From bf783639c1879c8868300e0a24dc95efc9ef2b0a Mon Sep 17 00:00:00 2001 From: gamer147 Date: Tue, 2 Jun 2026 09:29:48 -0400 Subject: [PATCH] fix(rank-battle): inherit BaseRequest so auth fields survive translation roundtrip MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The translation middleware decrypts + msgpack-decodes the request body into the action's first-parameter type, then re-serializes that DTO to JSON for the auth handler to read. Phase 3's DoMatchingRequestDto and RankBattleFinishRequestDto didn't inherit BaseRequest, so viewer_id / steam_id / steam_session_ticket were dropped during the msgpack → DTO → JSON pivot — the auth handler then saw a body with no auth fields and 401'd every request. Fixed by making both DTOs extend BaseRequest, mirroring the Phase 2 TK2 DoMatchingRequest pattern. Also added [FromBody] BaseRequest parameters to the previously body-less actions (AiStart × 2, ForceFinish, AddClientLog, GetLatestMasterPoint). The translation middleware explicitly requires at least one parameter to bind the decrypted msgpack body (see L130-136 of the middleware); without it the request would throw InvalidOperationException at runtime. Tests updated to post viewer_id / steam_id / steam_session_ticket placeholder values in the request body, matching the existing TK2 test pattern. Co-Authored-By: Claude Opus 4.7 --- .../Controllers/RankBattleController.cs | 22 +++--- .../Dtos/RankBattle/DoMatchingRequestDto.cs | 15 ++-- .../RankBattle/RankBattleFinishRequestDto.cs | 8 ++- .../Controllers/RankBattleControllerTests.cs | 68 ++++++++++++------- 4 files changed, 74 insertions(+), 39 deletions(-) diff --git a/SVSim.EmulatedEntrypoint/Controllers/RankBattleController.cs b/SVSim.EmulatedEntrypoint/Controllers/RankBattleController.cs index ba26878..7c882ed 100644 --- a/SVSim.EmulatedEntrypoint/Controllers/RankBattleController.cs +++ b/SVSim.EmulatedEntrypoint/Controllers/RankBattleController.cs @@ -5,6 +5,7 @@ using SVSim.Database.Enums; using SVSim.EmulatedEntrypoint.Constants; using SVSim.EmulatedEntrypoint.Matching; using SVSim.EmulatedEntrypoint.Models.Dtos.RankBattle; +using SVSim.EmulatedEntrypoint.Models.Dtos.Requests; using SVSim.EmulatedEntrypoint.Security.SteamSessionAuthentication; using SVSim.EmulatedEntrypoint.Services; @@ -56,12 +57,15 @@ public sealed class RankBattleController : ControllerBase public Task DoMatchingUnlimited([FromBody] DoMatchingRequestDto req, CancellationToken ct) => DoMatchingInternal("unlimited_rank_battle", Format.Unlimited, req, ct); + // AIBattleStartTask has no SetParameter override, so the body is just the inherited + // PostParams (viewer_id / steam_id / steam_session_ticket) — but the translation + // middleware requires at least one parameter to bind the decrypted body. Use BaseRequest. [HttpPost("/ai_rotation_rank_battle/start")] - public Task AiStartRotation(CancellationToken ct) + public Task AiStartRotation([FromBody] BaseRequest _, CancellationToken ct) => AiStartInternal(Format.Rotation, ct); [HttpPost("/ai_unlimited_rank_battle/start")] - public Task AiStartUnlimited(CancellationToken ct) + public Task AiStartUnlimited([FromBody] BaseRequest _, CancellationToken ct) => AiStartInternal(Format.Unlimited, ct); /// @@ -84,26 +88,28 @@ public sealed class RankBattleController : ControllerBase }); } + // BaseRequest parameter on every body-less action so the translation middleware can + // bind the decrypted msgpack body (it explicitly requires at least one parameter). [HttpPost("/rank_battle/force_finish")] - public IActionResult ForceFinish() + public IActionResult ForceFinish([FromBody] BaseRequest _) { - if (!TryGetViewerId(out var _)) return Unauthorized(); + if (!TryGetViewerId(out var _u)) return Unauthorized(); return Ok(new { }); } [HttpPost("/rank_battle/add_client_log")] [HttpPost("/rank_battle/add_all_client_log")] [HttpPost("/rank_battle/add_last_turn_log")] - public IActionResult AddClientLog() + public IActionResult AddClientLog([FromBody] BaseRequest _) { - if (!TryGetViewerId(out var _)) return Unauthorized(); + if (!TryGetViewerId(out var _u)) return Unauthorized(); return Ok(new { }); } [HttpPost("/rank_battle/get_latest_master_point")] - public IActionResult GetLatestMasterPoint() + public IActionResult GetLatestMasterPoint([FromBody] BaseRequest _) { - if (!TryGetViewerId(out var _)) return Unauthorized(); + if (!TryGetViewerId(out var _u)) return Unauthorized(); return Ok(new { }); } diff --git a/SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/DoMatchingRequestDto.cs b/SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/DoMatchingRequestDto.cs index 2d98a3a..8866e0e 100644 --- a/SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/DoMatchingRequestDto.cs +++ b/SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/DoMatchingRequestDto.cs @@ -1,10 +1,17 @@ using System.Text.Json.Serialization; using MessagePack; +using SVSim.EmulatedEntrypoint.Models.Dtos.Requests; namespace SVSim.EmulatedEntrypoint.Models.Dtos.RankBattle; -[MessagePackObject(keyAsPropertyName: true)] -public sealed class DoMatchingRequestDto +/// +/// Standard DoMatchingParam shape for rank battle (rotation/unlimited). Inherits viewer_id / +/// steam_id / steam_session_ticket from so the auth fields survive +/// the translation-middleware msgpack → DTO → JSON round-trip (otherwise the +/// SteamSessionAuthenticationHandler sees a body without auth fields and 401s). +/// +[MessagePackObject] +public sealed class DoMatchingRequestDto : BaseRequest { [JsonPropertyName("deck_no")] [Key("deck_no")] @@ -20,7 +27,7 @@ public sealed class DoMatchingRequestDto [JsonPropertyName("log")] [Key("log")] - public string? Log { get; set; } + public int Log { get; set; } [JsonPropertyName("use_stage_select")] [Key("use_stage_select")] @@ -28,7 +35,7 @@ public sealed class DoMatchingRequestDto [JsonPropertyName("excluded_field_id_list")] [Key("excluded_field_id_list")] - public int[]? ExcludedFieldIdList { get; set; } + public List ExcludedFieldIdList { get; set; } = new(); [JsonPropertyName("is_default_skin")] [Key("is_default_skin")] diff --git a/SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/RankBattleFinishRequestDto.cs b/SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/RankBattleFinishRequestDto.cs index 9eaf100..53af0c7 100644 --- a/SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/RankBattleFinishRequestDto.cs +++ b/SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/RankBattleFinishRequestDto.cs @@ -1,5 +1,6 @@ using System.Text.Json.Serialization; using MessagePack; +using SVSim.EmulatedEntrypoint.Models.Dtos.Requests; namespace SVSim.EmulatedEntrypoint.Models.Dtos.RankBattle; @@ -7,9 +8,12 @@ namespace SVSim.EmulatedEntrypoint.Models.Dtos.RankBattle; /// Standard BattleFinishParam shape — see docs/api-spec/common/types.ts.md and /// docs/api-spec/endpoints/post-login/rank-battle/finish.md. Future: promote to /// a shared common DTO when a second finish endpoint reuses this. +/// +/// Inherits viewer_id / steam_id / steam_session_ticket from +/// so the auth fields survive the translation-middleware round-trip. /// -[MessagePackObject(keyAsPropertyName: true)] -public sealed class RankBattleFinishRequestDto +[MessagePackObject] +public sealed class RankBattleFinishRequestDto : BaseRequest { [JsonPropertyName("battle_result")] [Key("battle_result")] diff --git a/SVSim.UnitTests/Controllers/RankBattleControllerTests.cs b/SVSim.UnitTests/Controllers/RankBattleControllerTests.cs index a9603f5..94574c9 100644 --- a/SVSim.UnitTests/Controllers/RankBattleControllerTests.cs +++ b/SVSim.UnitTests/Controllers/RankBattleControllerTests.cs @@ -10,6 +10,40 @@ namespace SVSim.UnitTests.Controllers; [TestFixture] public class RankBattleControllerTests { + // BaseRequest fields (viewer_id / steam_id / steam_session_ticket) are required by the + // request DTOs — the ApiController's auto-validation rejects bodies missing them. We + // post placeholder values here; the TestAuthHandler injects the real viewer-id via the + // X-Test-Viewer-Id header set by CreateAuthenticatedClient, so these body values are + // ignored by auth. + private static readonly object DoMatchingBody = new + { + deck_no = 1, + need_init = 1, + log = 0, + viewer_id = "0", + steam_id = 0, + steam_session_ticket = "", + }; + + private static object FinishBody(int battleResult, int classId = 3) => new + { + battle_result = battleResult, + is_retire = 0, + recovery_data = "{}", + class_id = classId, + total_turn = 5, + viewer_id = "0", + steam_id = 0, + steam_session_ticket = "", + }; + + private static readonly object EmptyAuthedBody = new + { + viewer_id = "0", + steam_id = 0, + steam_session_ticket = "", + }; + [Test] public async Task DoMatching_rotation_first_poll_returns_3002_RETRY_with_empty_node_server_url() { @@ -19,9 +53,7 @@ public class RankBattleControllerTests await factory.SeedDeckAsync(viewerId, Format.Rotation, 1); var client = factory.CreateAuthenticatedClient(viewerId); - var resp = await client.PostAsJsonAsync( - "/rotation_rank_battle/do_matching", - new { deck_no = 1, need_init = 1 }); + var resp = await client.PostAsJsonAsync("/rotation_rank_battle/do_matching", DoMatchingBody); Assert.That(resp.IsSuccessStatusCode, Is.True, $"Expected 2xx, got {resp.StatusCode}"); var raw = await resp.Content.ReadAsStringAsync(); @@ -44,23 +76,20 @@ public class RankBattleControllerTests // Alice polls first → parks. var c1 = factory.CreateAuthenticatedClient(v1); - var r1 = await c1.PostAsJsonAsync( - "/rotation_rank_battle/do_matching", new { deck_no = 1, need_init = 1 }); + var r1 = await c1.PostAsJsonAsync("/rotation_rank_battle/do_matching", DoMatchingBody); var j1 = JsonDocument.Parse(await r1.Content.ReadAsStringAsync()).RootElement; Assert.That(j1.GetProperty("matching_state").GetInt32(), Is.EqualTo(3002)); // Bob polls — pairs, returns joiner (3004). var c2 = factory.CreateAuthenticatedClient(v2); - var r2 = await c2.PostAsJsonAsync( - "/rotation_rank_battle/do_matching", new { deck_no = 1, need_init = 1 }); + var r2 = await c2.PostAsJsonAsync("/rotation_rank_battle/do_matching", DoMatchingBody); var j2 = JsonDocument.Parse(await r2.Content.ReadAsStringAsync()).RootElement; Assert.That(j2.GetProperty("matching_state").GetInt32(), Is.EqualTo(3004), "Joiner = 3004."); Assert.That(j2.GetProperty("battle_id").GetString(), Is.Not.Null.And.Not.Empty); Assert.That(j2.GetProperty("node_server_url").GetString(), Is.Not.Empty); // Alice polls again — gets cached match, owner role (3007). - var r3 = await c1.PostAsJsonAsync( - "/rotation_rank_battle/do_matching", new { deck_no = 1, need_init = 0 }); + var r3 = await c1.PostAsJsonAsync("/rotation_rank_battle/do_matching", DoMatchingBody); var j3 = JsonDocument.Parse(await r3.Content.ReadAsStringAsync()).RootElement; Assert.That(j3.GetProperty("matching_state").GetInt32(), Is.EqualTo(3007), "Owner = 3007."); Assert.That(j3.GetProperty("battle_id").GetString(), Is.EqualTo(j2.GetProperty("battle_id").GetString())); @@ -75,7 +104,7 @@ public class RankBattleControllerTests await factory.SeedDeckAsync(viewerId, Format.Rotation, 1); var client = factory.CreateAuthenticatedClient(viewerId); - var resp = await client.PostAsJsonAsync("/ai_rotation_rank_battle/start", new { }); + var resp = await client.PostAsJsonAsync("/ai_rotation_rank_battle/start", EmptyAuthedBody); var raw = await resp.Content.ReadAsStringAsync(); using var doc = JsonDocument.Parse(raw); @@ -111,7 +140,7 @@ public class RankBattleControllerTests await factory.SeedDeckAsync(viewerId, Format.Rotation, 1); var client = factory.CreateAuthenticatedClient(viewerId); - var resp = await client.PostAsJsonAsync("/ai_rotation_rank_battle/start", new { }); + var resp = await client.PostAsJsonAsync("/ai_rotation_rank_battle/start", EmptyAuthedBody); using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync()); var selfInfo = doc.RootElement.GetProperty("self_info"); @@ -127,7 +156,7 @@ public class RankBattleControllerTests await factory.SeedDeckAsync(viewerId, Format.Rotation, 1); var client = factory.CreateAuthenticatedClient(viewerId); - var resp = await client.PostAsJsonAsync("/ai_rotation_rank_battle/start", new { }); + var resp = await client.PostAsJsonAsync("/ai_rotation_rank_battle/start", EmptyAuthedBody); using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync()); var oppoInfo = doc.RootElement.GetProperty("oppo_info"); @@ -143,14 +172,7 @@ public class RankBattleControllerTests var viewerId = await factory.SeedViewerAsync(); var client = factory.CreateAuthenticatedClient(viewerId); - var resp = await client.PostAsJsonAsync("/ai_rotation_rank_battle/finish", new - { - battle_result = 1, // win - is_retire = 0, - recovery_data = "{}", - class_id = 3, - total_turn = 5, - }); + var resp = await client.PostAsJsonAsync("/ai_rotation_rank_battle/finish", FinishBody(battleResult: 1)); Assert.That(resp.IsSuccessStatusCode, Is.True); using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync()); @@ -168,11 +190,7 @@ public class RankBattleControllerTests var viewerId = await factory.SeedViewerAsync(); var client = factory.CreateAuthenticatedClient(viewerId); - var resp = await client.PostAsJsonAsync("/rotation_rank_battle/finish", new - { - battle_result = 2, // consistency error - class_id = 3, - }); + var resp = await client.PostAsJsonAsync("/rotation_rank_battle/finish", FinishBody(battleResult: 2)); using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync()); Assert.That(doc.RootElement.GetProperty("battle_result").GetInt32(), Is.EqualTo(2));