fix(database): forward currentUrl and iframeUrl through session projection#2821
Merged
Merged
Conversation
…ction `getSessionRecordBySessionId` narrowed the origin session read to a projection that omitted `currentUrl` and `iframeUrl`. `buildEscalation` in `submitPoWCaptchaSolution` then forwarded `undefined` into `createSession`, so every post-PoW escalated session was persisted without the URL context — 100% loss confirmed in prod on 2026-07-09 (384/384 Twickets escalations in a 30-minute window had `currentUrl: undefined` even though 1786/1786 origin PoW sessions had it populated). Add both fields to the projection and extend the regression test that already guards the buildEscalation contract. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
getSessionRecordBySessionIdprojected only a hand-picked list of session fields;currentUrlandiframeUrlwere not on the list.buildEscalationinsubmitPoWCaptchaSolutionreads the origin session via this method and forwards the URLs intocreateSession— so every escalation session was persisted withundefinedURLs.Prod evidence (captchastorage, 2026-07-09, 30-minute window)
currentUrlThe origin sessions correctly stored
currentUrl(e.g.https://www.client.com/…). Every escalation minted from those origins came outundefined, so downstream analytics (attack attribution, per-URL routing) lost the URL on the PoW → image/puzzle hop.Scope
sessionscollection only.powcaptchasandusercommitmentsschemas do not havecurrentUrland are intentionally left alone — attribute viasessionIdjoin.currentUrlandiframeUrlare added; other fields also missing from the projection (isProtect, entropy fields, handshake timings) are out of scope for this PR.Test plan
npx vitest run src/tests/integration/sessionRecordProjection.integration.test.ts— 3/3 passnpm run -w @prosopo/database build:tscnpm run -w @prosopo/provider build:tsccurrentUrl🤖 Generated with Claude Code