Simplify anonymous request handling by removing explicit 'anonymous' string

- Replace explicit 'anonymous' string with empty string for anonymous requests
- Simplify checks: use empty string check instead of checking for 'anonymous'
- Update LinkService to treat empty userID as anonymous (handle GetUserID errors gracefully)
- Update ADR-42 documentation to reflect simplified approach
- Remove magic string 'anonymous' from codebase

This simplification makes the code cleaner and more intuitive:
empty user-id means anonymous request, no need for explicit string.

Author: batazor

boundaries/link/internal/usecases/link/get.go

@@ -27,13 +27,13 @@ func (uc *UC) Get(ctx context.Context, hash string) (*domain.Link, error) {
 		SAGA_STEP_CHECK_ACCESS   = "SAGA_STEP_CHECK_ACCESS"
 	)
 
+	// Get user ID from session metadata (may be empty for anonymous requests)
+	// If metadata is missing or empty, userID will be empty string (treated as anonymous)
 	userID, err := session.GetUserID(ctx)
 	if err != nil {
-		uc.log.ErrorWithContext(ctx, "failed to get user ID from session",
-			slog.String("error", err.Error()),
-		)
-
-		return nil, err
+		// If GetUserID returns error (metadata missing), treat as anonymous request
+		// This is normal for unauthenticated users accessing public links
+		userID = ""
 	}
 
 	var resp *domain.Link
@@ -75,11 +75,11 @@ func (uc *UC) Get(ctx context.Context, hash string) (*domain.Link, error) {
 
 				// For private links: check via allowlist
 				// According to ADR-42:
-				// - If user_id == "anonymous" → ErrPermissionDenied
+				// - If user_id is empty (anonymous request) → ErrPermissionDenied
 				// - Get email from Kratos Admin API
 				// - Check email against allowlist using link.CanBeViewedByEmail(email)
 
-				if userID == "" || userID == "anonymous" {
+				if userID == "" {
 					return domain.ErrPermissionDenied(nil)
 				}
 

boundaries/proxy/src/domain/repositories/ILinkRepository.ts

@@ -9,7 +9,7 @@ export interface ILinkRepository {
   /**
    * Находит ссылку по хешу
    * @param hash - хеш ссылки
-   * @param userId - optional user_id from Kratos session, or "anonymous" if not authenticated
+   * @param userId - optional user_id from Kratos session, undefined if not authenticated (treated as anonymous)
    * @returns Promise с доменной сущностью Link
    * @throws LinkNotFoundError если ссылка не найдена или доступ запрещен
    */

boundaries/proxy/src/infrastructure/adapters/ILinkServiceAdapter.ts

@@ -10,7 +10,7 @@ export interface ILinkServiceAdapter {
    * Получает ссылку по хешу из внешнего сервиса
    *
    * @param hash - хеш ссылки
-   * @param userId - optional user_id from Kratos session, or "anonymous" if not authenticated
+   * @param userId - optional user_id from Kratos session, undefined if not authenticated (treated as anonymous)
    * @returns Promise с доменной сущностью Link
    * @throws LinkNotFoundError если ссылка не найдена или доступ запрещен
    */

boundaries/proxy/src/infrastructure/adapters/LinkServiceConnectAdapter.ts

@@ -114,10 +114,10 @@ export class LinkServiceConnectAdapter implements ILinkServiceAdapter {
       signal: AbortSignal.timeout(this.externalServicesConfig.requestTimeout),
     };
 
-    // Link Service expects "user-id" in metadata (session_interceptor checks for it)
-    // Always set header - if userId provided, use it; otherwise pass "anonymous"
-    // SessionInterceptor will use serviceUserId as fallback if header is missing
-    const userIdValue = userId && userId !== "anonymous" ? userId : "anonymous";
+    // Link Service expects "user-id" in metadata
+    // If userId is not provided (anonymous request), pass empty string (treated as anonymous by LinkService)
+    // If header is not set at all, SessionInterceptor would set serviceUserId fallback (which we don't want for anonymous requests)
+    const userIdValue = userId || "";
     options.header = {
       "user-id": userIdValue,
     };

boundaries/proxy/src/infrastructure/adapters/connect/interceptors/SessionInterceptor.ts

@@ -8,10 +8,11 @@ const USER_ID_HEADER = "user-id";
  * Link Service uses this to check private link access via Kratos Admin API.
  *
  * This interceptor sets a default value (serviceUserId) if user-id is not already set
- * in the request headers. The actual userId from Kratos session is set via callOptions.header
+ * in the request headers. This is a fallback for service-to-service calls.
+ * The actual userId from Kratos session (or empty string for anonymous) is set via callOptions.header
  * in LinkServiceConnectAdapter.getLinkByHash().
  *
- * @param serviceUserId - stable identifier for proxy service account (fallback).
+ * @param serviceUserId - stable identifier for proxy service account (fallback for service-to-service calls).
  */
 export function createSessionInterceptor(serviceUserId: string): Interceptor {
   if (!serviceUserId || !serviceUserId.trim()) {

boundaries/proxy/src/infrastructure/http/fastify/controllers/ProxyController.ts

@@ -35,11 +35,11 @@ export class ProxyController {
       const hash = new Hash(request.params.hash);
 
       // Extract Kratos session to get user_id for private link access
-      // According to ADR 42: if no valid session, pass "anonymous"
+      // If no valid session, userId will be undefined (empty string will be passed to LinkService, treated as anonymous)
       const session = await this.kratosSessionExtractor.extractSession(request);
       const userId = session.isAuthenticated && session.userId
         ? session.userId
-        : "anonymous";
+        : undefined;
 
       // Call application service with user_id
       const result = await this.linkApplicationService.handleRedirect({

boundaries/proxy/src/infrastructure/repositories/LinkServiceRepository.ts

@@ -35,10 +35,10 @@ export class LinkServiceRepository implements ILinkRepository {
 
   async findByHash(hash: Hash, userId?: string | null): Promise<Link> {
     // Note: Cache doesn't consider userId, so private links might be cached incorrectly
-    // For now, we skip cache when userId is provided and not "anonymous" (private link access)
+    // For now, we skip cache when userId is provided (private link access)
     // TODO: Consider cache key that includes userId for private links
 
-    if (userId && userId !== "anonymous") {
+    if (userId) {
       // For private links, skip cache and go directly to adapter
       this.logger.debug("Cache bypass - fetching private link from adapter", {
         hash: hash.value,

docs/ADR/decisions/0042-link-privacy-control.md

@@ -70,10 +70,10 @@ func (l *Link) CanBeViewedByEmail(email string) bool {
 
 - Reads Kratos session
 - Extracts `user_id` from that session
-- **If Kratos responds 401 (no valid session) Proxy sends `user_id = "anonymous"` to LinkService**
-- Passes `user_id` via gRPC metadata `x-user-id: <kratos_user_id | anonymous>`
+- **If no valid session, Proxy sends empty string (`""`) for `user_id` to LinkService**
+- Passes `user_id` via gRPC metadata `x-user-id: <kratos_user_id | "">`
 
-This removes ambiguity: LinkService can distinguish “Kratos error / user missing” from “user is anonymous”.
+LinkService treats empty `user_id` as anonymous request (no need to distinguish different cases - empty means anonymous).
 
 Proxy never makes privacy decisions.
 
@@ -84,7 +84,7 @@ Proxy never makes privacy decisions.
 1. Fetch the link from DB
 2. If `allowed_emails != []`:
    - the link is private
-   - if `user_id == "anonymous"` → immediately return `ErrPermissionDenied` (skip Kratos)
+   - if `user_id == ""` (empty, anonymous request) → immediately return `ErrPermissionDenied` (skip Kratos)
    - otherwise call the **Kratos Admin API** (`GET /admin/identities/{user_id}`) to load the email
    - read `identity.traits.email`
    - check the allowlist
@@ -101,7 +101,7 @@ Proxy never makes privacy decisions.
 - JSON decoding failures
 - Missing `traits.email` in the identity
 - Email not on the allowlist
-- `user_id == "anonymous"`
+- `user_id == ""` (empty, anonymous request)
 
 Therefore external observers cannot distinguish between:
 
@@ -176,7 +176,7 @@ alt KratosPublic returns 200 (valid session)
     Proxy -> LS: GetLink(hash)\nmetadata: x-user-id=user_id
 else KratosPublic returns 401 (no session)
     KratosPublic --> Proxy: 401 Unauthorized
-    Proxy -> LS: GetLink(hash)\nmetadata: x-user-id=anonymous
+    Proxy -> LS: GetLink(hash)\nmetadata: x-user-id="" (empty, anonymous)
 end
 
 LS -> DB: SELECT * FROM links WHERE hash = ?