soroush.asadi
1f52f53cf7
Build backend images / build content-svc (push) Failing after 51s
Build backend images / build file-svc (push) Failing after 53s
Build backend images / build gateway (push) Failing after 1m1s
Build backend images / build identity-svc (push) Failing after 48s
Build backend images / build notification-svc (push) Failing after 42s
Build backend images / build render-svc (push) Failing after 47s
Build backend images / build studio-svc (push) Failing after 1m13s
Business rule: each user has a daily render limit. Admin-stop refunds the used
charge (not the user's fault); a user's own cancel does not.
- identity: ConsumeRenderChargeAsync / RefundRenderChargeAsync on DailyRemainRenderCount
with lazy daily reset (mig 24: daily_renders_reset_at). Convention: max=0 ⇒ UNLIMITED,
so existing 0/0 users keep rendering until an admin sets a real limit.
- identity InternalController (service-token): POST /v1/internal/render-charge/{consume,refund}
- render-svc: identityclient + on Create consume (block 429 when limit reached, fail-open
on identity outage); on admin Stop refund the job owner; user /cancel unchanged
- compose: IDENTITY_URL for render-svc, ServiceToken for identity-svc
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
44 lines
1.6 KiB
C#
44 lines
1.6 KiB
C#
using FlatRender.IdentitySvc.Application.Services;
|
|
using Microsoft.AspNetCore.Authorization;
|
|
using Microsoft.AspNetCore.Mvc;
|
|
|
|
namespace FlatRender.IdentitySvc.Controllers;
|
|
|
|
/// <summary>Service-to-service endpoints (render-svc → identity). Auth via shared service token,
|
|
/// reachable only on the internal network (the gateway does not route /v1/internal).</summary>
|
|
[ApiController]
|
|
[AllowAnonymous]
|
|
[Route("v1/internal")]
|
|
public class InternalController(AdminService svc, IConfiguration config) : ControllerBase
|
|
{
|
|
public record ChargeReq(Guid UserId);
|
|
|
|
private bool ServiceTokenValid()
|
|
{
|
|
var expected = config["ServiceToken"] ?? Environment.GetEnvironmentVariable("SERVICE_TOKEN") ?? "internal-service-secret";
|
|
var got = Request.Headers["X-Service-Token"].ToString();
|
|
if (string.IsNullOrEmpty(got))
|
|
{
|
|
var auth = Request.Headers["Authorization"].ToString();
|
|
if (auth.StartsWith("Bearer ", StringComparison.Ordinal)) got = auth[7..];
|
|
}
|
|
return !string.IsNullOrEmpty(got) && got == expected;
|
|
}
|
|
|
|
[HttpPost("render-charge/consume")]
|
|
public async Task<IActionResult> Consume([FromBody] ChargeReq req)
|
|
{
|
|
if (!ServiceTokenValid()) return Unauthorized();
|
|
var (allowed, remaining) = await svc.ConsumeRenderChargeAsync(req.UserId);
|
|
return Ok(new { allowed, remaining });
|
|
}
|
|
|
|
[HttpPost("render-charge/refund")]
|
|
public async Task<IActionResult> Refund([FromBody] ChargeReq req)
|
|
{
|
|
if (!ServiceTokenValid()) return Unauthorized();
|
|
await svc.RefundRenderChargeAsync(req.UserId);
|
|
return Ok(new { ok = true });
|
|
}
|
|
}
|