SVSim/SVSimServer
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

refactor(auth): decouple Steam handler from request DTO shape

Browse Source 
Translation middleware now extracts viewer_id/steam_id/steam_session_ticket
from the decrypted msgpack dict into HttpContext.Items before the typed
DTO deserialize. The Steam handler reads from there instead of re-parsing
Request.Body — so authed action DTOs no longer need to inherit BaseRequest
to keep the auth fields alive through the msgpack→DTO→JSON pivot.

Retires the recurring footgun documented in
docs/superpowers/specs/2026-06-02-baseRequest-auth-footgun-improvement.md
(2026-05-25 basic-puzzle, 2026-05-28 deck-code, 2026-06-02 Phase 3 Bot,
2026-06-10 profile/index + item_acquire_history/info + user_mypage/update).

Pinned by AuthDecouplingTests — posts an encrypted msgpack body to
/profile/index (DTO does not inherit BaseRequest) through the real
translation middleware + auth handler and asserts 200. Adds an
EncryptedMsgpackHelper + useRealAuthHandler factory flag, reusable for
future wire-shape tests.

ProfileIndexRequest, ItemAcquireHistoryInfoRequest, and
UserMyPageUpdateRequest revert to the naked shape — the per-DTO
workarounds become vestigial under the new architecture.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
gamer147
2026-06-10 12:29:10 -04:00
parent b18b24b085
commit 1960e28298
9 changed files with 247 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
SVSim.EmulatedEntrypoint/Security/SteamSessionAuthentication/AuthFields.cs Normal file
View File

@@ -0,0 +1,22 @@
namespace SVSim.EmulatedEntrypoint.Security.SteamSessionAuthentication;
/// <summary>
/// Auth tuple extracted from the decrypted msgpack request body BEFORE it gets pivoted into
/// the action's typed DTO. Stashed into <c>HttpContext.Items</c> under <see cref="ContextKey"/>
/// by <c>ShadowverseTranslationMiddleware</c> so <c>SteamSessionAuthenticationHandler</c> can
/// read the ticket without depending on the DTO modelling these fields.
///
/// History: see <c>docs/superpowers/specs/2026-06-02-baseRequest-auth-footgun-improvement.md</c>.
/// The pre-existing route required every authed DTO to inherit <c>BaseRequest</c> (otherwise
/// the msgpack→DTO→JSON pivot dropped the auth fields and the handler silently 401'd live).
/// Surfacing the fields via a separate channel decouples auth from DTO shape entirely.
/// </summary>
public sealed class AuthFields
{
/// <summary>Items key under which the middleware stashes / the handler reads the auth tuple.</summary>
public const string ContextKey = "SVSim.AuthFields";
public string? ViewerId { get; init; }
public ulong SteamId { get; init; }
public string? SteamSessionTicket { get; init; }
}