From 133d7b434bbd0e3b0f1cd05ac0df6123190deeca Mon Sep 17 00:00:00 2001
From: Ruslan Bakiev <ruslanbakiev@dsrptlab.com>
Date: Sun, 31 May 2026 18:06:33 +0500
Subject: [PATCH] Accept Flutter sessions for billing

---
 src/auth.ts | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/auth.ts b/src/auth.ts
index fb7afaf..afc1dd6 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -5,6 +5,8 @@ import type { Request } from 'express'
 const LOGTO_JWKS_URL = process.env.LOGTO_JWKS_URL || 'https://auth.optovia.ru/oidc/jwks'
 const LOGTO_ISSUER = process.env.LOGTO_ISSUER || 'https://auth.optovia.ru/oidc'
 const LOGTO_BILLING_AUDIENCE = process.env.LOGTO_BILLING_AUDIENCE || 'https://billing.optovia.ru'
+const TEAMS_USER_GRAPHQL_URL = process.env.TEAMS_USER_GRAPHQL_URL || 'https://teams.optovia.ru/graphql/user/'
+const SESSION_TOKEN_PREFIX = 'optovia-session:'
 
 const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL))
 
@@ -41,6 +43,24 @@ export async function m2mContext(): Promise<AuthContext> {
 
 export async function teamContext(req: Request): Promise<AuthContext> {
   const token = getBearerToken(req)
+  if (token.startsWith(SESSION_TOKEN_PREFIX)) {
+    const response = await fetch(TEAMS_USER_GRAPHQL_URL, {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        authorization: `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        query: `query BillingSessionMe { me { id activeTeamId } }`,
+      }),
+    })
+    const body = await response.json() as { data?: { me?: { id?: string; activeTeamId?: string } } }
+    const me = body.data?.me
+    if (!me?.id || !me.activeTeamId) {
+      throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } })
+    }
+    return { userId: me.id, teamUuid: me.activeTeamId, scopes: ['teams:member'] }
+  }
   const { payload } = await jwtVerify(token, jwks, {
     issuer: LOGTO_ISSUER,
     audience: LOGTO_BILLING_AUDIENCE,