duobao backend — auth (TG one-tap), profile, inbox (read), shipping, TOS, security center, user.registered Kafka producer; notify dispatch delegated to message-service.
Diagram pending re-render after v1.0 scope cleanup. Authoritative details live in docs/ARCH/backend.md section 3.2. Components currently in the codebase:
- /auth/v1/*: POST /auth/v1/tg/login, /auth/v1/refresh, /auth/v1/logout
- /api/v1/user/*: profile, messages, shipping-addr, tos, security/sessions
- /internal/v1/user/*: lookup by uid / batch / status / by-tg-id / shipping-addresses / notify
- ServiceTokenAuthFilter — internal Feign auth
- UserHeaderVerifyFilter — HMAC X-User-Id from gateway
- AuthController, UserProfileController, UserMessageController, ShippingAddressController, TosController, SecurityController, UserInternalController
- LoginOrchestrator — JWT + refresh + security upsert + user.registered publish
- TgLoginStrategy — initData HMAC verify + auto-register
- RefreshTokenService — opaque token rotate + replay detection
- UserProfileSvc, UserLookupSvc, UserMessageSvc, ShippingAddrSvc, TosService
- INotifyService → message-service POST /notify (Inbox + TG push fan-out)
- JwtIssuer (HS256 + jti), JwtRevocationStore (Redis jti blacklist), UidGenerator (8-char SecureRandom), TgInitDataVerifier (HMAC + expiry)
- KafkaUserRegisteredEventPublisher — @ConditionalOnProperty duobao.kafka.enabled=true
- LoggingUserRegisteredEventPublisher — fallback when Kafka disabled
- one_user
- UserInfoMapper → user_info (+ vip_level)
- UserSecurityMapper → user_security
- UserTosAgreementMapper → user_tos_agreement
- RefreshTokenMapper → refresh_token
- UserShippingAddrMapper → user_shipping_address
- flyway_schema_history — single squashed migration V1__init.sql
- one_user
- jwt:revoked:{jti} blacklist
- user.registered producer (consumed by agent-service, wallet-service)
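The "initData HMAC verify" and "HMAC + expiry" checks listed for TgLoginStrategy and TgInitDataVerifier, sketched as an added example that is not duobao's own code. It assumes the verifier follows Telegram's documented Mini App initData validation (bot-token HMAC) and Java 17; the class name InitDataCheck, the bot token and the sample initData are constructed for illustration.

```java
import java.net.URLDecoder;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.HexFormat;
import java.util.TreeMap;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import static java.nio.charset.StandardCharsets.UTF_8;
// Added illustration; InitDataCheck is a hypothetical name, not duobao's TgInitDataVerifier.
public final class InitDataCheck {
    static byte[] hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(UTF_8));
    }
    // Malformed %-escapes throw IllegalArgumentException; callers treat any exception as a failed login.
    static boolean verify(String initData, String botToken, Duration maxAge, Instant now) throws Exception {
        TreeMap<String, String> fields = new TreeMap<>();          // keeps keys sorted
        for (String pair : initData.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 1) return false;                              // malformed pair
            String k = URLDecoder.decode(pair.substring(0, eq), UTF_8);
            if (fields.put(k, URLDecoder.decode(pair.substring(eq + 1), UTF_8)) != null) return false; // duplicate key
        }
        String hash = fields.remove("hash");                       // every other field is covered by the MAC
        String authDate = fields.get("auth_date");
        if (hash == null || authDate == null || !authDate.matches("\\d{1,12}")) return false;
        String dataCheck = fields.entrySet().stream()
                .map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("\n"));
        byte[] secret = hmac("WebAppData".getBytes(UTF_8), botToken);
        String expected = HexFormat.of().formatHex(hmac(secret, dataCheck));
        if (!MessageDigest.isEqual(expected.getBytes(UTF_8), hash.getBytes(UTF_8))) return false;
        Duration age = Duration.between(Instant.ofEpochSecond(Long.parseLong(authDate)), now);
        return !age.isNegative() && age.compareTo(maxAge) <= 0;    // auth_date is trusted only after the MAC check
    }
    public static void main(String[] args) throws Exception {
        String token = "000000:CONSTRUCTED-TEST-TOKEN";            // constructed, not a real bot token
        String dcs = "auth_date=1700000000\nquery_id=AAA\nuser={\"id\":1}";
        String hash = HexFormat.of().formatHex(hmac(hmac("WebAppData".getBytes(UTF_8), token), dcs));
        String initData = "query_id=AAA&user=%7B%22id%22%3A1%7D&auth_date=1700000000&hash=" + hash;
        Instant t0 = Instant.ofEpochSecond(1700000000L);
        Duration ttl = Duration.ofMinutes(5);
        System.out.println(verify(initData, token, ttl, t0.plusSeconds(60)));                         // fresh
        System.out.println(verify(initData.replace("%3A1", "%3A2"), token, ttl, t0.plusSeconds(60))); // tampered user
        System.out.println(verify(initData, token, ttl, t0.plusSeconds(3600)));                       // stale
    }
}
```

Rejecting duplicate keys keeps the verifier and any downstream parser from disagreeing about which value was signed.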