Use Fastify Mercurius and GraphQL contracts

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "graphql-contracts"]
+	path = graphql-contracts
+	url = git@gitea.dsrptlab.com:optovia/orders-graphql-contracts.git

package.json

@@ -9,18 +9,16 @@
     "start": "prisma migrate deploy && node dist/index.js"
   },
   "dependencies": {
-    "@apollo/server": "^4.11.3",
+    "@fastify/cors": "^11.2.0",
     "@prisma/client": "^6.5.0",
-    "cors": "^2.8.5",
-    "express": "^4.21.2",
+    "@sentry/node": "^9.5.0",
+    "fastify": "^5.8.5",
     "graphql": "^16.10.0",
     "graphql-tag": "^2.12.6",
     "jose": "^6.0.11",
-    "@sentry/node": "^9.5.0"
+    "mercurius": "^16.9.0"
   },
   "devDependencies": {
-    "@types/cors": "^2.8.17",
-    "@types/express": "^5.0.0",
     "@types/node": "^22.13.0",
     "prisma": "^6.5.0",
     "tsx": "^4.19.0",

src/auth.ts

@@ -1,78 +1,125 @@
-import { createRemoteJWKSet, jwtVerify, type JWTPayload } from 'jose'
-import { GraphQLError } from 'graphql'
-import type { Request } from 'express'
+import { createRemoteJWKSet, jwtVerify, type JWTPayload } from "jose";
+import { GraphQLError } from "graphql";
+import type { FastifyRequest } from "fastify";
 
-const LOGTO_JWKS_URL = process.env.LOGTO_JWKS_URL || 'https://auth.optovia.ru/oidc/jwks'
-const LOGTO_ISSUER = process.env.LOGTO_ISSUER || 'https://auth.optovia.ru/oidc'
-const LOGTO_ORDERS_AUDIENCE = process.env.LOGTO_ORDERS_AUDIENCE || 'https://orders.optovia.ru'
+const LOGTO_JWKS_URL =
+  process.env.LOGTO_JWKS_URL || "https://auth.optovia.ru/oidc/jwks";
+const LOGTO_ISSUER = process.env.LOGTO_ISSUER || "https://auth.optovia.ru/oidc";
+const LOGTO_ORDERS_AUDIENCE =
+  process.env.LOGTO_ORDERS_AUDIENCE || "https://orders.optovia.ru";
 
-const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL))
+const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL));
 
 export interface AuthContext {
-  userId?: string
-  teamUuid?: string
-  scopes: string[]
+  userId?: string;
+  teamUuid?: string;
+  scopes: string[];
 }
 
-function getBearerToken(req: Request): string {
-  const auth = req.headers.authorization || ''
-  if (!auth.startsWith('Bearer ')) {
-    throw new GraphQLError('Missing Bearer token', { extensions: { code: 'UNAUTHENTICATED' } })
+function getBearerToken(req: FastifyRequest): string {
+  const auth = req.headers.authorization || "";
+  if (!auth.startsWith("Bearer ")) {
+    throw new GraphQLError("Missing Bearer token", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
   }
-  const token = auth.slice(7)
-  if (!token || token === 'undefined') {
-    throw new GraphQLError('Empty Bearer token', { extensions: { code: 'UNAUTHENTICATED' } })
+  const token = auth.slice(7);
+  if (!token || token === "undefined") {
+    throw new GraphQLError("Empty Bearer token", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
   }
-  return token
+  return token;
 }
 
 function scopesFromPayload(payload: JWTPayload): string[] {
-  const scope = payload.scope
-  if (!scope) return []
-  if (typeof scope === 'string') return scope.split(' ')
-  if (Array.isArray(scope)) return scope as string[]
-  return []
+  const scope = payload.scope;
+  if (!scope) return [];
+  if (typeof scope === "string") return scope.split(" ");
+  if (Array.isArray(scope)) return scope as string[];
+  return [];
+}
+
+function claimList(payload: JWTPayload, key: string): string[] {
+  const value = (payload as Record<string, unknown>)[key];
+  if (typeof value === "string") return value.split(" ");
+  if (Array.isArray(value))
+    return value.filter((item): item is string => typeof item === "string");
+  return [];
+}
+
+function hasManagerClaim(payload: JWTPayload): boolean {
+  const scopes = scopesFromPayload(payload);
+  return (
+    scopes.includes("manager") ||
+    claimList(payload, "roles").includes("manager") ||
+    claimList(payload, "permissions").includes("manager")
+  );
 }
 
 export async function publicContext(): Promise<AuthContext> {
-  return { scopes: [] }
+  return { scopes: [] };
 }
 
-export async function userContext(req: Request): Promise<AuthContext> {
-  const token = getBearerToken(req)
-  const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER })
+export async function userContext(req: FastifyRequest): Promise<AuthContext> {
+  const token = getBearerToken(req);
+  const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER });
   return {
     userId: payload.sub,
     scopes: scopesFromPayload(payload),
-  }
+  };
 }
 
-export async function teamContext(req: Request): Promise<AuthContext> {
-  const token = getBearerToken(req)
+export async function teamContext(req: FastifyRequest): Promise<AuthContext> {
+  const token = getBearerToken(req);
   const { payload } = await jwtVerify(token, jwks, {
     issuer: LOGTO_ISSUER,
     audience: LOGTO_ORDERS_AUDIENCE,
-  })
+  });
 
-  const teamUuid = (payload as Record<string, unknown>).team_uuid as string | undefined
-  const scopes = scopesFromPayload(payload)
+  const teamUuid = (payload as Record<string, unknown>).team_uuid as
+    | string
+    | undefined;
+  const scopes = scopesFromPayload(payload);
 
-  if (!teamUuid || !scopes.includes('teams:member')) {
-    throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } })
+  if (!teamUuid || !scopes.includes("teams:member")) {
+    throw new GraphQLError("Unauthorized", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
   }
 
   return {
     userId: payload.sub,
     teamUuid,
     scopes,
+  };
+}
+
+export async function managerContext(
+  req: FastifyRequest,
+): Promise<AuthContext> {
+  const token = getBearerToken(req);
+  const { payload } = await jwtVerify(token, jwks, {
+    issuer: LOGTO_ISSUER,
+    audience: LOGTO_ORDERS_AUDIENCE,
+  });
+  const scopes = scopesFromPayload(payload);
+  const teamUuid = (payload as Record<string, unknown>).team_uuid as
+    | string
+    | undefined;
+  if (!payload.sub || !hasManagerClaim(payload) || !teamUuid) {
+    throw new GraphQLError("Unauthorized", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
   }
+  return { userId: payload.sub, teamUuid, scopes: ["teams:member", "manager"] };
 }
 
 export function requireScopes(ctx: AuthContext, ...required: string[]): void {
-  const missing = required.filter(s => !ctx.scopes.includes(s))
+  const missing = required.filter((s) => !ctx.scopes.includes(s));
   if (missing.length > 0) {
-    throw new GraphQLError(`Missing required scopes: ${missing.join(', ')}`, {
-      extensions: { code: 'FORBIDDEN' },
-    })
+    throw new GraphQLError(`Missing required scopes: ${missing.join(", ")}`, {
+      extensions: { code: "FORBIDDEN" },
+    });
   }
 }

src/index.ts

@@ -1,86 +1,104 @@
-import express from 'express'
-import cors from 'cors'
-import { ApolloServer } from '@apollo/server'
-import { expressMiddleware } from '@apollo/server/express4'
-import * as Sentry from '@sentry/node'
-import { publicTypeDefs, publicResolvers } from './schemas/public.js'
-import { userTypeDefs, userResolvers } from './schemas/user.js'
-import { teamTypeDefs, teamResolvers } from './schemas/team.js'
-import { publicContext, userContext, teamContext, type AuthContext } from './auth.js'
+import Fastify from "fastify";
+import type { FastifyInstance, FastifyRequest } from "fastify";
+import cors from "@fastify/cors";
+import mercurius from "mercurius";
+import * as Sentry from "@sentry/node";
+import { publicTypeDefs, publicResolvers } from "./schemas/public.js";
+import { userTypeDefs, userResolvers } from "./schemas/user.js";
+import { teamTypeDefs, teamResolvers } from "./schemas/team.js";
+import {
+  publicContext,
+  userContext,
+  teamContext,
+  managerContext,
+} from "./auth.js";
 
-const PORT = parseInt(process.env.PORT || '8000', 10)
-const SENTRY_DSN = process.env.SENTRY_DSN || ''
+const PORT = Number.parseInt(process.env.PORT || "8000", 10);
+const SENTRY_DSN = process.env.SENTRY_DSN || "";
 
 if (SENTRY_DSN) {
   Sentry.init({
     dsn: SENTRY_DSN,
     tracesSampleRate: 0.01,
-    release: process.env.RELEASE_VERSION || '1.0.0',
-    environment: process.env.ENVIRONMENT || 'production',
-  })
+    release: process.env.RELEASE_VERSION || "1.0.0",
+    environment: process.env.ENVIRONMENT || "production",
+  });
 }
 
-const app = express()
+const app = Fastify();
+await app.register(cors, { origin: ["https://optovia.ru"], credentials: true });
 
-app.use(cors({ origin: ['https://optovia.ru'], credentials: true }))
+type GraphqlBody = {
+  query?: string;
+  variables?: Record<string, unknown>;
+  operationName?: string;
+};
 
-const publicServer = new ApolloServer<AuthContext>({
-  typeDefs: publicTypeDefs,
-  resolvers: publicResolvers,
-  introspection: true,
-})
-
-const userServer = new ApolloServer<AuthContext>({
-  typeDefs: userTypeDefs,
-  resolvers: userResolvers,
-  introspection: true,
-})
-
-const teamServer = new ApolloServer<AuthContext>({
-  typeDefs: teamTypeDefs,
-  resolvers: teamResolvers,
-  introspection: true,
-})
-
-await Promise.all([publicServer.start(), userServer.start(), teamServer.start()])
-
-app.use(
-  '/graphql/public',
-  express.json(),
-  expressMiddleware(publicServer, {
-    context: async () => publicContext(),
-  }) as unknown as express.RequestHandler,
-)
-
-app.use(
-  '/graphql/user',
-  express.json(),
-  expressMiddleware(userServer, {
-    context: async ({ req }) => {
-      try {
-        return await userContext(req as unknown as import('express').Request)
-      } catch {
-        return { scopes: [] }
-      }
+async function registerGraphqlEndpoint(
+  server: FastifyInstance,
+  path: string,
+  schema: string,
+  resolvers: unknown,
+  context: (request: FastifyRequest) => Promise<unknown> | unknown,
+) {
+  await server.register(
+    async (route) => {
+      await route.register(mercurius, {
+        schema,
+        resolvers: resolvers as never,
+        routes: false,
+      });
+      route.post("/", async (request, reply) => {
+        const body = request.body as GraphqlBody;
+        if (typeof body.query !== "string") {
+          throw new Error("GraphQL query is required");
+        }
+        return reply.graphql(
+          body.query,
+          (await context(request)) as Record<string, unknown>,
+          body.variables,
+          body.operationName,
+        );
+      });
     },
-  }) as unknown as express.RequestHandler,
-)
+    { prefix: path },
+  );
+}
 
-app.use(
-  '/graphql/team',
-  express.json(),
-  expressMiddleware(teamServer, {
-    context: async ({ req }) => teamContext(req as unknown as import('express').Request),
-  }) as unknown as express.RequestHandler,
-)
+await registerGraphqlEndpoint(
+  app,
+  "/graphql/public",
+  publicTypeDefs,
+  publicResolvers,
+  async () => publicContext(),
+);
+await registerGraphqlEndpoint(
+  app,
+  "/graphql/user",
+  userTypeDefs,
+  userResolvers,
+  userContext,
+);
+await registerGraphqlEndpoint(
+  app,
+  "/graphql/team",
+  teamTypeDefs,
+  teamResolvers,
+  teamContext,
+);
+await registerGraphqlEndpoint(
+  app,
+  "/graphql/manager",
+  teamTypeDefs,
+  teamResolvers,
+  managerContext,
+);
 
-app.get('/health', (_, res) => {
-  res.json({ status: 'ok' })
-})
+app.get("/health", async () => ({ status: "ok" }));
 
-app.listen(PORT, '0.0.0.0', () => {
-  console.log(`Orders server ready on port ${PORT}`)
-  console.log(`  /graphql/public  - public`)
-  console.log(`  /graphql/user    - id token auth`)
-  console.log(`  /graphql/team    - team access token auth`)
-})
+await app.listen({ port: PORT, host: "0.0.0.0" });
+console.log(`Orders server ready on port ${PORT}`);
+console.log(`  /graphql/public  - public`);
+console.log(`  /graphql/user    - id token auth`);
+console.log(`  /graphql/team    - team access token auth`);
+console.log(`  /graphql/manager - manager JWT auth`);