feat: use same issuer for monthly and annual products #2654

Merged (5 commits) on Sep 12, 2024

pavelbrm (Contributor) commented Sep 11, 2024

Summary

This PR changes the way SKU values are used when interacting with CBP in such a way as to make sure that each Premium product pair (monthly and annual) uses the same issuer.

Currently, Premium products have SKU values in the format of brave-[name]-premium. Annual products will temporarily have SKUs like brave-[name]-premium-year. Although eventually variants of the same product will use the same SKU, until that happens we need a way to make sure the same issuer is used for signing and verifying credentials.

This is accomplished by trimming the -year suffix from SKU values in places where they are sent to CBP.

Additionally, this PR offers some refactoring and improvements to the verify credential endpoints.

Type of Change

  • Product feature
  • Bug fix
  • Performance improvement
  • Refactor
  • Other

Tested Environments

  • Development
  • Staging
  • Production

Before Requesting Review

  • Does your code build cleanly without any errors or warnings?
  • Have you used auto closing keywords?
  • Have you added tests for new functionality?
  • Have validated query efficiency for new database queries?
  • Have documented new functionality in README or in comments?
  • Have you squashed all intermediate commits?
  • Is there a clear title that explains what the PR does?
  • Have you used intuitive function, variable and other naming?
  • Have you requested security and/or privacy review if needed
  • Have you performed a self review of this PR?

Manual Test Plan

@pavelbrm pavelbrm self-assigned this Sep 11, 2024
@pavelbrm pavelbrm requested a review from clD11 September 11, 2024 09:58
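
The normalization outlined in the PR description, sketched as an added example (not code from this PR or from bat-go). The helper names, the issuer key format, the merchant value and the sample SKUs are assumptions; only the brave-[name]-premium and -year shapes come from the description. Trimming is restricted to SKUs of that shape so other products keep their own issuer.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// annualPremium matches only the temporary annual shape from the PR text,
// brave-[name]-premium-year. The allowed characters in [name] are assumed.
var annualPremium = regexp.MustCompile(`^brave-[a-z0-9]+(-[a-z0-9]+)*-premium-year$`)

// skuForIssuer (hypothetical helper) maps an annual Premium SKU to its monthly
// form. Every other SKU is returned unchanged, so a non-Premium product that
// happens to end in -year is never folded into another product's issuer.
func skuForIssuer(sku string) string {
	if annualPremium.MatchString(sku) {
		return strings.TrimSuffix(sku, "-year")
	}
	return sku
}

// issuerID is a stand-in for the service's real issuer naming, which the page
// does not show: merchant and normalized SKU joined into one lookup key.
func issuerID(merchantID, sku string) string {
	return merchantID + "|" + skuForIssuer(sku)
}

// sameIssuer reports whether credentials issued for one SKU would be
// verified against the issuer used for the other.
func sameIssuer(merchantID, skuA, skuB string) bool {
	return issuerID(merchantID, skuA) == issuerID(merchantID, skuB)
}

func main() {
	// Constructed SKUs following the formats quoted in the PR description.
	for _, sku := range []string{
		"brave-example-premium",
		"brave-example-premium-year",
		"brave-example-gift-year",
	} {
		fmt.Printf("%-28s -> %s\n", sku, issuerID("merchant.example", sku))
	}
}
```
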
services/skus/controllers.go (outdated, resolved)
services/skus/controllers_noint_test.go (resolved)
given: []byte(`{"sku":"sku","merchantId":"merchantId"}`),
exp: tcExpected{
errFn: func(tt must.TestingT, err error, i ...interface{}) {
must.Equal(tt, true, err != nil)
Contributor:
Same as above, would using must.NotNil(tt, err) not be more concise?

Contributor Author:
Same reasoning as here.

},
},
errFn: func(tt must.TestingT, err error, i ...interface{}) {
must.Equal(tt, true, err == nil)
Contributor:
question: would using must.Nil(tt, err) be more concise?

Contributor Author:
Same reasoning as here.

services/skus/controllers_noint_test.go (outdated, resolved)
services/skus/controllers.go (outdated, resolved)
@github-actions github-actions bot deleted a comment from pavelbrm Sep 12, 2024
@pavelbrm pavelbrm requested a review from clD11 September 12, 2024 06:45
clD11 (Contributor) commented Sep 12, 2024

Now the blocking comment and conflicts have been resolved, happy to approve.

Left a few non-blocking responses to your comments.

[puLL-Merge] - brave-intl/bat-go@2654

Description

This PR refactors the credential verification process in the SKUs service, improving code organization, error handling, and type safety. It also introduces new validation and parsing functions for credential requests.

Changes

  1. services/skus/controllers.go:
    • Renamed and refactored VerifyCredentialV1 and VerifyCredentialV2 to handleVerifyCredV1 and handleVerifyCredV2.
    • Introduced a validator instance for request validation.
    • Improved error handling and logging.
    • Added new functions parseVerifyCredRequestV2, parseVerifyCredOpaque, and validateVerifyCredRequestV2.

  2. services/skus/controllers_noint_test.go:
    • Added new tests for parseVerifyCredRequestV2 and validateVerifyCredRequestV2.

  3. services/skus/credentials.go and services/skus/credentials_test.go:
    • Updated CreateIssuer, CreateIssuerV3, and CreateOrderItemCredentials to use item.SKUForIssuer() instead of item.SKU.

  4. services/skus/input.go:
    • Removed this file, moving its contents to services/skus/model/model.go.

  5. services/skus/model/model.go:
    • Added new types VerifyCredentialRequestV1, VerifyCredentialRequestV2, and VerifyCredentialOpaque.
    • Implemented methods for these types to satisfy the credential interface.
    • Added a fixPremiumSKUForIssuer function to handle SKU normalization.

  6. services/skus/model/model_test.go:
    • Added tests for new types and methods.

  7. services/skus/service.go:
    • Updated the credential interface and verifyCredential method to use the new types.

Possible Issues

  1. The change in SKU handling (trimming "-year" suffix) might affect existing data or integrations that rely on the full SKU string.

Security Hotspots

  1. The parseVerifyCredOpaque function decodes base64 data and unmarshals it into a struct. Ensure that the input is properly validated and sanitized to prevent potential injection attacks or buffer overflows.

  2. The handleVerifyCredV1 and handleVerifyCredV2 functions now use io.LimitReader to limit the request body size, which is a good security practice. However, ensure that the reqBodyLimit10MB constant is appropriately set to prevent potential DoS attacks.

Overall, this PR appears to improve the code structure and type safety of the credential verification process. The changes seem well-tested and follow good coding practices. The main points to consider are the potential impact of the SKU normalization change and ensuring proper input validation throughout the new parsing and validation functions.
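
An added Go example (not the PR's code) for the two hotspots listed in the comment above: rejecting an oversized body instead of truncating it, and strict base64 and JSON decoding of an opaque credential. The function names, the opaque struct's fields and the limits passed in are assumptions.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

var errTooLarge = errors.New("body exceeds limit")

// readLimited reads limit+1 bytes so an oversized body is an error, not a silent truncation.
func readLimited(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errTooLarge
	}
	return b, nil
}

// opaque is a hypothetical credential shape; the field names are assumptions.
type opaque struct {
	SKU          string `json:"sku"`
	Presentation string `json:"presentation"`
}

// parseOpaque decodes base64 then JSON, refusing non-canonical padding, unknown fields and empty values.
func parseOpaque(b64 string) (*opaque, error) {
	raw, err := base64.StdEncoding.Strict().DecodeString(b64)
	if err != nil {
		return nil, err
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	op := &opaque{}
	if err := dec.Decode(op); err != nil {
		return nil, err
	}
	if op.SKU == "" || op.Presentation == "" {
		return nil, errors.New("opaque: missing sku or presentation")
	}
	return op, nil
}

func main() { fmt.Println(parseOpaque("e30=")) } // "e30=" is base64 for {}
```
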

@pavelbrm pavelbrm merged commit 35f7182 into master Sep 12, 2024
12 checks passed
@pavelbrm pavelbrm deleted the use-one-issuer-per-product branch September 12, 2024 13:20