Kwaku Danso
b873012191
Per-event fraud tuning. Hosts can now dial the medium / high / block
boundaries, allowlist trusted networks, and feed verdicts back on
flagged accesses — the seed corpus for a future ML model.
Schema (migration 0011)
- events.fraud_{medium,high,block}_threshold default 30/60/85 so
existing events behave identically until a host changes them
- access_logs.geo_{country,city,lat,lon} for future enrichment
- fraud_feedback table — verdict ('legitimate' | 'suspicious') + note,
PK on access_log_id so re-mark is an upsert
- event_allowlists table — (event_id, ip_cidr) primary key, inet column
so containment checks use the native >>= operator (indexed lookup)
Domain
- FraudThresholds with Valid() + Band() helpers; Default trio echoed
through GET responses so the frontend doesn't duplicate constants
- ParseAllowlistCIDR accepts bare IPs (auto-widens to /32 or /128) and
canonicalises the output (203.0.113.42 → 203.0.113.42/32)
- Event.Thresholds() falls back to defaults if columns weren't
populated yet, so the API never wedges every score into "low"
Storage
- AllowlistRepo: List / Add / Remove + Matches() — the latter pushes
CIDR containment into Postgres rather than streaming rows back
- FeedbackRepo: Record (upserts) + ListForEvent (joined through guests)
- EventRepo.GetThresholds + UpdateThresholds, plus the threshold
columns baked into scanEvent so every event load carries them
- AccessLogRepo.BelongsToEvent — stops a hostile editor on event A
from marking event B's access logs
API
- GET/PUT /events/{id}/security/thresholds (viewer/editor)
- GET/POST/DELETE /events/{id}/security/allowlist
- POST /events/{id}/access-logs/{log_id}/feedback (editor)
- GET /events/{id}/security/feedback
- RSVP scoring path: allowlist short-circuit fires before the fraud
engine; the engine's score is then re-banded against the event's
thresholds (engine.Risk becomes advisory — API is the source of
truth for "what counts as block here")
- CORS Allow-Methods already includes PUT (Block D fix)
Fraud engine
- Single-signal cap: it now takes ≥2 sub-scores of ≥70 to push the
final into HIGH. Fixes the well-known "second visit with a slightly
shifted fingerprint scores 60+" false positive
- Engine band remains advisory; API re-bands using per-event
thresholds before deciding to block
Frontend
- SecurityCard.vue: visual band ribbon (proportional to thresholds),
three sliders with mutual clamping so dragging medium past high
pushes high (not an invalid ordering), reset-to-defaults button,
CIDR allowlist with inline add + per-row remove, verdict-history
inbox. Toast feedback on save/add/remove
- "Security" tab added to the event-detail tab nav (5th tab,
right of Analytics)
- Viewer role hides write affordances; server enforces too
Tests
- Domain: ThresholdsBand, ThresholdsValid, ParseAllowlistCIDR (bare
IP widening + traversal/typo rejection), FraudFeedbackValid
- Integration: thresholds round-trip + invalid ordering rejection,
allowlist CRUD + duplicate 409 + invalid CIDR 400 + IP auto-widen,
feedback record + upsert + cross-tenant 404 + invalid verdict 400,
viewer can read / editor can write / outsider gets 404
- Full integration suite green (315.8s, all 36 top-level tests pass)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
70 lines
2.0 KiB
Go
70 lines
2.0 KiB
Go
package domain
|
|
|
|
import (
|
|
"errors"
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
type EventStatus string
|
|
|
|
const (
|
|
EventStatusDraft EventStatus = "draft"
|
|
EventStatusPublished EventStatus = "published"
|
|
EventStatusClosed EventStatus = "closed"
|
|
EventStatusArchived EventStatus = "archived"
|
|
)
|
|
|
|
func (s EventStatus) Valid() bool {
|
|
switch s {
|
|
case EventStatusDraft, EventStatusPublished, EventStatusClosed, EventStatusArchived:
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
type Event struct {
|
|
ID uuid.UUID `json:"id"`
|
|
HostID uuid.UUID `json:"host_id"`
|
|
Name string `json:"name"`
|
|
Slug string `json:"slug"`
|
|
EventDate time.Time `json:"event_date"`
|
|
Venue string `json:"venue"`
|
|
MaxCapacity int `json:"max_capacity"`
|
|
Settings map[string]any `json:"settings"`
|
|
Status EventStatus `json:"status"`
|
|
CreatedAt time.Time `json:"created_at"`
|
|
UpdatedAt time.Time `json:"updated_at"`
|
|
|
|
// Per-event fraud-band thresholds (Tier 2 Block G). The defaults are
|
|
// set by the migration so events created pre-Block-G continue to use
|
|
// the previous global 30/60/85 boundaries until a host changes them.
|
|
FraudMediumThreshold int `json:"fraud_medium_threshold"`
|
|
FraudHighThreshold int `json:"fraud_high_threshold"`
|
|
FraudBlockThreshold int `json:"fraud_block_threshold"`
|
|
}
|
|
|
|
// Thresholds returns the event's fraud band trio as a single value the
|
|
// scoring path can pass around (or fall back to defaults if the row was
|
|
// loaded before this migration).
|
|
func (e *Event) Thresholds() FraudThresholds {
|
|
t := FraudThresholds{
|
|
Medium: e.FraudMediumThreshold,
|
|
High: e.FraudHighThreshold,
|
|
Block: e.FraudBlockThreshold,
|
|
}
|
|
// Treat zeros (or invalid orderings) as "host hasn't customised";
|
|
// fall back to defaults rather than wedge every score into the lowest
|
|
// band.
|
|
if t.Valid() != nil || t.Block == 0 {
|
|
return DefaultThresholds()
|
|
}
|
|
return t
|
|
}
|
|
|
|
var (
|
|
ErrEventNotFound = errors.New("event not found")
|
|
ErrSlugTaken = errors.New("slug already in use")
|
|
)
|