dotnet-cqrs

svrnty/dotnet-cqrs

Fork 0

Commit Graph

Author	SHA1	Message	Date
Mathias Beaulieu-Duncan	07a7a683b7	feat(altcha): IAltchaDifficultyAdvisor for per-request PoW complexity All checks were successful Publish NuGets / build (release) Successful in 39s Details Adds an abstraction over the CreateChallengeRequest.complexity field (already present in the proto since the original altcha module landed), letting applications scale PoW difficulty per request based on actor signals — repeat-offender counters, threat-intel headers, reputation scores — without leaking those concerns into the gRPC provider. - new IAltchaDifficultyAdvisor in Svrnty.CQRS.Altcha.Abstractions: Task<uint?> GetComplexityAsync(...). null means "use the upstream service's configured default." - NullAltchaDifficultyAdvisor in Svrnty.CQRS.Altcha is the no-op fallback registered by AddSvrntyAltcha() via TryAddSingleton, so applications can replace it without ordering constraints. - AltchaGrpcChallengeProvider now resolves the advisor and sets CreateChallengeRequest.Complexity when the advisor returns a value. The Altcha server clamps to its configured min/max, so callers don't need to enforce bounds here. No breaking changes to existing consumers — the no-op default keeps behaviour identical when no advisor is registered. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-12 20:09:00 -04:00
Mathias Beaulieu-Duncan	69e29d4f6d	feat(altcha): add Svrnty.CQRS.Altcha core check + DI The Altcha authorization check, plugged into the ICommandAuthorizationCheck / IQueryAuthorizationCheck seam. Behavior - Self-applies: returns Allowed for any request whose type isn't decorated with [Altcha]. No-op for the 99% of endpoints that don't need PoW. - Reads ctx.Items["mobile_attested"] for Phase 3 bypass when the attribute's AllowMobileAttestationBypass is true. - Pulls the solution off the request via IHasAltchaSolution and delegates verification to IAltchaVerifier (resolved per-call from the request scope, so any verifier lifetime works). - Stashes a diagnostic reason in ctx.Items["altcha_reason"] (missing / misconfigured / invalid / replayed / expired / etc.) for downstream middleware to surface in error responses. - Singleton itself — stateless; one instance shared via factory registrations under both check interfaces. AddSvrntyAltcha() registers the check. The verifier is provided by a transport-specific module (e.g. Svrnty.CQRS.Altcha.Grpc, next). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-12 16:24:02 -04:00

Author

SHA1

Message

Date

Mathias Beaulieu-Duncan

07a7a683b7

feat(altcha): IAltchaDifficultyAdvisor for per-request PoW complexity

Publish NuGets / build (release) Successful in 39s

Details

Adds an abstraction over the CreateChallengeRequest.complexity field
(already present in the proto since the original altcha module landed),
letting applications scale PoW difficulty per request based on actor
signals — repeat-offender counters, threat-intel headers, reputation
scores — without leaking those concerns into the gRPC provider.

  - new IAltchaDifficultyAdvisor in Svrnty.CQRS.Altcha.Abstractions:
    Task<uint?> GetComplexityAsync(...). null means "use the upstream
    service's configured default."

  - NullAltchaDifficultyAdvisor in Svrnty.CQRS.Altcha is the no-op
    fallback registered by AddSvrntyAltcha() via TryAddSingleton, so
    applications can replace it without ordering constraints.

  - AltchaGrpcChallengeProvider now resolves the advisor and sets
    CreateChallengeRequest.Complexity when the advisor returns a value.
    The Altcha server clamps to its configured min/max, so callers
    don't need to enforce bounds here.

No breaking changes to existing consumers — the no-op default keeps
behaviour identical when no advisor is registered.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-12 20:09:00 -04:00

Mathias Beaulieu-Duncan

69e29d4f6d

feat(altcha): add Svrnty.CQRS.Altcha core check + DI

The Altcha authorization check, plugged into the
ICommandAuthorizationCheck / IQueryAuthorizationCheck seam.

Behavior
- Self-applies: returns Allowed for any request whose type isn't
  decorated with [Altcha]. No-op for the 99% of endpoints that don't
  need PoW.
- Reads ctx.Items["mobile_attested"] for Phase 3 bypass when the
  attribute's AllowMobileAttestationBypass is true.
- Pulls the solution off the request via IHasAltchaSolution and
  delegates verification to IAltchaVerifier (resolved per-call from
  the request scope, so any verifier lifetime works).
- Stashes a diagnostic reason in ctx.Items["altcha_reason"]
  (missing / misconfigured / invalid / replayed / expired / etc.)
  for downstream middleware to surface in error responses.
- Singleton itself — stateless; one instance shared via factory
  registrations under both check interfaces.

AddSvrntyAltcha() registers the check. The verifier is provided by
a transport-specific module (e.g. Svrnty.CQRS.Altcha.Grpc, next).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-12 16:24:02 -04:00

2 Commits