Use Logto claims for teams auth

src/auth.ts

@@ -1,75 +1,149 @@
-import { createRemoteJWKSet, jwtVerify, type JWTPayload } from 'jose'
+import { createRemoteJWKSet, jwtVerify, type JWTPayload } from "jose";
-import { GraphQLError } from 'graphql'
+import { GraphQLError } from "graphql";
-import type { Request } from 'express'
+import type { Request } from "express";
-import { prisma } from './db.js'
+import { prisma } from "./db.js";
 
-const LOGTO_JWKS_URL = process.env.LOGTO_JWKS_URL || 'https://auth.optovia.ru/oidc/jwks'
+const LOGTO_JWKS_URL =
-const LOGTO_ISSUER = process.env.LOGTO_ISSUER || 'https://auth.optovia.ru/oidc'
+  process.env.LOGTO_JWKS_URL || "https://auth.optovia.ru/oidc/jwks";
-const LOGTO_TEAMS_AUDIENCE = process.env.LOGTO_TEAMS_AUDIENCE || 'https://teams.optovia.ru'
+const LOGTO_ISSUER = process.env.LOGTO_ISSUER || "https://auth.optovia.ru/oidc";
+const LOGTO_TEAMS_AUDIENCE =
+  process.env.LOGTO_TEAMS_AUDIENCE || "https://teams.optovia.ru";
 
-const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL))
+const jwks = createRemoteJWKSet(new URL(LOGTO_JWKS_URL));
 
 export interface AuthContext {
-  userId?: string
+  userId?: string;
-  teamUuid?: string
+  teamUuid?: string;
-  sessionToken?: string
+  sessionToken?: string;
-  scopes: string[]
+  scopes: string[];
-  isM2M?: boolean
+  isM2M?: boolean;
 }
 
-export const SESSION_TOKEN_PREFIX = 'optovia-session:'
+export const SESSION_TOKEN_PREFIX = "optovia-session:";
 
 function getBearerToken(req: Request): string {
-  const auth = req.headers.authorization || ''
+  const auth = req.headers.authorization || "";
-  if (!auth.startsWith('Bearer ')) throw new GraphQLError('Missing Bearer token', { extensions: { code: 'UNAUTHENTICATED' } })
+  if (!auth.startsWith("Bearer "))
-  const token = auth.slice(7)
+    throw new GraphQLError("Missing Bearer token", {
-  if (!token || token === 'undefined') throw new GraphQLError('Empty Bearer token', { extensions: { code: 'UNAUTHENTICATED' } })
+      extensions: { code: "UNAUTHENTICATED" },
-  return token
+    });
+  const token = auth.slice(7);
+  if (!token || token === "undefined")
+    throw new GraphQLError("Empty Bearer token", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
+  return token;
 }
 
 function optionalBearerToken(req: Request): string | null {
-  const auth = req.headers.authorization || ''
+  const auth = req.headers.authorization || "";
-  if (!auth.startsWith('Bearer ')) return null
+  if (!auth.startsWith("Bearer ")) return null;
-  const token = auth.slice(7)
+  const token = auth.slice(7);
-  if (!token || token === 'undefined') return null
+  if (!token || token === "undefined") return null;
-  return token
+  return token;
 }
 
 function scopesFromPayload(payload: JWTPayload): string[] {
-  const scope = payload.scope
+  const scope = payload.scope;
-  if (!scope) return []
+  if (!scope) return [];
-  if (typeof scope === 'string') return scope.split(' ')
+  if (typeof scope === "string") return scope.split(" ");
-  return []
+  if (Array.isArray(scope)) return scope as string[];
+  return [];
 }
 
-export async function publicContext(): Promise<AuthContext> { return { scopes: [] } }
+export async function publicContext(): Promise<AuthContext> {
+  return { scopes: [] };
+}
+
+function claimList(payload: JWTPayload, key: string): string[] {
+  const value = (payload as Record<string, unknown>)[key];
+  if (typeof value === "string") return value.split(" ");
+  if (Array.isArray(value))
+    return value.filter((item): item is string => typeof item === "string");
+  return [];
+}
+
+function hasManagerClaim(payload: JWTPayload): boolean {
+  const scopes = scopesFromPayload(payload);
+  return (
+    scopes.includes("manager") ||
+    claimList(payload, "roles").includes("manager") ||
+    claimList(payload, "permissions").includes("manager")
+  );
+}
 
 export async function userContext(req: Request): Promise<AuthContext> {
-  const token = optionalBearerToken(req)
+  const token = optionalBearerToken(req);
-  if (token === null) return { scopes: [] }
+  if (token === null) return { scopes: [] };
   if (token.startsWith(SESSION_TOKEN_PREFIX)) {
-    const session = await prisma.authSession.findUnique({ where: { token }, include: { user: true } })
+    const session = await prisma.authSession.findUnique({
-    if (session === null || session.revokedAt !== null || session.expiresAt <= new Date()) {
+      where: { token },
-      throw new GraphQLError('Session expired', { extensions: { code: 'UNAUTHENTICATED' } })
+      include: { user: true },
+    });
+    if (
+      session === null ||
+      session.revokedAt !== null ||
+      session.expiresAt <= new Date()
+    ) {
+      throw new GraphQLError("Session expired", {
+        extensions: { code: "UNAUTHENTICATED" },
+      });
     }
-    return { userId: session.user.username, sessionToken: token, scopes: ['teams:user'] }
+    return {
+      userId: session.user.username,
+      sessionToken: token,
+      scopes: ["teams:user"],
+    };
   }
-  const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER })
+  const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER });
-  return { userId: payload.sub, scopes: [] }
+  return { userId: payload.sub, scopes: scopesFromPayload(payload) };
+}
+
+export async function managerContext(req: Request): Promise<AuthContext> {
+  const token = getBearerToken(req);
+  const { payload } = await jwtVerify(token, jwks, {
+    issuer: LOGTO_ISSUER,
+    audience: LOGTO_TEAMS_AUDIENCE,
+  });
+  if (!payload.sub || !hasManagerClaim(payload)) {
+    throw new GraphQLError("Manager access required", {
+      extensions: { code: "FORBIDDEN" },
+    });
+  }
+  return {
+    userId: payload.sub,
+    teamUuid: (payload as Record<string, unknown>).team_uuid as
+      | string
+      | undefined,
+    scopes: [...new Set([...scopesFromPayload(payload), "manager"])],
+  };
 }
 
 export async function teamContext(req: Request): Promise<AuthContext> {
-  const token = getBearerToken(req)
+  const token = getBearerToken(req);
-  const { payload } = await jwtVerify(token, jwks, { issuer: LOGTO_ISSUER, audience: LOGTO_TEAMS_AUDIENCE })
+  const { payload } = await jwtVerify(token, jwks, {
-  const teamUuid = (payload as Record<string, unknown>).team_uuid as string | undefined
+    issuer: LOGTO_ISSUER,
-  const scopes = scopesFromPayload(payload)
+    audience: LOGTO_TEAMS_AUDIENCE,
-  if (!teamUuid || !scopes.includes('teams:member')) throw new GraphQLError('Unauthorized', { extensions: { code: 'UNAUTHENTICATED' } })
+  });
-  return { userId: payload.sub, teamUuid, scopes }
+  const teamUuid = (payload as Record<string, unknown>).team_uuid as
+    | string
+    | undefined;
+  const scopes = scopesFromPayload(payload);
+  if (!teamUuid || !scopes.includes("teams:member"))
+    throw new GraphQLError("Unauthorized", {
+      extensions: { code: "UNAUTHENTICATED" },
+    });
+  return { userId: payload.sub, teamUuid, scopes };
 }
 
-export async function m2mContext(): Promise<AuthContext> { return { scopes: [], isM2M: true } }
+export async function m2mContext(): Promise<AuthContext> {
+  return { scopes: [], isM2M: true };
+}
 
 export function requireScopes(ctx: AuthContext, ...required: string[]): void {
-  const missing = required.filter(s => !ctx.scopes.includes(s))
+  const missing = required.filter((s) => !ctx.scopes.includes(s));
-  if (missing.length > 0) throw new GraphQLError(`Missing required scopes: ${missing.join(', ')}`, { extensions: { code: 'FORBIDDEN' } })
+  if (missing.length > 0)
+    throw new GraphQLError(`Missing required scopes: ${missing.join(", ")}`, {
+      extensions: { code: "FORBIDDEN" },
+    });
 }

src/index.ts

@@ -6,8 +6,9 @@ import * as Sentry from '@sentry/node'
 import { publicTypeDefs, publicResolvers } from './schemas/public.js'
 import { userTypeDefs, userResolvers } from './schemas/user.js'
 import { teamTypeDefs, teamResolvers } from './schemas/team.js'
+import { managerTypeDefs, managerResolvers } from './schemas/manager.js'
 import { m2mTypeDefs, m2mResolvers } from './schemas/m2m.js'
-import { publicContext, userContext, teamContext, m2mContext, type AuthContext } from './auth.js'
+import { publicContext, userContext, teamContext, managerContext, m2mContext, type AuthContext } from './auth.js'
 
 const PORT = parseInt(process.env.PORT || '8000', 10)
 const SENTRY_DSN = process.env.SENTRY_DSN || ''
@@ -27,13 +28,15 @@ app.use(cors({ origin: ['https://optovia.ru'], credentials: true }))
 const publicServer = new ApolloServer<AuthContext>({ typeDefs: publicTypeDefs, resolvers: publicResolvers, introspection: true })
 const userServer = new ApolloServer<AuthContext>({ typeDefs: userTypeDefs, resolvers: userResolvers, introspection: true })
 const teamServer = new ApolloServer<AuthContext>({ typeDefs: teamTypeDefs, resolvers: teamResolvers, introspection: true })
+const managerServer = new ApolloServer<AuthContext>({ typeDefs: managerTypeDefs, resolvers: managerResolvers, introspection: true })
 const m2mServer = new ApolloServer<AuthContext>({ typeDefs: m2mTypeDefs, resolvers: m2mResolvers, introspection: true })
 
-await Promise.all([publicServer.start(), userServer.start(), teamServer.start(), m2mServer.start()])
+await Promise.all([publicServer.start(), userServer.start(), teamServer.start(), managerServer.start(), m2mServer.start()])
 
 app.use('/graphql/public', express.json(), expressMiddleware(publicServer, { context: async () => publicContext() }) as unknown as express.RequestHandler)
 app.use('/graphql/user', express.json(), expressMiddleware(userServer, { context: async ({ req }) => userContext(req as unknown as import('express').Request) }) as unknown as express.RequestHandler)
 app.use('/graphql/team', express.json(), expressMiddleware(teamServer, { context: async ({ req }) => teamContext(req as unknown as import('express').Request) }) as unknown as express.RequestHandler)
+app.use('/graphql/manager', express.json(), expressMiddleware(managerServer, { context: async ({ req }) => managerContext(req as unknown as import('express').Request) }) as unknown as express.RequestHandler)
 app.use('/graphql/m2m', express.json(), expressMiddleware(m2mServer, { context: async () => m2mContext() }) as unknown as express.RequestHandler)
 
 app.get('/health', (_, res) => { res.json({ status: 'ok' }) })
@@ -43,5 +46,6 @@ app.listen(PORT, '0.0.0.0', () => {
   console.log(`  /graphql/public  - public`)
   console.log(`  /graphql/user    - id token auth`)
   console.log(`  /graphql/team    - team access token auth`)
+  console.log(`  /graphql/manager - manager JWT auth`)
   console.log(`  /graphql/m2m     - internal services (no auth)`)
 })

src/schemas/manager.ts

@@ -0,0 +1,74 @@
+import { GraphQLError } from 'graphql'
+import { prisma } from '../db.js'
+import { requireScopes, type AuthContext } from '../auth.js'
+
+export const managerTypeDefs = `#graphql
+  type ManagerUser {
+    id: ID!
+    accountId: String
+    displayName: String
+    phone: String!
+    companyName: String
+    telegramGroupTitle: String
+    telegramNotificationsEnabled: Boolean!
+  }
+
+  type Query {
+    managerUsers: [ManagerUser!]!
+  }
+`
+
+function displayName(firstName: string, lastName: string, phone: string): string {
+  const name = `${firstName} ${lastName}`.trim()
+  return name.length > 0 ? name : phone
+}
+
+async function isManagerUser(userId: number): Promise<boolean> {
+  const user = await prisma.user.findUnique({ where: { id: userId } })
+  if (user === null) return false
+  if (user.isStaff || user.isSuperuser) return true
+  const managerMembership = await prisma.teamMember.findFirst({
+    where: { userId, role: { in: ['OWNER', 'MANAGER', 'ADMIN'] } },
+  })
+  return managerMembership !== null
+}
+
+async function requireManagerProfile(ctx: AuthContext) {
+  requireScopes(ctx, 'manager')
+  if (!ctx.userId) throw new GraphQLError('Not authenticated')
+  const profile = await prisma.userProfile.findUnique({
+    where: { logtoId: ctx.userId },
+    include: { user: true, activeTeam: true },
+  })
+  if (profile === null || !(await isManagerUser(profile.userId))) {
+    throw new GraphQLError('Manager access required', { extensions: { code: 'FORBIDDEN' } })
+  }
+  return profile
+}
+
+export const managerResolvers = {
+  Query: {
+    managerUsers: async (_: unknown, __: unknown, ctx: AuthContext) => {
+      const profile = await requireManagerProfile(ctx)
+      const members = await prisma.teamMember.findMany({
+        where: profile.activeTeamId === null ? {} : { teamId: profile.activeTeamId },
+        include: { user: { include: { profile: { include: { activeTeam: true } } } }, team: true },
+        orderBy: { joinedAt: 'desc' },
+      })
+      return members.filter(member => member.user !== null).map(member => {
+        const user = member.user!
+        const memberProfile = user.profile
+        const phone = memberProfile?.phone ?? ''
+        return {
+          id: member.uuid,
+          accountId: memberProfile?.logtoId ?? user.username,
+          displayName: displayName(user.firstName, user.lastName, phone),
+          phone,
+          companyName: member.team.name,
+          telegramGroupTitle: null,
+          telegramNotificationsEnabled: false,
+        }
+      })
+    },
+  },
+}

src/schemas/user.ts

@@ -1,11 +1,6 @@
-import { GraphQLError } from 'graphql'
+import { GraphQLError } from "graphql";
-import { randomBytes } from 'crypto'
+import { prisma } from "../db.js";
-import { prisma } from '../db.js'
+import { type AuthContext } from "../auth.js";
-import { SESSION_TOKEN_PREFIX, type AuthContext } from '../auth.js'
-
-const OTP_TTL_MINUTES = Number.parseInt(process.env.LOGIN_OTP_TTL_MINUTES || '10', 10)
-const SESSION_TTL_DAYS = Number.parseInt(process.env.LOGIN_SESSION_TTL_DAYS || '30', 10)
-const DEV_LOGIN_OTP_CODE = process.env.LOGIN_OTP_DEV_CODE || '000000'
 
 export const userTypeDefs = `#graphql
   type UserTeam {
@@ -23,50 +18,12 @@ export const userTypeDefs = `#graphql
     displayName: String
     phone: String
     avatarId: String
-    isAdmin: Boolean
+    isManager: Boolean
     activeTeamId: String
     activeTeam: UserTeam
     teams: [UserTeam]
   }
 
-  type AuthChallenge {
-    challengeType: String!
-    phone: String!
-    expiresAt: String!
-    codeForDev: String
-    totpConfigured: Boolean!
-  }
-
-  type AuthPayload {
-    token: String!
-    sessionExpiresAt: String!
-    user: User!
-  }
-
-  type ManagerUser {
-    id: ID!
-    accountId: String
-    displayName: String
-    phone: String!
-    companyName: String
-    telegramGroupTitle: String
-    telegramNotificationsEnabled: Boolean!
-  }
-
-  input RequestLoginOtpInput {
-    phone: String!
-  }
-
-  input VerifyLoginOtpInput {
-    phone: String!
-    code: String!
-  }
-
-  input AdminTotpLoginInput {
-    phone: String!
-    code: String!
-  }
-
   type TeamMemberInfo {
     uuid: String!
     role: String!
@@ -118,240 +75,233 @@ export const userTypeDefs = `#graphql
 
   type Query {
     me: User
-    managerUsers: [ManagerUser!]!
     getTeam(teamId: String!): TeamWithMembers
   }
 
   type Mutation {
-    requestLoginOtp(input: RequestLoginOtpInput!): AuthChallenge!
-    verifyLoginOtp(input: VerifyLoginOtpInput!): AuthPayload!
-    adminTotpLogin(input: AdminTotpLoginInput!): AuthPayload!
     logout: Boolean!
     createTeam(input: CreateTeamInput!): CreateTeamResult
     updateUser(userId: String!, input: UpdateUserInput!): UpdateUserResult
     switchTeam(teamId: String!): SwitchTeamResult
   }
-`
+`;
 
 async function getOrCreateProfile(logtoId: string) {
-  let profile = await prisma.userProfile.findUnique({ where: { logtoId: logtoId }, include: { user: true, activeTeam: true } })
+  let profile = await prisma.userProfile.findUnique({
+    where: { logtoId: logtoId },
+    include: { user: true, activeTeam: true },
+  });
   if (!profile) {
-    const user = await prisma.user.create({ data: { username: logtoId, firstName: '', lastName: '' } })
+    const user = await prisma.user.create({
+      data: { username: logtoId, firstName: "", lastName: "" },
+    });
     profile = await prisma.userProfile.create({
       data: { userId: user.id, logtoId: logtoId },
       include: { user: true, activeTeam: true },
-    })
+    });
   }
-  return profile
+  return profile;
 }
 
-function normalizePhone(phone: string): string {
+function displayName(
-  const normalized = phone.replace(/[^\d+]/g, '')
+  firstName: string,
-  if (normalized.length < 5) throw new GraphQLError('Invalid phone')
+  lastName: string,
-  return normalized
+  phone: string,
+): string {
+  const name = `${firstName} ${lastName}`.trim();
+  return name.length > 0 ? name : phone;
 }
 
-function displayName(firstName: string, lastName: string, phone: string): string {
+async function isManagerUser(userId: number): Promise<boolean> {
-  const name = `${firstName} ${lastName}`.trim()
+  const user = await prisma.user.findUnique({ where: { id: userId } });
-  return name.length > 0 ? name : phone
+  if (user === null) return false;
-}
+  if (user.isStaff || user.isSuperuser) return true;
-
-async function getOrCreateProfileByPhone(phone: string) {
-  const logtoId = `phone:${phone}`
-  const existing = await prisma.userProfile.findFirst({
-    where: { OR: [{ phone }, { logtoId }] },
-    include: { user: true, activeTeam: true },
-  })
-  if (existing !== null) return existing
-
-  const user = await prisma.user.create({ data: { username: logtoId, firstName: '', lastName: '' } })
-  return prisma.userProfile.create({
-    data: { userId: user.id, logtoId, phone },
-    include: { user: true, activeTeam: true },
-  })
-}
-
-async function isAdminUser(userId: number): Promise<boolean> {
-  const user = await prisma.user.findUnique({ where: { id: userId } })
-  if (user === null) return false
-  if (user.isStaff || user.isSuperuser) return true
   const managerMembership = await prisma.teamMember.findFirst({
-    where: { userId, role: { in: ['OWNER', 'MANAGER', 'ADMIN'] } },
+    where: { userId, role: { in: ["OWNER", "MANAGER", "ADMIN"] } },
-  })
+  });
-  return managerMembership !== null
+  return managerMembership !== null;
 }
 
-async function mapProfileUser(profile: Awaited<ReturnType<typeof getOrCreateProfile>>) {
+async function mapProfileUser(
-  const memberships = await prisma.teamMember.findMany({ where: { userId: profile.userId }, include: { team: true } })
+  profile: Awaited<ReturnType<typeof getOrCreateProfile>>,
+) {
+  const memberships = await prisma.teamMember.findMany({
+    where: { userId: profile.userId },
+    include: { team: true },
+  });
+  const isManager = await isManagerUser(profile.userId);
   return {
     id: profile.logtoId,
     firstName: profile.user.firstName,
     lastName: profile.user.lastName,
-    displayName: displayName(profile.user.firstName, profile.user.lastName, profile.phone),
+    displayName: displayName(
+      profile.user.firstName,
+      profile.user.lastName,
+      profile.phone,
+    ),
     phone: profile.phone,
     avatarId: profile.avatarId,
-    isAdmin: await isAdminUser(profile.userId),
+    isManager,
     activeTeamId: profile.activeTeam?.uuid ?? null,
-    activeTeam: profile.activeTeam ? { id: profile.activeTeam.uuid, name: profile.activeTeam.name, teamType: profile.activeTeam.teamType, logtoOrgId: profile.activeTeam.logtoOrgId, createdAt: profile.activeTeam.createdAt.toISOString() } : null,
+    activeTeam: profile.activeTeam
-    teams: memberships.map(m => ({ id: m.team.uuid, name: m.team.name, teamType: m.team.teamType, logtoOrgId: m.team.logtoOrgId, createdAt: m.team.createdAt.toISOString() })),
+      ? {
-  }
+          id: profile.activeTeam.uuid,
-}
+          name: profile.activeTeam.name,
-
+          teamType: profile.activeTeam.teamType,
-async function issueSession(userId: number) {
+          logtoOrgId: profile.activeTeam.logtoOrgId,
-  const token = `${SESSION_TOKEN_PREFIX}${randomBytes(32).toString('hex')}`
+          createdAt: profile.activeTeam.createdAt.toISOString(),
-  const expiresAt = new Date(Date.now() + SESSION_TTL_DAYS * 24 * 60 * 60 * 1000)
-  await prisma.authSession.create({ data: { token, userId, expiresAt } })
-  return { token, expiresAt }
-}
-
-async function verifyPhoneLogin(phone: string, code: string) {
-  const normalizedPhone = normalizePhone(phone)
-  const challenge = await prisma.loginChallenge.findFirst({
-    where: {
-      phone: normalizedPhone,
-      code,
-      usedAt: null,
-      expiresAt: { gt: new Date() },
-    },
-    orderBy: { createdAt: 'desc' },
-  })
-  if (challenge === null) throw new GraphQLError('Invalid login code')
-
-  await prisma.loginChallenge.update({ where: { id: challenge.id }, data: { usedAt: new Date() } })
-  const profile = await getOrCreateProfileByPhone(normalizedPhone)
-  const session = await issueSession(profile.userId)
-  return {
-    token: session.token,
-    sessionExpiresAt: session.expiresAt.toISOString(),
-    user: await mapProfileUser(profile),
         }
+      : null,
+    teams: memberships.map((m) => ({
+      id: m.team.uuid,
+      name: m.team.name,
+      teamType: m.team.teamType,
+      logtoOrgId: m.team.logtoOrgId,
+      createdAt: m.team.createdAt.toISOString(),
+    })),
+  };
 }
 
 export const userResolvers = {
   Query: {
     me: async (_: unknown, __: unknown, ctx: AuthContext) => {
-      if (!ctx.userId) throw new GraphQLError('Not authenticated')
+      if (!ctx.userId) throw new GraphQLError("Not authenticated");
-      const profile = await getOrCreateProfile(ctx.userId)
+      const profile = await getOrCreateProfile(ctx.userId);
-      return mapProfileUser(profile)
+      return mapProfileUser(profile);
-    },
-
-    managerUsers: async (_: unknown, __: unknown, ctx: AuthContext) => {
-      if (!ctx.userId) throw new GraphQLError('Not authenticated')
-      const profile = await getOrCreateProfile(ctx.userId)
-      if (!(await isAdminUser(profile.userId))) return []
-      const members = await prisma.teamMember.findMany({
-        where: profile.activeTeamId === null ? {} : { teamId: profile.activeTeamId },
-        include: { user: { include: { profile: { include: { activeTeam: true } } } }, team: true },
-        orderBy: { joinedAt: 'desc' },
-      })
-      return members.filter(member => member.user !== null).map(member => {
-        const user = member.user!
-        const memberProfile = user.profile
-        const phone = memberProfile?.phone ?? ''
-        return {
-          id: member.uuid,
-          accountId: memberProfile?.logtoId ?? user.username,
-          displayName: displayName(user.firstName, user.lastName, phone),
-          phone,
-          companyName: member.team.name,
-          telegramGroupTitle: null,
-          telegramNotificationsEnabled: false,
-        }
-      })
     },
 
     getTeam: async (_: unknown, args: { teamId: string }, ctx: AuthContext) => {
-      if (!ctx.userId) throw new GraphQLError('Not authenticated')
+      if (!ctx.userId) throw new GraphQLError("Not authenticated");
       const team = await prisma.team.findUnique({
         where: { uuid: args.teamId },
         include: {
           members: { include: { user: true } },
           invitations: true,
         },
-      })
+      });
-      if (!team) return null
+      if (!team) return null;
       return {
         uuid: team.uuid,
         name: team.name,
-        members: team.members.map(m => ({ uuid: m.uuid, role: m.role, joinedAt: m.joinedAt.toISOString() })),
+        members: team.members.map((m) => ({
-        invitations: team.invitations.map(i => ({
+          uuid: m.uuid,
-          uuid: i.uuid, email: i.email, role: i.role, status: i.status,
+          role: m.role,
-          invitedBy: i.invitedBy, expiresAt: i.expiresAt?.toISOString() ?? null,
+          joinedAt: m.joinedAt.toISOString(),
+        })),
+        invitations: team.invitations.map((i) => ({
+          uuid: i.uuid,
+          email: i.email,
+          role: i.role,
+          status: i.status,
+          invitedBy: i.invitedBy,
+          expiresAt: i.expiresAt?.toISOString() ?? null,
           createdAt: i.createdAt.toISOString(),
         })),
-      }
+      };
     },
   },
 
   Mutation: {
-    requestLoginOtp: async (_: unknown, args: { input: { phone: string } }) => {
-      const phone = normalizePhone(args.input.phone)
-      const expiresAt = new Date(Date.now() + OTP_TTL_MINUTES * 60 * 1000)
-      await prisma.loginChallenge.create({ data: { phone, code: DEV_LOGIN_OTP_CODE, expiresAt } })
-      return {
-        challengeType: 'otp',
-        phone,
-        expiresAt: expiresAt.toISOString(),
-        codeForDev: process.env.NODE_ENV === 'production' ? null : DEV_LOGIN_OTP_CODE,
-        totpConfigured: true,
-      }
-    },
-
-    verifyLoginOtp: async (_: unknown, args: { input: { phone: string; code: string } }) => {
-      return verifyPhoneLogin(args.input.phone, args.input.code)
-    },
-
-    adminTotpLogin: async (_: unknown, args: { input: { phone: string; code: string } }) => {
-      return verifyPhoneLogin(args.input.phone, args.input.code)
-    },
-
     logout: async (_: unknown, __: unknown, ctx: AuthContext) => {
       if (ctx.sessionToken !== undefined) {
-        await prisma.authSession.updateMany({ where: { token: ctx.sessionToken, revokedAt: null }, data: { revokedAt: new Date() } })
+        await prisma.authSession.updateMany({
+          where: { token: ctx.sessionToken, revokedAt: null },
+          data: { revokedAt: new Date() },
+        });
       }
-      return true
+      return true;
     },
 
-    createTeam: async (_: unknown, args: { input: { name: string; teamType?: string } }, ctx: AuthContext) => {
+    createTeam: async (
-      if (!ctx.userId) throw new GraphQLError('Not authenticated')
+      _: unknown,
-      const profile = await getOrCreateProfile(ctx.userId)
+      args: { input: { name: string; teamType?: string } },
+      ctx: AuthContext,
+    ) => {
+      if (!ctx.userId) throw new GraphQLError("Not authenticated");
+      const profile = await getOrCreateProfile(ctx.userId);
       const team = await prisma.team.create({
-        data: { name: args.input.name, teamType: args.input.teamType || 'BUYER', ownerId: profile.userId },
+        data: {
-      })
+          name: args.input.name,
-      await prisma.teamMember.create({ data: { teamId: team.id, userId: profile.userId, role: 'OWNER' } })
+          teamType: args.input.teamType || "BUYER",
-      await prisma.userProfile.update({ where: { id: profile.id }, data: { activeTeamId: team.id } })
+          ownerId: profile.userId,
+        },
+      });
+      await prisma.teamMember.create({
+        data: { teamId: team.id, userId: profile.userId, role: "OWNER" },
+      });
+      await prisma.userProfile.update({
+        where: { id: profile.id },
+        data: { activeTeamId: team.id },
+      });
 
       return {
-        team: { id: team.uuid, name: team.name, teamType: team.teamType, logtoOrgId: team.logtoOrgId, createdAt: team.createdAt.toISOString() },
+        team: {
+          id: team.uuid,
+          name: team.name,
+          teamType: team.teamType,
+          logtoOrgId: team.logtoOrgId,
+          createdAt: team.createdAt.toISOString(),
+        },
         success: true,
-      }
+      };
     },
 
-    updateUser: async (_: unknown, args: { userId: string; input: { firstName?: string; lastName?: string; phone?: string; avatarId?: string } }, ctx: AuthContext) => {
+    updateUser: async (
-      if (!ctx.userId) throw new GraphQLError('Not authenticated')
+      _: unknown,
-      const profile = await getOrCreateProfile(ctx.userId)
+      args: {
-      const userUpdate: Record<string, unknown> = {}
+        userId: string;
-      if (args.input.firstName !== undefined) userUpdate.firstName = args.input.firstName
+        input: {
-      if (args.input.lastName !== undefined) userUpdate.lastName = args.input.lastName
+          firstName?: string;
+          lastName?: string;
+          phone?: string;
+          avatarId?: string;
+        };
+      },
+      ctx: AuthContext,
+    ) => {
+      if (!ctx.userId) throw new GraphQLError("Not authenticated");
+      const profile = await getOrCreateProfile(ctx.userId);
+      const userUpdate: Record<string, unknown> = {};
+      if (args.input.firstName !== undefined)
+        userUpdate.firstName = args.input.firstName;
+      if (args.input.lastName !== undefined)
+        userUpdate.lastName = args.input.lastName;
       if (Object.keys(userUpdate).length > 0) {
-        await prisma.user.update({ where: { id: profile.userId }, data: userUpdate })
+        await prisma.user.update({
+          where: { id: profile.userId },
+          data: userUpdate,
+        });
       }
-      const profileUpdate: Record<string, unknown> = {}
+      const profileUpdate: Record<string, unknown> = {};
-      if (args.input.phone !== undefined) profileUpdate.phone = args.input.phone
+      if (args.input.phone !== undefined)
-      if (args.input.avatarId !== undefined) profileUpdate.avatarId = args.input.avatarId
+        profileUpdate.phone = args.input.phone;
+      if (args.input.avatarId !== undefined)
+        profileUpdate.avatarId = args.input.avatarId;
       if (Object.keys(profileUpdate).length > 0) {
-        await prisma.userProfile.update({ where: { id: profile.id }, data: profileUpdate })
+        await prisma.userProfile.update({
+          where: { id: profile.id },
+          data: profileUpdate,
+        });
       }
-      return { user: { id: ctx.userId }, success: true }
+      return { user: { id: ctx.userId }, success: true };
     },
 
-    switchTeam: async (_: unknown, args: { teamId: string }, ctx: AuthContext) => {
+    switchTeam: async (
-      if (!ctx.userId) throw new GraphQLError('Not authenticated')
+      _: unknown,
-      const profile = await getOrCreateProfile(ctx.userId)
+      args: { teamId: string },
-      const team = await prisma.team.findUnique({ where: { uuid: args.teamId } })
+      ctx: AuthContext,
-      if (!team) throw new GraphQLError('Team not found')
+    ) => {
-      await prisma.userProfile.update({ where: { id: profile.id }, data: { activeTeamId: team.id } })
+      if (!ctx.userId) throw new GraphQLError("Not authenticated");
-      return { success: true }
+      const profile = await getOrCreateProfile(ctx.userId);
+      const team = await prisma.team.findUnique({
+        where: { uuid: args.teamId },
+      });
+      if (!team) throw new GraphQLError("Team not found");
+      await prisma.userProfile.update({
+        where: { id: profile.id },
+        data: { activeTeamId: team.id },
+      });
+      return { success: true };
     },
   },
-}
+};