后台/会话三诉求:子会话(一台设备一会话)+ 离线消息队列 + 被登出推送 + 后台唤醒层

- Req 1 子会话(iOS 多进程在用户视角=一台设备一会话,内部多条独立刷新逻辑会话):brokerclient 加 MintParams.Sub + SessionInfo.Sub + RevokeDeviceSessions(user,meta) 级联;device-session sub!="" 挂在主 device_id 之下、走 tier=clipboard 且不建第二个 device 行;handleSessionsList 按 meta 归并、隐藏 sub!=""(但保留“仅控件会话存活”的设备,不简单丢弃);revokeDevice 改走 meta 级联(移除设备连带吊控件子会话)。iOS provisionWidgetSessionIfNeeded 改用主 device_id + sub="widget"(弃用独立 dev_widget),控件令牌仍隔离持有、独立刷新——不碰引擎主会话,#7 隔离不变。蓝本 auth/docs/子会话方案.md(cdrop 提案 + Broker 评审接受 + cdrop 确认 6 点:用 sub、R1 cdrop 归并、scope 复用 tier=clipboard、级联 DELETE …?meta=)。
- Req 2a 离线消息队列:新增 pending_messages 表(0001_init + sqlc 查询);message.go 收件设备离线即入队(无论是否配推送都入队,恒 202),修“离线消息只随推送横幅一闪、不入收件列表”;GET /api/messages/pending 取即删(DELETE..RETURNING,单次投递);web hub.ts onOpen 每次 SSE 连接 / 重连即拉取补收、逐条 addMessage(全端受益,iOS 经桥推原生 + 累积未读);复用 login-request reaper 清 TTL。
- Req 3 被登出推送:push 加 KindSessionRevoked + 本地化文案,apns/web 双通道;revokeDevice 加 notifyRevoked 参(跨端 revoke=true、自登出=false),跨端移除时推送告知被踢设备;iOS AppDelegate 收 session:revoked 即清 Keychain 主会话 + 控件会话、发 .cdropSessionRevoked,前台经 AppRoot 即时回登录页、关闭态下次启动即登出。
- #6 后台唤醒层:apns apsEnvelope 加 content-available:1(服务端有消息时既弹可点横幅又短暂后台唤醒);iOS DeviceItem 加 Codable、presence 快照持久化(冷启即时显示设备列表,缓解“长时间重连”观感,SSE 一连即整组替换自校正);控件会话回前台补铸(scenePhase active)+ content-available 唤醒时刷新隔离的控件会话(剪贴板保活,绝不碰引擎主会话以免 #7 回归)。
- 测试:qr_test mock broker 加 sub 幂等键 + 级联吊销端点;bootstrap_test 期望表集加 pending_messages。
This commit is contained in:
2026-06-27 17:42:53 +08:00
parent 1b94df1604
commit a2cad11224
23 changed files with 790 additions and 105 deletions
+34 -3
View File
@@ -57,6 +57,11 @@ type MintParams struct {
Sliding bool
Label string
Meta string
// Sub is the intra-device session discriminator under one Meta (device): "" = the main
// session, a non-empty value (e.g. "widget") a subordinate session that shares the device
// identity but holds its own independently-refreshed tokens. The broker keys R2 idempotency
// on (user, app, meta, sub), so a sub session coexists with the main instead of rotating it.
Sub string
}
// Session is a freshly minted delegated session. SID is the broker's session id —
@@ -78,6 +83,7 @@ type mintReqWire struct {
Sliding bool `json:"sliding,omitempty"`
Label string `json:"label,omitempty"`
Meta string `json:"meta,omitempty"`
Sub string `json:"sub,omitempty"`
}
type sessionWire struct {
@@ -94,7 +100,7 @@ func (c *Client) MintSession(ctx context.Context, p MintParams) (Session, error)
body := mintReqWire{
UserID: p.UserID, App: c.app, Tier: p.Tier,
AccessTTL: p.AccessTTL, RefreshTTL: p.RefreshTTL, Sliding: p.Sliding,
Label: p.Label, Meta: p.Meta,
Label: p.Label, Meta: p.Meta, Sub: p.Sub,
}
headers := map[string]string{"X-Internal-Key": c.internalKey}
var out sessionWire
@@ -123,6 +129,29 @@ func (c *Client) RevokeSession(ctx context.Context, sid string) error {
return err
}
// RevokeDeviceSessions cascade-revokes every session under one device meta — the main session
// and any subordinate (e.g. clipboard widget) sessions sharing that device
// (DELETE /internal/sessions?user_id=&app=&meta=). cdrop calls this when removing a device or
// logging it out, so no orphan sub-session survives to keep reading the clipboard. Returns the
// count revoked; revoked:0 (nothing to revoke) is idempotent success, not an error.
func (c *Client) RevokeDeviceSessions(ctx context.Context, userID, meta string) (int, error) {
q := url.Values{"user_id": {userID}, "app": {c.app}, "meta": {meta}}
headers := map[string]string{
"X-Internal-Key": c.internalKey,
"X-Broker-App": c.app,
}
var out struct {
Revoked int `json:"revoked"`
}
// The cascade endpoint always returns 200 {revoked:N} (revoked:0 when nothing matched), never
// 404 — so a 404 here means the endpoint is absent (a broker predating sub support) and must
// surface as an error rather than masquerade as success and silently leak the session.
if err := c.do(ctx, http.MethodDelete, "/internal/sessions?"+q.Encode(), headers, nil, http.StatusOK, &out); err != nil {
return 0, err
}
return out.Revoked, nil
}
// Refreshed is the result of rolling a session's access token. The broker rotates
// the refresh credential, so the old one is now dead and the new one must be stored.
type Refreshed struct {
@@ -156,7 +185,8 @@ func (c *Client) RefreshSession(ctx context.Context, refresh string) (Refreshed,
// (the session<->device join key). The broker returns only kind==machine sessions for this
// app and never includes credentials.
type SessionInfo struct {
SID string
SID string
Sub string // intra-device discriminator: "" = main; non-empty = subordinate (cdrop hides it)
Scope string
Label string
Meta string
@@ -167,6 +197,7 @@ type SessionInfo struct {
type sessionInfoWire struct {
ID string `json:"id"`
Sub string `json:"sub"`
Scope string `json:"scope"`
Label string `json:"label"`
Meta string `json:"meta"`
@@ -192,7 +223,7 @@ func (c *Client) ListSessions(ctx context.Context, userID string) ([]SessionInfo
sessions := make([]SessionInfo, 0, len(out.Sessions))
for _, s := range out.Sessions {
sessions = append(sessions, SessionInfo{
SID: s.ID, Scope: s.Scope, Label: s.Label, Meta: s.Meta,
SID: s.ID, Sub: s.Sub, Scope: s.Scope, Label: s.Label, Meta: s.Meta,
CreatedAt: s.CreatedAt, LastUsedAt: s.LastUsedAt, ExpiresAt: s.ExpiresAt,
})
}