feat: gate recharge payment by login device

2026-05-15 08:43:21 +08:00
parent 5b70ec6af7
commit c94f22e26c
12 changed files with 527 additions and 72 deletions
--- a/server-rs/crates/api-server/src/auth_session.rs
+++ b/server-rs/crates/api-server/src/auth_session.rs
@@ -1,19 +1,19 @@
 use axum::http::{HeaderMap, HeaderValue, StatusCode, header::SET_COOKIE};
 use module_auth::{
-    AuthLoginMethod, AuthUser, CreateRefreshSessionInput, LogoutError, RefreshSessionError,
+    AuthLoginMethod, AuthUser, CreateRefreshSessionInput, LogoutError, RefreshSessionClientInfo,
+    RefreshSessionError,
 };
 use platform_auth::{
-    AccessTokenClaims, AccessTokenClaimsInput, AuthProvider, BindingStatus,
+    AccessTokenClaims, AccessTokenClaimsInput, AccessTokenDeviceInfo, AuthProvider, BindingStatus,
    build_refresh_session_clear_cookie, build_refresh_session_set_cookie,
    create_refresh_session_token, hash_refresh_session_token, sign_access_token,
 };
 use time::OffsetDateTime;

 use crate::session_client::SessionClientContext;
-use crate::{
-    http_error::AppError, request_context::RequestContext, state::AppState,
-    tracking::record_daily_login_tracking_event_after_success as record_daily_login_tracking_event_via_unified_path,
-};
+#[cfg(not(test))]
+use crate::tracking::record_daily_login_tracking_event_after_success as record_daily_login_tracking_event_via_unified_path;
+use crate::{http_error::AppError, request_context::RequestContext, state::AppState};

 #[derive(Debug, Clone)]
 pub struct SignedAuthSession {
@@ -81,6 +81,7 @@ pub fn create_auth_session(
        user,
        &session.session.session_id,
        Some(&session_provider),
+        Some(&session.session.client_info),
    )?;

    Ok(SignedAuthSession {
@@ -94,8 +95,9 @@ pub fn sign_access_token_for_user(
    user: &AuthUser,
    session_id: &str,
    session_provider_override: Option<&AuthLoginMethod>,
+    client_info: Option<&RefreshSessionClientInfo>,
 ) -> Result<String, AppError> {
-    let access_claims = AccessTokenClaims::from_input(
+    let access_claims = AccessTokenClaims::from_input_with_device(
        AccessTokenClaimsInput {
            user_id: user.id.clone(),
            session_id: session_id.to_string(),
@@ -106,6 +108,7 @@ pub fn sign_access_token_for_user(
            binding_status: map_binding_status(&user.binding_status),
            display_name: Some(user.display_name.clone()),
        },
+        client_info.map(map_access_token_device_info),
        state.auth_jwt_config(),
        OffsetDateTime::now_utc(),
    )
@@ -182,3 +185,11 @@ fn map_binding_status(binding_status: &module_auth::AuthBindingStatus) -> Bindin
        module_auth::AuthBindingStatus::PendingBindPhone => BindingStatus::PendingBindPhone,
    }
 }
+
+fn map_access_token_device_info(client_info: &RefreshSessionClientInfo) -> AccessTokenDeviceInfo {
+    AccessTokenDeviceInfo {
+        client_type: client_info.client_type.clone(),
+        client_runtime: client_info.client_runtime.clone(),
+        client_platform: client_info.client_platform.clone(),
+    }
+}