a2cad11224
- Req 1 子会话(iOS 多进程在用户视角=一台设备一会话,内部多条独立刷新逻辑会话):brokerclient 加 MintParams.Sub + SessionInfo.Sub + RevokeDeviceSessions(user,meta) 级联;device-session sub!="" 挂在主 device_id 之下、走 tier=clipboard 且不建第二个 device 行;handleSessionsList 按 meta 归并、隐藏 sub!=""(但保留“仅控件会话存活”的设备,不简单丢弃);revokeDevice 改走 meta 级联(移除设备连带吊控件子会话)。iOS provisionWidgetSessionIfNeeded 改用主 device_id + sub="widget"(弃用独立 dev_widget),控件令牌仍隔离持有、独立刷新——不碰引擎主会话,#7 隔离不变。蓝本 auth/docs/子会话方案.md(cdrop 提案 + Broker 评审接受 + cdrop 确认 6 点:用 sub、R1 cdrop 归并、scope 复用 tier=clipboard、级联 DELETE …?meta=)。 - Req 2a 离线消息队列:新增 pending_messages 表(0001_init + sqlc 查询);message.go 收件设备离线即入队(无论是否配推送都入队,恒 202),修“离线消息只随推送横幅一闪、不入收件列表”;GET /api/messages/pending 取即删(DELETE..RETURNING,单次投递);web hub.ts onOpen 每次 SSE 连接 / 重连即拉取补收、逐条 addMessage(全端受益,iOS 经桥推原生 + 累积未读);复用 login-request reaper 清 TTL。 - Req 3 被登出推送:push 加 KindSessionRevoked + 本地化文案,apns/web 双通道;revokeDevice 加 notifyRevoked 参(跨端 revoke=true、自登出=false),跨端移除时推送告知被踢设备;iOS AppDelegate 收 session:revoked 即清 Keychain 主会话 + 控件会话、发 .cdropSessionRevoked,前台经 AppRoot 即时回登录页、关闭态下次启动即登出。 - #6 后台唤醒层:apns apsEnvelope 加 content-available:1(服务端有消息时既弹可点横幅又短暂后台唤醒);iOS DeviceItem 加 Codable、presence 快照持久化(冷启即时显示设备列表,缓解“长时间重连”观感,SSE 一连即整组替换自校正);控件会话回前台补铸(scenePhase active)+ content-available 唤醒时刷新隔离的控件会话(剪贴板保活,绝不碰引擎主会话以免 #7 回归)。 - 测试:qr_test mock broker 加 sub 幂等键 + 级联吊销端点;bootstrap_test 期望表集加 pending_messages。
84 lines
2.6 KiB
Go
84 lines
2.6 KiB
Go
package httpapi
|
|
|
|
import (
|
|
"context"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"log/slog"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
|
|
"commilitia.net/cdrop/internal/db"
|
|
)
|
|
|
|
// Shared HTTP helpers for the auth surface. After the Auth Broker migration (path A)
|
|
// cdrop no longer keeps server-side sessions, cookies, or refresh tokens — identity
|
|
// and session lifecycle live in the broker. What remains here is the CSRF origin
|
|
// check, the scan-login poll-secret hash, and the login-request reaper.
|
|
|
|
// deriveSiteOrigin extracts scheme://host from the configured public URL to give the
|
|
// CSRF Origin check a fixed expected value (and the scan-login QR its link origin).
|
|
// Empty / unparseable (dev) disables the origin check.
|
|
func deriveSiteOrigin(publicURL string) string {
|
|
if publicURL == "" {
|
|
return ""
|
|
}
|
|
u, err := url.Parse(publicURL)
|
|
if err != nil || u.Scheme == "" || u.Host == "" {
|
|
return ""
|
|
}
|
|
return u.Scheme + "://" + u.Host
|
|
}
|
|
|
|
// sessionID hashes an opaque token to its storage form (hex SHA-256). The scan-login
|
|
// poll_secret is stored as this hash — the new device holds the plaintext, so a leaked
|
|
// DB never yields a usable secret.
|
|
func sessionID(raw string) string {
|
|
sum := sha256.Sum256([]byte(raw))
|
|
return hex.EncodeToString(sum[:])
|
|
}
|
|
|
|
// sameOrigin is belt-and-suspenders CSRF defence: when the browser sends an Origin
|
|
// header (always, on fetch POST) it must match the deployment's own origin. Absent
|
|
// Origin (non-browser clients) is allowed, as is an unconfigured site origin (dev).
|
|
func (s *Server) sameOrigin(r *http.Request) bool {
|
|
origin := r.Header.Get("Origin")
|
|
if origin == "" || s.siteOrigin == "" {
|
|
return true
|
|
}
|
|
return origin == s.siteOrigin
|
|
}
|
|
|
|
func truncate(s string, n int) string {
|
|
if len(s) <= n {
|
|
return s
|
|
}
|
|
return s[:n] + "…"
|
|
}
|
|
|
|
// RunLoginRequestReaper periodically reclaims expired scan-login request rows. They
|
|
// are short-lived (default 120s) and already rejected at use time; this sweeps the
|
|
// stragglers that are opened and never collected.
|
|
func RunLoginRequestReaper(ctx context.Context, q *db.Queries) {
|
|
ticker := time.NewTicker(1 * time.Hour)
|
|
defer ticker.Stop()
|
|
for {
|
|
select {
|
|
case <-ctx.Done():
|
|
return
|
|
case <-ticker.C:
|
|
now := time.Now().Unix()
|
|
if n, err := q.DeleteExpiredLoginRequests(ctx, now); err != nil {
|
|
slog.Warn("login request reaper failed", "err", err)
|
|
} else if n > 0 {
|
|
slog.Info("login requests reaped", "count", n)
|
|
}
|
|
// 顺带清陈旧未取走的离线消息(同 1h 节律,复用本 goroutine)。
|
|
if err := q.DeleteExpiredPendingMessages(ctx, now); err != nil {
|
|
slog.Warn("pending message reaper failed", "err", err)
|
|
}
|
|
}
|
|
}
|
|
}
|