optovia/orders
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Use Logto manager claims for orders
Some checks failed
Build Docker Image / build (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Ruslan Bakiev
2026-05-31 22:26:58 +05:00
parent 6719e9faf7
commit e5cbb8855d
1 changed files with 77 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
src/auth.ts
View File

@@ -1,99 +1,123 @@
import { createRemoteJWKSet, jwtVerify, type JWTPayload } from 'jose' import { createRemoteJWKSet, jwtVerify, type JWTPayload } from "jose";
import { GraphQLError } from 'graphql' import { GraphQLError } from "graphql";
import type { Request } from 'express' import type { Request } from "express";
const LOGTO_JWKS_URL = process.env.LOGTO_JWKS_URL || 'https://auth.optovia.ru/oidc/jwks' const LOGTO_JWKS_URL =
const LOGTO_ISSUER = process.env.LOGTO_ISSUER || 'https://auth.optovia.ru/oidc' process.env.LOGTO_JWKS_URL || "https://auth.optovia.ru/oidc/jwks";
const LOGTO_ORDERS_AUDIENCE = process.env.LOGTO_ORDERS_AUDIENCE || 'https://orders.optovia.ru' const LOGTO_ISSUER = process.env.LOGTO_ISSUER || "https://auth.optovia.ru/oidc";
const APP_JWT_ISSUER = 'optovia:teams' const LOGTO_ORDERS_AUDIENCE =
process.env.LOGTO_ORDERS_AUDIENCE || "https://orders.optovia.ru";
const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL)) const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL));
export interface AuthContext { export interface AuthContext {
userId?: string userId?: string;
teamUuid?: string teamUuid?: string;
scopes: string[] scopes: string[];
} }
function getBearerToken(req: Request): string { function getBearerToken(req: Request): string {
const auth = req.headers.authorization || '' const auth = req.headers.authorization || "";
if (!auth.startsWith('Bearer ')) { if (!auth.startsWith("Bearer ")) {
throw new GraphQLError('Missing Bearer token', { extensions: { code: 'UNAUTHENTICATED' } }) throw new GraphQLError("Missing Bearer token", {
extensions: { code: "UNAUTHENTICATED" },
});
} }
const token = auth.slice(7) const token = auth.slice(7);
if (!token || token === 'undefined') { if (!token || token === "undefined") {
throw new GraphQLError('Empty Bearer token', { extensions: { code: 'UNAUTHENTICATED' } }) throw new GraphQLError("Empty Bearer token", {
extensions: { code: "UNAUTHENTICATED" },
});
} }
return token return token;
} }
function scopesFromPayload(payload: JWTPayload): string[] { function scopesFromPayload(payload: JWTPayload): string[] {
const scope = payload.scope const scope = payload.scope;
if (!scope) return [] if (!scope) return [];
if (typeof scope === 'string') return scope.split(' ') if (typeof scope === "string") return scope.split(" ");
if (Array.isArray(scope)) return scope as string[] if (Array.isArray(scope)) return scope as string[];
return [] return [];
}
function claimList(payload: JWTPayload, key: string): string[] {
const value = (payload as Record<string, unknown>)[key];
if (typeof value === "string") return value.split(" ");
if (Array.isArray(value))
return value.filter((item): item is string => typeof item === "string");
return [];
}
function hasManagerClaim(payload: JWTPayload): boolean {
const scopes = scopesFromPayload(payload);
return (
scopes.includes("manager") ||
claimList(payload, "roles").includes("manager") ||
claimList(payload, "permissions").includes("manager")
);
} }
export async function publicContext(): Promise<AuthContext> { export async function publicContext(): Promise<AuthContext> {
return { scopes: [] } return { scopes: [] };
} }
export async function userContext(req: Request): Promise<AuthContext> { export async function userContext(req: Request): Promise<AuthContext> {
const token = getBearerToken(req) const token = getBearerToken(req);
const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER }) const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER });
return { return {
userId: payload.sub, userId: payload.sub,
scopes: scopesFromPayload(payload), scopes: scopesFromPayload(payload),
} };
} }
export async function teamContext(req: Request): Promise<AuthContext> { export async function teamContext(req: Request): Promise<AuthContext> {
const token = getBearerToken(req) const token = getBearerToken(req);
const { payload } = await jwtVerify(token, jwks, { const { payload } = await jwtVerify(token, jwks, {
issuer: LOGTO_ISSUER, issuer: LOGTO_ISSUER,
audience: LOGTO_ORDERS_AUDIENCE, audience: LOGTO_ORDERS_AUDIENCE,
}) });
const teamUuid = (payload as Record<string, unknown>).team_uuid as string | undefined const teamUuid = (payload as Record<string, unknown>).team_uuid as
const scopes = scopesFromPayload(payload) | string
| undefined;
const scopes = scopesFromPayload(payload);
if (!teamUuid || !scopes.includes('teams:member')) { if (!teamUuid || !scopes.includes("teams:member")) {
throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } }) throw new GraphQLError("Unauthorized", {
extensions: { code: "UNAUTHENTICATED" },
});
} }
return { return {
userId: payload.sub, userId: payload.sub,
teamUuid, teamUuid,
scopes, scopes,
} };
}
function appJwtSecret(): Uint8Array {
const secret = process.env.APP_JWT_SECRET
if (!secret) throw new GraphQLError('APP_JWT_SECRET is required', { extensions: { code: 'INTERNAL_SERVER_ERROR' } })
return new TextEncoder().encode(secret)
} }
export async function managerContext(req: Request): Promise<AuthContext> { export async function managerContext(req: Request): Promise<AuthContext> {
const token = getBearerToken(req) const token = getBearerToken(req);
const { payload } = await jwtVerify(token, appJwtSecret(), { const { payload } = await jwtVerify(token, jwks, {
issuer: APP_JWT_ISSUER, issuer: LOGTO_ISSUER,
audience: LOGTO_ORDERS_AUDIENCE, audience: LOGTO_ORDERS_AUDIENCE,
}) });
const scopes = scopesFromPayload(payload) const scopes = scopesFromPayload(payload);
const teamUuid = (payload as Record<string, unknown>).team_uuid as string | undefined const teamUuid = (payload as Record<string, unknown>).team_uuid as
if (!payload.sub || !scopes.includes('manager') || !teamUuid) { | string
throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } }) | undefined;
if (!payload.sub || !hasManagerClaim(payload) || !teamUuid) {
throw new GraphQLError("Unauthorized", {
extensions: { code: "UNAUTHENTICATED" },
});
} }
return { userId: payload.sub, teamUuid, scopes: ['teams:member', 'manager'] } return { userId: payload.sub, teamUuid, scopes: ["teams:member", "manager"] };
} }
export function requireScopes(ctx: AuthContext, ...required: string[]): void { export function requireScopes(ctx: AuthContext, ...required: string[]): void {
const missing = required.filter(s => !ctx.scopes.includes(s)) const missing = required.filter((s) => !ctx.scopes.includes(s));
if (missing.length > 0) { if (missing.length > 0) {
throw new GraphQLError(`Missing required scopes: ${missing.join(', ')}`, { throw new GraphQLError(`Missing required scopes: ${missing.join(", ")}`, {
extensions: { code: 'FORBIDDEN' }, extensions: { code: "FORBIDDEN" },
}) });
} }
} }