Skip to content

fix(database): forward currentUrl and iframeUrl through session projection#2821

Merged
forgetso merged 3 commits into
mainfrom
fix/session-projection-currenturl-iframeurl
Jul 9, 2026
Merged

fix(database): forward currentUrl and iframeUrl through session projection#2821
forgetso merged 3 commits into
mainfrom
fix/session-projection-currenturl-iframeurl

Conversation

@forgetso

@forgetso forgetso commented Jul 9, 2026

Copy link
Copy Markdown
Member

Summary

  • getSessionRecordBySessionId projected only a hand-picked list of session fields; currentUrl and iframeUrl were not on the list.
  • buildEscalation in submitPoWCaptchaSolution reads the origin session via this method and forwards the URLs into createSession — so every escalation session was persisted with undefined URLs.
  • Add both fields to the projection and extend the existing regression test.

Prod evidence (captchastorage, 2026-07-09, 30-minute window)

Cohort Sessions With currentUrl
Client origin PoW sessions 1,786 1,786 (100%)
Client escalation sessions 384 0 (0%)

The origin sessions correctly stored currentUrl (e.g. https://www.client.com/…). Every escalation minted from those origins came out undefined, so downstream analytics (attack attribution, per-URL routing) lost the URL on the PoW → image/puzzle hop.

Scope

  • sessions collection only. powcaptchas and usercommitments schemas do not have currentUrl and are intentionally left alone — attribute via sessionId join.
  • Only currentUrl and iframeUrl are added; other fields also missing from the projection (isProtect, entropy fields, handshake timings) are out of scope for this PR.

Test plan

  • npx vitest run src/tests/integration/sessionRecordProjection.integration.test.ts — 3/3 pass
  • npm run -w @prosopo/database build:tsc
  • npm run -w @prosopo/provider build:tsc
  • After merge: verify Client escalation sessions in prod start populating currentUrl

🤖 Generated with Claude Code

…ction

`getSessionRecordBySessionId` narrowed the origin session read to a
projection that omitted `currentUrl` and `iframeUrl`. `buildEscalation`
in `submitPoWCaptchaSolution` then forwarded `undefined` into
`createSession`, so every post-PoW escalated session was persisted
without the URL context — 100% loss confirmed in prod on 2026-07-09
(384/384 Twickets escalations in a 30-minute window had
`currentUrl: undefined` even though 1786/1786 origin PoW sessions had
it populated).

Add both fields to the projection and extend the regression test that
already guards the buildEscalation contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@forgetso forgetso enabled auto-merge (squash) July 9, 2026 15:55
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@forgetso forgetso merged commit 29b5c6a into main Jul 9, 2026
11 checks passed
@forgetso forgetso deleted the fix/session-projection-currenturl-iframeurl branch July 9, 2026 16:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant