2c465c01d2
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m4s
CI / conformance (pull_request) Successful in 9s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m39s
A browser has no signed VK Mini App launch params, so linking VK on the web uses
VK ID's raw OAuth 2.1 flow (PKCE, no @vkid/sdk): the SPA redirects to VK's hosted
login and returns with an authorization code, which the gateway exchanges
server-side (confidential, under the VK "Web" app's protected key) for the trusted
vk user id — then the existing link/merge machinery attaches or merges it.
- fbs LinkVKRequest{code, device_id, code_verifier}; codec + TS bindings.
- backend link.Service ConfirmVK/MergeVK/attachVK (KindVK, mirror Telegram),
handleLinkVK[Merge], routes /user/link/vk[/merge], backendclient LinkVK[Merge].
- gateway internal/vkid confidential code exchange (id.vk.com/oauth2/auth);
transcode link.vk.confirm/merge (registered only when configured) + config
GATEWAY_VK_ID_{APP_ID,CLIENT_SECRET,REDIRECT_URL} + main wiring.
- UI lib/vkid (PKCE authorize redirect + callback), Profile "Link VK" control,
boot callback handling; a merge re-authorizes for a fresh code (VK codes are
single-use). Web-only (a redirect strands a Mini App webview).
- Deploy: VITE_VK_APP_ID + VITE_VK_ID_REDIRECT_URL build args + gateway env,
ci.yaml/prod-deploy TEST_/PROD_ vars, compose/Dockerfile/.env.example/README.
- Tests: vkid exchange unit (string/number user_id, id_token fallback, errors),
transcode link.vk, backend ConfirmVK/MergeVK inttest, codec encodeLinkVK.
- Docs: ARCHITECTURE §4, FUNCTIONAL(+ru), gateway README.
91 lines
2.9 KiB
Go
91 lines
2.9 KiB
Go
package transcode_test
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"testing"
|
|
|
|
flatbuffers "github.com/google/flatbuffers/go"
|
|
|
|
"scrabble/gateway/internal/transcode"
|
|
"scrabble/gateway/internal/vkid"
|
|
fb "scrabble/pkg/fbs/scrabblefb"
|
|
)
|
|
|
|
func linkVKPayload(code, deviceID, verifier string) []byte {
|
|
b := flatbuffers.NewBuilder(64)
|
|
c := b.CreateString(code)
|
|
d := b.CreateString(deviceID)
|
|
v := b.CreateString(verifier)
|
|
fb.LinkVKRequestStart(b)
|
|
fb.LinkVKRequestAddCode(b, c)
|
|
fb.LinkVKRequestAddDeviceId(b, d)
|
|
fb.LinkVKRequestAddCodeVerifier(b, v)
|
|
b.Finish(fb.LinkVKRequestEnd(b))
|
|
return b.FinishedBytes()
|
|
}
|
|
|
|
// fakeVKIDExchanger records the exchange inputs and returns a canned identity.
|
|
type fakeVKIDExchanger struct {
|
|
id vkid.Identity
|
|
err error
|
|
gotCode, gotDevice, gotVerifier string
|
|
}
|
|
|
|
func (f *fakeVKIDExchanger) Exchange(_ context.Context, code, deviceID, codeVerifier string) (vkid.Identity, error) {
|
|
f.gotCode, f.gotDevice, f.gotVerifier = code, deviceID, codeVerifier
|
|
return f.id, f.err
|
|
}
|
|
|
|
func TestLinkVKExchangesAndForwards(t *testing.T) {
|
|
var gotExternalID string
|
|
backend, cleanup := fakeBackend(t, func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path != "/api/v1/user/link/vk" {
|
|
t.Errorf("path = %q", r.URL.Path)
|
|
}
|
|
var body struct {
|
|
ExternalID string `json:"external_id"`
|
|
}
|
|
_ = json.NewDecoder(r.Body).Decode(&body)
|
|
gotExternalID = body.ExternalID
|
|
_, _ = w.Write([]byte(`{"status":"linked"}`))
|
|
})
|
|
defer cleanup()
|
|
|
|
ex := &fakeVKIDExchanger{id: vkid.Identity{ExternalID: "777"}}
|
|
reg := transcode.NewRegistry(backend, nil, transcode.WithVKLink(ex))
|
|
op, ok := reg.Lookup(transcode.MsgLinkVK)
|
|
if !ok {
|
|
t.Fatal("link.vk.confirm not registered")
|
|
}
|
|
payload, err := op.Handler(context.Background(), transcode.Request{UserID: "u-1", Payload: linkVKPayload("the-code", "dev-1", "verifier-1")})
|
|
if err != nil {
|
|
t.Fatalf("handler: %v", err)
|
|
}
|
|
// The PKCE inputs from the wire must reach the exchanger verbatim...
|
|
if ex.gotCode != "the-code" || ex.gotDevice != "dev-1" || ex.gotVerifier != "verifier-1" {
|
|
t.Errorf("exchange got %q/%q/%q", ex.gotCode, ex.gotDevice, ex.gotVerifier)
|
|
}
|
|
// ...and the resolved vk id must be the one forwarded to the backend.
|
|
if gotExternalID != "777" {
|
|
t.Errorf("backend external_id = %q, want 777", gotExternalID)
|
|
}
|
|
if string(fb.GetRootAsLinkResult(payload, 0).Status()) != "linked" {
|
|
t.Error("expected a linked result")
|
|
}
|
|
}
|
|
|
|
func TestLinkVKUnregisteredWithoutExchanger(t *testing.T) {
|
|
backend, cleanup := fakeBackend(t, func(http.ResponseWriter, *http.Request) {})
|
|
defer cleanup()
|
|
|
|
reg := transcode.NewRegistry(backend, nil)
|
|
if _, ok := reg.Lookup(transcode.MsgLinkVK); ok {
|
|
t.Error("link.vk.confirm must be unregistered when no VK ID exchanger is configured")
|
|
}
|
|
if _, ok := reg.Lookup(transcode.MsgLinkVKMerge); ok {
|
|
t.Error("link.vk.merge must be unregistered when no VK ID exchanger is configured")
|
|
}
|
|
}
|