integrate logto on api

Author: saihaj

management-api/.dev.vars

@@ -2,3 +2,5 @@ SVIX_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MTc1OTg4NzIsImV4cCI
 SF_TOKEN="eyJhbGciOiJLTVNFUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjIwMzI5NTcyNjIsImp0aSI6Ijg4MGRlNTVkLTVjZDktNDY5MS04MDJjLTY1ZTBkMGI1NTgxOCIsImlhdCI6MTcxNzU5NzI2MiwiaXNzIjoiZGZ1c2UuaW8iLCJzdWIiOiIwem9qbzBmZjgxNDE5ZjA1ZTJjNjciLCJ2IjoxLCJha2kiOiJlMmZmMWFjMTZkMTczYmViYWJhNzkwZWU2OGY1YTJiOGZjZWYxMDFjODJhYTk5YmFmNzlmZjk4YzVmMGE0NGZiIiwidWlkIjoiMHpvam8wZmY4MTQxOWYwNWUyYzY3In0.Houp42QFgFbHPYzNw8ezbQ6k8YG8L82a3_SpeqWUt7agm1SHe4BqYkAp9Y23dCopoouFUQ1mXS_lpsPLrVTqIQ"
 GUILD_ADMIN_TOKEN="test"
 SUBSTREAM_LISTENER_HOST="http://localhost:4040"
+LOGTO_HOST="https://hokigy.logto.app"
+JWT_AUDIENCE="http://localhost:8787/graphql"

management-api/drizzle/0000_famous_hobgoblin.sql renamed to management-api/drizzle/0000_new_lyja.sql

@@ -9,7 +9,7 @@ CREATE TABLE `project` (
 	`id` text PRIMARY KEY NOT NULL,
 	`name` text NOT NULL,
 	`configuration` text NOT NULL,
-	`creator_id` integer NOT NULL,
+	`creator_id` text NOT NULL,
 	`organization_id` integer NOT NULL,
 	`created_at` integer DEFAULT (strftime('%s', 'now')),
 	`updated_at` integer DEFAULT (strftime('%s', 'now')),
@@ -18,14 +18,13 @@ CREATE TABLE `project` (
 );
 --> statement-breakpoint
 CREATE TABLE `user` (
-	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-	`name` text NOT NULL,
+	`id` text PRIMARY KEY NOT NULL,
 	`created_at` integer DEFAULT (strftime('%s', 'now')),
 	`updated_at` integer DEFAULT (strftime('%s', 'now'))
 );
 --> statement-breakpoint
 CREATE TABLE `users_to_organizations` (
-	`user_id` integer NOT NULL,
+	`user_id` text NOT NULL,
 	`organization_id` integer NOT NULL,
 	PRIMARY KEY(`organization_id`, `user_id`),
 	FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE no action ON DELETE no action,

management-api/drizzle/meta/0000_snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": "5",
   "dialect": "sqlite",
-  "id": "f863f5ee-aa68-422c-abbb-dd1bd42e6a20",
+  "id": "62b8f3b0-26d4-41ef-b2f0-8ad1e534587f",
   "prevId": "00000000-0000-0000-0000-000000000000",
   "tables": {
     "organization": {
@@ -69,7 +69,7 @@
         },
         "creator_id": {
           "name": "creator_id",
-          "type": "integer",
+          "type": "text",
           "primaryKey": false,
           "notNull": true,
           "autoincrement": false
@@ -133,15 +133,8 @@
       "columns": {
         "id": {
           "name": "id",
-          "type": "integer",
-          "primaryKey": true,
-          "notNull": true,
-          "autoincrement": true
-        },
-        "name": {
-          "name": "name",
           "type": "text",
-          "primaryKey": false,
+          "primaryKey": true,
           "notNull": true,
           "autoincrement": false
         },
@@ -172,7 +165,7 @@
       "columns": {
         "user_id": {
           "name": "user_id",
-          "type": "integer",
+          "type": "text",
           "primaryKey": false,
           "notNull": true,
           "autoincrement": false

management-api/drizzle/meta/_journal.json

@@ -5,8 +5,8 @@
     {
       "idx": 0,
       "version": "5",
-      "when": 1715030274652,
-      "tag": "0000_famous_hobgoblin",
+      "when": 1718830504856,
+      "tag": "0000_new_lyja",
       "breakpoints": true
     }
   ]

management-api/package.json

@@ -24,12 +24,14 @@
   "dependencies": {
     "@pothos/core": "^3.41.1",
     "@pothos/plugin-relay": "^3.46.0",
+    "@pothos/plugin-scope-auth": "^3.22.0",
     "@pothos/plugin-with-input": "^3.10.1",
     "drizzle-orm": "^0.30.10",
     "fets": "^0.8.0",
     "graphql": "^16.8.1",
     "graphql-scalars": "^1.23.0",
     "graphql-yoga": "^5.3.0",
+    "jose": "^5.4.1",
     "utils": "workspace:*",
     "uuid": "^9.0.1",
     "viem": "^2.9.31"

management-api/schema.graphql

@@ -53,14 +53,6 @@ scalar EthAddress
 
 type Mutation {
   createProject(input: CreateProjectInput!): CreateProjectPayload!
-  createUser(input: MutationCreateUserInput!): User!
-}
-
-input MutationCreateUserInput {
-  """
-  Name of the user
-  """
-  name: String!
 }
 
 interface Node {
@@ -119,7 +111,6 @@ User of the system
 """
 type User {
   id: ID!
-  name: String!
 }
 
 """

management-api/src/context.ts

@@ -1,5 +1,6 @@
 import { drizzle } from "drizzle-orm/d1";
 import { svixClient } from "./svix-api";
+import type * as dbSchema from "./db-schema";
 
 export interface Env {
   DB: D1Database;
@@ -8,9 +9,12 @@ export interface Env {
   SF_TOKEN: string;
   GUILD_ADMIN_TOKEN: string;
   SUBSTREAM_LISTENER_HOST: string;
+  LOGTO_HOST: string;
+  JWT_AUDIENCE: string;
 }
 
 export interface Context extends Env {
-  db: ReturnType<typeof drizzle>;
+  db: ReturnType<typeof drizzle<typeof dbSchema>>;
   svix: ReturnType<typeof svixClient>;
+  authUserId: string | null;
 }

management-api/src/db-schema.ts

@@ -9,8 +9,7 @@ import { v4 } from "uuid";
 import { relations, sql } from "drizzle-orm";
 
 export const user = sqliteTable("user", {
-  id: integer("id", { mode: "number" }).primaryKey({ autoIncrement: true }),
-  name: text("name").notNull(),
+  id: text("id").primaryKey(),
   createdAt: integer("created_at", { mode: "timestamp" }).default(
     sql`(strftime('%s', 'now'))`,
   ),
@@ -45,7 +44,7 @@ export const organizationRelations = relations(organization, ({ many }) => ({
 export const usersToOrgs = sqliteTable(
   "users_to_organizations",
   {
-    userId: integer("user_id")
+    userId: text("user_id")
       .notNull()
       .references(() => user.id),
     orgId: integer("organization_id")
@@ -78,7 +77,7 @@ export const project = sqliteTable(
     name: text("name").notNull(),
     // we store a zod processed objects. Allowing us more flexibility in the future
     configuration: text("configuration", { mode: "json" }).notNull(),
-    creator: integer("creator_id")
+    creator: text("creator_id")
       .references(() => user.id)
       .notNull(),
     organization: integer("organization_id")

management-api/src/index.ts

@@ -3,18 +3,83 @@ import { schema } from "./schema";
 import { drizzle } from "drizzle-orm/d1";
 import { Env } from "context";
 import { svixClient } from "svix-api";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import * as dbSchema from "./db-schema";
+import { eq } from "drizzle-orm";
 
 const yoga = createYoga<Env>({
   schema,
   maskedErrors: false,
-  context: (ctx) => {
+  context: async (ctx) => {
+    const db = drizzle(ctx.DB, {
+      schema: dbSchema,
+    });
+
+    const jwt = ctx.request.headers.get("authorization")?.split(" ")?.[1];
+    let authUserId: string | null = null;
+
+    if (jwt) {
+      const { payload } = await jwtVerify(
+        jwt, // The raw Bearer Token extracted from the request header
+        createRemoteJWKSet(new URL(`${ctx.LOGTO_HOST}/oidc/jwks`)), // generate a jwks using jwks_uri inquired from Logto server
+        {
+          issuer: `${ctx.LOGTO_HOST}/oidc`,
+          audience: ctx.JWT_AUDIENCE,
+        },
+      );
+
+      authUserId = payload.sub || null;
+
+      if (!authUserId) {
+        throw new Error("Missing sub in token");
+      }
+
+      const user = await db.query.user.findFirst({
+        where: eq(dbSchema.user.id, authUserId),
+      });
+
+      if (!user) {
+        const createOrg = await db
+          .insert(dbSchema.organization)
+          .values({
+            name: `${authUserId}'s Projects`,
+          })
+          .returning();
+
+        const createdOrg = createOrg[0];
+
+        if (!createdOrg) {
+          throw new Error("Unable to create organization");
+        }
+
+        const createUser = await db
+          .insert(dbSchema.user)
+          .values({
+            id: authUserId,
+          })
+          .returning();
+
+        const createdUser = createUser[0];
+
+        if (!createdUser) {
+          throw new Error("Unable to create user");
+        }
+
+        await db.insert(dbSchema.usersToOrgs).values({
+          userId: createdUser.id,
+          orgId: createdOrg.id,
+        });
+      }
+    }
+
     return {
       ...ctx,
       svix: svixClient({
         endpoint: ctx.SVIX_HOST,
         GUILD_ADMIN_TOKEN: ctx.GUILD_ADMIN_TOKEN,
       }),
-      db: drizzle(ctx.DB),
+      authUserId,
+      db,
     };
   },
 });

management-api/src/schema/project.ts

@@ -1,4 +1,4 @@
-import { project } from "../db-schema";
+import { project, user } from "../db-schema";
 import { builder, notEmpty } from "./utils";
 import { v4 as uuidv4 } from "uuid";
 import { ProjectConfigurationSchema, SUPPORTED_CHAINS } from "utils";
@@ -24,6 +24,7 @@ builder.node(Project, {
         ProjectConfigurationSchema.parse(obj.configuration).chain,
     }),
   }),
+
   loadOne: (id, { db }) =>
     db
       .select()
@@ -42,6 +43,9 @@ builder.queryField("projects", (t) => {
   return t.connection({
     type: Project,
     description: "List of projects",
+    authScopes: {
+      isAuthenticated: true,
+    },
     resolve: async (_parent, { first, after }, { db }) => {
       const limit = first ?? 10;
 
@@ -123,18 +127,26 @@ builder.relayMutationField(
     }),
   },
   {
+    authScopes: {
+      isAuthenticated: true,
+    },
     resolve: async (
       _parent,
       { input },
       {
         db,
+        authUserId,
         svix,
         SVIX_TOKEN,
         SF_TOKEN,
         GUILD_ADMIN_TOKEN,
         SUBSTREAM_LISTENER_HOST,
       },
     ) => {
+      if (!authUserId) {
+        throw new Error("User not authenticated");
+      }
+
       const configuration = await ProjectConfigurationSchema.safeParseAsync({
         ...input,
         webhookUrl: input.webhookUrl?.toString(),
@@ -183,14 +195,24 @@ builder.relayMutationField(
         throw new Error("Failed to register webhook");
       }
 
+      // For now we just have one organization that is user's default.
+      // TODO: rework this in future to handle multiple organizations
+      const org = await db.query.usersToOrgs.findFirst({
+        where: eq(user.id, authUserId),
+      });
+
+      if (!org) {
+        throw new Error("User is not part of any organization");
+      }
+
       const createdProj = await db
         .insert(project)
         .values({
           name: input.name,
           configuration: configuration.data,
-          creator: 1, // TODO: get from the context user
+          creator: authUserId,
           id,
-          organization: 1, // TODO: get from the context user
+          organization: org.orgId,
         })
         .returning();