Use Logto manager claims for orders

Authorize manager orders by app JWT scope
Add manager orders endpoint
2026-05-31 22:26:58 +05:00 · 2026-05-31 22:01:00 +05:00 · 2026-05-31 21:52:48 +05:00
2 changed files with 97 additions and 38 deletions
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -1,78 +1,123 @@
-import { createRemoteJWKSet, jwtVerify, type JWTPayload } from 'jose'
-import { GraphQLError } from 'graphql'
-import type { Request } from 'express'
+import { createRemoteJWKSet, jwtVerify, type JWTPayload } from "jose";
+import { GraphQLError } from "graphql";
+import type { Request } from "express";

-const LOGTO_JWKS_URL = process.env.LOGTO_JWKS_URL || 'https://auth.optovia.ru/oidc/jwks'
-const LOGTO_ISSUER = process.env.LOGTO_ISSUER || 'https://auth.optovia.ru/oidc'
-const LOGTO_ORDERS_AUDIENCE = process.env.LOGTO_ORDERS_AUDIENCE || 'https://orders.optovia.ru'
+const LOGTO_JWKS_URL =
+  process.env.LOGTO_JWKS_URL || "https://auth.optovia.ru/oidc/jwks";
+const LOGTO_ISSUER = process.env.LOGTO_ISSUER || "https://auth.optovia.ru/oidc";
+const LOGTO_ORDERS_AUDIENCE =
+  process.env.LOGTO_ORDERS_AUDIENCE || "https://orders.optovia.ru";

-const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL))
+const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL));

 export interface AuthContext {
-  userId?: string
-  teamUuid?: string
-  scopes: string[]
+  userId?: string;
+  teamUuid?: string;
+  scopes: string[];
 }

 function getBearerToken(req: Request): string {
-  const auth = req.headers.authorization || ''
-  if (!auth.startsWith('Bearer ')) {
-    throw new GraphQLError('Missing Bearer token', { extensions: { code: 'UNAUTHENTICATED' } })
+  const auth = req.headers.authorization || "";
+  if (!auth.startsWith("Bearer ")) {
+    throw new GraphQLError("Missing Bearer token", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
  }
-  const token = auth.slice(7)
-  if (!token || token === 'undefined') {
-    throw new GraphQLError('Empty Bearer token', { extensions: { code: 'UNAUTHENTICATED' } })
+  const token = auth.slice(7);
+  if (!token || token === "undefined") {
+    throw new GraphQLError("Empty Bearer token", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
  }
-  return token
+  return token;
 }

 function scopesFromPayload(payload: JWTPayload): string[] {
-  const scope = payload.scope
-  if (!scope) return []
-  if (typeof scope === 'string') return scope.split(' ')
-  if (Array.isArray(scope)) return scope as string[]
-  return []
+  const scope = payload.scope;
+  if (!scope) return [];
+  if (typeof scope === "string") return scope.split(" ");
+  if (Array.isArray(scope)) return scope as string[];
+  return [];
+}
+
+function claimList(payload: JWTPayload, key: string): string[] {
+  const value = (payload as Record<string, unknown>)[key];
+  if (typeof value === "string") return value.split(" ");
+  if (Array.isArray(value))
+    return value.filter((item): item is string => typeof item === "string");
+  return [];
+}
+
+function hasManagerClaim(payload: JWTPayload): boolean {
+  const scopes = scopesFromPayload(payload);
+  return (
+    scopes.includes("manager") ||
+    claimList(payload, "roles").includes("manager") ||
+    claimList(payload, "permissions").includes("manager")
+  );
 }

 export async function publicContext(): Promise<AuthContext> {
-  return { scopes: [] }
+  return { scopes: [] };
 }

 export async function userContext(req: Request): Promise<AuthContext> {
-  const token = getBearerToken(req)
-  const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER })
+  const token = getBearerToken(req);
+  const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER });
  return {
    userId: payload.sub,
    scopes: scopesFromPayload(payload),
-  }
+  };
 }

 export async function teamContext(req: Request): Promise<AuthContext> {
-  const token = getBearerToken(req)
+  const token = getBearerToken(req);
  const { payload } = await jwtVerify(token, jwks, {
    issuer: LOGTO_ISSUER,
    audience: LOGTO_ORDERS_AUDIENCE,
-  })
+  });

-  const teamUuid = (payload as Record<string, unknown>).team_uuid as string | undefined
-  const scopes = scopesFromPayload(payload)
+  const teamUuid = (payload as Record<string, unknown>).team_uuid as
+    | string
+    | undefined;
+  const scopes = scopesFromPayload(payload);

-  if (!teamUuid || !scopes.includes('teams:member')) {
-    throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } })
+  if (!teamUuid || !scopes.includes("teams:member")) {
+    throw new GraphQLError("Unauthorized", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
  }

  return {
    userId: payload.sub,
    teamUuid,
    scopes,
+  };
+}
+
+export async function managerContext(req: Request): Promise<AuthContext> {
+  const token = getBearerToken(req);
+  const { payload } = await jwtVerify(token, jwks, {
+    issuer: LOGTO_ISSUER,
+    audience: LOGTO_ORDERS_AUDIENCE,
+  });
+  const scopes = scopesFromPayload(payload);
+  const teamUuid = (payload as Record<string, unknown>).team_uuid as
+    | string
+    | undefined;
+  if (!payload.sub || !hasManagerClaim(payload) || !teamUuid) {
+    throw new GraphQLError("Unauthorized", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
  }
+  return { userId: payload.sub, teamUuid, scopes: ["teams:member", "manager"] };
 }

 export function requireScopes(ctx: AuthContext, ...required: string[]): void {
-  const missing = required.filter(s => !ctx.scopes.includes(s))
+  const missing = required.filter((s) => !ctx.scopes.includes(s));
  if (missing.length > 0) {
-    throw new GraphQLError(`Missing required scopes: ${missing.join(', ')}`, {
-      extensions: { code: 'FORBIDDEN' },
-    })
+    throw new GraphQLError(`Missing required scopes: ${missing.join(", ")}`, {
+      extensions: { code: "FORBIDDEN" },
+    });
  }
 }
--- a/src/index.ts
+++ b/src/index.ts
@@ -6,7 +6,7 @@ import * as Sentry from '@sentry/node'
 import { publicTypeDefs, publicResolvers } from './schemas/public.js'
 import { userTypeDefs, userResolvers } from './schemas/user.js'
 import { teamTypeDefs, teamResolvers } from './schemas/team.js'
-import { publicContext, userContext, teamContext, type AuthContext } from './auth.js'
+import { publicContext, userContext, teamContext, managerContext, type AuthContext } from './auth.js'

 const PORT = parseInt(process.env.PORT || '8000', 10)
 const SENTRY_DSN = process.env.SENTRY_DSN || ''
@@ -41,8 +41,13 @@ const teamServer = new ApolloServer<AuthContext>({
  resolvers: teamResolvers,
  introspection: true,
 })
+const managerServer = new ApolloServer<AuthContext>({
+  typeDefs: teamTypeDefs,
+  resolvers: teamResolvers,
+  introspection: true,
+})

-await Promise.all([publicServer.start(), userServer.start(), teamServer.start()])
+await Promise.all([publicServer.start(), userServer.start(), teamServer.start(), managerServer.start()])

 app.use(
  '/graphql/public',
@@ -74,6 +79,14 @@ app.use(
  }) as unknown as express.RequestHandler,
 )

+app.use(
+  '/graphql/manager',
+  express.json(),
+  expressMiddleware(managerServer, {
+    context: async ({ req }) => managerContext(req as unknown as import('express').Request),
+  }) as unknown as express.RequestHandler,
+)
+
 app.get('/health', (_, res) => {
  res.json({ status: 'ok' })
 })
@@ -83,4 +96,5 @@ app.listen(PORT, '0.0.0.0', () => {
  console.log(`  /graphql/public  - public`)
  console.log(`  /graphql/user    - id token auth`)
  console.log(`  /graphql/team    - team access token auth`)
+  console.log(`  /graphql/manager - manager JWT auth`)
 })
Author	SHA1	Message	Date
Ruslan Bakiev	e5cbb8855d	Use Logto manager claims for orders Some checks failed Build Docker Image / build (push) Has been cancelled Details	2026-05-31 22:26:58 +05:00
Ruslan Bakiev	6719e9faf7	Authorize manager orders by app JWT scope	2026-05-31 22:01:00 +05:00
Ruslan Bakiev	3392bedc80	Add manager orders endpoint	2026-05-31 21:52:48 +05:00