Files
Commilitia-Drop/internal/httpapi/sessions.go
T
admin a2cad11224 后台/会话三诉求:子会话(一台设备一会话)+ 离线消息队列 + 被登出推送 + 后台唤醒层
- Req 1 子会话(iOS 多进程在用户视角=一台设备一会话,内部多条独立刷新逻辑会话):brokerclient 加 MintParams.Sub + SessionInfo.Sub + RevokeDeviceSessions(user,meta) 级联;device-session sub!="" 挂在主 device_id 之下、走 tier=clipboard 且不建第二个 device 行;handleSessionsList 按 meta 归并、隐藏 sub!=""(但保留“仅控件会话存活”的设备,不简单丢弃);revokeDevice 改走 meta 级联(移除设备连带吊控件子会话)。iOS provisionWidgetSessionIfNeeded 改用主 device_id + sub="widget"(弃用独立 dev_widget),控件令牌仍隔离持有、独立刷新——不碰引擎主会话,#7 隔离不变。蓝本 auth/docs/子会话方案.md(cdrop 提案 + Broker 评审接受 + cdrop 确认 6 点:用 sub、R1 cdrop 归并、scope 复用 tier=clipboard、级联 DELETE …?meta=)。
- Req 2a 离线消息队列:新增 pending_messages 表(0001_init + sqlc 查询);message.go 收件设备离线即入队(无论是否配推送都入队,恒 202),修“离线消息只随推送横幅一闪、不入收件列表”;GET /api/messages/pending 取即删(DELETE..RETURNING,单次投递);web hub.ts onOpen 每次 SSE 连接 / 重连即拉取补收、逐条 addMessage(全端受益,iOS 经桥推原生 + 累积未读);复用 login-request reaper 清 TTL。
- Req 3 被登出推送:push 加 KindSessionRevoked + 本地化文案,apns/web 双通道;revokeDevice 加 notifyRevoked 参(跨端 revoke=true、自登出=false),跨端移除时推送告知被踢设备;iOS AppDelegate 收 session:revoked 即清 Keychain 主会话 + 控件会话、发 .cdropSessionRevoked,前台经 AppRoot 即时回登录页、关闭态下次启动即登出。
- #6 后台唤醒层:apns apsEnvelope 加 content-available:1(服务端有消息时既弹可点横幅又短暂后台唤醒);iOS DeviceItem 加 Codable、presence 快照持久化(冷启即时显示设备列表,缓解“长时间重连”观感,SSE 一连即整组替换自校正);控件会话回前台补铸(scenePhase active)+ content-available 唤醒时刷新隔离的控件会话(剪贴板保活,绝不碰引擎主会话以免 #7 回归)。
- 测试:qr_test mock broker 加 sub 幂等键 + 级联吊销端点;bootstrap_test 期望表集加 pending_messages。
2026-06-27 17:42:53 +08:00

250 lines
10 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
package httpapi
import (
"context"
"log/slog"
"net/http"
"github.com/go-chi/chi/v5"
"commilitia.net/cdrop/internal/brokerclient"
"commilitia.net/cdrop/internal/db"
"commilitia.net/cdrop/internal/jwtauth"
"commilitia.net/cdrop/internal/push"
)
// Session management. After the unified-session-model rework, every logged-in client —
// browser, desktop, QR-paired device — is one delegated device session in the broker. The
// broker (R1: GET /internal/sessions) is the single authoritative device list; cdrop no
// longer keeps a parallel authoritative session table. The local `devices` rows survive only
// as a type/presence cache: they supply each device's type for the list overlay and back the
// real-time presence view (which is cdrop's domain, keyed by device name). Listing reads R1
// and overlays type/online/current; revoking calls the broker (the session's source of truth)
// then drops the local cache row.
// requireFullSession rejects restricted guest sessions (scan-login borrow): they can
// transfer files but not manage devices, approve other devices, or revoke sessions.
// A full / dev session passes (AUTH Broker scope tier — Claims.Guest reads X-Auth-Scope).
func requireFullSession(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
claims, ok := jwtauth.ClaimsFromContext(r.Context())
if !ok {
writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "no session"})
return
}
if claims.Guest() {
writeJSON(w, http.StatusForbidden, map[string]string{"error": "full session required"})
return
}
next.ServeHTTP(w, r)
})
}
type sessionView struct {
ID string `json:"id"` // device_id (the revoke handle exposed to the client)
DeviceID string `json:"device_id"`
DeviceName string `json:"device_name"`
Kind string `json:"kind"` // device type: browser | macos | windows | linux | ios
Scope string `json:"scope"` // full | guest
Current bool `json:"current"`
Online bool `json:"online"`
CreatedAt int64 `json:"created_at"`
LastUsedAt int64 `json:"last_used_at"`
}
// handleSessionsList returns the caller's logged-in devices with their permission level
// (完整 / 受限访客) and live online flag, so the UI can show each and offer logout. The
// authoritative list is the broker's delegated device sessions (R1); cdrop overlays the
// device type (local cache), the online dot (hub presence, keyed by device name), and the
// "current" flag (the session whose meta is this request's X-Auth-Meta).
func (s *Server) handleSessionsList(w http.ResponseWriter, r *http.Request) {
claims, _ := jwtauth.ClaimsFromContext(r.Context())
sessions, err := s.broker.ListSessions(r.Context(), claims.UserID)
if err != nil {
slog.Error("list sessions failed", "err", err, "user", claims.UserID)
writeJSON(w, http.StatusBadGateway, map[string]string{"error": "broker"})
return
}
// device_id -> cached type, for the type overlay (a missing cache falls back to
// "browser"). The cache is bounded by the background device sweeper (last_seen TTL); a
// logged-out device's row is reaped there, not on this read path — this GET stays
// side-effect-free, and the session list itself is always R1-authoritative regardless of
// any stale cache row (the row only ever supplies a type for a device that is in R1).
// device_id -> cached type + live name. The name overlay is what keeps the session list
// consistent after a decoupled rename: the broker Label is only set at mint time and does
// not follow a PATCH /api/devices rename, so we prefer the devices-table name (the same
// source presence uses) and fall back to the broker Label only for a row-less session.
typeByID := map[string]string{}
nameByID := map[string]string{}
if devs, err := s.queries.ListDevicesByUser(r.Context(), claims.UserID); err == nil {
for _, d := range devs {
typeByID[d.DeviceID] = d.Type
nameByID[d.DeviceID] = d.Name
}
}
// 按 meta 归并:一台设备(meta)只呈现一条。子会话(sub!="",如控件剪贴板会话)与主会话共享 meta
// ——优先用主会话作代表;但若某设备只剩子会话存活(主会话已过期、控件会话仍独立刷新着),仍按该
// meta 呈现一台,故不能简单丢弃 sub!="" 行(否则“仅控件存活”的设备会从列表消失,见 auth/docs/
// 子会话方案.md §四)。meta-less 会话是非 cdrop 托管的机器会话(桌面 device-authorize bootstrap
// 随即被代铸替换),无 device_id、不是托管设备,跳过。
rep := make(map[string]brokerclient.SessionInfo, len(sessions))
order := make([]string, 0, len(sessions))
for _, sess := range sessions {
if sess.Meta == "" {
continue
}
if cur, ok := rep[sess.Meta]; !ok {
rep[sess.Meta] = sess
order = append(order, sess.Meta)
} else if cur.Sub != "" && sess.Sub == "" {
rep[sess.Meta] = sess // 主会话优先覆盖先到的子会话,作该设备的代表
}
}
out := make([]sessionView, 0, len(order))
for _, meta := range order {
sess := rep[meta]
typ := typeByID[meta]
if typ == "" {
typ = "browser"
}
name := nameByID[meta]
if name == "" {
name = sess.Label
}
scope := "full"
if jwtauth.ScopeTier(sess.Scope) == "guest" {
scope = "guest"
}
out = append(out, sessionView{
ID: meta,
DeviceID: meta,
DeviceName: name,
Kind: typ,
Scope: scope,
Current: meta == claims.DeviceID,
Online: s.hub.Online(claims.UserID, meta),
CreatedAt: sess.CreatedAt,
LastUsedAt: sess.LastUsedAt,
})
}
writeJSON(w, http.StatusOK, map[string]any{"sessions": out})
}
// handleSessionRevoke logs out a device by id (= device_id): it resolves the device's broker
// session, revokes it, and drops the local cache row. Full session required (route-gated).
func (s *Server) handleSessionRevoke(w http.ResponseWriter, r *http.Request) {
claims, _ := jwtauth.ClaimsFromContext(r.Context())
id := chi.URLParam(r, "id")
if id == "" {
writeJSON(w, http.StatusBadRequest, map[string]string{"error": "missing id"})
return
}
status, ok := s.revokeDevice(r, claims.UserID, id, true)
if !ok {
writeJSON(w, status, map[string]string{"error": revokeErrorMsg(status)})
return
}
w.WriteHeader(http.StatusNoContent)
}
// revokeDevice tears down a device's broker session and local cache row, then kicks its live
// SSE and re-broadcasts presence. Returns the HTTP status to report and whether it succeeded;
// the caller writes the response. Shared by device deletion, session revocation, and logout
// (they are the same operation). The broker session id is resolved cache-first (the local row
// holds the stable broker_sid) and falls back to R1 — the authoritative list — so a missing or
// pruned cache row still revokes correctly and stays authorized to this user.
func (s *Server) revokeDevice(r *http.Request, userID, deviceID string, notifyRevoked bool) (int, bool) {
// Resolve the device name (for the live SSE kick + the cross-device revoke push). Cache-first
// (the local row holds the live name, which a decoupled rename keeps current); fall back to the
// broker R1 label for a row-less session.
name := ""
localRowOwned := false
if dev, err := s.queries.GetDevice(r.Context(), deviceID); err == nil && dev.UserID == userID {
name = dev.Name
localRowOwned = true
}
if name == "" {
if sessions, err := s.broker.ListSessions(r.Context(), userID); err == nil {
for _, sess := range sessions {
if sess.Meta == deviceID {
name = sess.Label
break
}
}
}
}
// Cascade-revoke the whole device by meta: the main session AND any subordinate (clipboard
// widget) sessions sharing this device_id, so no orphan sub-session survives to keep reading
// the clipboard. Idempotent — revoked:0 when the device's sessions are already gone.
revoked, err := s.broker.RevokeDeviceSessions(r.Context(), userID, deviceID)
if err != nil {
slog.Error("broker cascade revoke failed", "err", err, "user", userID, "meta", deviceID)
return http.StatusBadGateway, false
}
// Nothing revoked and we own no local row → a device_id we have nothing for is a genuine 404.
// (A phantom row with no broker session still owns a local row, so it falls through to cleanup
// below — the user can always clear such a stale entry from their list.)
if revoked == 0 && !localRowOwned {
return http.StatusNotFound, false
}
// 跨设备登出(非自登出):推送告知被踢设备,使其立即知晓并清本地登录态——即便其页面 / app 已关闭,
// 也不必等下次请求 401 才发现。用一次性 context(请求 ctx 会随响应取消),best-effort 异步发。
if notifyRevoked && name != "" {
n := push.Notification{Type: push.KindSessionRevoked, Tag: "session:revoked"}
if s.push.Enabled() {
go s.push.Notify(context.Background(), userID, name, n)
}
if s.apns.Enabled() {
go s.apns.Notify(context.Background(), userID, name, n)
}
}
// Drop the local cache row (idempotent; non-fatal — the sweeper / next list-prune also clean it).
if _, err := s.queries.DeleteDevice(r.Context(), db.DeleteDeviceParams{
DeviceID: deviceID,
UserID: userID,
}); err != nil {
slog.Warn("delete device cache failed", "err", err, "user", userID, "device", deviceID)
}
// Kick by the stable device_id (the hub key); name rides along for the code-less fallback path
// inside Kick, so a renamed device is still kicked reliably (the prior "移除失败" symptom).
s.hub.Kick(userID, deviceID, name)
s.hub.PublishPresence(r.Context(), userID)
return http.StatusNoContent, true
}
// handleLogout logs out the calling device by revoking its own broker session (so it can no
// longer refresh) and dropping its cache row. The client also discards its tokens. A caller
// with no managed device (no X-Auth-Meta) just succeeds — there is nothing server-side to
// revoke. Origin-checked for CSRF.
func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
if !s.sameOrigin(r) {
writeJSON(w, http.StatusForbidden, map[string]string{"error": "bad origin"})
return
}
claims, _ := jwtauth.ClaimsFromContext(r.Context())
if claims.DeviceID != "" {
if status, ok := s.revokeDevice(r, claims.UserID, claims.DeviceID, false); !ok && status != http.StatusNotFound {
slog.Warn("logout revoke failed", "status", status, "user", claims.UserID)
}
}
w.WriteHeader(http.StatusNoContent)
}
func revokeErrorMsg(status int) string {
switch status {
case http.StatusNotFound:
return "device not found"
case http.StatusBadGateway:
return "revoke failed"
default:
return "db"
}
}