From 147202022ad307b7e01066e8b4164ebf512388b9 Mon Sep 17 00:00:00 2001
From: Ruslan Bakiev
Date: Sun, 31 May 2026 18:06:41 +0500
Subject: [PATCH] Accept Flutter sessions for KYC
---
 src/auth.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/auth.ts b/src/auth.ts
index 000ef39..aac497f 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -4,6 +4,8 @@ import type { Request } from 'express'
 const LOGTO_JWKS_URL = process.env.LOGTO_JWKS_URL || 'https://auth.optovia.ru/oidc/jwks'
 const LOGTO_ISSUER = process.env.LOGTO_ISSUER || 'https://auth.optovia.ru/oidc'
+const TEAMS_USER_GRAPHQL_URL = process.env.TEAMS_USER_GRAPHQL_URL || 'https://teams.optovia.ru/graphql/user/'
+const SESSION_TOKEN_PREFIX = 'optovia-session:'
 const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL))
@@ -38,6 +40,22 @@ export async function userContext(req: Request): Promise {
 if (!token) {
 throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } })
 }
+ if (token.startsWith(SESSION_TOKEN_PREFIX)) {
+ const response = await fetch(TEAMS_USER_GRAPHQL_URL, {
+ method: 'POST',
+ headers: {
+ 'content-type': 'application/json',
+ authorization: `Bearer ${token}`,
+ },
+ body: JSON.stringify({ query: `query KycSessionMe { me { id } }` }),
+ })
+ const body = await response.json() as { data?: { me?: { id?: string } } }
+ const userId = body.data?.me?.id
+ if (!userId) {
+ throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } })
+ }
+ return { userId, scopes: [] }
+ }
 const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER })
 return { userId: payload.sub, scopes: [] }
 }
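Review bot: The session branch never checks `response.ok` and relies on the `as` cast over `response.json()`, so an upstream 5xx or a non-JSON body escapes as an unhandled throw instead of an authentication decision, and a non-string `me.id` (the cast is compile-time only) slips past the `if (!userId)` guard into the context. The fetch also carries no timeout, so a stalled `TEAMS_USER_GRAPHQL_URL` keeps every incoming request open; `signal: AbortSignal.timeout(...)` bounds it. Because this branch makes the teams service the sole authority for any token starting with `optovia-session:`, the bearer token is forwarded verbatim to whatever the env var resolves to, which is worth asserting at startup to be an https URL. The rewritten lines are below; the opening of userContext sits outside the hunk.
```typescript
    const response = await fetch(TEAMS_USER_GRAPHQL_URL, {
      // … unchanged: method, headers, body …
      signal: AbortSignal.timeout(5_000), // TODO(review): pick the budget; a stalled upstream must not pin every request
    })
    if (!response.ok) {
      throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } })
    }
    const body = await response.json() as { data?: { me?: { id?: unknown } } }
    const userId = body.data?.me?.id
    if (typeof userId !== 'string' || userId === '') {
      throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } })
    }
    // … unchanged: return { userId, scopes: [] } …
```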