[AZ-197] Remove hardware ID binding from resource flow

Sealed-Jetson + SaaS architecture eliminates the credential-reuse-across- machines threat that motivated hardware fingerprint binding. The binding's only remaining effect was a real production failure mode on legitimate hardware events. Production: - Drop PUT /users/hardware/set and POST /resources/check. - Simplify POST /resources/get/{dataFolder?} (no Hardware field). - Remove CheckHardwareHash, UpdateHardware, Security.GetHWHash. - GetApiEncryptionKey signature: (email, password) — no hardwareHash. - Drop SetHWRequest DTO and Hardware property from GetResourceRequest. - Remove HardwareIdMismatch (40) and BadHardware (45) ExceptionEnum entries; numeric codes left as a gap, not for reuse. Wire-compat policy: drop entirely (no Loader; no in-flight legacy clients). Stale callers will see 404s, which is the right loud failure. Tombstones: - User.Hardware DB column kept (nullable, unused) — separate cleanup ticket for the migration per workspace "no rename without confirmation". - User.LastLogin is now never written by app code (only writer was inside the deleted CheckHardwareHash); flagged in batch_06_review for a future ticket. Tests: - Delete e2e HardwareBindingTests (165 lines) and Azaion.Test UserServiceTest (sole test was CheckHardwareHashTest). - Drop Hardware payloads + /resources/check preconditions from e2e ResourceTests, SecurityTests, ResilienceTests; drop hardwareId arg from Azaion.Test SecurityTest. - Add SecurityTests.Hardware_endpoints_are_removed_AZ_197 (AC-2 regression asserting both removed routes return 404). Docs: - architecture.md: System Context note, ADR-003 new key formula, ADR-004 retired with rationale. - diagrams/flows/flow_hardware_check.md: tombstoned. Also archives the four batch-1+batch-2 task files into _docs/02_tasks/done/ (file moves were missed by the batch_05 commit). Code review: PASS — see _docs/03_implementation/reviews/batch_06_review.md. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 10:31:09 +00:00 · 2026-05-13 04:46:39 +03:00
parent 5ca9ccab2c
commit 5e90512987
22 changed files with 359 additions and 490 deletions
@@ -18,8 +18,6 @@ public sealed class ResourceTests
    };

    private const string TestUserPassword = "TestPass1234";
-    private const string SampleHardware =
-        "CPU: TestCPU. GPU: TestGPU. Memory: 16384. DriveSerial: TESTDRIVE001.";

    private sealed record ErrorResponse(int ErrorCode, string Message);

@@ -82,14 +80,10 @@ public sealed class ResourceTests
            using var loginClient = _fixture.CreateApiClient();
            var userToken = await loginClient.LoginAsync(email, TestUserPassword);
            using var userClient = _fixture.CreateAuthenticatedClient(userToken);
-            using (var bind = await userClient.PostAsync("/resources/check", new { Hardware = SampleHardware }))
-            {
-                bind.EnsureSuccessStatusCode();
-            }

            // Act
            using var response = await userClient.PostAsync($"/resources/get/{folder}",
-                new { Password = TestUserPassword, Hardware = SampleHardware, FileName = fileName });
+                new { Password = TestUserPassword, FileName = fileName });

            // Assert
            response.StatusCode.Should().Be(HttpStatusCode.OK);
@@ -120,7 +114,6 @@ public sealed class ResourceTests
        const string fileName = "roundtrip.bin";
        var original = Enumerable.Range(0, 128).Select(i => (byte)i).ToArray();
        const string password = "RoundTrip123";
-        const string hardware = "RT-HW-CPU-001-GPU-002";
        string? email = null;

        try
@@ -144,17 +137,13 @@ public sealed class ResourceTests
            using var loginClient = _fixture.CreateApiClient();
            var userToken = await loginClient.LoginAsync(email, password);
            using var userClient = _fixture.CreateAuthenticatedClient(userToken);
-            using (var bind = await userClient.PostAsync("/resources/check", new { Hardware = hardware }))
-            {
-                bind.EnsureSuccessStatusCode();
-            }

            // Act
            using var download = await userClient.PostAsync($"/resources/get/{folder}",
-                new { Password = password, Hardware = hardware, FileName = fileName });
+                new { Password = password, FileName = fileName });
            download.EnsureSuccessStatusCode();
            var encrypted = await download.Content.ReadAsByteArrayAsync();
-            var decrypted = DecryptResourcePayload(encrypted, email!, password, hardware);
+            var decrypted = DecryptResourcePayload(encrypted, email!, password);

            // Assert
            decrypted.Should().Equal(original);
@@ -194,12 +183,10 @@ public sealed class ResourceTests
        }
    }

-    private static byte[] DecryptResourcePayload(byte[] encrypted, string email, string password, string hardware)
+    private static byte[] DecryptResourcePayload(byte[] encrypted, string email, string password)
    {
-        var hwHash = Convert.ToBase64String(SHA384.HashData(
-            Encoding.UTF8.GetBytes($"Azaion_{hardware}_%$$$)0_")));
        var apiKey = Convert.ToBase64String(SHA384.HashData(
-            Encoding.UTF8.GetBytes($"{email}-{password}-{hwHash}-#%@AzaionKey@%#---")));
+            Encoding.UTF8.GetBytes($"{email}-{password}-#%@AzaionKey@%#---")));
        var aesKey = SHA256.HashData(Encoding.UTF8.GetBytes(apiKey));

        if (encrypted.Length <= 16)