance, never lower it, so it enforces the
|
||||
// admin console's raise-only rule by construction and stays correct under a concurrent SpendHint.
|
||||
// It returns ErrNotFound when no account matches.
|
||||
func (s *Store) GrantHints(ctx context.Context, id uuid.UUID, n int) (int, error) {
|
||||
if n <= 0 {
|
||||
return 0, fmt.Errorf("account: grant hints %s: n must be positive, got %d", id, n)
|
||||
}
|
||||
stmt := table.Accounts.
|
||||
UPDATE(table.Accounts.HintBalance, table.Accounts.UpdatedAt).
|
||||
SET(table.Accounts.HintBalance.ADD(postgres.Int(int64(n))), postgres.TimestampzT(time.Now().UTC())).
|
||||
WHERE(table.Accounts.AccountID.EQ(postgres.UUID(id))).
|
||||
RETURNING(table.Accounts.HintBalance)
|
||||
|
||||
var row model.Accounts
|
||||
if err := stmt.QueryContext(ctx, s.db, &row); err != nil {
|
||||
if errors.Is(err, qrm.ErrNoRows) {
|
||||
return 0, ErrNotFound
|
||||
}
|
||||
return 0, fmt.Errorf("account: grant hints %s: %w", id, err)
|
||||
}
|
||||
return int(row.HintBalance), nil
|
||||
}
|
||||
|
||||
// FlagHighRate stamps the soft "suspected high-rate" marker with at, only when
|
||||
// the account is not already flagged — the first sustained episode wins, and a
|
||||
// re-flag after an operator clear starts a fresh timestamp. An infra marker, not
|
||||
@@ -572,12 +611,10 @@ func modelToAccount(row model.Accounts) Account {
|
||||
TimeZone: row.TimeZone,
|
||||
AwayStart: row.AwayStart,
|
||||
AwayEnd: row.AwayEnd,
|
||||
HintBalance: int(row.HintBalance),
|
||||
BlockChat: row.BlockChat,
|
||||
BlockFriendRequests: row.BlockFriendRequests,
|
||||
IsGuest: row.IsGuest,
|
||||
NotificationsInAppOnly: row.NotificationsInAppOnly,
|
||||
PaidAccount: row.PaidAccount,
|
||||
MergedInto: mergedInto,
|
||||
FlaggedHighRateAt: flaggedHighRateAt,
|
||||
CreatedAt: row.CreatedAt,
|
||||
|
||||
@@ -5,6 +5,7 @@ import (
|
||||
crand "crypto/rand"
|
||||
"crypto/sha256"
|
||||
"database/sql"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"fmt"
|
||||
@@ -26,6 +27,22 @@ const (
|
||||
emailCodeTTL = 15 * time.Minute
|
||||
// emailCodeMaxAttempts caps wrong-code submissions before a code is dead.
|
||||
emailCodeMaxAttempts = 5
|
||||
// linkTokenBytes is the entropy of a confirm deeplink token: 256 bits.
|
||||
linkTokenBytes = 32
|
||||
// emailConfirmPath is the SPA route the one-tap confirm deeplink opens (the token
|
||||
// is appended). The SPA is served under /app/ behind a hash router.
|
||||
emailConfirmPath = "/app/#/confirm/"
|
||||
)
|
||||
|
||||
// Confirmation purposes recorded on a pending confirm-code row. They select what
|
||||
// verifying the code or the deeplink token does: sign in (login), link/confirm the
|
||||
// address on the current account (link), or replace the account's confirmed email with
|
||||
// a new address (change). Account deletion adds a further purpose in a later stage.
|
||||
const (
|
||||
purposeLogin = "login"
|
||||
purposeLink = "link"
|
||||
purposeChange = "change"
|
||||
purposeDelete = "delete"
|
||||
)
|
||||
|
||||
// Errors returned by the email confirm-code flow.
|
||||
@@ -46,6 +63,12 @@ var (
|
||||
ErrTooManyAttempts = errors.New("account: too many confirmation attempts")
|
||||
// ErrCodeMismatch is returned when the submitted code does not match.
|
||||
ErrCodeMismatch = errors.New("account: confirmation code does not match")
|
||||
// ErrTooManyRequests is returned when confirm-code sends to an address are being
|
||||
// requested too frequently (the resend cooldown or the rolling-hour cap).
|
||||
ErrTooManyRequests = errors.New("account: too many code requests")
|
||||
// ErrNoEmail is returned when an email-code step-up is requested for an account that
|
||||
// holds no confirmed email (the caller must use the typed-phrase path instead).
|
||||
ErrNoEmail = errors.New("account: no confirmed email")
|
||||
)
|
||||
|
||||
// EmailService runs the email confirm-code flow: it issues a 6-digit code over a
|
||||
@@ -55,14 +78,82 @@ var (
|
||||
// account is refused (ErrEmailTaken) — merging two accounts is the link/merge flow —
|
||||
// and using an email as a login reuses this mechanism.
|
||||
type EmailService struct {
|
||||
store *Store
|
||||
mailer Mailer
|
||||
now func() time.Time
|
||||
store *Store
|
||||
mailer Mailer
|
||||
baseURL string
|
||||
limiter *SendLimiter
|
||||
now func() time.Time
|
||||
}
|
||||
|
||||
// NewEmailService constructs an EmailService over store, sending via mailer.
|
||||
func NewEmailService(store *Store, mailer Mailer) *EmailService {
|
||||
return &EmailService{store: store, mailer: mailer, now: func() time.Time { return time.Now().UTC() }}
|
||||
// NewEmailService constructs an EmailService over store, sending via mailer. baseURL
|
||||
// is the canonical public origin (scheme + host) used to build the one-tap confirm
|
||||
// deeplink and the email footer landing link; an empty baseURL omits the deeplink
|
||||
// (development / log mailer).
|
||||
func NewEmailService(store *Store, mailer Mailer, baseURL string) *EmailService {
|
||||
return &EmailService{store: store, mailer: mailer, baseURL: baseURL, now: func() time.Time { return time.Now().UTC() }}
|
||||
}
|
||||
|
||||
// SetSendLimiter installs a per-recipient send throttle. When unset (nil), sends are
|
||||
// not throttled — production wires a limiter; tests leave it off.
|
||||
func (s *EmailService) SetSendLimiter(l *SendLimiter) { s.limiter = l }
|
||||
|
||||
// allowSend reports whether a confirm-code send to email is permitted now, recording
|
||||
// it when so. A nil limiter permits every send.
|
||||
func (s *EmailService) allowSend(email string) bool {
|
||||
return s.limiter == nil || s.limiter.Allow(email)
|
||||
}
|
||||
|
||||
// issueCode generates a fresh confirm-code and one-tap deeplink token for (accountID,
|
||||
// email), replaces any prior pending confirmation, and mails the branded code in
|
||||
// locale; purpose selects the email wording and what verifying does. omitLink drops the
|
||||
// one-tap deeplink from the email (account deletion, or a login requested from an installed
|
||||
// PWA). Only the SHA-256 hashes of the code and token are stored.
|
||||
func (s *EmailService) issueCode(ctx context.Context, accountID uuid.UUID, email, purpose, locale string, omitLink bool) error {
|
||||
code, codeHash, err := generateCode()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
token, tokenHash, err := generateLinkToken()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.store.replacePendingConfirmation(ctx, accountID, email, codeHash, tokenHash, purpose, s.now().Add(emailCodeTTL)); err != nil {
|
||||
return err
|
||||
}
|
||||
// Omit the one-tap deeplink when asked: for a login from an installed PWA (the link would
|
||||
// open in a separate browser whose minted session cannot reach the PWA), or for account
|
||||
// deletion (a prefetch or stray click must not delete an account — the delete code is entered
|
||||
// in the app only, and ConfirmByToken refuses a delete token).
|
||||
deeplink := s.confirmURL(token, locale)
|
||||
if purpose == purposeDelete || omitLink {
|
||||
deeplink = ""
|
||||
}
|
||||
msg, err := renderConfirmationEmail(purpose, code, deeplink, s.baseURL, locale)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
msg.To = email
|
||||
return s.mailer.Send(ctx, msg)
|
||||
}
|
||||
|
||||
// confirmURL builds the absolute one-tap confirm deeplink for token in locale, or ""
|
||||
// when no public base URL is configured. The locale rides the fragment as ?lang so the
|
||||
// confirm screen (opened in a browser with no session) renders in the email's language.
|
||||
func (s *EmailService) confirmURL(token, locale string) string {
|
||||
if s.baseURL == "" {
|
||||
return ""
|
||||
}
|
||||
return strings.TrimRight(s.baseURL, "/") + emailConfirmPath + token + "?lang=" + normalizeLocale(locale)
|
||||
}
|
||||
|
||||
// accountLocale returns the account's preferred UI language for localising email,
|
||||
// defaulting to "en" when the account cannot be loaded.
|
||||
func (s *EmailService) accountLocale(ctx context.Context, accountID uuid.UUID) string {
|
||||
acc, err := s.store.GetByID(ctx, accountID)
|
||||
if err != nil {
|
||||
return "en"
|
||||
}
|
||||
return acc.PreferredLanguage
|
||||
}
|
||||
|
||||
// RequestCode issues a fresh confirm-code for email to accountID and mails it,
|
||||
@@ -73,6 +164,9 @@ func (s *EmailService) RequestCode(ctx context.Context, accountID uuid.UUID, ema
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !s.allowSend(addr) {
|
||||
return ErrTooManyRequests
|
||||
}
|
||||
owner, ok, err := s.store.confirmedEmailAccount(ctx, addr)
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -83,16 +177,7 @@ func (s *EmailService) RequestCode(ctx context.Context, accountID uuid.UUID, ema
|
||||
}
|
||||
return ErrEmailTaken
|
||||
}
|
||||
code, hash, err := generateCode()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.store.replacePendingConfirmation(ctx, accountID, addr, hash, s.now().Add(emailCodeTTL)); err != nil {
|
||||
return err
|
||||
}
|
||||
subject := "Your Scrabble confirmation code"
|
||||
body := fmt.Sprintf("Your confirmation code is %s. It expires in %d minutes.", code, int(emailCodeTTL/time.Minute))
|
||||
return s.mailer.Send(ctx, addr, subject, body)
|
||||
return s.issueCode(ctx, accountID, addr, purposeLink, s.accountLocale(ctx, accountID), false)
|
||||
}
|
||||
|
||||
// ConfirmCode verifies code for accountID and email. On success it attaches a
|
||||
@@ -123,36 +208,38 @@ func (s *EmailService) ConfirmCode(ctx context.Context, accountID uuid.UUID, ema
|
||||
if err := s.store.confirmEmailIdentity(ctx, conf.id, accountID, addr, s.now()); err != nil {
|
||||
return Account{}, err
|
||||
}
|
||||
// Binding the first confirmed email promotes a guest to a durable account, matching the
|
||||
// link and deeplink flows (defence-in-depth: no confirmed-email path leaves is_guest set).
|
||||
if err := s.store.ClearGuest(ctx, accountID); err != nil {
|
||||
return Account{}, err
|
||||
}
|
||||
return s.store.GetByID(ctx, accountID)
|
||||
}
|
||||
|
||||
// RequestLoginCode issues a login confirm-code to the account that owns email,
|
||||
// provisioning a fresh (unconfirmed) durable account when the email is new. It is
|
||||
// the unauthenticated email-login entry point and, unlike RequestCode,
|
||||
// does not refuse an already-confirmed email — that is the ordinary returning-user
|
||||
// login. The code is mailed to the address, so only its real owner can complete
|
||||
// the login. On first contact browserTZ (the client's detected "±HH:MM" UTC offset)
|
||||
// seeds the new account's time zone. It returns the target account id for the
|
||||
// subsequent LoginWithCode.
|
||||
func (s *EmailService) RequestLoginCode(ctx context.Context, email, browserTZ string) (uuid.UUID, error) {
|
||||
// provisioning a fresh (unconfirmed) guest account when the email is new — it becomes
|
||||
// durable once the code is confirmed. It is the unauthenticated email-login entry
|
||||
// point and, unlike RequestCode, does not refuse an already-confirmed email — that is
|
||||
// the ordinary returning-user login. The code is mailed to the address, so only its
|
||||
// real owner can complete the login. On first contact browserTZ (the client's
|
||||
// detected "±HH:MM" UTC offset) seeds the new account's time zone and language its UI
|
||||
// language. When pwa is set (the request came from an installed PWA) the login email omits the
|
||||
// one-tap confirm link — it would open in a separate browser, out of the PWA's reach — so the
|
||||
// code is entered in the same window. It returns the target account id for the subsequent
|
||||
// LoginWithCode.
|
||||
func (s *EmailService) RequestLoginCode(ctx context.Context, email, browserTZ, language string, pwa bool) (uuid.UUID, error) {
|
||||
addr, err := normalizeEmail(email)
|
||||
if err != nil {
|
||||
return uuid.UUID{}, err
|
||||
}
|
||||
acc, err := s.store.ProvisionEmail(ctx, addr, browserTZ)
|
||||
if !s.allowSend(addr) {
|
||||
return uuid.UUID{}, ErrTooManyRequests
|
||||
}
|
||||
acc, err := s.store.ProvisionEmail(ctx, addr, browserTZ, language)
|
||||
if err != nil {
|
||||
return uuid.UUID{}, err
|
||||
}
|
||||
code, hash, err := generateCode()
|
||||
if err != nil {
|
||||
return uuid.UUID{}, err
|
||||
}
|
||||
if err := s.store.replacePendingConfirmation(ctx, acc.ID, addr, hash, s.now().Add(emailCodeTTL)); err != nil {
|
||||
return uuid.UUID{}, err
|
||||
}
|
||||
subject := "Your Scrabble login code"
|
||||
body := fmt.Sprintf("Your login code is %s. It expires in %d minutes.", code, int(emailCodeTTL/time.Minute))
|
||||
if err := s.mailer.Send(ctx, addr, subject, body); err != nil {
|
||||
if err := s.issueCode(ctx, acc.ID, addr, purposeLogin, language, pwa); err != nil {
|
||||
return uuid.UUID{}, err
|
||||
}
|
||||
return acc.ID, nil
|
||||
@@ -191,9 +278,104 @@ func (s *EmailService) LoginWithCode(ctx context.Context, email, code string) (A
|
||||
if err := s.store.confirmEmailLogin(ctx, conf.id, acc.ID, addr, s.now()); err != nil {
|
||||
return Account{}, err
|
||||
}
|
||||
if err := s.store.ClearGuest(ctx, acc.ID); err != nil {
|
||||
return Account{}, err
|
||||
}
|
||||
return s.store.GetByID(ctx, acc.ID)
|
||||
}
|
||||
|
||||
// LinkConfirmation is the outcome of confirming a one-tap deeplink token: what the
|
||||
// transport layer must finish. Purpose is the pending row's purpose. For a login,
|
||||
// Account is the account to sign in. For a link, Account is the account the email was
|
||||
// (or would be) attached to; NeedsMerge is set when another account (MergeOwner)
|
||||
// already owns the address, so the caller drives the interactive merge instead of a
|
||||
// plain link — the token is left unconsumed for that merge step.
|
||||
type LinkConfirmation struct {
|
||||
Purpose string
|
||||
Account uuid.UUID
|
||||
NeedsMerge bool
|
||||
MergeOwner uuid.UUID
|
||||
}
|
||||
|
||||
// IsLogin reports whether the confirmation is a login (the caller mints a session)
|
||||
// rather than a link (attach the identity, or drive a merge).
|
||||
func (r LinkConfirmation) IsLogin() bool { return r.Purpose == purposeLogin }
|
||||
|
||||
// ConfirmByToken verifies a one-tap deeplink token and performs its purpose. A login
|
||||
// confirms the email identity, clears the guest flag and returns the account to sign
|
||||
// in. A link attaches the confirmed email to the pending account when the address is
|
||||
// free, or reports NeedsMerge when another account already owns it (leaving the token
|
||||
// live so the caller's merge step can re-verify). It returns ErrNoPendingCode when the
|
||||
// token matches no live confirmation and ErrCodeExpired when it has lapsed. The token
|
||||
// is high-entropy, so there is no wrong-attempt counter.
|
||||
func (s *EmailService) ConfirmByToken(ctx context.Context, token string) (LinkConfirmation, error) {
|
||||
pend, err := s.store.pendingByTokenHash(ctx, hashCode(token))
|
||||
if err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
if s.now().After(pend.expiresAt) {
|
||||
return LinkConfirmation{}, ErrCodeExpired
|
||||
}
|
||||
switch pend.purpose {
|
||||
case purposeLogin:
|
||||
if err := s.store.confirmEmailLogin(ctx, pend.id, pend.accountID, pend.email, s.now()); err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
if err := s.store.ClearGuest(ctx, pend.accountID); err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
return LinkConfirmation{Purpose: purposeLogin, Account: pend.accountID}, nil
|
||||
case purposeLink:
|
||||
owner, ok, err := s.store.confirmedEmailAccount(ctx, pend.email)
|
||||
if err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
if ok {
|
||||
if owner == pend.accountID {
|
||||
if err := s.store.consumeConfirmation(ctx, pend.id, s.now()); err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
return LinkConfirmation{Purpose: purposeLink, Account: pend.accountID}, nil
|
||||
}
|
||||
return LinkConfirmation{Purpose: purposeLink, Account: pend.accountID, NeedsMerge: true, MergeOwner: owner}, nil
|
||||
}
|
||||
if err := s.store.confirmEmailIdentity(ctx, pend.id, pend.accountID, pend.email, s.now()); err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
// Binding the first email promotes a guest to a durable account, matching the
|
||||
// code-based link flow (which clears the guest flag in the link service).
|
||||
if err := s.store.ClearGuest(ctx, pend.accountID); err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
return LinkConfirmation{Purpose: purposeLink, Account: pend.accountID}, nil
|
||||
case purposeChange:
|
||||
owner, ok, err := s.store.confirmedEmailAccount(ctx, pend.email)
|
||||
if err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
if ok && owner != pend.accountID {
|
||||
// The new address is confirmed by a different account: refuse without
|
||||
// disclosing it (anti-enumeration). Unlike a link, a change never merges.
|
||||
return LinkConfirmation{}, ErrEmailTaken
|
||||
}
|
||||
if ok && owner == pend.accountID {
|
||||
if err := s.store.consumeConfirmation(ctx, pend.id, s.now()); err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
return LinkConfirmation{Purpose: purposeChange, Account: pend.accountID}, nil
|
||||
}
|
||||
if err := s.store.replaceEmailIdentity(ctx, pend.id, pend.accountID, pend.email, s.now()); err != nil {
|
||||
return LinkConfirmation{}, err
|
||||
}
|
||||
return LinkConfirmation{Purpose: purposeChange, Account: pend.accountID}, nil
|
||||
case purposeDelete:
|
||||
// Deletion is confirmed in the app with the code, never via a one-tap link.
|
||||
return LinkConfirmation{}, fmt.Errorf("account: deletion cannot be confirmed by link")
|
||||
default:
|
||||
return LinkConfirmation{}, fmt.Errorf("account: unsupported confirmation purpose %q", pend.purpose)
|
||||
}
|
||||
}
|
||||
|
||||
// emailConfirmation is a pending confirm-code row in domain form.
|
||||
type emailConfirmation struct {
|
||||
id uuid.UUID
|
||||
@@ -222,9 +404,30 @@ func (s *Store) confirmedEmailAccount(ctx context.Context, email string) (uuid.U
|
||||
return row.AccountID, true, nil
|
||||
}
|
||||
|
||||
// confirmedEmailOf returns the account's confirmed email address and true, or ("", false)
|
||||
// when it holds none. It backs the deletion step-up, which mails a code to the account's
|
||||
// own address.
|
||||
func (s *Store) confirmedEmailOf(ctx context.Context, accountID uuid.UUID) (string, bool, error) {
|
||||
stmt := postgres.SELECT(table.Identities.ExternalID).
|
||||
FROM(table.Identities).
|
||||
WHERE(
|
||||
table.Identities.AccountID.EQ(postgres.UUID(accountID)).
|
||||
AND(table.Identities.Kind.EQ(postgres.String(KindEmail))).
|
||||
AND(table.Identities.Confirmed.EQ(postgres.Bool(true))),
|
||||
).LIMIT(1)
|
||||
var row model.Identities
|
||||
if err := stmt.QueryContext(ctx, s.db, &row); err != nil {
|
||||
if errors.Is(err, qrm.ErrNoRows) {
|
||||
return "", false, nil
|
||||
}
|
||||
return "", false, fmt.Errorf("account: confirmed email of %s: %w", accountID, err)
|
||||
}
|
||||
return row.ExternalID, true, nil
|
||||
}
|
||||
|
||||
// replacePendingConfirmation clears any pending code for (accountID, email) and
|
||||
// inserts a fresh one, inside one transaction.
|
||||
func (s *Store) replacePendingConfirmation(ctx context.Context, accountID uuid.UUID, email, codeHash string, expiresAt time.Time) error {
|
||||
func (s *Store) replacePendingConfirmation(ctx context.Context, accountID uuid.UUID, email, codeHash, linkTokenHash, purpose string, expiresAt time.Time) error {
|
||||
id, err := uuid.NewV7()
|
||||
if err != nil {
|
||||
return fmt.Errorf("account: new confirmation id: %w", err)
|
||||
@@ -241,7 +444,8 @@ func (s *Store) replacePendingConfirmation(ctx context.Context, accountID uuid.U
|
||||
ins := table.EmailConfirmations.INSERT(
|
||||
table.EmailConfirmations.ConfirmationID, table.EmailConfirmations.AccountID,
|
||||
table.EmailConfirmations.Email, table.EmailConfirmations.CodeHash, table.EmailConfirmations.ExpiresAt,
|
||||
).VALUES(id, accountID, email, codeHash, expiresAt)
|
||||
table.EmailConfirmations.LinkTokenHash, table.EmailConfirmations.Purpose,
|
||||
).VALUES(id, accountID, email, codeHash, expiresAt, linkTokenHash, purpose)
|
||||
if _, err := ins.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("insert confirmation: %w", err)
|
||||
}
|
||||
@@ -274,6 +478,54 @@ func (s *Store) latestPendingConfirmation(ctx context.Context, accountID uuid.UU
|
||||
}, nil
|
||||
}
|
||||
|
||||
// pendingConfirmation is a pending confirm-code row loaded by its deeplink token, in
|
||||
// domain form.
|
||||
type pendingConfirmation struct {
|
||||
id uuid.UUID
|
||||
accountID uuid.UUID
|
||||
email string
|
||||
purpose string
|
||||
expiresAt time.Time
|
||||
}
|
||||
|
||||
// pendingByTokenHash loads the unconsumed confirmation whose deeplink token hashes to
|
||||
// tokenHash, or ErrNoPendingCode. The high-entropy token needs no attempt counter, so
|
||||
// a partial-unique index guarantees at most one match.
|
||||
func (s *Store) pendingByTokenHash(ctx context.Context, tokenHash string) (pendingConfirmation, error) {
|
||||
stmt := postgres.SELECT(table.EmailConfirmations.AllColumns).
|
||||
FROM(table.EmailConfirmations).
|
||||
WHERE(
|
||||
table.EmailConfirmations.LinkTokenHash.EQ(postgres.String(tokenHash)).
|
||||
AND(table.EmailConfirmations.ConsumedAt.IS_NULL()),
|
||||
).LIMIT(1)
|
||||
var row model.EmailConfirmations
|
||||
if err := stmt.QueryContext(ctx, s.db, &row); err != nil {
|
||||
if errors.Is(err, qrm.ErrNoRows) {
|
||||
return pendingConfirmation{}, ErrNoPendingCode
|
||||
}
|
||||
return pendingConfirmation{}, fmt.Errorf("account: load confirmation by token: %w", err)
|
||||
}
|
||||
return pendingConfirmation{
|
||||
id: row.ConfirmationID,
|
||||
accountID: row.AccountID,
|
||||
email: row.Email,
|
||||
purpose: row.Purpose,
|
||||
expiresAt: row.ExpiresAt,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// consumeConfirmation marks a confirmation consumed without writing an identity, used
|
||||
// for the idempotent already-linked deeplink path.
|
||||
func (s *Store) consumeConfirmation(ctx context.Context, id uuid.UUID, now time.Time) error {
|
||||
upd := table.EmailConfirmations.UPDATE(table.EmailConfirmations.ConsumedAt).
|
||||
SET(postgres.TimestampzT(now)).
|
||||
WHERE(table.EmailConfirmations.ConfirmationID.EQ(postgres.UUID(id)))
|
||||
if _, err := upd.ExecContext(ctx, s.db); err != nil {
|
||||
return fmt.Errorf("account: consume confirmation: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// bumpConfirmationAttempts increments a code's wrong-attempt counter by one.
|
||||
func (s *Store) bumpConfirmationAttempts(ctx context.Context, id uuid.UUID) error {
|
||||
stmt := table.EmailConfirmations.
|
||||
@@ -320,6 +572,69 @@ func (s *Store) confirmEmailIdentity(ctx context.Context, confirmationID, accoun
|
||||
return nil
|
||||
}
|
||||
|
||||
// replaceEmailIdentity consumes the confirmation, deletes the account's existing email
|
||||
// identity (freeing the old address) and inserts newEmail as its confirmed email, inside
|
||||
// one transaction. It backs the change-email flow. A unique-constraint violation — the
|
||||
// new address was confirmed elsewhere in the meantime — surfaces as ErrEmailTaken. When
|
||||
// the account holds no email identity yet the delete is a no-op, so this doubles as an
|
||||
// attach.
|
||||
func (s *Store) replaceEmailIdentity(ctx context.Context, confirmationID, accountID uuid.UUID, newEmail string, now time.Time) error {
|
||||
identityID, err := uuid.NewV7()
|
||||
if err != nil {
|
||||
return fmt.Errorf("account: new identity id: %w", err)
|
||||
}
|
||||
err = withTx(ctx, s.db, func(tx *sql.Tx) error {
|
||||
upd := table.EmailConfirmations.
|
||||
UPDATE(table.EmailConfirmations.ConsumedAt).
|
||||
SET(postgres.TimestampzT(now)).
|
||||
WHERE(table.EmailConfirmations.ConfirmationID.EQ(postgres.UUID(confirmationID)))
|
||||
if _, err := upd.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("consume confirmation: %w", err)
|
||||
}
|
||||
// Journal the outgoing email before replacing it, so the legal dossier keeps the
|
||||
// address the account used to hold (see retention.go).
|
||||
var old model.Identities
|
||||
sel := postgres.SELECT(
|
||||
table.Identities.ExternalID, table.Identities.Confirmed, table.Identities.CreatedAt,
|
||||
).FROM(table.Identities).WHERE(
|
||||
table.Identities.AccountID.EQ(postgres.UUID(accountID)).
|
||||
AND(table.Identities.Kind.EQ(postgres.String(KindEmail))),
|
||||
).LIMIT(1)
|
||||
switch err := sel.QueryContext(ctx, tx, &old); {
|
||||
case err == nil:
|
||||
if err := retainIdentityTx(ctx, tx, accountID, KindEmail, old.ExternalID, old.Confirmed, old.CreatedAt, retainChange); err != nil {
|
||||
return err
|
||||
}
|
||||
case errors.Is(err, qrm.ErrNoRows):
|
||||
// No prior email (this doubles as an attach); nothing to retain.
|
||||
default:
|
||||
return fmt.Errorf("load outgoing email identity: %w", err)
|
||||
}
|
||||
del := table.Identities.DELETE().WHERE(
|
||||
table.Identities.AccountID.EQ(postgres.UUID(accountID)).
|
||||
AND(table.Identities.Kind.EQ(postgres.String(KindEmail))),
|
||||
)
|
||||
if _, err := del.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("delete old email identity: %w", err)
|
||||
}
|
||||
ins := table.Identities.INSERT(
|
||||
table.Identities.IdentityID, table.Identities.AccountID, table.Identities.Kind,
|
||||
table.Identities.ExternalID, table.Identities.Confirmed,
|
||||
).VALUES(identityID, accountID, KindEmail, newEmail, true)
|
||||
if _, err := ins.ExecContext(ctx, tx); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
if isUniqueViolation(err) {
|
||||
return ErrEmailTaken
|
||||
}
|
||||
return fmt.Errorf("account: replace email identity: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// confirmEmailLogin consumes the login code and marks the existing email
|
||||
// identity confirmed, inside one transaction. The identity already exists (a
|
||||
// login provisioned it), so this updates rather than inserts and is idempotent
|
||||
@@ -367,6 +682,18 @@ func generateCode() (code, hash string, err error) {
|
||||
return code, hashCode(code), nil
|
||||
}
|
||||
|
||||
// generateLinkToken returns a fresh opaque one-tap confirm deeplink token (URL-safe
|
||||
// base64, 256-bit) and its hex SHA-256 hash. Only the hash is stored; the token
|
||||
// travels only in the emailed link, mirroring the session-token model.
|
||||
func generateLinkToken() (token, hash string, err error) {
|
||||
buf := make([]byte, linkTokenBytes)
|
||||
if _, err := crand.Read(buf); err != nil {
|
||||
return "", "", fmt.Errorf("account: generate link token: %w", err)
|
||||
}
|
||||
token = base64.RawURLEncoding.EncodeToString(buf)
|
||||
return token, hashCode(token), nil
|
||||
}
|
||||
|
||||
// hashCode returns the hex-encoded SHA-256 of a confirm-code.
|
||||
func hashCode(code string) string {
|
||||
sum := sha256.Sum256([]byte(code))
|
||||
|
||||
@@ -0,0 +1,239 @@
|
||||
package account
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"html/template"
|
||||
"strings"
|
||||
tmpltext "text/template"
|
||||
"time"
|
||||
)
|
||||
|
||||
// emailBrandColor is the single accent used in the confirmation email — a calm
|
||||
// tile green, matching the "no riot of colours" brief.
|
||||
const emailBrandColor = "#2f7d4f"
|
||||
|
||||
// confirmEmailView is the fully-localised data the confirmation email templates
|
||||
// render. Every string is resolved before rendering, so the templates carry no
|
||||
// localisation logic.
|
||||
type confirmEmailView struct {
|
||||
Brand string
|
||||
Heading string
|
||||
Intro string
|
||||
Code string
|
||||
Expiry string
|
||||
CTALabel string
|
||||
DeeplinkURL string
|
||||
FooterIgnore string
|
||||
LandingURL string
|
||||
LandingLabel string
|
||||
Preheader string
|
||||
Locale string
|
||||
Accent string
|
||||
}
|
||||
|
||||
// emailCopy is the purpose- and locale-specific wording of a confirmation email.
|
||||
type emailCopy struct {
|
||||
Subject string
|
||||
Preheader string
|
||||
Heading string
|
||||
Intro string
|
||||
CTALabel string
|
||||
FooterIgnore string
|
||||
}
|
||||
|
||||
// confirmEmailCopy holds the wording per (purpose, locale). Unknown purposes fall
|
||||
// back to the neutral link wording and unknown locales fall back to English.
|
||||
var confirmEmailCopy = map[string]map[string]emailCopy{
|
||||
purposeLogin: {
|
||||
"en": {
|
||||
Subject: "Your Erudit sign-in code",
|
||||
Preheader: "Your sign-in code",
|
||||
Heading: "Sign in to Erudit",
|
||||
Intro: "Enter this code to sign in:",
|
||||
CTALabel: "Sign in with one tap",
|
||||
FooterIgnore: "If you didn't request this email, you can safely ignore it.",
|
||||
},
|
||||
"ru": {
|
||||
Subject: "Код для входа в Эрудит",
|
||||
Preheader: "Ваш код для входа",
|
||||
Heading: "Вход в Эрудит",
|
||||
Intro: "Введите этот код, чтобы войти в игру:",
|
||||
CTALabel: "Войти одним нажатием",
|
||||
FooterIgnore: "Если вы не запрашивали это письмо, просто проигнорируйте его.",
|
||||
},
|
||||
},
|
||||
purposeLink: {
|
||||
"en": {
|
||||
Subject: "Your Erudit confirmation code",
|
||||
Preheader: "Your confirmation code",
|
||||
Heading: "Confirm your e-mail",
|
||||
Intro: "Enter this code to confirm your address:",
|
||||
CTALabel: "Confirm with one tap",
|
||||
FooterIgnore: "If you didn't request this email, you can safely ignore it.",
|
||||
},
|
||||
"ru": {
|
||||
Subject: "Код подтверждения Эрудит",
|
||||
Preheader: "Ваш код подтверждения",
|
||||
Heading: "Подтверждение e-mail",
|
||||
Intro: "Введите этот код, чтобы подтвердить адрес:",
|
||||
CTALabel: "Подтвердить одним нажатием",
|
||||
FooterIgnore: "Если вы не запрашивали это письмо, просто проигнорируйте его.",
|
||||
},
|
||||
},
|
||||
purposeChange: {
|
||||
"en": {
|
||||
Subject: "Confirm your new Erudit e-mail",
|
||||
Preheader: "Confirm your new address",
|
||||
Heading: "Confirm your new e-mail",
|
||||
Intro: "Enter this code to switch your account to this address:",
|
||||
CTALabel: "Confirm with one tap",
|
||||
FooterIgnore: "If you didn't request this change, you can safely ignore it — your address stays the same.",
|
||||
},
|
||||
"ru": {
|
||||
Subject: "Подтвердите новый e-mail в Эрудит",
|
||||
Preheader: "Подтвердите новый адрес",
|
||||
Heading: "Смена e-mail",
|
||||
Intro: "Введите этот код, чтобы привязать аккаунт к новому адресу:",
|
||||
CTALabel: "Подтвердить одним нажатием",
|
||||
FooterIgnore: "Если вы не запрашивали смену, просто проигнорируйте письмо — адрес останется прежним.",
|
||||
},
|
||||
},
|
||||
purposeDelete: {
|
||||
"en": {
|
||||
Subject: "Confirm your Erudit account deletion",
|
||||
Preheader: "Confirm account deletion",
|
||||
Heading: "Delete your account",
|
||||
Intro: "Enter this code in the app to permanently delete your account:",
|
||||
CTALabel: "",
|
||||
FooterIgnore: "If you didn't request this, ignore it — your account stays as it is.",
|
||||
},
|
||||
"ru": {
|
||||
Subject: "Подтвердите удаление аккаунта Эрудит",
|
||||
Preheader: "Подтверждение удаления аккаунта",
|
||||
Heading: "Удаление аккаунта",
|
||||
Intro: "Введите этот код в приложении, чтобы удалить аккаунт без восстановления:",
|
||||
CTALabel: "",
|
||||
FooterIgnore: "Если вы не запрашивали удаление, проигнорируйте письмо — аккаунт останется.",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// emailBrand is the brand wordmark per locale.
|
||||
var emailBrand = map[string]string{"en": "Erudit", "ru": "Эрудит"}
|
||||
|
||||
// emailExpiry formats the code-lifetime line per locale (abbreviated minutes to
|
||||
// avoid plural agreement).
|
||||
func emailExpiry(locale string, d time.Duration) string {
|
||||
min := int(d / time.Minute)
|
||||
if locale == "ru" {
|
||||
return fmt.Sprintf("Код действует %d мин.", min)
|
||||
}
|
||||
return fmt.Sprintf("The code is valid for %d minutes.", min)
|
||||
}
|
||||
|
||||
// normalizeLocale maps an account language to a supported email locale, defaulting
|
||||
// to English.
|
||||
func normalizeLocale(locale string) string {
|
||||
if locale == "ru" {
|
||||
return "ru"
|
||||
}
|
||||
return "en"
|
||||
}
|
||||
|
||||
// renderConfirmationEmail builds the branded confirmation email for purpose in
|
||||
// locale: a large readable code plus a one-tap deeplink button, with an
|
||||
// ignore-notice footer and a landing link. Both a plain-text body and an HTML
|
||||
// alternative are produced. deeplinkURL is the absolute /confirm link and
|
||||
// landingURL the public landing origin.
|
||||
func renderConfirmationEmail(purpose, code, deeplinkURL, landingURL, locale string) (Message, error) {
|
||||
loc := normalizeLocale(locale)
|
||||
byLocale, ok := confirmEmailCopy[purpose]
|
||||
if !ok {
|
||||
byLocale = confirmEmailCopy[purposeLink]
|
||||
}
|
||||
cp := byLocale[loc]
|
||||
view := confirmEmailView{
|
||||
Brand: emailBrand[loc],
|
||||
Heading: cp.Heading,
|
||||
Intro: cp.Intro,
|
||||
Code: code,
|
||||
Expiry: emailExpiry(loc, emailCodeTTL),
|
||||
CTALabel: cp.CTALabel,
|
||||
DeeplinkURL: deeplinkURL,
|
||||
FooterIgnore: cp.FooterIgnore,
|
||||
LandingURL: landingURL,
|
||||
LandingLabel: emailBrand[loc],
|
||||
Preheader: cp.Preheader,
|
||||
Locale: loc,
|
||||
Accent: emailBrandColor,
|
||||
}
|
||||
var html strings.Builder
|
||||
if err := confirmEmailHTML.Execute(&html, view); err != nil {
|
||||
return Message{}, fmt.Errorf("account: render confirmation email (html): %w", err)
|
||||
}
|
||||
var text strings.Builder
|
||||
if err := confirmEmailText.Execute(&text, view); err != nil {
|
||||
return Message{}, fmt.Errorf("account: render confirmation email (text): %w", err)
|
||||
}
|
||||
return Message{Subject: cp.Subject, Text: text.String(), HTML: html.String()}, nil
|
||||
}
|
||||
|
||||
// confirmEmailHTML is a compact, image-free, mobile-friendly HTML email. Layout is
|
||||
// table-based for broad mail-client compatibility and all styling is inlined
|
||||
// because clients strip <style> blocks.
|
||||
var confirmEmailHTML = template.Must(template.New("confirmEmailHTML").Parse(`<!DOCTYPE html>
|
||||
<html lang="{{.Locale}}">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<title>{{.Brand}}</title>
|
||||
</head>
|
||||
<body style="margin:0;padding:0;background:#f4f5f7;">
|
||||
<span style="display:none;max-height:0;overflow:hidden;opacity:0;">{{.Preheader}}</span>
|
||||
<table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background:#f4f5f7;padding:24px 12px;">
|
||||
<tr><td align="center">
|
||||
<table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="max-width:460px;background:#ffffff;border:1px solid #e5e7eb;border-radius:14px;overflow:hidden;font-family:-apple-system,'Segoe UI',Roboto,Helvetica,Arial,sans-serif;">
|
||||
<tr><td style="padding:28px 32px 4px;">
|
||||
<div style="font-size:15px;font-weight:700;letter-spacing:.04em;color:{{.Accent}};">{{.Brand}}</div>
|
||||
</td></tr>
|
||||
<tr><td style="padding:8px 32px 0;">
|
||||
<h1 style="margin:0;font-size:20px;line-height:1.3;color:#111827;font-weight:600;">{{.Heading}}</h1>
|
||||
<p style="margin:12px 0 0;font-size:15px;line-height:1.5;color:#374151;">{{.Intro}}</p>
|
||||
</td></tr>
|
||||
<tr><td style="padding:18px 32px 0;">
|
||||
<div style="font-size:34px;font-weight:700;letter-spacing:8px;text-align:center;color:#111827;background:#f3f4f6;border-radius:10px;padding:18px 0;font-family:'SFMono-Regular',Consolas,Menlo,monospace;">{{.Code}}</div>
|
||||
<p style="margin:10px 0 0;font-size:13px;line-height:1.5;color:#6b7280;text-align:center;">{{.Expiry}}</p>
|
||||
</td></tr>
|
||||
{{if .DeeplinkURL}}<tr><td style="padding:22px 32px 0;" align="center">
|
||||
<a href="{{.DeeplinkURL}}" style="display:inline-block;background:{{.Accent}};color:#ffffff;text-decoration:none;font-size:15px;font-weight:600;padding:12px 26px;border-radius:9px;">{{.CTALabel}}</a>
|
||||
</td></tr>
|
||||
{{end}}<tr><td style="padding:26px 32px 28px;">
|
||||
<hr style="border:none;border-top:1px solid #eceef1;margin:0 0 16px;">
|
||||
<p style="margin:0;font-size:12px;line-height:1.6;color:#9ca3af;">{{.FooterIgnore}}</p>
|
||||
<p style="margin:10px 0 0;font-size:12px;color:#9ca3af;"><a href="{{.LandingURL}}" style="color:#6b7280;text-decoration:none;">{{.LandingLabel}}</a></p>
|
||||
</td></tr>
|
||||
</table>
|
||||
</td></tr>
|
||||
</table>
|
||||
</body>
|
||||
</html>
|
||||
`))
|
||||
|
||||
// confirmEmailText is the plain-text alternative (and multipart fallback).
|
||||
var confirmEmailText = tmpltext.Must(tmpltext.New("confirmEmailText").Parse(`{{.Brand}}
|
||||
|
||||
{{.Heading}}
|
||||
|
||||
{{.Intro}}
|
||||
|
||||
{{.Code}}
|
||||
|
||||
{{.Expiry}}
|
||||
|
||||
{{if .DeeplinkURL}}{{.CTALabel}}:
|
||||
{{.DeeplinkURL}}
|
||||
|
||||
{{end}}—
|
||||
{{.FooterIgnore}}
|
||||
{{.LandingLabel}} — {{.LandingURL}}
|
||||
`))
|
||||
@@ -0,0 +1,54 @@
|
||||
package account
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// TestRenderConfirmationEmail checks that each (purpose, locale) renders a localised
|
||||
// subject, embeds the code and the one-tap deeplink in both bodies, and produces HTML.
|
||||
func TestRenderConfirmationEmail(t *testing.T) {
|
||||
const deeplink = "https://erudit-game.ru/app/#/confirm/tok123"
|
||||
cases := []struct {
|
||||
name, purpose, locale, subjectSub string
|
||||
}{
|
||||
{"login ru", purposeLogin, "ru", "вход"},
|
||||
{"login en", purposeLogin, "en", "sign-in"},
|
||||
{"link ru", purposeLink, "ru", "подтвержд"},
|
||||
{"link en", purposeLink, "en", "confirmation"},
|
||||
{"change ru", purposeChange, "ru", "новый"},
|
||||
{"change en", purposeChange, "en", "new"},
|
||||
}
|
||||
for _, c := range cases {
|
||||
t.Run(c.name, func(t *testing.T) {
|
||||
msg, err := renderConfirmationEmail(c.purpose, "123456", deeplink, "https://erudit-game.ru", c.locale)
|
||||
if err != nil {
|
||||
t.Fatalf("render: %v", err)
|
||||
}
|
||||
if !strings.Contains(strings.ToLower(msg.Subject), c.subjectSub) {
|
||||
t.Errorf("subject %q does not contain %q", msg.Subject, c.subjectSub)
|
||||
}
|
||||
if !strings.Contains(msg.Text, "123456") || !strings.Contains(msg.HTML, "123456") {
|
||||
t.Error("code missing from a body")
|
||||
}
|
||||
if !strings.Contains(msg.Text, deeplink) || !strings.Contains(msg.HTML, "confirm/tok123") {
|
||||
t.Error("deeplink missing from a body")
|
||||
}
|
||||
if !strings.Contains(msg.HTML, "<html") {
|
||||
t.Error("HTML body is not HTML")
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestRenderConfirmationEmailUnknownLocaleDefaultsEnglish falls back to English for an
|
||||
// unsupported locale rather than erroring or emitting an empty subject.
|
||||
func TestRenderConfirmationEmailUnknownLocaleDefaultsEnglish(t *testing.T) {
|
||||
msg, err := renderConfirmationEmail(purposeLogin, "000000", "", "https://erudit-game.ru", "de")
|
||||
if err != nil {
|
||||
t.Fatalf("render: %v", err)
|
||||
}
|
||||
if !strings.Contains(strings.ToLower(msg.Subject), "sign-in") {
|
||||
t.Errorf("unknown locale should default to English, got subject %q", msg.Subject)
|
||||
}
|
||||
}
|
||||
@@ -2,6 +2,7 @@ package account
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
@@ -16,6 +17,68 @@ import (
|
||||
// belongs to another account; the caller turns it into a merge.
|
||||
var ErrIdentityTaken = errors.New("account: identity already linked to another account")
|
||||
|
||||
// ErrLastIdentity is returned when removing an identity would leave the account with
|
||||
// none, making it unreachable after logout. The admin email-erase refuses it.
|
||||
var ErrLastIdentity = errors.New("account: cannot remove the last identity")
|
||||
|
||||
// RemoveIdentity deletes the account's identity of the given kind (and, for an email,
|
||||
// any pending confirmations for it), freeing it for reuse. It refuses when that is the
|
||||
// account's only identity (ErrLastIdentity) — which would leave the account
|
||||
// unreachable — and returns ErrNotFound when the account has no identity of that kind.
|
||||
// It backs the profile Unlink control and the admin "erase email" action.
|
||||
func (s *Store) RemoveIdentity(ctx context.Context, accountID uuid.UUID, kind string) error {
|
||||
ids, err := s.Identities(ctx, accountID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
var toRetain []Identity
|
||||
others := 0
|
||||
for _, id := range ids {
|
||||
if id.Kind == kind {
|
||||
toRetain = append(toRetain, id)
|
||||
} else {
|
||||
others++
|
||||
}
|
||||
}
|
||||
if len(toRetain) == 0 {
|
||||
return ErrNotFound
|
||||
}
|
||||
if others == 0 {
|
||||
return ErrLastIdentity
|
||||
}
|
||||
return withTx(ctx, s.db, func(tx *sql.Tx) error {
|
||||
// Journal the detached credential before removing it, so the legal dossier
|
||||
// survives while the identity frees for reuse (see retention.go).
|
||||
for _, id := range toRetain {
|
||||
if err := retainIdentityTx(ctx, tx, accountID, id.Kind, id.ExternalID, id.Confirmed, id.CreatedAt, retainUnlink); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
delID := table.Identities.DELETE().WHERE(
|
||||
table.Identities.AccountID.EQ(postgres.UUID(accountID)).
|
||||
AND(table.Identities.Kind.EQ(postgres.String(kind))),
|
||||
)
|
||||
if _, err := delID.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("account: delete %s identity %s: %w", kind, accountID, err)
|
||||
}
|
||||
if kind == KindEmail {
|
||||
delConf := table.EmailConfirmations.DELETE().WHERE(
|
||||
table.EmailConfirmations.AccountID.EQ(postgres.UUID(accountID)),
|
||||
)
|
||||
if _, err := delConf.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("account: delete email confirmations %s: %w", accountID, err)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveEmailIdentity erases the account's email identity. It backs the admin console's
|
||||
// "erase email" action; the user-facing profile never unlinks email (it is changed).
|
||||
func (s *Store) RemoveEmailIdentity(ctx context.Context, accountID uuid.UUID) error {
|
||||
return s.RemoveIdentity(ctx, accountID, KindEmail)
|
||||
}
|
||||
|
||||
// RequestLinkCode issues and mails a confirm-code for email to accountID,
|
||||
// replacing any prior pending code. Unlike RequestCode it never refuses up front
|
||||
// (taken or already-confirmed): possession of the address is the authorization for
|
||||
@@ -26,16 +89,10 @@ func (s *EmailService) RequestLinkCode(ctx context.Context, accountID uuid.UUID,
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
code, hash, err := generateCode()
|
||||
if err != nil {
|
||||
return err
|
||||
if !s.allowSend(addr) {
|
||||
return ErrTooManyRequests
|
||||
}
|
||||
if err := s.store.replacePendingConfirmation(ctx, accountID, addr, hash, s.now().Add(emailCodeTTL)); err != nil {
|
||||
return err
|
||||
}
|
||||
subject := "Your Scrabble confirmation code"
|
||||
body := fmt.Sprintf("Your confirmation code is %s. It expires in %d minutes.", code, int(emailCodeTTL/time.Minute))
|
||||
return s.mailer.Send(ctx, addr, subject, body)
|
||||
return s.issueCode(ctx, accountID, addr, purposeLink, s.accountLocale(ctx, accountID), false)
|
||||
}
|
||||
|
||||
// ConfirmLink verifies code for (accountID, email) and reports the address's
|
||||
@@ -70,6 +127,100 @@ func (s *EmailService) ConfirmLink(ctx context.Context, accountID uuid.UUID, ema
|
||||
return accountID, true, nil
|
||||
}
|
||||
|
||||
// RequestChangeCode issues and mails a confirm-code to newEmail for an authenticated
|
||||
// email change on accountID, replacing any prior pending code. Like RequestLinkCode it
|
||||
// never refuses up front on "taken" (anti-enumeration): possession of newEmail is the
|
||||
// authorization, and a conflict with another account is revealed only at confirm — as a
|
||||
// non-disclosing refusal, never a merge.
|
||||
func (s *EmailService) RequestChangeCode(ctx context.Context, accountID uuid.UUID, newEmail string) error {
|
||||
addr, err := normalizeEmail(newEmail)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !s.allowSend(addr) {
|
||||
return ErrTooManyRequests
|
||||
}
|
||||
return s.issueCode(ctx, accountID, addr, purposeChange, s.accountLocale(ctx, accountID), false)
|
||||
}
|
||||
|
||||
// ConfirmChange verifies code for (accountID, newEmail) and atomically replaces the
|
||||
// account's confirmed email with newEmail, freeing the old address. When newEmail is
|
||||
// already confirmed by another account it refuses with ErrEmailTaken (surfaced to the
|
||||
// user as a non-disclosing "check the address or contact support"), never merging; when
|
||||
// the account already owns newEmail it is an idempotent no-op. It returns the usual
|
||||
// confirm-code errors (ErrNoPendingCode, ErrCodeExpired, ErrTooManyAttempts,
|
||||
// ErrCodeMismatch) and the updated account on success.
|
||||
func (s *EmailService) ConfirmChange(ctx context.Context, accountID uuid.UUID, newEmail, code string) (Account, error) {
|
||||
addr, err := normalizeEmail(newEmail)
|
||||
if err != nil {
|
||||
return Account{}, err
|
||||
}
|
||||
conf, err := s.verifyPendingCode(ctx, accountID, addr, code)
|
||||
if err != nil {
|
||||
return Account{}, err
|
||||
}
|
||||
owner, ok, err := s.store.confirmedEmailAccount(ctx, addr)
|
||||
if err != nil {
|
||||
return Account{}, err
|
||||
}
|
||||
if ok && owner != accountID {
|
||||
return Account{}, ErrEmailTaken
|
||||
}
|
||||
if ok && owner == accountID {
|
||||
if err := s.store.consumeConfirmation(ctx, conf.id, s.now()); err != nil {
|
||||
return Account{}, err
|
||||
}
|
||||
return s.store.GetByID(ctx, accountID)
|
||||
}
|
||||
if err := s.store.replaceEmailIdentity(ctx, conf.id, accountID, addr, s.now()); err != nil {
|
||||
return Account{}, err
|
||||
}
|
||||
return s.store.GetByID(ctx, accountID)
|
||||
}
|
||||
|
||||
// HasEmail reports whether accountID owns a confirmed email. The account-deletion step-up
|
||||
// mails a confirm-code when it does, and falls back to a typed phrase otherwise.
|
||||
func (s *EmailService) HasEmail(ctx context.Context, accountID uuid.UUID) (bool, error) {
|
||||
_, ok, err := s.store.confirmedEmailOf(ctx, accountID)
|
||||
return ok, err
|
||||
}
|
||||
|
||||
// RequestDeleteCode mails an account-deletion confirm-code to the account's own confirmed
|
||||
// email (no deeplink — deletion is confirmed in the app). It returns ErrNoEmail when the
|
||||
// account holds no email, ErrTooManyRequests when throttled.
|
||||
func (s *EmailService) RequestDeleteCode(ctx context.Context, accountID uuid.UUID) error {
|
||||
addr, ok, err := s.store.confirmedEmailOf(ctx, accountID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !ok {
|
||||
return ErrNoEmail
|
||||
}
|
||||
if !s.allowSend(addr) {
|
||||
return ErrTooManyRequests
|
||||
}
|
||||
return s.issueCode(ctx, accountID, addr, purposeDelete, s.accountLocale(ctx, accountID), false)
|
||||
}
|
||||
|
||||
// VerifyDeleteCode verifies the account-deletion code against the account's own email and
|
||||
// consumes it on success. It returns ErrNoEmail (no email), the usual confirm-code errors
|
||||
// (ErrNoPendingCode, ErrCodeExpired, ErrTooManyAttempts, ErrCodeMismatch), or nil when the
|
||||
// code is valid — the caller then performs the deletion.
|
||||
func (s *EmailService) VerifyDeleteCode(ctx context.Context, accountID uuid.UUID, code string) error {
|
||||
addr, ok, err := s.store.confirmedEmailOf(ctx, accountID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !ok {
|
||||
return ErrNoEmail
|
||||
}
|
||||
conf, err := s.verifyPendingCode(ctx, accountID, addr, code)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return s.store.consumeConfirmation(ctx, conf.id, s.now())
|
||||
}
|
||||
|
||||
// verifyPendingCode loads and checks the pending confirm-code for (accountID,
|
||||
// addr), counting a wrong attempt. It returns the confirmation on success.
|
||||
func (s *EmailService) verifyPendingCode(ctx context.Context, accountID uuid.UUID, addr, code string) (emailConfirmation, error) {
|
||||
|
||||
@@ -3,33 +3,99 @@ package account
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/smtp"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/wneessen/go-mail"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
// Message is a transactional email to send through a Mailer. Text is the
|
||||
// required plain-text body and doubles as the multipart/alternative fallback;
|
||||
// HTML, when non-empty, is the preferred body a capable client renders instead.
|
||||
type Message struct {
|
||||
// To is the recipient address, or several comma-separated (all get the one message).
|
||||
To string
|
||||
// From, when non-empty, overrides the configured sender for this message — the admin
|
||||
// alert path uses a distinct From from the user-facing confirm-code sender.
|
||||
From string
|
||||
Subject string
|
||||
Text string
|
||||
HTML string
|
||||
}
|
||||
|
||||
// Mailer delivers a transactional email. It is the seam behind which the email
|
||||
// confirm-code flow sends codes, so the relay is swappable and unit tests use a
|
||||
// fixture (see docs/TESTING.md: no real network in tests). The context is offered
|
||||
// for cancellation; the standard-library SMTP implementation sends synchronously
|
||||
// and ignores it.
|
||||
// fixture (see docs/TESTING.md: no real network in tests). The context bounds the
|
||||
// delivery and is honoured by the SMTP implementation.
|
||||
type Mailer interface {
|
||||
Send(ctx context.Context, to, subject, body string) error
|
||||
Send(ctx context.Context, msg Message) error
|
||||
}
|
||||
|
||||
// splitAddrs splits a comma-separated recipient list into trimmed, non-empty addresses.
|
||||
func splitAddrs(list string) []string {
|
||||
parts := strings.Split(list, ",")
|
||||
out := make([]string, 0, len(parts))
|
||||
for _, p := range parts {
|
||||
if a := strings.TrimSpace(p); a != "" {
|
||||
out = append(out, a)
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// SMTPConfig configures the SMTP relay. An empty Host selects the LogMailer
|
||||
// instead, so a deployment without a relay still runs (the code lands in the log).
|
||||
// TLS is always used and no client certificate is required — only the server
|
||||
// certificate is validated against the system roots.
|
||||
type SMTPConfig struct {
|
||||
Host string
|
||||
Port string
|
||||
Username string
|
||||
Password string
|
||||
From string
|
||||
// TLS selects the transport security: "ssl" for implicit TLS from connect, or
|
||||
// "starttls" to upgrade a plaintext connection. Empty derives the mode from the
|
||||
// port (implicit TLS on 465, STARTTLS otherwise); set it explicitly for a relay on
|
||||
// a non-standard port (e.g. Selectel's 1127 = SSL, 1126 = STARTTLS).
|
||||
TLS string
|
||||
// AdminFrom / AdminTo drive the operator alert emails (new feedback / word complaints),
|
||||
// distinct from the user-facing confirm-code sender. AdminTo may be several
|
||||
// comma-separated addresses. Both empty disables the alert worker.
|
||||
AdminFrom string
|
||||
AdminTo string
|
||||
}
|
||||
|
||||
// SMTPMailer sends mail through an SMTP relay using the standard library. When a
|
||||
// username is set it authenticates with PLAIN; otherwise it relays unauthenticated.
|
||||
const (
|
||||
// SMTP transport-security modes for SMTPConfig.TLS.
|
||||
smtpTLSImplicit = "ssl"
|
||||
smtpTLSSTARTTLS = "starttls"
|
||||
// smtpDialTimeout bounds a single relay connect-and-send. The confirm-code send
|
||||
// is synchronous on the request path, so an unreachable relay must fail fast
|
||||
// rather than hold the request open.
|
||||
smtpDialTimeout = 15 * time.Second
|
||||
)
|
||||
|
||||
// tlsMode resolves the transport-security mode for the relay: the explicitly
|
||||
// configured SMTPConfig.TLS, or — when unset — implicit TLS on the conventional SSL
|
||||
// port 465 and STARTTLS on any other port.
|
||||
func (cfg SMTPConfig) tlsMode(port int) string {
|
||||
switch strings.ToLower(strings.TrimSpace(cfg.TLS)) {
|
||||
case smtpTLSImplicit, "tls":
|
||||
return smtpTLSImplicit
|
||||
case smtpTLSSTARTTLS:
|
||||
return smtpTLSSTARTTLS
|
||||
}
|
||||
if port == 465 {
|
||||
return smtpTLSImplicit
|
||||
}
|
||||
return smtpTLSSTARTTLS
|
||||
}
|
||||
|
||||
// SMTPMailer sends mail through an SMTP relay using go-mail. When a username is
|
||||
// set it authenticates, auto-discovering the strongest mechanism the relay
|
||||
// advertises; otherwise it relays unauthenticated.
|
||||
type SMTPMailer struct {
|
||||
cfg SMTPConfig
|
||||
}
|
||||
@@ -39,29 +105,55 @@ func NewSMTPMailer(cfg SMTPConfig) SMTPMailer {
|
||||
return SMTPMailer{cfg: cfg}
|
||||
}
|
||||
|
||||
// Send delivers a plain-text UTF-8 message to to via the configured relay.
|
||||
func (m SMTPMailer) Send(_ context.Context, to, subject, body string) error {
|
||||
addr := net.JoinHostPort(m.cfg.Host, m.cfg.Port)
|
||||
var auth smtp.Auth
|
||||
if m.cfg.Username != "" {
|
||||
auth = smtp.PlainAuth("", m.cfg.Username, m.cfg.Password, m.cfg.Host)
|
||||
// Send delivers a UTF-8 message to msg.To via the configured relay. When msg.HTML
|
||||
// is set the message is multipart/alternative (plain text plus HTML); otherwise
|
||||
// it is plain text only.
|
||||
func (m SMTPMailer) Send(ctx context.Context, msg Message) error {
|
||||
port, err := strconv.Atoi(m.cfg.Port)
|
||||
if err != nil {
|
||||
return fmt.Errorf("account: invalid SMTP port %q: %w", m.cfg.Port, err)
|
||||
}
|
||||
if err := smtp.SendMail(addr, auth, m.cfg.From, []string{to}, message(m.cfg.From, to, subject, body)); err != nil {
|
||||
return fmt.Errorf("account: send mail to %s: %w", to, err)
|
||||
opts := []mail.Option{mail.WithPort(port), mail.WithTimeout(smtpDialTimeout)}
|
||||
if m.cfg.tlsMode(port) == smtpTLSImplicit {
|
||||
opts = append(opts, mail.WithSSL())
|
||||
} else {
|
||||
opts = append(opts, mail.WithTLSPortPolicy(mail.TLSMandatory))
|
||||
}
|
||||
if m.cfg.Username != "" {
|
||||
opts = append(opts,
|
||||
mail.WithSMTPAuth(mail.SMTPAuthAutoDiscover),
|
||||
mail.WithUsername(m.cfg.Username),
|
||||
mail.WithPassword(m.cfg.Password),
|
||||
)
|
||||
}
|
||||
client, err := mail.NewClient(m.cfg.Host, opts...)
|
||||
if err != nil {
|
||||
return fmt.Errorf("account: build mail client: %w", err)
|
||||
}
|
||||
out := mail.NewMsg()
|
||||
from := m.cfg.From
|
||||
if msg.From != "" {
|
||||
from = msg.From
|
||||
}
|
||||
if err := out.From(from); err != nil {
|
||||
return fmt.Errorf("account: set From %q: %w", from, err)
|
||||
}
|
||||
// To may carry several comma-separated recipients; go-mail wants them as separate
|
||||
// arguments (a single joined string parses as one malformed address).
|
||||
if err := out.To(splitAddrs(msg.To)...); err != nil {
|
||||
return fmt.Errorf("account: set To %q: %w", msg.To, err)
|
||||
}
|
||||
out.Subject(msg.Subject)
|
||||
out.SetBodyString(mail.TypeTextPlain, msg.Text)
|
||||
if msg.HTML != "" {
|
||||
out.AddAlternativeString(mail.TypeTextHTML, msg.HTML)
|
||||
}
|
||||
if err := client.DialAndSendWithContext(ctx, out); err != nil {
|
||||
return fmt.Errorf("account: send mail to %s: %w", msg.To, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// message renders a minimal RFC 5322 plain-text email.
|
||||
func message(from, to, subject, body string) []byte {
|
||||
return []byte("From: " + from + "\r\n" +
|
||||
"To: " + to + "\r\n" +
|
||||
"Subject: " + subject + "\r\n" +
|
||||
"MIME-Version: 1.0\r\n" +
|
||||
"Content-Type: text/plain; charset=UTF-8\r\n" +
|
||||
"\r\n" + body + "\r\n")
|
||||
}
|
||||
|
||||
// LogMailer logs the message instead of sending it. It is the default when no
|
||||
// SMTP relay is configured and is intended for development only: it logs the body,
|
||||
// which carries the confirm-code, so it must not be used in production.
|
||||
@@ -74,11 +166,12 @@ func NewLogMailer(log *zap.Logger) LogMailer {
|
||||
return LogMailer{log: log}
|
||||
}
|
||||
|
||||
// Send logs the message at info level and reports success.
|
||||
func (m LogMailer) Send(_ context.Context, to, subject, body string) error {
|
||||
// Send logs the message at info level and reports success. It logs the plain-text
|
||||
// body only (which carries the confirm-code); the HTML alternative is omitted.
|
||||
func (m LogMailer) Send(_ context.Context, msg Message) error {
|
||||
if m.log != nil {
|
||||
m.log.Info("email not sent (log mailer)",
|
||||
zap.String("to", to), zap.String("subject", subject), zap.String("body", body))
|
||||
zap.String("to", msg.To), zap.String("subject", msg.Subject), zap.String("body", msg.Text))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -0,0 +1,51 @@
|
||||
package account
|
||||
|
||||
import (
|
||||
"slices"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// TestSplitAddrs covers the comma-separated recipient parsing used for the admin alert
|
||||
// To (several operator mailboxes in one message), including trimming and empty entries.
|
||||
func TestSplitAddrs(t *testing.T) {
|
||||
cases := []struct {
|
||||
in string
|
||||
want []string
|
||||
}{
|
||||
{"a@x.ru", []string{"a@x.ru"}},
|
||||
{"a@x.ru, b@y.ru", []string{"a@x.ru", "b@y.ru"}},
|
||||
{" a@x.ru ,, b@y.ru ,", []string{"a@x.ru", "b@y.ru"}},
|
||||
{"", nil},
|
||||
}
|
||||
for _, c := range cases {
|
||||
if got := splitAddrs(c.in); !slices.Equal(got, c.want) {
|
||||
t.Errorf("splitAddrs(%q) = %v, want %v", c.in, got, c.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestSMTPTLSMode covers the explicit TLS mode and the port-based fallback, including
|
||||
// the non-standard Selectel ports (1127 = SSL, 1126 = STARTTLS) that the 465 heuristic
|
||||
// alone cannot classify.
|
||||
func TestSMTPTLSMode(t *testing.T) {
|
||||
cases := []struct {
|
||||
name string
|
||||
tls string
|
||||
port int
|
||||
want string
|
||||
}{
|
||||
{"explicit ssl on a custom port (Selectel 1127)", "ssl", 1127, smtpTLSImplicit},
|
||||
{"explicit starttls on a custom port (Selectel 1126)", "starttls", 1126, smtpTLSSTARTTLS},
|
||||
{"tls is an alias for ssl", "TLS", 2525, smtpTLSImplicit},
|
||||
{"empty derives implicit TLS on 465", "", 465, smtpTLSImplicit},
|
||||
{"empty derives STARTTLS on 587", "", 587, smtpTLSSTARTTLS},
|
||||
{"an unknown value falls back to the port heuristic", "bogus", 465, smtpTLSImplicit},
|
||||
}
|
||||
for _, c := range cases {
|
||||
t.Run(c.name, func(t *testing.T) {
|
||||
if got := (SMTPConfig{TLS: c.tls}).tlsMode(c.port); got != c.want {
|
||||
t.Errorf("tlsMode(TLS=%q, port=%d) = %q, want %q", c.tls, c.port, got, c.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
@@ -75,3 +75,55 @@ func TestTelegramSeedTruncatesLongName(t *testing.T) {
|
||||
t.Errorf("display name rune count = %d, want %d", n, maxDisplayName)
|
||||
}
|
||||
}
|
||||
|
||||
// TestVKSeed covers the pure mapping from VK launch fields to the create-time account
|
||||
// seed: supported-language detection from vk_language (bare and region-tagged) and the
|
||||
// display name sanitized from the client-supplied name. Unlike Telegram there is no
|
||||
// @username fallback — VK provides only the name.
|
||||
func TestVKSeed(t *testing.T) {
|
||||
cases := map[string]struct {
|
||||
languageCode, displayName string
|
||||
wantLang, wantName string
|
||||
}{
|
||||
"ru bare": {"ru", "Иван", "ru", "Иван"},
|
||||
"en region-tagged": {"en-US", "John", "en", "John"},
|
||||
"full name kept": {"ru", "Иван Петров", "ru", "Иван Петров"},
|
||||
"unknown language": {"uk", "Тарас", "", "Тарас"},
|
||||
"empty language": {"", "Neo", "", "Neo"},
|
||||
"trimmed": {" RU ", " Anna ", "ru", "Anna"},
|
||||
"emoji stripped": {"en", "🎮Kaya🎮", "en", "Kaya"},
|
||||
}
|
||||
for name, tc := range cases {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
got := vkSeed(tc.languageCode, tc.displayName)
|
||||
if got.preferredLanguage != tc.wantLang {
|
||||
t.Errorf("preferredLanguage = %q, want %q", got.preferredLanguage, tc.wantLang)
|
||||
}
|
||||
if got.displayName != tc.wantName {
|
||||
t.Errorf("displayName = %q, want %q", got.displayName, tc.wantName)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestVKSeedPlaceholder checks a VK name with no usable letters falls back to a
|
||||
// generated placeholder in the seeded language ("Player-NNNNN" / "Игрок-NNNNN").
|
||||
func TestVKSeedPlaceholder(t *testing.T) {
|
||||
cases := map[string]struct {
|
||||
languageCode, displayName string
|
||||
wantRe string
|
||||
}{
|
||||
"en empty": {"en", "", `^Player-\d{5}$`},
|
||||
"ru empty": {"ru", "", `^Игрок-\d{5}$`},
|
||||
"default en": {"uk", "", `^Player-\d{5}$`},
|
||||
"name garbage": {"ru", "123!@#", `^Игрок-\d{5}$`},
|
||||
}
|
||||
for name, tc := range cases {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
got := vkSeed(tc.languageCode, tc.displayName).displayName
|
||||
if !regexp.MustCompile(tc.wantRe).MatchString(got) {
|
||||
t.Errorf("displayName = %q, want match %s", got, tc.wantRe)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,66 @@
|
||||
package account
|
||||
|
||||
import (
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
// SendLimiter throttles confirm-code sends per recipient address: it enforces a
|
||||
// minimum cooldown between two sends and a cap over a rolling hour. It guards against
|
||||
// email bombing and protects the relay's own quota. State is in-memory (per process,
|
||||
// reset on restart) and keyed by the normalised recipient address, which is adequate
|
||||
// for the single-instance backend. Safe for concurrent use.
|
||||
type SendLimiter struct {
|
||||
mu sync.Mutex
|
||||
cooldown time.Duration
|
||||
perHour int
|
||||
now func() time.Time
|
||||
sends map[string][]time.Time
|
||||
}
|
||||
|
||||
// NewSendLimiter returns a SendLimiter allowing at most one send per cooldown and at
|
||||
// most perHour sends over any rolling hour, to the same recipient.
|
||||
func NewSendLimiter(cooldown time.Duration, perHour int) *SendLimiter {
|
||||
return &SendLimiter{
|
||||
cooldown: cooldown,
|
||||
perHour: perHour,
|
||||
now: func() time.Time { return time.Now() },
|
||||
sends: make(map[string][]time.Time),
|
||||
}
|
||||
}
|
||||
|
||||
// Allow reports whether a send to key is permitted now, recording the send when it is.
|
||||
// It is denied when the last send was within the cooldown or the rolling-hour cap is
|
||||
// already reached.
|
||||
func (l *SendLimiter) Allow(key string) bool {
|
||||
l.mu.Lock()
|
||||
defer l.mu.Unlock()
|
||||
now := l.now()
|
||||
cutoff := now.Add(-time.Hour)
|
||||
kept := l.sends[key][:0]
|
||||
for _, t := range l.sends[key] {
|
||||
if t.After(cutoff) {
|
||||
kept = append(kept, t)
|
||||
}
|
||||
}
|
||||
if n := len(kept); n > 0 && now.Sub(kept[n-1]) < l.cooldown {
|
||||
l.set(key, kept)
|
||||
return false
|
||||
}
|
||||
if len(kept) >= l.perHour {
|
||||
l.set(key, kept)
|
||||
return false
|
||||
}
|
||||
l.set(key, append(kept, now))
|
||||
return true
|
||||
}
|
||||
|
||||
// set stores the retained send times for key, dropping the entry entirely once empty
|
||||
// so the map stays bounded to recipients active within the last hour.
|
||||
func (l *SendLimiter) set(key string, times []time.Time) {
|
||||
if len(times) == 0 {
|
||||
delete(l.sends, key)
|
||||
return
|
||||
}
|
||||
l.sends[key] = times
|
||||
}
|
||||
@@ -0,0 +1,43 @@
|
||||
package account
|
||||
|
||||
import (
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
// TestSendLimiter checks the per-recipient cooldown and the rolling-hour cap, and
|
||||
// that recipients are throttled independently.
|
||||
func TestSendLimiter(t *testing.T) {
|
||||
base := time.Now()
|
||||
now := base
|
||||
l := NewSendLimiter(time.Minute, 3)
|
||||
l.now = func() time.Time { return now }
|
||||
|
||||
if !l.Allow("a") {
|
||||
t.Fatal("send 1 should be allowed")
|
||||
}
|
||||
if l.Allow("a") {
|
||||
t.Fatal("immediate resend must be blocked by the cooldown")
|
||||
}
|
||||
if !l.Allow("b") {
|
||||
t.Fatal("a different recipient is independent")
|
||||
}
|
||||
|
||||
now = base.Add(time.Minute)
|
||||
if !l.Allow("a") {
|
||||
t.Fatal("send 2 after the cooldown should be allowed")
|
||||
}
|
||||
now = base.Add(2 * time.Minute)
|
||||
if !l.Allow("a") {
|
||||
t.Fatal("send 3 should be allowed")
|
||||
}
|
||||
now = base.Add(3 * time.Minute)
|
||||
if l.Allow("a") {
|
||||
t.Fatal("send 4 within the hour must be blocked by the cap")
|
||||
}
|
||||
|
||||
now = base.Add(time.Hour + time.Minute)
|
||||
if !l.Allow("a") {
|
||||
t.Fatal("after the rolling hour the cap resets")
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,224 @@
|
||||
package account
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/go-jet/jet/v2/postgres"
|
||||
"github.com/go-jet/jet/v2/qrm"
|
||||
"github.com/google/uuid"
|
||||
"go.uber.org/zap"
|
||||
|
||||
"scrabble/backend/internal/postgres/jet/backend/model"
|
||||
"scrabble/backend/internal/postgres/jet/backend/table"
|
||||
)
|
||||
|
||||
// RetentionTTL bounds how long the account-deletion legal dossier is kept before the
|
||||
// reaper purges it: two years from the detach/deletion event (owner policy, 2026-07-03).
|
||||
const RetentionTTL = 2 * 365 * 24 * time.Hour
|
||||
|
||||
// Reasons recorded on a retained_identities row: what detached the credential from its
|
||||
// account (unlink / email change / account deletion here; an account merge that drops a
|
||||
// same-kind colliding identity writes reason "merge" from the accountmerge package). The
|
||||
// row is written just before the live identities row is removed, preserving the legal
|
||||
// dossier (which email/vk/tg was linked, and when) even as the identity frees for reuse.
|
||||
// See docs/ARCHITECTURE.md §9.1.
|
||||
const (
|
||||
retainUnlink = "unlink"
|
||||
retainChange = "change"
|
||||
retainDelete = "delete"
|
||||
)
|
||||
|
||||
// retainIdentityTx appends a retention-journal row for one identity being detached, inside
|
||||
// tx. linkedAt is the identity's original creation time; detached_at defaults to now(). It
|
||||
// must run in the same transaction as the identity removal, so the dossier and the live
|
||||
// state can never diverge.
|
||||
func retainIdentityTx(ctx context.Context, tx *sql.Tx, accountID uuid.UUID, kind, externalID string, confirmed bool, linkedAt time.Time, reason string) error {
|
||||
id, err := uuid.NewV7()
|
||||
if err != nil {
|
||||
return fmt.Errorf("account: new retained id: %w", err)
|
||||
}
|
||||
ins := table.RetainedIdentities.INSERT(
|
||||
table.RetainedIdentities.RetainedID, table.RetainedIdentities.AccountID,
|
||||
table.RetainedIdentities.Kind, table.RetainedIdentities.ExternalID,
|
||||
table.RetainedIdentities.Confirmed, table.RetainedIdentities.LinkedAt,
|
||||
table.RetainedIdentities.Reason,
|
||||
).VALUES(id, accountID, kind, externalID, confirmed, linkedAt, reason)
|
||||
if _, err := ins.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("account: retain identity (%s, %s): %w", kind, externalID, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// StampLastLogin records the account's last cold-load time and client IP, but only when
|
||||
// the stored value is missing or older than an hour — so it costs at most one write per
|
||||
// account per hour (its caller, the profile fetch, runs once per cold app-load). It is a
|
||||
// best-effort audit signal that feeds the account-deletion dossier.
|
||||
func (s *Store) StampLastLogin(ctx context.Context, accountID uuid.UUID, ip string) error {
|
||||
now := time.Now().UTC()
|
||||
upd := table.Accounts.UPDATE(table.Accounts.LastLoginAt, table.Accounts.LastLoginIP).
|
||||
SET(postgres.TimestampzT(now), postgres.String(ip)).
|
||||
WHERE(
|
||||
table.Accounts.AccountID.EQ(postgres.UUID(accountID)).
|
||||
AND(
|
||||
table.Accounts.LastLoginAt.IS_NULL().
|
||||
OR(table.Accounts.LastLoginAt.LT(postgres.TimestampzT(now.Add(-time.Hour)))),
|
||||
),
|
||||
)
|
||||
if _, err := upd.ExecContext(ctx, s.db); err != nil {
|
||||
return fmt.Errorf("account: stamp last login %s: %w", accountID, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ReapExpiredRetention purges retention data whose event is older than cutoff: every
|
||||
// retained_identities row by its detached_at (covering unlink/change on live accounts as
|
||||
// well as deleted ones), plus — for accounts tombstoned before cutoff — the retained
|
||||
// feedback thread and the dossier PII (deleted_display_name, last_login_ip). Chat is kept
|
||||
// (a shared game artifact), and the tombstone account row itself stays (its no-cascade
|
||||
// foreign keys). It returns how many journal rows and feedback messages were removed.
|
||||
func (s *Store) ReapExpiredRetention(ctx context.Context, cutoff time.Time) (identities, feedback int64, err error) {
|
||||
cut := postgres.TimestampzT(cutoff)
|
||||
delJournal := table.RetainedIdentities.DELETE().
|
||||
WHERE(table.RetainedIdentities.DetachedAt.LT(cut))
|
||||
res, err := delJournal.ExecContext(ctx, s.db)
|
||||
if err != nil {
|
||||
return 0, 0, fmt.Errorf("account: reap retained identities: %w", err)
|
||||
}
|
||||
identities, _ = res.RowsAffected()
|
||||
|
||||
expired := postgres.SELECT(table.Accounts.AccountID).
|
||||
FROM(table.Accounts).
|
||||
WHERE(table.Accounts.DeletedAt.IS_NOT_NULL().AND(table.Accounts.DeletedAt.LT(cut)))
|
||||
delFeedback := table.FeedbackMessages.DELETE().
|
||||
WHERE(table.FeedbackMessages.AccountID.IN(expired))
|
||||
fbRes, err := delFeedback.ExecContext(ctx, s.db)
|
||||
if err != nil {
|
||||
return identities, 0, fmt.Errorf("account: reap deleted feedback: %w", err)
|
||||
}
|
||||
feedback, _ = fbRes.RowsAffected()
|
||||
|
||||
clearPII := table.Accounts.UPDATE(table.Accounts.DeletedDisplayName, table.Accounts.LastLoginIP).
|
||||
SET(postgres.NULL, postgres.NULL).
|
||||
WHERE(
|
||||
table.Accounts.DeletedAt.IS_NOT_NULL().
|
||||
AND(table.Accounts.DeletedAt.LT(cut)).
|
||||
AND(table.Accounts.DeletedDisplayName.IS_NOT_NULL().
|
||||
OR(table.Accounts.LastLoginIP.IS_NOT_NULL())),
|
||||
)
|
||||
if _, err := clearPII.ExecContext(ctx, s.db); err != nil {
|
||||
return identities, feedback, fmt.Errorf("account: clear expired dossier PII: %w", err)
|
||||
}
|
||||
return identities, feedback, nil
|
||||
}
|
||||
|
||||
// RetainedIdentity is one row of the retention journal, for the admin dossier.
|
||||
type RetainedIdentity struct {
|
||||
Kind string
|
||||
ExternalID string
|
||||
Reason string
|
||||
Confirmed bool
|
||||
LinkedAt time.Time
|
||||
DetachedAt time.Time
|
||||
}
|
||||
|
||||
// RetainedIdentities returns the account's retention-journal rows (the legal dossier of
|
||||
// detached credentials), newest detach first, for the admin console.
|
||||
func (s *Store) RetainedIdentities(ctx context.Context, accountID uuid.UUID) ([]RetainedIdentity, error) {
|
||||
var rows []model.RetainedIdentities
|
||||
err := postgres.SELECT(table.RetainedIdentities.AllColumns).
|
||||
FROM(table.RetainedIdentities).
|
||||
WHERE(table.RetainedIdentities.AccountID.EQ(postgres.UUID(accountID))).
|
||||
ORDER_BY(table.RetainedIdentities.DetachedAt.DESC()).
|
||||
QueryContext(ctx, s.db, &rows)
|
||||
if err != nil && !errors.Is(err, qrm.ErrNoRows) {
|
||||
return nil, fmt.Errorf("account: retained identities %s: %w", accountID, err)
|
||||
}
|
||||
out := make([]RetainedIdentity, 0, len(rows))
|
||||
for _, r := range rows {
|
||||
out = append(out, RetainedIdentity{
|
||||
Kind: r.Kind, ExternalID: r.ExternalID, Reason: r.Reason,
|
||||
Confirmed: r.Confirmed, LinkedAt: r.LinkedAt, DetachedAt: r.DetachedAt,
|
||||
})
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
// DeletionInfo is a tombstoned account's dossier header, for the admin console.
|
||||
type DeletionInfo struct {
|
||||
DeletedAt *time.Time
|
||||
DeletedDisplayName string
|
||||
LastLoginAt *time.Time
|
||||
LastLoginIP string
|
||||
}
|
||||
|
||||
// DeletionInfo reads the account's deletion tombstone + last-login dossier fields.
|
||||
func (s *Store) DeletionInfo(ctx context.Context, accountID uuid.UUID) (DeletionInfo, error) {
|
||||
var row model.Accounts
|
||||
err := postgres.SELECT(
|
||||
table.Accounts.DeletedAt, table.Accounts.DeletedDisplayName,
|
||||
table.Accounts.LastLoginAt, table.Accounts.LastLoginIP,
|
||||
).FROM(table.Accounts).
|
||||
WHERE(table.Accounts.AccountID.EQ(postgres.UUID(accountID))).
|
||||
QueryContext(ctx, s.db, &row)
|
||||
if err != nil {
|
||||
if errors.Is(err, qrm.ErrNoRows) {
|
||||
return DeletionInfo{}, ErrNotFound
|
||||
}
|
||||
return DeletionInfo{}, fmt.Errorf("account: deletion info %s: %w", accountID, err)
|
||||
}
|
||||
info := DeletionInfo{DeletedAt: row.DeletedAt, LastLoginAt: row.LastLoginAt}
|
||||
if row.DeletedDisplayName != nil {
|
||||
info.DeletedDisplayName = *row.DeletedDisplayName
|
||||
}
|
||||
if row.LastLoginIP != nil {
|
||||
info.LastLoginIP = *row.LastLoginIP
|
||||
}
|
||||
return info, nil
|
||||
}
|
||||
|
||||
// RetentionReaper periodically purges expired account-deletion retention data via
|
||||
// Store.ReapExpiredRetention, mirroring GuestReaper: one background goroutine started once
|
||||
// from main.
|
||||
type RetentionReaper struct {
|
||||
store *Store
|
||||
ttl time.Duration
|
||||
clock func() time.Time
|
||||
log *zap.Logger
|
||||
}
|
||||
|
||||
// NewRetentionReaper constructs a reaper purging retention data older than ttl. log may be
|
||||
// nil.
|
||||
func NewRetentionReaper(store *Store, ttl time.Duration, log *zap.Logger) *RetentionReaper {
|
||||
if log == nil {
|
||||
log = zap.NewNop()
|
||||
}
|
||||
return &RetentionReaper{
|
||||
store: store,
|
||||
ttl: ttl,
|
||||
clock: func() time.Time { return time.Now().UTC() },
|
||||
log: log,
|
||||
}
|
||||
}
|
||||
|
||||
// Run purges expired retention data on each tick until ctx is cancelled.
|
||||
func (r *RetentionReaper) Run(ctx context.Context, interval time.Duration) {
|
||||
ticker := time.NewTicker(interval)
|
||||
defer ticker.Stop()
|
||||
for {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return
|
||||
case <-ticker.C:
|
||||
idn, fb, err := r.store.ReapExpiredRetention(ctx, r.clock().Add(-r.ttl))
|
||||
if err != nil {
|
||||
r.log.Warn("retention reap failed", zap.Error(err))
|
||||
} else if idn > 0 || fb > 0 {
|
||||
r.log.Info("reaped expired retention", zap.Int64("identities", idn), zap.Int64("feedback", fb))
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -19,6 +19,9 @@ type UserListItem struct {
|
||||
PreferredLanguage string
|
||||
IsGuest bool
|
||||
IsRobot bool
|
||||
// IsDeleted marks a tombstoned account (deleted_at set), shown as a badge — a search
|
||||
// spans both lists, so a result can be either live or deleted.
|
||||
IsDeleted bool
|
||||
// FlaggedHighRateAt is the soft high-rate marker (zero when unflagged), shown
|
||||
// as a badge in the console list.
|
||||
FlaggedHighRateAt time.Time
|
||||
@@ -26,13 +29,17 @@ type UserListItem struct {
|
||||
}
|
||||
|
||||
// UserFilter narrows the admin user list: Robots selects robot accounts (otherwise the
|
||||
// non-robot "people"); NameMask and ExternalIDMask are glob masks ('*' = any run, '?' =
|
||||
// one char) matched case-insensitively against the display name / any identity's external
|
||||
// id. An empty mask means no filter on that field.
|
||||
// non-robot "people"); Deleted selects tombstoned accounts (every other scope hides them);
|
||||
// NameMask and ExternalIDMask are glob masks ('*' = any run, '?' = one char) matched
|
||||
// case-insensitively against the display name / any identity's external id; EmailExact is a
|
||||
// strict (exact) match against an account's email identity. An empty value means no filter
|
||||
// on that field.
|
||||
type UserFilter struct {
|
||||
Robots bool
|
||||
Deleted bool
|
||||
NameMask string
|
||||
ExternalIDMask string
|
||||
EmailExact string
|
||||
}
|
||||
|
||||
// robotExists is the correlated subquery testing whether account a is a robot.
|
||||
@@ -51,17 +58,42 @@ func (s *Store) IsRobot(ctx context.Context, accountID uuid.UUID) (bool, error)
|
||||
return ok, nil
|
||||
}
|
||||
|
||||
// userListWhere builds the shared WHERE clause and its positional args (from $1).
|
||||
// userListWhere builds the shared WHERE clause and its positional args (from $1). On the
|
||||
// Robots tab it lists/searches robots only. Otherwise a search (any of the name /
|
||||
// external-id / email filters) spans live and deleted people alike — never robots — so the
|
||||
// operator finds a match from one query regardless of the People / Deleted tab; the search
|
||||
// also looks in the retention journal, so a deleted account is still found by the email /
|
||||
// external id it held (those rows moved from identities to retained_identities on deletion)
|
||||
// and by its retained real name. With no search, the People / Deleted tab scope applies.
|
||||
func userListWhere(f UserFilter) (string, []any) {
|
||||
args := []any{f.Robots}
|
||||
where := robotExists + ` = $1`
|
||||
if name := LikePattern(f.NameMask); name != "" {
|
||||
args = append(args, name)
|
||||
where += fmt.Sprintf(` AND a.display_name ILIKE $%d ESCAPE '\'`, len(args))
|
||||
name := LikePattern(f.NameMask)
|
||||
ext := LikePattern(f.ExternalIDMask)
|
||||
email := strings.ToLower(strings.TrimSpace(f.EmailExact))
|
||||
searching := name != "" || ext != "" || email != ""
|
||||
|
||||
var args []any
|
||||
var where string
|
||||
switch {
|
||||
case f.Robots:
|
||||
where = robotExists + ` = true`
|
||||
case searching:
|
||||
where = robotExists + ` = false`
|
||||
case f.Deleted:
|
||||
where = robotExists + ` = false AND a.deleted_at IS NOT NULL`
|
||||
default:
|
||||
where = robotExists + ` = false AND a.deleted_at IS NULL`
|
||||
}
|
||||
if ext := LikePattern(f.ExternalIDMask); ext != "" {
|
||||
if name != "" {
|
||||
args = append(args, name)
|
||||
where += fmt.Sprintf(` AND (a.display_name ILIKE $%d ESCAPE '\' OR a.deleted_display_name ILIKE $%d ESCAPE '\')`, len(args), len(args))
|
||||
}
|
||||
if ext != "" {
|
||||
args = append(args, ext)
|
||||
where += fmt.Sprintf(` AND EXISTS (SELECT 1 FROM backend.identities i WHERE i.account_id = a.account_id AND i.external_id ILIKE $%d ESCAPE '\')`, len(args))
|
||||
where += fmt.Sprintf(` AND (EXISTS (SELECT 1 FROM backend.identities i WHERE i.account_id = a.account_id AND i.external_id ILIKE $%d ESCAPE '\') OR EXISTS (SELECT 1 FROM backend.retained_identities r WHERE r.account_id = a.account_id AND r.external_id ILIKE $%d ESCAPE '\'))`, len(args), len(args))
|
||||
}
|
||||
if email != "" {
|
||||
args = append(args, email)
|
||||
where += fmt.Sprintf(` AND (EXISTS (SELECT 1 FROM backend.identities i WHERE i.account_id = a.account_id AND i.kind = 'email' AND i.external_id = $%d) OR EXISTS (SELECT 1 FROM backend.retained_identities r WHERE r.account_id = a.account_id AND r.kind = 'email' AND r.external_id = $%d))`, len(args), len(args))
|
||||
}
|
||||
return where, args
|
||||
}
|
||||
@@ -69,7 +101,7 @@ func userListWhere(f UserFilter) (string, []any) {
|
||||
// ListUsers returns the filtered admin user list, newest first, paginated.
|
||||
func (s *Store) ListUsers(ctx context.Context, f UserFilter, limit, offset int) ([]UserListItem, error) {
|
||||
where, args := userListWhere(f)
|
||||
q := `SELECT a.account_id, a.display_name, a.preferred_language, a.is_guest, a.flagged_high_rate_at, a.created_at, ` + robotExists + ` AS is_robot
|
||||
q := `SELECT a.account_id, a.display_name, a.preferred_language, a.is_guest, a.flagged_high_rate_at, a.created_at, ` + robotExists + ` AS is_robot, (a.deleted_at IS NOT NULL) AS is_deleted
|
||||
FROM backend.accounts a WHERE ` + where +
|
||||
fmt.Sprintf(` ORDER BY a.created_at DESC LIMIT $%d OFFSET $%d`, len(args)+1, len(args)+2)
|
||||
args = append(args, limit, offset)
|
||||
@@ -82,7 +114,7 @@ FROM backend.accounts a WHERE ` + where +
|
||||
for rows.Next() {
|
||||
var it UserListItem
|
||||
var flagged sql.NullTime
|
||||
if err := rows.Scan(&it.ID, &it.DisplayName, &it.PreferredLanguage, &it.IsGuest, &flagged, &it.CreatedAt, &it.IsRobot); err != nil {
|
||||
if err := rows.Scan(&it.ID, &it.DisplayName, &it.PreferredLanguage, &it.IsGuest, &flagged, &it.CreatedAt, &it.IsRobot, &it.IsDeleted); err != nil {
|
||||
return nil, fmt.Errorf("account: scan user: %w", err)
|
||||
}
|
||||
if flagged.Valid {
|
||||
|
||||
@@ -0,0 +1,223 @@
|
||||
// Package accountdelete deactivates an account as legal retention, not erasure: it keeps
|
||||
// the account row as a tombstone (its chat/complaint foreign keys have no cascade, so a
|
||||
// hard delete is impossible) while journalling and freeing the account's credentials,
|
||||
// anonymising the live surfaces, and dropping the account's own social/ephemeral rows.
|
||||
// The retained_identities journal plus the tombstone (deleted_at, deleted_display_name,
|
||||
// last_login_at/ip) form the admin/legal dossier; messages are deliberately kept. Session
|
||||
// revocation and active-game forfeit are orchestrated one layer up (they need the session
|
||||
// cache and the game service). See docs/ARCHITECTURE.md §9.1 and the retention TTL reaper.
|
||||
package accountdelete
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/go-jet/jet/v2/postgres"
|
||||
"github.com/go-jet/jet/v2/qrm"
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/postgres/jet/backend/model"
|
||||
"scrabble/backend/internal/postgres/jet/backend/table"
|
||||
)
|
||||
|
||||
// AnonymizedName is the label a deleted account shows to opponents. Display names are
|
||||
// stored strings resolved identically for every viewer (no per-viewer localisation in this
|
||||
// codebase), so a single canonical label is used. The brackets are deliberate: the
|
||||
// editable-name rule (account.displayNameRe) forbids them, so a live player can never set a
|
||||
// name that impersonates a deleted account.
|
||||
const AnonymizedName = "[Deleted]"
|
||||
|
||||
// retainDelete is the retained_identities reason written when a credential is journalled
|
||||
// because its account is being deleted.
|
||||
const retainDelete = "delete"
|
||||
|
||||
// Deleter performs the SQL-atomic part of account deletion over a Postgres handle.
|
||||
type Deleter struct {
|
||||
db *sql.DB
|
||||
now func() time.Time
|
||||
}
|
||||
|
||||
// NewDeleter constructs a Deleter over db.
|
||||
func NewDeleter(db *sql.DB) *Deleter {
|
||||
return &Deleter{db: db, now: func() time.Time { return time.Now().UTC() }}
|
||||
}
|
||||
|
||||
// AnonymizeAndTombstone retires accountID atomically: it journals every live identity into
|
||||
// retained_identities (reason=delete) then removes them so the credentials free for reuse,
|
||||
// snapshots the real display name into deleted_display_name and scrubs the live one to
|
||||
// AnonymizedName, sets deleted_at, anonymises the account's game-seat snapshots, and drops
|
||||
// its friendships, blocks, invitations, friend codes, drafts and pending codes. Chat,
|
||||
// feedback and complaints are kept (the surviving tombstone keeps their no-cascade foreign
|
||||
// keys valid). It is idempotent-safe on an already-tombstoned account (re-journalling
|
||||
// nothing, since the identities are already gone).
|
||||
func (d *Deleter) AnonymizeAndTombstone(ctx context.Context, accountID uuid.UUID) error {
|
||||
now := d.now()
|
||||
return withTx(ctx, d.db, func(tx *sql.Tx) error {
|
||||
if err := journalAndDropIdentities(ctx, tx, accountID, now); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := tombstone(ctx, tx, accountID, now); err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := table.GamePlayers.UPDATE(table.GamePlayers.DisplayName).
|
||||
SET(postgres.String(AnonymizedName)).
|
||||
WHERE(table.GamePlayers.AccountID.EQ(postgres.UUID(accountID))).
|
||||
ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: anonymise seats: %w", err)
|
||||
}
|
||||
return dropSocialAndEphemerals(ctx, tx, accountID)
|
||||
})
|
||||
}
|
||||
|
||||
// dropAllRobotGamesSQL deletes every game in which the account plays and no other seat is a
|
||||
// human — a robot seat is one whose account holds a 'robot' identity, so this covers both
|
||||
// honest vs-AI games and disguised auto-match substitutes. The game rows are deleted; their
|
||||
// moves/chat/players/complaints fall away through ON DELETE CASCADE.
|
||||
const dropAllRobotGamesSQL = `
|
||||
DELETE FROM games g
|
||||
WHERE EXISTS (
|
||||
SELECT 1 FROM game_players p WHERE p.game_id = g.game_id AND p.account_id = $1
|
||||
) AND NOT EXISTS (
|
||||
SELECT 1 FROM game_players o
|
||||
WHERE o.game_id = g.game_id AND o.account_id <> $1
|
||||
AND NOT EXISTS (
|
||||
SELECT 1 FROM identities i WHERE i.account_id = o.account_id AND i.kind = 'robot'
|
||||
)
|
||||
)`
|
||||
|
||||
// DropAllRobotGames deletes the account's games that have no human opponent (solo vs-AI or
|
||||
// auto-match-robot games), returning how many were removed. Games with any human seat are
|
||||
// kept — their seat is anonymised by AnonymizeAndTombstone instead. Run it after the
|
||||
// account's active games are resigned, so no live game is removed under the robot driver.
|
||||
func (d *Deleter) DropAllRobotGames(ctx context.Context, accountID uuid.UUID) (int64, error) {
|
||||
res, err := d.db.ExecContext(ctx, dropAllRobotGamesSQL, accountID)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("accountdelete: drop all-robot games: %w", err)
|
||||
}
|
||||
n, err := res.RowsAffected()
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("accountdelete: dropped games count: %w", err)
|
||||
}
|
||||
return n, nil
|
||||
}
|
||||
|
||||
// journalAndDropIdentities copies the account's live identities into the retention journal
|
||||
// (reason=delete) and then removes them, freeing each (kind, external_id) for reuse.
|
||||
func journalAndDropIdentities(ctx context.Context, tx *sql.Tx, accountID uuid.UUID, now time.Time) error {
|
||||
var ids []model.Identities
|
||||
err := postgres.SELECT(table.Identities.AllColumns).
|
||||
FROM(table.Identities).
|
||||
WHERE(table.Identities.AccountID.EQ(postgres.UUID(accountID))).
|
||||
QueryContext(ctx, tx, &ids)
|
||||
if err != nil && !errors.Is(err, qrm.ErrNoRows) {
|
||||
return fmt.Errorf("accountdelete: load identities: %w", err)
|
||||
}
|
||||
for _, id := range ids {
|
||||
rid, err := uuid.NewV7()
|
||||
if err != nil {
|
||||
return fmt.Errorf("accountdelete: new retained id: %w", err)
|
||||
}
|
||||
ins := table.RetainedIdentities.INSERT(
|
||||
table.RetainedIdentities.RetainedID, table.RetainedIdentities.AccountID,
|
||||
table.RetainedIdentities.Kind, table.RetainedIdentities.ExternalID,
|
||||
table.RetainedIdentities.Confirmed, table.RetainedIdentities.LinkedAt,
|
||||
table.RetainedIdentities.DetachedAt, table.RetainedIdentities.Reason,
|
||||
).VALUES(rid, accountID, id.Kind, id.ExternalID, id.Confirmed, id.CreatedAt, now, retainDelete)
|
||||
if _, err := ins.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: retain identity %s: %w", id.Kind, err)
|
||||
}
|
||||
}
|
||||
if _, err := table.Identities.DELETE().
|
||||
WHERE(table.Identities.AccountID.EQ(postgres.UUID(accountID))).
|
||||
ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: delete identities: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// tombstone marks the account deleted, snapshotting the real display name into
|
||||
// deleted_display_name (evaluated from the old row) before scrubbing the live one.
|
||||
func tombstone(ctx context.Context, tx *sql.Tx, accountID uuid.UUID, now time.Time) error {
|
||||
upd := table.Accounts.UPDATE(
|
||||
table.Accounts.DeletedAt, table.Accounts.DeletedDisplayName,
|
||||
table.Accounts.DisplayName, table.Accounts.UpdatedAt,
|
||||
).SET(
|
||||
postgres.TimestampzT(now), table.Accounts.DisplayName,
|
||||
postgres.String(AnonymizedName), postgres.TimestampzT(now),
|
||||
).WHERE(table.Accounts.AccountID.EQ(postgres.UUID(accountID)))
|
||||
if _, err := upd.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: tombstone account: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// dropSocialAndEphemerals removes the account's own friendships, blocks, invitations
|
||||
// (as inviter and as invitee), friend codes, drafts and pending confirm-codes. These are
|
||||
// the deleting user's private data with no dossier value; chat and feedback are kept.
|
||||
func dropSocialAndEphemerals(ctx context.Context, tx *sql.Tx, accountID uuid.UUID) error {
|
||||
id := postgres.UUID(accountID)
|
||||
// Friendships and blocks are two-account edges keyed on either endpoint.
|
||||
if _, err := table.Friendships.DELETE().
|
||||
WHERE(table.Friendships.RequesterID.EQ(id).OR(table.Friendships.AddresseeID.EQ(id))).
|
||||
ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: delete friendships: %w", err)
|
||||
}
|
||||
if _, err := table.Blocks.DELETE().
|
||||
WHERE(table.Blocks.BlockerID.EQ(id).OR(table.Blocks.BlockedID.EQ(id))).
|
||||
ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: delete blocks: %w", err)
|
||||
}
|
||||
// Invitations: drop the account's invitee rows, then its own invitations' invitees and
|
||||
// the invitations themselves (children first, to respect the foreign key).
|
||||
if _, err := table.GameInvitationInvitees.DELETE().
|
||||
WHERE(table.GameInvitationInvitees.AccountID.EQ(id)).
|
||||
ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: delete invitee rows: %w", err)
|
||||
}
|
||||
ownInvitations := postgres.SELECT(table.GameInvitations.InvitationID).
|
||||
FROM(table.GameInvitations).
|
||||
WHERE(table.GameInvitations.InviterID.EQ(id))
|
||||
if _, err := table.GameInvitationInvitees.DELETE().
|
||||
WHERE(table.GameInvitationInvitees.InvitationID.IN(ownInvitations)).
|
||||
ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: delete own invitation invitees: %w", err)
|
||||
}
|
||||
if _, err := table.GameInvitations.DELETE().
|
||||
WHERE(table.GameInvitations.InviterID.EQ(id)).
|
||||
ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: delete invitations: %w", err)
|
||||
}
|
||||
// Ephemerals: friend codes, move drafts, pending confirm-codes.
|
||||
if _, err := table.FriendCodes.DELETE().
|
||||
WHERE(table.FriendCodes.AccountID.EQ(id)).ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: delete friend codes: %w", err)
|
||||
}
|
||||
if _, err := table.GameDrafts.DELETE().
|
||||
WHERE(table.GameDrafts.AccountID.EQ(id)).ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: delete drafts: %w", err)
|
||||
}
|
||||
if _, err := table.EmailConfirmations.DELETE().
|
||||
WHERE(table.EmailConfirmations.AccountID.EQ(id)).ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountdelete: delete confirmations: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// withTx runs fn inside a transaction, committing on success and rolling back on error.
|
||||
func withTx(ctx context.Context, db *sql.DB, fn func(tx *sql.Tx) error) error {
|
||||
tx, err := db.BeginTx(ctx, nil)
|
||||
if err != nil {
|
||||
return fmt.Errorf("accountdelete: begin tx: %w", err)
|
||||
}
|
||||
if err := fn(tx); err != nil {
|
||||
_ = tx.Rollback()
|
||||
return err
|
||||
}
|
||||
if err := tx.Commit(); err != nil {
|
||||
return fmt.Errorf("accountdelete: commit tx: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -27,6 +27,11 @@ import (
|
||||
// without taking a dependency on the game package.
|
||||
const statusActive = "active"
|
||||
|
||||
// retainReasonMerge is the retained_identities.reason for a credential dropped by a merge
|
||||
// collision (both accounts held the same kind). It mirrors the account package's retain
|
||||
// reasons, kept local to avoid importing that package's unexported constants.
|
||||
const retainReasonMerge = "merge"
|
||||
|
||||
// Friendship statuses, highest precedence first, mirroring internal/social.
|
||||
const (
|
||||
friendAccepted = "accepted"
|
||||
@@ -46,8 +51,24 @@ var ErrSameAccount = errors.New("accountmerge: primary and secondary are the sam
|
||||
type Merger struct {
|
||||
db *sql.DB
|
||||
now func() time.Time
|
||||
// payments, when set, merges the two accounts' chip segments and benefits by origin inside
|
||||
// the merge transaction (SetPayments). Nil leaves payments untouched (tests that do not
|
||||
// exercise the wallet).
|
||||
payments PaymentsMerger
|
||||
}
|
||||
|
||||
// PaymentsMerger is the payments surface the account merge enlists: fold the secondary's
|
||||
// segments and benefits into the primary within the merge transaction, then invalidate the
|
||||
// affected read caches after the commit. *payments.Service satisfies it.
|
||||
type PaymentsMerger interface {
|
||||
MergeTx(ctx context.Context, tx *sql.Tx, primary, secondary uuid.UUID) error
|
||||
Invalidate(ids ...uuid.UUID)
|
||||
}
|
||||
|
||||
// SetPayments installs the payments merge hook. It must be called during startup wiring; the
|
||||
// default (nil) merges no wallet state.
|
||||
func (m *Merger) SetPayments(p PaymentsMerger) { m.payments = p }
|
||||
|
||||
// NewMerger constructs a Merger over db.
|
||||
func NewMerger(db *sql.DB) *Merger {
|
||||
return &Merger{db: db, now: func() time.Time { return time.Now().UTC() }}
|
||||
@@ -62,7 +83,7 @@ func (m *Merger) Merge(ctx context.Context, primary, secondary uuid.UUID) error
|
||||
return ErrSameAccount
|
||||
}
|
||||
now := m.now()
|
||||
return withTx(ctx, m.db, func(tx *sql.Tx) error {
|
||||
if err := withTx(ctx, m.db, func(tx *sql.Tx) error {
|
||||
if err := guardActiveSharedGame(ctx, tx, primary, secondary); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -75,6 +96,9 @@ func (m *Merger) Merge(ctx context.Context, primary, secondary uuid.UUID) error
|
||||
if err := mergeAccountFields(ctx, tx, primary, secondary, now); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := dedupeIdentities(ctx, tx, primary, secondary); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := reassignColumn(ctx, tx, table.Identities, table.Identities.AccountID, primary, secondary); err != nil {
|
||||
return fmt.Errorf("accountmerge: identities: %w", err)
|
||||
}
|
||||
@@ -99,8 +123,21 @@ func (m *Merger) Merge(ctx context.Context, primary, secondary uuid.UUID) error
|
||||
if err := deleteEphemerals(ctx, tx, secondary); err != nil {
|
||||
return err
|
||||
}
|
||||
if m.payments != nil {
|
||||
if err := m.payments.MergeTx(ctx, tx, primary, secondary); err != nil {
|
||||
return fmt.Errorf("accountmerge: payments: %w", err)
|
||||
}
|
||||
}
|
||||
return tombstone(ctx, tx, primary, secondary, now)
|
||||
})
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
// The payments read cache is invalidated only after the merge commits, so a read racing the
|
||||
// transaction cannot re-cache pre-merge state (both accounts' rows are moved or dropped).
|
||||
if m.payments != nil {
|
||||
m.payments.Invalidate(primary, secondary)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// guardActiveSharedGame returns ErrActiveGameConflict when primary and secondary
|
||||
@@ -240,25 +277,16 @@ func mergeBestMoves(ctx context.Context, tx *sql.Tx, primary, secondary uuid.UUI
|
||||
return nil
|
||||
}
|
||||
|
||||
// mergeAccountFields adds secondary's hint wallet to primary and ORs the paid flag;
|
||||
// all other profile fields stay the primary's.
|
||||
func mergeAccountFields(ctx context.Context, tx *sql.Tx, primary, secondary uuid.UUID, now time.Time) error {
|
||||
var sec model.Accounts
|
||||
if err := postgres.SELECT(table.Accounts.AllColumns).
|
||||
FROM(table.Accounts).
|
||||
WHERE(table.Accounts.AccountID.EQ(postgres.UUID(secondary))).
|
||||
QueryContext(ctx, tx, &sec); err != nil {
|
||||
return fmt.Errorf("accountmerge: load secondary account: %w", err)
|
||||
}
|
||||
upd := table.Accounts.UPDATE(
|
||||
table.Accounts.HintBalance, table.Accounts.PaidAccount, table.Accounts.UpdatedAt,
|
||||
).SET(
|
||||
table.Accounts.HintBalance.ADD(postgres.Int(int64(sec.HintBalance))),
|
||||
table.Accounts.PaidAccount.OR(postgres.Bool(sec.PaidAccount)),
|
||||
postgres.TimestampzT(now),
|
||||
).WHERE(table.Accounts.AccountID.EQ(postgres.UUID(primary)))
|
||||
// mergeAccountFields bumps the primary account's updated_at to reflect the merge. The former
|
||||
// hint-wallet and paid-flag merge moved to the payments domain, where segments and benefits
|
||||
// merge by origin (see the payments MergeTx step and docs/PAYMENTS.md §6); the legacy
|
||||
// accounts.hint_balance / paid_account columns are deprecated and no longer read or written.
|
||||
func mergeAccountFields(ctx context.Context, tx *sql.Tx, primary, _ uuid.UUID, now time.Time) error {
|
||||
upd := table.Accounts.UPDATE(table.Accounts.UpdatedAt).
|
||||
SET(postgres.TimestampzT(now)).
|
||||
WHERE(table.Accounts.AccountID.EQ(postgres.UUID(primary)))
|
||||
if _, err := upd.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountmerge: update primary account: %w", err)
|
||||
return fmt.Errorf("accountmerge: touch primary account: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -300,6 +328,77 @@ func reassignColumn(ctx context.Context, tx *sql.Tx, tbl postgres.Table, col pos
|
||||
return err
|
||||
}
|
||||
|
||||
// dedupeIdentities resolves a same-kind identity collision before the blanket identity
|
||||
// reassign: when both accounts already hold an identity of the same kind (e.g. each has a
|
||||
// confirmed email — reachable when two email-bearing accounts merge), the primary keeps
|
||||
// its own and the secondary's is journaled to retained_identities (reason=merge) and
|
||||
// removed. Without this the blanket reassign would leave the survivor with two identities
|
||||
// of one kind (there is no per-account-kind unique on identities), which the profile and
|
||||
// the retention dossier both treat as singular. Non-colliding identities are untouched and
|
||||
// move with the blanket reassign.
|
||||
func dedupeIdentities(ctx context.Context, tx *sql.Tx, primary, secondary uuid.UUID) error {
|
||||
var prows []model.Identities
|
||||
if err := postgres.SELECT(table.Identities.Kind).
|
||||
FROM(table.Identities).
|
||||
WHERE(table.Identities.AccountID.EQ(postgres.UUID(primary))).
|
||||
QueryContext(ctx, tx, &prows); err != nil && !errors.Is(err, qrm.ErrNoRows) {
|
||||
return fmt.Errorf("accountmerge: primary identity kinds: %w", err)
|
||||
}
|
||||
occupied := make(map[string]struct{}, len(prows))
|
||||
for _, r := range prows {
|
||||
occupied[r.Kind] = struct{}{}
|
||||
}
|
||||
if len(occupied) == 0 {
|
||||
return nil
|
||||
}
|
||||
var srows []model.Identities
|
||||
if err := postgres.SELECT(
|
||||
table.Identities.Kind, table.Identities.ExternalID,
|
||||
table.Identities.Confirmed, table.Identities.CreatedAt,
|
||||
).FROM(table.Identities).
|
||||
WHERE(table.Identities.AccountID.EQ(postgres.UUID(secondary))).
|
||||
QueryContext(ctx, tx, &srows); err != nil && !errors.Is(err, qrm.ErrNoRows) {
|
||||
return fmt.Errorf("accountmerge: secondary identities: %w", err)
|
||||
}
|
||||
for _, s := range srows {
|
||||
if _, dup := occupied[s.Kind]; !dup {
|
||||
continue
|
||||
}
|
||||
if err := retainMergedIdentity(ctx, tx, secondary, s); err != nil {
|
||||
return err
|
||||
}
|
||||
del := table.Identities.DELETE().WHERE(
|
||||
table.Identities.AccountID.EQ(postgres.UUID(secondary)).
|
||||
AND(table.Identities.Kind.EQ(postgres.String(s.Kind))).
|
||||
AND(table.Identities.ExternalID.EQ(postgres.String(s.ExternalID))),
|
||||
)
|
||||
if _, err := del.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountmerge: drop colliding %s identity: %w", s.Kind, err)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// retainMergedIdentity appends a retained_identities row for a secondary identity dropped
|
||||
// by a merge collision (reason=merge), preserving it in the legal dossier. It mirrors
|
||||
// account.retainIdentityTx, which is unexported; detached_at falls to the column default.
|
||||
func retainMergedIdentity(ctx context.Context, tx *sql.Tx, accountID uuid.UUID, id model.Identities) error {
|
||||
rid, err := uuid.NewV7()
|
||||
if err != nil {
|
||||
return fmt.Errorf("accountmerge: new retained id: %w", err)
|
||||
}
|
||||
ins := table.RetainedIdentities.INSERT(
|
||||
table.RetainedIdentities.RetainedID, table.RetainedIdentities.AccountID,
|
||||
table.RetainedIdentities.Kind, table.RetainedIdentities.ExternalID,
|
||||
table.RetainedIdentities.Confirmed, table.RetainedIdentities.LinkedAt,
|
||||
table.RetainedIdentities.Reason,
|
||||
).VALUES(rid, accountID, id.Kind, id.ExternalID, id.Confirmed, id.CreatedAt, retainReasonMerge)
|
||||
if _, err := ins.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("accountmerge: retain merged %s identity: %w", id.Kind, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// friendRank ranks a friendship status for dedupe precedence (higher wins).
|
||||
func friendRank(status string) int {
|
||||
switch status {
|
||||
|
||||
@@ -0,0 +1,115 @@
|
||||
// Package adminalert emails the operator when new player feedback or word complaints
|
||||
// arrive, coalescing a burst into a single digest per interval so a flood is one email,
|
||||
// not N. It is inert unless an admin sender and recipient are configured. The sender is
|
||||
// distinct from the user-facing confirm-code From, and the recipient may be several
|
||||
// comma-separated addresses (the mailer splits them).
|
||||
package adminalert
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"go.uber.org/zap"
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
)
|
||||
|
||||
// FeedbackCounter counts feedback created since a time (satisfied by feedback.Service).
|
||||
type FeedbackCounter interface {
|
||||
CountSince(ctx context.Context, since time.Time) (int, error)
|
||||
}
|
||||
|
||||
// ComplaintCounter counts word complaints filed since a time (satisfied by game.Service).
|
||||
type ComplaintCounter interface {
|
||||
CountComplaintsSince(ctx context.Context, since time.Time) (int, error)
|
||||
}
|
||||
|
||||
// Notifier polls for new feedback and complaints and emails the operator a digest.
|
||||
type Notifier struct {
|
||||
mailer account.Mailer
|
||||
feedback FeedbackCounter
|
||||
complaints ComplaintCounter
|
||||
from string
|
||||
to string
|
||||
clock func() time.Time
|
||||
log *zap.Logger
|
||||
last time.Time
|
||||
}
|
||||
|
||||
// New constructs a Notifier. from and to are the alert sender and recipient(s); log may be
|
||||
// nil. The watermark starts at "now", so only items arriving after start-up are reported. The
|
||||
// digest deliberately carries no admin-console link — an admin URL must never travel in an
|
||||
// email, where a mail provider could cache or index it.
|
||||
func New(mailer account.Mailer, fb FeedbackCounter, cp ComplaintCounter, from, to string, log *zap.Logger) *Notifier {
|
||||
if log == nil {
|
||||
log = zap.NewNop()
|
||||
}
|
||||
return &Notifier{
|
||||
mailer: mailer, feedback: fb, complaints: cp, from: from, to: to,
|
||||
clock: func() time.Time { return time.Now().UTC() }, log: log, last: time.Now().UTC(),
|
||||
}
|
||||
}
|
||||
|
||||
// Run polls on each tick until ctx is cancelled.
|
||||
func (n *Notifier) Run(ctx context.Context, interval time.Duration) {
|
||||
ticker := time.NewTicker(interval)
|
||||
defer ticker.Stop()
|
||||
for {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return
|
||||
case <-ticker.C:
|
||||
n.tick(ctx)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// tick counts what arrived since the last watermark and, if anything did, emails one
|
||||
// digest. The watermark only advances after a successful send (or a quiet tick), so a
|
||||
// transient send failure is retried on the next tick — the counts simply grow.
|
||||
func (n *Notifier) tick(ctx context.Context) {
|
||||
now := n.clock()
|
||||
fb, err := n.feedback.CountSince(ctx, n.last)
|
||||
if err != nil {
|
||||
n.log.Warn("admin alert: count feedback failed", zap.Error(err))
|
||||
return
|
||||
}
|
||||
cp, err := n.complaints.CountComplaintsSince(ctx, n.last)
|
||||
if err != nil {
|
||||
n.log.Warn("admin alert: count complaints failed", zap.Error(err))
|
||||
return
|
||||
}
|
||||
if fb == 0 && cp == 0 {
|
||||
n.last = now
|
||||
return
|
||||
}
|
||||
if err := n.mailer.Send(ctx, n.digest(fb, cp)); err != nil {
|
||||
n.log.Warn("admin alert: send failed", zap.Error(err))
|
||||
return
|
||||
}
|
||||
n.log.Info("admin alert sent", zap.Int("feedback", fb), zap.Int("complaints", cp))
|
||||
n.last = now
|
||||
}
|
||||
|
||||
// digest builds the operator alert email for fb new feedback and cp new complaints.
|
||||
func (n *Notifier) digest(fb, cp int) account.Message {
|
||||
var parts []string
|
||||
if fb > 0 {
|
||||
parts = append(parts, fmt.Sprintf("%d new feedback message(s)", fb))
|
||||
}
|
||||
if cp > 0 {
|
||||
parts = append(parts, fmt.Sprintf("%d new word complaint(s)", cp))
|
||||
}
|
||||
summary := strings.Join(parts, ", ")
|
||||
// No admin-console link in the body: an admin URL must never travel in an email (a mail
|
||||
// provider could cache or index it). The operator opens the console directly.
|
||||
text := summary + "."
|
||||
return account.Message{
|
||||
From: n.from,
|
||||
To: n.to,
|
||||
Subject: "Erudit — " + summary,
|
||||
Text: text,
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,57 @@
|
||||
package adminalert
|
||||
|
||||
import (
|
||||
"context"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
)
|
||||
|
||||
// The fakes ignore the watermark and return a fixed count, which is all the digest logic
|
||||
// needs.
|
||||
type fbCounter struct{ n int }
|
||||
|
||||
func (f fbCounter) CountSince(context.Context, time.Time) (int, error) { return f.n, nil }
|
||||
|
||||
type cpCounter struct{ n int }
|
||||
|
||||
func (c cpCounter) CountComplaintsSince(context.Context, time.Time) (int, error) { return c.n, nil }
|
||||
|
||||
type recordingMailer struct{ sent []account.Message }
|
||||
|
||||
func (m *recordingMailer) Send(_ context.Context, msg account.Message) error {
|
||||
m.sent = append(m.sent, msg)
|
||||
return nil
|
||||
}
|
||||
|
||||
func TestNotifierSkipsWhenNothingNew(t *testing.T) {
|
||||
mailer := &recordingMailer{}
|
||||
n := New(mailer, fbCounter{0}, cpCounter{0}, "alerts@erudit-game.ru", "op@x.ru", nil)
|
||||
n.tick(context.Background())
|
||||
if len(mailer.sent) != 0 {
|
||||
t.Fatalf("sent %d emails, want 0 when nothing is new", len(mailer.sent))
|
||||
}
|
||||
}
|
||||
|
||||
func TestNotifierDigestsNewItems(t *testing.T) {
|
||||
mailer := &recordingMailer{}
|
||||
n := New(mailer, fbCounter{2}, cpCounter{1}, "alerts@erudit-game.ru", "op@x.ru, two@x.ru", nil)
|
||||
n.tick(context.Background())
|
||||
if len(mailer.sent) != 1 {
|
||||
t.Fatalf("sent %d emails, want 1 digest", len(mailer.sent))
|
||||
}
|
||||
msg := mailer.sent[0]
|
||||
if msg.From != "alerts@erudit-game.ru" || msg.To != "op@x.ru, two@x.ru" {
|
||||
t.Errorf("digest addressing = From %q To %q", msg.From, msg.To)
|
||||
}
|
||||
if !strings.Contains(msg.Subject, "2 new feedback") || !strings.Contains(msg.Subject, "1 new word complaint") {
|
||||
t.Errorf("digest subject = %q, want the feedback + complaint counts", msg.Subject)
|
||||
}
|
||||
// The digest must never carry an admin-console link — an admin URL in an email is a leak
|
||||
// (mail providers cache/index it).
|
||||
if strings.Contains(msg.Text, "/_gm") || strings.Contains(strings.ToLower(msg.Text), "admin console") {
|
||||
t.Errorf("digest body = %q, must not carry an admin-console link", msg.Text)
|
||||
}
|
||||
}
|
||||
@@ -193,3 +193,24 @@ code { background: var(--bg); padding: 0.05rem 0.3rem; border-radius: 4px; }
|
||||
.replay-log { margin: 0.4rem 0 0; padding-left: 1.4rem; max-height: 14rem; overflow: auto; font-size: 0.85rem; }
|
||||
.replay-log li { color: var(--ink-dim); padding: 0.1rem 0; }
|
||||
.replay-log li.cur { color: var(--ink); font-weight: 600; }
|
||||
|
||||
/* Banner colour override editor + live preview (banner_detail). The override
|
||||
fieldsets group the enable toggle with the native colour swatches; the preview
|
||||
renders a sample strip on both themes from those inputs (see the inline script). */
|
||||
.ovr { border: 1px solid var(--line); border-radius: 6px; padding: 0.3rem 0.8rem 0.7rem; margin: 0.2rem 0; }
|
||||
.ovr legend { padding: 0 0.3rem; font-size: 0.85rem; color: var(--ink); }
|
||||
.ovr legend label { flex-direction: row; align-items: center; gap: 0.4rem; color: var(--ink); }
|
||||
.ovr .note { margin: 0.2rem 0 0.4rem; }
|
||||
.ovr .swatches { display: flex; flex-wrap: wrap; gap: 1rem; }
|
||||
.ovr .swatches label { flex-direction: column; gap: 0.25rem; align-items: flex-start; }
|
||||
.ovr input[type=color] { width: 3rem; height: 1.8rem; padding: 0; border: 1px solid var(--line); border-radius: 4px; background: var(--bg); cursor: pointer; }
|
||||
.ovr input[type=color]:disabled { opacity: 0.4; cursor: default; }
|
||||
.ovr .hex { font-size: 0.72rem; color: var(--ink-dim); font-variant-numeric: tabular-nums; }
|
||||
.banner-preview { display: flex; flex-wrap: wrap; gap: 0.8rem; margin: 0.7rem 0 0.2rem; }
|
||||
.banner-preview .bp { flex: 1 1 18rem; }
|
||||
.banner-preview .bp-label { display: block; font-size: 0.75rem; color: var(--ink-dim); margin-bottom: 0.25rem; }
|
||||
.ad-frame { padding: 0.7rem; border-radius: 6px; border: 1px solid var(--line); }
|
||||
.ad-frame.light { background: #f4f6f9; }
|
||||
.ad-frame.dark { background: #0f1420; }
|
||||
.ad-sample { padding: 0.35rem 0.7rem; font-size: 0.85rem; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
|
||||
.ad-sample .ad-link { text-decoration: underline; }
|
||||
|
||||
@@ -24,6 +24,7 @@ func TestRendererRendersEveryPage(t *testing.T) {
|
||||
{"dashboard", DashboardView{Accounts: 3, Variants: []VariantVersions{{Variant: "scrabble_en", Latest: "v1", Versions: []string{"v1"}}}}, "Dashboard"},
|
||||
{"users", UsersView{Items: []UserRow{{ID: "a1", DisplayName: "Kaya", FlaggedHighRate: true}}, Pager: NewPager(1, 50, 1)}, "high-rate"},
|
||||
{"user_detail", UserDetailView{ID: "a1", DisplayName: "Kaya", HasStats: true, Stats: StatsRow{Wins: 2}, TelegramID: "123", ConnectorEnabled: true}, "Send Telegram message"},
|
||||
{"user_detail", UserDetailView{ID: "a1", DisplayName: "Kaya", VKID: "494075"}, "vk.com/id494075"},
|
||||
{"user_detail", UserDetailView{ID: "a1", DisplayName: "Kaya", FlaggedHighRateAt: "2026-06-10 12:00"}, "Clear high-rate flag"},
|
||||
{"user_detail", UserDetailView{ID: "a1", DisplayName: "Kaya", Roles: []string{"feedback_banned"}, KnownRoles: []string{"feedback_banned"}}, "feedback_banned"},
|
||||
{"user_detail", UserDetailView{ID: "a1", DisplayName: "Kaya",
|
||||
|
||||
@@ -15,12 +15,14 @@
|
||||
<a href="/_gm/"{{if eq .ActiveNav "dashboard"}} class="active"{{end}}>Dashboard</a>
|
||||
<a href="/_gm/users"{{if eq .ActiveNav "users"}} class="active"{{end}}>Users</a>
|
||||
<a href="/_gm/games"{{if eq .ActiveNav "games"}} class="active"{{end}}>Games</a>
|
||||
<a href="/_gm/limits"{{if eq .ActiveNav "limits"}} class="active"{{end}}>Limits</a>
|
||||
<a href="/_gm/complaints"{{if eq .ActiveNav "complaints"}} class="active"{{end}}>Complaints</a>
|
||||
<a href="/_gm/feedback"{{if eq .ActiveNav "feedback"}} class="active"{{end}}>Feedback</a>
|
||||
<a href="/_gm/messages"{{if eq .ActiveNav "messages"}} class="active"{{end}}>Messages</a>
|
||||
<a href="/_gm/throttled"{{if eq .ActiveNav "throttled"}} class="active"{{end}}>Throttled</a>
|
||||
<a href="/_gm/reasons"{{if eq .ActiveNav "reasons"}} class="active"{{end}}>Reasons</a>
|
||||
<a href="/_gm/banners"{{if eq .ActiveNav "banners"}} class="active"{{end}}>Banners</a>
|
||||
<a href="/_gm/catalog"{{if eq .ActiveNav "catalog"}} class="active"{{end}}>Catalog</a>
|
||||
<a href="/_gm/dictionary"{{if eq .ActiveNav "dictionary"}} class="active"{{end}}>Dictionary</a>
|
||||
<a href="/_gm/broadcast"{{if eq .ActiveNav "broadcast"}} class="active"{{end}}>Broadcast</a>
|
||||
<a href="/_gm/grafana/">Grafana ↗</a>
|
||||
|
||||
@@ -11,10 +11,72 @@
|
||||
<label>Starts (UTC) <input type="datetime-local" name="starts_at" value="{{.StartsAt}}"></label>
|
||||
<label>Ends (UTC) <input type="datetime-local" name="ends_at" value="{{.EndsAt}}"></label>
|
||||
<label><input type="checkbox" name="enabled"{{if .Enabled}} checked{{end}}> Enabled</label>
|
||||
<fieldset class="ovr">
|
||||
<legend><label><input type="checkbox" name="urgent"{{if .Urgent}} checked{{end}}> Urgent</label></legend>
|
||||
<p class="note">Shows to <em>everyone</em>, always — bypassing paid accounts, hint wallets and the no-banner role. While any urgent campaign is live it is the only thing the strip shows (other campaigns and the default are suppressed). For system alerts.</p>
|
||||
</fieldset>
|
||||
<fieldset class="ovr" data-ovr-group>
|
||||
<legend><label><input type="checkbox" name="override_all_on" data-ovr="all"{{if .OverrideAllOn}} checked{{end}}> Colour override — all themes</label></legend>
|
||||
<div class="swatches">
|
||||
<label>Background <input type="color" name="override_bg" value="{{.AllBg}}" data-ovr-color{{if not .OverrideAllOn}} disabled{{end}}><span class="hex"></span></label>
|
||||
<label>Text <input type="color" name="override_fg" value="{{.AllFg}}" data-ovr-color{{if not .OverrideAllOn}} disabled{{end}}><span class="hex"></span></label>
|
||||
<label>Link <input type="color" name="override_link" value="{{.AllLink}}" data-ovr-color{{if not .OverrideAllOn}} disabled{{end}}><span class="hex"></span></label>
|
||||
</div>
|
||||
</fieldset>
|
||||
<fieldset class="ovr" data-ovr-group>
|
||||
<legend><label><input type="checkbox" name="override_dark_on" data-ovr="dark"{{if .OverrideDarkOn}} checked{{end}}> Colour override — dark theme only</label></legend>
|
||||
<div class="swatches">
|
||||
<label>Background <input type="color" name="override_bg_dark" value="{{.DarkBg}}" data-ovr-color{{if not .OverrideDarkOn}} disabled{{end}}><span class="hex"></span></label>
|
||||
<label>Text <input type="color" name="override_fg_dark" value="{{.DarkFg}}" data-ovr-color{{if not .OverrideDarkOn}} disabled{{end}}><span class="hex"></span></label>
|
||||
<label>Link <input type="color" name="override_link_dark" value="{{.DarkLink}}" data-ovr-color{{if not .OverrideDarkOn}} disabled{{end}}><span class="hex"></span></label>
|
||||
</div>
|
||||
</fieldset>
|
||||
{{end}}
|
||||
<div><button type="submit">Save</button></div>
|
||||
</form>
|
||||
{{if not .IsDefault}}
|
||||
<div class="banner-preview">
|
||||
<div class="bp"><span class="bp-label">Light theme</span><div class="ad-frame light"><div class="ad-sample" id="prev-light"><span>Sample banner text — <span class="ad-link">a link</span></span></div></div></div>
|
||||
<div class="bp"><span class="bp-label">Dark theme</span><div class="ad-frame dark"><div class="ad-sample" id="prev-dark"><span>Sample banner text — <span class="ad-link">a link</span></span></div></div></div>
|
||||
</div>
|
||||
<p class="note">Live preview of the strip on both themes. An empty override falls back to the neutral theme colours; the top/bottom border is derived from the background.</p>
|
||||
<script>
|
||||
(function(){
|
||||
// Neutral fallbacks — mirror ui/src/app.css (--ad-bg / --text-muted / --accent).
|
||||
var TOK={light:{bg:'#e3e7ee',fg:'#6b7280',link:'#2f6df6'},dark:{bg:'#272f3c',fg:'#9aa3b2',link:'#5b8cff'}};
|
||||
function byName(n){return document.querySelector('[name="'+n+'"]');}
|
||||
var allOn=byName('override_all_on'), darkOn=byName('override_dark_on');
|
||||
if(!allOn||!darkOn){return;}
|
||||
var f={ab:byName('override_bg'),af:byName('override_fg'),al:byName('override_link'),db:byName('override_bg_dark'),df:byName('override_fg_dark'),dl:byName('override_link_dark')};
|
||||
var lightEl=document.getElementById('prev-light'), darkEl=document.getElementById('prev-dark');
|
||||
function hexToRgb(h){h=h.replace('#','');return [parseInt(h.slice(0,2),16),parseInt(h.slice(2,4),16),parseInt(h.slice(4,6),16)];}
|
||||
function pad(x){x=Math.max(0,Math.min(255,Math.round(x))).toString(16);return x.length<2?'0'+x:x;}
|
||||
function rgbToHex(r){return '#'+pad(r[0])+pad(r[1])+pad(r[2]);}
|
||||
function mix(a,b,t){return [a[0]+(b[0]-a[0])*t,a[1]+(b[1]-a[1])*t,a[2]+(b[2]-a[2])*t];}
|
||||
function lum(r){return (0.2126*r[0]+0.7152*r[1]+0.0722*r[2])/255;}
|
||||
// Derived border: nudge the background 14% toward black on a light bg, toward white on a dark bg.
|
||||
function border(bg){var r=hexToRgb(bg);return rgbToHex(mix(r, lum(r)>0.5?[0,0,0]:[255,255,255], 0.14));}
|
||||
function paint(el,c){
|
||||
el.style.background=c.bg; el.style.color=c.fg;
|
||||
el.style.borderTop='1px solid '+border(c.bg); el.style.borderBottom='1px solid '+border(c.bg);
|
||||
var a=el.querySelector('.ad-link'); if(a){a.style.color=c.link;}
|
||||
}
|
||||
function resolve(){
|
||||
var light=allOn.checked?{bg:f.ab.value,fg:f.af.value,link:f.al.value}:TOK.light;
|
||||
var dark=darkOn.checked?{bg:f.db.value,fg:f.df.value,link:f.dl.value}
|
||||
:(allOn.checked?{bg:f.ab.value,fg:f.af.value,link:f.al.value}:TOK.dark);
|
||||
paint(lightEl,light); paint(darkEl,dark);
|
||||
document.querySelectorAll('.ovr .swatches label').forEach(function(lab){
|
||||
var inp=lab.querySelector('input[type=color]'), hx=lab.querySelector('.hex');
|
||||
if(inp&&hx){hx.textContent=inp.value;}
|
||||
});
|
||||
}
|
||||
function toggleGroup(chk){chk.closest('fieldset').querySelectorAll('[data-ovr-color]').forEach(function(inp){inp.disabled=!chk.checked;});}
|
||||
[allOn,darkOn].forEach(function(chk){chk.addEventListener('change',function(){toggleGroup(chk);resolve();});});
|
||||
Object.keys(f).forEach(function(k){f[k].addEventListener('input',resolve);});
|
||||
resolve();
|
||||
})();
|
||||
</script>
|
||||
<form class="form" method="post" action="/_gm/banners/{{.ID}}/delete" onsubmit="return confirm('Delete this campaign and its messages?')">
|
||||
<button type="submit" class="danger">Delete campaign</button>
|
||||
</form>
|
||||
|
||||
@@ -0,0 +1,44 @@
|
||||
{{define "content" -}}
|
||||
<h1>Product catalog</h1>
|
||||
{{with .Data}}
|
||||
<p class="note">A <strong>pack</strong> funds chips (a money price per rail — RUB via direct, VOTE via vk, XTR via telegram); a <strong>value</strong> buys benefits with chips (a CHIP price). Archived products are hidden from players but still credit an in-flight payment and can be granted. A product with transactions can only be archived, not deleted. Amounts are in minor units (RUB kopecks; VOTE/XTR/CHIP whole). The <code>tournament</code> atom is not sellable yet — keep such a product archived.</p>
|
||||
<section class="panel"><h2>Add product</h2>
|
||||
<form class="form col" method="post" action="/_gm/catalog">
|
||||
<label>Title <input type="text" name="title" maxlength="120" required></label>
|
||||
<fieldset><legend>Atoms (quantity; blank = none)</legend>
|
||||
<label>Chips <input type="number" name="chips" min="0"></label>
|
||||
<label>Hints <input type="number" name="hints" min="0"></label>
|
||||
<label>No-ads days <input type="number" name="noads" min="0"></label>
|
||||
<label>Tournament <input type="number" name="tournament" min="0"></label>
|
||||
</fieldset>
|
||||
<fieldset><legend>Prices (minor units; blank = none)</legend>
|
||||
<label>RUB — direct (kopecks) <input type="number" name="price_rub" min="0"></label>
|
||||
<label>VOTE — vk <input type="number" name="price_vote" min="0"></label>
|
||||
<label>XTR — telegram <input type="number" name="price_star" min="0"></label>
|
||||
<label>CHIP — value <input type="number" name="price_chip" min="0"></label>
|
||||
</fieldset>
|
||||
<label><input type="checkbox" name="active" value="true"> Active (on sale)</label>
|
||||
<div><button type="submit">Add</button></div>
|
||||
</form>
|
||||
</section>
|
||||
<section class="panel"><h2>Products</h2>
|
||||
<table class="list">
|
||||
<thead><tr><th>Title</th><th>Status</th><th>Atoms</th><th>Prices</th><th></th></tr></thead>
|
||||
<tbody>
|
||||
{{range .Products}}
|
||||
<tr>
|
||||
<td><a href="/_gm/catalog/{{.ID}}">{{.Title}}</a></td>
|
||||
<td>{{if .Active}}<span class="ok">active</span>{{else}}<span class="warn">archived</span>{{end}}{{if .Transacted}} <span class="pill">transacted</span>{{end}}</td>
|
||||
<td>{{range .Atoms}}<code>{{.Atom}}×{{.Quantity}}</code> {{end}}</td>
|
||||
<td>{{range .Prices}}<code>{{.Currency}}{{if .Method}}/{{.Method}}{{end}} {{.Amount}}</code> {{end}}</td>
|
||||
<td class="row-actions">
|
||||
<form class="form" method="post" action="/_gm/catalog/{{.ID}}/archive"><input type="hidden" name="active" value="{{if .Active}}false{{else}}true{{end}}"><button type="submit">{{if .Active}}Archive{{else}}Unarchive{{end}}</button></form>
|
||||
{{if not .Transacted}}<form class="form" method="post" action="/_gm/catalog/{{.ID}}/delete" onsubmit="return confirm('Delete this product? It has never been transacted, so this is safe and permanent.')"><button type="submit">Delete</button></form>{{end}}
|
||||
</td>
|
||||
</tr>
|
||||
{{else}}<tr><td colspan="5"><span class="note">no products</span></td></tr>{{end}}
|
||||
</tbody>
|
||||
</table>
|
||||
</section>
|
||||
{{end}}
|
||||
{{- end}}
|
||||
@@ -8,6 +8,7 @@
|
||||
<li><b>Dictionary</b> {{.DictVersion}}</li>
|
||||
<li><b>Status</b> {{.Status}}{{if .EndReason}} ({{.EndReason}}){{end}}</li>
|
||||
<li><b>AI game</b> {{if .VsAI}}🤖 yes{{else}}no{{end}}</li>
|
||||
<li><b>Word rule</b> {{if .MultipleWordsPerTurn}}multiple words per turn{{else}}single word per turn{{end}}</li>
|
||||
<li><b>Players</b> {{.Players}}</li>
|
||||
<li><b>To move</b> seat {{.ToMove}}</li>
|
||||
<li><b>Moves</b> {{.MoveCount}}</li>
|
||||
|
||||
@@ -8,11 +8,11 @@
|
||||
<a href="/_gm/games?status=finished"{{if eq .Status "finished"}} class="active"{{end}}>finished</a>
|
||||
</nav>
|
||||
<table class="list">
|
||||
<thead><tr><th>Game</th><th>Variant</th><th>Status</th><th>🤖</th><th class="num">Players</th><th>Updated</th></tr></thead>
|
||||
<thead><tr><th>Game</th><th>Variant</th><th>Kind</th><th>Status</th><th>🤖</th><th class="num">Players</th><th>Updated</th></tr></thead>
|
||||
<tbody>
|
||||
{{range .Items}}
|
||||
<tr><td><a href="/_gm/games/{{.ID}}">{{.ID}}</a></td><td>{{.Variant}}</td><td>{{.Status}}</td><td>{{if .VsAI}}🤖{{end}}</td><td class="num">{{.Players}}</td><td>{{.UpdatedAt}}</td></tr>
|
||||
{{else}}<tr><td colspan="6"><span class="note">no games</span></td></tr>{{end}}
|
||||
<tr><td><a href="/_gm/games/{{.ID}}">{{.ID}}</a></td><td>{{.Variant}}</td><td>{{.Kind}}</td><td>{{.Status}}</td><td>{{if .VsAI}}🤖{{end}}</td><td class="num">{{.Players}}</td><td>{{.UpdatedAt}}</td></tr>
|
||||
{{else}}<tr><td colspan="7"><span class="note">no games</span></td></tr>{{end}}
|
||||
</tbody>
|
||||
</table>
|
||||
<nav class="pager">
|
||||
|
||||
@@ -0,0 +1,19 @@
|
||||
{{define "content" -}}
|
||||
<h1>Active-game limits</h1>
|
||||
{{with .Data}}
|
||||
<p class="note">Per-tier, per-kind caps on a player's simultaneous unfinished games. <strong>-1</strong> = unlimited, <strong>0</strong> = the kind is blocked, a positive number caps concurrent games of that kind. Guests are additionally blocked from friend games outright. Changes apply immediately (no redeploy); games already in progress are never affected.</p>
|
||||
<section class="panel">
|
||||
<form class="form col" method="post" action="/_gm/limits">
|
||||
<h2>Guest</h2>
|
||||
<label>vs AI <input type="number" name="guest_vs_ai" min="-1" value="{{.GuestVsAI}}" required></label>
|
||||
<label>Random <input type="number" name="guest_random" min="-1" value="{{.GuestRandom}}" required></label>
|
||||
<label>Friends <input type="number" name="guest_friends" min="-1" value="{{.GuestFriends}}" required></label>
|
||||
<h2>Durable account</h2>
|
||||
<label>vs AI <input type="number" name="durable_vs_ai" min="-1" value="{{.DurableVsAI}}" required></label>
|
||||
<label>Random <input type="number" name="durable_random" min="-1" value="{{.DurableRandom}}" required></label>
|
||||
<label>Friends <input type="number" name="durable_friends" min="-1" value="{{.DurableFriends}}" required></label>
|
||||
<div><button type="submit">Save</button></div>
|
||||
</form>
|
||||
</section>
|
||||
{{end}}
|
||||
{{- end}}
|
||||
@@ -0,0 +1,25 @@
|
||||
{{define "content" -}}
|
||||
{{with .Data}}
|
||||
<p class="note"><a href="/_gm/catalog">← all products</a></p>
|
||||
<h1>{{.Title}} {{if .Active}}<span class="ok">active</span>{{else}}<span class="warn">archived</span>{{end}}{{if .Transacted}} <span class="pill">transacted</span>{{end}}</h1>
|
||||
<section class="panel"><h2>Edit</h2>
|
||||
<p class="note">A zero quantity / blank price removes that atom / price. Amounts are in minor units. Saving revalidates the sellable shape when the product is active. Archive / unarchive from the <a href="/_gm/catalog">catalog list</a>.</p>
|
||||
<form class="form col" method="post" action="/_gm/catalog/{{.ID}}">
|
||||
<label>Title <input type="text" name="title" value="{{.Title}}" maxlength="120" required></label>
|
||||
<fieldset><legend>Atoms (quantity; 0 = none)</legend>
|
||||
<label>Chips <input type="number" name="chips" min="0" value="{{.Chips}}"></label>
|
||||
<label>Hints <input type="number" name="hints" min="0" value="{{.Hints}}"></label>
|
||||
<label>No-ads days <input type="number" name="noads" min="0" value="{{.NoAds}}"></label>
|
||||
<label>Tournament <input type="number" name="tournament" min="0" value="{{.Tournament}}"></label>
|
||||
</fieldset>
|
||||
<fieldset><legend>Prices (minor units; 0 = none)</legend>
|
||||
<label>RUB — direct (kopecks) <input type="number" name="price_rub" min="0" value="{{.PriceRUB}}"></label>
|
||||
<label>VOTE — vk <input type="number" name="price_vote" min="0" value="{{.PriceVote}}"></label>
|
||||
<label>XTR — telegram <input type="number" name="price_star" min="0" value="{{.PriceStar}}"></label>
|
||||
<label>CHIP — value <input type="number" name="price_chip" min="0" value="{{.PriceChip}}"></label>
|
||||
</fieldset>
|
||||
<div><button type="submit">Save</button></div>
|
||||
</form>
|
||||
</section>
|
||||
{{end}}
|
||||
{{- end}}
|
||||
@@ -10,8 +10,6 @@
|
||||
<li><b>Timezone</b> {{.TimeZone}}</li>
|
||||
<li><b>Guest</b> {{if .Guest}}yes{{else}}no{{end}}</li>
|
||||
<li><b>Push</b> {{if .NotificationsInAppOnly}}in-app only{{else}}out-of-app{{end}}</li>
|
||||
<li><b>Paid</b> {{if .PaidAccount}}yes{{else}}no{{end}}</li>
|
||||
<li><b>Hint wallet</b> {{.HintBalance}}</li>
|
||||
{{if .MergedInto}}<li><b>Merged into</b> {{.MergedInto}}</li>{{end}}
|
||||
{{if .FlaggedHighRateAt}}<li><b>High-rate flag</b> <span class="warn">{{.FlaggedHighRateAt}}</span></li>{{end}}
|
||||
<li><b>Created</b> {{.CreatedAt}}</li>
|
||||
@@ -21,10 +19,6 @@
|
||||
<button type="submit">Clear high-rate flag</button>
|
||||
</form>
|
||||
{{end}}
|
||||
<form class="form" method="post" action="/_gm/users/{{.ID}}/grant-hints">
|
||||
<label>Add hints <input type="number" name="amount" min="1" max="{{.HintGrantMax}}" value="1"></label>
|
||||
<button type="submit">Grant</button>
|
||||
</form>
|
||||
</section>
|
||||
<section class="panel"><h2>Statistics</h2>
|
||||
{{if .HasStats}}
|
||||
@@ -69,6 +63,51 @@
|
||||
<div><button type="submit">{{if .Suspension.Blocked}}Re-block{{else}}Block{{end}}</button></div>
|
||||
</form>
|
||||
</section>
|
||||
<section class="panel"><h2>Finance</h2>
|
||||
{{if .Finance.Present}}
|
||||
{{if or .Finance.Segments .Finance.Benefits .Finance.Abuse .Finance.Loss}}
|
||||
<ul class="kv">
|
||||
{{range .Finance.Segments}}<li><b>Chips ({{.Source}})</b> {{.Chips}}</li>{{end}}
|
||||
{{range .Finance.Benefits}}<li><b>Benefits ({{.Origin}})</b> {{.Hints}} hints{{if .Forever}} · no-ads forever{{else if .AdsUntil}} · no-ads until {{.AdsUntil}} (UTC){{end}}</li>{{end}}
|
||||
{{if or .Finance.Abuse .Finance.Loss}}<li><b>Refund risk</b> <span class="warn">{{if .Finance.Abuse}}abuse-flagged{{end}}{{if .Finance.Loss}} · loss {{.Finance.Loss}} chips{{end}}</span></li>{{end}}
|
||||
</ul>
|
||||
{{else}}<p class="note">no balances or benefits</p>{{end}}
|
||||
<h3>Ledger</h3>
|
||||
{{$uid := .ID}}
|
||||
{{if .Finance.Ledger}}
|
||||
<table class="list">
|
||||
<thead><tr><th>Time</th><th>Kind</th><th>Source</th><th>Origin</th><th>Chips</th><th>Order</th><th>Provider</th><th>Detail</th><th></th></tr></thead>
|
||||
<tbody>
|
||||
{{range .Finance.Ledger}}
|
||||
<tr><td>{{.At}}</td><td>{{.Kind}}</td><td>{{.Source}}</td><td>{{.Origin}}</td><td>{{.ChipsDelta}}</td><td>{{if .Order}}<code>{{.Order}}</code>{{end}}</td><td>{{.Provider}}</td><td>{{if .Snapshot}}<code>{{.Snapshot}}</code>{{end}}</td>
|
||||
<td>{{if and (eq .Kind "fund") .Order}}<form class="form" method="post" action="/_gm/users/{{$uid}}/refund" onsubmit="return confirm('Refund this order in full? Record the money refund on the rail first; this revokes the chips (floored at 0).')"><input type="hidden" name="order_id" value="{{.Order}}"><button type="submit">Refund</button></form>{{end}}</td></tr>
|
||||
{{end}}
|
||||
</tbody>
|
||||
</table>
|
||||
<p class="note"><a href="/_gm/ledger.csv">Export the full ledger (CSV)</a> — all accounts, for tax + reconciliation.</p>
|
||||
{{else}}<p class="note">no ledger entries</p>{{end}}
|
||||
{{else}}<p class="note">payments not enabled</p>{{end}}
|
||||
</section>
|
||||
<section class="panel"><h2>Grant benefits</h2>
|
||||
{{if .Grant.Present}}
|
||||
<p class="note">A zero-price admin sale of a value — <strong>never chips</strong>. The origin is your compliance choice. The by-product grant applies a defined bundle, including an archived reward product.</p>
|
||||
<form class="form col" method="post" action="/_gm/users/{{.ID}}/grant">
|
||||
<label>Origin <select name="origin">{{range .Grant.Origins}}<option value="{{.}}">{{.}}</option>{{end}}</select></label>
|
||||
<label>Hints <input type="number" name="hints" min="0" value="0"></label>
|
||||
<label>No-ads days <input type="number" name="noads" min="0" value="0"></label>
|
||||
<label><input type="checkbox" name="forever" value="true"> No-ads forever</label>
|
||||
<div><button type="submit">Grant</button></div>
|
||||
</form>
|
||||
{{if .Grant.Products}}
|
||||
<h3>Grant a product</h3>
|
||||
<form class="form col" method="post" action="/_gm/users/{{.ID}}/grant-product">
|
||||
<label>Origin <select name="origin">{{range .Grant.Origins}}<option value="{{.}}">{{.}}</option>{{end}}</select></label>
|
||||
<label>Product <select name="product_id">{{range .Grant.Products}}<option value="{{.ID}}">{{.Title}} ({{.Summary}}){{if .Archived}} — archived{{end}}</option>{{end}}</select></label>
|
||||
<div><button type="submit">Grant product</button></div>
|
||||
</form>
|
||||
{{else}}<p class="note">no grantable products — create a value product in the <a href="/_gm/catalog">catalog</a></p>{{end}}
|
||||
{{else}}<p class="note">payments not enabled</p>{{end}}
|
||||
</section>
|
||||
<section class="panel"><h2>Roles</h2>
|
||||
{{$id := .ID}}
|
||||
{{if .Roles}}
|
||||
@@ -101,6 +140,29 @@
|
||||
{{else}}<tr><td colspan="4"><span class="note">no identities (guest)</span></td></tr>{{end}}
|
||||
</tbody>
|
||||
</table>
|
||||
{{if .HasEmail}}
|
||||
<form class="form" method="post" action="/_gm/users/{{.ID}}/remove-email" onsubmit="return confirm('Erase the email identity from this account? The address will be freed.')">
|
||||
<button type="submit">Erase email</button>
|
||||
</form>
|
||||
{{end}}
|
||||
</section>
|
||||
<section class="panel"><h2>Deletion & retention</h2>
|
||||
{{if .LastLoginAt}}<p class="note">Last login: {{.LastLoginAt}}{{if .LastLoginIP}} — <code>{{.LastLoginIP}}</code>{{end}}</p>{{end}}
|
||||
{{if .Deleted}}<p><span class="warn">Deleted</span> at {{.DeletedAt}}{{if .DeletedName}} — was <code>{{.DeletedName}}</code>{{end}}</p>{{end}}
|
||||
{{if .Retained}}
|
||||
<h3>Retention journal (legal dossier of detached credentials)</h3>
|
||||
<table class="list">
|
||||
<thead><tr><th>Kind</th><th>Credential</th><th>Reason</th><th>Detached</th></tr></thead>
|
||||
<tbody>
|
||||
{{range .Retained}}<tr><td>{{.Kind}}</td><td><code>{{.ExternalID}}</code></td><td>{{.Reason}}</td><td>{{.DetachedAt}}</td></tr>{{end}}
|
||||
</tbody>
|
||||
</table>
|
||||
{{end}}
|
||||
{{if not .Deleted}}
|
||||
<form class="form" method="post" action="/_gm/users/{{.ID}}/delete" onsubmit="return confirm('Delete this account? Its credentials are journalled and freed, its data anonymised, and its sessions revoked. This cannot be undone.')">
|
||||
<button type="submit">Delete user</button>
|
||||
</form>
|
||||
{{end}}
|
||||
</section>
|
||||
<section class="panel"><h2>Friends</h2>
|
||||
<table class="list">
|
||||
@@ -142,13 +204,18 @@
|
||||
{{else}}<p class="note">connector not configured (set BACKEND_CONNECTOR_ADDR)</p>{{end}}
|
||||
</section>
|
||||
{{end}}
|
||||
{{if .VKID}}
|
||||
<section class="panel"><h2>VK</h2>
|
||||
<p>VK ID: <code>{{.VKID}}</code> · <a href="https://vk.com/id{{.VKID}}" target="_blank" rel="noopener">open profile</a></p>
|
||||
</section>
|
||||
{{end}}
|
||||
<section class="panel"><h2>Games</h2>
|
||||
<table class="list">
|
||||
<thead><tr><th>Game</th><th>Variant</th><th>Status</th><th class="num">Players</th><th>Updated</th></tr></thead>
|
||||
<thead><tr><th>Game</th><th>Variant</th><th>Kind</th><th>Status</th><th class="num">Players</th><th>Updated</th></tr></thead>
|
||||
<tbody>
|
||||
{{range .Games}}
|
||||
<tr><td><a href="/_gm/games/{{.ID}}">{{.ID}}</a></td><td>{{.Variant}}</td><td>{{.Status}}</td><td class="num">{{.Players}}</td><td>{{.UpdatedAt}}</td></tr>
|
||||
{{else}}<tr><td colspan="5"><span class="note">no games</span></td></tr>{{end}}
|
||||
<tr><td><a href="/_gm/games/{{.ID}}">{{.ID}}</a></td><td>{{.Variant}}</td><td>{{.Kind}}</td><td>{{.Status}}</td><td class="num">{{.Players}}</td><td>{{.UpdatedAt}}</td></tr>
|
||||
{{else}}<tr><td colspan="6"><span class="note">no games</span></td></tr>{{end}}
|
||||
</tbody>
|
||||
</table>
|
||||
</section>
|
||||
|
||||
@@ -2,13 +2,15 @@
|
||||
<h1>Users</h1>
|
||||
{{with .Data}}
|
||||
<nav class="subnav">
|
||||
<a href="/_gm/users"{{if not .Robots}} class="active"{{end}}>People</a> ·
|
||||
<a href="/_gm/users"{{if and (not .Robots) (not .Deleted)}} class="active"{{end}}>People</a> ·
|
||||
<a href="/_gm/users?kind=deleted"{{if .Deleted}} class="active"{{end}}>Deleted</a> ·
|
||||
<a href="/_gm/users?kind=robots"{{if .Robots}} class="active"{{end}}>Robots</a>
|
||||
</nav>
|
||||
<form class="form" method="get" action="/_gm/users">
|
||||
{{if .Robots}}<input type="hidden" name="kind" value="robots">{{end}}
|
||||
{{if .Robots}}<input type="hidden" name="kind" value="robots">{{end}}{{if .Deleted}}<input type="hidden" name="kind" value="deleted">{{end}}
|
||||
<input name="name" value="{{.NameMask}}" placeholder="display name mask (* ?)">
|
||||
<input name="ext" value="{{.ExternalIDMask}}" placeholder="external id mask (* ?)">
|
||||
<input name="email" value="{{.EmailExact}}" placeholder="email (exact)" type="search">
|
||||
<button type="submit">Filter</button>
|
||||
</form>
|
||||
<table class="list">
|
||||
@@ -17,7 +19,7 @@
|
||||
{{range .Items}}
|
||||
<tr>
|
||||
<td><a href="/_gm/users/{{.ID}}">{{.ID}}</a></td>
|
||||
<td>{{.DisplayName}}{{if .Guest}} <span class="pill">guest</span>{{end}}{{if .FlaggedHighRate}} <span class="pill">high-rate</span>{{end}}</td>
|
||||
<td>{{.DisplayName}}{{if .Deleted}} <span class="pill">deleted</span>{{end}}{{if .Guest}} <span class="pill">guest</span>{{end}}{{if .FlaggedHighRate}} <span class="pill">high-rate</span>{{end}}</td>
|
||||
<td>{{.Kind}}</td>
|
||||
<td>{{.Language}}</td>
|
||||
<td>{{.CreatedAt}}</td>
|
||||
|
||||
@@ -60,8 +60,10 @@ type UsersView struct {
|
||||
// be emitted verbatim — interpolated as a plain string it would have its "=" and "&"
|
||||
// percent-encoded again by the contextual escaper.
|
||||
Robots bool
|
||||
Deleted bool
|
||||
NameMask string
|
||||
ExternalIDMask string
|
||||
EmailExact string
|
||||
FilterQuery template.URL
|
||||
}
|
||||
|
||||
@@ -74,6 +76,7 @@ type UserRow struct {
|
||||
Kind string
|
||||
Language string
|
||||
Guest bool
|
||||
Deleted bool
|
||||
FlaggedHighRate bool
|
||||
CreatedAt string
|
||||
HasMoveStats bool
|
||||
@@ -146,23 +149,33 @@ type UserDetailView struct {
|
||||
TimeZone string
|
||||
Guest bool
|
||||
NotificationsInAppOnly bool
|
||||
PaidAccount bool
|
||||
// MergedInto is the primary account id when this account has been retired by a
|
||||
// merge, or empty for a live account.
|
||||
MergedInto string
|
||||
// The account-deletion dossier. Deleted marks a tombstoned account; DeletedAt and
|
||||
// DeletedName are its deletion time and retained real name; LastLoginAt/IP are the
|
||||
// last cold-load stamp (shown for any account); Retained is the credential journal.
|
||||
Deleted bool
|
||||
DeletedAt string
|
||||
DeletedName string
|
||||
LastLoginAt string
|
||||
LastLoginIP string
|
||||
Retained []RetainedRow
|
||||
// FlaggedHighRateAt is the pre-formatted soft high-rate marker timestamp,
|
||||
// empty for an unflagged account; the card shows it with the Clear action.
|
||||
FlaggedHighRateAt string
|
||||
HintBalance int
|
||||
// HintGrantMax is the per-grant cap the operator's "add hints" form enforces (it mirrors the
|
||||
// server's maxHintGrant), passed through so the policy value lives in one place.
|
||||
HintGrantMax int
|
||||
CreatedAt string
|
||||
HasStats bool
|
||||
Stats StatsRow
|
||||
Identities []IdentityRow
|
||||
Games []GameRow
|
||||
CreatedAt string
|
||||
HasStats bool
|
||||
Stats StatsRow
|
||||
Identities []IdentityRow
|
||||
// HasEmail gates the "Erase email" action; set when the account carries an email identity.
|
||||
HasEmail bool
|
||||
Games []GameRow
|
||||
// TelegramID and VKID are the account's platform external ids (empty when absent).
|
||||
// TelegramID gates the "Send Telegram message" operator action; VKID surfaces the VK
|
||||
// user id with a link to the VK profile (there is no VK messaging to drive).
|
||||
TelegramID string
|
||||
VKID string
|
||||
ConnectorEnabled bool
|
||||
// MoveChart is the pre-rendered inline SVG of the account's per-move-number think
|
||||
// time (min/mean/max), empty when the account has no timed move.
|
||||
@@ -182,6 +195,55 @@ type UserDetailView struct {
|
||||
Blocks []RelationRow
|
||||
BlockedBy []RelationRow
|
||||
Friends []RelationRow
|
||||
// Finance is the account's payments picture (balances, benefits, refund risk, ledger). Present
|
||||
// is false when the payments domain is unwired.
|
||||
Finance FinanceView
|
||||
// Grant is the admin-grant panel (origin picker + grantable products). Present is false when the
|
||||
// payments domain is unwired.
|
||||
Grant GrantFormView
|
||||
}
|
||||
|
||||
// FinanceView is the account's payments picture on the user card: chip balances per funding
|
||||
// segment, benefits per origin, the recorded refund risk, and the append-only ledger history
|
||||
// (newest first). Present is false when the payments domain is unwired.
|
||||
type FinanceView struct {
|
||||
Present bool
|
||||
Segments []SegmentRow
|
||||
Benefits []BenefitRow
|
||||
// Abuse is the refund abuse flag; Loss is the unrecoverable chip loss from floor-0 refunds.
|
||||
Abuse bool
|
||||
Loss int
|
||||
Ledger []LedgerRow
|
||||
}
|
||||
|
||||
// SegmentRow is one funding segment's chip balance.
|
||||
type SegmentRow struct {
|
||||
Source string
|
||||
Chips int
|
||||
}
|
||||
|
||||
// BenefitRow is one origin's benefit: the hint wallet, the ad-free expiry (pre-formatted, empty
|
||||
// when none) and the lifetime ad-free flag.
|
||||
type BenefitRow struct {
|
||||
Origin string
|
||||
Hints int
|
||||
AdsUntil string
|
||||
Forever bool
|
||||
}
|
||||
|
||||
// LedgerRow is one append-only ledger entry: its kind, funding source / benefit origin, signed chip
|
||||
// delta, the product / order / provider it references (empty when none), the raw snapshot JSON and
|
||||
// the pre-formatted time.
|
||||
type LedgerRow struct {
|
||||
Kind string
|
||||
Source string
|
||||
Origin string
|
||||
ChipsDelta int
|
||||
Product string
|
||||
Order string
|
||||
Provider string
|
||||
Snapshot string
|
||||
At string
|
||||
}
|
||||
|
||||
// RelationRow is one cross-linked account in the user card's blocks / blocked-by / friends
|
||||
@@ -230,6 +292,17 @@ type IdentityRow struct {
|
||||
CreatedAt string
|
||||
}
|
||||
|
||||
// RetainedRow is one credential in the account-deletion retention journal (the legal
|
||||
// dossier of detached credentials): what was detached, when, and why.
|
||||
type RetainedRow struct {
|
||||
Kind string
|
||||
ExternalID string
|
||||
Reason string
|
||||
Confirmed bool
|
||||
LinkedAt string
|
||||
DetachedAt string
|
||||
}
|
||||
|
||||
// GameRow is one game row in a list.
|
||||
type GameRow struct {
|
||||
ID string
|
||||
@@ -239,6 +312,8 @@ type GameRow struct {
|
||||
UpdatedAt string
|
||||
// VsAI marks an honest-AI game (rendered as 🤖 in the list's AI column).
|
||||
VsAI bool
|
||||
// Kind is the game's origin tag label: vs_ai / random / friends / unknown.
|
||||
Kind string
|
||||
}
|
||||
|
||||
// GamesView is the paginated games list, optionally filtered by status.
|
||||
@@ -248,6 +323,17 @@ type GamesView struct {
|
||||
Pager Pager
|
||||
}
|
||||
|
||||
// GameLimitsView is the per-tier, per-kind active-game limit form: each field is a cap where -1
|
||||
// is unlimited, 0 blocks the kind, and a positive value caps concurrent games of that kind.
|
||||
type GameLimitsView struct {
|
||||
GuestVsAI int
|
||||
GuestRandom int
|
||||
GuestFriends int
|
||||
DurableVsAI int
|
||||
DurableRandom int
|
||||
DurableFriends int
|
||||
}
|
||||
|
||||
// GameDetailView is one game with its seats.
|
||||
type GameDetailView struct {
|
||||
ID string
|
||||
@@ -262,8 +348,12 @@ type GameDetailView struct {
|
||||
UpdatedAt string
|
||||
FinishedAt string
|
||||
// VsAI marks an honest-AI game (shown as a 🤖 flag in the summary).
|
||||
VsAI bool
|
||||
Seats []SeatRow
|
||||
VsAI bool
|
||||
// MultipleWordsPerTurn is the game's cross-word rule: true = standard Scrabble (every cross-word
|
||||
// is validated and scored), false = the single-word rule (only the main word along the play
|
||||
// direction counts). Shown in the summary so an operator can tell the rule at a glance.
|
||||
MultipleWordsPerTurn bool
|
||||
Seats []SeatRow
|
||||
// HasRobot is true when any seat is a robot, gating the robot-target caption;
|
||||
// RobotTargetPct is the configured global play-to-win rate, in percent.
|
||||
HasRobot bool
|
||||
@@ -469,15 +559,30 @@ type BannerCampaignRow struct {
|
||||
|
||||
// BannerDetailView is the campaign detail/edit page. StartsAt/EndsAt are the
|
||||
// "YYYY-MM-DDTHH:MM" (UTC) values for the datetime-local inputs, empty when open.
|
||||
//
|
||||
// The colour-override and urgent fields drive the non-default campaign's editor:
|
||||
// OverrideAllOn/OverrideDarkOn report whether each colour set is active, and the
|
||||
// six *Bg/*Fg/*Link values seed the native colour inputs — the stored override
|
||||
// when a set is on, otherwise the neutral theme token so the picker starts from a
|
||||
// sensible colour and the live preview shows the real fallback.
|
||||
type BannerDetailView struct {
|
||||
ID string
|
||||
Name string
|
||||
Weight int
|
||||
IsDefault bool
|
||||
Enabled bool
|
||||
StartsAt string
|
||||
EndsAt string
|
||||
Messages []BannerMessageRow
|
||||
ID string
|
||||
Name string
|
||||
Weight int
|
||||
IsDefault bool
|
||||
Enabled bool
|
||||
StartsAt string
|
||||
EndsAt string
|
||||
Urgent bool
|
||||
OverrideAllOn bool
|
||||
AllBg string
|
||||
AllFg string
|
||||
AllLink string
|
||||
OverrideDarkOn bool
|
||||
DarkBg string
|
||||
DarkFg string
|
||||
DarkLink string
|
||||
Messages []BannerMessageRow
|
||||
}
|
||||
|
||||
// BannerMessageRow is one bilingual message of a campaign. First/Last drive the
|
||||
@@ -568,3 +673,69 @@ type FeedbackDetailView struct {
|
||||
UserTZ string
|
||||
Banned bool
|
||||
}
|
||||
|
||||
// CatalogView is the product-catalog list page.
|
||||
type CatalogView struct {
|
||||
Products []ProductRow
|
||||
}
|
||||
|
||||
// ProductRow is one product in the catalog list: its composition, prices, the archived flag
|
||||
// (Active) and the transacted flag (which forbids a hard delete).
|
||||
type ProductRow struct {
|
||||
ID string
|
||||
Title string
|
||||
Active bool
|
||||
Atoms []AtomRow
|
||||
Prices []PriceRow
|
||||
Transacted bool
|
||||
}
|
||||
|
||||
// AtomRow is one atom line of a product row.
|
||||
type AtomRow struct {
|
||||
Atom string
|
||||
Quantity int
|
||||
}
|
||||
|
||||
// PriceRow is one price of a product: the method ("" for a value's CHIP price), the currency, and
|
||||
// the amount in that currency's minor units.
|
||||
type PriceRow struct {
|
||||
Method string
|
||||
Currency string
|
||||
Amount int64
|
||||
}
|
||||
|
||||
// ProductFormView is the product edit form, pre-filled from the current composition. Atom quantities
|
||||
// and prices are flattened to the fixed fields the form offers (0 = absent); Transacted disables the
|
||||
// delete action.
|
||||
type ProductFormView struct {
|
||||
ID string
|
||||
Title string
|
||||
Active bool
|
||||
Chips int
|
||||
Hints int
|
||||
NoAds int
|
||||
Tournament int
|
||||
PriceRUB int64
|
||||
PriceVote int64
|
||||
PriceStar int64
|
||||
PriceChip int64
|
||||
Transacted bool
|
||||
}
|
||||
|
||||
// GrantFormView is the admin-grant panel on the user card: the origin picker and the grantable
|
||||
// products (value bundles — hints / no-ads days — including archived ones; chips and tournament
|
||||
// products are excluded). Present is false when the payments domain is unwired.
|
||||
type GrantFormView struct {
|
||||
Present bool
|
||||
Origins []string
|
||||
Products []GrantProductOption
|
||||
}
|
||||
|
||||
// GrantProductOption is one grantable product in the by-product picker: its id, title, an atom
|
||||
// summary, and whether it is archived (the common case for a non-public reward bundle).
|
||||
type GrantProductOption struct {
|
||||
ID string
|
||||
Title string
|
||||
Summary string
|
||||
Archived bool
|
||||
}
|
||||
|
||||
+77
-21
@@ -30,6 +30,15 @@ var ErrDefaultImmutable = errors.New("ads: the default campaign cannot be modifi
|
||||
// window or message body).
|
||||
var ErrValidation = errors.New("ads: validation")
|
||||
|
||||
// ColorSet is an optional per-campaign colour override for the banner strip:
|
||||
// background, foreground (text) and link, each a "#rrggbb" hex string. The three
|
||||
// are set together or the whole set is absent (a nil *ColorSet).
|
||||
type ColorSet struct {
|
||||
Bg string
|
||||
Fg string
|
||||
Link string
|
||||
}
|
||||
|
||||
// Campaign is one advertising placement order with its messages.
|
||||
type Campaign struct {
|
||||
ID uuid.UUID // uuid.Nil on create
|
||||
@@ -40,6 +49,16 @@ type Campaign struct {
|
||||
StartsAt *time.Time // nil = open-ended start; always nil for the default
|
||||
EndsAt *time.Time // nil = open-ended end; always nil for the default
|
||||
Messages []Message
|
||||
// OverrideAll paints the strip on every theme; OverrideDark, when set, further
|
||||
// overrides the dark theme (the client resolves dark ← dark ?? all ?? token,
|
||||
// light ← all ?? token). Both are nil for the default campaign and for a
|
||||
// campaign that keeps the neutral theme tokens. Non-default only.
|
||||
OverrideAll *ColorSet
|
||||
OverrideDark *ColorSet
|
||||
// Urgent forces the banner on every viewer (bypassing eligibility) and, while
|
||||
// any urgent campaign is active, suppresses every non-urgent campaign and the
|
||||
// default remainder. Non-default only; always false for the default campaign.
|
||||
Urgent bool
|
||||
CreatedAt time.Time
|
||||
UpdatedAt time.Time
|
||||
}
|
||||
@@ -70,29 +89,32 @@ type Timings struct {
|
||||
|
||||
// ActiveCampaign is one campaign in the resolved rotation feed sent to a client:
|
||||
// its GCD-reduced show weight and its messages, already resolved to the viewer's
|
||||
// language and in display (round-robin) order.
|
||||
// language and in display (round-robin) order, plus the optional colour overrides
|
||||
// the client applies to the strip (nil = the neutral theme tokens). Urgency is not
|
||||
// carried here: it is resolved server-side into the set's membership and the
|
||||
// eligibility bypass, so the client only ever renders what it is sent.
|
||||
type ActiveCampaign struct {
|
||||
Weight int
|
||||
Messages []string
|
||||
}
|
||||
|
||||
// Eligible reports whether an account should be shown the advertising banner: a
|
||||
// free account (not paid) with an empty hint wallet and without the no_banner
|
||||
// role. The no_banner role suppresses the banner unconditionally; buying a paid
|
||||
// account or any hints also removes it.
|
||||
func Eligible(paidAccount bool, hintBalance int, hasNoBanner bool) bool {
|
||||
return !paidAccount && hintBalance <= 0 && !hasNoBanner
|
||||
Weight int
|
||||
Messages []string
|
||||
OverrideAll *ColorSet
|
||||
OverrideDark *ColorSet
|
||||
}
|
||||
|
||||
// computeActiveSet builds the resolved rotation feed from the enabled campaigns
|
||||
// at time now, in language lang. Campaigns outside their validity window, and
|
||||
// campaigns with no messages, are dropped. The default campaign's effective
|
||||
// weight is the remainder up to 100% — max(0, 100 - sum of active timed
|
||||
// weights) — so it fills unsold inventory and is dropped entirely when timed
|
||||
// campaigns already reach 100%. Weights are then reduced by their GCD so the
|
||||
// fair rotation cycle stays short. The input is expected to be the enabled
|
||||
// campaigns (ActiveCampaigns); disabled ones must already be excluded.
|
||||
func computeActiveSet(campaigns []Campaign, now time.Time, lang string) []ActiveCampaign {
|
||||
// at time now, in language lang, and reports whether the feed is an urgent one.
|
||||
// Campaigns outside their validity window, and campaigns with no messages, are
|
||||
// dropped.
|
||||
//
|
||||
// While any active campaign is urgent, the feed is the urgent campaigns alone —
|
||||
// every non-urgent timed campaign and the default remainder are suppressed for
|
||||
// the duration (and the caller shows the feed to every viewer, bypassing
|
||||
// eligibility). Otherwise the default campaign's effective weight is the
|
||||
// remainder up to 100% — max(0, 100 - sum of active timed weights) — so it fills
|
||||
// unsold inventory and is dropped entirely when timed campaigns already reach
|
||||
// 100%. Weights are then reduced by their GCD so the fair rotation cycle stays
|
||||
// short. The input is expected to be the enabled campaigns (ActiveCampaigns);
|
||||
// disabled ones must already be excluded.
|
||||
func computeActiveSet(campaigns []Campaign, now time.Time, lang string) ([]ActiveCampaign, bool) {
|
||||
var timed []Campaign
|
||||
var def *Campaign
|
||||
for i := range campaigns {
|
||||
@@ -108,20 +130,54 @@ func computeActiveSet(campaigns []Campaign, now time.Time, lang string) []Active
|
||||
timed = append(timed, c)
|
||||
}
|
||||
}
|
||||
if urgent := filterUrgent(timed); len(urgent) > 0 {
|
||||
out := make([]ActiveCampaign, 0, len(urgent))
|
||||
for _, c := range urgent {
|
||||
out = append(out, activeFrom(c, lang))
|
||||
}
|
||||
reduceByGCD(out)
|
||||
return out, true
|
||||
}
|
||||
sumTimed := 0
|
||||
for _, c := range timed {
|
||||
sumTimed += c.Weight
|
||||
}
|
||||
out := make([]ActiveCampaign, 0, len(timed)+1)
|
||||
for _, c := range timed {
|
||||
out = append(out, ActiveCampaign{Weight: c.Weight, Messages: resolveBodies(c.Messages, lang)})
|
||||
out = append(out, activeFrom(c, lang))
|
||||
}
|
||||
if def != nil {
|
||||
if dw := 100 - sumTimed; dw > 0 {
|
||||
out = append(out, ActiveCampaign{Weight: dw, Messages: resolveBodies(def.Messages, lang)})
|
||||
a := activeFrom(*def, lang)
|
||||
a.Weight = dw // the default's stored weight is nominal; it fills the remainder
|
||||
out = append(out, a)
|
||||
}
|
||||
}
|
||||
reduceByGCD(out)
|
||||
return out, false
|
||||
}
|
||||
|
||||
// activeFrom projects a campaign to its rotation-feed entry: its show weight, its
|
||||
// language-resolved messages and its colour overrides (carried through by
|
||||
// reference, they are read-only).
|
||||
func activeFrom(c Campaign, lang string) ActiveCampaign {
|
||||
return ActiveCampaign{
|
||||
Weight: c.Weight,
|
||||
Messages: resolveBodies(c.Messages, lang),
|
||||
OverrideAll: c.OverrideAll,
|
||||
OverrideDark: c.OverrideDark,
|
||||
}
|
||||
}
|
||||
|
||||
// filterUrgent returns the urgent campaigns among cs, preserving order. It is the
|
||||
// preempt selector: a non-empty result makes the whole feed urgent.
|
||||
func filterUrgent(cs []Campaign) []Campaign {
|
||||
var out []Campaign
|
||||
for _, c := range cs {
|
||||
if c.Urgent {
|
||||
out = append(out, c)
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
|
||||
@@ -6,30 +6,6 @@ import (
|
||||
"time"
|
||||
)
|
||||
|
||||
func TestEligible(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
paidAccount bool
|
||||
hintBalance int
|
||||
hasNoBanner bool
|
||||
want bool
|
||||
}{
|
||||
{name: "free, empty wallet, no role", want: true},
|
||||
{name: "paid", paidAccount: true, want: false},
|
||||
{name: "has hints", hintBalance: 3, want: false},
|
||||
{name: "no_banner role", hasNoBanner: true, want: false},
|
||||
{name: "paid and has hints", paidAccount: true, hintBalance: 5, want: false},
|
||||
{name: "no_banner overrides everything", hasNoBanner: true, want: false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := Eligible(tt.paidAccount, tt.hintBalance, tt.hasNoBanner); got != tt.want {
|
||||
t.Errorf("Eligible(%v,%d,%v) = %v, want %v", tt.paidAccount, tt.hintBalance, tt.hasNoBanner, got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestComputeActiveSet(t *testing.T) {
|
||||
now := time.Date(2026, 6, 15, 12, 0, 0, 0, time.UTC)
|
||||
past := now.Add(-24 * time.Hour)
|
||||
@@ -46,12 +22,19 @@ func TestComputeActiveSet(t *testing.T) {
|
||||
timed := func(name string, weight int, starts, ends *time.Time, msgs []Message) Campaign {
|
||||
return Campaign{Name: name, Weight: weight, Enabled: true, StartsAt: starts, EndsAt: ends, Messages: msgs}
|
||||
}
|
||||
urgent := func(name string, weight int, msgs []Message) Campaign {
|
||||
c := timed(name, weight, nil, nil, msgs)
|
||||
c.Urgent = true
|
||||
return c
|
||||
}
|
||||
red := &ColorSet{Bg: "#aa0000", Fg: "#ffffff", Link: "#ffdd00"}
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
campaigns []Campaign
|
||||
lang string
|
||||
want []ActiveCampaign
|
||||
name string
|
||||
campaigns []Campaign
|
||||
lang string
|
||||
want []ActiveCampaign
|
||||
wantUrgent bool
|
||||
}{
|
||||
{
|
||||
name: "default only reduces to weight 1",
|
||||
@@ -152,22 +135,71 @@ func TestComputeActiveSet(t *testing.T) {
|
||||
lang: "en",
|
||||
want: []ActiveCampaign{{Weight: 1, Messages: []string{"one-en", "two-en"}}},
|
||||
},
|
||||
{
|
||||
name: "urgent preempts default and normal timed",
|
||||
campaigns: []Campaign{
|
||||
def(msg("house")),
|
||||
timed("promo", 40, nil, nil, msg("promo")),
|
||||
urgent("alert", 50, msg("alert")),
|
||||
},
|
||||
lang: "en",
|
||||
// only the urgent campaign survives; a lone weight reduces to 1.
|
||||
want: []ActiveCampaign{{Weight: 1, Messages: []string{"alert-en"}}},
|
||||
wantUrgent: true,
|
||||
},
|
||||
{
|
||||
name: "multiple urgent share the feed by gcd",
|
||||
campaigns: []Campaign{
|
||||
def(msg("house")),
|
||||
urgent("a", 60, msg("a")),
|
||||
urgent("b", 40, msg("b")),
|
||||
},
|
||||
lang: "en",
|
||||
// default and any non-urgent dropped; gcd(60,40)=20 -> 3 and 2.
|
||||
want: []ActiveCampaign{
|
||||
{Weight: 3, Messages: []string{"a-en"}},
|
||||
{Weight: 2, Messages: []string{"b-en"}},
|
||||
},
|
||||
wantUrgent: true,
|
||||
},
|
||||
{
|
||||
name: "out-of-window urgent does not preempt",
|
||||
campaigns: []Campaign{
|
||||
def(msg("house")),
|
||||
func() Campaign { c := urgent("future", 50, msg("future")); c.StartsAt = &future; return c }(),
|
||||
},
|
||||
lang: "en",
|
||||
// the urgent campaign is not yet live, so the normal default feed stands.
|
||||
want: []ActiveCampaign{{Weight: 1, Messages: []string{"house-en"}}},
|
||||
},
|
||||
{
|
||||
name: "colour overrides ride the active campaign",
|
||||
campaigns: []Campaign{
|
||||
def(msg("house")),
|
||||
func() Campaign { c := timed("promo", 100, nil, nil, msg("promo")); c.OverrideAll = red; return c }(),
|
||||
},
|
||||
lang: "en",
|
||||
want: []ActiveCampaign{{Weight: 1, Messages: []string{"promo-en"}, OverrideAll: red}},
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got := computeActiveSet(tt.campaigns, now, tt.lang)
|
||||
got, gotUrgent := computeActiveSet(tt.campaigns, now, tt.lang)
|
||||
if !reflect.DeepEqual(got, tt.want) {
|
||||
t.Errorf("computeActiveSet() =\n %#v\nwant\n %#v", got, tt.want)
|
||||
}
|
||||
if gotUrgent != tt.wantUrgent {
|
||||
t.Errorf("computeActiveSet() urgent = %v, want %v", gotUrgent, tt.wantUrgent)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestComputeActiveSetEmpty(t *testing.T) {
|
||||
// No campaigns at all yields an empty (non-nil-or-nil) feed without panicking.
|
||||
if got := computeActiveSet(nil, time.Now(), "en"); len(got) != 0 {
|
||||
t.Errorf("computeActiveSet(nil) = %#v, want empty", got)
|
||||
if got, urgent := computeActiveSet(nil, time.Now(), "en"); len(got) != 0 || urgent {
|
||||
t.Errorf("computeActiveSet(nil) = %#v urgent=%v, want empty non-urgent", got, urgent)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -3,6 +3,7 @@ package ads
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"regexp"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@@ -40,17 +41,20 @@ func NewService(store *Store) *Service { return &Service{store: store} }
|
||||
// ActiveSet returns the resolved rotation feed for a viewer in language lang
|
||||
// (en/ru) together with the global display timings: the currently-active
|
||||
// campaigns, each with its GCD-reduced show weight and its messages resolved to
|
||||
// lang, ready for the client's weighted round-robin.
|
||||
func (s *Service) ActiveSet(ctx context.Context, lang string) ([]ActiveCampaign, Timings, error) {
|
||||
// lang, ready for the client's weighted round-robin. The bool result reports
|
||||
// whether the feed is urgent — an urgent feed is shown to every viewer
|
||||
// regardless of eligibility (the caller skips the eligibility gate for it).
|
||||
func (s *Service) ActiveSet(ctx context.Context, lang string) ([]ActiveCampaign, Timings, bool, error) {
|
||||
campaigns, err := s.store.ActiveCampaigns(ctx)
|
||||
if err != nil {
|
||||
return nil, Timings{}, err
|
||||
return nil, Timings{}, false, err
|
||||
}
|
||||
timings, err := s.store.Settings(ctx)
|
||||
if err != nil {
|
||||
return nil, Timings{}, err
|
||||
return nil, Timings{}, false, err
|
||||
}
|
||||
return computeActiveSet(campaigns, time.Now().UTC(), lang), timings, nil
|
||||
set, urgent := computeActiveSet(campaigns, time.Now().UTC(), lang)
|
||||
return set, timings, urgent, nil
|
||||
}
|
||||
|
||||
// ListCampaigns returns every campaign with its messages, for the admin console.
|
||||
@@ -76,8 +80,13 @@ func (s *Service) CreateCampaign(ctx context.Context, c Campaign) (uuid.UUID, er
|
||||
if err := validWindow(c.StartsAt, c.EndsAt); err != nil {
|
||||
return uuid.Nil, err
|
||||
}
|
||||
all, dark, err := validOverrides(c.OverrideAll, c.OverrideDark)
|
||||
if err != nil {
|
||||
return uuid.Nil, err
|
||||
}
|
||||
return s.store.CreateCampaign(ctx, Campaign{
|
||||
Name: name, Weight: c.Weight, Enabled: c.Enabled, StartsAt: c.StartsAt, EndsAt: c.EndsAt,
|
||||
OverrideAll: all, OverrideDark: dark, Urgent: c.Urgent,
|
||||
})
|
||||
}
|
||||
|
||||
@@ -99,6 +108,7 @@ func (s *Service) UpdateCampaign(ctx context.Context, c Campaign) error {
|
||||
upd.Enabled = true
|
||||
upd.StartsAt = nil
|
||||
upd.EndsAt = nil
|
||||
// The default (house) campaign stays plain: no colour overrides, never urgent.
|
||||
} else {
|
||||
if err := validWeight(c.Weight); err != nil {
|
||||
return err
|
||||
@@ -106,10 +116,17 @@ func (s *Service) UpdateCampaign(ctx context.Context, c Campaign) error {
|
||||
if err := validWindow(c.StartsAt, c.EndsAt); err != nil {
|
||||
return err
|
||||
}
|
||||
all, dark, err := validOverrides(c.OverrideAll, c.OverrideDark)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
upd.Weight = c.Weight
|
||||
upd.Enabled = c.Enabled
|
||||
upd.StartsAt = c.StartsAt
|
||||
upd.EndsAt = c.EndsAt
|
||||
upd.OverrideAll = all
|
||||
upd.OverrideDark = dark
|
||||
upd.Urgent = c.Urgent
|
||||
}
|
||||
return s.store.UpdateCampaign(ctx, upd)
|
||||
}
|
||||
@@ -254,6 +271,46 @@ func validWindow(starts, ends *time.Time) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// hexColor matches a "#rrggbb" colour — the format the console's native colour
|
||||
// input emits and the wire carries.
|
||||
var hexColor = regexp.MustCompile(`^#[0-9a-fA-F]{6}$`)
|
||||
|
||||
// validOverrides validates the two optional colour sets together and returns
|
||||
// their normalised copies (nil when a set is absent), so a caller can store them
|
||||
// directly.
|
||||
func validOverrides(all, dark *ColorSet) (*ColorSet, *ColorSet, error) {
|
||||
va, err := validColorSet(all)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
vd, err := validColorSet(dark)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
return va, vd, nil
|
||||
}
|
||||
|
||||
// validColorSet validates one optional colour override: a nil set passes (no
|
||||
// override); otherwise all three colours must be present and "#rrggbb". It
|
||||
// returns a trimmed, lower-cased copy.
|
||||
func validColorSet(cs *ColorSet) (*ColorSet, error) {
|
||||
if cs == nil {
|
||||
return nil, nil
|
||||
}
|
||||
bg := strings.TrimSpace(cs.Bg)
|
||||
fg := strings.TrimSpace(cs.Fg)
|
||||
link := strings.TrimSpace(cs.Link)
|
||||
if bg == "" || fg == "" || link == "" {
|
||||
return nil, fmt.Errorf("%w: a colour override needs all of background, text and link", ErrValidation)
|
||||
}
|
||||
for _, h := range []string{bg, fg, link} {
|
||||
if !hexColor.MatchString(h) {
|
||||
return nil, fmt.Errorf("%w: colours must be #rrggbb hex", ErrValidation)
|
||||
}
|
||||
}
|
||||
return &ColorSet{Bg: strings.ToLower(bg), Fg: strings.ToLower(fg), Link: strings.ToLower(link)}, nil
|
||||
}
|
||||
|
||||
// validBodies trims and bounds both mandatory language bodies of a message.
|
||||
func validBodies(bodyEn, bodyRu string) (string, string, error) {
|
||||
en := strings.TrimSpace(bodyEn)
|
||||
|
||||
@@ -90,15 +90,23 @@ func (s *Store) Campaign(ctx context.Context, id uuid.UUID) (Campaign, error) {
|
||||
func (s *Store) CreateCampaign(ctx context.Context, c Campaign) (uuid.UUID, error) {
|
||||
id := uuid.New()
|
||||
now := time.Now().UTC()
|
||||
abg, afg, alink := colorCols(c.OverrideAll)
|
||||
dbg, dfg, dlink := colorCols(c.OverrideDark)
|
||||
stmt := table.AdCampaigns.INSERT(
|
||||
table.AdCampaigns.CampaignID, table.AdCampaigns.Name, table.AdCampaigns.Weight,
|
||||
table.AdCampaigns.IsDefault, table.AdCampaigns.Enabled,
|
||||
table.AdCampaigns.StartsAt, table.AdCampaigns.EndsAt,
|
||||
table.AdCampaigns.OverrideBg, table.AdCampaigns.OverrideFg, table.AdCampaigns.OverrideLink,
|
||||
table.AdCampaigns.OverrideBgDark, table.AdCampaigns.OverrideFgDark, table.AdCampaigns.OverrideLinkDark,
|
||||
table.AdCampaigns.Urgent,
|
||||
table.AdCampaigns.CreatedAt, table.AdCampaigns.UpdatedAt,
|
||||
).VALUES(
|
||||
postgres.UUID(id), postgres.String(c.Name), postgres.Int(int64(c.Weight)),
|
||||
postgres.Bool(false), postgres.Bool(c.Enabled),
|
||||
tsOrNull(c.StartsAt), tsOrNull(c.EndsAt),
|
||||
abg, afg, alink,
|
||||
dbg, dfg, dlink,
|
||||
postgres.Bool(c.Urgent),
|
||||
postgres.TimestampzT(now), postgres.TimestampzT(now),
|
||||
)
|
||||
if _, err := stmt.ExecContext(ctx, s.db); err != nil {
|
||||
@@ -111,12 +119,20 @@ func (s *Store) CreateCampaign(ctx context.Context, c Campaign) (uuid.UUID, erro
|
||||
// window. The default flag is never touched here. Returns ErrNotFound when no
|
||||
// campaign matches.
|
||||
func (s *Store) UpdateCampaign(ctx context.Context, c Campaign) error {
|
||||
abg, afg, alink := colorCols(c.OverrideAll)
|
||||
dbg, dfg, dlink := colorCols(c.OverrideDark)
|
||||
stmt := table.AdCampaigns.UPDATE(
|
||||
table.AdCampaigns.Name, table.AdCampaigns.Weight, table.AdCampaigns.Enabled,
|
||||
table.AdCampaigns.StartsAt, table.AdCampaigns.EndsAt, table.AdCampaigns.UpdatedAt,
|
||||
table.AdCampaigns.StartsAt, table.AdCampaigns.EndsAt,
|
||||
table.AdCampaigns.OverrideBg, table.AdCampaigns.OverrideFg, table.AdCampaigns.OverrideLink,
|
||||
table.AdCampaigns.OverrideBgDark, table.AdCampaigns.OverrideFgDark, table.AdCampaigns.OverrideLinkDark,
|
||||
table.AdCampaigns.Urgent, table.AdCampaigns.UpdatedAt,
|
||||
).SET(
|
||||
postgres.String(c.Name), postgres.Int(int64(c.Weight)), postgres.Bool(c.Enabled),
|
||||
tsOrNull(c.StartsAt), tsOrNull(c.EndsAt), postgres.TimestampzT(time.Now().UTC()),
|
||||
tsOrNull(c.StartsAt), tsOrNull(c.EndsAt),
|
||||
abg, afg, alink,
|
||||
dbg, dfg, dlink,
|
||||
postgres.Bool(c.Urgent), postgres.TimestampzT(time.Now().UTC()),
|
||||
).WHERE(table.AdCampaigns.CampaignID.EQ(postgres.UUID(c.ID)))
|
||||
return execOne(ctx, s.db, stmt, "update campaign")
|
||||
}
|
||||
@@ -257,18 +273,40 @@ func execOne(ctx context.Context, db qrm.Executable, stmt postgres.Statement, wh
|
||||
|
||||
func modelToCampaign(r model.AdCampaigns) Campaign {
|
||||
return Campaign{
|
||||
ID: r.CampaignID,
|
||||
Name: r.Name,
|
||||
Weight: int(r.Weight),
|
||||
IsDefault: r.IsDefault,
|
||||
Enabled: r.Enabled,
|
||||
StartsAt: r.StartsAt,
|
||||
EndsAt: r.EndsAt,
|
||||
CreatedAt: r.CreatedAt,
|
||||
UpdatedAt: r.UpdatedAt,
|
||||
ID: r.CampaignID,
|
||||
Name: r.Name,
|
||||
Weight: int(r.Weight),
|
||||
IsDefault: r.IsDefault,
|
||||
Enabled: r.Enabled,
|
||||
StartsAt: r.StartsAt,
|
||||
EndsAt: r.EndsAt,
|
||||
OverrideAll: colorSetFrom(r.OverrideBg, r.OverrideFg, r.OverrideLink),
|
||||
OverrideDark: colorSetFrom(r.OverrideBgDark, r.OverrideFgDark, r.OverrideLinkDark),
|
||||
Urgent: r.Urgent,
|
||||
CreatedAt: r.CreatedAt,
|
||||
UpdatedAt: r.UpdatedAt,
|
||||
}
|
||||
}
|
||||
|
||||
// colorSetFrom rebuilds an optional ColorSet from three nullable colour columns.
|
||||
// The all-or-nothing CHECK keeps the trio consistent, so a nil in any one means
|
||||
// the set is absent.
|
||||
func colorSetFrom(bg, fg, link *string) *ColorSet {
|
||||
if bg == nil || fg == nil || link == nil {
|
||||
return nil
|
||||
}
|
||||
return &ColorSet{Bg: *bg, Fg: *fg, Link: *link}
|
||||
}
|
||||
|
||||
// colorCols renders a *ColorSet as its three column value-expressions in
|
||||
// bg, fg, link order — NULL for each when the set is absent.
|
||||
func colorCols(cs *ColorSet) (bg, fg, link postgres.Expression) {
|
||||
if cs == nil {
|
||||
return postgres.NULL, postgres.NULL, postgres.NULL
|
||||
}
|
||||
return postgres.String(cs.Bg), postgres.String(cs.Fg), postgres.String(cs.Link)
|
||||
}
|
||||
|
||||
func modelToMessage(r model.AdMessages) Message {
|
||||
return Message{
|
||||
ID: r.MessageID,
|
||||
|
||||
@@ -4,6 +4,7 @@ package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/url"
|
||||
"os"
|
||||
"strconv"
|
||||
"time"
|
||||
@@ -13,6 +14,7 @@ import (
|
||||
"scrabble/backend/internal/lobby"
|
||||
"scrabble/backend/internal/postgres"
|
||||
"scrabble/backend/internal/ratewatch"
|
||||
"scrabble/backend/internal/robokassa"
|
||||
"scrabble/backend/internal/robot"
|
||||
"scrabble/backend/internal/telemetry"
|
||||
)
|
||||
@@ -42,6 +44,12 @@ type Config struct {
|
||||
// SMTP configures the email relay used for confirm-codes. An empty Host
|
||||
// selects the development log mailer (the code is logged, not sent).
|
||||
SMTP account.SMTPConfig
|
||||
// PublicBaseURL is the canonical public origin (scheme + host, e.g.
|
||||
// https://erudit-game.ru) used to build absolute links in outgoing email — the
|
||||
// confirm deeplink and the footer landing link. It is deliberately not derived
|
||||
// from a request Host header, which would let an attacker inject a phishing link
|
||||
// into the email. Required whenever an SMTP relay is configured.
|
||||
PublicBaseURL string
|
||||
// ConnectorAddr is the gRPC address of the Telegram platform connector
|
||||
// side-service, used by the admin console to send operator broadcasts. Empty
|
||||
// disables broadcasts (the admin broadcast actions report "not configured").
|
||||
@@ -51,6 +59,15 @@ type Config struct {
|
||||
// GuestRetention is the account age past which an unused guest (no game seat)
|
||||
// is eligible for deletion by the reaper.
|
||||
GuestRetention time.Duration
|
||||
// ExportSignKey signs the finished-game export download URLs. Empty leaves
|
||||
// the export-URL endpoints disabled (503 on mint, 404 on download).
|
||||
ExportSignKey string
|
||||
// RendererURL is the base URL of the internal image-render sidecar (e.g.
|
||||
// http://renderer:8090). Empty disables the PNG export artifact.
|
||||
RendererURL string
|
||||
// Robokassa configures the direct-rail (RUB) payment provider. An empty MerchantLogin
|
||||
// leaves the direct order and Result-callback endpoints unregistered.
|
||||
Robokassa robokassa.Config
|
||||
}
|
||||
|
||||
// Defaults applied when the corresponding environment variable is unset.
|
||||
@@ -130,11 +147,21 @@ func Load() (Config, error) {
|
||||
}
|
||||
|
||||
smtp := account.SMTPConfig{
|
||||
Host: os.Getenv("BACKEND_SMTP_HOST"),
|
||||
Port: envOr("BACKEND_SMTP_PORT", "587"),
|
||||
Username: os.Getenv("BACKEND_SMTP_USERNAME"),
|
||||
Password: os.Getenv("BACKEND_SMTP_PASSWORD"),
|
||||
From: envOr("BACKEND_SMTP_FROM", "no-reply@localhost"),
|
||||
Host: os.Getenv("BACKEND_SMTP_HOST"),
|
||||
Port: envOr("BACKEND_SMTP_PORT", "587"),
|
||||
Username: os.Getenv("BACKEND_SMTP_USERNAME"),
|
||||
Password: os.Getenv("BACKEND_SMTP_PASSWORD"),
|
||||
From: envOr("BACKEND_SMTP_FROM", "no-reply@localhost"),
|
||||
TLS: os.Getenv("BACKEND_SMTP_TLS"),
|
||||
AdminFrom: os.Getenv("BACKEND_SMTP_ADMIN_FROM"),
|
||||
AdminTo: os.Getenv("BACKEND_ADMIN_EMAIL"),
|
||||
}
|
||||
|
||||
robo := robokassa.Config{
|
||||
MerchantLogin: os.Getenv("BACKEND_ROBOKASSA_MERCHANT_LOGIN"),
|
||||
Password1: os.Getenv("BACKEND_ROBOKASSA_PASSWORD1"),
|
||||
Password2: os.Getenv("BACKEND_ROBOKASSA_PASSWORD2"),
|
||||
IsTest: os.Getenv("BACKEND_ROBOKASSA_TEST") == "1",
|
||||
}
|
||||
|
||||
c := Config{
|
||||
@@ -148,9 +175,13 @@ func Load() (Config, error) {
|
||||
Robot: rb,
|
||||
RateWatch: rw,
|
||||
SMTP: smtp,
|
||||
PublicBaseURL: os.Getenv("BACKEND_PUBLIC_BASE_URL"),
|
||||
ConnectorAddr: os.Getenv("BACKEND_CONNECTOR_ADDR"),
|
||||
GuestReapInterval: guestReapInterval,
|
||||
GuestRetention: guestRetention,
|
||||
ExportSignKey: os.Getenv("BACKEND_EXPORT_SIGN_KEY"),
|
||||
RendererURL: os.Getenv("BACKEND_RENDERER_URL"),
|
||||
Robokassa: robo,
|
||||
}
|
||||
if err := c.validate(); err != nil {
|
||||
return Config{}, err
|
||||
@@ -195,6 +226,17 @@ func (c Config) validate() error {
|
||||
if c.GuestRetention <= 0 {
|
||||
return fmt.Errorf("config: BACKEND_GUEST_RETENTION must be positive")
|
||||
}
|
||||
if c.SMTP.Host != "" {
|
||||
if c.PublicBaseURL == "" {
|
||||
return fmt.Errorf("config: BACKEND_PUBLIC_BASE_URL must be set when BACKEND_SMTP_HOST is configured")
|
||||
}
|
||||
if u, err := url.Parse(c.PublicBaseURL); err != nil || u.Scheme == "" || u.Host == "" {
|
||||
return fmt.Errorf("config: BACKEND_PUBLIC_BASE_URL %q must be an absolute URL (scheme://host)", c.PublicBaseURL)
|
||||
}
|
||||
}
|
||||
if c.Robokassa.MerchantLogin != "" && (c.Robokassa.Password1 == "" || c.Robokassa.Password2 == "") {
|
||||
return fmt.Errorf("config: BACKEND_ROBOKASSA_PASSWORD1 and BACKEND_ROBOKASSA_PASSWORD2 must be set when BACKEND_ROBOKASSA_MERCHANT_LOGIN is")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,123 @@
|
||||
package engine
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"gitea.iliadenisov.ru/developer/scrabble-solver/rules"
|
||||
)
|
||||
|
||||
// The offline engine (ui/src/lib/localgame) reproduces the end-of-game rack settlement and the
|
||||
// winner rule so a local game finishes with the same scores as the server. These golden fixtures
|
||||
// pin the ported pure functions (applyEndAdjustment / winner / rackValue) to the real Go engine.
|
||||
// Being in-package, this emitter constructs Game values directly and drives the unexported
|
||||
// end-game math on chosen positions.
|
||||
|
||||
type endCaseIn struct {
|
||||
Name string `json:"name"`
|
||||
Variant string `json:"variant"`
|
||||
Reason string `json:"reason"`
|
||||
Hands [][]int `json:"hands"`
|
||||
Scores []int `json:"scores"`
|
||||
Resigned []bool `json:"resigned"`
|
||||
ToMove int `json:"toMove"`
|
||||
}
|
||||
|
||||
type endCaseOut struct {
|
||||
endCaseIn
|
||||
ScoresAfter []int `json:"scoresAfter"`
|
||||
Winner int `json:"winner"`
|
||||
}
|
||||
|
||||
func rulesetFor(variant string) *rules.Ruleset {
|
||||
switch variant {
|
||||
case "scrabble_ru":
|
||||
return rules.RussianScrabble()
|
||||
case "erudit_ru":
|
||||
return rules.Erudit()
|
||||
default:
|
||||
return rules.English()
|
||||
}
|
||||
}
|
||||
|
||||
func reasonFor(s string) EndReason {
|
||||
switch s {
|
||||
case "out_of_tiles":
|
||||
return EndOutOfTiles
|
||||
case "scoreless":
|
||||
return EndScoreless
|
||||
case "resign":
|
||||
return EndResign
|
||||
case "aborted":
|
||||
return EndAborted
|
||||
}
|
||||
return EndNotOver
|
||||
}
|
||||
|
||||
func handsBytes(hands [][]int) [][]byte {
|
||||
out := make([][]byte, len(hands))
|
||||
for i, h := range hands {
|
||||
b := make([]byte, len(h))
|
||||
for j, x := range h {
|
||||
b[j] = byte(x)
|
||||
}
|
||||
out[i] = b
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// TestEmitEndgameFixtures regenerates ui/src/lib/localgame/testdata/endgame.json. Gated by
|
||||
// EMIT_ENGINE_FIXTURES. Regenerate with:
|
||||
//
|
||||
// EMIT_ENGINE_FIXTURES=1 go test ./backend/internal/engine -run TestEmitEndgameFixtures
|
||||
func TestEmitEndgameFixtures(t *testing.T) {
|
||||
if os.Getenv("EMIT_ENGINE_FIXTURES") == "" {
|
||||
t.Skip("set EMIT_ENGINE_FIXTURES=1 to regenerate ui/src/lib/localgame/testdata/endgame.json")
|
||||
}
|
||||
|
||||
cases := []endCaseIn{
|
||||
{"out-basic", "scrabble_en", "out_of_tiles", [][]int{{}, {0, 1, 2}}, []int{50, 40}, []bool{false, false}, 0},
|
||||
{"out-blank", "scrabble_en", "out_of_tiles", [][]int{{}, {255, 0}}, []int{30, 30}, []bool{false, false}, 0},
|
||||
{"out-erudit-yo", "erudit_ru", "out_of_tiles", [][]int{{}, {6, 32}}, []int{10, 10}, []bool{false, false}, 0},
|
||||
{"out-tie", "scrabble_en", "out_of_tiles", [][]int{{}, {}}, []int{30, 30}, []bool{false, false}, 0},
|
||||
{"out-3p", "scrabble_ru", "out_of_tiles", [][]int{{}, {0, 1}, {2}}, []int{10, 10, 10}, []bool{false, false, false}, 0},
|
||||
{"scoreless", "scrabble_en", "scoreless", [][]int{{0, 1}, {2, 3}}, []int{20, 20}, []bool{false, false}, 0},
|
||||
{"resign-2p", "scrabble_en", "resign", [][]int{{}, {0}}, []int{100, 10}, []bool{true, false}, 1},
|
||||
{"resign-3p", "scrabble_en", "resign", [][]int{{}, {}, {}}, []int{50, 60, 40}, []bool{false, true, false}, 0},
|
||||
{"aborted", "scrabble_en", "aborted", [][]int{{0}, {1}}, []int{40, 30}, []bool{false, false}, 0},
|
||||
}
|
||||
|
||||
out := make([]endCaseOut, 0, len(cases))
|
||||
for _, c := range cases {
|
||||
rs := rulesetFor(c.Variant)
|
||||
scores := append([]int(nil), c.Scores...)
|
||||
g := &Game{
|
||||
rules: rs,
|
||||
hands: handsBytes(c.Hands),
|
||||
scores: scores,
|
||||
resigned: c.Resigned,
|
||||
toMove: c.ToMove,
|
||||
}
|
||||
reason := reasonFor(c.Reason)
|
||||
g.over = true
|
||||
g.reason = reason
|
||||
g.applyEndAdjustment(reason)
|
||||
out = append(out, endCaseOut{endCaseIn: c, ScoresAfter: g.scores, Winner: g.winner()})
|
||||
}
|
||||
|
||||
dir := filepath.Join("..", "..", "..", "ui", "src", "lib", "localgame", "testdata")
|
||||
if err := os.MkdirAll(dir, 0o755); err != nil {
|
||||
t.Fatalf("mkdir %s: %v", dir, err)
|
||||
}
|
||||
data, err := json.MarshalIndent(map[string]any{"cases": out}, "", " ")
|
||||
if err != nil {
|
||||
t.Fatalf("marshal: %v", err)
|
||||
}
|
||||
path := filepath.Join(dir, "endgame.json")
|
||||
if err := os.WriteFile(path, append(data, '\n'), 0o644); err != nil {
|
||||
t.Fatalf("write %s: %v", path, err)
|
||||
}
|
||||
t.Logf("wrote %s (%d cases)", path, len(out))
|
||||
}
|
||||
@@ -21,11 +21,13 @@ var dictFiles = map[Variant]string{
|
||||
VariantErudit: "ru_erudit.dawg",
|
||||
}
|
||||
|
||||
// entry is one resident dictionary: the loaded finder and the solver built over
|
||||
// it. The finder is retained so Close can release it.
|
||||
// entry is one resident dictionary: the loaded finder, the solver built over it
|
||||
// and the file it was loaded from. The finder is retained so Close can release
|
||||
// it; path is retained so the raw bytes can be re-read for the client download.
|
||||
type entry struct {
|
||||
finder dawg.Finder
|
||||
solver *scrabble.Solver
|
||||
path string
|
||||
}
|
||||
|
||||
// Registry holds the dictionaries resident in memory, addressed by variant and
|
||||
@@ -130,7 +132,7 @@ func (r *Registry) Load(v Variant, version, dir string) error {
|
||||
if old, ok := r.entries[v][version]; ok {
|
||||
_ = old.finder.Close()
|
||||
}
|
||||
r.entries[v][version] = entry{finder: finder, solver: scrabble.NewSolver(rs, finder)}
|
||||
r.entries[v][version] = entry{finder: finder, solver: scrabble.NewSolver(rs, finder), path: path}
|
||||
r.latest[v] = version
|
||||
return nil
|
||||
}
|
||||
@@ -202,6 +204,30 @@ func (r *Registry) Versions(v Variant) []string {
|
||||
return versions
|
||||
}
|
||||
|
||||
// DictBytes returns the raw serialized DAWG for the (variant, version) pair,
|
||||
// re-read from the file it was loaded from — the same immutable bytes the solver
|
||||
// holds. It backs the client-side dictionary download for the local move
|
||||
// preview. It returns ErrUnknownVariant or ErrUnknownVersion when that dictionary
|
||||
// is not resident, and wraps any read error. The file is read outside the lock.
|
||||
func (r *Registry) DictBytes(v Variant, version string) ([]byte, error) {
|
||||
r.mu.RLock()
|
||||
versions, ok := r.entries[v]
|
||||
if !ok {
|
||||
r.mu.RUnlock()
|
||||
return nil, fmt.Errorf("%w: %s", ErrUnknownVariant, v)
|
||||
}
|
||||
e, ok := versions[version]
|
||||
r.mu.RUnlock()
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("%w: %s/%s", ErrUnknownVersion, v, version)
|
||||
}
|
||||
data, err := os.ReadFile(e.path)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("engine: read %s/%s dictionary bytes from %s: %w", v, version, e.path, err)
|
||||
}
|
||||
return data, nil
|
||||
}
|
||||
|
||||
// Lookup reports whether word is present in the (variant, version) dictionary,
|
||||
// backing the unlimited word-check tool. It returns ErrUnknownVariant or
|
||||
// ErrUnknownVersion when that dictionary is not resident, and an error when word
|
||||
|
||||
@@ -195,6 +195,11 @@ func (svc *Service) CountUnread(ctx context.Context) (int, error) {
|
||||
return svc.store.CountUnread(ctx)
|
||||
}
|
||||
|
||||
// CountSince counts feedback created after since, for the operator alert worker.
|
||||
func (svc *Service) CountSince(ctx context.Context, since time.Time) (int, error) {
|
||||
return svc.store.CountSince(ctx, since)
|
||||
}
|
||||
|
||||
// Attachment returns a message's file name and bytes, reporting false when absent.
|
||||
func (svc *Service) Attachment(ctx context.Context, id uuid.UUID) (string, []byte, bool, error) {
|
||||
return svc.store.Attachment(ctx, id)
|
||||
|
||||
@@ -386,3 +386,15 @@ func (s *Store) CountUnread(ctx context.Context) (int, error) {
|
||||
}
|
||||
return n, nil
|
||||
}
|
||||
|
||||
// CountSince counts feedback messages created strictly after since — the operator alert
|
||||
// worker's "new since the last check" signal.
|
||||
func (s *Store) CountSince(ctx context.Context, since time.Time) (int, error) {
|
||||
var n int
|
||||
if err := s.db.QueryRowContext(ctx,
|
||||
`SELECT COUNT(*) FROM backend.feedback_messages WHERE created_at > $1`, since,
|
||||
).Scan(&n); err != nil {
|
||||
return 0, fmt.Errorf("feedback: count since: %w", err)
|
||||
}
|
||||
return n, nil
|
||||
}
|
||||
|
||||
@@ -52,6 +52,7 @@ func gameSummary(g Game, names []string) notify.GameSummary {
|
||||
TurnTimeoutSecs: int(g.TurnTimeout.Seconds()),
|
||||
MultipleWordsPerTurn: g.MultipleWordsPerTurn,
|
||||
VsAI: g.VsAI,
|
||||
Kind: int(g.Kind),
|
||||
MoveCount: g.MoveCount,
|
||||
EndReason: g.EndReason,
|
||||
Seats: seats,
|
||||
@@ -74,7 +75,6 @@ func playerState(v StateView, names []string, includeAlphabet bool) (notify.Play
|
||||
Rack: rack,
|
||||
BagLen: v.BagLen,
|
||||
HintsRemaining: v.HintsRemaining,
|
||||
WalletBalance: v.WalletBalance,
|
||||
}
|
||||
if includeAlphabet {
|
||||
tab, err := engine.AlphabetTable(v.Game.Variant)
|
||||
|
||||
@@ -55,16 +55,39 @@ func TestPayloadExchangeRoundTrip(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestHintsRemaining(t *testing.T) {
|
||||
cases := []struct{ allowance, used, wallet, want int }{
|
||||
{1, 0, 3, 4},
|
||||
{1, 1, 3, 3},
|
||||
{1, 2, 3, 3}, // used past allowance clamps to 0
|
||||
{0, 0, 5, 5},
|
||||
{2, 1, 0, 1},
|
||||
cases := []struct{ allowance, used, want int }{
|
||||
{1, 0, 1},
|
||||
{1, 1, 0},
|
||||
{1, 2, 0}, // used past allowance clamps to 0
|
||||
{3, 1, 2},
|
||||
{0, 0, 0},
|
||||
}
|
||||
for _, c := range cases {
|
||||
if got := hintsRemaining(c.allowance, c.used, c.wallet); got != c.want {
|
||||
t.Errorf("hintsRemaining(%d,%d,%d) = %d, want %d", c.allowance, c.used, c.wallet, got, c.want)
|
||||
if got := hintsRemaining(c.allowance, c.used); got != c.want {
|
||||
t.Errorf("hintsRemaining(%d,%d) = %d, want %d", c.allowance, c.used, got, c.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestHintUnlockLeftSeconds(t *testing.T) {
|
||||
now := time.Now()
|
||||
// A gated vs_ai game on the caller's turn, the robot having moved 10 min ago (turn started then).
|
||||
gated := Game{VsAI: true, ToMove: 0, MoveCount: 2, TurnStartedAt: now.Add(-10 * time.Minute)}
|
||||
cases := []struct {
|
||||
name string
|
||||
g Game
|
||||
seat int
|
||||
want int
|
||||
}{
|
||||
{"non-vs_ai is open", Game{VsAI: false, ToMove: 0, MoveCount: 2, TurnStartedAt: now.Add(-10 * time.Minute)}, 0, 0},
|
||||
{"not the caller's turn is open", gated, 1, 0},
|
||||
{"human first move (no robot move) is open", Game{VsAI: true, ToMove: 0, MoveCount: 0, TurnStartedAt: now}, 0, 0},
|
||||
{"robot moved 10 min ago leaves 20 min", gated, 0, 20 * 60},
|
||||
{"robot moved past the window is open", Game{VsAI: true, ToMove: 0, MoveCount: 2, TurnStartedAt: now.Add(-40 * time.Minute)}, 0, 0},
|
||||
}
|
||||
for _, c := range cases {
|
||||
if got := hintUnlockLeftSeconds(c.g, c.seat, now); got != c.want {
|
||||
t.Errorf("%s: hintUnlockLeftSeconds = %d, want %d", c.name, got, c.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,7 +17,10 @@ import (
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/gamelimits"
|
||||
"scrabble/backend/internal/notify"
|
||||
"scrabble/backend/internal/payments"
|
||||
"scrabble/backend/internal/session"
|
||||
)
|
||||
|
||||
// Service is the game domain: it drives the engine over a single match, persists
|
||||
@@ -50,12 +53,26 @@ type Service struct {
|
||||
// its asynchronous TriggerMove); nil disables the fast path (the scan still covers
|
||||
// these games). Kept as a func so the game package never imports the robot package.
|
||||
aiTrigger func(gameID uuid.UUID)
|
||||
// hintWallet is the payments surface the online-game hint path spends against (the
|
||||
// segmented, context-aware hint balance). It is set by SetHintWallet during wiring; when
|
||||
// nil, only the free per-game allowance is served (no purchased hints). vs_ai hints are
|
||||
// wallet-free and never touch it.
|
||||
hintWallet HintWallet
|
||||
// limits is the per-tier active-game cap config (cached). Set by SetGameLimits during wiring;
|
||||
// when nil, no active-game limit is enforced (a game is always creatable).
|
||||
limits *gamelimits.Service
|
||||
// clearNudges, when set, marks the actor's pending nudges in a game read once they
|
||||
// have committed a move (a nudge answered by moving stops counting as unread). It is
|
||||
// best-effort and kept as a func so the game package never imports the social package.
|
||||
clearNudges func(ctx context.Context, gameID, accountID uuid.UUID) error
|
||||
metrics *gameMetrics
|
||||
log *zap.Logger
|
||||
// expireNudges, when set, marks every pending nudge in a game read once the game
|
||||
// finishes (the nudge badge is stale on a completed game). Unlike clearNudges it is
|
||||
// keyed by game alone — it clears all seats' nudges, not one mover's — and runs on
|
||||
// every completion path through commit. Best-effort; a func so the game package never
|
||||
// imports the social package.
|
||||
expireNudges func(ctx context.Context, gameID uuid.UUID) error
|
||||
metrics *gameMetrics
|
||||
log *zap.Logger
|
||||
}
|
||||
|
||||
// NewService constructs a Service. store and accounts wrap the same pool;
|
||||
@@ -99,6 +116,70 @@ func (svc *Service) SetAITrigger(trigger func(gameID uuid.UUID)) {
|
||||
svc.aiTrigger = trigger
|
||||
}
|
||||
|
||||
// HintWallet is the payments surface the online-game hint path uses: the context-aware hint
|
||||
// balance (HintsAvailable) and a one-hint spend (SpendHint), both keyed by the trusted execution
|
||||
// context and the account's present identity sources. *payments.Service satisfies it.
|
||||
type HintWallet interface {
|
||||
HintsAvailable(ctx context.Context, accountID uuid.UUID, cxt payments.Context, present []payments.Source) (int, error)
|
||||
SpendHint(ctx context.Context, accountID uuid.UUID, cxt payments.Context, present []payments.Source) (bool, error)
|
||||
}
|
||||
|
||||
// SetHintWallet installs the payments hint wallet the online-game hint path spends against. It
|
||||
// must be called during startup wiring; the default (nil) serves only the free per-game allowance.
|
||||
func (svc *Service) SetHintWallet(w HintWallet) {
|
||||
svc.hintWallet = w
|
||||
}
|
||||
|
||||
// SetGameLimits installs the active-game limit config (cached), enabling the per-tier caps. When
|
||||
// unset (nil), a game is always creatable.
|
||||
func (svc *Service) SetGameLimits(l *gamelimits.Service) {
|
||||
svc.limits = l
|
||||
}
|
||||
|
||||
// AtGameLimit reports whether accountID has reached its tier's active-game cap for kind — the
|
||||
// per-tier, per-kind limits held in backend.config, read from the in-memory cache. It resolves
|
||||
// the caller's tier (guest vs durable) from the account, then counts its open+active games of that
|
||||
// kind. It reports false (not at the limit) when the limits config is not wired, the account is nil,
|
||||
// or the resolved cap is gamelimits.Unlimited. It backs the new-game gate (the handler aborts 409
|
||||
// game_limit_reached) and the lobby's at-limit flag.
|
||||
func (svc *Service) AtGameLimit(ctx context.Context, accountID uuid.UUID, kind gamelimits.Kind) (bool, error) {
|
||||
if svc.limits == nil || accountID == uuid.Nil {
|
||||
return false, nil
|
||||
}
|
||||
acc, err := svc.accounts.GetByID(ctx, accountID)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
limit := svc.limits.LimitsFor(acc.IsGuest).Cap(kind)
|
||||
if limit == gamelimits.Unlimited {
|
||||
return false, nil
|
||||
}
|
||||
n, err := svc.store.CountActiveByKind(ctx, accountID, kind)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
return n >= limit, nil
|
||||
}
|
||||
|
||||
// walletContext resolves the payments gate inputs for an account on the current request: the
|
||||
// trusted execution context (from the session platform carried on ctx; absent ⇒ untrusted) and
|
||||
// the account's present identity sources (which chip/benefit segments are awake, §6).
|
||||
func (svc *Service) walletContext(ctx context.Context, accountID uuid.UUID) (payments.Context, []payments.Source, error) {
|
||||
var cxt payments.Context
|
||||
if p, ok := session.PlatformFromContext(ctx); ok {
|
||||
cxt = payments.NewContext(p.Kind, p.Subtype)
|
||||
}
|
||||
ids, err := svc.accounts.Identities(ctx, accountID)
|
||||
if err != nil {
|
||||
return payments.Context{}, nil, err
|
||||
}
|
||||
kinds := make([]string, len(ids))
|
||||
for i, id := range ids {
|
||||
kinds[i] = id.Kind
|
||||
}
|
||||
return cxt, payments.PresentSources(kinds), nil
|
||||
}
|
||||
|
||||
// SetNudgeClearer installs the hook that marks a mover's pending nudges read after
|
||||
// their move commits. It must be called during startup wiring; the default (nil)
|
||||
// leaves nudges to be cleared only when the recipient opens the move history or chat.
|
||||
@@ -107,6 +188,15 @@ func (svc *Service) SetNudgeClearer(fn func(ctx context.Context, gameID, account
|
||||
svc.clearNudges = fn
|
||||
}
|
||||
|
||||
// SetNudgeExpirer installs the hook that marks every pending nudge in a game read once the
|
||||
// game finishes, on any completion path (a closing move, a resignation, a turn-timeout or a
|
||||
// forfeit). It must be called during startup wiring; the default (nil) leaves a finished
|
||||
// game's nudges to expire only when a recipient opens the move history or chat. The social
|
||||
// package wires its ExpireNudges here. Chat messages are deliberately left unread.
|
||||
func (svc *Service) SetNudgeExpirer(fn func(ctx context.Context, gameID uuid.UUID) error) {
|
||||
svc.expireNudges = fn
|
||||
}
|
||||
|
||||
// SetFirstMoveEntropy overrides the entropy source for the first-move draw
|
||||
// (docs/ARCHITECTURE.md §6). It must be called during wiring or test setup before any
|
||||
// game is created; the production default is crypto/rand and is never overridden.
|
||||
@@ -283,6 +373,7 @@ func (svc *Service) Create(ctx context.Context, params CreateParams) (Game, erro
|
||||
dropoutTiles: params.DropoutTiles.String(),
|
||||
multipleWordsPerTurn: params.MultipleWordsPerTurn,
|
||||
vsAI: params.VsAI,
|
||||
kind: params.Kind,
|
||||
}
|
||||
if err := svc.store.CreateGame(ctx, ins, seats, seeding.draws); err != nil {
|
||||
return Game{}, err
|
||||
@@ -346,6 +437,7 @@ func (svc *Service) OpenOrJoin(ctx context.Context, accountID uuid.UUID, params
|
||||
multipleWordsPerTurn: params.MultipleWordsPerTurn,
|
||||
status: StatusOpen,
|
||||
openDeadline: &deadline,
|
||||
kind: gamelimits.KindRandom,
|
||||
}
|
||||
// Decide the first move now by the official draw, with the not-yet-arrived opponent as a
|
||||
// synthetic placeholder (uuid.Nil): the draw fixes who sits at seat 0 — and so moves
|
||||
@@ -699,6 +791,16 @@ func (svc *Service) commit(ctx context.Context, gameID uuid.UUID, g *engine.Game
|
||||
}
|
||||
if c.finished {
|
||||
svc.cache.remove(gameID)
|
||||
// A finished game's nudges are stale, so clear them all here — every completion path
|
||||
// funnels through commit (a closing move, a resignation, a forfeit or a turn-timeout),
|
||||
// and only the move path also clears the mover's nudge on its own. Best-effort like
|
||||
// clearNudges: the finish has committed, so a cleanup failure is logged, not surfaced.
|
||||
// ExpireNudges leaves chat messages unread.
|
||||
if svc.expireNudges != nil {
|
||||
if err := svc.expireNudges(ctx, gameID); err != nil {
|
||||
svc.log.Warn("expire nudges on game finish", zap.Error(err))
|
||||
}
|
||||
}
|
||||
}
|
||||
post, err := svc.store.GetGame(ctx, gameID)
|
||||
if err != nil {
|
||||
@@ -983,6 +1085,12 @@ func (svc *Service) CountComplaints(ctx context.Context, status string) (int, er
|
||||
return svc.store.CountComplaints(ctx, status)
|
||||
}
|
||||
|
||||
// CountComplaintsSince counts word complaints filed after since, for the operator alert
|
||||
// worker.
|
||||
func (svc *Service) CountComplaintsSince(ctx context.Context, since time.Time) (int, error) {
|
||||
return svc.store.CountComplaintsSince(ctx, since)
|
||||
}
|
||||
|
||||
// ResolveComplaint closes a complaint with an operator disposition (reject /
|
||||
// accept_add / accept_remove) and an optional note. An accepted complaint then
|
||||
// appears in DictionaryChanges until a rebuilt dictionary is loaded and the
|
||||
@@ -1027,10 +1135,31 @@ func (svc *Service) MarkChangesApplied(ctx context.Context, variant engine.Varia
|
||||
return svc.store.MarkChangesApplied(ctx, variant.String(), version)
|
||||
}
|
||||
|
||||
// Hint reveals the top-scoring legal play for the requesting player on their
|
||||
// turn, spending one hint from their per-game allowance and then their profile
|
||||
// wallet. It returns ErrHintsDisabled, ErrNoHintsLeft or ErrNoHintAvailable as
|
||||
// appropriate.
|
||||
// hintIdleWindow is how long a vs_ai player must be stuck on a turn (since the robot's last move)
|
||||
// before the idle hint unlocks. Mirrors the offline client (lib/hints HINT_GATE_MS = 30 min).
|
||||
const hintIdleWindow = 30 * time.Minute
|
||||
|
||||
// hintUnlockLeftSeconds is the seconds until g's vs_ai idle hint unlocks for seat, measured from now:
|
||||
// the robot's last move (the current turn's start, on the human's turn) plus the window, floored at
|
||||
// 0 and ceiled to whole seconds. It is 0 for a non-vs_ai game, when it is not seat's turn, or on the
|
||||
// human's first move (MoveCount 0, no robot move yet) — the gate is an anti-frustration aid, not a
|
||||
// first-move tax. The client anchors a monotonic countdown to it, so a client clock cannot skew it.
|
||||
func hintUnlockLeftSeconds(g Game, seat int, now time.Time) int {
|
||||
if !g.VsAI || g.ToMove != seat || g.MoveCount < 1 {
|
||||
return 0
|
||||
}
|
||||
left := g.TurnStartedAt.Add(hintIdleWindow).Sub(now)
|
||||
if left <= 0 {
|
||||
return 0
|
||||
}
|
||||
return int((left + time.Second - 1) / time.Second) // ceil to whole seconds (no math import)
|
||||
}
|
||||
|
||||
// Hint reveals the top-scoring legal play for the requesting player on their turn. For a human game
|
||||
// it spends one hint from the per-game allowance then the profile wallet (ErrHintsDisabled /
|
||||
// ErrNoHintsLeft / ErrNoHintAvailable). For a vs_ai game the hint is unlimited and wallet-free but
|
||||
// idle-gated from the server clock (ErrHintLocked until the window elapses) and counts toward no
|
||||
// hint statistic.
|
||||
func (svc *Service) Hint(ctx context.Context, gameID, accountID uuid.UUID) (HintResult, error) {
|
||||
pre, err := svc.store.GetGame(ctx, gameID)
|
||||
if err != nil {
|
||||
@@ -1049,13 +1178,40 @@ func (svc *Service) Hint(ctx context.Context, gameID, accountID uuid.UUID) (Hint
|
||||
if !pre.HintsAllowed {
|
||||
return HintResult{}, ErrHintsDisabled
|
||||
}
|
||||
acc, err := svc.accounts.GetByID(ctx, accountID)
|
||||
if pre.VsAI {
|
||||
// vs_ai: unlimited and wallet-free, but idle-gated from the server clock — and counted toward
|
||||
// no hint statistic. Enforce the gate (the client normally pre-gates from the view's
|
||||
// HintUnlockLeftSeconds; this is the authoritative backstop), then serve the top move without
|
||||
// touching the allowance, the wallet or hints_used.
|
||||
if hintUnlockLeftSeconds(pre, seat, svc.clock()) > 0 {
|
||||
return HintResult{}, ErrHintLocked
|
||||
}
|
||||
unlock := svc.locks.lock(gameID)
|
||||
defer unlock()
|
||||
g, err := svc.liveGame(ctx, pre)
|
||||
if err != nil {
|
||||
return HintResult{}, err
|
||||
}
|
||||
move, ok := g.HintView()
|
||||
if !ok {
|
||||
return HintResult{}, ErrNoHintAvailable
|
||||
}
|
||||
return HintResult{Move: move}, nil
|
||||
}
|
||||
cxt, present, err := svc.walletContext(ctx, accountID)
|
||||
if err != nil {
|
||||
return HintResult{}, err
|
||||
}
|
||||
wallet := 0
|
||||
if svc.hintWallet != nil {
|
||||
wallet, err = svc.hintWallet.HintsAvailable(ctx, accountID, cxt, present)
|
||||
if err != nil {
|
||||
return HintResult{}, err
|
||||
}
|
||||
}
|
||||
used := pre.Seats[seat].HintsUsed
|
||||
fromAllowance := used < pre.HintsPerPlayer
|
||||
if !fromAllowance && acc.HintBalance <= 0 {
|
||||
if !fromAllowance && wallet <= 0 {
|
||||
return HintResult{}, ErrNoHintsLeft
|
||||
}
|
||||
|
||||
@@ -1070,9 +1226,9 @@ func (svc *Service) Hint(ctx context.Context, gameID, accountID uuid.UUID) (Hint
|
||||
return HintResult{}, ErrNoHintAvailable
|
||||
}
|
||||
|
||||
walletAfter := acc.HintBalance
|
||||
walletAfter := wallet
|
||||
if !fromAllowance {
|
||||
spent, err := svc.accounts.SpendHint(ctx, accountID)
|
||||
spent, err := svc.hintWallet.SpendHint(ctx, accountID, cxt, present)
|
||||
if err != nil {
|
||||
return HintResult{}, err
|
||||
}
|
||||
@@ -1088,7 +1244,7 @@ func (svc *Service) Hint(ctx context.Context, gameID, accountID uuid.UUID) (Hint
|
||||
return HintResult{}, err
|
||||
}
|
||||
used++
|
||||
return HintResult{Move: move, HintsRemaining: hintsRemaining(pre.HintsPerPlayer, used, walletAfter), WalletBalance: walletAfter}, nil
|
||||
return HintResult{Move: move, HintsRemaining: hintsRemaining(pre.HintsPerPlayer, used), WalletBalance: walletAfter}, nil
|
||||
}
|
||||
|
||||
// Candidates returns the to-move player's legal plays for a seated player on
|
||||
@@ -1153,10 +1309,6 @@ func (svc *Service) GameState(ctx context.Context, gameID, accountID uuid.UUID)
|
||||
if !ok {
|
||||
return StateView{}, ErrNotAPlayer
|
||||
}
|
||||
acc, err := svc.accounts.GetByID(ctx, accountID)
|
||||
if err != nil {
|
||||
return StateView{}, err
|
||||
}
|
||||
|
||||
unlock := svc.locks.lock(gameID)
|
||||
defer unlock()
|
||||
@@ -1171,12 +1323,15 @@ func (svc *Service) GameState(ctx context.Context, gameID, accountID uuid.UUID)
|
||||
}
|
||||
}
|
||||
return StateView{
|
||||
Game: pre,
|
||||
Seat: seat,
|
||||
Rack: g.Hand(seat),
|
||||
BagLen: g.BagLen(),
|
||||
HintsRemaining: hintsRemaining(pre.HintsPerPlayer, pre.Seats[seat].HintsUsed, acc.HintBalance),
|
||||
WalletBalance: acc.HintBalance,
|
||||
Game: pre,
|
||||
Seat: seat,
|
||||
Rack: g.Hand(seat),
|
||||
BagLen: g.BagLen(),
|
||||
// HintsRemaining is the per-seat allowance only; the purchasable wallet lives on the profile
|
||||
// (payments) and the client adds it (lib/hints.hintsLeft).
|
||||
HintsRemaining: hintsRemaining(pre.HintsPerPlayer, pre.Seats[seat].HintsUsed),
|
||||
// vs_ai idle-hint gate (seconds left; 0 for a human game / first move / not your turn).
|
||||
HintUnlockLeftSeconds: hintUnlockLeftSeconds(pre, seat, svc.clock()),
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -1268,14 +1423,6 @@ func (svc *Service) ListForLobby(ctx context.Context, accountID uuid.UUID) ([]Ga
|
||||
return kept, nil
|
||||
}
|
||||
|
||||
// CountActiveQuickGames reports how many in-progress quick games the account holds —
|
||||
// the count the simultaneous-game limit (MaxActiveQuickGames) is checked against. It
|
||||
// counts active and still-open quick games (including honest-AI ones) and excludes
|
||||
// friend games created by invitation and finished games. See Store.CountActiveQuickGames.
|
||||
func (svc *Service) CountActiveQuickGames(ctx context.Context, accountID uuid.UUID) (int, error) {
|
||||
return svc.store.CountActiveQuickGames(ctx, accountID)
|
||||
}
|
||||
|
||||
// HideGame hides a finished game from accountID's own lobby (it stays visible to the other
|
||||
// players); it is irreversible by design. Only a player of a finished game may hide it
|
||||
// (ErrNotAPlayer / ErrGameActive otherwise); hiding an already-hidden game is a no-op.
|
||||
@@ -1338,30 +1485,53 @@ func (svc *Service) SetupDraws(ctx context.Context, gameID uuid.UUID) ([]SetupDr
|
||||
return svc.store.SetupDraws(ctx, gameID)
|
||||
}
|
||||
|
||||
// ExportGCG renders a game as GCG text from the journal alone (no dictionary). It
|
||||
// is allowed only on a finished game: exporting an in-progress game would leak the
|
||||
// full move journal mid-play, so an active game yields ErrGameActive.
|
||||
func (svc *Service) ExportGCG(ctx context.Context, gameID uuid.UUID) (string, error) {
|
||||
// ExportView returns a finished game with its journal and per-seat display names —
|
||||
// the material every export artifact (the GCG text, the PNG render payload) is built
|
||||
// from. It is allowed only on a finished game: exporting an in-progress game would
|
||||
// leak the full move journal mid-play, so an active game yields ErrGameActive. In an
|
||||
// honest-AI game the robot seat is labelled "AI", not its pool name.
|
||||
func (svc *Service) ExportView(ctx context.Context, gameID uuid.UUID) (Game, []HistoryMove, []string, error) {
|
||||
g, err := svc.store.GetGame(ctx, gameID)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return Game{}, nil, nil, err
|
||||
}
|
||||
if g.Status != StatusFinished {
|
||||
return "", ErrGameActive
|
||||
return Game{}, nil, nil, ErrGameActive
|
||||
}
|
||||
moves, err := svc.store.GetJournal(ctx, gameID)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return Game{}, nil, nil, err
|
||||
}
|
||||
names := svc.seatNames(ctx, g)
|
||||
if g.VsAI {
|
||||
// Label the robot seat "AI" in an honest-AI game's export, not its pool name.
|
||||
for _, s := range g.Seats {
|
||||
if robot, err := svc.accounts.IsRobot(ctx, s.AccountID); err == nil && robot {
|
||||
names[s.Seat] = aiPlayerName
|
||||
}
|
||||
}
|
||||
}
|
||||
return g, moves, names, nil
|
||||
}
|
||||
|
||||
// EnsureExportable reports whether a game may be exported (it exists and is
|
||||
// finished) without loading the journal — the export-URL mint check.
|
||||
func (svc *Service) EnsureExportable(ctx context.Context, gameID uuid.UUID) error {
|
||||
g, err := svc.store.GetGame(ctx, gameID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if g.Status != StatusFinished {
|
||||
return ErrGameActive
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ExportGCG renders a game as GCG text from the journal alone (no dictionary).
|
||||
func (svc *Service) ExportGCG(ctx context.Context, gameID uuid.UUID) (string, error) {
|
||||
g, moves, names, err := svc.ExportView(ctx, gameID)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return writeGCG(g, names, moves), nil
|
||||
}
|
||||
|
||||
@@ -1440,13 +1610,24 @@ func (svc *Service) voidGame(ctx context.Context, pre Game, g *engine.Game) erro
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return svc.store.VoidGame(ctx, voidCommit{
|
||||
if err := svc.store.VoidGame(ctx, voidCommit{
|
||||
gameID: pre.ID,
|
||||
endReason: g.Reason().String(),
|
||||
scores: scores,
|
||||
now: svc.clock(),
|
||||
stats: buildStats(g, statSeats),
|
||||
})
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
// A voided game is finished (as a draw) but bypasses commit, so clear its now-stale nudges
|
||||
// here too. Best-effort, like the commit path: the void has persisted, so a cleanup failure
|
||||
// is logged, not surfaced.
|
||||
if svc.expireNudges != nil {
|
||||
if err := svc.expireNudges(ctx, pre.ID); err != nil {
|
||||
svc.log.Warn("expire nudges on voided game", zap.Error(err))
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// replayMove re-applies one journalled move to g through the decoded engine API.
|
||||
@@ -1613,10 +1794,18 @@ func (svc *Service) lookupWord(variant engine.Variant, version, word string) (bo
|
||||
return present, nil
|
||||
}
|
||||
|
||||
// hintsRemaining is a player's remaining hint budget: the unspent per-game
|
||||
// allowance plus the profile wallet.
|
||||
func hintsRemaining(allowance, used, wallet int) int {
|
||||
return max(0, allowance-used) + wallet
|
||||
// DictBytes returns the raw serialized dictionary for the (variant, version) pair
|
||||
// from the registry, backing the client-side dictionary download used by the
|
||||
// local move preview. It surfaces engine.ErrUnknownVariant /
|
||||
// engine.ErrUnknownVersion when that dictionary is not resident.
|
||||
func (svc *Service) DictBytes(variant engine.Variant, version string) ([]byte, error) {
|
||||
return svc.registry.DictBytes(variant, version)
|
||||
}
|
||||
|
||||
// hintsRemaining is the unspent per-game hint allowance. The purchasable wallet is separate,
|
||||
// carried on the profile (payments), and the client adds it (lib/hints.hintsLeft).
|
||||
func hintsRemaining(allowance, used int) int {
|
||||
return max(0, allowance-used)
|
||||
}
|
||||
|
||||
// allowedTimeout reports whether d is one of the offered move clocks.
|
||||
|
||||
@@ -15,6 +15,7 @@ import (
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/gamelimits"
|
||||
"scrabble/backend/internal/postgres/jet/backend/model"
|
||||
"scrabble/backend/internal/postgres/jet/backend/table"
|
||||
)
|
||||
@@ -45,6 +46,8 @@ type gameInsert struct {
|
||||
multipleWordsPerTurn bool
|
||||
// vsAI marks an honest-AI game (games.vs_ai).
|
||||
vsAI bool
|
||||
// kind tags the game's origin (games.game_kind) for the active-game limits.
|
||||
kind gamelimits.Kind
|
||||
// status is the lifecycle state to create the game in: StatusActive for a normal
|
||||
// seated game, StatusOpen for an auto-match game still awaiting an opponent. An
|
||||
// empty string defaults to StatusActive.
|
||||
@@ -138,6 +141,20 @@ func (s *Store) CreateGame(ctx context.Context, ins gameInsert, seats []seatInse
|
||||
})
|
||||
}
|
||||
|
||||
// CountActiveByKind counts the account's active (open or in-progress) games of the given kind — the
|
||||
// per-tier active-game limit is checked against it before a new game of that kind is created.
|
||||
func (s *Store) CountActiveByKind(ctx context.Context, accountID uuid.UUID, kind gamelimits.Kind) (int, error) {
|
||||
var n int
|
||||
if err := s.db.QueryRowContext(ctx,
|
||||
`SELECT count(*) FROM backend.games g
|
||||
JOIN backend.game_players p ON p.game_id = g.game_id
|
||||
WHERE p.account_id = $1 AND g.game_kind = $2 AND g.status IN ('open', 'active')`,
|
||||
accountID, int16(kind)).Scan(&n); err != nil {
|
||||
return 0, fmt.Errorf("game: count active by kind %s: %w", accountID, err)
|
||||
}
|
||||
return n, nil
|
||||
}
|
||||
|
||||
// insertGameTx inserts the games row and one game_players row per seat (seat 0
|
||||
// first) on tx, stamping each seat's display-name snapshot. A seat whose account id is
|
||||
// uuid.Nil is written with a NULL account_id (and an empty snapshot) — the still-empty
|
||||
@@ -155,9 +172,9 @@ func insertGameTx(ctx context.Context, tx *sql.Tx, ins gameInsert, seats []seatI
|
||||
table.Games.GameID, table.Games.Variant, table.Games.DictVersion, table.Games.Seed,
|
||||
table.Games.Status, table.Games.Players, table.Games.TurnTimeoutSecs,
|
||||
table.Games.HintsAllowed, table.Games.HintsPerPlayer, table.Games.OpenDeadlineAt,
|
||||
table.Games.DropoutTiles, table.Games.MultipleWordsPerTurn, table.Games.VsAi,
|
||||
table.Games.DropoutTiles, table.Games.MultipleWordsPerTurn, table.Games.VsAi, table.Games.GameKind,
|
||||
).VALUES(ins.id, ins.variant, ins.dictVersion, ins.seed, status, ins.players,
|
||||
ins.turnTimeoutSecs, ins.hintsAllowed, ins.hintsPerPlayer, deadline, ins.dropoutTiles, ins.multipleWordsPerTurn, ins.vsAI)
|
||||
ins.turnTimeoutSecs, ins.hintsAllowed, ins.hintsPerPlayer, deadline, ins.dropoutTiles, ins.multipleWordsPerTurn, ins.vsAI, int16(ins.kind))
|
||||
if _, err := gi.ExecContext(ctx, tx); err != nil {
|
||||
return fmt.Errorf("insert game: %w", err)
|
||||
}
|
||||
@@ -501,28 +518,6 @@ func (s *Store) ListGamesForAccount(ctx context.Context, accountID uuid.UUID) ([
|
||||
return out, nil
|
||||
}
|
||||
|
||||
// CountActiveQuickGames counts the account's in-progress quick games — the ones the
|
||||
// simultaneous-game limit (MaxActiveQuickGames) is checked against. It includes both
|
||||
// active and still-open (awaiting-opponent) games, the honest-AI ones among them, and
|
||||
// excludes friend games (those linked to a game_invitations row) and finished games.
|
||||
// A hidden game still occupies a slot, so this is a dedicated count rather than a
|
||||
// filter over ListGamesForAccount (which drops hidden games). Joining on the account's
|
||||
// own seat counts each game once (an open game's empty opponent seat has no account).
|
||||
func (s *Store) CountActiveQuickGames(ctx context.Context, accountID uuid.UUID) (int, error) {
|
||||
// The status literals are game.StatusActive / game.StatusOpen, matching the
|
||||
// games.status CHECK in the baseline migration.
|
||||
const q = `
|
||||
SELECT COUNT(*) FROM backend.games g
|
||||
JOIN backend.game_players gp ON gp.game_id = g.game_id
|
||||
LEFT JOIN backend.game_invitations gi ON gi.game_id = g.game_id
|
||||
WHERE gp.account_id = $1 AND g.status IN ('active', 'open') AND gi.game_id IS NULL`
|
||||
var n int
|
||||
if err := s.db.QueryRowContext(ctx, q, accountID).Scan(&n); err != nil {
|
||||
return 0, fmt.Errorf("game: count active quick games: %w", err)
|
||||
}
|
||||
return n, nil
|
||||
}
|
||||
|
||||
// HideGame hides a game from the account's own lobby list (idempotent). The caller validates the
|
||||
// game is finished and the account is a player.
|
||||
func (s *Store) HideGame(ctx context.Context, accountID, gameID uuid.UUID) error {
|
||||
@@ -1040,6 +1035,19 @@ func (s *Store) CountComplaints(ctx context.Context, status string) (int, error)
|
||||
return int(dest.Count), nil
|
||||
}
|
||||
|
||||
// CountComplaintsSince counts word complaints filed strictly after since — the operator
|
||||
// alert worker's "new since the last check" signal.
|
||||
func (s *Store) CountComplaintsSince(ctx context.Context, since time.Time) (int, error) {
|
||||
stmt := postgres.SELECT(postgres.COUNT(table.Complaints.ComplaintID).AS("count")).
|
||||
FROM(table.Complaints).
|
||||
WHERE(table.Complaints.CreatedAt.GT(postgres.TimestampzT(since)))
|
||||
var dest struct{ Count int64 }
|
||||
if err := stmt.QueryContext(ctx, s.db, &dest); err != nil {
|
||||
return 0, fmt.Errorf("game: count complaints since: %w", err)
|
||||
}
|
||||
return int(dest.Count), nil
|
||||
}
|
||||
|
||||
// ActiveGames returns the turn clocks of every in-progress game; the sweeper
|
||||
// filters them against the per-move deadline and the player's away window.
|
||||
func (s *Store) ActiveGames(ctx context.Context) ([]activeGame, error) {
|
||||
@@ -1348,6 +1356,7 @@ func projectGame(g model.Games, seats []model.GamePlayers) (Game, error) {
|
||||
}
|
||||
out.MultipleWordsPerTurn = g.MultipleWordsPerTurn
|
||||
out.VsAI = g.VsAi
|
||||
out.Kind = gamelimits.Kind(g.GameKind)
|
||||
if g.EndReason != nil {
|
||||
out.EndReason = *g.EndReason
|
||||
}
|
||||
|
||||
@@ -7,6 +7,7 @@ import (
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/gamelimits"
|
||||
)
|
||||
|
||||
// Status values persisted in the games.status column.
|
||||
@@ -65,6 +66,10 @@ var (
|
||||
ErrNoHintsLeft = errors.New("game: no hints remaining")
|
||||
// ErrNoHintAvailable is returned when the player has no legal play to reveal.
|
||||
ErrNoHintAvailable = errors.New("game: no legal move to suggest")
|
||||
// ErrHintLocked is returned when a vs_ai game's idle hint is still gated (the player has not yet
|
||||
// been stuck the idle window since the robot's last move). The client normally pre-gates from
|
||||
// StateView.HintUnlockLeftSeconds, so this is the authoritative server-clock backstop.
|
||||
ErrHintLocked = errors.New("game: hint is not available yet")
|
||||
// ErrGameLimitReached is returned when an account already holds MaxActiveQuickGames
|
||||
// simultaneous quick games and tries to create another game (quick or by invitation).
|
||||
ErrGameLimitReached = errors.New("game: simultaneous game limit reached")
|
||||
@@ -90,15 +95,6 @@ const DefaultTurnTimeout = 24 * time.Hour
|
||||
// one of AllowedTurnTimeouts (never offered in the creation UI).
|
||||
const AIInactivityTimeout = 7 * 24 * time.Hour
|
||||
|
||||
// MaxActiveQuickGames is the cap on a player's simultaneous quick games (human
|
||||
// auto-match and honest-AI), counting both in-progress (StatusActive) and
|
||||
// still-open, awaiting-opponent (StatusOpen) games. Friend games created by
|
||||
// invitation are not counted. At the cap the backend refuses to create a new game
|
||||
// of any kind — quick or by invitation — and the lobby disables "New Game";
|
||||
// accepting an incoming invitation is always allowed. See
|
||||
// Store.CountActiveQuickGames.
|
||||
const MaxActiveQuickGames = 10
|
||||
|
||||
// aiPlayerName labels the robot seat in an honest-AI game's GCG export, so a downloaded
|
||||
// game file shows a clean "AI" rather than the robot's human-like pool name (the in-app
|
||||
// UI shows 🤖 from the game's vs_ai flag).
|
||||
@@ -121,6 +117,10 @@ type CreateParams struct {
|
||||
// robot is seated at once, the move clock is AIInactivityTimeout, and chat/nudge
|
||||
// and finish-time statistics are suppressed. Set by the lobby's AI-match path.
|
||||
VsAI bool
|
||||
// Kind tags the game's origin (games.game_kind) for the active-game limits: vs_ai / random /
|
||||
// friends. The lobby sets it; a zero (unknown) kind is never gated. The active-game limit itself
|
||||
// is enforced at the new-game handler (Server.ensureUnderGameLimit), not here.
|
||||
Kind gamelimits.Kind
|
||||
}
|
||||
|
||||
// Game is the persisted state of a match: the games row joined with its seats.
|
||||
@@ -147,6 +147,9 @@ type Game struct {
|
||||
// VsAI is true for an honest-AI game (games.vs_ai): the opponent is a robot the
|
||||
// player knowingly chose, shown as 🤖, with chat/nudge disabled and no statistics.
|
||||
VsAI bool
|
||||
// Kind is the game's origin tag (games.game_kind) for the active-game limits: vs_ai / random /
|
||||
// friends, or unknown for an untagged game. Read-only projection; set once on creation.
|
||||
Kind gamelimits.Kind
|
||||
}
|
||||
|
||||
// Seat is one player's standing in a game.
|
||||
@@ -207,10 +210,9 @@ type MoveResult struct {
|
||||
BagLen int
|
||||
}
|
||||
|
||||
// HintResult is a revealed hint and the requesting player's remaining hint
|
||||
// budget (per-seat allowance plus profile wallet) after spending one. WalletBalance is
|
||||
// the global wallet alone, so the client can keep its live wallet authoritative and
|
||||
// re-derive the per-game allowance (HintsRemaining - WalletBalance).
|
||||
// HintResult is a revealed hint with the per-seat allowance remaining (HintsRemaining) and the
|
||||
// purchasable hint wallet after spending one (WalletBalance, from payments). The client adopts
|
||||
// WalletBalance into the profile so the badge stays live across games (lib/hints).
|
||||
type HintResult struct {
|
||||
Move engine.MoveRecord
|
||||
HintsRemaining int
|
||||
@@ -237,9 +239,11 @@ type StateView struct {
|
||||
Rack []string
|
||||
BagLen int
|
||||
HintsRemaining int
|
||||
// WalletBalance is the player's global hint-wallet balance alone (HintsRemaining folds
|
||||
// it in with the per-game allowance), so the client keeps the wallet live across games.
|
||||
WalletBalance int
|
||||
// HintUnlockLeftSeconds is, for a vs_ai game on the requesting player's turn, the seconds left
|
||||
// until the idle hint unlocks (the robot's last move plus the idle window, from the server clock);
|
||||
// 0 for the human's first move, when it is not their turn, or a non-vs_ai game. The vs_ai hint is
|
||||
// unlimited and wallet-free; this idle gate replaces the allowance/wallet for it.
|
||||
HintUnlockLeftSeconds int
|
||||
}
|
||||
|
||||
// HistoryMove is one decoded journal row, independent of any dictionary.
|
||||
|
||||
@@ -0,0 +1,149 @@
|
||||
// Package gamelimits holds the per-tier, per-kind active-game caps (a guest funnel) with a hot
|
||||
// in-memory cache over the single-row backend.config, so a login or a game-create never queries it.
|
||||
package gamelimits
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"fmt"
|
||||
"sync"
|
||||
|
||||
"github.com/go-jet/jet/v2/postgres"
|
||||
|
||||
"scrabble/backend/internal/postgres/jet/backend/model"
|
||||
"scrabble/backend/internal/postgres/jet/backend/table"
|
||||
)
|
||||
|
||||
// Kind is a game's kind, mirroring backend.games.game_kind. 0 (unknown) is an untagged game, never gated.
|
||||
type Kind int16
|
||||
|
||||
const (
|
||||
KindUnknown Kind = 0
|
||||
KindVsAI Kind = 1
|
||||
KindRandom Kind = 2
|
||||
KindFriends Kind = 3
|
||||
)
|
||||
|
||||
// String returns the kind's label for admin game lists and logs.
|
||||
func (k Kind) String() string {
|
||||
switch k {
|
||||
case KindVsAI:
|
||||
return "vs_ai"
|
||||
case KindRandom:
|
||||
return "random"
|
||||
case KindFriends:
|
||||
return "friends"
|
||||
default:
|
||||
return "unknown"
|
||||
}
|
||||
}
|
||||
|
||||
// Unlimited is the limit sentinel meaning no cap.
|
||||
const Unlimited = -1
|
||||
|
||||
// Limits is a tier's active-game caps per kind (-1 = unlimited).
|
||||
type Limits struct {
|
||||
VsAI int
|
||||
Random int
|
||||
Friends int
|
||||
}
|
||||
|
||||
// Cap returns the limit for kind; the unknown kind is never capped.
|
||||
func (l Limits) Cap(kind Kind) int {
|
||||
switch kind {
|
||||
case KindVsAI:
|
||||
return l.VsAI
|
||||
case KindRandom:
|
||||
return l.Random
|
||||
case KindFriends:
|
||||
return l.Friends
|
||||
default:
|
||||
return Unlimited
|
||||
}
|
||||
}
|
||||
|
||||
// Config is the per-tier limit config (the single backend.config row).
|
||||
type Config struct {
|
||||
Guest Limits
|
||||
Durable Limits
|
||||
}
|
||||
|
||||
// Store reads and writes the single-row backend.config.
|
||||
type Store struct{ db *sql.DB }
|
||||
|
||||
// NewStore constructs a Store over db.
|
||||
func NewStore(db *sql.DB) *Store { return &Store{db: db} }
|
||||
|
||||
func (s *Store) load(ctx context.Context) (Config, error) {
|
||||
var c model.Config
|
||||
if err := postgres.SELECT(table.Config.AllColumns).FROM(table.Config).LIMIT(1).
|
||||
QueryContext(ctx, s.db, &c); err != nil {
|
||||
return Config{}, fmt.Errorf("gamelimits: load config: %w", err)
|
||||
}
|
||||
return Config{
|
||||
Guest: Limits{VsAI: int(c.GuestVsAiLimit), Random: int(c.GuestRandomLimit), Friends: int(c.GuestFriendsLimit)},
|
||||
Durable: Limits{VsAI: int(c.DurableVsAiLimit), Random: int(c.DurableRandomLimit), Friends: int(c.DurableFriendsLimit)},
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *Store) save(ctx context.Context, c Config) error {
|
||||
if _, err := s.db.ExecContext(ctx,
|
||||
`UPDATE backend.config SET guest_vs_ai_limit=$1, guest_random_limit=$2, guest_friends_limit=$3,
|
||||
durable_vs_ai_limit=$4, durable_random_limit=$5, durable_friends_limit=$6 WHERE only_row`,
|
||||
c.Guest.VsAI, c.Guest.Random, c.Guest.Friends, c.Durable.VsAI, c.Durable.Random, c.Durable.Friends); err != nil {
|
||||
return fmt.Errorf("gamelimits: save config: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Service fronts the config with an in-memory cache (single-instance, matching the deploy). Load
|
||||
// once at startup; Update after an admin edit refreshes it in place.
|
||||
type Service struct {
|
||||
store *Store
|
||||
mu sync.RWMutex
|
||||
cfg Config
|
||||
}
|
||||
|
||||
// NewService constructs a Service over store. Call Load before serving.
|
||||
func NewService(store *Store) *Service { return &Service{store: store} }
|
||||
|
||||
// Load reads the config into the cache. Call once at startup.
|
||||
func (s *Service) Load(ctx context.Context) error {
|
||||
c, err := s.store.load(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
s.set(c)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *Service) set(c Config) {
|
||||
s.mu.Lock()
|
||||
s.cfg = c
|
||||
s.mu.Unlock()
|
||||
}
|
||||
|
||||
// Get returns the cached config.
|
||||
func (s *Service) Get() Config {
|
||||
s.mu.RLock()
|
||||
defer s.mu.RUnlock()
|
||||
return s.cfg
|
||||
}
|
||||
|
||||
// LimitsFor returns the cached limits for the account tier (guest or durable).
|
||||
func (s *Service) LimitsFor(isGuest bool) Limits {
|
||||
c := s.Get()
|
||||
if isGuest {
|
||||
return c.Guest
|
||||
}
|
||||
return c.Durable
|
||||
}
|
||||
|
||||
// Update saves the config and refreshes the cache in place (the admin edit).
|
||||
func (s *Service) Update(ctx context.Context, c Config) error {
|
||||
if err := s.store.save(ctx, c); err != nil {
|
||||
return err
|
||||
}
|
||||
s.set(c)
|
||||
return nil
|
||||
}
|
||||
@@ -0,0 +1,44 @@
|
||||
package gamelimits
|
||||
|
||||
import "testing"
|
||||
|
||||
// TestLimitsCap checks Cap maps each kind to its field and leaves the unknown kind uncapped, so a
|
||||
// untagged game (game_kind 0) is never gated.
|
||||
func TestLimitsCap(t *testing.T) {
|
||||
l := Limits{VsAI: 1, Random: 2, Friends: 3}
|
||||
for _, tc := range []struct {
|
||||
kind Kind
|
||||
want int
|
||||
}{
|
||||
{KindVsAI, 1},
|
||||
{KindRandom, 2},
|
||||
{KindFriends, 3},
|
||||
{KindUnknown, Unlimited},
|
||||
{Kind(99), Unlimited},
|
||||
} {
|
||||
if got := l.Cap(tc.kind); got != tc.want {
|
||||
t.Errorf("Cap(%d) = %d, want %d", tc.kind, got, tc.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestServiceLimitsForTier checks LimitsFor selects the guest or durable tier from the cached config.
|
||||
func TestServiceLimitsForTier(t *testing.T) {
|
||||
svc := NewService(nil)
|
||||
svc.set(Config{
|
||||
Guest: Limits{VsAI: 1, Random: 1, Friends: 0},
|
||||
Durable: Limits{VsAI: 10, Random: 10, Friends: 10},
|
||||
})
|
||||
|
||||
if got := svc.LimitsFor(true); got != (Limits{VsAI: 1, Random: 1, Friends: 0}) {
|
||||
t.Errorf("guest limits = %+v, want {1 1 0}", got)
|
||||
}
|
||||
if got := svc.LimitsFor(false); got != (Limits{VsAI: 10, Random: 10, Friends: 10}) {
|
||||
t.Errorf("durable limits = %+v, want {10 10 10}", got)
|
||||
}
|
||||
// The unlimited sentinel resolves through the tier too.
|
||||
svc.set(Config{Durable: Limits{VsAI: Unlimited, Random: Unlimited, Friends: Unlimited}})
|
||||
if got := svc.LimitsFor(false).Cap(KindVsAI); got != Unlimited {
|
||||
t.Errorf("durable vs_ai cap = %d, want unlimited (-1)", got)
|
||||
}
|
||||
}
|
||||
@@ -154,6 +154,53 @@ func TestProvisionTelegramSeedsNewAccountOnly(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// TestProvisionVKSeedsNewAccountOnly checks VK first contact seeds the new account's
|
||||
// language, display name and time zone from the launch fields / detected offset, records
|
||||
// the vk identity as confirmed (a platform identity), and never overwrites an existing
|
||||
// account on a later launch. It also exercises the widened identities.kind CHECK — a
|
||||
// 'vk' row must insert.
|
||||
func TestProvisionVKSeedsNewAccountOnly(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
ext := "vk-" + uuid.NewString()
|
||||
|
||||
acc, created, err := store.ProvisionVK(ctx, ext, "ru", "Иван Петров", "+03:00")
|
||||
if err != nil {
|
||||
t.Fatalf("provision vk: %v", err)
|
||||
}
|
||||
if !created {
|
||||
t.Error("created = false on first contact, want true")
|
||||
}
|
||||
if acc.PreferredLanguage != "ru" {
|
||||
t.Errorf("PreferredLanguage = %q, want ru", acc.PreferredLanguage)
|
||||
}
|
||||
if acc.DisplayName != "Иван Петров" {
|
||||
t.Errorf("DisplayName = %q, want Иван Петров", acc.DisplayName)
|
||||
}
|
||||
if acc.TimeZone != "+03:00" {
|
||||
t.Errorf("TimeZone = %q, want the seeded +03:00", acc.TimeZone)
|
||||
}
|
||||
// A VK identity is a platform identity: confirmed on insert.
|
||||
if !identityConfirmed(t, account.KindVK, ext) {
|
||||
t.Error("vk identity must be confirmed")
|
||||
}
|
||||
|
||||
// A later launch with different fields returns the same account, unchanged.
|
||||
again, created, err := store.ProvisionVK(ctx, ext, "en", "Other Name", "+09:00")
|
||||
if err != nil {
|
||||
t.Fatalf("re-provision vk: %v", err)
|
||||
}
|
||||
if created {
|
||||
t.Error("created = true on a repeat launch, want false")
|
||||
}
|
||||
if again.ID != acc.ID {
|
||||
t.Errorf("re-provision id = %s, want %s", again.ID, acc.ID)
|
||||
}
|
||||
if again.PreferredLanguage != "ru" || again.DisplayName != "Иван Петров" || again.TimeZone != "+03:00" {
|
||||
t.Errorf("existing account overwritten: lang=%q name=%q tz=%q", again.PreferredLanguage, again.DisplayName, again.TimeZone)
|
||||
}
|
||||
}
|
||||
|
||||
// TestProvisionSeedsTimeZone checks the create-time time-zone seed across paths: a
|
||||
// valid detected offset is stored verbatim (even "+00:00", which is deliberately
|
||||
// distinct from the unset "UTC" default), a guest is seeded the same way, and a
|
||||
|
||||
@@ -0,0 +1,79 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/payments"
|
||||
)
|
||||
|
||||
// benefitFor returns the account's benefit on the given origin from its statement.
|
||||
func benefitFor(t *testing.T, pay *payments.Service, id uuid.UUID, origin payments.Source) payments.OriginBenefit {
|
||||
t.Helper()
|
||||
stmt, err := pay.AccountStatement(context.Background(), id)
|
||||
if err != nil {
|
||||
t.Fatalf("statement: %v", err)
|
||||
}
|
||||
for _, b := range stmt.Benefits {
|
||||
if b.Origin == origin {
|
||||
return b
|
||||
}
|
||||
}
|
||||
return payments.OriginBenefit{}
|
||||
}
|
||||
|
||||
// TestConsoleAdminGrant drives the admin grant: a raw benefit grant, a by-product grant of a reward
|
||||
// bundle, and a refusal to grant a chips pack; the create is CSRF-guarded.
|
||||
func TestConsoleAdminGrant(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, _, pay := bannerServer(t)
|
||||
h := srv.Handler()
|
||||
id := provisionAccount(t)
|
||||
const origin = "http://admin.test"
|
||||
base := "http://admin.test/_gm/users/" + id.String()
|
||||
|
||||
// CSRF: a grant without the origin header is refused.
|
||||
if code, _ := consoleDo(h, http.MethodPost, base+"/grant", "origin=direct&hints=1", ""); code != http.StatusForbidden {
|
||||
t.Fatalf("grant without origin = %d, want 403", code)
|
||||
}
|
||||
|
||||
// Raw grant: 5 hints + 30 no-ads days to the direct origin.
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/grant", "origin=direct&hints=5&noads=30", origin); code != http.StatusOK || !strings.Contains(body, "Granted") {
|
||||
t.Fatalf("raw grant = %d, has 'Granted' = %v", code, strings.Contains(body, "Granted"))
|
||||
}
|
||||
if b := benefitFor(t, pay, id, payments.SourceDirect); b.Hints != 5 || b.AdsPaidUntil.IsZero() {
|
||||
t.Fatalf("after raw grant: hints=%d adsUntil-zero=%v, want 5 hints + a no-ads term", b.Hints, b.AdsPaidUntil.IsZero())
|
||||
}
|
||||
|
||||
// By-product grant: an archived reward bundle (3 hints) to vk.
|
||||
reward, err := pay.CreateProduct(ctx, payments.ProductInput{
|
||||
Title: "reward-3-hints", Atoms: []payments.AtomLine{{Atom: "hints", Quantity: 3}},
|
||||
}, false)
|
||||
if err != nil {
|
||||
t.Fatalf("create reward: %v", err)
|
||||
}
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/grant-product", "origin=vk&product_id="+reward.String(), origin); code != http.StatusOK || !strings.Contains(body, "Granted") {
|
||||
t.Fatalf("product grant = %d, has 'Granted' = %v", code, strings.Contains(body, "Granted"))
|
||||
}
|
||||
if b := benefitFor(t, pay, id, payments.SourceVK); b.Hints != 3 {
|
||||
t.Fatalf("after product grant: vk hints=%d, want 3", b.Hints)
|
||||
}
|
||||
|
||||
// A chips pack cannot be granted.
|
||||
pack, err := pay.CreateProduct(ctx, payments.ProductInput{
|
||||
Title: "grant-pack", Atoms: []payments.AtomLine{{Atom: "chips", Quantity: 100}},
|
||||
Prices: []payments.PriceLine{{Method: "direct", Currency: payments.CurrencyRUB, Amount: 14900}},
|
||||
}, true)
|
||||
if err != nil {
|
||||
t.Fatalf("create pack: %v", err)
|
||||
}
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/grant-product", "origin=direct&product_id="+pack.String(), origin); code != http.StatusOK || !strings.Contains(body, "cannot grant chips") {
|
||||
t.Fatalf("chips grant = %d, has 'cannot grant chips' = %v", code, strings.Contains(body, "cannot grant chips"))
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,77 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"scrabble/backend/internal/payments"
|
||||
)
|
||||
|
||||
// TestConsoleRefundAndExport drives the manual refund and the ledger CSV export: a funded order is
|
||||
// refunded in full (chips revoked, a refund row), the refund is idempotent, and the export carries
|
||||
// the fund + refund rows; the refund POST is CSRF-guarded.
|
||||
func TestConsoleRefundAndExport(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, _, pay := bannerServer(t)
|
||||
h := srv.Handler()
|
||||
id := provisionAccount(t)
|
||||
const origin = "http://admin.test"
|
||||
base := "http://admin.test/_gm/users/" + id.String()
|
||||
|
||||
// Fund a pack: 100 chips + a fund ledger row.
|
||||
prod := seedPackProduct(t, 100, methodPrice{method: "direct", currency: "RUB", amount: 14900})
|
||||
res, err := pay.CreateOrder(ctx, id, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod, "robokassa")
|
||||
if err != nil {
|
||||
t.Fatalf("order: %v", err)
|
||||
}
|
||||
paid, _ := payments.MoneyFromMinor(14900, payments.CurrencyRUB)
|
||||
if _, err := pay.Fund(ctx, res.OrderID, "robokassa", res.OrderID.String(), paid); err != nil {
|
||||
t.Fatalf("fund: %v", err)
|
||||
}
|
||||
|
||||
// CSRF: a refund without the origin header is refused.
|
||||
if code, _ := consoleDo(h, http.MethodPost, base+"/refund", "order_id="+res.OrderID.String(), ""); code != http.StatusForbidden {
|
||||
t.Fatalf("refund without origin = %d, want 403", code)
|
||||
}
|
||||
|
||||
// Refund the order in full → 100 chips revoked (none spent).
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/refund", "order_id="+res.OrderID.String(), origin); code != http.StatusOK || !strings.Contains(body, "revoked 100 chips") {
|
||||
t.Fatalf("refund = %d, has 'revoked 100 chips' = %v", code, strings.Contains(body, "revoked 100 chips"))
|
||||
}
|
||||
stmt, err := pay.AccountStatement(ctx, id)
|
||||
if err != nil {
|
||||
t.Fatalf("statement: %v", err)
|
||||
}
|
||||
for _, sg := range stmt.Segments {
|
||||
if sg.Source == payments.SourceDirect && sg.Chips != 0 {
|
||||
t.Errorf("after refund: direct chips = %d, want 0", sg.Chips)
|
||||
}
|
||||
}
|
||||
kinds := map[string]int{}
|
||||
for _, e := range stmt.Ledger {
|
||||
kinds[e.Kind]++
|
||||
}
|
||||
if kinds["fund"] != 1 || kinds["refund"] != 1 {
|
||||
t.Errorf("ledger kinds = %v, want one fund + one refund", kinds)
|
||||
}
|
||||
|
||||
// A second refund of the same order is idempotent.
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/refund", "order_id="+res.OrderID.String(), origin); code != http.StatusOK || !strings.Contains(body, "Already refunded") {
|
||||
t.Fatalf("second refund = %d, has 'Already refunded' = %v", code, strings.Contains(body, "Already refunded"))
|
||||
}
|
||||
|
||||
// Export the whole ledger as CSV: the header, this account, and its fund + refund rows.
|
||||
code, body := consoleDo(h, http.MethodGet, "http://admin.test/_gm/ledger.csv", "", "")
|
||||
if code != http.StatusOK {
|
||||
t.Fatalf("export = %d, want 200", code)
|
||||
}
|
||||
for _, want := range []string{"created_at,account_id,kind", id.String(), ",fund,", ",refund,"} {
|
||||
if !strings.Contains(body, want) {
|
||||
t.Errorf("ledger CSV missing %q", want)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -4,7 +4,6 @@ package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
@@ -280,76 +279,6 @@ func TestConsoleThrottledViewAndFlagClear(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// TestConsoleGrantHints drives the admin hint-wallet grant end to end: the card shows the form,
|
||||
// the action is CSRF-guarded, a same-origin grant adds to the wallet, a second grant adds again
|
||||
// (rather than replacing), the inclusive per-grant cap is accepted, and an out-of-range or
|
||||
// non-numeric amount is refused without changing the balance.
|
||||
func TestConsoleGrantHints(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
accounts := account.NewStore(testDB)
|
||||
id := provisionAccount(t)
|
||||
srv := server.New(":0", server.Deps{
|
||||
Logger: zap.NewNop(), Accounts: accounts, Games: newGameService(), Registry: testRegistry, DictDir: dictDir(),
|
||||
})
|
||||
h := srv.Handler()
|
||||
base := "http://admin.test/_gm/users/" + id.String()
|
||||
|
||||
if code, body := consoleDo(h, http.MethodGet, base, "", ""); code != http.StatusOK || !strings.Contains(body, "Add hints") {
|
||||
t.Fatalf("user card = %d, has grant form = %v", code, strings.Contains(body, "Add hints"))
|
||||
}
|
||||
// The grant POST is CSRF-guarded like every console action.
|
||||
if code, _ := consoleDo(h, http.MethodPost, base+"/grant-hints", "amount=5", ""); code != http.StatusForbidden {
|
||||
t.Fatalf("grant without origin = %d, want 403", code)
|
||||
}
|
||||
// A same-origin grant adds to the wallet.
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/grant-hints", "amount=5", "http://admin.test"); code != http.StatusOK || !strings.Contains(body, "now 5") {
|
||||
t.Fatalf("grant 5 = %d, body has 'now 5' = %v", code, strings.Contains(body, "now 5"))
|
||||
}
|
||||
if acc, err := accounts.GetByID(ctx, id); err != nil || acc.HintBalance != 5 {
|
||||
t.Fatalf("after grant 5: balance=%d err=%v, want 5", acc.HintBalance, err)
|
||||
}
|
||||
// A second grant adds again rather than replacing.
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/grant-hints", "amount=3", "http://admin.test"); code != http.StatusOK || !strings.Contains(body, "now 8") {
|
||||
t.Fatalf("grant 3 = %d, body has 'now 8' = %v", code, strings.Contains(body, "now 8"))
|
||||
}
|
||||
// An out-of-range or non-numeric amount is refused; the balance is left untouched.
|
||||
for _, bad := range []string{"0", "-1", "101", "x", ""} {
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/grant-hints", "amount="+bad, "http://admin.test"); code != http.StatusOK || !strings.Contains(body, "Invalid amount") {
|
||||
t.Fatalf("grant %q = %d, has 'Invalid amount' = %v", bad, code, strings.Contains(body, "Invalid amount"))
|
||||
}
|
||||
}
|
||||
if acc, err := accounts.GetByID(ctx, id); err != nil || acc.HintBalance != 8 {
|
||||
t.Fatalf("after invalid grants: balance=%d err=%v, want 8", acc.HintBalance, err)
|
||||
}
|
||||
// The inclusive per-grant cap (100) is accepted.
|
||||
if code, _ := consoleDo(h, http.MethodPost, base+"/grant-hints", "amount=100", "http://admin.test"); code != http.StatusOK {
|
||||
t.Fatalf("grant 100 = %d, want 200", code)
|
||||
}
|
||||
if acc, err := accounts.GetByID(ctx, id); err != nil || acc.HintBalance != 108 {
|
||||
t.Fatalf("after grant 100: balance=%d err=%v, want 108", acc.HintBalance, err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestGrantHintsStore covers the wallet store method directly: an additive grant raises the
|
||||
// balance, a non-positive grant is rejected, and an unknown account yields ErrNotFound.
|
||||
func TestGrantHintsStore(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
accounts := account.NewStore(testDB)
|
||||
id := provisionAccount(t)
|
||||
if bal, err := accounts.GrantHints(ctx, id, 4); err != nil || bal != 4 {
|
||||
t.Fatalf("grant 4 = (%d, %v), want (4, nil)", bal, err)
|
||||
}
|
||||
if bal, err := accounts.GrantHints(ctx, id, 6); err != nil || bal != 10 {
|
||||
t.Fatalf("grant 6 = (%d, %v), want (10, nil)", bal, err)
|
||||
}
|
||||
if _, err := accounts.GrantHints(ctx, id, 0); err == nil {
|
||||
t.Error("grant 0 should be rejected (non-positive)")
|
||||
}
|
||||
if _, err := accounts.GrantHints(ctx, uuid.New(), 1); !errors.Is(err, account.ErrNotFound) {
|
||||
t.Errorf("grant unknown account = %v, want ErrNotFound", err)
|
||||
}
|
||||
}
|
||||
|
||||
// consoleDo issues a request to h, optionally with an Origin header, and returns
|
||||
// the status and body. Form bodies are sent as application/x-www-form-urlencoded.
|
||||
func consoleDo(h http.Handler, method, target, body, origin string) (int, string) {
|
||||
|
||||
@@ -0,0 +1,83 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
)
|
||||
|
||||
// TestRemoveEmailIdentity erases an account's email identity but refuses when the
|
||||
// email is the account's only identity (which would leave it unreachable).
|
||||
func TestRemoveEmailIdentity(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
|
||||
// Email is the only identity → refuse.
|
||||
solo, err := store.ProvisionEmail(ctx, "solo-"+uuid.NewString()+"@example.com", "", "en")
|
||||
if err != nil {
|
||||
t.Fatalf("provision email: %v", err)
|
||||
}
|
||||
if err := store.RemoveEmailIdentity(ctx, solo.ID); !errors.Is(err, account.ErrLastIdentity) {
|
||||
t.Fatalf("remove last identity = %v, want ErrLastIdentity", err)
|
||||
}
|
||||
|
||||
// Telegram + email → erase the email, keep Telegram.
|
||||
tg, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision telegram: %v", err)
|
||||
}
|
||||
if err := store.AttachIdentity(ctx, tg.ID, account.KindEmail, "dual-"+uuid.NewString()+"@example.com", true); err != nil {
|
||||
t.Fatalf("attach email: %v", err)
|
||||
}
|
||||
if err := store.RemoveEmailIdentity(ctx, tg.ID); err != nil {
|
||||
t.Fatalf("remove email: %v", err)
|
||||
}
|
||||
ids, err := store.Identities(ctx, tg.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("identities: %v", err)
|
||||
}
|
||||
if len(ids) != 1 || ids[0].Kind != account.KindTelegram {
|
||||
t.Errorf("identities after erase = %+v, want only telegram", ids)
|
||||
}
|
||||
}
|
||||
|
||||
// TestListUsersEmailExact matches accounts strictly (exactly) by their email identity.
|
||||
func TestListUsersEmailExact(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
email := "find-" + uuid.NewString() + "@example.com"
|
||||
acc, err := store.ProvisionEmail(ctx, email, "", "en")
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
|
||||
items, err := store.ListUsers(ctx, account.UserFilter{EmailExact: email}, 50, 0)
|
||||
if err != nil {
|
||||
t.Fatalf("list: %v", err)
|
||||
}
|
||||
found := false
|
||||
for _, it := range items {
|
||||
if it.ID == acc.ID {
|
||||
found = true
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
t.Error("the exact email filter did not find the account")
|
||||
}
|
||||
|
||||
other, err := store.ListUsers(ctx, account.UserFilter{EmailExact: "nope-" + uuid.NewString() + "@example.com"}, 50, 0)
|
||||
if err != nil {
|
||||
t.Fatalf("list (no match): %v", err)
|
||||
}
|
||||
for _, it := range other {
|
||||
if it.ID == acc.ID {
|
||||
t.Error("a non-matching email filter must not return the account")
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -15,13 +15,15 @@ import (
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/ads"
|
||||
"scrabble/backend/internal/payments"
|
||||
"scrabble/backend/internal/server"
|
||||
)
|
||||
|
||||
// bannerServer assembles a console-capable server with the ads domain wired.
|
||||
func bannerServer(t *testing.T) (*server.Server, *ads.Service) {
|
||||
func bannerServer(t *testing.T) (*server.Server, *ads.Service, *payments.Service) {
|
||||
t.Helper()
|
||||
adsSvc := ads.NewService(ads.NewStore(testDB))
|
||||
paySvc := newPaymentsService()
|
||||
srv := server.New(":0", server.Deps{
|
||||
Logger: zap.NewNop(),
|
||||
Accounts: account.NewStore(testDB),
|
||||
@@ -29,8 +31,9 @@ func bannerServer(t *testing.T) (*server.Server, *ads.Service) {
|
||||
Registry: testRegistry,
|
||||
DictDir: dictDir(),
|
||||
Ads: adsSvc,
|
||||
Payments: paySvc,
|
||||
})
|
||||
return srv, adsSvc
|
||||
return srv, adsSvc, paySvc
|
||||
}
|
||||
|
||||
// findCampaign returns the id of the campaign with the given name, or fails.
|
||||
@@ -71,7 +74,7 @@ func defaultCampaign(t *testing.T, svc *ads.Service) ads.Campaign {
|
||||
// reorder/delete.
|
||||
func TestBannerConsoleCRUD(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, adsSvc := bannerServer(t)
|
||||
srv, adsSvc, _ := bannerServer(t)
|
||||
h := srv.Handler()
|
||||
base := "http://admin.test/_gm"
|
||||
const origin = "http://admin.test"
|
||||
@@ -151,7 +154,7 @@ func TestBannerConsoleCRUD(t *testing.T) {
|
||||
// unrelated campaign's URL must be refused.
|
||||
func TestBannerMessageOwnership(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, adsSvc := bannerServer(t)
|
||||
srv, adsSvc, _ := bannerServer(t)
|
||||
h := srv.Handler()
|
||||
base := "http://admin.test/_gm"
|
||||
const origin = "http://admin.test"
|
||||
@@ -188,17 +191,24 @@ func TestBannerMessageOwnership(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// profileBanner is the banner block of the profile.get JSON response.
|
||||
// profileBanner is the banner (and interstitial-ad) block of the profile.get JSON response.
|
||||
type profileBanner struct {
|
||||
Banner *struct {
|
||||
Campaigns []struct {
|
||||
Weight int `json:"weight"`
|
||||
Messages []string `json:"messages"`
|
||||
Weight int `json:"weight"`
|
||||
Messages []string `json:"messages"`
|
||||
OverrideBg string `json:"override_bg"`
|
||||
} `json:"campaigns"`
|
||||
Timings struct {
|
||||
HoldMs int `json:"hold_ms"`
|
||||
} `json:"timings"`
|
||||
} `json:"banner"`
|
||||
Ads *struct {
|
||||
CooldownGlobalS int `json:"cooldown_global_s"`
|
||||
CooldownVsAiS int `json:"cooldown_vs_ai_s"`
|
||||
CooldownHintS int `json:"cooldown_hint_s"`
|
||||
Suppressed bool `json:"suppressed"`
|
||||
} `json:"ads"`
|
||||
}
|
||||
|
||||
// TestBannerProfileEligibility checks the profile.get banner block follows
|
||||
@@ -206,10 +216,11 @@ type profileBanner struct {
|
||||
// wallet each suppress it.
|
||||
func TestBannerProfileEligibility(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, _ := bannerServer(t)
|
||||
srv, _, pay := bannerServer(t)
|
||||
accounts := account.NewStore(testDB)
|
||||
id := provisionAccount(t)
|
||||
|
||||
// getBanner fetches the profile banner with no platform header (an untrusted context).
|
||||
getBanner := func() profileBanner {
|
||||
t.Helper()
|
||||
rec := userGet(t, srv, "/api/v1/user/profile", id)
|
||||
@@ -222,10 +233,27 @@ func TestBannerProfileEligibility(t *testing.T) {
|
||||
}
|
||||
return p
|
||||
}
|
||||
// getBannerTG fetches the profile banner in a trusted Telegram context — the account's
|
||||
// telegram identity makes telegram the applicable origin for its benefits.
|
||||
getBannerTG := func() profileBanner {
|
||||
t.Helper()
|
||||
rec := httptest.NewRecorder()
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/v1/user/profile", nil)
|
||||
req.Header.Set("X-User-ID", id.String())
|
||||
req.Header.Set("X-Platform", "telegram/android")
|
||||
srv.Handler().ServeHTTP(rec, req)
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Fatalf("profile = %d, want 200", rec.Code)
|
||||
}
|
||||
var p profileBanner
|
||||
if err := json.Unmarshal(rec.Body.Bytes(), &p); err != nil {
|
||||
t.Fatalf("decode profile: %v", err)
|
||||
}
|
||||
return p
|
||||
}
|
||||
|
||||
// A free account with an empty hint wallet and no role is eligible.
|
||||
p := getBanner()
|
||||
if p.Banner == nil || len(p.Banner.Campaigns) == 0 || p.Banner.Timings.HoldMs <= 0 {
|
||||
// A free account with no role and no benefit is eligible.
|
||||
if p := getBanner(); p.Banner == nil || len(p.Banner.Campaigns) == 0 || p.Banner.Timings.HoldMs <= 0 {
|
||||
t.Fatalf("eligible account: banner=%v", p.Banner)
|
||||
}
|
||||
|
||||
@@ -240,19 +268,106 @@ func TestBannerProfileEligibility(t *testing.T) {
|
||||
t.Fatalf("revoke role: %v", err)
|
||||
}
|
||||
|
||||
// A non-empty hint wallet suppresses it.
|
||||
if _, err := accounts.GrantHints(ctx, id, 5); err != nil {
|
||||
// A hint wallet no longer suppresses the banner — hints and no-ads are distinct benefits now.
|
||||
if err := pay.Grant(ctx, id, payments.SourceTelegram, 5, 0, false); err != nil {
|
||||
t.Fatalf("grant hints: %v", err)
|
||||
}
|
||||
if p := getBanner(); p.Banner != nil {
|
||||
t.Fatal("a non-empty hint wallet still shows the banner")
|
||||
if p := getBannerTG(); p.Banner == nil {
|
||||
t.Fatal("a hint wallet must NOT suppress the banner")
|
||||
}
|
||||
|
||||
// An active no-ads benefit applicable in the context suppresses the banner.
|
||||
if err := pay.Grant(ctx, id, payments.SourceTelegram, 0, 30, false); err != nil {
|
||||
t.Fatalf("grant no-ads: %v", err)
|
||||
}
|
||||
if p := getBannerTG(); p.Banner != nil {
|
||||
t.Fatal("an active no-ads benefit must suppress the banner")
|
||||
}
|
||||
// Fail-closed: without a trusted platform the same benefit does not apply, so the banner shows.
|
||||
if p := getBanner(); p.Banner == nil {
|
||||
t.Fatal("an untrusted context must not apply the no-ads benefit (banner should show)")
|
||||
}
|
||||
}
|
||||
|
||||
// TestProfileAdsConfig checks the profile.get interstitial-ad block: the seeded config cooldowns are
|
||||
// carried through, and Suppressed follows the same no-ads / no_banner gate as the banner (the client
|
||||
// self-gates VK-only + online on top). The no_banner role is context-independent; the no-ads benefit
|
||||
// applies only in a trusted context where its segment is present.
|
||||
func TestProfileAdsConfig(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, _, pay := bannerServer(t)
|
||||
accounts := account.NewStore(testDB)
|
||||
id := provisionAccount(t)
|
||||
|
||||
get := func() profileBanner {
|
||||
t.Helper()
|
||||
rec := userGet(t, srv, "/api/v1/user/profile", id)
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Fatalf("profile = %d, want 200", rec.Code)
|
||||
}
|
||||
var p profileBanner
|
||||
if err := json.Unmarshal(rec.Body.Bytes(), &p); err != nil {
|
||||
t.Fatalf("decode profile: %v", err)
|
||||
}
|
||||
return p
|
||||
}
|
||||
getTG := func() profileBanner {
|
||||
t.Helper()
|
||||
rec := httptest.NewRecorder()
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/v1/user/profile", nil)
|
||||
req.Header.Set("X-User-ID", id.String())
|
||||
req.Header.Set("X-Platform", "telegram/android")
|
||||
srv.Handler().ServeHTTP(rec, req)
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Fatalf("profile = %d, want 200", rec.Code)
|
||||
}
|
||||
var p profileBanner
|
||||
if err := json.Unmarshal(rec.Body.Bytes(), &p); err != nil {
|
||||
t.Fatalf("decode profile: %v", err)
|
||||
}
|
||||
return p
|
||||
}
|
||||
|
||||
// A free account: the ads block carries the seeded config cooldowns and is not suppressed.
|
||||
p := get()
|
||||
if p.Ads == nil {
|
||||
t.Fatal("free account: no ads block")
|
||||
}
|
||||
if p.Ads.CooldownGlobalS != 300 || p.Ads.CooldownVsAiS != 1800 || p.Ads.CooldownHintS != 60 {
|
||||
t.Fatalf("cooldowns = %d/%d/%d, want 300/1800/60", p.Ads.CooldownGlobalS, p.Ads.CooldownVsAiS, p.Ads.CooldownHintS)
|
||||
}
|
||||
if p.Ads.Suppressed {
|
||||
t.Fatal("free account: interstitials must not be suppressed")
|
||||
}
|
||||
|
||||
// The no_banner role suppresses interstitials too (context-independent).
|
||||
if err := accounts.GrantRole(ctx, id, account.RoleNoBanner); err != nil {
|
||||
t.Fatalf("grant role: %v", err)
|
||||
}
|
||||
if p := get(); p.Ads == nil || !p.Ads.Suppressed {
|
||||
t.Fatalf("no_banner role: ads=%v, want suppressed", p.Ads)
|
||||
}
|
||||
if err := accounts.RevokeRole(ctx, id, account.RoleNoBanner); err != nil {
|
||||
t.Fatalf("revoke role: %v", err)
|
||||
}
|
||||
|
||||
// An active no-ads benefit suppresses interstitials in a trusted context; an untrusted context
|
||||
// does not apply it (fail-closed to eligible, as for the banner).
|
||||
if err := pay.Grant(ctx, id, payments.SourceTelegram, 0, 30, false); err != nil {
|
||||
t.Fatalf("grant no-ads: %v", err)
|
||||
}
|
||||
if p := getTG(); p.Ads == nil || !p.Ads.Suppressed {
|
||||
t.Fatalf("no-ads benefit (trusted): ads=%v, want suppressed", p.Ads)
|
||||
}
|
||||
if p := get(); p.Ads == nil || p.Ads.Suppressed {
|
||||
t.Fatalf("no-ads benefit (untrusted): ads=%v, want NOT suppressed", p.Ads)
|
||||
}
|
||||
}
|
||||
|
||||
// TestBannerSurvivesProfileUpdate guards that a profile update (e.g. a language switch) returns the
|
||||
// banner block too, so the client's profile keeps the banner instead of losing it until reload.
|
||||
func TestBannerSurvivesProfileUpdate(t *testing.T) {
|
||||
srv, _ := bannerServer(t)
|
||||
srv, _, _ := bannerServer(t)
|
||||
id := provisionAccount(t)
|
||||
|
||||
body := `{"display_name":"Tester","preferred_language":"ru","time_zone":"UTC","away_start":"00:00",` +
|
||||
@@ -274,3 +389,136 @@ func TestBannerSurvivesProfileUpdate(t *testing.T) {
|
||||
t.Fatalf("profile update dropped the banner block: %v", p.Banner)
|
||||
}
|
||||
}
|
||||
|
||||
// TestBannerConsoleColorsAndUrgent drives the colour-override + urgent editor over
|
||||
// HTTP against real Postgres: an incomplete or malformed colour set is refused, a
|
||||
// full two-set override + urgent round-trips through the store (exercising the new
|
||||
// columns and CHECK constraints), clearing the sets removes the override, and the
|
||||
// default campaign stays plain (colours + urgent are ignored for it).
|
||||
func TestBannerConsoleColorsAndUrgent(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, adsSvc, _ := bannerServer(t)
|
||||
h := srv.Handler()
|
||||
base := "http://admin.test/_gm"
|
||||
const origin = "http://admin.test"
|
||||
|
||||
name := "Brand-" + uuid.NewString()[:8]
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/banners", "name="+name+"&weight=20&enabled=on", origin); code != http.StatusOK || !strings.Contains(body, "Created") {
|
||||
t.Fatalf("create = %d, has Created=%v", code, strings.Contains(body, "Created"))
|
||||
}
|
||||
id := findCampaign(t, adsSvc, name)
|
||||
t.Cleanup(func() { _ = adsSvc.DeleteCampaign(ctx, id) })
|
||||
detail := base + "/banners/" + id.String()
|
||||
|
||||
// A partial colour set (a missing colour) is refused by validation.
|
||||
partial := "name=" + name + "&weight=20&enabled=on&override_all_on=on&override_bg=%23aa0000&override_fg=&override_link=%23ffdd00"
|
||||
if code, b := consoleDo(h, http.MethodPost, detail, partial, origin); code != http.StatusOK || !strings.Contains(b, "Not saved") {
|
||||
t.Fatalf("partial colour = %d, has 'Not saved'=%v", code, strings.Contains(b, "Not saved"))
|
||||
}
|
||||
// A malformed hex is refused.
|
||||
badHex := "name=" + name + "&weight=20&enabled=on&override_all_on=on&override_bg=red&override_fg=%23ffffff&override_link=%23ffdd00"
|
||||
if code, b := consoleDo(h, http.MethodPost, detail, badHex, origin); code != http.StatusOK || !strings.Contains(b, "Not saved") {
|
||||
t.Fatalf("bad hex = %d, has 'Not saved'=%v", code, strings.Contains(b, "Not saved"))
|
||||
}
|
||||
// Both colour sets + urgent persist and round-trip through the store.
|
||||
full := "name=" + name + "&weight=20&enabled=on&urgent=on" +
|
||||
"&override_all_on=on&override_bg=%23aa0000&override_fg=%23ffffff&override_link=%23ffdd00" +
|
||||
"&override_dark_on=on&override_bg_dark=%23330000&override_fg_dark=%23eeeeee&override_link_dark=%23ffcc00"
|
||||
if code, b := consoleDo(h, http.MethodPost, detail, full, origin); code != http.StatusOK || !strings.Contains(b, "Saved") {
|
||||
t.Fatalf("full save = %d, has Saved=%v", code, strings.Contains(b, "Saved"))
|
||||
}
|
||||
cm, err := adsSvc.Campaign(ctx, id)
|
||||
if err != nil {
|
||||
t.Fatalf("read campaign: %v", err)
|
||||
}
|
||||
if cm.OverrideAll == nil || cm.OverrideAll.Bg != "#aa0000" || cm.OverrideAll.Fg != "#ffffff" || cm.OverrideAll.Link != "#ffdd00" {
|
||||
t.Fatalf("override all = %+v", cm.OverrideAll)
|
||||
}
|
||||
if cm.OverrideDark == nil || cm.OverrideDark.Bg != "#330000" || cm.OverrideDark.Fg != "#eeeeee" || cm.OverrideDark.Link != "#ffcc00" {
|
||||
t.Fatalf("override dark = %+v", cm.OverrideDark)
|
||||
}
|
||||
if !cm.Urgent {
|
||||
t.Fatal("urgent not persisted")
|
||||
}
|
||||
// Clearing the sets (both checkboxes off, urgent off) removes the override.
|
||||
if code, _ := consoleDo(h, http.MethodPost, detail, "name="+name+"&weight=20&enabled=on", origin); code != http.StatusOK {
|
||||
t.Fatalf("clear = %d", code)
|
||||
}
|
||||
if cm, _ := adsSvc.Campaign(ctx, id); cm.OverrideAll != nil || cm.OverrideDark != nil || cm.Urgent {
|
||||
t.Fatalf("override not cleared: all=%v dark=%v urgent=%v", cm.OverrideAll, cm.OverrideDark, cm.Urgent)
|
||||
}
|
||||
|
||||
// The default campaign stays plain: submitted colours + urgent are ignored for it.
|
||||
def := defaultCampaign(t, adsSvc)
|
||||
defForm := "name=Default+%28house%29&urgent=on&override_all_on=on&override_bg=%23aa0000&override_fg=%23ffffff&override_link=%23ffdd00"
|
||||
if code, _ := consoleDo(h, http.MethodPost, base+"/banners/"+def.ID.String(), defForm, origin); code != http.StatusOK {
|
||||
t.Fatalf("update default = %d", code)
|
||||
}
|
||||
if again := defaultCampaign(t, adsSvc); again.OverrideAll != nil || again.OverrideDark != nil || again.Urgent {
|
||||
t.Fatalf("default not plain: all=%v dark=%v urgent=%v", again.OverrideAll, again.OverrideDark, again.Urgent)
|
||||
}
|
||||
}
|
||||
|
||||
// TestBannerUrgentBypassesEligibility checks the urgent flag at the profile level:
|
||||
// an urgent campaign preempts the feed (only it shows, with its colours) and reaches
|
||||
// every viewer — including the no_banner role and a non-empty hint wallet that
|
||||
// otherwise suppress the banner.
|
||||
func TestBannerUrgentBypassesEligibility(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, adsSvc, _ := bannerServer(t)
|
||||
accounts := account.NewStore(testDB)
|
||||
id := provisionAccount(t)
|
||||
|
||||
urgentID, err := adsSvc.CreateCampaign(ctx, ads.Campaign{
|
||||
Name: "Alert-" + uuid.NewString()[:8], Weight: 10, Enabled: true, Urgent: true,
|
||||
OverrideAll: &ads.ColorSet{Bg: "#aa0000", Fg: "#ffffff", Link: "#ffdd00"},
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("create urgent: %v", err)
|
||||
}
|
||||
t.Cleanup(func() { _ = adsSvc.DeleteCampaign(ctx, urgentID) })
|
||||
if _, err := adsSvc.AddMessage(ctx, urgentID, "System maintenance tonight", "Ночью тех.работы"); err != nil {
|
||||
t.Fatalf("add urgent message: %v", err)
|
||||
}
|
||||
|
||||
get := func() profileBanner {
|
||||
t.Helper()
|
||||
rec := userGet(t, srv, "/api/v1/user/profile", id)
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Fatalf("profile = %d", rec.Code)
|
||||
}
|
||||
var p profileBanner
|
||||
if err := json.Unmarshal(rec.Body.Bytes(), &p); err != nil {
|
||||
t.Fatalf("decode: %v", err)
|
||||
}
|
||||
return p
|
||||
}
|
||||
assertUrgentOnly := func(what string, p profileBanner) {
|
||||
t.Helper()
|
||||
if p.Banner == nil {
|
||||
t.Fatalf("%s: no banner", what)
|
||||
}
|
||||
if len(p.Banner.Campaigns) != 1 {
|
||||
t.Fatalf("%s: %d campaigns, want only the urgent one (default preempted)", what, len(p.Banner.Campaigns))
|
||||
}
|
||||
c := p.Banner.Campaigns[0]
|
||||
if len(c.Messages) != 1 || c.Messages[0] != "System maintenance tonight" {
|
||||
t.Fatalf("%s: messages = %v, want only the urgent one", what, c.Messages)
|
||||
}
|
||||
if c.OverrideBg != "#aa0000" {
|
||||
t.Fatalf("%s: override_bg = %q, want #aa0000", what, c.OverrideBg)
|
||||
}
|
||||
}
|
||||
|
||||
// A normal viewer sees only the urgent campaign (the default is preempted).
|
||||
assertUrgentOnly("eligible", get())
|
||||
|
||||
// The no_banner role no longer suppresses it — urgent reaches everyone.
|
||||
if err := accounts.GrantRole(ctx, id, account.RoleNoBanner); err != nil {
|
||||
t.Fatalf("grant role: %v", err)
|
||||
}
|
||||
assertUrgentOnly("no_banner", get())
|
||||
if err := accounts.RevokeRole(ctx, id, account.RoleNoBanner); err != nil {
|
||||
t.Fatalf("revoke role: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,97 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/payments"
|
||||
)
|
||||
|
||||
// productByTitle finds a catalog product by its (unique in the test) title.
|
||||
func productByTitle(t *testing.T, pay *payments.Service, title string) payments.AdminProduct {
|
||||
t.Helper()
|
||||
all, err := pay.AdminCatalog(context.Background())
|
||||
if err != nil {
|
||||
t.Fatalf("admin catalog: %v", err)
|
||||
}
|
||||
for _, p := range all {
|
||||
if p.Title == title {
|
||||
return p
|
||||
}
|
||||
}
|
||||
t.Fatalf("product %q not found", title)
|
||||
return payments.AdminProduct{}
|
||||
}
|
||||
|
||||
// TestConsoleCatalogEditor drives the catalog editor end to end: create is CSRF-guarded; a value and
|
||||
// a pack are created and edited; an invalid active product is refused; archive hides it; a
|
||||
// never-transacted product deletes; a transacted product is refused deletion (archive only).
|
||||
func TestConsoleCatalogEditor(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, _, pay := bannerServer(t)
|
||||
h := srv.Handler()
|
||||
const origin = "http://admin.test"
|
||||
const catalog = "http://admin.test/_gm/catalog"
|
||||
|
||||
// CSRF: a create without the origin header is refused.
|
||||
if code, _ := consoleDo(h, http.MethodPost, catalog, "title=x&hints=1&price_chip=10&active=true", ""); code != http.StatusForbidden {
|
||||
t.Fatalf("create without origin = %d, want 403", code)
|
||||
}
|
||||
|
||||
// Create a value product: 5 hints for 50 chips, active.
|
||||
if code, body := consoleDo(h, http.MethodPost, catalog, "title=cat-hints-5&hints=5&price_chip=50&active=true", origin); code != http.StatusOK || !strings.Contains(body, "Created") {
|
||||
t.Fatalf("create value = %d, has 'Created' = %v", code, strings.Contains(body, "Created"))
|
||||
}
|
||||
val := productByTitle(t, pay, "cat-hints-5")
|
||||
if !val.Active || len(val.Atoms) != 1 || val.Atoms[0].Atom != "hints" || val.Atoms[0].Quantity != 5 {
|
||||
t.Fatalf("created value = %+v", val)
|
||||
}
|
||||
|
||||
// An invalid active pack (chips, no money price) is refused.
|
||||
if code, body := consoleDo(h, http.MethodPost, catalog, "title=cat-bad&chips=100&active=true", origin); code != http.StatusOK || !strings.Contains(body, "Invalid product") {
|
||||
t.Fatalf("bad pack = %d, has 'Invalid product' = %v", code, strings.Contains(body, "Invalid product"))
|
||||
}
|
||||
if _, err := pay.AdminCatalog(ctx); err != nil {
|
||||
t.Fatalf("catalog: %v", err)
|
||||
}
|
||||
|
||||
// Edit the value: raise to 8 hints.
|
||||
base := catalog + "/" + val.ID.String()
|
||||
if code, _ := consoleDo(h, http.MethodPost, base, "title=cat-hints-8&hints=8&price_chip=50&active=true", origin); code != http.StatusOK {
|
||||
t.Fatalf("edit = %d", code)
|
||||
}
|
||||
if got := productByTitle(t, pay, "cat-hints-8"); len(got.Atoms) != 1 || got.Atoms[0].Quantity != 8 {
|
||||
t.Fatalf("after edit atoms = %+v, want 8 hints", got.Atoms)
|
||||
}
|
||||
|
||||
// Archive it → hidden from the storefront (the user Catalog filters active).
|
||||
if code, _ := consoleDo(h, http.MethodPost, base+"/archive", "active=false", origin); code != http.StatusOK {
|
||||
t.Fatalf("archive = %d", code)
|
||||
}
|
||||
if productByTitle(t, pay, "cat-hints-8").Active {
|
||||
t.Error("product still active after archive")
|
||||
}
|
||||
|
||||
// Delete the never-transacted product.
|
||||
if code, body := consoleDo(h, http.MethodPost, base+"/delete", "", origin); code != http.StatusOK || !strings.Contains(body, "Deleted") {
|
||||
t.Fatalf("delete clean = %d, has 'Deleted' = %v", code, strings.Contains(body, "Deleted"))
|
||||
}
|
||||
|
||||
// A transacted product cannot be deleted — only archived.
|
||||
if code, _ := consoleDo(h, http.MethodPost, catalog, "title=cat-pack&chips=100&price_rub=14900&active=true", origin); code != http.StatusOK {
|
||||
t.Fatal("create pack failed")
|
||||
}
|
||||
pack := productByTitle(t, pay, "cat-pack")
|
||||
if _, err := pay.CreateOrder(ctx, uuid.New(), payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, pack.ID, "robokassa"); err != nil {
|
||||
t.Fatalf("create order: %v", err)
|
||||
}
|
||||
if code, body := consoleDo(h, http.MethodPost, catalog+"/"+pack.ID.String()+"/delete", "", origin); code != http.StatusOK || !strings.Contains(body, "Cannot delete") {
|
||||
t.Fatalf("delete transacted = %d, has 'Cannot delete' = %v", code, strings.Contains(body, "Cannot delete"))
|
||||
}
|
||||
}
|
||||
@@ -138,6 +138,65 @@ func TestNudgeClearedByMove(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// TestGameCompletionExpiresNudgesKeepsChat checks that finishing a game by turn-timeout marks every
|
||||
// pending nudge in it read — the lobby's nudge badge is stale once the game is over — while leaving
|
||||
// real chat messages unread. It reproduces the reported bug: the timeout path commits the finish
|
||||
// directly, bypassing the move path's per-mover nudge clear, so without a completion-driven expiry
|
||||
// the awaited seat's nudge lingered as a badge on the finished game.
|
||||
func TestGameCompletionExpiresNudgesKeepsChat(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
gameSvc := newGameService()
|
||||
socialSvc := newSocialService()
|
||||
gameSvc.SetNudgeExpirer(socialSvc.ExpireNudges)
|
||||
|
||||
seats := []uuid.UUID{provisionAccount(t), provisionAccount(t)}
|
||||
g, err := gameSvc.Create(ctx, game.CreateParams{
|
||||
Variant: engine.VariantEnglish, Seats: seats, TurnTimeout: time.Hour, Seed: openingSeed(t),
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("create: %v", err)
|
||||
}
|
||||
|
||||
// Seat 1 nudges the to-move seat 0 (the awaited player), and seat 0 posts a real chat message,
|
||||
// which seat 1 then holds unread. So before the timeout each side has exactly one unread entry:
|
||||
// seat 0 a nudge, seat 1 a message — letting HasUnread isolate each kind.
|
||||
if _, err := socialSvc.Nudge(ctx, g.ID, seats[1]); err != nil {
|
||||
t.Fatalf("nudge: %v", err)
|
||||
}
|
||||
if _, err := socialSvc.PostMessage(ctx, g.ID, seats[0], "good luck", ""); err != nil {
|
||||
t.Fatalf("post message: %v", err)
|
||||
}
|
||||
if unread, _ := socialSvc.HasUnread(ctx, g.ID, seats[0]); !unread {
|
||||
t.Fatal("seat 0 should hold the nudge unread before the timeout")
|
||||
}
|
||||
if unread, _ := socialSvc.HasUnread(ctx, g.ID, seats[1]); !unread {
|
||||
t.Fatal("seat 1 should hold the message unread before the timeout")
|
||||
}
|
||||
|
||||
// Age the turn past its deadline and time seat 0 out; an empty away window keeps this
|
||||
// deterministic regardless of the wall clock. The sweep finishes the game through the direct
|
||||
// commit path, never the move path.
|
||||
backdate(t, g.ID, time.Now().UTC().Add(-2*time.Hour))
|
||||
setAway(t, seats[0], "UTC", "00:00", "00:00")
|
||||
if n, err := gameSvc.SweepTimeouts(ctx, time.Now().UTC()); err != nil || n < 1 {
|
||||
t.Fatalf("sweep swept %d (err %v), want >= 1", n, err)
|
||||
}
|
||||
if status, reason := gameStatus(t, gameSvc, g.ID); status != game.StatusFinished || reason != "timeout" {
|
||||
t.Fatalf("game not timed out: status %q reason %q", status, reason)
|
||||
}
|
||||
|
||||
// The nudge is stale on a finished game and must be cleared; the chat message must survive.
|
||||
if unread, _ := socialSvc.HasUnread(ctx, g.ID, seats[0]); unread {
|
||||
t.Error("the nudge should be expired once the game has finished")
|
||||
}
|
||||
if unread, _ := socialSvc.HasUnread(ctx, g.ID, seats[1]); !unread {
|
||||
t.Error("a real chat message must stay unread after the game finishes")
|
||||
}
|
||||
if msg, _ := socialSvc.HasUnreadMessage(ctx, g.ID, seats[1]); !msg {
|
||||
t.Error("the chat message must remain flagged as an unread message after completion")
|
||||
}
|
||||
}
|
||||
|
||||
// TestChatToRobotIsBornRead checks a text message to a disguised robot opponent (a pooled
|
||||
// robot substituted into an ordinary, non-AI game) is born read: the robot never opens the
|
||||
// chat, so the message must not linger unread (skewing the count and the read metric).
|
||||
|
||||
@@ -0,0 +1,322 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/accountdelete"
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/game"
|
||||
)
|
||||
|
||||
// deletedFields reads a tombstoned account's retained real name and its deleted_at.
|
||||
func deletedFields(t *testing.T, accountID uuid.UUID) (name string, deletedAt sql.NullTime) {
|
||||
t.Helper()
|
||||
var dn sql.NullString
|
||||
err := testDB.QueryRowContext(context.Background(),
|
||||
"SELECT deleted_display_name, deleted_at FROM accounts WHERE account_id = $1", accountID).
|
||||
Scan(&dn, &deletedAt)
|
||||
if err != nil {
|
||||
t.Fatalf("read deleted fields %s: %v", accountID, err)
|
||||
}
|
||||
return dn.String, deletedAt
|
||||
}
|
||||
|
||||
// TestAnonymizeAndTombstone: deletion journals + frees the credentials, tombstones the
|
||||
// account, scrubs the live name while retaining the real one, and frees the creds for a
|
||||
// new account to reuse.
|
||||
func TestAnonymizeAndTombstone(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
deleter := accountdelete.NewDeleter(testDB)
|
||||
|
||||
acc, _, err := store.ProvisionTelegram(ctx, "tg-"+uuid.NewString(), "ru", "handle", "Иван", "+03:00")
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
email := "del-" + uuid.NewString() + "@example.com"
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, email, true); err != nil {
|
||||
t.Fatalf("attach email: %v", err)
|
||||
}
|
||||
before, err := store.GetByID(ctx, acc.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("load before: %v", err)
|
||||
}
|
||||
|
||||
if err := deleter.AnonymizeAndTombstone(ctx, acc.ID); err != nil {
|
||||
t.Fatalf("delete: %v", err)
|
||||
}
|
||||
|
||||
// The live identities are gone.
|
||||
if ids, err := store.Identities(ctx, acc.ID); err != nil || len(ids) != 0 {
|
||||
t.Fatalf("identities after delete = %+v (err %v), want none", ids, err)
|
||||
}
|
||||
// Both credentials are journalled with reason=delete.
|
||||
got := retainedRows(t, acc.ID)
|
||||
if len(got) != 2 {
|
||||
t.Fatalf("retained rows = %+v, want 2", got)
|
||||
}
|
||||
for _, r := range got {
|
||||
if r.reason != "delete" {
|
||||
t.Errorf("retained reason = %q, want delete", r.reason)
|
||||
}
|
||||
}
|
||||
// The live name is scrubbed; the real one is retained; deleted_at is set.
|
||||
after, err := store.GetByID(ctx, acc.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("load after: %v", err)
|
||||
}
|
||||
if after.DisplayName != accountdelete.AnonymizedName {
|
||||
t.Errorf("live display name = %q, want %q", after.DisplayName, accountdelete.AnonymizedName)
|
||||
}
|
||||
name, deletedAt := deletedFields(t, acc.ID)
|
||||
if name != before.DisplayName {
|
||||
t.Errorf("retained name = %q, want %q", name, before.DisplayName)
|
||||
}
|
||||
if !deletedAt.Valid || time.Since(deletedAt.Time) > time.Minute {
|
||||
t.Errorf("deleted_at = %+v, want a recent timestamp", deletedAt)
|
||||
}
|
||||
// The credentials are free: a new account can claim the same email.
|
||||
other, _, err := store.ProvisionTelegram(ctx, "tg-"+uuid.NewString(), "en", "", "Other", "")
|
||||
if err != nil {
|
||||
t.Fatalf("provision other: %v", err)
|
||||
}
|
||||
if err := store.AttachIdentity(ctx, other.ID, account.KindEmail, email, true); err != nil {
|
||||
t.Fatalf("email should be free after deletion, got: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestDeletionDossierReaders: after deletion the admin readers expose the credential
|
||||
// journal and the tombstone dossier.
|
||||
func TestDeletionDossierReaders(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
deleter := accountdelete.NewDeleter(testDB)
|
||||
|
||||
acc, _, err := store.ProvisionTelegram(ctx, "tg-"+uuid.NewString(), "ru", "handle", "Иван", "+03:00")
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, "dos-"+uuid.NewString()+"@example.com", true); err != nil {
|
||||
t.Fatalf("attach email: %v", err)
|
||||
}
|
||||
if err := deleter.AnonymizeAndTombstone(ctx, acc.ID); err != nil {
|
||||
t.Fatalf("delete: %v", err)
|
||||
}
|
||||
|
||||
rets, err := store.RetainedIdentities(ctx, acc.ID)
|
||||
if err != nil || len(rets) != 2 {
|
||||
t.Fatalf("RetainedIdentities = (%+v, %v), want 2 rows", rets, err)
|
||||
}
|
||||
for _, r := range rets {
|
||||
if r.Reason != "delete" {
|
||||
t.Errorf("retained reason = %q, want delete", r.Reason)
|
||||
}
|
||||
}
|
||||
info, err := store.DeletionInfo(ctx, acc.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("DeletionInfo: %v", err)
|
||||
}
|
||||
if info.DeletedAt == nil {
|
||||
t.Error("DeletionInfo.DeletedAt should be set")
|
||||
}
|
||||
if info.DeletedDisplayName != "Иван" {
|
||||
t.Errorf("DeletionInfo.DeletedDisplayName = %q, want Иван", info.DeletedDisplayName)
|
||||
}
|
||||
}
|
||||
|
||||
// listHasID reports whether the user list contains accountID.
|
||||
func listHasID(items []account.UserListItem, id uuid.UUID) bool {
|
||||
for _, it := range items {
|
||||
if it.ID == id {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// TestUserListDeletedFilter: a tombstoned account is hidden from the default People list and
|
||||
// shown only under the Deleted scope.
|
||||
func TestUserListDeletedFilter(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
deleter := accountdelete.NewDeleter(testDB)
|
||||
|
||||
live, _, err := store.ProvisionTelegram(ctx, "tg-"+uuid.NewString(), "en", "", "Live", "")
|
||||
if err != nil {
|
||||
t.Fatalf("provision live: %v", err)
|
||||
}
|
||||
goneTg := "tg-" + uuid.NewString()
|
||||
gone, _, err := store.ProvisionTelegram(ctx, goneTg, "en", "", "Gone", "")
|
||||
if err != nil {
|
||||
t.Fatalf("provision gone: %v", err)
|
||||
}
|
||||
goneEmail := "gone-" + uuid.NewString() + "@example.com"
|
||||
if err := store.AttachIdentity(ctx, gone.ID, account.KindEmail, goneEmail, true); err != nil {
|
||||
t.Fatalf("attach gone email: %v", err)
|
||||
}
|
||||
if err := deleter.AnonymizeAndTombstone(ctx, gone.ID); err != nil {
|
||||
t.Fatalf("delete: %v", err)
|
||||
}
|
||||
|
||||
people, err := store.ListUsers(ctx, account.UserFilter{}, 5000, 0)
|
||||
if err != nil {
|
||||
t.Fatalf("list people: %v", err)
|
||||
}
|
||||
if listHasID(people, gone.ID) {
|
||||
t.Error("a deleted account must not appear in the default People list")
|
||||
}
|
||||
if !listHasID(people, live.ID) {
|
||||
t.Error("a live account must appear in the default People list")
|
||||
}
|
||||
deleted, err := store.ListUsers(ctx, account.UserFilter{Deleted: true}, 5000, 0)
|
||||
if err != nil {
|
||||
t.Fatalf("list deleted: %v", err)
|
||||
}
|
||||
if !listHasID(deleted, gone.ID) {
|
||||
t.Error("a deleted account must appear in the Deleted list")
|
||||
}
|
||||
if listHasID(deleted, live.ID) {
|
||||
t.Error("a live account must not appear in the Deleted list")
|
||||
}
|
||||
|
||||
// A search spans both lists and reaches the retention journal: a deleted account is
|
||||
// still found by the email and external id it held (both moved to retained_identities
|
||||
// on deletion, out of the live identities table).
|
||||
byEmail, err := store.ListUsers(ctx, account.UserFilter{EmailExact: goneEmail}, 5000, 0)
|
||||
if err != nil {
|
||||
t.Fatalf("search by email: %v", err)
|
||||
}
|
||||
if !listHasID(byEmail, gone.ID) {
|
||||
t.Error("a deleted account must be found by the email it held (retention journal)")
|
||||
}
|
||||
byExt, err := store.ListUsers(ctx, account.UserFilter{ExternalIDMask: goneTg}, 5000, 0)
|
||||
if err != nil {
|
||||
t.Fatalf("search by external id: %v", err)
|
||||
}
|
||||
if !listHasID(byExt, gone.ID) {
|
||||
t.Error("a deleted account must be found by the external id it held (retention journal)")
|
||||
}
|
||||
}
|
||||
|
||||
// TestConfirmCodeClearsGuest: confirming an email on a guest via ConfirmCode promotes it to
|
||||
// a durable account (defence-in-depth — no confirmed-email path leaves is_guest set).
|
||||
func TestConfirmCodeClearsGuest(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
guest, err := store.ProvisionGuest(ctx, "")
|
||||
if err != nil {
|
||||
t.Fatalf("provision guest: %v", err)
|
||||
}
|
||||
email := "cc-" + uuid.NewString() + "@example.com"
|
||||
if err := svc.RequestCode(ctx, guest.ID, email); err != nil {
|
||||
t.Fatalf("request code: %v", err)
|
||||
}
|
||||
if _, err := svc.ConfirmCode(ctx, guest.ID, email, sixDigit.FindString(mailer.lastBody)); err != nil {
|
||||
t.Fatalf("confirm code: %v", err)
|
||||
}
|
||||
after, err := store.GetByID(ctx, guest.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("load: %v", err)
|
||||
}
|
||||
if after.IsGuest {
|
||||
t.Error("confirming an email must clear the guest flag")
|
||||
}
|
||||
}
|
||||
|
||||
// TestDropAllRobotGames drops the deletee's solo vs-AI game but keeps a game with a human
|
||||
// opponent.
|
||||
func TestDropAllRobotGames(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
gsvc := newGameService()
|
||||
robots := newRobotService(t, gsvc)
|
||||
if err := robots.EnsurePool(ctx); err != nil {
|
||||
t.Fatalf("ensure pool: %v", err)
|
||||
}
|
||||
mm := newMatchmaker(t, robots, time.Minute, 0)
|
||||
deleter := accountdelete.NewDeleter(testDB)
|
||||
|
||||
user := provisionAccount(t)
|
||||
other := provisionAccount(t)
|
||||
|
||||
aiRes, err := mm.StartVsAI(ctx, user, engine.VariantEnglish, true)
|
||||
if err != nil {
|
||||
t.Fatalf("start vs AI: %v", err)
|
||||
}
|
||||
humanGame, err := gsvc.Create(ctx, game.CreateParams{
|
||||
Variant: engine.VariantEnglish, Seats: []uuid.UUID{user, other}, TurnTimeout: time.Hour, Seed: 1,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("create human game: %v", err)
|
||||
}
|
||||
|
||||
n, err := deleter.DropAllRobotGames(ctx, user)
|
||||
if err != nil {
|
||||
t.Fatalf("drop: %v", err)
|
||||
}
|
||||
if n != 1 {
|
||||
t.Fatalf("dropped %d games, want 1 (the vs-AI game)", n)
|
||||
}
|
||||
if _, err := gsvc.GameByID(ctx, aiRes.Game.ID); err == nil {
|
||||
t.Error("the vs-AI game should be dropped")
|
||||
}
|
||||
if _, err := gsvc.GameByID(ctx, humanGame.ID); err != nil {
|
||||
t.Errorf("the human game should be kept, got: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestDeleteStepUpEmail: an email account's delete code verifies (wrong code rejected, no
|
||||
// deeplink in the mail); a platform-only account has no email and cannot request a code.
|
||||
func TestDeleteStepUpEmail(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
acc, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, "del-"+uuid.NewString()+"@example.com", true); err != nil {
|
||||
t.Fatalf("attach email: %v", err)
|
||||
}
|
||||
if has, err := svc.HasEmail(ctx, acc.ID); err != nil || !has {
|
||||
t.Fatalf("HasEmail = (%v, %v), want true", has, err)
|
||||
}
|
||||
if err := svc.RequestDeleteCode(ctx, acc.ID); err != nil {
|
||||
t.Fatalf("request delete code: %v", err)
|
||||
}
|
||||
if strings.Contains(mailer.lastBody, "/confirm/") {
|
||||
t.Error("a delete email must not carry a one-tap deeplink")
|
||||
}
|
||||
code := sixDigit.FindString(mailer.lastBody)
|
||||
if err := svc.VerifyDeleteCode(ctx, acc.ID, "000000"); err == nil {
|
||||
t.Error("a wrong delete code must be rejected")
|
||||
}
|
||||
if err := svc.VerifyDeleteCode(ctx, acc.ID, code); err != nil {
|
||||
t.Fatalf("verify correct delete code: %v", err)
|
||||
}
|
||||
|
||||
noEmail, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision no-email: %v", err)
|
||||
}
|
||||
if has, _ := svc.HasEmail(ctx, noEmail.ID); has {
|
||||
t.Error("HasEmail must be false for a platform-only account")
|
||||
}
|
||||
if err := svc.RequestDeleteCode(ctx, noEmail.ID); !errors.Is(err, account.ErrNoEmail) {
|
||||
t.Errorf("request delete for no-email account = %v, want ErrNoEmail", err)
|
||||
}
|
||||
}
|
||||
@@ -19,8 +19,8 @@ import (
|
||||
// recover the confirm-code from the body.
|
||||
type capturingMailer struct{ lastBody string }
|
||||
|
||||
func (m *capturingMailer) Send(_ context.Context, _, _, body string) error {
|
||||
m.lastBody = body
|
||||
func (m *capturingMailer) Send(_ context.Context, msg account.Message) error {
|
||||
m.lastBody = msg.Text
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -32,7 +32,7 @@ func TestEmailConfirmFlow(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer)
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
acc := provisionAccount(t)
|
||||
email := "user-" + uuid.NewString() + "@example.com"
|
||||
@@ -67,7 +67,7 @@ func TestEmailAlreadyTakenByAnotherAccount(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer)
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
owner := provisionAccount(t)
|
||||
email := "taken-" + uuid.NewString() + "@example.com"
|
||||
@@ -89,7 +89,7 @@ func TestEmailCodeExpires(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer)
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
acc := provisionAccount(t)
|
||||
email := "expire-" + uuid.NewString() + "@example.com"
|
||||
@@ -111,7 +111,7 @@ func TestEmailTooManyAttempts(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer)
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
acc := provisionAccount(t)
|
||||
email := "lock-" + uuid.NewString() + "@example.com"
|
||||
@@ -203,10 +203,10 @@ func TestUpdateProfileOffsetTimezone(t *testing.T) {
|
||||
func TestEmailLoginFlow(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(account.NewStore(testDB), mailer)
|
||||
svc := account.NewEmailService(account.NewStore(testDB), mailer, "https://erudit-game.ru")
|
||||
email := "login-" + uuid.NewString() + "@example.com"
|
||||
|
||||
accountID, err := svc.RequestLoginCode(ctx, email, "+02:00")
|
||||
accountID, err := svc.RequestLoginCode(ctx, email, "+02:00", "en", false)
|
||||
if err != nil {
|
||||
t.Fatalf("request login code: %v", err)
|
||||
}
|
||||
@@ -233,7 +233,7 @@ func TestEmailLoginFlow(t *testing.T) {
|
||||
}
|
||||
|
||||
// A second login for the same email is the returning user: same account.
|
||||
if _, err := svc.RequestLoginCode(ctx, email, ""); err != nil {
|
||||
if _, err := svc.RequestLoginCode(ctx, email, "", "ru", false); err != nil {
|
||||
t.Fatalf("second request: %v", err)
|
||||
}
|
||||
acc2, err := svc.LoginWithCode(ctx, email, sixDigit.FindString(mailer.lastBody))
|
||||
@@ -244,3 +244,210 @@ func TestEmailLoginFlow(t *testing.T) {
|
||||
t.Errorf("returning login account = %s, want %s", acc2.ID, accountID)
|
||||
}
|
||||
}
|
||||
|
||||
// TestEmailLoginProvisionsGuestUntilConfirmed covers the squat fix: an email-login
|
||||
// account is a guest (reapable, so an abandoned never-confirmed login frees its
|
||||
// address) until the code is confirmed, which promotes it to a durable account.
|
||||
func TestEmailLoginProvisionsGuestUntilConfirmed(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
email := "squat-" + uuid.NewString() + "@example.com"
|
||||
|
||||
id, err := svc.RequestLoginCode(ctx, email, "", "en", false)
|
||||
if err != nil {
|
||||
t.Fatalf("request login code: %v", err)
|
||||
}
|
||||
before, err := store.GetByID(ctx, id)
|
||||
if err != nil {
|
||||
t.Fatalf("get before confirm: %v", err)
|
||||
}
|
||||
if !before.IsGuest {
|
||||
t.Error("an unconfirmed email-login account must be a guest so it is reapable")
|
||||
}
|
||||
|
||||
if _, err := svc.LoginWithCode(ctx, email, sixDigit.FindString(mailer.lastBody)); err != nil {
|
||||
t.Fatalf("login: %v", err)
|
||||
}
|
||||
after, err := store.GetByID(ctx, id)
|
||||
if err != nil {
|
||||
t.Fatalf("get after confirm: %v", err)
|
||||
}
|
||||
if after.IsGuest {
|
||||
t.Error("confirming the login must clear the guest flag (promote to durable)")
|
||||
}
|
||||
}
|
||||
|
||||
// TestEmailLoginPWAOmitsLink: a login requested from an installed PWA (pwa=true) mails only the
|
||||
// code — no one-tap confirm link, which would otherwise open in a separate browser out of the
|
||||
// PWA's reach. A non-PWA request keeps the link.
|
||||
func TestEmailLoginPWAOmitsLink(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(account.NewStore(testDB), mailer, "https://erudit-game.ru")
|
||||
|
||||
pwaEmail := "pwa-login-" + uuid.NewString() + "@example.com"
|
||||
if _, err := svc.RequestLoginCode(ctx, pwaEmail, "", "en", true); err != nil {
|
||||
t.Fatalf("pwa request login: %v", err)
|
||||
}
|
||||
if sixDigit.FindString(mailer.lastBody) == "" {
|
||||
t.Errorf("pwa login mail must still carry the code, body %q", mailer.lastBody)
|
||||
}
|
||||
if confirmToken.MatchString(mailer.lastBody) {
|
||||
t.Errorf("pwa login mail must omit the one-tap confirm link, body %q", mailer.lastBody)
|
||||
}
|
||||
|
||||
webEmail := "web-login-" + uuid.NewString() + "@example.com"
|
||||
if _, err := svc.RequestLoginCode(ctx, webEmail, "", "en", false); err != nil {
|
||||
t.Fatalf("web request login: %v", err)
|
||||
}
|
||||
if !confirmToken.MatchString(mailer.lastBody) {
|
||||
t.Errorf("non-pwa login mail must keep the one-tap confirm link, body %q", mailer.lastBody)
|
||||
}
|
||||
}
|
||||
|
||||
// confirmToken extracts the one-tap deeplink token from the /app/#/confirm/<token> link
|
||||
// the branded email carries.
|
||||
var confirmToken = regexp.MustCompile(`/confirm/([A-Za-z0-9_-]+)`)
|
||||
|
||||
func tokenFromMail(t *testing.T, body string) string {
|
||||
t.Helper()
|
||||
m := confirmToken.FindStringSubmatch(body)
|
||||
if m == nil {
|
||||
t.Fatalf("no confirm token in mail body %q", body)
|
||||
}
|
||||
return m[1]
|
||||
}
|
||||
|
||||
// TestConfirmByTokenLogin: the one-tap deeplink token completes an email login,
|
||||
// clearing the guest flag.
|
||||
func TestConfirmByTokenLogin(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
email := "tok-login-" + uuid.NewString() + "@example.com"
|
||||
|
||||
id, err := svc.RequestLoginCode(ctx, email, "", "en", false)
|
||||
if err != nil {
|
||||
t.Fatalf("request login: %v", err)
|
||||
}
|
||||
res, err := svc.ConfirmByToken(ctx, tokenFromMail(t, mailer.lastBody))
|
||||
if err != nil {
|
||||
t.Fatalf("confirm by token: %v", err)
|
||||
}
|
||||
if !res.IsLogin() || res.Account != id {
|
||||
t.Fatalf("login result = %+v, want login for %s", res, id)
|
||||
}
|
||||
if !identityConfirmed(t, account.KindEmail, email) {
|
||||
t.Error("email identity must be confirmed after the token login")
|
||||
}
|
||||
if acc, _ := store.GetByID(ctx, id); acc.IsGuest {
|
||||
t.Error("the token login must clear the guest flag")
|
||||
}
|
||||
}
|
||||
|
||||
// TestConfirmByTokenLink: the token attaches a free email to the requesting account.
|
||||
func TestConfirmByTokenLink(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
acc := provisionAccount(t)
|
||||
email := "tok-link-" + uuid.NewString() + "@example.com"
|
||||
|
||||
if err := svc.RequestLinkCode(ctx, acc, email); err != nil {
|
||||
t.Fatalf("request link: %v", err)
|
||||
}
|
||||
res, err := svc.ConfirmByToken(ctx, tokenFromMail(t, mailer.lastBody))
|
||||
if err != nil {
|
||||
t.Fatalf("confirm by token: %v", err)
|
||||
}
|
||||
if res.IsLogin() || res.NeedsMerge || res.Account != acc {
|
||||
t.Fatalf("link result = %+v, want a plain link for %s", res, acc)
|
||||
}
|
||||
if !identityConfirmed(t, account.KindEmail, email) {
|
||||
t.Error("email identity must be confirmed after the token link")
|
||||
}
|
||||
}
|
||||
|
||||
// TestConfirmByTokenLinkMerge: a token for an address owned by another account signals
|
||||
// a merge (leaving the token unconsumed for the interactive step).
|
||||
func TestConfirmByTokenLinkMerge(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
email := "tok-merge-" + uuid.NewString() + "@example.com"
|
||||
|
||||
owner := provisionAccount(t)
|
||||
if err := svc.RequestCode(ctx, owner, email); err != nil {
|
||||
t.Fatalf("owner request: %v", err)
|
||||
}
|
||||
if _, err := svc.ConfirmCode(ctx, owner, email, sixDigit.FindString(mailer.lastBody)); err != nil {
|
||||
t.Fatalf("owner confirm: %v", err)
|
||||
}
|
||||
|
||||
other := provisionAccount(t)
|
||||
if err := svc.RequestLinkCode(ctx, other, email); err != nil {
|
||||
t.Fatalf("link request: %v", err)
|
||||
}
|
||||
res, err := svc.ConfirmByToken(ctx, tokenFromMail(t, mailer.lastBody))
|
||||
if err != nil {
|
||||
t.Fatalf("confirm by token: %v", err)
|
||||
}
|
||||
if !res.NeedsMerge || res.MergeOwner != owner {
|
||||
t.Fatalf("merge result = %+v, want NeedsMerge with owner=%s", res, owner)
|
||||
}
|
||||
}
|
||||
|
||||
// TestEmailAccountSeedsDisplayName seeds a new email account's display name from the
|
||||
// email's local part, so an email login is not left nameless.
|
||||
func TestEmailAccountSeedsDisplayName(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
svc := account.NewEmailService(store, &capturingMailer{}, "https://erudit-game.ru")
|
||||
local := "kaya-" + uuid.NewString()[:8]
|
||||
|
||||
id, err := svc.RequestLoginCode(ctx, local+"@example.com", "", "en", false)
|
||||
if err != nil {
|
||||
t.Fatalf("request login: %v", err)
|
||||
}
|
||||
acc, err := store.GetByID(ctx, id)
|
||||
if err != nil {
|
||||
t.Fatalf("get: %v", err)
|
||||
}
|
||||
if acc.DisplayName != local {
|
||||
t.Errorf("display name = %q, want the email local part %q", acc.DisplayName, local)
|
||||
}
|
||||
}
|
||||
|
||||
// TestConfirmByTokenLinkClearsGuest: binding an email to a guest via the deeplink
|
||||
// promotes the guest to a durable account (the deeplink path must match the
|
||||
// code-based link flow, which clears the guest flag).
|
||||
func TestConfirmByTokenLinkClearsGuest(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
guest, err := store.ProvisionGuest(ctx, "")
|
||||
if err != nil {
|
||||
t.Fatalf("provision guest: %v", err)
|
||||
}
|
||||
email := "guest-link-" + uuid.NewString() + "@example.com"
|
||||
|
||||
if err := svc.RequestLinkCode(ctx, guest.ID, email); err != nil {
|
||||
t.Fatalf("request link: %v", err)
|
||||
}
|
||||
if _, err := svc.ConfirmByToken(ctx, tokenFromMail(t, mailer.lastBody)); err != nil {
|
||||
t.Fatalf("confirm by token: %v", err)
|
||||
}
|
||||
acc, err := store.GetByID(ctx, guest.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("get: %v", err)
|
||||
}
|
||||
if acc.IsGuest {
|
||||
t.Error("linking an email via the deeplink must promote the guest to durable")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@ package inttest
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
@@ -18,59 +19,119 @@ import (
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/game"
|
||||
"scrabble/backend/internal/gamelimits"
|
||||
"scrabble/backend/internal/lobby"
|
||||
"scrabble/backend/internal/server"
|
||||
"scrabble/backend/internal/social"
|
||||
)
|
||||
|
||||
// The game-limit suite covers the simultaneous quick-game cap (game.MaxActiveQuickGames):
|
||||
// the counting rule (Store/Service.CountActiveQuickGames) and the HTTP gate that refuses a
|
||||
// new game once the cap is reached, while accepting an incoming invitation stays allowed.
|
||||
// The game-limit suite covers the per-tier, per-kind active-game caps (backend.config): the
|
||||
// game_kind tag persisted per creation path, the tier resolution + counting rule
|
||||
// (game.Service.AtGameLimit), the HTTP gate + lobby at_game_limit flag, the guest gate on friend
|
||||
// actions, and the config hot-cache reflecting an admin edit. Accepting an invitation stays exempt.
|
||||
|
||||
// TestCountActiveQuickGames checks the count includes active and open quick games (the
|
||||
// honest-AI ones among them) and excludes finished games, friend games (created by
|
||||
// invitation) and games the account is not seated in.
|
||||
func TestCountActiveQuickGames(t *testing.T) {
|
||||
// newGameLimits builds a gamelimits service over the shared pool and loads the seeded config
|
||||
// (guest 1/1/0, durable 10/10/10).
|
||||
func newGameLimits(t *testing.T) *gamelimits.Service {
|
||||
t.Helper()
|
||||
gl := gamelimits.NewService(gamelimits.NewStore(testDB))
|
||||
if err := gl.Load(context.Background()); err != nil {
|
||||
t.Fatalf("load game limits: %v", err)
|
||||
}
|
||||
return gl
|
||||
}
|
||||
|
||||
// restoreDefaultLimits resets the single config row to the migration seed on cleanup, so a test that
|
||||
// edited it never leaks its values into another (the row is a shared singleton).
|
||||
func restoreDefaultLimits(t *testing.T, gl *gamelimits.Service) {
|
||||
t.Helper()
|
||||
t.Cleanup(func() {
|
||||
_ = gl.Update(context.Background(), gamelimits.Config{
|
||||
Guest: gamelimits.Limits{VsAI: 1, Random: 1, Friends: 0},
|
||||
Durable: gamelimits.Limits{VsAI: 10, Random: 10, Friends: 10},
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
// gameKind reads a game's persisted game_kind tag.
|
||||
func gameKind(t *testing.T, gameID uuid.UUID) int16 {
|
||||
t.Helper()
|
||||
var k int16
|
||||
if err := testDB.QueryRowContext(context.Background(),
|
||||
`SELECT game_kind FROM backend.games WHERE game_id=$1`, gameID).Scan(&k); err != nil {
|
||||
t.Fatalf("read game_kind: %v", err)
|
||||
}
|
||||
return k
|
||||
}
|
||||
|
||||
// mustCreateKind creates an active game seating the accounts, tagged with kind, and returns its id.
|
||||
func mustCreateKind(t *testing.T, games *game.Service, seats []uuid.UUID, kind gamelimits.Kind) uuid.UUID {
|
||||
t.Helper()
|
||||
g, err := games.Create(context.Background(), game.CreateParams{
|
||||
Variant: engine.VariantEnglish, Seats: seats, TurnTimeout: 24 * time.Hour, Kind: kind,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("create game (kind=%d): %v", kind, err)
|
||||
}
|
||||
return g.ID
|
||||
}
|
||||
|
||||
// startFriendGameID has inviter invite invitee to a friend game and the invitee accept, returning
|
||||
// the started game's id.
|
||||
func startFriendGameID(t *testing.T, inv *lobby.InvitationService, inviter, invitee uuid.UUID) uuid.UUID {
|
||||
t.Helper()
|
||||
ctx := context.Background()
|
||||
invitation, err := inv.CreateInvitation(ctx, inviter, []uuid.UUID{invitee}, englishInvite())
|
||||
if err != nil {
|
||||
t.Fatalf("create invitation: %v", err)
|
||||
}
|
||||
got, err := inv.RespondInvitation(ctx, invitation.ID, invitee, true)
|
||||
if err != nil {
|
||||
t.Fatalf("accept invitation: %v", err)
|
||||
}
|
||||
if got.GameID == nil {
|
||||
t.Fatal("accepted invitation has no game id")
|
||||
}
|
||||
return *got.GameID
|
||||
}
|
||||
|
||||
// TestGameKindPersisted checks each creation path stamps the right game_kind: random (auto-match)
|
||||
// =2, vs_ai =1, friend (by invitation) =3.
|
||||
func TestGameKindPersisted(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
clearOpenGames(t)
|
||||
games := newGameService()
|
||||
human := provisionAccount(t)
|
||||
opp := provisionAccount(t)
|
||||
inv := newInvitationService()
|
||||
human, opp := provisionAccount(t), provisionAccount(t)
|
||||
|
||||
if n := mustCount(t, games, human); n != 0 {
|
||||
t.Fatalf("fresh account count = %d, want 0", n)
|
||||
rnd, _, err := games.OpenOrJoin(ctx, human, game.CreateParams{Variant: engine.VariantEnglish, TurnTimeout: 24 * time.Hour}, time.Now().Add(time.Minute), nil)
|
||||
if err != nil {
|
||||
t.Fatalf("open random game: %v", err)
|
||||
}
|
||||
if k := gameKind(t, rnd.ID); k != int16(gamelimits.KindRandom) {
|
||||
t.Errorf("random game_kind = %d, want %d", k, gamelimits.KindRandom)
|
||||
}
|
||||
|
||||
// An open (awaiting-opponent) quick game counts.
|
||||
if _, _, err := games.OpenOrJoin(ctx, human, game.CreateParams{
|
||||
Variant: engine.VariantEnglish, TurnTimeout: 24 * time.Hour,
|
||||
}, time.Now().Add(time.Minute), nil); err != nil {
|
||||
t.Fatalf("open quick game: %v", err)
|
||||
ai := mustCreateKind(t, games, []uuid.UUID{human, opp}, gamelimits.KindVsAI)
|
||||
if k := gameKind(t, ai); k != int16(gamelimits.KindVsAI) {
|
||||
t.Errorf("vs_ai game_kind = %d, want %d", k, gamelimits.KindVsAI)
|
||||
}
|
||||
// An active quick game and an honest-AI quick game both count (neither has an invitation row).
|
||||
mustCreateQuick(t, games, []uuid.UUID{human, opp}, false, 1)
|
||||
mustCreateQuick(t, games, []uuid.UUID{human, opp}, true, 2)
|
||||
|
||||
// A finished quick game does NOT count.
|
||||
fin := mustCreateQuick(t, games, []uuid.UUID{human, opp}, false, 3)
|
||||
if _, err := testDB.ExecContext(ctx, `UPDATE backend.games SET status='finished' WHERE game_id=$1`, fin); err != nil {
|
||||
t.Fatalf("finish game: %v", err)
|
||||
}
|
||||
// A game the human is not seated in does NOT count.
|
||||
mustCreateQuick(t, games, []uuid.UUID{opp, provisionAccount(t)}, false, 4)
|
||||
// A friend game (created by invitation) does NOT count, even though it is active.
|
||||
startFriendGame(t, human)
|
||||
|
||||
if n := mustCount(t, games, human); n != 3 {
|
||||
t.Fatalf("active quick count = %d, want 3 (active + AI + open)", n)
|
||||
friend := startFriendGameID(t, inv, human, opp)
|
||||
if k := gameKind(t, friend); k != int16(gamelimits.KindFriends) {
|
||||
t.Errorf("friend game_kind = %d, want %d", k, gamelimits.KindFriends)
|
||||
}
|
||||
}
|
||||
|
||||
// TestGameLimitGate drives the cap through the assembled HTTP server: under the cap the lobby
|
||||
// reports at_game_limit false; at the cap it flips to true and both new-game endpoints (quick
|
||||
// enqueue and invitation creation) are refused with 409 game_limit_reached, while accepting an
|
||||
// incoming invitation is still allowed.
|
||||
func TestGameLimitGate(t *testing.T) {
|
||||
// TestGuestActiveGameLimitHTTP drives the guest random cap through the assembled server: the first
|
||||
// auto-match opens a game, the lobby then flags at_game_limit, and a second enqueue is refused 409
|
||||
// game_limit_reached. It also checks the guest vs_ai and friends caps resolve at the domain level.
|
||||
func TestGuestActiveGameLimitHTTP(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
clearOpenGames(t)
|
||||
gl := newGameLimits(t)
|
||||
games := newGameService()
|
||||
games.SetGameLimits(gl)
|
||||
srv := server.New(":0", server.Deps{
|
||||
Logger: zaptest.NewLogger(t),
|
||||
DB: testDB,
|
||||
@@ -78,88 +139,110 @@ func TestGameLimitGate(t *testing.T) {
|
||||
Games: games,
|
||||
Matchmaker: newMatchmaker(t, newRobotService(t, newGameService()), time.Minute, 0),
|
||||
Invitations: newInvitationService(),
|
||||
GameLimits: gl,
|
||||
})
|
||||
|
||||
human := provisionAccount(t)
|
||||
guest := provisionGuest(t)
|
||||
if gamesListAtLimit(t, srv, guest) {
|
||||
t.Fatal("a fresh guest must be under the random game limit")
|
||||
}
|
||||
// The first auto-match opens a random game (guest random cap = 1).
|
||||
if rec := userPost(t, srv, "/api/v1/user/lobby/enqueue", guest, `{"variant":"erudit_ru"}`); rec.Code != http.StatusOK {
|
||||
t.Fatalf("first enqueue = %d (%s), want 200", rec.Code, rec.Body.String())
|
||||
}
|
||||
// At the cap: the lobby flags it and a second enqueue is refused with the stable code.
|
||||
if !gamesListAtLimit(t, srv, guest) {
|
||||
t.Fatal("after one random game the guest must be at the limit")
|
||||
}
|
||||
if rec := userPost(t, srv, "/api/v1/user/lobby/enqueue", guest, `{"variant":"erudit_ru"}`); rec.Code != http.StatusConflict || errorCode(t, rec) != "game_limit_reached" {
|
||||
t.Fatalf("second enqueue = (%d, %q), want (409, game_limit_reached)", rec.Code, errorCode(t, rec))
|
||||
}
|
||||
|
||||
// A guest is refused the friends flow outright at the HTTP edge (403 guest_forbidden).
|
||||
opp := provisionAccount(t)
|
||||
|
||||
// Under the cap: the lobby reports the player is not limited.
|
||||
if gamesListAtLimit(t, srv, human) {
|
||||
t.Fatal("a fresh account must be under the game limit")
|
||||
}
|
||||
|
||||
// Reach the cap with active quick games seating the human (no invitation row → quick).
|
||||
for i := 0; i < game.MaxActiveQuickGames; i++ {
|
||||
mustCreateQuick(t, games, []uuid.UUID{human, opp}, false, int64(i+1))
|
||||
}
|
||||
|
||||
// At the cap: the lobby flags it and both create paths are refused with the stable code.
|
||||
if !gamesListAtLimit(t, srv, human) {
|
||||
t.Fatalf("at %d games at_game_limit must be true", game.MaxActiveQuickGames)
|
||||
}
|
||||
// erudit_ru is in the default variant preferences, so the variant gate passes and the
|
||||
// game-limit gate is what fires here.
|
||||
if rec := userPost(t, srv, "/api/v1/user/lobby/enqueue", human, `{"variant":"erudit_ru"}`); rec.Code != http.StatusConflict || errorCode(t, rec) != "game_limit_reached" {
|
||||
t.Fatalf("enqueue at limit = (%d, %q), want (409, game_limit_reached)", rec.Code, errorCode(t, rec))
|
||||
}
|
||||
invBody := fmt.Sprintf(`{"variant":"erudit_ru","invitee_ids":[%q]}`, opp.String())
|
||||
if rec := userPost(t, srv, "/api/v1/user/invitations", human, invBody); rec.Code != http.StatusConflict || errorCode(t, rec) != "game_limit_reached" {
|
||||
t.Fatalf("invitation at limit = (%d, %q), want (409, game_limit_reached)", rec.Code, errorCode(t, rec))
|
||||
if rec := userPost(t, srv, "/api/v1/user/invitations", guest, invBody); rec.Code != http.StatusForbidden || errorCode(t, rec) != "guest_forbidden" {
|
||||
t.Fatalf("guest invitation = (%d, %q), want (403, guest_forbidden)", rec.Code, errorCode(t, rec))
|
||||
}
|
||||
|
||||
// Accepting an incoming invitation is never blocked, even at the cap: another player invites
|
||||
// the capped human, who accepts over HTTP and the game starts (friend games do not count).
|
||||
inviter := provisionAccount(t)
|
||||
inv := newInvitationService()
|
||||
invitation, err := inv.CreateInvitation(ctx, inviter, []uuid.UUID{human}, englishInvite())
|
||||
if err != nil {
|
||||
t.Fatalf("create invitation: %v", err)
|
||||
// The guest vs_ai cap is 1: one vs_ai game puts the guest at the vs_ai limit.
|
||||
mustCreateKind(t, games, []uuid.UUID{guest, opp}, gamelimits.KindVsAI)
|
||||
if at, err := games.AtGameLimit(ctx, guest, gamelimits.KindVsAI); err != nil || !at {
|
||||
t.Fatalf("guest vs_ai at-limit = (%v, %v), want (true, nil)", at, err)
|
||||
}
|
||||
if rec := userPost(t, srv, "/api/v1/user/invitations/"+invitation.ID.String()+"/accept", human, ""); rec.Code != http.StatusOK {
|
||||
t.Fatalf("accept at limit = %d (%s), want 200 — accept must bypass the cap", rec.Code, rec.Body.String())
|
||||
// The guest friends cap is 0: a guest is always at the friends limit (the 403 gate blocks first).
|
||||
if at, err := games.AtGameLimit(ctx, guest, gamelimits.KindFriends); err != nil || !at {
|
||||
t.Fatalf("guest friends at-limit = (%v, %v), want (true, nil)", at, err)
|
||||
}
|
||||
}
|
||||
|
||||
// mustCount returns the account's active-quick-game count, failing on error.
|
||||
func mustCount(t *testing.T, games *game.Service, id uuid.UUID) int {
|
||||
t.Helper()
|
||||
n, err := games.CountActiveQuickGames(context.Background(), id)
|
||||
if err != nil {
|
||||
t.Fatalf("count active quick games: %v", err)
|
||||
}
|
||||
return n
|
||||
}
|
||||
|
||||
// mustCreateQuick creates an active quick game (no invitation) seating the given accounts and
|
||||
// returns its id; vsAI flags an honest-AI game (the service then applies the 7-day clock).
|
||||
func mustCreateQuick(t *testing.T, games *game.Service, seats []uuid.UUID, vsAI bool, seed int64) uuid.UUID {
|
||||
t.Helper()
|
||||
p := game.CreateParams{Variant: engine.VariantEnglish, Seats: seats, TurnTimeout: 24 * time.Hour, Seed: seed}
|
||||
if vsAI {
|
||||
p.VsAI = true
|
||||
p.TurnTimeout = 0 // the service applies the 7-day AI inactivity clock for vs_ai games
|
||||
}
|
||||
g, err := games.Create(context.Background(), p)
|
||||
if err != nil {
|
||||
t.Fatalf("create quick game (vsAI=%v): %v", vsAI, err)
|
||||
}
|
||||
return g.ID
|
||||
}
|
||||
|
||||
// startFriendGame has a fresh inviter invite the given account to a friend game and the invitee
|
||||
// accept it, so the (active) friend game exists with its game_invitations row.
|
||||
func startFriendGame(t *testing.T, invitee uuid.UUID) {
|
||||
t.Helper()
|
||||
// TestDurableTierHigherLimit checks a durable account resolves the durable tier, not the guest one:
|
||||
// one random game leaves it well under the durable cap (10).
|
||||
func TestDurableTierHigherLimit(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
gl := newGameLimits(t)
|
||||
games := newGameService()
|
||||
games.SetGameLimits(gl)
|
||||
durable, opp := provisionAccount(t), provisionAccount(t)
|
||||
|
||||
mustCreateKind(t, games, []uuid.UUID{durable, opp}, gamelimits.KindRandom)
|
||||
if at, err := games.AtGameLimit(ctx, durable, gamelimits.KindRandom); err != nil || at {
|
||||
t.Fatalf("durable random at-limit after one game = (%v, %v), want (false, nil)", at, err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestGuestForbiddenFriendActions checks a guest is refused every friend action server-side (the UI
|
||||
// hides them; this is the source of truth): creating an invitation, sending a friend request, and
|
||||
// redeeming a friend code.
|
||||
func TestGuestForbiddenFriendActions(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
guest := provisionGuest(t)
|
||||
other := provisionAccount(t)
|
||||
|
||||
inv := newInvitationService()
|
||||
if _, err := inv.CreateInvitation(ctx, guest, []uuid.UUID{other}, englishInvite()); !errors.Is(err, lobby.ErrGuestForbidden) {
|
||||
t.Fatalf("guest CreateInvitation err = %v, want ErrGuestForbidden", err)
|
||||
}
|
||||
|
||||
soc := newSocialService()
|
||||
if err := soc.SendFriendRequest(ctx, guest, other); !errors.Is(err, social.ErrGuestForbidden) {
|
||||
t.Fatalf("guest SendFriendRequest err = %v, want ErrGuestForbidden", err)
|
||||
}
|
||||
if _, err := soc.RedeemFriendCode(ctx, guest, "000000"); !errors.Is(err, social.ErrGuestForbidden) {
|
||||
t.Fatalf("guest RedeemFriendCode err = %v, want ErrGuestForbidden", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestDurableFriendsCapAndConfigCache lowers the durable friends cap to 1 through the service (the
|
||||
// admin-edit path), checks a durable inviter is refused a second friend game with 409, and that
|
||||
// accepting an incoming invitation is still exempt from the cap.
|
||||
func TestDurableFriendsCapAndConfigCache(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
gl := newGameLimits(t)
|
||||
restoreDefaultLimits(t, gl)
|
||||
cfg := gl.Get()
|
||||
cfg.Durable.Friends = 1
|
||||
if err := gl.Update(ctx, cfg); err != nil {
|
||||
t.Fatalf("update durable friends cap: %v", err)
|
||||
}
|
||||
games := newGameService()
|
||||
games.SetGameLimits(gl)
|
||||
inv := lobby.NewInvitationService(lobby.NewStore(testDB), games, account.NewStore(testDB), newSocialService())
|
||||
|
||||
inviter := provisionAccount(t)
|
||||
invitation, err := inv.CreateInvitation(ctx, inviter, []uuid.UUID{invitee}, englishInvite())
|
||||
if err != nil {
|
||||
t.Fatalf("create invitation: %v", err)
|
||||
d2, d3 := provisionAccount(t), provisionAccount(t)
|
||||
|
||||
// The inviter's first friend game reaches the (lowered) cap of 1.
|
||||
startFriendGameID(t, inv, inviter, d2)
|
||||
if at, err := games.AtGameLimit(ctx, inviter, gamelimits.KindFriends); err != nil || !at {
|
||||
t.Fatalf("inviter friends at-limit = (%v, %v), want (true, nil)", at, err)
|
||||
}
|
||||
if _, err := inv.RespondInvitation(ctx, invitation.ID, invitee, true); err != nil {
|
||||
t.Fatalf("accept invitation: %v", err)
|
||||
// A second invitation is refused: the cache reflects the edit.
|
||||
if _, err := inv.CreateInvitation(ctx, inviter, []uuid.UUID{d3}, englishInvite()); !errors.Is(err, game.ErrGameLimitReached) {
|
||||
t.Fatalf("second invitation err = %v, want ErrGameLimitReached", err)
|
||||
}
|
||||
// Accept stays exempt: someone else invites the capped inviter, who accepts and the game starts.
|
||||
startFriendGameID(t, inv, d3, inviter)
|
||||
}
|
||||
|
||||
// gamesListAtLimit fetches /api/v1/user/games and returns its at_game_limit flag.
|
||||
|
||||
@@ -14,6 +14,8 @@ import (
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/game"
|
||||
"scrabble/backend/internal/payments"
|
||||
"scrabble/backend/internal/session"
|
||||
)
|
||||
|
||||
// TestListForAccount checks the lobby "my games" query: it returns exactly the
|
||||
@@ -401,8 +403,13 @@ func gameStatus(t *testing.T, svc *game.Service, id uuid.UUID) (status, endReaso
|
||||
// TestHintPolicy exercises the per-game allowance, the profile wallet and the
|
||||
// disabled switch.
|
||||
func TestHintPolicy(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
// A trusted platform context so the online hint wallet (payments) is reachable; a provisioned
|
||||
// account carries a telegram identity, so the telegram origin is the applicable one here.
|
||||
ctx := session.WithPlatform(context.Background(),
|
||||
session.Platform{Kind: session.PlatformKindTelegram, Subtype: session.SubtypeAndroid})
|
||||
svc := newGameService()
|
||||
pay := newPaymentsService()
|
||||
svc.SetHintWallet(pay) // share the handle so a grant invalidates the wallet the game reads
|
||||
seats := []uuid.UUID{provisionAccount(t), provisionAccount(t)}
|
||||
seed := openingSeed(t)
|
||||
g, err := svc.Create(ctx, game.CreateParams{
|
||||
@@ -417,25 +424,30 @@ func TestHintPolicy(t *testing.T) {
|
||||
t.Fatalf("first hint: %v", err)
|
||||
}
|
||||
// The allowance is spent before the wallet: with an empty wallet, the state now reports no
|
||||
// hints left and a zero wallet, so the per-game allowance (HintsRemaining-WalletBalance) is 0.
|
||||
// per-game allowance left (HintsRemaining is the allowance alone; the wallet lives on the profile).
|
||||
st, err := svc.GameState(ctx, g.ID, seats[0])
|
||||
if err != nil {
|
||||
t.Fatalf("state: %v", err)
|
||||
}
|
||||
if st.HintsRemaining != 0 || st.WalletBalance != 0 {
|
||||
t.Errorf("after allowance hint: hints=%d wallet=%d, want 0/0", st.HintsRemaining, st.WalletBalance)
|
||||
if st.HintsRemaining != 0 {
|
||||
t.Errorf("after allowance hint: hints=%d, want 0", st.HintsRemaining)
|
||||
}
|
||||
if _, err := svc.Hint(ctx, g.ID, seats[0]); !errors.Is(err, game.ErrNoHintsLeft) {
|
||||
t.Fatalf("second hint = %v, want ErrNoHintsLeft", err)
|
||||
}
|
||||
setHintBalance(t, seats[0], 2)
|
||||
// Grant 2 hints on the telegram origin through the service so its read cache is invalidated
|
||||
// (a raw insert would leave the cache warmed at zero by the allowance hint above).
|
||||
if err := pay.Grant(ctx, seats[0], payments.SourceTelegram, 2, 0, false); err != nil {
|
||||
t.Fatalf("grant hints: %v", err)
|
||||
}
|
||||
res, err := svc.Hint(ctx, g.ID, seats[0]) // spends the wallet
|
||||
if err != nil {
|
||||
t.Fatalf("wallet hint: %v", err)
|
||||
}
|
||||
// The allowance stays exhausted; the wallet dropped 2->1, and WalletBalance carries it alone.
|
||||
if res.HintsRemaining != 1 || res.WalletBalance != 1 {
|
||||
t.Errorf("wallet hint: hints=%d wallet=%d, want 1/1", res.HintsRemaining, res.WalletBalance)
|
||||
// The allowance stays exhausted (HintsRemaining is the allowance alone, so 0); the wallet dropped
|
||||
// 2->1 and WalletBalance carries it (the client adopts it into the profile).
|
||||
if res.HintsRemaining != 0 || res.WalletBalance != 1 {
|
||||
t.Errorf("wallet hint: hints=%d wallet=%d, want 0/1", res.HintsRemaining, res.WalletBalance)
|
||||
}
|
||||
// game_players.hints_used counts BOTH hints (1 allowance + 1 wallet) — the per-game total
|
||||
// that feeds the player's lifetime hint statistics, not just the allowance.
|
||||
@@ -603,14 +615,6 @@ func setAway(t *testing.T, id uuid.UUID, tz, start, end string) {
|
||||
}
|
||||
}
|
||||
|
||||
func setHintBalance(t *testing.T, id uuid.UUID, n int) {
|
||||
t.Helper()
|
||||
if _, err := testDB.ExecContext(context.Background(),
|
||||
`UPDATE backend.accounts SET hint_balance = $1 WHERE account_id = $2`, n, id); err != nil {
|
||||
t.Fatalf("set hint balance: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func equalStrings(a, b []string) bool {
|
||||
if len(a) != len(b) {
|
||||
return false
|
||||
|
||||
@@ -17,6 +17,7 @@ import (
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/game"
|
||||
"scrabble/backend/internal/lobby"
|
||||
"scrabble/backend/internal/payments"
|
||||
"scrabble/backend/internal/robot"
|
||||
"scrabble/backend/internal/social"
|
||||
)
|
||||
@@ -42,9 +43,42 @@ func newGameService() *game.Service {
|
||||
zap.NewNop(),
|
||||
)
|
||||
svc.SetFirstMoveEntropy(seatZeroFirstMove)
|
||||
svc.SetHintWallet(newPaymentsService())
|
||||
return svc
|
||||
}
|
||||
|
||||
// newPaymentsService builds a payments service over the shared pool (its own in-process read
|
||||
// cache), for wiring the game hint wallet and the account-merge fold in the integration suite.
|
||||
func newPaymentsService() *payments.Service {
|
||||
return payments.NewService(payments.NewStore(testDB))
|
||||
}
|
||||
|
||||
// seedBenefit writes a payments benefit row for an account+origin directly (bypassing the
|
||||
// service), used to stand up wallet state a test then spends or merges. A non-zero hints count
|
||||
// and/or the forever flag are set; a caller wanting a no-ads term sets it via seedBenefitUntil.
|
||||
func seedBenefit(t *testing.T, id uuid.UUID, origin string, hints int, forever bool) {
|
||||
t.Helper()
|
||||
if _, err := testDB.ExecContext(context.Background(),
|
||||
`INSERT INTO payments.benefits (account_id, origin, hints, ads_forever) VALUES ($1,$2,$3,$4)
|
||||
ON CONFLICT (account_id, origin) DO UPDATE SET hints = EXCLUDED.hints, ads_forever = EXCLUDED.ads_forever`,
|
||||
id, origin, hints, forever); err != nil {
|
||||
t.Fatalf("seed benefit: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// readBenefit reads an account's benefit row for an origin: the hint count and the forever flag
|
||||
// (both zero/false when the row is absent).
|
||||
func readBenefit(t *testing.T, id uuid.UUID, origin string) (hints int, forever bool) {
|
||||
t.Helper()
|
||||
err := testDB.QueryRowContext(context.Background(),
|
||||
`SELECT hints, ads_forever FROM payments.benefits WHERE account_id=$1 AND origin=$2`, id, origin).
|
||||
Scan(&hints, &forever)
|
||||
if err != nil && !errors.Is(err, sql.ErrNoRows) {
|
||||
t.Fatalf("read benefit: %v", err)
|
||||
}
|
||||
return hints, forever
|
||||
}
|
||||
|
||||
// seatZeroFirstMove is a first-move-draw entropy factory that always elects the first
|
||||
// listed account as the leader, keeping the integration suite's turn order stable
|
||||
// despite the real draw's randomness: the first contender draws a blank — the best
|
||||
|
||||
@@ -0,0 +1,174 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
)
|
||||
|
||||
// emailOf returns the external id of the account's email identity, or "" when it has none.
|
||||
func emailOf(t *testing.T, store *account.Store, id uuid.UUID) string {
|
||||
t.Helper()
|
||||
ids, err := store.Identities(context.Background(), id)
|
||||
if err != nil {
|
||||
t.Fatalf("identities %s: %v", id, err)
|
||||
}
|
||||
for _, i := range ids {
|
||||
if i.Kind == account.KindEmail {
|
||||
return i.ExternalID
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// TestUnlinkProviderKeepsOthers detaches one provider from a multi-identity account and
|
||||
// refuses to remove the last remaining identity.
|
||||
func TestUnlinkProviderKeepsOthers(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
|
||||
acc, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision telegram: %v", err)
|
||||
}
|
||||
email := "unlink-" + uuid.NewString() + "@example.com"
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, email, true); err != nil {
|
||||
t.Fatalf("attach email: %v", err)
|
||||
}
|
||||
|
||||
// Removing a kind the account does not hold reports not-found.
|
||||
if err := store.RemoveIdentity(ctx, acc.ID, account.KindVK); !errors.Is(err, account.ErrNotFound) {
|
||||
t.Fatalf("remove absent vk = %v, want ErrNotFound", err)
|
||||
}
|
||||
|
||||
// Detach Telegram: the email identity remains.
|
||||
if err := store.RemoveIdentity(ctx, acc.ID, account.KindTelegram); err != nil {
|
||||
t.Fatalf("remove telegram: %v", err)
|
||||
}
|
||||
ids, err := store.Identities(ctx, acc.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("identities: %v", err)
|
||||
}
|
||||
if len(ids) != 1 || ids[0].Kind != account.KindEmail {
|
||||
t.Fatalf("identities after unlink = %+v, want only email", ids)
|
||||
}
|
||||
|
||||
// The email is now the last identity, so unlinking it is refused.
|
||||
if err := store.RemoveIdentity(ctx, acc.ID, account.KindEmail); !errors.Is(err, account.ErrLastIdentity) {
|
||||
t.Fatalf("remove last email = %v, want ErrLastIdentity", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestChangeEmailReplaces switches an account's confirmed email to a free address,
|
||||
// freeing the old one.
|
||||
func TestChangeEmailReplaces(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
acc, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
oldAddr := "old-" + uuid.NewString() + "@example.com"
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, oldAddr, true); err != nil {
|
||||
t.Fatalf("attach old email: %v", err)
|
||||
}
|
||||
newAddr := "new-" + uuid.NewString() + "@example.com"
|
||||
|
||||
if err := svc.RequestChangeCode(ctx, acc.ID, newAddr); err != nil {
|
||||
t.Fatalf("request change: %v", err)
|
||||
}
|
||||
code := sixDigit.FindString(mailer.lastBody)
|
||||
if _, err := svc.ConfirmChange(ctx, acc.ID, newAddr, code); err != nil {
|
||||
t.Fatalf("confirm change: %v", err)
|
||||
}
|
||||
if got := emailOf(t, store, acc.ID); got != newAddr {
|
||||
t.Fatalf("email after change = %q, want %q", got, newAddr)
|
||||
}
|
||||
if !identityConfirmed(t, account.KindEmail, newAddr) {
|
||||
t.Error("the new email identity must be confirmed")
|
||||
}
|
||||
// The old address is freed: another account can now claim it.
|
||||
other, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision other: %v", err)
|
||||
}
|
||||
if err := store.AttachIdentity(ctx, other.ID, account.KindEmail, oldAddr, true); err != nil {
|
||||
t.Fatalf("old address should be free after change, got: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestChangeEmailRefusesTaken refuses (without merging) a new address already confirmed by
|
||||
// another account, leaving the caller's email untouched.
|
||||
func TestChangeEmailRefusesTaken(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
acc, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision caller: %v", err)
|
||||
}
|
||||
mine := "mine-" + uuid.NewString() + "@example.com"
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, mine, true); err != nil {
|
||||
t.Fatalf("attach caller email: %v", err)
|
||||
}
|
||||
other, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision other: %v", err)
|
||||
}
|
||||
taken := "taken-" + uuid.NewString() + "@example.com"
|
||||
if err := store.AttachIdentity(ctx, other.ID, account.KindEmail, taken, true); err != nil {
|
||||
t.Fatalf("attach other email: %v", err)
|
||||
}
|
||||
|
||||
if err := svc.RequestChangeCode(ctx, acc.ID, taken); err != nil {
|
||||
t.Fatalf("request change: %v", err)
|
||||
}
|
||||
code := sixDigit.FindString(mailer.lastBody)
|
||||
if _, err := svc.ConfirmChange(ctx, acc.ID, taken, code); !errors.Is(err, account.ErrEmailTaken) {
|
||||
t.Fatalf("confirm change to taken = %v, want ErrEmailTaken", err)
|
||||
}
|
||||
if got := emailOf(t, store, acc.ID); got != mine {
|
||||
t.Errorf("caller email after refused change = %q, want unchanged %q", got, mine)
|
||||
}
|
||||
}
|
||||
|
||||
// TestChangeEmailViaDeeplink switches the email through the one-tap confirm token.
|
||||
func TestChangeEmailViaDeeplink(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
acc, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, "old-"+uuid.NewString()+"@example.com", true); err != nil {
|
||||
t.Fatalf("attach old email: %v", err)
|
||||
}
|
||||
newAddr := "dl-" + uuid.NewString() + "@example.com"
|
||||
if err := svc.RequestChangeCode(ctx, acc.ID, newAddr); err != nil {
|
||||
t.Fatalf("request change: %v", err)
|
||||
}
|
||||
res, err := svc.ConfirmByToken(ctx, tokenFromMail(t, mailer.lastBody))
|
||||
if err != nil {
|
||||
t.Fatalf("confirm by token: %v", err)
|
||||
}
|
||||
if res.IsLogin() || res.NeedsMerge || res.Account != acc.ID {
|
||||
t.Fatalf("deeplink change result = %+v, want a plain change for %s", res, acc.ID)
|
||||
}
|
||||
if got := emailOf(t, store, acc.ID); got != newAddr {
|
||||
t.Fatalf("email after deeplink change = %q, want %q", got, newAddr)
|
||||
}
|
||||
}
|
||||
@@ -58,14 +58,6 @@ func bestMoveCount(t *testing.T, id uuid.UUID) int {
|
||||
return n
|
||||
}
|
||||
|
||||
func setWallet(t *testing.T, id uuid.UUID, hints int, paid bool) {
|
||||
t.Helper()
|
||||
if _, err := testDB.ExecContext(context.Background(),
|
||||
`UPDATE backend.accounts SET hint_balance=$2, paid_account=$3 WHERE account_id=$1`, id, hints, paid); err != nil {
|
||||
t.Fatalf("set wallet: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func bindEmailIdentity(t *testing.T, acc uuid.UUID, email string) {
|
||||
t.Helper()
|
||||
if _, err := testDB.ExecContext(context.Background(),
|
||||
@@ -119,7 +111,7 @@ func seatGame(t *testing.T, seats []uuid.UUID, timeout time.Duration) uuid.UUID
|
||||
|
||||
func newLinkService(mailer account.Mailer) *link.Service {
|
||||
store := account.NewStore(testDB)
|
||||
emails := account.NewEmailService(store, mailer)
|
||||
emails := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
sessions := session.NewService(session.NewStore(testDB), session.NewCache())
|
||||
return link.NewService(emails, store, accountmerge.NewMerger(testDB), sessions)
|
||||
}
|
||||
@@ -131,6 +123,7 @@ func TestAccountMergeCore(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
merger := accountmerge.NewMerger(testDB)
|
||||
merger.SetPayments(newPaymentsService())
|
||||
|
||||
primary := provisionAccount(t)
|
||||
secondary := provisionAccount(t)
|
||||
@@ -140,8 +133,8 @@ func TestAccountMergeCore(t *testing.T) {
|
||||
setStats(t, secondary, 3, 1, 2, 400, 80)
|
||||
setStatsCounts(t, primary, 100, 5)
|
||||
setStatsCounts(t, secondary, 50, 8)
|
||||
setWallet(t, primary, 2, false)
|
||||
setWallet(t, secondary, 5, true)
|
||||
seedBenefit(t, primary, "telegram", 2, false)
|
||||
seedBenefit(t, secondary, "telegram", 5, true) // hints sum, forever OR-s on merge
|
||||
// Best moves: secondary's scrabble_en (80) beats primary's (50) and is kept; secondary's
|
||||
// scrabble_ru (30) is new to primary and carried over.
|
||||
setBestMove(t, primary, "scrabble_en", 50)
|
||||
@@ -165,15 +158,13 @@ func TestAccountMergeCore(t *testing.T) {
|
||||
t.Error("secondary stats row should be deleted after merge")
|
||||
}
|
||||
|
||||
acc, err := store.GetByID(ctx, primary)
|
||||
if err != nil {
|
||||
t.Fatalf("get primary: %v", err)
|
||||
// The payments wallet merged by origin: hints sum (2+5) and the forever flag OR-s; the
|
||||
// deprecated accounts.hint_balance / paid_account columns are no longer touched by a merge.
|
||||
if hints, forever := readBenefit(t, primary, "telegram"); hints != 7 || !forever {
|
||||
t.Errorf("merged telegram benefit = hints %d forever %v, want 7/true", hints, forever)
|
||||
}
|
||||
if acc.HintBalance != 7 {
|
||||
t.Errorf("hint balance = %d, want 7", acc.HintBalance)
|
||||
}
|
||||
if !acc.PaidAccount {
|
||||
t.Error("paid_account should be true (ORed from secondary)")
|
||||
if hints, _ := readBenefit(t, secondary, "telegram"); hints != 0 {
|
||||
t.Errorf("secondary benefit should be cleared after merge, got hints %d", hints)
|
||||
}
|
||||
|
||||
if owner, ok, _ := store.AccountIDByIdentity(ctx, account.KindEmail, email); !ok || owner != primary {
|
||||
@@ -251,6 +242,44 @@ func TestAccountMergeFinishedSharedGameKept(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// TestAccountMergeDedupesEmail keeps the primary's email when both accounts have one and
|
||||
// journals the secondary's to the dossier (reason=merge), so the survivor never ends up
|
||||
// with two email identities.
|
||||
func TestAccountMergeDedupesEmail(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
merger := accountmerge.NewMerger(testDB)
|
||||
|
||||
primary := provisionAccount(t)
|
||||
secondary := provisionAccount(t)
|
||||
primaryEmail := "keep-" + uuid.NewString() + "@example.com"
|
||||
secondaryEmail := "absorb-" + uuid.NewString() + "@example.com"
|
||||
bindEmailIdentity(t, primary, primaryEmail)
|
||||
bindEmailIdentity(t, secondary, secondaryEmail)
|
||||
|
||||
if err := merger.Merge(ctx, primary, secondary); err != nil {
|
||||
t.Fatalf("merge: %v", err)
|
||||
}
|
||||
|
||||
// The primary keeps its own email; the secondary's is gone from the live identities.
|
||||
if owner, ok, _ := store.AccountIDByIdentity(ctx, account.KindEmail, primaryEmail); !ok || owner != primary {
|
||||
t.Errorf("primary email owner = %s ok=%v, want primary %s", owner, ok, primary)
|
||||
}
|
||||
if _, ok, _ := store.AccountIDByIdentity(ctx, account.KindEmail, secondaryEmail); ok {
|
||||
t.Error("the secondary's email must be removed (no duplicate email on the survivor)")
|
||||
}
|
||||
// The absorbed email stays in the legal dossier, tagged reason=merge.
|
||||
var reason string
|
||||
if err := testDB.QueryRowContext(ctx,
|
||||
`SELECT reason FROM backend.retained_identities WHERE account_id=$1 AND kind='email' AND external_id=$2`,
|
||||
secondary, secondaryEmail).Scan(&reason); err != nil {
|
||||
t.Fatalf("retained email row: %v", err)
|
||||
}
|
||||
if reason != "merge" {
|
||||
t.Errorf("retained reason = %q, want merge", reason)
|
||||
}
|
||||
}
|
||||
|
||||
// TestAccountLinkFreeEmail binds a free email and promotes a guest to durable.
|
||||
func TestAccountLinkFreeEmail(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
@@ -355,3 +384,64 @@ func TestAccountLinkGuestInversion(t *testing.T) {
|
||||
t.Errorf("email owner = %s, want durable", owner)
|
||||
}
|
||||
}
|
||||
|
||||
// TestAccountLinkFreeVK binds a free VK identity (gateway-validated, no code) and
|
||||
// promotes a guest to durable — the ConfirmVK counterpart of the free-email case.
|
||||
func TestAccountLinkFreeVK(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
links := newLinkService(&capturingMailer{})
|
||||
|
||||
guest := provisionGuest(t)
|
||||
vkID := "vk-" + uuid.NewString()
|
||||
res, err := links.ConfirmVK(ctx, guest, vkID)
|
||||
if err != nil {
|
||||
t.Fatalf("confirm vk: %v", err)
|
||||
}
|
||||
if !res.Linked || res.MergeRequired {
|
||||
t.Fatalf("confirm = %+v, want linked", res)
|
||||
}
|
||||
if acc, _ := store.GetByID(ctx, guest); acc.IsGuest {
|
||||
t.Error("guest flag should clear once VK is linked")
|
||||
}
|
||||
if owner, ok, _ := store.AccountIDByIdentity(ctx, account.KindVK, vkID); !ok || owner != guest {
|
||||
t.Errorf("vk owner = %s, want the promoted guest %s", owner, guest)
|
||||
}
|
||||
}
|
||||
|
||||
// TestAccountLinkVKMergeIntoCaller merges the account owning a VK identity into the
|
||||
// current durable account: ConfirmVK previews the merge, MergeVK folds it, the caller
|
||||
// stays primary and keeps its session, and the VK identity repoints to the caller.
|
||||
func TestAccountLinkVKMergeIntoCaller(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
links := newLinkService(&capturingMailer{})
|
||||
|
||||
caller := provisionAccount(t)
|
||||
other := provisionAccount(t)
|
||||
vkID := "vk-" + uuid.NewString()
|
||||
if err := store.AttachIdentity(ctx, other, account.KindVK, vkID, true); err != nil {
|
||||
t.Fatalf("seed vk on other: %v", err)
|
||||
}
|
||||
|
||||
confirm, err := links.ConfirmVK(ctx, caller, vkID)
|
||||
if err != nil {
|
||||
t.Fatalf("confirm vk: %v", err)
|
||||
}
|
||||
if !confirm.MergeRequired || confirm.SecondaryID != other {
|
||||
t.Fatalf("confirm = %+v, want merge_required to other %s", confirm, other)
|
||||
}
|
||||
merge, err := links.MergeVK(ctx, caller, vkID)
|
||||
if err != nil {
|
||||
t.Fatalf("merge vk: %v", err)
|
||||
}
|
||||
if merge.PrimaryID != caller || merge.SwitchedToken != "" {
|
||||
t.Fatalf("merge = %+v, want primary caller and no session switch", merge)
|
||||
}
|
||||
if mergedInto(t, other) != caller {
|
||||
t.Error("other should be tombstoned into caller")
|
||||
}
|
||||
if owner, _, _ := store.AccountIDByIdentity(ctx, account.KindVK, vkID); owner != caller {
|
||||
t.Errorf("vk owner = %s, want caller after merge", owner)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,155 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/payments"
|
||||
)
|
||||
|
||||
// methodPrice is one per-method money price for a seeded chip pack.
|
||||
type methodPrice struct {
|
||||
method string
|
||||
currency string
|
||||
amount int64
|
||||
}
|
||||
|
||||
// seedPackProduct creates an active chip pack: a product carrying the chips atom and a money price
|
||||
// per method. It returns the product id.
|
||||
func seedPackProduct(t *testing.T, chips int, prices ...methodPrice) uuid.UUID {
|
||||
t.Helper()
|
||||
ctx := context.Background()
|
||||
prod := uuid.New()
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO payments.product (product_id, title, active) VALUES ($1,'test pack',true)`, prod); err != nil {
|
||||
t.Fatalf("seed pack product: %v", err)
|
||||
}
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO payments.product_item (product_id, atom_type, quantity) VALUES ($1,'chips',$2)`, prod, chips); err != nil {
|
||||
t.Fatalf("seed chips item: %v", err)
|
||||
}
|
||||
for _, p := range prices {
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO payments.product_price (product_id, method, currency, amount) VALUES ($1,$2,$3,$4)`,
|
||||
prod, p.method, p.currency, p.amount); err != nil {
|
||||
t.Fatalf("seed pack price %s: %v", p.method, err)
|
||||
}
|
||||
}
|
||||
return prod
|
||||
}
|
||||
|
||||
// findCatalogProduct returns the projected storefront product for id in the context (the catalog
|
||||
// is global, so tests assert by id rather than count — testDB is shared).
|
||||
func findCatalogProduct(t *testing.T, svc *payments.Service, cxt payments.Context, id uuid.UUID) (payments.CatalogProduct, bool) {
|
||||
t.Helper()
|
||||
view, err := svc.Catalog(context.Background(), cxt)
|
||||
if err != nil {
|
||||
t.Fatalf("catalog: %v", err)
|
||||
}
|
||||
for _, p := range view.Products {
|
||||
if p.ProductID == id.String() {
|
||||
return p, true
|
||||
}
|
||||
}
|
||||
return payments.CatalogProduct{}, false
|
||||
}
|
||||
|
||||
// TestPaymentsCatalogByContext verifies the storefront projects a value at its chip price in every
|
||||
// context and a chip pack at the context method's money price, over Postgres.
|
||||
func TestPaymentsCatalogByContext(t *testing.T) {
|
||||
svc := newPaymentsService()
|
||||
value := seedValueProduct(t, 500, 250, 0)
|
||||
pack := seedPackProduct(t, 100,
|
||||
methodPrice{"vk", "VOTE", 20},
|
||||
methodPrice{"telegram", "XTR", 25},
|
||||
methodPrice{"direct", "RUB", 14900},
|
||||
)
|
||||
|
||||
for _, kind := range []string{"vk", "telegram", "direct"} {
|
||||
v, ok := findCatalogProduct(t, svc, payments.NewContext(kind, "web"), value)
|
||||
if !ok {
|
||||
t.Fatalf("value missing in %s context", kind)
|
||||
}
|
||||
if v.Kind != "value" || v.Chips != 500 || v.MoneyCurrency != "" {
|
||||
t.Errorf("value in %s = %+v, want kind=value chips=500 no money", kind, v)
|
||||
}
|
||||
}
|
||||
|
||||
cases := []struct {
|
||||
kind string
|
||||
amount int64
|
||||
currency string
|
||||
}{
|
||||
{"vk", 20, "VOTE"},
|
||||
{"telegram", 25, "XTR"},
|
||||
{"direct", 14900, "RUB"},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
p, ok := findCatalogProduct(t, svc, payments.NewContext(tc.kind, "web"), pack)
|
||||
if !ok {
|
||||
t.Fatalf("pack missing in %s context", tc.kind)
|
||||
}
|
||||
if p.Kind != "pack" || p.Chips != 0 || p.MoneyAmount != tc.amount || p.MoneyCurrency != tc.currency {
|
||||
t.Errorf("pack in %s = %+v, want kind=pack amount=%d currency=%s", tc.kind, p, tc.amount, tc.currency)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsCatalogExcludesDeactivated verifies a soft-deleted product drops out of the storefront.
|
||||
func TestPaymentsCatalogExcludesDeactivated(t *testing.T) {
|
||||
svc := newPaymentsService()
|
||||
prod := seedValueProduct(t, 100, 10, 0)
|
||||
if _, err := testDB.ExecContext(context.Background(),
|
||||
`UPDATE payments.product SET active=false WHERE product_id=$1`, prod); err != nil {
|
||||
t.Fatalf("deactivate: %v", err)
|
||||
}
|
||||
if _, ok := findCatalogProduct(t, svc, payments.NewContext("direct", "web"), prod); ok {
|
||||
t.Error("deactivated product must not appear in the storefront")
|
||||
}
|
||||
}
|
||||
|
||||
// TestOfferPricingReflectsCatalogEdits verifies the public-offer price list (§4.4) is projected from
|
||||
// the live catalog and its cache is invalidated on a catalog mutation: a newly created pack appears
|
||||
// with its per-rail prices, and archiving it through the service drops it from the next read.
|
||||
func TestOfferPricingReflectsCatalogEdits(t *testing.T) {
|
||||
svc := newPaymentsService()
|
||||
ctx := context.Background()
|
||||
title := "OfferTest " + uuid.NewString()
|
||||
id, err := svc.CreateProduct(ctx, payments.ProductInput{
|
||||
Title: title,
|
||||
Atoms: []payments.AtomLine{{Atom: "chips", Quantity: 50}},
|
||||
Prices: []payments.PriceLine{
|
||||
{Method: "direct", Currency: payments.CurrencyRUB, Amount: 20000},
|
||||
{Method: "vk", Currency: payments.CurrencyVote, Amount: 30},
|
||||
{Method: "telegram", Currency: payments.CurrencyStar, Amount: 100},
|
||||
},
|
||||
}, true)
|
||||
if err != nil {
|
||||
t.Fatalf("create pack: %v", err)
|
||||
}
|
||||
|
||||
md, err := svc.OfferPricing(ctx)
|
||||
if err != nil {
|
||||
t.Fatalf("offer pricing: %v", err)
|
||||
}
|
||||
if row := "| " + title + " | 200.00 | 30 | 100 |"; !strings.Contains(md, row) {
|
||||
t.Fatalf("offer pricing missing the new pack row %q\n%s", row, md)
|
||||
}
|
||||
|
||||
// Archiving through the service marks the cache stale; the next read must reproject without it.
|
||||
if err := svc.SetProductActive(ctx, id, false); err != nil {
|
||||
t.Fatalf("archive: %v", err)
|
||||
}
|
||||
md, err = svc.OfferPricing(ctx)
|
||||
if err != nil {
|
||||
t.Fatalf("offer pricing after archive: %v", err)
|
||||
}
|
||||
if strings.Contains(md, title) {
|
||||
t.Errorf("archived pack must drop from the offer pricing:\n%s", md)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,563 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/payments"
|
||||
)
|
||||
|
||||
// orderStatus reads an order's status.
|
||||
func orderStatus(t *testing.T, orderID uuid.UUID) string {
|
||||
t.Helper()
|
||||
var status string
|
||||
if err := testDB.QueryRowContext(context.Background(),
|
||||
`SELECT status FROM payments.orders WHERE order_id=$1`, orderID).Scan(&status); err != nil {
|
||||
t.Fatalf("read order status: %v", err)
|
||||
}
|
||||
return status
|
||||
}
|
||||
|
||||
// readRisk reads an account's payment-risk row (abuse flag + accumulated loss), or (false, 0) when
|
||||
// none exists.
|
||||
func readRisk(t *testing.T, acc uuid.UUID) (abuse bool, loss int64) {
|
||||
t.Helper()
|
||||
err := testDB.QueryRowContext(context.Background(),
|
||||
`SELECT abuse, loss_chips FROM payments.account_risk WHERE account_id=$1`, acc).Scan(&abuse, &loss)
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return false, 0
|
||||
}
|
||||
if err != nil {
|
||||
t.Fatalf("read risk: %v", err)
|
||||
}
|
||||
return abuse, loss
|
||||
}
|
||||
|
||||
// TestPaymentsOrderFundCreditsOnce verifies the intake path over Postgres: creating an order then
|
||||
// funding it credits the funded segment exactly once, and a replayed callback (the same order)
|
||||
// credits nothing more — the ledger idempotency index holds.
|
||||
func TestPaymentsOrderFundCreditsOnce(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
prod := seedPackProduct(t, 100, methodPrice{method: "direct", currency: "RUB", amount: 14900}) // 149.00 RUB funds 100 chips
|
||||
|
||||
res, err := svc.CreateOrder(ctx, acc, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod, "robokassa")
|
||||
if err != nil {
|
||||
t.Fatalf("create order: %v", err)
|
||||
}
|
||||
if res.Amount.Minor() != 14900 || res.Amount.Currency() != payments.CurrencyRUB {
|
||||
t.Fatalf("order amount = %s, want 149.00 RUB", res.Amount)
|
||||
}
|
||||
if orderStatus(t, res.OrderID) != "pending" {
|
||||
t.Errorf("new order status = %s, want pending", orderStatus(t, res.OrderID))
|
||||
}
|
||||
|
||||
paid, _ := payments.MoneyFromMinor(14900, payments.CurrencyRUB)
|
||||
out, err := svc.Fund(ctx, res.OrderID, "robokassa", res.OrderID.String(), paid)
|
||||
if err != nil {
|
||||
t.Fatalf("fund: %v", err)
|
||||
}
|
||||
if out.AlreadyCredited || out.Chips != 100 || out.Source != payments.SourceDirect {
|
||||
t.Fatalf("fund outcome = %+v, want 100 chips to direct, not already-credited", out)
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 100 {
|
||||
t.Errorf("balance after fund = %d, want 100", got)
|
||||
}
|
||||
if ledgerRows(t, acc, "fund") != 1 {
|
||||
t.Errorf("fund ledger rows = %d, want 1", ledgerRows(t, acc, "fund"))
|
||||
}
|
||||
if orderStatus(t, res.OrderID) != "paid" {
|
||||
t.Errorf("order status after fund = %s, want paid", orderStatus(t, res.OrderID))
|
||||
}
|
||||
|
||||
// A replayed callback for the same order is rejected by the unique index: no second credit.
|
||||
out2, err := svc.Fund(ctx, res.OrderID, "robokassa", res.OrderID.String(), paid)
|
||||
if err != nil {
|
||||
t.Fatalf("duplicate fund: %v", err)
|
||||
}
|
||||
if !out2.AlreadyCredited {
|
||||
t.Error("duplicate callback not flagged AlreadyCredited")
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 100 {
|
||||
t.Errorf("balance after duplicate = %d, want 100 (credited once)", got)
|
||||
}
|
||||
if ledgerRows(t, acc, "fund") != 1 {
|
||||
t.Error("duplicate callback wrote a second fund ledger row")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsVKOrderFundCredits exercises the VK Votes rail over Postgres: a VK order prices the
|
||||
// pack in votes; the get_item lookup returns its title and vote price; a chargeable
|
||||
// order_status_change credits the vk segment exactly once (idempotent on VK's own order id).
|
||||
func TestPaymentsVKOrderFundCredits(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
prod := seedPackProduct(t, 200, methodPrice{method: "vk", currency: "VOTE", amount: 30})
|
||||
|
||||
res, err := svc.CreateOrder(ctx, acc, payments.NewContext("vk", "web"), []payments.Source{payments.SourceVK}, prod, "vk")
|
||||
if err != nil {
|
||||
t.Fatalf("create vk order: %v", err)
|
||||
}
|
||||
if res.Amount.Currency() != payments.CurrencyVote || res.Amount.Minor() != 30 {
|
||||
t.Fatalf("vk order amount = %s, want 30 VOTE", res.Amount)
|
||||
}
|
||||
|
||||
// get_item phase: title + vote price.
|
||||
title, amount, err := svc.OrderItem(ctx, res.OrderID)
|
||||
if err != nil {
|
||||
t.Fatalf("order item: %v", err)
|
||||
}
|
||||
if title == "" || amount.Minor() != 30 || amount.Currency() != payments.CurrencyVote {
|
||||
t.Errorf("order item = %q / %s, want a title + 30 VOTE", title, amount)
|
||||
}
|
||||
|
||||
// order_status_change phase: VK's own order id is the idempotency key.
|
||||
paid, _ := payments.MoneyFromMinor(30, payments.CurrencyVote)
|
||||
out, err := svc.Fund(ctx, res.OrderID, "vk", "vk-order-777", paid)
|
||||
if err != nil {
|
||||
t.Fatalf("vk fund: %v", err)
|
||||
}
|
||||
if out.AlreadyCredited || out.Chips != 200 || out.Source != payments.SourceVK {
|
||||
t.Fatalf("vk fund outcome = %+v, want 200 chips credited to vk", out)
|
||||
}
|
||||
if got := readBalance(t, acc, "vk"); got != 200 {
|
||||
t.Errorf("vk balance after fund = %d, want 200", got)
|
||||
}
|
||||
|
||||
// A duplicate VK callback (same VK order id) credits nothing more.
|
||||
out2, err := svc.Fund(ctx, res.OrderID, "vk", "vk-order-777", paid)
|
||||
if err != nil {
|
||||
t.Fatalf("duplicate vk fund: %v", err)
|
||||
}
|
||||
if !out2.AlreadyCredited {
|
||||
t.Error("duplicate VK callback not flagged AlreadyCredited")
|
||||
}
|
||||
if got := readBalance(t, acc, "vk"); got != 200 {
|
||||
t.Errorf("vk balance after duplicate = %d, want 200 (credited once)", got)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsTelegramStarsRail exercises the Telegram Stars rail over Postgres: an order prices the
|
||||
// pack in whole stars (XTR); a pre_checkout on the pending order is approved; the forwarded payment
|
||||
// credits the telegram segment exactly once (idempotent on the Telegram charge id); and a
|
||||
// pre_checkout after the order is paid is declined (a reusable invoice link paid twice).
|
||||
func TestPaymentsTelegramStarsRail(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
prod := seedPackProduct(t, 50, methodPrice{method: "telegram", currency: "XTR", amount: 40}) // 40 stars fund 50 chips
|
||||
|
||||
res, err := svc.CreateOrder(ctx, acc, payments.NewContext("telegram", "android"), []payments.Source{payments.SourceTelegram}, prod, "telegram")
|
||||
if err != nil {
|
||||
t.Fatalf("create telegram order: %v", err)
|
||||
}
|
||||
if res.Amount.Currency() != payments.CurrencyStar || res.Amount.Minor() != 40 {
|
||||
t.Fatalf("telegram order amount = %s, want 40 XTR", res.Amount)
|
||||
}
|
||||
|
||||
// pre_checkout on the pending order: approved, and it reports the account for reason localisation.
|
||||
starAmt, _ := payments.MoneyFromMinor(40, payments.CurrencyStar)
|
||||
pc, err := svc.ValidatePreCheckout(ctx, res.OrderID, starAmt)
|
||||
if err != nil {
|
||||
t.Fatalf("pre_checkout: %v", err)
|
||||
}
|
||||
if !pc.OK || pc.AccountID != acc {
|
||||
t.Fatalf("pre_checkout = %+v, want approved for account %s", pc, acc)
|
||||
}
|
||||
|
||||
// The forwarded successful_payment credits once, idempotent on the Telegram charge id.
|
||||
out, err := svc.Fund(ctx, res.OrderID, "telegram", "tg-charge-1", starAmt)
|
||||
if err != nil {
|
||||
t.Fatalf("telegram fund: %v", err)
|
||||
}
|
||||
if out.AlreadyCredited || out.Chips != 50 || out.Source != payments.SourceTelegram {
|
||||
t.Fatalf("telegram fund outcome = %+v, want 50 chips credited to telegram", out)
|
||||
}
|
||||
if got := readBalance(t, acc, "telegram"); got != 50 {
|
||||
t.Errorf("telegram balance after fund = %d, want 50", got)
|
||||
}
|
||||
|
||||
// A retried forward (same charge id, e.g. a lost ack) credits nothing more.
|
||||
out2, err := svc.Fund(ctx, res.OrderID, "telegram", "tg-charge-1", starAmt)
|
||||
if err != nil {
|
||||
t.Fatalf("duplicate telegram fund: %v", err)
|
||||
}
|
||||
if !out2.AlreadyCredited {
|
||||
t.Error("retried forward not flagged AlreadyCredited")
|
||||
}
|
||||
if got := readBalance(t, acc, "telegram"); got != 50 {
|
||||
t.Errorf("telegram balance after retry = %d, want 50 (credited once)", got)
|
||||
}
|
||||
|
||||
// pre_checkout after the order is paid: declined (the reusable-link double-pay guard).
|
||||
pc2, err := svc.ValidatePreCheckout(ctx, res.OrderID, starAmt)
|
||||
if err != nil {
|
||||
t.Fatalf("pre_checkout after paid: %v", err)
|
||||
}
|
||||
if pc2.OK || pc2.Reason != payments.PreCheckoutAlreadyPaid {
|
||||
t.Errorf("pre_checkout after paid = %+v, want a decline with already_paid", pc2)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsTelegramPreCheckoutDeclines covers the pre_checkout decline reasons: an unknown order
|
||||
// and an amount that no longer matches.
|
||||
func TestPaymentsTelegramPreCheckoutDeclines(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
starAmt, _ := payments.MoneyFromMinor(40, payments.CurrencyStar)
|
||||
|
||||
// An unknown order id declines as gone, with no account to localise against.
|
||||
pc, err := svc.ValidatePreCheckout(ctx, uuid.New(), starAmt)
|
||||
if err != nil {
|
||||
t.Fatalf("pre_checkout unknown: %v", err)
|
||||
}
|
||||
if pc.OK || pc.Reason != payments.PreCheckoutGone || pc.AccountID != (uuid.UUID{}) {
|
||||
t.Errorf("pre_checkout unknown = %+v, want a gone decline with no account", pc)
|
||||
}
|
||||
|
||||
// A pending order validated at the wrong amount declines as price-changed.
|
||||
acc := uuid.New()
|
||||
prod := seedPackProduct(t, 100, methodPrice{method: "telegram", currency: "XTR", amount: 80})
|
||||
res, err := svc.CreateOrder(ctx, acc, payments.NewContext("telegram", "android"), []payments.Source{payments.SourceTelegram}, prod, "telegram")
|
||||
if err != nil {
|
||||
t.Fatalf("create telegram order: %v", err)
|
||||
}
|
||||
wrong, _ := payments.MoneyFromMinor(40, payments.CurrencyStar)
|
||||
pc2, err := svc.ValidatePreCheckout(ctx, res.OrderID, wrong)
|
||||
if err != nil {
|
||||
t.Fatalf("pre_checkout mismatch: %v", err)
|
||||
}
|
||||
if pc2.OK || pc2.Reason != payments.PreCheckoutPriceChanged {
|
||||
t.Errorf("pre_checkout mismatch = %+v, want a price_changed decline", pc2)
|
||||
}
|
||||
}
|
||||
|
||||
// setRewardConfig sets the rewarded payout and caps on the shared config row, restoring the defaults
|
||||
// after the test (the row is a singleton shared across the sequential suite).
|
||||
func setRewardConfig(t *testing.T, payout, dailyCap, hourlyCap int) {
|
||||
t.Helper()
|
||||
if _, err := testDB.ExecContext(context.Background(),
|
||||
`UPDATE payments.config SET rewarded_payout_chips=$1, reward_daily_cap=$2, reward_hourly_cap=$3`,
|
||||
payout, dailyCap, hourlyCap); err != nil {
|
||||
t.Fatalf("set reward config: %v", err)
|
||||
}
|
||||
t.Cleanup(func() {
|
||||
_, _ = testDB.ExecContext(context.Background(),
|
||||
`UPDATE payments.config SET rewarded_payout_chips=0, reward_daily_cap=50, reward_hourly_cap=10`)
|
||||
})
|
||||
}
|
||||
|
||||
// TestPaymentsRewardCredit exercises the rewarded-video credit: a watched view credits the VK segment
|
||||
// the configured payout, a retried view (same nonce) credits once, and the hourly cap blocks the
|
||||
// third distinct view.
|
||||
func TestPaymentsRewardCredit(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
setRewardConfig(t, 5, 5, 2) // 5 chips/view, daily 5, hourly 2
|
||||
vk := payments.NewContext("vk", "web")
|
||||
present := []payments.Source{payments.SourceVK}
|
||||
|
||||
out, err := svc.CreditReward(ctx, acc, vk, present, "n1")
|
||||
if err != nil {
|
||||
t.Fatalf("credit: %v", err)
|
||||
}
|
||||
if out.Chips != 5 || out.Capped {
|
||||
t.Fatalf("reward outcome = %+v, want 5 chips, not capped", out)
|
||||
}
|
||||
if got := readBalance(t, acc, "vk"); got != 5 {
|
||||
t.Errorf("vk balance = %d, want 5", got)
|
||||
}
|
||||
|
||||
// A retried view (same nonce) credits nothing more.
|
||||
out2, err := svc.CreditReward(ctx, acc, vk, present, "n1")
|
||||
if err != nil {
|
||||
t.Fatalf("retry: %v", err)
|
||||
}
|
||||
if !out2.AlreadyCredited {
|
||||
t.Error("retried view not flagged AlreadyCredited")
|
||||
}
|
||||
if got := readBalance(t, acc, "vk"); got != 5 {
|
||||
t.Errorf("vk balance after retry = %d, want 5 (credited once)", got)
|
||||
}
|
||||
|
||||
// A second distinct view credits again (2 total).
|
||||
if _, err := svc.CreditReward(ctx, acc, vk, present, "n2"); err != nil {
|
||||
t.Fatalf("credit 2: %v", err)
|
||||
}
|
||||
if got := readBalance(t, acc, "vk"); got != 10 {
|
||||
t.Errorf("vk balance = %d, want 10", got)
|
||||
}
|
||||
|
||||
// The third distinct view hits the hourly cap (2) — capped, no credit.
|
||||
out3, err := svc.CreditReward(ctx, acc, vk, present, "n3")
|
||||
if err != nil {
|
||||
t.Fatalf("credit 3: %v", err)
|
||||
}
|
||||
if !out3.Capped {
|
||||
t.Error("third view not capped (hourly cap 2)")
|
||||
}
|
||||
if got := readBalance(t, acc, "vk"); got != 10 {
|
||||
t.Errorf("vk balance after cap = %d, want 10 (capped view credited nothing)", got)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsRewardDisabledAndContext verifies rewarded is inert when unconfigured (0 payout) and
|
||||
// refused outside a VK context (rewarded is VK-only, D28).
|
||||
func TestPaymentsRewardDisabledAndContext(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
setRewardConfig(t, 0, 50, 10) // payout 0 = disabled
|
||||
|
||||
vk := payments.NewContext("vk", "web")
|
||||
out, err := svc.CreditReward(ctx, acc, vk, []payments.Source{payments.SourceVK}, "d1")
|
||||
if err != nil {
|
||||
t.Fatalf("credit (disabled): %v", err)
|
||||
}
|
||||
if out.Chips != 0 || out.Capped || out.AlreadyCredited {
|
||||
t.Fatalf("disabled reward outcome = %+v, want 0 chips, not capped", out)
|
||||
}
|
||||
|
||||
// A direct (non-VK) context is refused — rewarded is VK-only.
|
||||
direct := payments.NewContext("direct", "web")
|
||||
if _, err := svc.CreditReward(ctx, acc, direct, []payments.Source{payments.SourceDirect}, "d2"); !errors.Is(err, payments.ErrUntrusted) {
|
||||
t.Fatalf("direct-context reward = %v, want ErrUntrusted", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsFundAmountMismatch verifies a callback whose paid amount does not match the order is
|
||||
// refused and credits nothing (§9: verify the amount after matching by order id).
|
||||
func TestPaymentsFundAmountMismatch(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
prod := seedPackProduct(t, 100, methodPrice{method: "direct", currency: "RUB", amount: 14900})
|
||||
|
||||
res, err := svc.CreateOrder(ctx, acc, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod, "robokassa")
|
||||
if err != nil {
|
||||
t.Fatalf("create order: %v", err)
|
||||
}
|
||||
underpaid, _ := payments.MoneyFromMinor(100, payments.CurrencyRUB)
|
||||
if _, err := svc.Fund(ctx, res.OrderID, "robokassa", res.OrderID.String(), underpaid); !errors.Is(err, payments.ErrAmountMismatch) {
|
||||
t.Fatalf("fund = %v, want ErrAmountMismatch", err)
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 0 {
|
||||
t.Errorf("balance = %d, want 0 (nothing credited on mismatch)", got)
|
||||
}
|
||||
if ledgerRows(t, acc, "fund") != 0 {
|
||||
t.Error("fund ledger row written on an amount mismatch")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsEventDispatchDrain verifies the payment_events dispatcher queue: a recorded event is
|
||||
// returned as undispatched until marked, then drops out (so the dispatcher delivers it once).
|
||||
func TestPaymentsEventDispatchDrain(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
if err := svc.RecordPaymentEvent(ctx, acc, nil, "succeeded", []byte(`{"chips":10,"source":"direct"}`)); err != nil {
|
||||
t.Fatalf("record event: %v", err)
|
||||
}
|
||||
|
||||
// testDB is shared, so filter the queue to our account.
|
||||
find := func() *payments.PaymentEvent {
|
||||
evs, err := svc.UndispatchedEvents(ctx, 100)
|
||||
if err != nil {
|
||||
t.Fatalf("undispatched: %v", err)
|
||||
}
|
||||
for i := range evs {
|
||||
if evs[i].AccountID == acc {
|
||||
return &evs[i]
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
mine := find()
|
||||
if mine == nil {
|
||||
t.Fatal("recorded event not in the undispatched queue")
|
||||
}
|
||||
if mine.Type != "succeeded" {
|
||||
t.Errorf("event type = %s, want succeeded", mine.Type)
|
||||
}
|
||||
if err := svc.MarkEventDispatched(ctx, mine.EventID); err != nil {
|
||||
t.Fatalf("mark dispatched: %v", err)
|
||||
}
|
||||
if find() != nil {
|
||||
t.Error("event still undispatched after MarkEventDispatched")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsExpiredOrderStillCredits verifies an expired pending order is still honoured by a
|
||||
// later valid callback (§9/D23: expiry is cosmetic, the money is real).
|
||||
func TestPaymentsExpiredOrderStillCredits(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
prod := seedPackProduct(t, 100, methodPrice{method: "direct", currency: "RUB", amount: 14900})
|
||||
|
||||
res, err := svc.CreateOrder(ctx, acc, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod, "robokassa")
|
||||
if err != nil {
|
||||
t.Fatalf("create order: %v", err)
|
||||
}
|
||||
// Age the order well past the configured TTL, then sweep it to expired.
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`UPDATE payments.orders SET created_at = now() - interval '1 day' WHERE order_id=$1`, res.OrderID); err != nil {
|
||||
t.Fatalf("age order: %v", err)
|
||||
}
|
||||
if n, err := svc.ExpireOrders(ctx); err != nil || n < 1 {
|
||||
t.Fatalf("expire orders = %d (err %v), want at least 1", n, err)
|
||||
}
|
||||
if orderStatus(t, res.OrderID) != "expired" {
|
||||
t.Fatalf("order status = %s, want expired before the late callback", orderStatus(t, res.OrderID))
|
||||
}
|
||||
|
||||
paid, _ := payments.MoneyFromMinor(14900, payments.CurrencyRUB)
|
||||
out, err := svc.Fund(ctx, res.OrderID, "robokassa", res.OrderID.String(), paid)
|
||||
if err != nil {
|
||||
t.Fatalf("fund after expiry: %v", err)
|
||||
}
|
||||
if out.AlreadyCredited || out.Chips != 100 {
|
||||
t.Fatalf("fund outcome = %+v, want a fresh 100-chip credit", out)
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 100 {
|
||||
t.Errorf("balance = %d, want 100 (expired order honoured)", got)
|
||||
}
|
||||
if orderStatus(t, res.OrderID) != "paid" {
|
||||
t.Errorf("order status = %s, want paid after the honoured callback", orderStatus(t, res.OrderID))
|
||||
}
|
||||
}
|
||||
|
||||
// fundedOrder creates and funds an order for chips in the direct rail, returning its id and account.
|
||||
func fundedOrder(t *testing.T, svc *payments.Service, chips int, priceMinor int64) (uuid.UUID, uuid.UUID) {
|
||||
t.Helper()
|
||||
ctx := context.Background()
|
||||
acc := uuid.New()
|
||||
prod := seedPackProduct(t, chips, methodPrice{method: "direct", currency: "RUB", amount: priceMinor})
|
||||
res, err := svc.CreateOrder(ctx, acc, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod, "robokassa")
|
||||
if err != nil {
|
||||
t.Fatalf("create order: %v", err)
|
||||
}
|
||||
paid, _ := payments.MoneyFromMinor(priceMinor, payments.CurrencyRUB)
|
||||
if _, err := svc.Fund(ctx, res.OrderID, "robokassa", res.OrderID.String(), paid); err != nil {
|
||||
t.Fatalf("fund: %v", err)
|
||||
}
|
||||
return res.OrderID, acc
|
||||
}
|
||||
|
||||
// TestPaymentsRefundFull reverses a fully-unspent order: all chips are clawed back, no loss/abuse.
|
||||
func TestPaymentsRefundFull(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
orderID, acc := fundedOrder(t, svc, 100, 14900)
|
||||
|
||||
refunded, _ := payments.MoneyFromMinor(14900, payments.CurrencyRUB)
|
||||
out, err := svc.Refund(ctx, orderID, "robokassa", "rk-refund-1", refunded)
|
||||
if err != nil {
|
||||
t.Fatalf("refund: %v", err)
|
||||
}
|
||||
if out.AlreadyRefunded || out.Revoked != 100 || out.Loss != 0 || out.Source != payments.SourceDirect {
|
||||
t.Fatalf("refund outcome = %+v, want 100 revoked, 0 loss", out)
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 0 {
|
||||
t.Errorf("balance after refund = %d, want 0", got)
|
||||
}
|
||||
if ledgerRows(t, acc, "refund") != 1 {
|
||||
t.Errorf("refund ledger rows = %d, want 1", ledgerRows(t, acc, "refund"))
|
||||
}
|
||||
if abuse, loss := readRisk(t, acc); abuse || loss != 0 {
|
||||
t.Errorf("risk = (%v, %d), want (false, 0) — nothing was spent", abuse, loss)
|
||||
}
|
||||
// The order stays 'paid' — the refund lives in the ledger, not in the order status.
|
||||
if orderStatus(t, orderID) != "paid" {
|
||||
t.Errorf("order status = %s, want paid (refund is ledger-only)", orderStatus(t, orderID))
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsRefundAfterSpend reverses an order whose chips were partly spent: the reversal floors
|
||||
// at 0 (never negative), and the unrecoverable remainder is recorded as a loss + abuse flag.
|
||||
func TestPaymentsRefundAfterSpend(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
orderID, acc := fundedOrder(t, svc, 100, 14900)
|
||||
|
||||
// Simulate 70 chips already spent, leaving 30 in the funded segment.
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`UPDATE payments.balances SET chips = 30 WHERE account_id = $1 AND source = 'direct'`, acc); err != nil {
|
||||
t.Fatalf("simulate spend: %v", err)
|
||||
}
|
||||
|
||||
refunded, _ := payments.MoneyFromMinor(14900, payments.CurrencyRUB)
|
||||
out, err := svc.Refund(ctx, orderID, "robokassa", "rk-refund-2", refunded)
|
||||
if err != nil {
|
||||
t.Fatalf("refund: %v", err)
|
||||
}
|
||||
if out.Revoked != 30 || out.Loss != 70 {
|
||||
t.Fatalf("refund outcome = %+v, want 30 revoked / 70 loss", out)
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 0 {
|
||||
t.Errorf("balance after refund = %d, want 0 (floored, never negative)", got)
|
||||
}
|
||||
if abuse, loss := readRisk(t, acc); !abuse || loss != 70 {
|
||||
t.Errorf("risk = (%v, %d), want (true, 70)", abuse, loss)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsRefundIdempotent verifies a replayed refund (same provider refund id) reverses nothing
|
||||
// more — the ledger idempotency index holds.
|
||||
func TestPaymentsRefundIdempotent(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
orderID, acc := fundedOrder(t, svc, 100, 14900)
|
||||
refunded, _ := payments.MoneyFromMinor(14900, payments.CurrencyRUB)
|
||||
|
||||
if _, err := svc.Refund(ctx, orderID, "robokassa", "rk-refund-dup", refunded); err != nil {
|
||||
t.Fatalf("first refund: %v", err)
|
||||
}
|
||||
// Re-credit the segment to prove the duplicate does not revoke again.
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`UPDATE payments.balances SET chips = 100 WHERE account_id = $1 AND source = 'direct'`, acc); err != nil {
|
||||
t.Fatalf("re-credit: %v", err)
|
||||
}
|
||||
out2, err := svc.Refund(ctx, orderID, "robokassa", "rk-refund-dup", refunded)
|
||||
if err != nil {
|
||||
t.Fatalf("duplicate refund: %v", err)
|
||||
}
|
||||
if !out2.AlreadyRefunded {
|
||||
t.Error("duplicate refund not flagged AlreadyRefunded")
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 100 {
|
||||
t.Errorf("balance after duplicate refund = %d, want 100 (not revoked twice)", got)
|
||||
}
|
||||
if ledgerRows(t, acc, "refund") != 1 {
|
||||
t.Errorf("refund ledger rows = %d, want 1 (duplicate wrote none)", ledgerRows(t, acc, "refund"))
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsRefundUnpaidOrder refuses to refund an order that was never funded.
|
||||
func TestPaymentsRefundUnpaidOrder(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
prod := seedPackProduct(t, 100, methodPrice{method: "direct", currency: "RUB", amount: 14900})
|
||||
res, err := svc.CreateOrder(ctx, acc, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod, "robokassa")
|
||||
if err != nil {
|
||||
t.Fatalf("create order: %v", err)
|
||||
}
|
||||
refunded, _ := payments.MoneyFromMinor(14900, payments.CurrencyRUB)
|
||||
if _, err := svc.Refund(ctx, res.OrderID, "robokassa", "rk-refund-x", refunded); !errors.Is(err, payments.ErrOrderNotPaid) {
|
||||
t.Fatalf("refund of a pending order = %v, want ErrOrderNotPaid", err)
|
||||
}
|
||||
if abuse, loss := readRisk(t, acc); abuse || loss != 0 {
|
||||
t.Errorf("risk = (%v, %d), want (false, 0) — no reversal on an unpaid order", abuse, loss)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,101 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/payments"
|
||||
)
|
||||
|
||||
// TestAccountStatement checks the admin financial statement: a funded pack shows as a chip segment
|
||||
// + a fund ledger row, an admin grant as a benefit + an admin_grant row, the ledger is newest-first,
|
||||
// and a clean account carries no refund risk.
|
||||
func TestAccountStatement(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
|
||||
// A funded pack: 100 chips to the direct segment + a fund ledger row.
|
||||
prod := seedPackProduct(t, 100, methodPrice{method: "direct", currency: "RUB", amount: 14900})
|
||||
res, err := svc.CreateOrder(ctx, acc, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod, "robokassa")
|
||||
if err != nil {
|
||||
t.Fatalf("create order: %v", err)
|
||||
}
|
||||
paid, _ := payments.MoneyFromMinor(14900, payments.CurrencyRUB)
|
||||
if _, err := svc.Fund(ctx, res.OrderID, "robokassa", res.OrderID.String(), paid); err != nil {
|
||||
t.Fatalf("fund: %v", err)
|
||||
}
|
||||
// An admin grant: 5 hints to the direct origin + an admin_grant ledger row.
|
||||
if err := svc.Grant(ctx, acc, payments.SourceDirect, 5, 0, false); err != nil {
|
||||
t.Fatalf("grant: %v", err)
|
||||
}
|
||||
|
||||
stmt, err := svc.AccountStatement(ctx, acc)
|
||||
if err != nil {
|
||||
t.Fatalf("statement: %v", err)
|
||||
}
|
||||
|
||||
if len(stmt.Segments) != 1 || stmt.Segments[0].Source != payments.SourceDirect || stmt.Segments[0].Chips != 100 {
|
||||
t.Fatalf("segments = %+v, want 100 chips on direct", stmt.Segments)
|
||||
}
|
||||
if len(stmt.Benefits) != 1 || stmt.Benefits[0].Origin != payments.SourceDirect || stmt.Benefits[0].Hints != 5 {
|
||||
t.Fatalf("benefits = %+v, want 5 hints on direct", stmt.Benefits)
|
||||
}
|
||||
if len(stmt.Ledger) != 2 {
|
||||
t.Fatalf("ledger rows = %d, want 2 (fund + admin_grant)", len(stmt.Ledger))
|
||||
}
|
||||
// Newest-first ordering (the grant is the later write).
|
||||
if stmt.Ledger[0].CreatedAt.Before(stmt.Ledger[1].CreatedAt) {
|
||||
t.Error("ledger is not newest-first")
|
||||
}
|
||||
kinds := map[string]int{}
|
||||
for _, e := range stmt.Ledger {
|
||||
kinds[e.Kind]++
|
||||
if e.Kind == "fund" && e.ChipsDelta != 100 {
|
||||
t.Errorf("fund chips delta = %d, want 100", e.ChipsDelta)
|
||||
}
|
||||
}
|
||||
if kinds["fund"] != 1 || kinds["admin_grant"] != 1 {
|
||||
t.Fatalf("ledger kinds = %v, want one fund + one admin_grant", kinds)
|
||||
}
|
||||
if stmt.Risk.Present {
|
||||
t.Errorf("risk = %+v, want none for a clean account", stmt.Risk)
|
||||
}
|
||||
}
|
||||
|
||||
// TestConsoleFinancePanel checks the user card renders the finance panel: a funded pack + an admin
|
||||
// grant surface as the segment balance, the benefit and the ledger rows.
|
||||
func TestConsoleFinancePanel(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
srv, _, pay := bannerServer(t)
|
||||
id := provisionAccount(t)
|
||||
|
||||
prod := seedPackProduct(t, 100, methodPrice{method: "direct", currency: "RUB", amount: 14900})
|
||||
res, err := pay.CreateOrder(ctx, id, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod, "robokassa")
|
||||
if err != nil {
|
||||
t.Fatalf("create order: %v", err)
|
||||
}
|
||||
paid, _ := payments.MoneyFromMinor(14900, payments.CurrencyRUB)
|
||||
if _, err := pay.Fund(ctx, res.OrderID, "robokassa", res.OrderID.String(), paid); err != nil {
|
||||
t.Fatalf("fund: %v", err)
|
||||
}
|
||||
if err := pay.Grant(ctx, id, payments.SourceDirect, 5, 0, false); err != nil {
|
||||
t.Fatalf("grant: %v", err)
|
||||
}
|
||||
|
||||
code, body := consoleDo(srv.Handler(), http.MethodGet, "http://admin.test/_gm/users/"+id.String(), "", "")
|
||||
if code != http.StatusOK {
|
||||
t.Fatalf("user card = %d, want 200", code)
|
||||
}
|
||||
for _, want := range []string{"Finance", "Chips (direct)", "Benefits (direct)", "5 hints", "admin_grant", "fund"} {
|
||||
if !strings.Contains(body, want) {
|
||||
t.Errorf("finance panel missing %q", want)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,263 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
"github.com/jackc/pgx/v5/pgconn"
|
||||
"github.com/pressly/goose/v3"
|
||||
testcontainers "github.com/testcontainers/testcontainers-go"
|
||||
tcpostgres "github.com/testcontainers/testcontainers-go/modules/postgres"
|
||||
"github.com/testcontainers/testcontainers-go/wait"
|
||||
|
||||
"scrabble/backend/internal/postgres"
|
||||
"scrabble/backend/internal/postgres/migrations"
|
||||
)
|
||||
|
||||
// isPgCode reports whether err is a PostgreSQL server error with the given
|
||||
// SQLSTATE code.
|
||||
func isPgCode(err error, code string) bool {
|
||||
var pgErr *pgconn.PgError
|
||||
return errors.As(err, &pgErr) && pgErr.Code == code
|
||||
}
|
||||
|
||||
// TestPaymentsSchemaAndSeeds checks the payments schema, its role and the fixed
|
||||
// seed rows are present after migration.
|
||||
func TestPaymentsSchemaAndSeeds(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
var atoms int
|
||||
if err := testDB.QueryRowContext(ctx, "SELECT count(*) FROM payments.catalog_atom").Scan(&atoms); err != nil {
|
||||
t.Fatalf("count catalog_atom: %v", err)
|
||||
}
|
||||
if atoms != 4 {
|
||||
t.Errorf("catalog_atom rows = %d, want 4 (chips/hints/noads_days/tournament)", atoms)
|
||||
}
|
||||
|
||||
var cfg int
|
||||
if err := testDB.QueryRowContext(ctx, "SELECT count(*) FROM payments.config").Scan(&cfg); err != nil {
|
||||
t.Fatalf("count config: %v", err)
|
||||
}
|
||||
if cfg != 1 {
|
||||
t.Errorf("config rows = %d, want the single seeded row", cfg)
|
||||
}
|
||||
|
||||
var roleExists bool
|
||||
if err := testDB.QueryRowContext(ctx, "SELECT EXISTS(SELECT 1 FROM pg_roles WHERE rolname = 'payments')").Scan(&roleExists); err != nil {
|
||||
t.Fatalf("check payments role: %v", err)
|
||||
}
|
||||
if !roleExists {
|
||||
t.Error("payments role missing")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsRoleConfinement proves the payments role is confined to its own
|
||||
// schema: it can read payments.* but is denied on backend.*. The application
|
||||
// itself connects as a superuser (which bypasses this), so this asserts the
|
||||
// grants are correct as the stepping-stone to a real separate login; the runtime
|
||||
// wall for the superuser pool is the import-boundary test in the payments package.
|
||||
func TestPaymentsRoleConfinement(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
tx, err := testDB.BeginTx(ctx, nil)
|
||||
if err != nil {
|
||||
t.Fatalf("begin tx: %v", err)
|
||||
}
|
||||
defer func() { _ = tx.Rollback() }()
|
||||
|
||||
if _, err := tx.ExecContext(ctx, "SET LOCAL ROLE payments"); err != nil {
|
||||
t.Fatalf("SET LOCAL ROLE payments: %v", err)
|
||||
}
|
||||
|
||||
// The payments role can read its own schema.
|
||||
var n int
|
||||
if err := tx.QueryRowContext(ctx, "SELECT count(*) FROM payments.config").Scan(&n); err != nil {
|
||||
t.Errorf("payments role denied on payments.config (grants wrong): %v", err)
|
||||
}
|
||||
|
||||
// The payments role must NOT reach the backend schema.
|
||||
err = tx.QueryRowContext(ctx, "SELECT count(*) FROM backend.accounts").Scan(&n)
|
||||
if err == nil {
|
||||
t.Fatal("payments role could read backend.accounts — cross-schema isolation broken")
|
||||
}
|
||||
if !isPgCode(err, "42501") {
|
||||
t.Errorf("reading backend.accounts as payments: got %v, want permission-denied (42501)", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsLedgerAppendOnly verifies the append-only trigger rejects any
|
||||
// UPDATE or DELETE on the ledger (a superuser is bound by the trigger, unlike a
|
||||
// mere privilege REVOKE).
|
||||
func TestPaymentsLedgerAppendOnly(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
id := uuid.New()
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO payments.ledger (ledger_id, account_id, kind, chips_delta) VALUES ($1, $2, 'admin_grant', 0)`,
|
||||
id, uuid.New()); err != nil {
|
||||
t.Fatalf("insert ledger row: %v", err)
|
||||
}
|
||||
|
||||
if _, err := testDB.ExecContext(ctx, `UPDATE payments.ledger SET chips_delta = 1 WHERE ledger_id = $1`, id); err == nil {
|
||||
t.Error("UPDATE on payments.ledger succeeded — append-only violated")
|
||||
} else if !isPgCode(err, "P0001") {
|
||||
t.Errorf("UPDATE ledger: got %v, want the append-only exception (P0001)", err)
|
||||
}
|
||||
|
||||
if _, err := testDB.ExecContext(ctx, `DELETE FROM payments.ledger WHERE ledger_id = $1`, id); err == nil {
|
||||
t.Error("DELETE on payments.ledger succeeded — append-only violated")
|
||||
} else if !isPgCode(err, "P0001") {
|
||||
t.Errorf("DELETE ledger: got %v, want the append-only exception (P0001)", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsCheckConstraints verifies the domain CHECKs bite: non-negative
|
||||
// balances/hints/amount and the enum-like columns.
|
||||
func TestPaymentsCheckConstraints(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
prod := uuid.New()
|
||||
if _, err := testDB.ExecContext(ctx, `INSERT INTO payments.product (product_id, title) VALUES ($1, 'test')`, prod); err != nil {
|
||||
t.Fatalf("insert product: %v", err)
|
||||
}
|
||||
|
||||
cases := []struct {
|
||||
name string
|
||||
sql string
|
||||
args []any
|
||||
}{
|
||||
{"balances chips negative", `INSERT INTO payments.balances (account_id, source, chips) VALUES ($1, 'vk', -1)`, []any{uuid.New()}},
|
||||
{"balances bad source", `INSERT INTO payments.balances (account_id, source, chips) VALUES ($1, 'nope', 0)`, []any{uuid.New()}},
|
||||
{"benefits hints negative", `INSERT INTO payments.benefits (account_id, origin, hints) VALUES ($1, 'vk', -1)`, []any{uuid.New()}},
|
||||
{"ledger bad kind", `INSERT INTO payments.ledger (ledger_id, account_id, kind) VALUES ($1, $2, 'bogus')`, []any{uuid.New(), uuid.New()}},
|
||||
{"product_price amount negative", `INSERT INTO payments.product_price (product_id, method, currency, amount) VALUES ($1, 'direct', 'RUB', -1)`, []any{prod}},
|
||||
{"product_price bad currency", `INSERT INTO payments.product_price (product_id, method, currency, amount) VALUES ($1, 'direct', 'EUR', 100)`, []any{prod}},
|
||||
}
|
||||
for _, c := range cases {
|
||||
if _, err := testDB.ExecContext(ctx, c.sql, c.args...); err == nil {
|
||||
t.Errorf("%s: insert succeeded, want a CHECK violation", c.name)
|
||||
} else if !isPgCode(err, "23514") {
|
||||
t.Errorf("%s: got %v, want check_violation (23514)", c.name, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsLedgerIdempotencyIndex verifies the partial unique index makes a
|
||||
// (provider, provider_payment_id) pair collide once but leaves NULL-keyed rows
|
||||
// unconstrained.
|
||||
func TestPaymentsLedgerIdempotencyIndex(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
insert := func(ppid *string) error {
|
||||
_, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO payments.ledger (ledger_id, account_id, kind, provider, provider_payment_id) VALUES ($1, $2, 'fund', 'robokassa', $3)`,
|
||||
uuid.New(), uuid.New(), ppid)
|
||||
return err
|
||||
}
|
||||
|
||||
ppid := "inv-" + uuid.NewString()
|
||||
if err := insert(&ppid); err != nil {
|
||||
t.Fatalf("first insert: %v", err)
|
||||
}
|
||||
if err := insert(&ppid); err == nil {
|
||||
t.Error("duplicate (provider, provider_payment_id) inserted — idempotency index missing")
|
||||
} else if !isPgCode(err, "23505") {
|
||||
t.Errorf("duplicate insert: got %v, want unique_violation (23505)", err)
|
||||
}
|
||||
|
||||
// A NULL provider_payment_id is outside the partial index — repeats allowed.
|
||||
if err := insert(nil); err != nil {
|
||||
t.Fatalf("first null-ppid insert: %v", err)
|
||||
}
|
||||
if err := insert(nil); err != nil {
|
||||
t.Errorf("second null-ppid insert should be allowed by the partial index: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsMigrationReversible proves the migration is expand-contract: it
|
||||
// applies, rolls fully back (schema, role, trigger and all), and re-applies
|
||||
// cleanly — so a backend image rollback stays DB-safe. It uses its own container
|
||||
// so the Down does not disturb the shared suite database.
|
||||
func TestPaymentsMigrationReversible(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
container, err := tcpostgres.Run(ctx, pgImage,
|
||||
tcpostgres.WithDatabase(pgDatabase),
|
||||
tcpostgres.WithUsername(pgUser),
|
||||
tcpostgres.WithPassword(pgPassword),
|
||||
testcontainers.WithWaitStrategy(
|
||||
wait.ForLog("database system is ready to accept connections").
|
||||
WithOccurrence(2).
|
||||
WithStartupTimeout(containerStartup),
|
||||
),
|
||||
)
|
||||
if err != nil {
|
||||
t.Fatalf("start container: %v", err)
|
||||
}
|
||||
defer func() { _ = container.Terminate(context.Background()) }()
|
||||
|
||||
baseDSN, err := container.ConnectionString(ctx, "sslmode=disable")
|
||||
if err != nil {
|
||||
t.Fatalf("connection string: %v", err)
|
||||
}
|
||||
dsn, err := withSearchPath(baseDSN, pgSchema)
|
||||
if err != nil {
|
||||
t.Fatalf("search path: %v", err)
|
||||
}
|
||||
cfg := postgres.DefaultConfig()
|
||||
cfg.DSN = dsn
|
||||
db, err := postgres.Open(ctx, cfg)
|
||||
if err != nil {
|
||||
t.Fatalf("open pool: %v", err)
|
||||
}
|
||||
defer func() { _ = db.Close() }()
|
||||
|
||||
// Up: apply every migration, including the payments foundation.
|
||||
if err := postgres.ApplyMigrations(ctx, db); err != nil {
|
||||
t.Fatalf("apply up: %v", err)
|
||||
}
|
||||
if !schemaExists(ctx, t, db, "payments") {
|
||||
t.Fatal("payments schema absent after up")
|
||||
}
|
||||
|
||||
// Down the payments migration and assert a clean teardown.
|
||||
goose.SetBaseFS(migrations.Migrations())
|
||||
defer goose.SetBaseFS(nil)
|
||||
if err := goose.SetDialect("postgres"); err != nil {
|
||||
t.Fatalf("set dialect: %v", err)
|
||||
}
|
||||
if err := goose.DownToContext(ctx, db, ".", 9); err != nil {
|
||||
t.Fatalf("down to 9: %v", err)
|
||||
}
|
||||
if schemaExists(ctx, t, db, "payments") {
|
||||
t.Error("payments schema survived the down migration")
|
||||
}
|
||||
var roleExists bool
|
||||
if err := db.QueryRowContext(ctx, "SELECT EXISTS(SELECT 1 FROM pg_roles WHERE rolname = 'payments')").Scan(&roleExists); err != nil {
|
||||
t.Fatalf("check role after down: %v", err)
|
||||
}
|
||||
if roleExists {
|
||||
t.Error("payments role survived the down migration")
|
||||
}
|
||||
|
||||
// Re-apply and assert it comes back cleanly.
|
||||
if err := goose.UpContext(ctx, db, "."); err != nil {
|
||||
t.Fatalf("re-apply up: %v", err)
|
||||
}
|
||||
if !schemaExists(ctx, t, db, "payments") {
|
||||
t.Fatal("payments schema absent after re-apply")
|
||||
}
|
||||
}
|
||||
|
||||
// schemaExists reports whether a schema of the given name is present.
|
||||
func schemaExists(ctx context.Context, t *testing.T, db *sql.DB, name string) bool {
|
||||
t.Helper()
|
||||
var exists bool
|
||||
if err := db.QueryRowContext(ctx,
|
||||
"SELECT EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name = $1)", name).Scan(&exists); err != nil {
|
||||
t.Fatalf("check schema %s: %v", name, err)
|
||||
}
|
||||
return exists
|
||||
}
|
||||
@@ -0,0 +1,279 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/payments"
|
||||
)
|
||||
|
||||
// seedBalance writes a chip balance for an account+source directly (payments has no FK to
|
||||
// accounts, so a bare uuid is a valid account id here).
|
||||
func seedBalance(t *testing.T, id uuid.UUID, source string, chips int) {
|
||||
t.Helper()
|
||||
if _, err := testDB.ExecContext(context.Background(),
|
||||
`INSERT INTO payments.balances (account_id, source, chips) VALUES ($1,$2,$3)
|
||||
ON CONFLICT (account_id, source) DO UPDATE SET chips = EXCLUDED.chips`,
|
||||
id, source, chips); err != nil {
|
||||
t.Fatalf("seed balance: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// readBalance reads an account's chip balance for a source (0 when the row is absent).
|
||||
func readBalance(t *testing.T, id uuid.UUID, source string) int {
|
||||
t.Helper()
|
||||
var chips int
|
||||
err := testDB.QueryRowContext(context.Background(),
|
||||
`SELECT chips FROM payments.balances WHERE account_id=$1 AND source=$2`, id, source).Scan(&chips)
|
||||
if err != nil && !errors.Is(err, sql.ErrNoRows) {
|
||||
t.Fatalf("read balance: %v", err)
|
||||
}
|
||||
return chips
|
||||
}
|
||||
|
||||
// benefitUntil reads an account's no-ads term end for an origin (nil when none).
|
||||
func benefitUntil(t *testing.T, id uuid.UUID, origin string) *time.Time {
|
||||
t.Helper()
|
||||
var until *time.Time
|
||||
err := testDB.QueryRowContext(context.Background(),
|
||||
`SELECT ads_paid_until FROM payments.benefits WHERE account_id=$1 AND origin=$2`, id, origin).Scan(&until)
|
||||
if err != nil && !errors.Is(err, sql.ErrNoRows) {
|
||||
t.Fatalf("read benefit until: %v", err)
|
||||
}
|
||||
return until
|
||||
}
|
||||
|
||||
// ledgerRows counts an account's ledger rows of a given kind.
|
||||
func ledgerRows(t *testing.T, id uuid.UUID, kind string) int {
|
||||
t.Helper()
|
||||
var n int
|
||||
if err := testDB.QueryRowContext(context.Background(),
|
||||
`SELECT count(*) FROM payments.ledger WHERE account_id=$1 AND kind=$2`, id, kind).Scan(&n); err != nil {
|
||||
t.Fatalf("ledger count: %v", err)
|
||||
}
|
||||
return n
|
||||
}
|
||||
|
||||
// seedValueProduct creates an active chip-priced value: a product with a CHIP price (method
|
||||
// NULL) and the given hint / no-ads-day atoms. It returns the product id.
|
||||
func seedValueProduct(t *testing.T, priceChips, hints, noAdsDays int) uuid.UUID {
|
||||
t.Helper()
|
||||
ctx := context.Background()
|
||||
prod := uuid.New()
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO payments.product (product_id, title, active) VALUES ($1,'test value',true)`, prod); err != nil {
|
||||
t.Fatalf("seed product: %v", err)
|
||||
}
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO payments.product_price (product_id, method, currency, amount) VALUES ($1, NULL, 'CHIP', $2)`,
|
||||
prod, priceChips); err != nil {
|
||||
t.Fatalf("seed price: %v", err)
|
||||
}
|
||||
if hints > 0 {
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO payments.product_item (product_id, atom_type, quantity) VALUES ($1,'hints',$2)`, prod, hints); err != nil {
|
||||
t.Fatalf("seed hints item: %v", err)
|
||||
}
|
||||
}
|
||||
if noAdsDays > 0 {
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO payments.product_item (product_id, atom_type, quantity) VALUES ($1,'noads_days',$2)`, prod, noAdsDays); err != nil {
|
||||
t.Fatalf("seed noads item: %v", err)
|
||||
}
|
||||
}
|
||||
return prod
|
||||
}
|
||||
|
||||
// TestPaymentsSpendAppliesAtomically verifies a chip spend writes the ledger row, decrements the
|
||||
// balance and applies the benefit together over Postgres.
|
||||
func TestPaymentsSpendAppliesAtomically(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
seedBalance(t, acc, "direct", 100)
|
||||
prod := seedValueProduct(t, 60, 3, 30)
|
||||
|
||||
if err := svc.Spend(ctx, acc, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod); err != nil {
|
||||
t.Fatalf("spend: %v", err)
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 40 {
|
||||
t.Errorf("balance after spend = %d, want 40", got)
|
||||
}
|
||||
if hints, _ := readBenefit(t, acc, "direct"); hints != 3 {
|
||||
t.Errorf("hints after spend = %d, want 3", hints)
|
||||
}
|
||||
if benefitUntil(t, acc, "direct") == nil {
|
||||
t.Error("no-ads term not applied by the spend")
|
||||
}
|
||||
if n := ledgerRows(t, acc, "spend"); n != 1 {
|
||||
t.Errorf("spend ledger rows = %d, want 1", n)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsSpendInsufficientNoWrite verifies an under-funded spend is refused and writes
|
||||
// nothing (the balance, benefit and ledger are untouched).
|
||||
func TestPaymentsSpendInsufficientNoWrite(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
seedBalance(t, acc, "direct", 10)
|
||||
prod := seedValueProduct(t, 60, 3, 0)
|
||||
|
||||
if err := svc.Spend(ctx, acc, payments.NewContext("direct", "web"), []payments.Source{payments.SourceDirect}, prod); !errors.Is(err, payments.ErrInsufficientChips) {
|
||||
t.Fatalf("spend = %v, want ErrInsufficientChips", err)
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 10 {
|
||||
t.Errorf("balance changed to %d, want 10 (no write)", got)
|
||||
}
|
||||
if h, _ := readBenefit(t, acc, "direct"); h != 0 {
|
||||
t.Errorf("benefit applied on a refused spend: hints %d", h)
|
||||
}
|
||||
if ledgerRows(t, acc, "spend") != 0 {
|
||||
t.Error("spend ledger row written on a refused spend")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsSpendGuardRollsBack forces the in-transaction guard to bite: with a stale read
|
||||
// cache the draw plan looks affordable, but the guarded decrement matches no row and the whole
|
||||
// transaction rolls back — no ledger row, no benefit, balance unchanged.
|
||||
func TestPaymentsSpendGuardRollsBack(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
seedBalance(t, acc, "direct", 100)
|
||||
present := []payments.Source{payments.SourceDirect}
|
||||
cxt := payments.NewContext("direct", "web")
|
||||
if _, err := svc.Wallet(ctx, acc, cxt, present); err != nil { // warm the cache at 100
|
||||
t.Fatalf("warm: %v", err)
|
||||
}
|
||||
// Drain the real balance behind the cache's back (no invalidation), so the plan over-commits.
|
||||
if _, err := testDB.ExecContext(ctx, `UPDATE payments.balances SET chips = 10 WHERE account_id=$1 AND source='direct'`, acc); err != nil {
|
||||
t.Fatalf("drain: %v", err)
|
||||
}
|
||||
prod := seedValueProduct(t, 60, 3, 0)
|
||||
|
||||
if err := svc.Spend(ctx, acc, cxt, present, prod); !errors.Is(err, payments.ErrInsufficientChips) {
|
||||
t.Fatalf("spend = %v, want ErrInsufficientChips", err)
|
||||
}
|
||||
if got := readBalance(t, acc, "direct"); got != 10 {
|
||||
t.Errorf("balance = %d, want 10 (rolled back)", got)
|
||||
}
|
||||
if ledgerRows(t, acc, "spend") != 0 {
|
||||
t.Error("spend ledger row written despite the rollback")
|
||||
}
|
||||
if h, _ := readBenefit(t, acc, "direct"); h != 0 {
|
||||
t.Error("benefit applied despite the rollback")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsGrantCreditsValuesNotChips verifies admin_grant applies a benefit at price 0
|
||||
// without ever crediting chips (D16).
|
||||
func TestPaymentsGrantCreditsValuesNotChips(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
|
||||
if err := svc.Grant(ctx, acc, payments.SourceDirect, 5, 0, true); err != nil {
|
||||
t.Fatalf("grant: %v", err)
|
||||
}
|
||||
if hints, forever := readBenefit(t, acc, "direct"); hints != 5 || !forever {
|
||||
t.Errorf("granted benefit = hints %d forever %v, want 5/true", hints, forever)
|
||||
}
|
||||
if readBalance(t, acc, "direct") != 0 {
|
||||
t.Error("a grant must not credit chips")
|
||||
}
|
||||
if ledgerRows(t, acc, "admin_grant") != 1 {
|
||||
t.Error("admin_grant ledger row missing")
|
||||
}
|
||||
if ledgerRows(t, acc, "spend") != 0 || ledgerRows(t, acc, "fund") != 0 {
|
||||
t.Error("a grant wrote a non-grant ledger row")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsSpendHintByContext verifies a hint is drawn from an applicable origin, and that a
|
||||
// direct-origin hint is not usable inside a VK context (the compliance wall for hints).
|
||||
func TestPaymentsSpendHintByContext(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
seedBenefit(t, acc, "direct", 2, false)
|
||||
present := []payments.Source{payments.SourceDirect, payments.SourceVK}
|
||||
|
||||
if spent, err := svc.SpendHint(ctx, acc, payments.NewContext("direct", "web"), present); err != nil || !spent {
|
||||
t.Fatalf("web spend hint = %v (err %v), want true", spent, err)
|
||||
}
|
||||
if h, _ := readBenefit(t, acc, "direct"); h != 1 {
|
||||
t.Errorf("hints after spend = %d, want 1", h)
|
||||
}
|
||||
// Inside VK the applicable origins are {vk} only, so the direct-origin hint is untouched.
|
||||
if spent, _ := svc.SpendHint(ctx, acc, payments.NewContext("vk", "android"), present); spent {
|
||||
t.Error("direct-origin hint spent inside VK — compliance wall breached")
|
||||
}
|
||||
if h, _ := readBenefit(t, acc, "direct"); h != 1 {
|
||||
t.Errorf("direct hints changed inside VK = %d, want 1 (untouched)", h)
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsComplianceGateOverPostgres is the named compliance regression at the integration
|
||||
// layer: a direct-origin no-ads benefit applies on the web but never inside a store wrapper.
|
||||
func TestPaymentsComplianceGateOverPostgres(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
acc := uuid.New()
|
||||
if err := svc.Grant(ctx, acc, payments.SourceDirect, 0, 30, false); err != nil {
|
||||
t.Fatalf("grant: %v", err)
|
||||
}
|
||||
present := []payments.Source{payments.SourceDirect, payments.SourceVK}
|
||||
|
||||
if adFree, _ := svc.AdFree(ctx, acc, payments.NewContext("direct", "web"), present); !adFree {
|
||||
t.Error("direct no-ads should apply on web")
|
||||
}
|
||||
if adFree, _ := svc.AdFree(ctx, acc, payments.NewContext("vk", "android"), present); adFree {
|
||||
t.Error("direct no-ads must NOT apply inside VK (compliance wall)")
|
||||
}
|
||||
if adFree, _ := svc.AdFree(ctx, acc, payments.NewContext("telegram", "web"), present); adFree {
|
||||
t.Error("direct no-ads must NOT apply inside Telegram (compliance wall)")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPaymentsMergeFoldsSegmentsAndBenefits verifies the merge folds chip segments (sum) and
|
||||
// benefits (hints sum, forever OR) by origin, and clears the secondary's rows, over Postgres.
|
||||
func TestPaymentsMergeFoldsSegmentsAndBenefits(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
svc := newPaymentsService()
|
||||
primary, secondary := uuid.New(), uuid.New()
|
||||
seedBalance(t, primary, "vk", 10)
|
||||
seedBalance(t, secondary, "vk", 25)
|
||||
seedBenefit(t, primary, "vk", 1, false)
|
||||
seedBenefit(t, secondary, "vk", 4, true)
|
||||
|
||||
tx, err := testDB.BeginTx(ctx, nil)
|
||||
if err != nil {
|
||||
t.Fatalf("begin: %v", err)
|
||||
}
|
||||
if err := svc.MergeTx(ctx, tx, primary, secondary); err != nil {
|
||||
_ = tx.Rollback()
|
||||
t.Fatalf("merge: %v", err)
|
||||
}
|
||||
if err := tx.Commit(); err != nil {
|
||||
t.Fatalf("commit: %v", err)
|
||||
}
|
||||
svc.Invalidate(primary, secondary)
|
||||
|
||||
if got := readBalance(t, primary, "vk"); got != 35 {
|
||||
t.Errorf("merged chips = %d, want 35", got)
|
||||
}
|
||||
if h, forever := readBenefit(t, primary, "vk"); h != 5 || !forever {
|
||||
t.Errorf("merged benefit = hints %d forever %v, want 5/true", h, forever)
|
||||
}
|
||||
if readBalance(t, secondary, "vk") != 0 {
|
||||
t.Error("secondary balance not cleared after merge")
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,192 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/accountdelete"
|
||||
)
|
||||
|
||||
// lastLoginIP reads an account's stamped last-login IP ("" when unset).
|
||||
func lastLoginIP(t *testing.T, accountID uuid.UUID) string {
|
||||
t.Helper()
|
||||
var ip sql.NullString
|
||||
err := testDB.QueryRowContext(context.Background(),
|
||||
"SELECT last_login_ip FROM accounts WHERE account_id = $1", accountID).Scan(&ip)
|
||||
if err != nil {
|
||||
t.Fatalf("read last_login_ip %s: %v", accountID, err)
|
||||
}
|
||||
return ip.String
|
||||
}
|
||||
|
||||
// retainedRow is one row of the retention journal, read directly for assertions.
|
||||
type retainedRow struct {
|
||||
kind, externalID, reason string
|
||||
}
|
||||
|
||||
// retainedRows reads the retention journal for an account, oldest detach first.
|
||||
func retainedRows(t *testing.T, accountID uuid.UUID) []retainedRow {
|
||||
t.Helper()
|
||||
rows, err := testDB.QueryContext(context.Background(),
|
||||
"SELECT kind, external_id, reason FROM retained_identities WHERE account_id = $1 ORDER BY detached_at",
|
||||
accountID)
|
||||
if err != nil {
|
||||
t.Fatalf("query retained_identities %s: %v", accountID, err)
|
||||
}
|
||||
defer rows.Close()
|
||||
var out []retainedRow
|
||||
for rows.Next() {
|
||||
var r retainedRow
|
||||
if err := rows.Scan(&r.kind, &r.externalID, &r.reason); err != nil {
|
||||
t.Fatalf("scan retained row: %v", err)
|
||||
}
|
||||
out = append(out, r)
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// TestUnlinkJournalsRetainedIdentity: detaching a provider records it in the retention
|
||||
// journal (reason=unlink) before the live identity is removed.
|
||||
func TestUnlinkJournalsRetainedIdentity(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
|
||||
tgExt := "tg-" + uuid.NewString()
|
||||
acc, err := store.ProvisionByIdentity(ctx, account.KindTelegram, tgExt)
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
email := "keep-" + uuid.NewString() + "@example.com"
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, email, true); err != nil {
|
||||
t.Fatalf("attach email: %v", err)
|
||||
}
|
||||
|
||||
if err := store.RemoveIdentity(ctx, acc.ID, account.KindTelegram); err != nil {
|
||||
t.Fatalf("unlink telegram: %v", err)
|
||||
}
|
||||
got := retainedRows(t, acc.ID)
|
||||
if len(got) != 1 || got[0].kind != account.KindTelegram || got[0].externalID != tgExt || got[0].reason != "unlink" {
|
||||
t.Fatalf("retained rows = %+v, want one unlink telegram %q", got, tgExt)
|
||||
}
|
||||
}
|
||||
|
||||
// TestChangeEmailJournalsOldAddress: an email change records the outgoing address in the
|
||||
// retention journal (reason=change).
|
||||
func TestChangeEmailJournalsOldAddress(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
mailer := &capturingMailer{}
|
||||
svc := account.NewEmailService(store, mailer, "https://erudit-game.ru")
|
||||
|
||||
acc, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
oldAddr := "old-" + uuid.NewString() + "@example.com"
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, oldAddr, true); err != nil {
|
||||
t.Fatalf("attach old email: %v", err)
|
||||
}
|
||||
newAddr := "new-" + uuid.NewString() + "@example.com"
|
||||
if err := svc.RequestChangeCode(ctx, acc.ID, newAddr); err != nil {
|
||||
t.Fatalf("request change: %v", err)
|
||||
}
|
||||
if _, err := svc.ConfirmChange(ctx, acc.ID, newAddr, sixDigit.FindString(mailer.lastBody)); err != nil {
|
||||
t.Fatalf("confirm change: %v", err)
|
||||
}
|
||||
got := retainedRows(t, acc.ID)
|
||||
if len(got) != 1 || got[0].kind != account.KindEmail || got[0].externalID != oldAddr || got[0].reason != "change" {
|
||||
t.Fatalf("retained rows = %+v, want one change email %q", got, oldAddr)
|
||||
}
|
||||
}
|
||||
|
||||
// TestStampLastLoginThrottles: the first cold-load stamp writes the IP; a second within
|
||||
// the hour is a no-op (throttled), so it costs at most one write per account per hour.
|
||||
func TestStampLastLoginThrottles(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
acc, err := store.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
if err := store.StampLastLogin(ctx, acc.ID, "1.2.3.4"); err != nil {
|
||||
t.Fatalf("first stamp: %v", err)
|
||||
}
|
||||
if got := lastLoginIP(t, acc.ID); got != "1.2.3.4" {
|
||||
t.Fatalf("first stamp ip = %q, want 1.2.3.4", got)
|
||||
}
|
||||
if err := store.StampLastLogin(ctx, acc.ID, "9.9.9.9"); err != nil {
|
||||
t.Fatalf("second stamp: %v", err)
|
||||
}
|
||||
if got := lastLoginIP(t, acc.ID); got != "1.2.3.4" {
|
||||
t.Fatalf("throttled ip = %q, want unchanged 1.2.3.4", got)
|
||||
}
|
||||
}
|
||||
|
||||
// TestReapExpiredRetention: the reaper keeps journal rows newer than the cutoff and purges
|
||||
// older ones, and drops a long-deleted account's feedback thread + dossier PII.
|
||||
func TestReapExpiredRetention(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
store := account.NewStore(testDB)
|
||||
deleter := accountdelete.NewDeleter(testDB)
|
||||
|
||||
// An unlinked provider leaves a journal row detached "now".
|
||||
tgExt := "tg-" + uuid.NewString()
|
||||
acc, err := store.ProvisionByIdentity(ctx, account.KindTelegram, tgExt)
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
if err := store.AttachIdentity(ctx, acc.ID, account.KindEmail, "keep-"+uuid.NewString()+"@example.com", true); err != nil {
|
||||
t.Fatalf("attach email: %v", err)
|
||||
}
|
||||
if err := store.RemoveIdentity(ctx, acc.ID, account.KindTelegram); err != nil {
|
||||
t.Fatalf("unlink: %v", err)
|
||||
}
|
||||
// A cutoff before the detach keeps the row.
|
||||
if _, _, err := store.ReapExpiredRetention(ctx, time.Now().Add(-time.Hour)); err != nil {
|
||||
t.Fatalf("reap (early cutoff): %v", err)
|
||||
}
|
||||
if got := retainedRows(t, acc.ID); len(got) != 1 {
|
||||
t.Fatalf("journal after early-cutoff reap = %+v, want kept", got)
|
||||
}
|
||||
// A cutoff after the detach purges it.
|
||||
if _, _, err := store.ReapExpiredRetention(ctx, time.Now().Add(time.Hour)); err != nil {
|
||||
t.Fatalf("reap (late cutoff): %v", err)
|
||||
}
|
||||
if got := retainedRows(t, acc.ID); len(got) != 0 {
|
||||
t.Fatalf("journal after late-cutoff reap = %+v, want purged", got)
|
||||
}
|
||||
|
||||
// A deleted account past the cutoff loses its feedback thread and dossier PII.
|
||||
del, _, err := store.ProvisionTelegram(ctx, "tg-"+uuid.NewString(), "ru", "", "Иван", "")
|
||||
if err != nil {
|
||||
t.Fatalf("provision deletee: %v", err)
|
||||
}
|
||||
if _, err := testDB.ExecContext(ctx,
|
||||
"INSERT INTO feedback_messages (message_id, account_id, body, channel) VALUES ($1, $2, 'hi', 'web')",
|
||||
uuid.New(), del.ID); err != nil {
|
||||
t.Fatalf("insert feedback: %v", err)
|
||||
}
|
||||
if err := deleter.AnonymizeAndTombstone(ctx, del.ID); err != nil {
|
||||
t.Fatalf("delete: %v", err)
|
||||
}
|
||||
if _, fb, err := store.ReapExpiredRetention(ctx, time.Now().Add(time.Hour)); err != nil || fb == 0 {
|
||||
t.Fatalf("reap deleted = (fb %d, err %v), want fb>=1", fb, err)
|
||||
}
|
||||
if name, _ := deletedFields(t, del.ID); name != "" {
|
||||
t.Errorf("deleted_display_name after reap = %q, want cleared", name)
|
||||
}
|
||||
var fbCount int
|
||||
if err := testDB.QueryRowContext(ctx, "SELECT count(*) FROM feedback_messages WHERE account_id = $1", del.ID).Scan(&fbCount); err != nil {
|
||||
t.Fatalf("count feedback: %v", err)
|
||||
}
|
||||
if fbCount != 0 {
|
||||
t.Errorf("feedback rows after reap = %d, want 0", fbCount)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,178 @@
|
||||
//go:build integration
|
||||
|
||||
package inttest
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"testing"
|
||||
|
||||
"github.com/google/uuid"
|
||||
"github.com/pressly/goose/v3"
|
||||
testcontainers "github.com/testcontainers/testcontainers-go"
|
||||
tcpostgres "github.com/testcontainers/testcontainers-go/modules/postgres"
|
||||
"github.com/testcontainers/testcontainers-go/wait"
|
||||
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/postgres"
|
||||
"scrabble/backend/internal/postgres/migrations"
|
||||
"scrabble/backend/internal/session"
|
||||
)
|
||||
|
||||
// TestSessionPlatformCaptureAndUntrusted proves a session round-trips its captured
|
||||
// platform through create and a cold-cache (DB-backed) resolve for each kind, and
|
||||
// that an unattributed session records no platform — the untrusted, view-only case.
|
||||
func TestSessionPlatformCaptureAndUntrusted(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
accounts := account.NewStore(testDB)
|
||||
store := session.NewStore(testDB)
|
||||
svc := session.NewService(store, session.NewCache())
|
||||
|
||||
for _, tc := range []struct {
|
||||
name string
|
||||
platform session.Platform
|
||||
}{
|
||||
{"vk-ios", session.Platform{Kind: session.PlatformKindVK, Subtype: session.SubtypeIOS}},
|
||||
{"telegram-android", session.Platform{Kind: session.PlatformKindTelegram, Subtype: session.SubtypeAndroid}},
|
||||
{"direct-web", session.Platform{Kind: session.PlatformKindDirect, Subtype: session.SubtypeWeb}},
|
||||
{"untrusted", session.Platform{}},
|
||||
} {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
acc, err := accounts.ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
token, sess, err := svc.Create(ctx, acc.ID, tc.platform)
|
||||
if err != nil {
|
||||
t.Fatalf("create: %v", err)
|
||||
}
|
||||
if sess.Platform != tc.platform {
|
||||
t.Errorf("created platform = %+v, want %+v", sess.Platform, tc.platform)
|
||||
}
|
||||
// Resolve through a cold cache so the value comes back via the DB columns.
|
||||
cold := session.NewService(store, session.NewCache())
|
||||
if err := cold.Warm(ctx); err != nil {
|
||||
t.Fatalf("warm: %v", err)
|
||||
}
|
||||
got, err := cold.Resolve(ctx, token)
|
||||
if err != nil {
|
||||
t.Fatalf("resolve: %v", err)
|
||||
}
|
||||
if got.Platform != tc.platform {
|
||||
t.Errorf("resolved platform = %+v, want %+v", got.Platform, tc.platform)
|
||||
}
|
||||
if got.Platform.Trusted() != tc.platform.Trusted() {
|
||||
t.Errorf("resolved Trusted() = %v, want %v", got.Platform.Trusted(), tc.platform.Trusted())
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestSessionPlatformCheckConstraints proves the CHECK constraints reject an
|
||||
// out-of-range kind or subtype, so a corrupt value cannot be persisted.
|
||||
func TestSessionPlatformCheckConstraints(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
acc, err := account.NewStore(testDB).ProvisionByIdentity(ctx, account.KindTelegram, "tg-"+uuid.NewString())
|
||||
if err != nil {
|
||||
t.Fatalf("provision: %v", err)
|
||||
}
|
||||
const pgCheckViolation = "23514"
|
||||
for _, tc := range []struct {
|
||||
name string
|
||||
kind string
|
||||
subtype string
|
||||
}{
|
||||
{"bad-kind", "facebook", "web"},
|
||||
{"bad-subtype", "vk", "windows"},
|
||||
} {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
_, err := testDB.ExecContext(ctx,
|
||||
`INSERT INTO backend.sessions (session_id, account_id, token_hash, platform_kind, platform_subtype)
|
||||
VALUES ($1, $2, $3, $4, $5)`,
|
||||
uuid.New(), acc.ID, uuid.NewString(), tc.kind, tc.subtype)
|
||||
if !isPgCode(err, pgCheckViolation) {
|
||||
t.Errorf("insert %s: err = %v, want check_violation", tc.name, err)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestSessionPlatformMigrationReversible proves migration 00011 is expand-contract:
|
||||
// it applies, rolls back (dropping the platform columns), and re-applies cleanly —
|
||||
// so a backend image rollback stays DB-safe. It uses its own container so the Down
|
||||
// does not disturb the shared suite database.
|
||||
func TestSessionPlatformMigrationReversible(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
container, err := tcpostgres.Run(ctx, pgImage,
|
||||
tcpostgres.WithDatabase(pgDatabase),
|
||||
tcpostgres.WithUsername(pgUser),
|
||||
tcpostgres.WithPassword(pgPassword),
|
||||
testcontainers.WithWaitStrategy(
|
||||
wait.ForLog("database system is ready to accept connections").
|
||||
WithOccurrence(2).
|
||||
WithStartupTimeout(containerStartup),
|
||||
),
|
||||
)
|
||||
if err != nil {
|
||||
t.Fatalf("start container: %v", err)
|
||||
}
|
||||
defer func() { _ = container.Terminate(context.Background()) }()
|
||||
|
||||
baseDSN, err := container.ConnectionString(ctx, "sslmode=disable")
|
||||
if err != nil {
|
||||
t.Fatalf("connection string: %v", err)
|
||||
}
|
||||
dsn, err := withSearchPath(baseDSN, pgSchema)
|
||||
if err != nil {
|
||||
t.Fatalf("search path: %v", err)
|
||||
}
|
||||
cfg := postgres.DefaultConfig()
|
||||
cfg.DSN = dsn
|
||||
db, err := postgres.Open(ctx, cfg)
|
||||
if err != nil {
|
||||
t.Fatalf("open pool: %v", err)
|
||||
}
|
||||
defer func() { _ = db.Close() }()
|
||||
|
||||
if err := postgres.ApplyMigrations(ctx, db); err != nil {
|
||||
t.Fatalf("apply up: %v", err)
|
||||
}
|
||||
if !sessionsPlatformColumnsExist(ctx, t, db) {
|
||||
t.Fatal("platform columns absent after up")
|
||||
}
|
||||
|
||||
goose.SetBaseFS(migrations.Migrations())
|
||||
defer goose.SetBaseFS(nil)
|
||||
if err := goose.SetDialect("postgres"); err != nil {
|
||||
t.Fatalf("set dialect: %v", err)
|
||||
}
|
||||
// Down past 00011 (to 00010) and assert the columns are gone.
|
||||
if err := goose.DownToContext(ctx, db, ".", 10); err != nil {
|
||||
t.Fatalf("down to 10: %v", err)
|
||||
}
|
||||
if sessionsPlatformColumnsExist(ctx, t, db) {
|
||||
t.Error("platform columns survived the down migration")
|
||||
}
|
||||
// Re-apply and assert they return.
|
||||
if err := goose.UpContext(ctx, db, "."); err != nil {
|
||||
t.Fatalf("re-apply up: %v", err)
|
||||
}
|
||||
if !sessionsPlatformColumnsExist(ctx, t, db) {
|
||||
t.Fatal("platform columns absent after re-apply")
|
||||
}
|
||||
}
|
||||
|
||||
// sessionsPlatformColumnsExist reports whether both platform columns are present on
|
||||
// backend.sessions.
|
||||
func sessionsPlatformColumnsExist(ctx context.Context, t *testing.T, db *sql.DB) bool {
|
||||
t.Helper()
|
||||
var n int
|
||||
if err := db.QueryRowContext(ctx,
|
||||
`SELECT count(*) FROM information_schema.columns
|
||||
WHERE table_schema = 'backend' AND table_name = 'sessions'
|
||||
AND column_name IN ('platform_kind', 'platform_subtype')`).Scan(&n); err != nil {
|
||||
t.Fatalf("count platform columns: %v", err)
|
||||
}
|
||||
return n == 2
|
||||
}
|
||||
@@ -26,7 +26,8 @@ func TestSessionLifecycle(t *testing.T) {
|
||||
store := session.NewStore(testDB)
|
||||
svc := session.NewService(store, session.NewCache())
|
||||
|
||||
token, sess, err := svc.Create(ctx, acc.ID)
|
||||
platform := session.Platform{Kind: session.PlatformKindVK, Subtype: session.SubtypeIOS}
|
||||
token, sess, err := svc.Create(ctx, acc.ID, platform)
|
||||
if err != nil {
|
||||
t.Fatalf("create session: %v", err)
|
||||
}
|
||||
@@ -36,6 +37,9 @@ func TestSessionLifecycle(t *testing.T) {
|
||||
if token == sess.TokenHash {
|
||||
t.Error("plaintext token must not equal the stored hash")
|
||||
}
|
||||
if sess.Platform != platform {
|
||||
t.Errorf("session platform = %+v, want %+v", sess.Platform, platform)
|
||||
}
|
||||
|
||||
// Resolve via the warm write-through cache.
|
||||
got, err := svc.Resolve(ctx, token)
|
||||
@@ -63,8 +67,8 @@ func TestSessionLifecycle(t *testing.T) {
|
||||
if _, ok := cold.Get(session.HashToken(token)); !ok {
|
||||
t.Error("Warm must load the active session into the cache")
|
||||
}
|
||||
if got2, err := svc2.Resolve(ctx, token); err != nil || got2.ID != sess.ID {
|
||||
t.Errorf("resolve after warm = (%s, %v), want %s", got2.ID, err, sess.ID)
|
||||
if got2, err := svc2.Resolve(ctx, token); err != nil || got2.ID != sess.ID || got2.Platform != platform {
|
||||
t.Errorf("resolve after warm = (%s, %+v, %v), want %s / %+v", got2.ID, got2.Platform, err, sess.ID, platform)
|
||||
}
|
||||
|
||||
// Revoke, then the token no longer resolves; revoke again is a no-op.
|
||||
|
||||
@@ -133,6 +133,53 @@ func (s *Service) attachTelegram(ctx context.Context, callerID uuid.UUID, extern
|
||||
return s.accounts.ClearGuest(ctx, callerID)
|
||||
}
|
||||
|
||||
// ConfirmVK attaches a gateway-validated VK identity to the caller (Linked) or
|
||||
// reports that it belongs to another account (MergeRequired). The gateway has already
|
||||
// completed the VK ID code exchange, so externalID is the trusted vk user id.
|
||||
func (s *Service) ConfirmVK(ctx context.Context, callerID uuid.UUID, externalID string) (ConfirmResult, error) {
|
||||
owner, ok, err := s.accounts.AccountIDByIdentity(ctx, account.KindVK, externalID)
|
||||
if err != nil {
|
||||
return ConfirmResult{}, err
|
||||
}
|
||||
if !ok {
|
||||
if err := s.attachVK(ctx, callerID, externalID); err != nil {
|
||||
return ConfirmResult{}, err
|
||||
}
|
||||
return ConfirmResult{Linked: true}, nil
|
||||
}
|
||||
if owner == callerID {
|
||||
return ConfirmResult{Linked: true}, nil
|
||||
}
|
||||
return ConfirmResult{MergeRequired: true, SecondaryID: owner}, nil
|
||||
}
|
||||
|
||||
// MergeVK merges the account owning a gateway-validated VK identity into the caller's
|
||||
// (subject to the guest-primary rule).
|
||||
func (s *Service) MergeVK(ctx context.Context, callerID uuid.UUID, externalID string) (MergeResult, error) {
|
||||
owner, ok, err := s.accounts.AccountIDByIdentity(ctx, account.KindVK, externalID)
|
||||
if err != nil {
|
||||
return MergeResult{}, err
|
||||
}
|
||||
if !ok {
|
||||
if err := s.attachVK(ctx, callerID, externalID); err != nil {
|
||||
return MergeResult{}, err
|
||||
}
|
||||
return MergeResult{PrimaryID: callerID}, nil
|
||||
}
|
||||
if owner == callerID {
|
||||
return MergeResult{PrimaryID: callerID}, nil
|
||||
}
|
||||
return s.merge(ctx, callerID, owner)
|
||||
}
|
||||
|
||||
// attachVK links the identity to the caller and promotes a guest.
|
||||
func (s *Service) attachVK(ctx context.Context, callerID uuid.UUID, externalID string) error {
|
||||
if err := s.accounts.AttachIdentity(ctx, callerID, account.KindVK, externalID, true); err != nil {
|
||||
return err
|
||||
}
|
||||
return s.accounts.ClearGuest(ctx, callerID)
|
||||
}
|
||||
|
||||
// merge decides the primary (the caller, unless it is a guest and the other is
|
||||
// durable), runs the data merge, retires the secondary's sessions and mints a new
|
||||
// session when the active account switches.
|
||||
@@ -153,7 +200,11 @@ func (s *Service) merge(ctx context.Context, callerID, otherID uuid.UUID) (Merge
|
||||
}
|
||||
res := MergeResult{PrimaryID: primary}
|
||||
if primary != callerID {
|
||||
token, _, err := s.sessions.Create(ctx, primary)
|
||||
// The switched-to session inherits the caller's current trusted platform
|
||||
// (the context the merge was initiated from); absent when the caller's
|
||||
// session itself is untrusted.
|
||||
platform, _ := session.PlatformFromContext(ctx)
|
||||
token, _, err := s.sessions.Create(ctx, primary, platform)
|
||||
if err != nil {
|
||||
return MergeResult{}, err
|
||||
}
|
||||
|
||||
@@ -15,6 +15,7 @@ import (
|
||||
"scrabble/backend/internal/account"
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/game"
|
||||
"scrabble/backend/internal/gamelimits"
|
||||
"scrabble/backend/internal/notify"
|
||||
"scrabble/backend/internal/postgres/jet/backend/model"
|
||||
"scrabble/backend/internal/postgres/jet/backend/table"
|
||||
@@ -218,6 +219,20 @@ func (svc *InvitationService) CreateInvitation(ctx context.Context, inviterID uu
|
||||
if !slices.Contains(game.AllowedTurnTimeouts, settings.TurnTimeout) {
|
||||
return Invitation{}, fmt.Errorf("%w: turn timeout %s not allowed", ErrInvalidInvitation, settings.TurnTimeout)
|
||||
}
|
||||
// A guest cannot invite: friend games are a durable-account feature. The UI hides the flow;
|
||||
// this is the server source of truth.
|
||||
if acc, err := svc.accounts.GetByID(ctx, inviterID); err != nil {
|
||||
return Invitation{}, err
|
||||
} else if acc.IsGuest {
|
||||
return Invitation{}, ErrGuestForbidden
|
||||
}
|
||||
// A durable inviter is still capped: refuse a new friend game once the per-tier friends limit is
|
||||
// reached. The guest branch above short-circuits before here, so this is the durable cap.
|
||||
if atLimit, err := svc.games.AtGameLimit(ctx, inviterID, gamelimits.KindFriends); err != nil {
|
||||
return Invitation{}, err
|
||||
} else if atLimit {
|
||||
return Invitation{}, game.ErrGameLimitReached
|
||||
}
|
||||
seen := map[uuid.UUID]bool{inviterID: true}
|
||||
// suppressed collects invitees who have blocked the inviter: the invitation is still
|
||||
// created and persisted for them, but they are never notified and never see it (their
|
||||
@@ -336,6 +351,7 @@ func (svc *InvitationService) startGame(ctx context.Context, invitationID uuid.U
|
||||
HintsPerPlayer: inv.Settings.HintsPerPlayer,
|
||||
DropoutTiles: inv.Settings.DropoutTiles,
|
||||
MultipleWordsPerTurn: inv.Settings.MultipleWordsPerTurn,
|
||||
Kind: gamelimits.KindFriends,
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
|
||||
@@ -15,17 +15,22 @@ import (
|
||||
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/game"
|
||||
"scrabble/backend/internal/gamelimits"
|
||||
"scrabble/backend/internal/notify"
|
||||
)
|
||||
|
||||
// GameCreator is the slice of the game domain the lobby needs: starting a seated
|
||||
// game and reading a player's initial view of it. game.Service satisfies it.
|
||||
// game, reading a player's initial view of it, and testing a caller's active-game
|
||||
// cap. game.Service satisfies it.
|
||||
type GameCreator interface {
|
||||
Create(ctx context.Context, params game.CreateParams) (game.Game, error)
|
||||
// InitialState returns a seated player's full initial view of a started game, used
|
||||
// to enrich the game_started event so the client renders the new game without a
|
||||
// follow-up fetch.
|
||||
InitialState(ctx context.Context, gameID, accountID uuid.UUID) (notify.PlayerState, error)
|
||||
// AtGameLimit reports whether accountID has reached its tier's active-game cap for kind. The
|
||||
// invitation path uses it to enforce the friends limit before opening one.
|
||||
AtGameLimit(ctx context.Context, accountID uuid.UUID, kind gamelimits.Kind) (bool, error)
|
||||
}
|
||||
|
||||
// RobotProvider supplies a robot account to substitute for a missing human in
|
||||
@@ -62,6 +67,9 @@ var (
|
||||
// ErrInvalidInvitation is returned for a malformed invitation (bad player
|
||||
// count, duplicate or self invitee, or unacceptable settings).
|
||||
ErrInvalidInvitation = errors.New("lobby: invalid invitation")
|
||||
// ErrGuestForbidden is returned when a guest attempts a durable-only action (invite a
|
||||
// friend); the friend flow is gated to durable accounts.
|
||||
ErrGuestForbidden = errors.New("lobby: guests cannot invite")
|
||||
// ErrInvitationBlocked is returned when a block stands between the inviter and
|
||||
// an invitee.
|
||||
ErrInvitationBlocked = errors.New("lobby: invitation blocked between accounts")
|
||||
|
||||
@@ -10,6 +10,7 @@ import (
|
||||
|
||||
"scrabble/backend/internal/engine"
|
||||
"scrabble/backend/internal/game"
|
||||
"scrabble/backend/internal/gamelimits"
|
||||
"scrabble/backend/internal/notify"
|
||||
)
|
||||
|
||||
@@ -141,6 +142,7 @@ func (m *Matchmaker) StartVsAI(ctx context.Context, accountID uuid.UUID, variant
|
||||
if rand.IntN(2) == 1 {
|
||||
params.Seats = []uuid.UUID{robotID, accountID}
|
||||
}
|
||||
params.Kind = gamelimits.KindVsAI
|
||||
g, err := m.games.Create(ctx, params)
|
||||
if err != nil {
|
||||
return EnqueueResult{}, err
|
||||
|
||||
@@ -37,6 +37,7 @@ func toWireGame(g GameSummary) wire.GameView {
|
||||
TurnTimeoutSecs: g.TurnTimeoutSecs,
|
||||
MultipleWordsPerTurn: g.MultipleWordsPerTurn,
|
||||
VsAI: g.VsAI,
|
||||
Kind: g.Kind,
|
||||
MoveCount: g.MoveCount,
|
||||
EndReason: g.EndReason,
|
||||
Seats: seats,
|
||||
@@ -83,7 +84,6 @@ func buildStateView(b *flatbuffers.Builder, s PlayerState) flatbuffers.UOffsetT
|
||||
Rack: s.Rack,
|
||||
BagLen: s.BagLen,
|
||||
HintsRemaining: s.HintsRemaining,
|
||||
WalletBalance: s.WalletBalance,
|
||||
Alphabet: alphabet,
|
||||
})
|
||||
}
|
||||
|
||||
@@ -155,6 +155,13 @@ func Notification(userID uuid.UUID, kind string) Intent {
|
||||
return Intent{UserID: userID, Kind: KindNotification, Payload: b.FinishedBytes(), EventID: eventID()}
|
||||
}
|
||||
|
||||
// ProfileChanged is a payload-free "re-fetch your profile" signal to userID, emitted
|
||||
// when the viewer's own account changed out of band — an email confirmed through the
|
||||
// one-tap deeplink opened in another browser.
|
||||
func ProfileChanged(userID uuid.UUID) Intent {
|
||||
return Notification(userID, NotifyProfile)
|
||||
}
|
||||
|
||||
// NotificationAccount builds a lobby notification of one of the friend_* kinds carrying the
|
||||
// account it concerns (the requester, the new friend or the decliner), so the client updates its
|
||||
// requests/friends lists and the in-game "add friend" state without a refetch.
|
||||
|
||||
@@ -69,6 +69,14 @@ const (
|
||||
// it re-fetches profile.get to show or hide the banner. It carries no payload (the
|
||||
// banner set rides the profile response). In-app only.
|
||||
NotifyBanner = "banner"
|
||||
// NotifyProfile tells the client that the viewer's own profile changed out of band
|
||||
// (e.g. an email was confirmed via the one-tap deeplink opened in another browser),
|
||||
// so it re-fetches profile.get. It carries no payload. In-app only.
|
||||
NotifyProfile = "profile"
|
||||
// NotifyPayment tells the client that the viewer's wallet changed from a payment-intake event
|
||||
// (a credit or a refund), so it re-fetches the wallet in place. It carries no payload. In-app
|
||||
// only; the payment_events dispatcher emits it after the crediting transaction commits.
|
||||
NotifyPayment = "payment"
|
||||
// NotifyUserBlocked confirms to the blocker that a per-user block took effect,
|
||||
// carrying the blocked account, so every one of the blocker's sessions updates the
|
||||
// in-game block/add-friend controls and the struck name in place. It is delivered
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user