Phase 4 §2.1: anonymous → existing-user merge breadcrumb
Adds `customers.account_belongs_to UUID NULL` and refactors customer sign-in (phone/Google/Apple) so an anon row that re-verifies into an existing customer no longer 409s. Instead the anon row stays intact with a breadcrumb pointing at the real customer; tokens are issued for the existing user. Actual data reconciliation onto the existing row (chat_sessions, customer_transactions, payment_sessions, pairing_failures) is deferred. Backend - migrate.js: ADD COLUMN account_belongs_to UUID REFERENCES customers(id) ON DELETE SET NULL. - customer.service.js: stampAccountBelongsTo helper; account_belongs_to exposed in CUSTOMER_SELECT. - auth.service.js: new shared resolveCustomerForIdentity (4-case logic); normalizeIdentityConflict + IDENTITY_ALREADY_LINKED 409 deleted; completeCustomerPhoneSignIn / signInWithGoogle / signInWithApple all route through the shared helper. - client.auth.routes.js: new resolveAnonymousCustomerId picks the anon prefix ONLY from a verified Bearer JWT — closes the UUID-leak attack where a tamper-able body field could mis-route someone else's transactions. /otp/verify, /google, /apple all use it; the body field `anonymous_customer_id` is no longer accepted on any of them. - test/services/auth.service.test.js: 9 Vitest cases covering phone + Google + Apple, all 4 logic cases + multi-merge accumulation. Customer app - auth_notifier.dart::verifyOtp: drop `skipAuth: true` and the dead body field so ApiClient auto-attaches the anon's Bearer from AuthBridge. Survives the AuthOtpSentData state transition (the earlier `_currentAnonymousCustomerId()` state-drop bug is bypassed by sourcing the id from the bridge instead of state). - Google + Apple client paths remain unchanged (gated on provider creds; mirror this fix when wiring lands). Docs - flow_customer.mermaid.md: new §2.1 sub-section with the merge diagram, schema note, replaces-current-behaviour paragraph, and Bearer-only security callout. - phase3.4-testing.md: §1.5 line 76 simplified (no more per-path split); new §1.5.1 with the 5-step operator scenario + DB invariants + curl recipe + Vitest pointer; new §1.5.2 covering Google/Apple parity (deferred client work flagged). Verification (against live dev backend, before this commit): - Vitest: 9/9 in auth.service.test.js; 49/51 overall (2 unrelated pre-existing failures in session-timer.service.test.js). - Operator Node smoke: 14/14 in the §1.5.1 scenario; 11/11 in the Bearer-precedence cases. - Real-device UI walkthrough on SM-A530F still pending — see resume memory `project_phase4_2_1_resume_test`. Sister WIP bundled in migrate.js + customer.service.js: `usp_seen` column + `markCustomerUspSeen` helper (Phase 4 USP one-time gate, was already uncommitted in the working tree). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -7,6 +7,7 @@ import {
|
||||
createAnonymousCustomerV2,
|
||||
createCustomerWithIdentity,
|
||||
upgradeCustomerIdentity,
|
||||
stampAccountBelongsTo,
|
||||
} from './customer.service.js'
|
||||
import {
|
||||
getMitraByPhone,
|
||||
@@ -38,15 +39,37 @@ export class AuthError extends Error {
|
||||
}
|
||||
}
|
||||
|
||||
const normalizeIdentityConflict = async ({ existing, anonymousCustomerId }) => {
|
||||
// If an authenticated identity is already linked to a DIFFERENT customer,
|
||||
// reject. Merge is deferred per PRD.
|
||||
if (existing && anonymousCustomerId && existing.id !== anonymousCustomerId) {
|
||||
throw new AuthError(
|
||||
'This account is already linked to another session. Please log out first.',
|
||||
'IDENTITY_ALREADY_LINKED', 409,
|
||||
)
|
||||
// Phase 4 §2.1 — shared identity-resolution path used by phone/Google/Apple
|
||||
// sign-ins. Three branches:
|
||||
//
|
||||
// 1. existing identity row + anon prefix points at a different row
|
||||
// → stamp `account_belongs_to` on the anon row and return the existing
|
||||
// row. The anon row stays intact so its prior chat_sessions /
|
||||
// customer_transactions FKs remain valid; reconciliation onto the
|
||||
// existing customer is replayable later via the breadcrumb.
|
||||
// 2. existing identity row (no anon, or anon id == existing.id)
|
||||
// → return existing as-is.
|
||||
// 3. no existing row + anon prefix
|
||||
// → upgrade the anon row in place (set identity fields, preserve
|
||||
// display_name etc. via COALESCE).
|
||||
// 4. no existing row + no anon
|
||||
// → create a fresh identified customer with display_name=null (client
|
||||
// routes to the set-display-name screen).
|
||||
//
|
||||
// `identityFields` is the set of columns added by either upgrade or create
|
||||
// (phone, google_sub+email, apple_sub+email). display_name=null is appended
|
||||
// automatically for the create case.
|
||||
const resolveCustomerForIdentity = async ({ existing, anonymousCustomerId, identityFields }) => {
|
||||
if (existing) {
|
||||
if (anonymousCustomerId && existing.id !== anonymousCustomerId) {
|
||||
await stampAccountBelongsTo(anonymousCustomerId, existing.id)
|
||||
}
|
||||
return existing
|
||||
}
|
||||
if (anonymousCustomerId) {
|
||||
return await upgradeCustomerIdentity(anonymousCustomerId, identityFields)
|
||||
}
|
||||
return await createCustomerWithIdentity({ ...identityFields, display_name: null })
|
||||
}
|
||||
|
||||
// --- Anonymous ---
|
||||
@@ -63,21 +86,14 @@ export const signInAnonymous = async ({ deviceInfo } = {}) => {
|
||||
return { tokens, profile: customer }
|
||||
}
|
||||
|
||||
// --- Phone OTP — Customer ---
|
||||
|
||||
// --- Phone OTP — Customer (Phase 4 §2.1 merge breadcrumb) ---
|
||||
export const completeCustomerPhoneSignIn = async ({ phone, anonymousCustomerId, deviceInfo }) => {
|
||||
const existing = await getCustomerByPhone(phone)
|
||||
await normalizeIdentityConflict({ existing, anonymousCustomerId })
|
||||
|
||||
let customer
|
||||
if (existing) {
|
||||
customer = existing
|
||||
} else if (anonymousCustomerId) {
|
||||
customer = await upgradeCustomerIdentity(anonymousCustomerId, { phone })
|
||||
} else {
|
||||
customer = await createCustomerWithIdentity({ phone, display_name: null })
|
||||
}
|
||||
|
||||
const customer = await resolveCustomerForIdentity({
|
||||
existing,
|
||||
anonymousCustomerId,
|
||||
identityFields: { phone },
|
||||
})
|
||||
const tokens = await issueTokens({
|
||||
userType: UserType.CUSTOMER,
|
||||
userId: customer.id,
|
||||
@@ -101,32 +117,18 @@ export const completeMitraPhoneSignIn = async ({ phone, deviceInfo }) => {
|
||||
return { tokens, profile: mitra }
|
||||
}
|
||||
|
||||
// --- Google (customer only) ---
|
||||
|
||||
// --- Google (customer only) — Phase 4 §2.1 merge breadcrumb ---
|
||||
//
|
||||
// We don't pull display_name from Google; the anon's display_name is
|
||||
// preserved via upgradeCustomerIdentity's COALESCE.
|
||||
export const signInWithGoogle = async ({ idToken, anonymousCustomerId, deviceInfo }) => {
|
||||
const google = await verifyGoogleIdToken(idToken)
|
||||
const existing = await getCustomerByGoogleSub(google.sub)
|
||||
await normalizeIdentityConflict({ existing, anonymousCustomerId })
|
||||
|
||||
let customer
|
||||
if (existing) {
|
||||
customer = existing
|
||||
} else if (anonymousCustomerId) {
|
||||
// Preserve the anonymous display_name; we don't pull name from Google.
|
||||
customer = await upgradeCustomerIdentity(anonymousCustomerId, {
|
||||
google_sub: google.sub,
|
||||
email: google.email,
|
||||
})
|
||||
} else {
|
||||
// No anonymous bootstrap → display_name is null; frontend routes to
|
||||
// the set-display-name screen.
|
||||
customer = await createCustomerWithIdentity({
|
||||
google_sub: google.sub,
|
||||
email: google.email,
|
||||
display_name: null,
|
||||
})
|
||||
}
|
||||
|
||||
const customer = await resolveCustomerForIdentity({
|
||||
existing,
|
||||
anonymousCustomerId,
|
||||
identityFields: { google_sub: google.sub, email: google.email },
|
||||
})
|
||||
const tokens = await issueTokens({
|
||||
userType: UserType.CUSTOMER,
|
||||
userId: customer.id,
|
||||
@@ -135,29 +137,16 @@ export const signInWithGoogle = async ({ idToken, anonymousCustomerId, deviceInf
|
||||
return { tokens, profile: customer }
|
||||
}
|
||||
|
||||
// --- Apple (customer only) ---
|
||||
// --- Apple (customer only) — Phase 4 §2.1 merge breadcrumb ---
|
||||
|
||||
export const signInWithApple = async ({ idToken, anonymousCustomerId, deviceInfo }) => {
|
||||
const apple = await verifyAppleIdToken(idToken)
|
||||
const existing = await getCustomerByAppleSub(apple.sub)
|
||||
await normalizeIdentityConflict({ existing, anonymousCustomerId })
|
||||
|
||||
let customer
|
||||
if (existing) {
|
||||
customer = existing
|
||||
} else if (anonymousCustomerId) {
|
||||
customer = await upgradeCustomerIdentity(anonymousCustomerId, {
|
||||
apple_sub: apple.sub,
|
||||
email: apple.email,
|
||||
})
|
||||
} else {
|
||||
customer = await createCustomerWithIdentity({
|
||||
apple_sub: apple.sub,
|
||||
email: apple.email,
|
||||
display_name: null,
|
||||
})
|
||||
}
|
||||
|
||||
const customer = await resolveCustomerForIdentity({
|
||||
existing,
|
||||
anonymousCustomerId,
|
||||
identityFields: { apple_sub: apple.sub, email: apple.email },
|
||||
})
|
||||
const tokens = await issueTokens({
|
||||
userType: UserType.CUSTOMER,
|
||||
userId: customer.id,
|
||||
|
||||
Reference in New Issue
Block a user