optovia/teams
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Compare commits

base: optovia:dd99bbe2e799c8a0f73a8b06a0cc4942a7577beb
Branches Tags
optovia:main
...
compare: optovia:main
Branches Tags
optovia:main

7 Commits
dd99bbe2e7 ... main

Author SHA1 Message Date
Ruslan Bakiev
7fc16bb333 Use Fastify Mercurius and GraphQL contracts
Some checks are pending
Build Docker Image / build (push) Waiting to run
Details
2026-06-01 00:25:27 +05:00
Ruslan Bakiev
b076343c57 Use Logto claims for teams auth
Some checks failed
Build Docker Image / build (push) Has been cancelled
Details
2026-05-31 22:26:58 +05:00
Ruslan Bakiev
1a3f72205f Use shared app JWT for manager access 2026-05-31 22:00:52 +05:00
Ruslan Bakiev
bca8c0e782 Add manager GraphQL endpoint 2026-05-31 21:52:42 +05:00
Ruslan Bakiev
0473291940 Remove admin role alias from Teams auth 2026-05-31 21:42:39 +05:00
Ruslan Bakiev
71bb2e951b Expose manager session flag 2026-05-31 21:36:19 +05:00
Ruslan Bakiev
e6e014ebb0 Add Flutter auth sessions to teams
All checks were successful
Build Docker Image / build (push) Successful in 2m10s
Details
2026-05-31 16:46:04 +05:00
10 changed files with 1767 additions and 1705 deletions
Expand all files Collapse all files

3
.gitmodules vendored Normal file
View File

@@ -0,0 +1,3 @@
[submodule "graphql-contracts"]
path = graphql-contracts
url = git@gitea.dsrptlab.com:optovia/teams-graphql-contracts.git

1
graphql-contracts Submodule

Submodule graphql-contracts added at c632d41e35

2664
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

10
package.json
View File

@@ -9,18 +9,16 @@
"start": "prisma migrate deploy && node dist/index.js"
},
"dependencies": {
"@apollo/server": "^4.11.3",
"@fastify/cors": "^11.2.0",
"@prisma/client": "^6.5.0",
"@sentry/node": "^9.5.0",
"cors": "^2.8.5",
"express": "^4.21.2",
"fastify": "^5.8.5",
"graphql": "^16.10.0",
"graphql-tag": "^2.12.6",
"jose": "^6.0.11"
"jose": "^6.0.11",
"mercurius": "^16.9.0"
},
"devDependencies": {
"@types/cors": "^2.8.17",
"@types/express": "^5.0.0",
"@types/node": "^22.13.0",
"prisma": "^6.5.0",
"tsx": "^4.19.0",

40
prisma/migrations/1_add_flutter_auth_sessions/migration.sql Normal file
View File

@@ -0,0 +1,40 @@
-- CreateTable
CREATE TABLE "teams_app_loginchallenge" (
"id" SERIAL NOT NULL,
"uuid" TEXT NOT NULL,
"phone" VARCHAR(50) NOT NULL,
"code" VARCHAR(20) NOT NULL,
"expires_at" TIMESTAMP(3) NOT NULL,
"used_at" TIMESTAMP(3),
"created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
CONSTRAINT "teams_app_loginchallenge_pkey" PRIMARY KEY ("id")
);
-- CreateTable
CREATE TABLE "teams_app_authsession" (
"id" SERIAL NOT NULL,
"token" VARCHAR(255) NOT NULL,
"user_id" INTEGER NOT NULL,
"expires_at" TIMESTAMP(3) NOT NULL,
"revoked_at" TIMESTAMP(3),
"created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
CONSTRAINT "teams_app_authsession_pkey" PRIMARY KEY ("id")
);
-- CreateIndex
CREATE UNIQUE INDEX "teams_app_loginchallenge_uuid_key" ON "teams_app_loginchallenge"("uuid");
-- CreateIndex
CREATE INDEX "teams_app_loginchallenge_phone_idx" ON "teams_app_loginchallenge"("phone");
-- CreateIndex
CREATE UNIQUE INDEX "teams_app_authsession_token_key" ON "teams_app_authsession"("token");
-- CreateIndex
CREATE INDEX "teams_app_authsession_user_id_idx" ON "teams_app_authsession"("user_id");
-- AddForeignKey
ALTER TABLE "teams_app_authsession" ADD CONSTRAINT "teams_app_authsession_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "auth_user"("id") ON DELETE RESTRICT ON UPDATE CASCADE;

133
prisma/schema.prisma
View File

@@ -8,20 +8,20 @@ datasource db {
}
model Team {
id Int @id @default(autoincrement())
uuid String @unique @default(uuid())
name String @db.VarChar(200)
teamType String @default("BUYER") @map("team_type") @db.VarChar(20)
logtoOrgId String? @map("logto_org_id") @db.VarChar(100)
ownerId Int? @map("owner_id")
owner User? @relation(fields: [ownerId], references: [id])
selectedLocationType String? @map("selected_location_type") @db.VarChar(20)
selectedLocationUuid String? @map("selected_location_uuid") @db.VarChar(100)
selectedLocationName String? @map("selected_location_name") @db.VarChar(255)
selectedLocationLat Float? @map("selected_location_lat")
selectedLocationLon Float? @map("selected_location_lon")
createdAt DateTime @default(now()) @map("created_at")
updatedAt DateTime @updatedAt @map("updated_at")
id Int @id @default(autoincrement())
uuid String @unique @default(uuid())
name String @db.VarChar(200)
teamType String @default("BUYER") @map("team_type") @db.VarChar(20)
logtoOrgId String? @map("logto_org_id") @db.VarChar(100)
ownerId Int? @map("owner_id")
owner User? @relation(fields: [ownerId], references: [id])
selectedLocationType String? @map("selected_location_type") @db.VarChar(20)
selectedLocationUuid String? @map("selected_location_uuid") @db.VarChar(100)
selectedLocationName String? @map("selected_location_name") @db.VarChar(255)
selectedLocationLat Float? @map("selected_location_lat")
selectedLocationLon Float? @map("selected_location_lon")
createdAt DateTime @default(now()) @map("created_at")
updatedAt DateTime @updatedAt @map("updated_at")
members TeamMember[]
invitations TeamInvitation[]
@@ -32,40 +32,67 @@ model Team {
}
model User {
id Int @id @default(autoincrement())
password String @default("") @db.VarChar(128)
username String @unique @db.VarChar(150)
firstName String @default("") @map("first_name") @db.VarChar(150)
lastName String @default("") @map("last_name") @db.VarChar(150)
email String @default("") @db.VarChar(254)
isActive Boolean @default(true) @map("is_active")
dateJoined DateTime @default(now()) @map("date_joined")
isSuperuser Boolean @default(false) @map("is_superuser")
isStaff Boolean @default(false) @map("is_staff")
lastLogin DateTime? @map("last_login")
id Int @id @default(autoincrement())
password String @default("") @db.VarChar(128)
username String @unique @db.VarChar(150)
firstName String @default("") @map("first_name") @db.VarChar(150)
lastName String @default("") @map("last_name") @db.VarChar(150)
email String @default("") @db.VarChar(254)
isActive Boolean @default(true) @map("is_active")
dateJoined DateTime @default(now()) @map("date_joined")
isSuperuser Boolean @default(false) @map("is_superuser")
isStaff Boolean @default(false) @map("is_staff")
lastLogin DateTime? @map("last_login")
profile UserProfile?
teams Team[]
profile UserProfile?
sessions AuthSession[]
teams Team[]
memberships TeamMember[]
@@map("auth_user")
}
model UserProfile {
id Int @id @default(autoincrement())
userId Int @unique @map("user_id")
user User @relation(fields: [userId], references: [id])
logtoId String @unique @map("logto_id") @db.VarChar(255)
avatarId String? @map("avatar_id") @db.VarChar(255)
phone String @default("") @db.VarChar(50)
activeTeamId Int? @map("active_team_id")
activeTeam Team? @relation("ActiveTeam", fields: [activeTeamId], references: [id])
createdAt DateTime @default(now()) @map("created_at")
updatedAt DateTime @updatedAt @map("updated_at")
id Int @id @default(autoincrement())
userId Int @unique @map("user_id")
user User @relation(fields: [userId], references: [id])
logtoId String @unique @map("logto_id") @db.VarChar(255)
avatarId String? @map("avatar_id") @db.VarChar(255)
phone String @default("") @db.VarChar(50)
activeTeamId Int? @map("active_team_id")
activeTeam Team? @relation("ActiveTeam", fields: [activeTeamId], references: [id])
createdAt DateTime @default(now()) @map("created_at")
updatedAt DateTime @updatedAt @map("updated_at")
@@map("teams_app_userprofile")
}
model LoginChallenge {
id Int @id @default(autoincrement())
uuid String @unique @default(uuid())
phone String @db.VarChar(50)
code String @db.VarChar(20)
expiresAt DateTime @map("expires_at")
usedAt DateTime? @map("used_at")
createdAt DateTime @default(now()) @map("created_at")
@@index([phone])
@@map("teams_app_loginchallenge")
}
model AuthSession {
id Int @id @default(autoincrement())
token String @unique @db.VarChar(255)
userId Int @map("user_id")
user User @relation(fields: [userId], references: [id])
expiresAt DateTime @map("expires_at")
revokedAt DateTime? @map("revoked_at")
createdAt DateTime @default(now()) @map("created_at")
@@index([userId])
@@map("teams_app_authsession")
}
model TeamMember {
id Int @id @default(autoincrement())
uuid String @unique @default(uuid())
@@ -81,16 +108,16 @@ model TeamMember {
}
model TeamInvitation {
id Int @id @default(autoincrement())
uuid String @unique @default(uuid())
teamId Int @map("team_id")
team Team @relation(fields: [teamId], references: [id])
email String @db.VarChar(254)
role String @default("MEMBER") @db.VarChar(20)
status String @default("PENDING") @db.VarChar(20)
invitedBy String @default("") @map("invited_by") @db.VarChar(255)
id Int @id @default(autoincrement())
uuid String @unique @default(uuid())
teamId Int @map("team_id")
team Team @relation(fields: [teamId], references: [id])
email String @db.VarChar(254)
role String @default("MEMBER") @db.VarChar(20)
status String @default("PENDING") @db.VarChar(20)
invitedBy String @default("") @map("invited_by") @db.VarChar(255)
expiresAt DateTime? @map("expires_at")
createdAt DateTime @default(now()) @map("created_at")
createdAt DateTime @default(now()) @map("created_at")
tokens TeamInvitationToken[]
@@ -99,14 +126,14 @@ model TeamInvitation {
}
model TeamInvitationToken {
id Int @id @default(autoincrement())
uuid String @unique @default(uuid())
invitationId Int @map("invitation_id")
id Int @id @default(autoincrement())
uuid String @unique @default(uuid())
invitationId Int @map("invitation_id")
invitation TeamInvitation @relation(fields: [invitationId], references: [id])
tokenHash String @unique @map("token_hash") @db.VarChar(255)
workflowStatus String @default("pending") @map("workflow_status") @db.VarChar(20)
expiresAt DateTime? @map("expires_at")
createdAt DateTime @default(now()) @map("created_at")
tokenHash String @unique @map("token_hash") @db.VarChar(255)
workflowStatus String @default("pending") @map("workflow_status") @db.VarChar(20)
expiresAt DateTime? @map("expires_at")
createdAt DateTime @default(now()) @map("created_at")
@@map("teams_app_teaminvitationtoken")
}

170
src/auth.ts
View File

@@ -1,55 +1,151 @@
import { createRemoteJWKSet, jwtVerify, type JWTPayload } from 'jose'
import { GraphQLError } from 'graphql'
import type { Request } from 'express'
import { createRemoteJWKSet, jwtVerify, type JWTPayload } from "jose";
import { GraphQLError } from "graphql";
import type { FastifyRequest } from "fastify";
import { prisma } from "./db.js";
const LOGTO_JWKS_URL = process.env.LOGTO_JWKS_URL || 'https://auth.optovia.ru/oidc/jwks'
const LOGTO_ISSUER = process.env.LOGTO_ISSUER || 'https://auth.optovia.ru/oidc'
const LOGTO_TEAMS_AUDIENCE = process.env.LOGTO_TEAMS_AUDIENCE || 'https://teams.optovia.ru'
const LOGTO_JWKS_URL =
process.env.LOGTO_JWKS_URL || "https://auth.optovia.ru/oidc/jwks";
const LOGTO_ISSUER = process.env.LOGTO_ISSUER || "https://auth.optovia.ru/oidc";
const LOGTO_TEAMS_AUDIENCE =
process.env.LOGTO_TEAMS_AUDIENCE || "https://teams.optovia.ru";
const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL))
const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL));
export interface AuthContext {
userId?: string
teamUuid?: string
scopes: string[]
isM2M?: boolean
userId?: string;
teamUuid?: string;
sessionToken?: string;
scopes: string[];
isM2M?: boolean;
}
function getBearerToken(req: Request): string {
const auth = req.headers.authorization || ''
if (!auth.startsWith('Bearer ')) throw new GraphQLError('Missing Bearer token', { extensions: { code: 'UNAUTHENTICATED' } })
const token = auth.slice(7)
if (!token || token === 'undefined') throw new GraphQLError('Empty Bearer token', { extensions: { code: 'UNAUTHENTICATED' } })
return token
export const SESSION_TOKEN_PREFIX = "optovia-session:";
function getBearerToken(req: FastifyRequest): string {
const auth = req.headers.authorization || "";
if (!auth.startsWith("Bearer "))
throw new GraphQLError("Missing Bearer token", {
extensions: { code: "UNAUTHENTICATED" },
});
const token = auth.slice(7);
if (!token || token === "undefined")
throw new GraphQLError("Empty Bearer token", {
extensions: { code: "UNAUTHENTICATED" },
});
return token;
}
function optionalBearerToken(req: FastifyRequest): string | null {
const auth = req.headers.authorization || "";
if (!auth.startsWith("Bearer ")) return null;
const token = auth.slice(7);
if (!token || token === "undefined") return null;
return token;
}
function scopesFromPayload(payload: JWTPayload): string[] {
const scope = payload.scope
if (!scope) return []
if (typeof scope === 'string') return scope.split(' ')
return []
const scope = payload.scope;
if (!scope) return [];
if (typeof scope === "string") return scope.split(" ");
if (Array.isArray(scope)) return scope as string[];
return [];
}
export async function publicContext(): Promise<AuthContext> { return { scopes: [] } }
export async function userContext(req: Request): Promise<AuthContext> {
const token = getBearerToken(req)
const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER })
return { userId: payload.sub, scopes: [] }
export async function publicContext(): Promise<AuthContext> {
return { scopes: [] };
}
export async function teamContext(req: Request): Promise<AuthContext> {
const token = getBearerToken(req)
const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER, audience: LOGTO_TEAMS_AUDIENCE })
const teamUuid = (payload as Record<string, unknown>).team_uuid as string | undefined
const scopes = scopesFromPayload(payload)
if (!teamUuid || !scopes.includes('teams:member')) throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } })
return { userId: payload.sub, teamUuid, scopes }
function claimList(payload: JWTPayload, key: string): string[] {
const value = (payload as Record<string, unknown>)[key];
if (typeof value === "string") return value.split(" ");
if (Array.isArray(value))
return value.filter((item): item is string => typeof item === "string");
return [];
}
export async function m2mContext(): Promise<AuthContext> { return { scopes: [], isM2M: true } }
function hasManagerClaim(payload: JWTPayload): boolean {
const scopes = scopesFromPayload(payload);
return (
scopes.includes("manager") ||
claimList(payload, "roles").includes("manager") ||
claimList(payload, "permissions").includes("manager")
);
}
export async function userContext(req: FastifyRequest): Promise<AuthContext> {
const token = optionalBearerToken(req);
if (token === null) return { scopes: [] };
if (token.startsWith(SESSION_TOKEN_PREFIX)) {
const session = await prisma.authSession.findUnique({
where: { token },
include: { user: true },
});
if (
session === null ||
session.revokedAt !== null ||
session.expiresAt <= new Date()
) {
throw new GraphQLError("Session expired", {
extensions: { code: "UNAUTHENTICATED" },
});
}
return {
userId: session.user.username,
sessionToken: token,
scopes: ["teams:user"],
};
}
const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER });
return { userId: payload.sub, scopes: scopesFromPayload(payload) };
}
export async function managerContext(
req: FastifyRequest,
): Promise<AuthContext> {
const token = getBearerToken(req);
const { payload } = await jwtVerify(token, jwks, {
issuer: LOGTO_ISSUER,
audience: LOGTO_TEAMS_AUDIENCE,
});
if (!payload.sub || !hasManagerClaim(payload)) {
throw new GraphQLError("Manager access required", {
extensions: { code: "FORBIDDEN" },
});
}
return {
userId: payload.sub,
teamUuid: (payload as Record<string, unknown>).team_uuid as
| string
| undefined,
scopes: [...new Set([...scopesFromPayload(payload), "manager"])],
};
}
export async function teamContext(req: FastifyRequest): Promise<AuthContext> {
const token = getBearerToken(req);
const { payload } = await jwtVerify(token, jwks, {
issuer: LOGTO_ISSUER,
audience: LOGTO_TEAMS_AUDIENCE,
});
const teamUuid = (payload as Record<string, unknown>).team_uuid as
| string
| undefined;
const scopes = scopesFromPayload(payload);
if (!teamUuid || !scopes.includes("teams:member"))
throw new GraphQLError("Unauthorized", {
extensions: { code: "UNAUTHENTICATED" },
});
return { userId: payload.sub, teamUuid, scopes };
}
export async function m2mContext(): Promise<AuthContext> {
return { scopes: [], isM2M: true };
}
export function requireScopes(ctx: AuthContext, ...required: string[]): void {
const missing = required.filter(s => !ctx.scopes.includes(s))
if (missing.length > 0) throw new GraphQLError(`Missing required scopes: ${missing.join(', ')}`, { extensions: { code: 'FORBIDDEN' } })
const missing = required.filter((s) => !ctx.scopes.includes(s));
if (missing.length > 0)
throw new GraphQLError(`Missing required scopes: ${missing.join(", ")}`, {
extensions: { code: "FORBIDDEN" },
});
}

136
src/index.ts
View File

@@ -1,47 +1,115 @@
import express from 'express'
import cors from 'cors'
import { ApolloServer } from '@apollo/server'
import { expressMiddleware } from '@apollo/server/express4'
import * as Sentry from '@sentry/node'
import { publicTypeDefs, publicResolvers } from './schemas/public.js'
import { userTypeDefs, userResolvers } from './schemas/user.js'
import { teamTypeDefs, teamResolvers } from './schemas/team.js'
import { m2mTypeDefs, m2mResolvers } from './schemas/m2m.js'
import { publicContext, userContext, teamContext, m2mContext, type AuthContext } from './auth.js'
import Fastify from "fastify";
import type { FastifyInstance, FastifyRequest } from "fastify";
import cors from "@fastify/cors";
import mercurius from "mercurius";
import * as Sentry from "@sentry/node";
import { publicTypeDefs, publicResolvers } from "./schemas/public.js";
import { userTypeDefs, userResolvers } from "./schemas/user.js";
import { teamTypeDefs, teamResolvers } from "./schemas/team.js";
import { managerTypeDefs, managerResolvers } from "./schemas/manager.js";
import { m2mTypeDefs, m2mResolvers } from "./schemas/m2m.js";
import {
publicContext,
userContext,
teamContext,
managerContext,
m2mContext,
} from "./auth.js";
const PORT = parseInt(process.env.PORT || '8000', 10)
const SENTRY_DSN = process.env.SENTRY_DSN || ''
const PORT = Number.parseInt(process.env.PORT || "8000", 10);
const SENTRY_DSN = process.env.SENTRY_DSN || "";
if (SENTRY_DSN) {
Sentry.init({
dsn: SENTRY_DSN,
tracesSampleRate: 0.01,
release: process.env.RELEASE_VERSION || '1.0.0',
environment: process.env.ENVIRONMENT || 'production',
})
release: process.env.RELEASE_VERSION || "1.0.0",
environment: process.env.ENVIRONMENT || "production",
});
}
const app = express()
app.use(cors({ origin: ['https://optovia.ru'], credentials: true }))
const app = Fastify();
await app.register(cors, { origin: ["https://optovia.ru"], credentials: true });
const publicServer = new ApolloServer<AuthContext>({ typeDefs: publicTypeDefs, resolvers: publicResolvers, introspection: true })
const userServer = new ApolloServer<AuthContext>({ typeDefs: userTypeDefs, resolvers: userResolvers, introspection: true })
const teamServer = new ApolloServer<AuthContext>({ typeDefs: teamTypeDefs, resolvers: teamResolvers, introspection: true })
const m2mServer = new ApolloServer<AuthContext>({ typeDefs: m2mTypeDefs, resolvers: m2mResolvers, introspection: true })
type GraphqlBody = {
query?: string;
variables?: Record<string, unknown>;
operationName?: string;
};
await Promise.all([publicServer.start(), userServer.start(), teamServer.start(), m2mServer.start()])
async function registerGraphqlEndpoint(
server: FastifyInstance,
path: string,
schema: string,
resolvers: unknown,
context: (request: FastifyRequest) => Promise<unknown> | unknown,
) {
await server.register(
async (route) => {
await route.register(mercurius, {
schema,
resolvers: resolvers as never,
routes: false,
});
route.post("/", async (request, reply) => {
const body = request.body as GraphqlBody;
if (typeof body.query !== "string") {
throw new Error("GraphQL query is required");
}
return reply.graphql(
body.query,
(await context(request)) as Record<string, unknown>,
body.variables,
body.operationName,
);
});
},
{ prefix: path },
);
}
app.use('/graphql/public', express.json(), expressMiddleware(publicServer, { context: async () => publicContext() }) as unknown as express.RequestHandler)
app.use('/graphql/user', express.json(), expressMiddleware(userServer, { context: async ({ req }) => userContext(req as unknown as import('express').Request) }) as unknown as express.RequestHandler)
app.use('/graphql/team', express.json(), expressMiddleware(teamServer, { context: async ({ req }) => teamContext(req as unknown as import('express').Request) }) as unknown as express.RequestHandler)
app.use('/graphql/m2m', express.json(), expressMiddleware(m2mServer, { context: async () => m2mContext() }) as unknown as express.RequestHandler)
await registerGraphqlEndpoint(
app,
"/graphql/public",
publicTypeDefs,
publicResolvers,
async () => publicContext(),
);
await registerGraphqlEndpoint(
app,
"/graphql/user",
userTypeDefs,
userResolvers,
userContext,
);
await registerGraphqlEndpoint(
app,
"/graphql/team",
teamTypeDefs,
teamResolvers,
teamContext,
);
await registerGraphqlEndpoint(
app,
"/graphql/manager",
managerTypeDefs,
managerResolvers,
managerContext,
);
await registerGraphqlEndpoint(
app,
"/graphql/m2m",
m2mTypeDefs,
m2mResolvers,
async () => m2mContext(),
);
app.get('/health', (_, res) => { res.json({ status: 'ok' }) })
app.get("/health", async () => ({ status: "ok" }));
app.listen(PORT, '0.0.0.0', () => {
console.log(`Teams server ready on port ${PORT}`)
console.log(` /graphql/public - public`)
console.log(` /graphql/user - id token auth`)
console.log(` /graphql/team - team access token auth`)
console.log(` /graphql/m2m - internal services (no auth)`)
})
await app.listen({ port: PORT, host: "0.0.0.0" });
console.log(`Teams server ready on port ${PORT}`);
console.log(` /graphql/public - public`);
console.log(` /graphql/user - id token auth`);
console.log(` /graphql/team - team access token auth`);
console.log(` /graphql/manager - manager JWT auth`);
console.log(` /graphql/m2m - internal services (no auth)`);

74
src/schemas/manager.ts Normal file
View File

@@ -0,0 +1,74 @@
import { GraphQLError } from 'graphql'
import { prisma } from '../db.js'
import { requireScopes, type AuthContext } from '../auth.js'
export const managerTypeDefs = `#graphql
type ManagerUser {
id: ID!
accountId: String
displayName: String
phone: String!
companyName: String
telegramGroupTitle: String
telegramNotificationsEnabled: Boolean!
}
type Query {
managerUsers: [ManagerUser!]!
}
`
function displayName(firstName: string, lastName: string, phone: string): string {
const name = `${firstName} ${lastName}`.trim()
return name.length > 0 ? name : phone
}
async function isManagerUser(userId: number): Promise<boolean> {
const user = await prisma.user.findUnique({ where: { id: userId } })
if (user === null) return false
if (user.isStaff || user.isSuperuser) return true
const managerMembership = await prisma.teamMember.findFirst({
where: { userId, role: { in: ['OWNER', 'MANAGER', 'ADMIN'] } },
})
return managerMembership !== null
}
async function requireManagerProfile(ctx: AuthContext) {
requireScopes(ctx, 'manager')
if (!ctx.userId) throw new GraphQLError('Not authenticated')
const profile = await prisma.userProfile.findUnique({
where: { logtoId: ctx.userId },
include: { user: true, activeTeam: true },
})
if (profile === null || !(await isManagerUser(profile.userId))) {
throw new GraphQLError('Manager access required', { extensions: { code: 'FORBIDDEN' } })
}
return profile
}
export const managerResolvers = {
Query: {
managerUsers: async (_: unknown, __: unknown, ctx: AuthContext) => {
const profile = await requireManagerProfile(ctx)
const members = await prisma.teamMember.findMany({
where: profile.activeTeamId === null ? {} : { teamId: profile.activeTeamId },
include: { user: { include: { profile: { include: { activeTeam: true } } } }, team: true },
orderBy: { joinedAt: 'desc' },
})
return members.filter(member => member.user !== null).map(member => {
const user = member.user!
const memberProfile = user.profile
const phone = memberProfile?.phone ?? ''
return {
id: member.uuid,
accountId: memberProfile?.logtoId ?? user.username,
displayName: displayName(user.firstName, user.lastName, phone),
phone,
companyName: member.team.name,
telegramGroupTitle: null,
telegramNotificationsEnabled: false,
}
})
},
},
}

241
src/schemas/user.ts
View File

@@ -1,6 +1,6 @@
import { GraphQLError } from 'graphql'
import { prisma } from '../db.js'
import type { AuthContext } from '../auth.js'
import { GraphQLError } from "graphql";
import { prisma } from "../db.js";
import { type AuthContext } from "../auth.js";
export const userTypeDefs = `#graphql
type UserTeam {
@@ -15,8 +15,10 @@ export const userTypeDefs = `#graphql
id: String
firstName: String
lastName: String
displayName: String
phone: String
avatarId: String
isManager: Boolean
activeTeamId: String
activeTeam: UserTeam
teams: [UserTeam]
@@ -77,106 +79,229 @@ export const userTypeDefs = `#graphql
}
type Mutation {
logout: Boolean!
createTeam(input: CreateTeamInput!): CreateTeamResult
updateUser(userId: String!, input: UpdateUserInput!): UpdateUserResult
switchTeam(teamId: String!): SwitchTeamResult
}
`
`;
async function getOrCreateProfile(logtoId: string) {
let profile = await prisma.userProfile.findUnique({ where: { logtoId: logtoId }, include: { user: true, activeTeam: true } })
let profile = await prisma.userProfile.findUnique({
where: { logtoId: logtoId },
include: { user: true, activeTeam: true },
});
if (!profile) {
const user = await prisma.user.create({ data: { username: logtoId, firstName: '', lastName: '' } })
const user = await prisma.user.create({
data: { username: logtoId, firstName: "", lastName: "" },
});
profile = await prisma.userProfile.create({
data: { userId: user.id, logtoId: logtoId },
include: { user: true, activeTeam: true },
})
});
}
return profile
return profile;
}
function displayName(
firstName: string,
lastName: string,
phone: string,
): string {
const name = `${firstName} ${lastName}`.trim();
return name.length > 0 ? name : phone;
}
async function isManagerUser(userId: number): Promise<boolean> {
const user = await prisma.user.findUnique({ where: { id: userId } });
if (user === null) return false;
if (user.isStaff || user.isSuperuser) return true;
const managerMembership = await prisma.teamMember.findFirst({
where: { userId, role: { in: ["OWNER", "MANAGER", "ADMIN"] } },
});
return managerMembership !== null;
}
async function mapProfileUser(
profile: Awaited<ReturnType<typeof getOrCreateProfile>>,
) {
const memberships = await prisma.teamMember.findMany({
where: { userId: profile.userId },
include: { team: true },
});
const isManager = await isManagerUser(profile.userId);
return {
id: profile.logtoId,
firstName: profile.user.firstName,
lastName: profile.user.lastName,
displayName: displayName(
profile.user.firstName,
profile.user.lastName,
profile.phone,
),
phone: profile.phone,
avatarId: profile.avatarId,
isManager,
activeTeamId: profile.activeTeam?.uuid ?? null,
activeTeam: profile.activeTeam
? {
id: profile.activeTeam.uuid,
name: profile.activeTeam.name,
teamType: profile.activeTeam.teamType,
logtoOrgId: profile.activeTeam.logtoOrgId,
createdAt: profile.activeTeam.createdAt.toISOString(),
}
: null,
teams: memberships.map((m) => ({
id: m.team.uuid,
name: m.team.name,
teamType: m.team.teamType,
logtoOrgId: m.team.logtoOrgId,
createdAt: m.team.createdAt.toISOString(),
})),
};
}
export const userResolvers = {
Query: {
me: async (_: unknown, __: unknown, ctx: AuthContext) => {
if (!ctx.userId) throw new GraphQLError('Not authenticated')
const profile = await getOrCreateProfile(ctx.userId)
const memberships = await prisma.teamMember.findMany({ where: { userId: profile.userId }, include: { team: true } })
return {
id: ctx.userId,
firstName: profile.user.firstName,
lastName: profile.user.lastName,
phone: profile.phone,
avatarId: profile.avatarId,
activeTeamId: profile.activeTeam?.uuid ?? null,
activeTeam: profile.activeTeam ? { id: profile.activeTeam.uuid, name: profile.activeTeam.name, teamType: profile.activeTeam.teamType, logtoOrgId: profile.activeTeam.logtoOrgId, createdAt: profile.activeTeam.createdAt.toISOString() } : null,
teams: memberships.map(m => ({ id: m.team.uuid, name: m.team.name, teamType: m.team.teamType, logtoOrgId: m.team.logtoOrgId, createdAt: m.team.createdAt.toISOString() })),
}
if (!ctx.userId) throw new GraphQLError("Not authenticated");
const profile = await getOrCreateProfile(ctx.userId);
return mapProfileUser(profile);
},
getTeam: async (_: unknown, args: { teamId: string }, ctx: AuthContext) => {
if (!ctx.userId) throw new GraphQLError('Not authenticated')
if (!ctx.userId) throw new GraphQLError("Not authenticated");
const team = await prisma.team.findUnique({
where: { uuid: args.teamId },
include: {
members: { include: { user: true } },
invitations: true,
},
})
if (!team) return null
});
if (!team) return null;
return {
uuid: team.uuid,
name: team.name,
members: team.members.map(m => ({ uuid: m.uuid, role: m.role, joinedAt: m.joinedAt.toISOString() })),
invitations: team.invitations.map(i => ({
uuid: i.uuid, email: i.email, role: i.role, status: i.status,
invitedBy: i.invitedBy, expiresAt: i.expiresAt?.toISOString() ?? null,
members: team.members.map((m) => ({
uuid: m.uuid,
role: m.role,
joinedAt: m.joinedAt.toISOString(),
})),
invitations: team.invitations.map((i) => ({
uuid: i.uuid,
email: i.email,
role: i.role,
status: i.status,
invitedBy: i.invitedBy,
expiresAt: i.expiresAt?.toISOString() ?? null,
createdAt: i.createdAt.toISOString(),
})),
}
};
},
},
Mutation: {
createTeam: async (_: unknown, args: { input: { name: string; teamType?: string } }, ctx: AuthContext) => {
if (!ctx.userId) throw new GraphQLError('Not authenticated')
const profile = await getOrCreateProfile(ctx.userId)
logout: async (_: unknown, __: unknown, ctx: AuthContext) => {
if (ctx.sessionToken !== undefined) {
await prisma.authSession.updateMany({
where: { token: ctx.sessionToken, revokedAt: null },
data: { revokedAt: new Date() },
});
}
return true;
},
createTeam: async (
_: unknown,
args: { input: { name: string; teamType?: string } },
ctx: AuthContext,
) => {
if (!ctx.userId) throw new GraphQLError("Not authenticated");
const profile = await getOrCreateProfile(ctx.userId);
const team = await prisma.team.create({
data: { name: args.input.name, teamType: args.input.teamType || 'BUYER', ownerId: profile.userId },
})
await prisma.teamMember.create({ data: { teamId: team.id, userId: profile.userId, role: 'OWNER' } })
await prisma.userProfile.update({ where: { id: profile.id }, data: { activeTeamId: team.id } })
data: {
name: args.input.name,
teamType: args.input.teamType || "BUYER",
ownerId: profile.userId,
},
});
await prisma.teamMember.create({
data: { teamId: team.id, userId: profile.userId, role: "OWNER" },
});
await prisma.userProfile.update({
where: { id: profile.id },
data: { activeTeamId: team.id },
});
return {
team: { id: team.uuid, name: team.name, teamType: team.teamType, logtoOrgId: team.logtoOrgId, createdAt: team.createdAt.toISOString() },
team: {
id: team.uuid,
name: team.name,
teamType: team.teamType,
logtoOrgId: team.logtoOrgId,
createdAt: team.createdAt.toISOString(),
},
success: true,
}
};
},
updateUser: async (_: unknown, args: { userId: string; input: { firstName?: string; lastName?: string; phone?: string; avatarId?: string } }, ctx: AuthContext) => {
if (!ctx.userId) throw new GraphQLError('Not authenticated')
const profile = await getOrCreateProfile(ctx.userId)
const userUpdate: Record<string, unknown> = {}
if (args.input.firstName !== undefined) userUpdate.firstName = args.input.firstName
if (args.input.lastName !== undefined) userUpdate.lastName = args.input.lastName
updateUser: async (
_: unknown,
args: {
userId: string;
input: {
firstName?: string;
lastName?: string;
phone?: string;
avatarId?: string;
};
},
ctx: AuthContext,
) => {
if (!ctx.userId) throw new GraphQLError("Not authenticated");
const profile = await getOrCreateProfile(ctx.userId);
const userUpdate: Record<string, unknown> = {};
if (args.input.firstName !== undefined)
userUpdate.firstName = args.input.firstName;
if (args.input.lastName !== undefined)
userUpdate.lastName = args.input.lastName;
if (Object.keys(userUpdate).length > 0) {
await prisma.user.update({ where: { id: profile.userId }, data: userUpdate })
await prisma.user.update({
where: { id: profile.userId },
data: userUpdate,
});
}
const profileUpdate: Record<string, unknown> = {}
if (args.input.phone !== undefined) profileUpdate.phone = args.input.phone
if (args.input.avatarId !== undefined) profileUpdate.avatarId = args.input.avatarId
const profileUpdate: Record<string, unknown> = {};
if (args.input.phone !== undefined)
profileUpdate.phone = args.input.phone;
if (args.input.avatarId !== undefined)
profileUpdate.avatarId = args.input.avatarId;
if (Object.keys(profileUpdate).length > 0) {
await prisma.userProfile.update({ where: { id: profile.id }, data: profileUpdate })
await prisma.userProfile.update({
where: { id: profile.id },
data: profileUpdate,
});
}
return { user: { id: ctx.userId }, success: true }
return { user: { id: ctx.userId }, success: true };
},
switchTeam: async (_: unknown, args: { teamId: string }, ctx: AuthContext) => {
if (!ctx.userId) throw new GraphQLError('Not authenticated')
const profile = await getOrCreateProfile(ctx.userId)
const team = await prisma.team.findUnique({ where: { uuid: args.teamId } })
if (!team) throw new GraphQLError('Team not found')
await prisma.userProfile.update({ where: { id: profile.id }, data: { activeTeamId: team.id } })
return { success: true }
switchTeam: async (
_: unknown,
args: { teamId: string },
ctx: AuthContext,
) => {
if (!ctx.userId) throw new GraphQLError("Not authenticated");
const profile = await getOrCreateProfile(ctx.userId);
const team = await prisma.team.findUnique({
where: { uuid: args.teamId },
});
if (!team) throw new GraphQLError("Team not found");
await prisma.userProfile.update({
where: { id: profile.id },
data: { activeTeamId: team.id },
});
return { success: true };
},
},
}
};