stacker.news/pages/api/graphql.js

import { ApolloServer } from '@apollo/server'
import { startServerAndCreateNextHandler } from '@as-integrations/next'
import resolvers from '@/api/resolvers'
import models from '@/api/models'
import lnd from '@/api/lnd'
import typeDefs from '@/api/typeDefs'
import { getServerSession } from 'next-auth/next'
import { getAuthOptions } from './auth/[...nextauth]'
import search from '@/api/search'
import {
  ApolloServerPluginLandingPageLocalDefault,
  ApolloServerPluginLandingPageProductionDefault
} from '@apollo/server/plugin/landingPage/default'

const apolloServer = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: true,
  plugins: [{
    requestDidStart (initialRequestContext) {
      return {
        executionDidStart () {
          return {
            willResolveField ({ source, args, context, info }) {
              const start = process.hrtime.bigint()
              return (error, result) => {
                const end = process.hrtime.bigint()
                const ms = (end - start) / 1000000n
                if (process.env.GRAPHQL_SLOW_LOGS_MS && ms > process.env.GRAPHQL_SLOW_LOGS_MS) {
                  console.log(`Field ${info.parentType.name}.${info.fieldName} took ${ms}ms`)
                }
                if (error) {
                  console.log(`Field ${info.parentType.name}.${info.fieldName} failed with ${error}`)
                }
              }
            },
            async executionDidEnd (err) {
              if (err) {
                console.error('hey bud', err)
              }
            }
          }
        }
      }
    }
  },
  process.env.NODE_ENV === 'production'
    ? ApolloServerPluginLandingPageProductionDefault(
      { embed: { endpointIsEditable: false, persistExplorerState: true, displayOptions: { theme: 'dark' } }, footer: false })
    : ApolloServerPluginLandingPageLocalDefault(
      { embed: { endpointIsEditable: false, persistExplorerState: true, displayOptions: { theme: 'dark' } }, footer: false })]
})

export default startServerAndCreateNextHandler(apolloServer, {
  context: async (req, res) => {
    const apiKey = req.headers['x-api-key']
    let session
    if (apiKey) {
      const [user] = await models.$queryRaw`
      SELECT id, name, "apiKeyEnabled"
      FROM users
      WHERE "apiKeyHash" = encode(digest(${apiKey}, 'sha256'), 'hex')
      LIMIT 1`
      if (user?.apiKeyEnabled) {
        const { apiKeyEnabled, ...sessionFields } = user
        session = { user: { ...sessionFields, apiKey: true } }
      }
    } else {
      req = multiAuthMiddleware(req)
      session = await getServerSession(req, res, getAuthOptions(req))
    }
    return {
      models,
      headers: req.headers,
      lnd,
      me: session
        ? session.user
        : null,
      search
    }
  }
})

function multiAuthMiddleware (request) {
  // switch next-auth session cookie with multi_auth cookie if cookie pointer present

  // is there a cookie pointer?
  const cookiePointerName = 'multi_auth.user-id'
  const hasCookiePointer = !!request.cookies[cookiePointerName]

  const secure = process.env.NODE_ENV === 'production'

  // is there a session?
  const sessionCookieName = secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
  const hasSession = !!request.cookies[sessionCookieName]

  if (!hasCookiePointer || !hasSession) {
    // no session or no cookie pointer. do nothing.
    return request
  }

  const userId = request.cookies[cookiePointerName]
  if (userId === 'anonymous') {
    // user switched to anon. only delete session cookie.
    delete request.cookies[sessionCookieName]
    return request
  }

  const userJWT = request.cookies[`multi_auth.${userId}`]
  if (!userJWT) {
    // no JWT for account switching found
    return request
  }

  if (userJWT) {
    // use JWT found in cookie pointed to by cookie pointer
    request.cookies[sessionCookieName] = userJWT
    return request
  }

  return request
}
Revert "Revert "shield your eyes; massive, squashed refactor; nextjs/react/react-dom/apollo upgrades"" This reverts commit 18910fa2ed470fe12ffbfb83df18e206101f0a05. 2023-07-23 15:08:43 +00:00			`import { ApolloServer } from '@apollo/server'`
			`import { startServerAndCreateNextHandler } from '@as-integrations/next'`
Use module path aliases (#938) * Use module path aliases * fix broken refactor * path mapping for svgs, style, and remaining places (bonus: lose babel dep) --------- Co-authored-by: keyan <keyan.kousha+huumn@gmail.com> 2024-03-20 00:37:31 +00:00			`import resolvers from '@/api/resolvers'`
			`import models from '@/api/models'`
			`import lnd from '@/api/lnd'`
			`import typeDefs from '@/api/typeDefs'`
upgrade to next-auth 4 (bonus: improve error pages) 2023-07-29 19:38:20 +00:00			`import { getServerSession } from 'next-auth/next'`
			`import { getAuthOptions } from './auth/[...nextauth]'`
Use module path aliases (#938) * Use module path aliases * fix broken refactor * path mapping for svgs, style, and remaining places (bonus: lose babel dep) --------- Co-authored-by: keyan <keyan.kousha+huumn@gmail.com> 2024-03-20 00:37:31 +00:00			`import search from '@/api/search'`
embed graphql sandbox 2023-11-21 22:46:03 +00:00			`import {`
			`ApolloServerPluginLandingPageLocalDefault,`
			`ApolloServerPluginLandingPageProductionDefault`
			`} from '@apollo/server/plugin/landingPage/default'`
begin working on db schema 2021-03-25 19:29:24 +00:00
refine module instantiation 2022-04-27 22:06:42 +00:00			`const apolloServer = new ApolloServer({`
begin working on db schema 2021-03-25 19:29:24 +00:00			`typeDefs,`
			`resolvers,`
enable prod graphql introspection 2023-11-22 15:16:40 +00:00			`introspection: true,`
a few perf enhancements + gql slowlogs 2022-04-28 18:11:05 +00:00			`plugins: [{`
			`requestDidStart (initialRequestContext) {`
			`return {`
upgrade to prisma 4 2023-07-27 00:18:42 +00:00			`executionDidStart () {`
a few perf enhancements + gql slowlogs 2022-04-28 18:11:05 +00:00			`return {`
			`willResolveField ({ source, args, context, info }) {`
			`const start = process.hrtime.bigint()`
			`return (error, result) => {`
			`const end = process.hrtime.bigint()`
			`const ms = (end - start) / 1000000n`
allow slog logs to be disabled/configured 2024-07-01 21:48:54 +00:00			`if (process.env.GRAPHQL_SLOW_LOGS_MS && ms > process.env.GRAPHQL_SLOW_LOGS_MS) {`
a few perf enhancements + gql slowlogs 2022-04-28 18:11:05 +00:00			console.log(`Field ${info.parentType.name}.${info.fieldName} took ${ms}ms`)
			`}`
			`if (error) {`
Revert "Revert "shield your eyes; massive, squashed refactor; nextjs/react/react-dom/apollo upgrades"" This reverts commit 18910fa2ed470fe12ffbfb83df18e206101f0a05. 2023-07-23 15:08:43 +00:00			console.log(`Field ${info.parentType.name}.${info.fieldName} failed with ${error}`)
a few perf enhancements + gql slowlogs 2022-04-28 18:11:05 +00:00			`}`
			`}`
upgrade to prisma 4 2023-07-27 00:18:42 +00:00			`},`
			`async executionDidEnd (err) {`
			`if (err) {`
			`console.error('hey bud', err)`
			`}`
a few perf enhancements + gql slowlogs 2022-04-28 18:11:05 +00:00			`}`
			`}`
			`}`
			`}`
			`}`
embed graphql sandbox 2023-11-21 22:46:03 +00:00			`},`
			`process.env.NODE_ENV === 'production'`
			`? ApolloServerPluginLandingPageProductionDefault(`
			`{ embed: { endpointIsEditable: false, persistExplorerState: true, displayOptions: { theme: 'dark' } }, footer: false })`
			`: ApolloServerPluginLandingPageLocalDefault(`
			`{ embed: { endpointIsEditable: false, persistExplorerState: true, displayOptions: { theme: 'dark' } }, footer: false })]`
Revert "Revert "shield your eyes; massive, squashed refactor; nextjs/react/react-dom/apollo upgrades"" This reverts commit 18910fa2ed470fe12ffbfb83df18e206101f0a05. 2023-07-23 15:08:43 +00:00			`})`

			`export default startServerAndCreateNextHandler(apolloServer, {`
upgrade to next-auth 4 (bonus: improve error pages) 2023-07-29 19:38:20 +00:00			`context: async (req, res) => {`
API Keys (#915) * Generate API key in settings * Check x-api-key for GraphQL API requests * Don't fallback to cookie if x-api-key header was provided * Select all session fields * Fix error if API key not found * Fix style in settings via form-label className --------- Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com> 2024-03-14 20:32:34 +00:00			`const apiKey = req.headers['x-api-key']`
			`let session`
			`if (apiKey) {`
Hash API keys with SHA-256 and never show them again 2024-03-26 18:26:09 +00:00			const [user] = await models.$queryRaw`
Store hashed and salted email addresses (#1111) * first pass of hashing user emails * use salt * add a salt to .env.development (prod salt needs to be kept a secret) * move `hashEmail` util to a new util module * trigger a one-time job to migrate existing emails via the worker so we can use the salt from an env var * move newsletter signup move newsletter signup to prisma adapter create user with email code path so we can still auto-enroll email accounts without having to persist the email address in plaintext * remove `email` from api key session lookup query * drop user email index before dropping column * restore email column, just null values instead * fix function name * fix salt and hash raw sql statement * update auth methods email type in typedefs from str to bool * remove todo comment * lowercase email before hashing during migration * check for emailHash and email to accommodate migration window update our lookups to check for a matching emailHash, and then a matching email, in that order, to accommodate the case that a user tries to login via email while the migration is running, and their account has not yet been migrated also update sndev to have a command `./sndev email` to launch the mailhog inbox in your browser also update `./sndev login` to hash the generated email address and insert it into the db record * update sndev help * update awards.csv * update the hack in next-auth to re-use the email supplied on input to `getUserByEmail` * consolidate console.error logs * create generic open command --------- Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com> Co-authored-by: keyan <keyan.kousha+huumn@gmail.com> 2024-05-04 23:06:15 +00:00			`SELECT id, name, "apiKeyEnabled"`
Hash API keys with SHA-256 and never show them again 2024-03-26 18:26:09 +00:00			`FROM users`
			`WHERE "apiKeyHash" = encode(digest(${apiKey}, 'sha256'), 'hex')`
			LIMIT 1`
API Keys (#915) * Generate API key in settings * Check x-api-key for GraphQL API requests * Don't fallback to cookie if x-api-key header was provided * Select all session fields * Fix error if API key not found * Fix style in settings via form-label className --------- Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com> 2024-03-14 20:32:34 +00:00			`if (user?.apiKeyEnabled) {`
			`const { apiKeyEnabled, ...sessionFields } = user`
			`session = { user: { ...sessionFields, apiKey: true } }`
			`}`
			`} else {`
Account Switching (#644) * WIP: Account switching * Fix empty USER query ANON_USER_ID was undefined and thus the query for @anon had no variables. * Apply multiAuthMiddleware in /api/graphql * Fix 'you must be logged in' query error on switch to anon * Add smart 'switch account' button "smart" means that it only shows if there are accounts to which one can switch * Fix multiAuth not set in backend * Comment fixes, minor changes * Use fw-bold instead of 'selected' * Close dropdown and offcanvas Inside a dropdown, we can rely on autoClose but need to wrap the buttons with <Dropdown.Item> for that to work. For the offcanvas, we need to pass down handleClose. * Use button to add account * Some pages require hard reload on account switch * Reinit settings form on account switch * Also don't refetch WalletHistory * Formatting * Use width: fit-content for standalone SignUpButton * Remove unused className * Use fw-bold and text-underline on selected * Fix inconsistent padding of login buttons * Fix duplicate redirect from /settings on anon switch * Never throw during refetch * Throw errors which extend GraphQLError * Only use meAnonSats if logged out * Use reactive variable for meAnonSats The previous commit broke the UI update after anon zaps because we actually updated item.meSats in the cache and not item.meAnonSats. Updating item.meAnonSats was not possible because it's a local field. For that, one needs to use reactive variables. We do this now and thus also don't need the useEffect hack in item-info.js anymore. * Switch to new user * Fix missing cleanup during logout If we logged in but never switched to any other account, the 'multi_auth.user-id' cookie was not set. This meant that during logout, the other 'multi_auth.' cookies were not deleted. This broke the account switch modal. This is fixed by setting the 'multi_auth.user-id' cookie on login. Additionally, we now cleanup if cookie pointer OR session is set (instead of only if both are set). Fix comments in middleware * Remove unnecessary effect dependencies setState is stable and thus only noise in effect dependencies * Show but disable unavailable auth methods * make signup button consistent with others * Always reload page on switch * refine account switch styling * logout barrier --------- Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com> Co-authored-by: k00b <k00b@stacker.news> 2024-09-12 18:05:11 +00:00			`req = multiAuthMiddleware(req)`
API Keys (#915) * Generate API key in settings * Check x-api-key for GraphQL API requests * Don't fallback to cookie if x-api-key header was provided * Select all session fields * Fix error if API key not found * Fix style in settings via form-label className --------- Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com> 2024-03-14 20:32:34 +00:00			`session = await getServerSession(req, res, getAuthOptions(req))`
			`}`
a bunch of increments 2021-04-12 18:05:09 +00:00			`return {`
			`models,`
gofac yourself 2023-12-14 17:30:51 +00:00			`headers: req.headers,`
add lightning 2021-04-29 21:58:43 +00:00			`lnd,`
add notification settings 2022-04-21 22:50:02 +00:00			`me: session`
add ln addr + lnurl pay qr code to profile pages 2022-05-06 19:32:20 +00:00			`? session.user`
add notification settings 2022-04-21 22:50:02 +00:00			`: null,`
remove slashtags temporarily 2023-08-17 00:48:45 +00:00			`search`
a bunch of increments 2021-04-12 18:05:09 +00:00			`}`
			`}`
begin working on db schema 2021-03-25 19:29:24 +00:00			`})`
Account Switching (#644) * WIP: Account switching * Fix empty USER query ANON_USER_ID was undefined and thus the query for @anon had no variables. * Apply multiAuthMiddleware in /api/graphql * Fix 'you must be logged in' query error on switch to anon * Add smart 'switch account' button "smart" means that it only shows if there are accounts to which one can switch * Fix multiAuth not set in backend * Comment fixes, minor changes * Use fw-bold instead of 'selected' * Close dropdown and offcanvas Inside a dropdown, we can rely on autoClose but need to wrap the buttons with <Dropdown.Item> for that to work. For the offcanvas, we need to pass down handleClose. * Use button to add account * Some pages require hard reload on account switch * Reinit settings form on account switch * Also don't refetch WalletHistory * Formatting * Use width: fit-content for standalone SignUpButton * Remove unused className * Use fw-bold and text-underline on selected * Fix inconsistent padding of login buttons * Fix duplicate redirect from /settings on anon switch * Never throw during refetch * Throw errors which extend GraphQLError * Only use meAnonSats if logged out * Use reactive variable for meAnonSats The previous commit broke the UI update after anon zaps because we actually updated item.meSats in the cache and not item.meAnonSats. Updating item.meAnonSats was not possible because it's a local field. For that, one needs to use reactive variables. We do this now and thus also don't need the useEffect hack in item-info.js anymore. * Switch to new user * Fix missing cleanup during logout If we logged in but never switched to any other account, the 'multi_auth.user-id' cookie was not set. This meant that during logout, the other 'multi_auth.' cookies were not deleted. This broke the account switch modal. This is fixed by setting the 'multi_auth.user-id' cookie on login. Additionally, we now cleanup if cookie pointer OR session is set (instead of only if both are set). Fix comments in middleware * Remove unnecessary effect dependencies setState is stable and thus only noise in effect dependencies * Show but disable unavailable auth methods * make signup button consistent with others * Always reload page on switch * refine account switch styling * logout barrier --------- Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com> Co-authored-by: k00b <k00b@stacker.news> 2024-09-12 18:05:11 +00:00
			`function multiAuthMiddleware (request) {`
			`// switch next-auth session cookie with multi_auth cookie if cookie pointer present`

			`// is there a cookie pointer?`
			`const cookiePointerName = 'multi_auth.user-id'`
			`const hasCookiePointer = !!request.cookies[cookiePointerName]`

Always set Secure for multi auth cookies in prod (#1404) 2024-09-13 18:00:16 +00:00			`const secure = process.env.NODE_ENV === 'production'`
Use X-Forwarded-Proto to detect scheme (#1403) 2024-09-13 17:27:52 +00:00
Account Switching (#644) * WIP: Account switching * Fix empty USER query ANON_USER_ID was undefined and thus the query for @anon had no variables. * Apply multiAuthMiddleware in /api/graphql * Fix 'you must be logged in' query error on switch to anon * Add smart 'switch account' button "smart" means that it only shows if there are accounts to which one can switch * Fix multiAuth not set in backend * Comment fixes, minor changes * Use fw-bold instead of 'selected' * Close dropdown and offcanvas Inside a dropdown, we can rely on autoClose but need to wrap the buttons with <Dropdown.Item> for that to work. For the offcanvas, we need to pass down handleClose. * Use button to add account * Some pages require hard reload on account switch * Reinit settings form on account switch * Also don't refetch WalletHistory * Formatting * Use width: fit-content for standalone SignUpButton * Remove unused className * Use fw-bold and text-underline on selected * Fix inconsistent padding of login buttons * Fix duplicate redirect from /settings on anon switch * Never throw during refetch * Throw errors which extend GraphQLError * Only use meAnonSats if logged out * Use reactive variable for meAnonSats The previous commit broke the UI update after anon zaps because we actually updated item.meSats in the cache and not item.meAnonSats. Updating item.meAnonSats was not possible because it's a local field. For that, one needs to use reactive variables. We do this now and thus also don't need the useEffect hack in item-info.js anymore. * Switch to new user * Fix missing cleanup during logout If we logged in but never switched to any other account, the 'multi_auth.user-id' cookie was not set. This meant that during logout, the other 'multi_auth.' cookies were not deleted. This broke the account switch modal. This is fixed by setting the 'multi_auth.user-id' cookie on login. Additionally, we now cleanup if cookie pointer OR session is set (instead of only if both are set). Fix comments in middleware * Remove unnecessary effect dependencies setState is stable and thus only noise in effect dependencies * Show but disable unavailable auth methods * make signup button consistent with others * Always reload page on switch * refine account switch styling * logout barrier --------- Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com> Co-authored-by: k00b <k00b@stacker.news> 2024-09-12 18:05:11 +00:00			`// is there a session?`
Use X-Forwarded-Proto to detect scheme (#1403) 2024-09-13 17:27:52 +00:00			`const sessionCookieName = secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'`
Account Switching (#644) * WIP: Account switching * Fix empty USER query ANON_USER_ID was undefined and thus the query for @anon had no variables. * Apply multiAuthMiddleware in /api/graphql * Fix 'you must be logged in' query error on switch to anon * Add smart 'switch account' button "smart" means that it only shows if there are accounts to which one can switch * Fix multiAuth not set in backend * Comment fixes, minor changes * Use fw-bold instead of 'selected' * Close dropdown and offcanvas Inside a dropdown, we can rely on autoClose but need to wrap the buttons with <Dropdown.Item> for that to work. For the offcanvas, we need to pass down handleClose. * Use button to add account * Some pages require hard reload on account switch * Reinit settings form on account switch * Also don't refetch WalletHistory * Formatting * Use width: fit-content for standalone SignUpButton * Remove unused className * Use fw-bold and text-underline on selected * Fix inconsistent padding of login buttons * Fix duplicate redirect from /settings on anon switch * Never throw during refetch * Throw errors which extend GraphQLError * Only use meAnonSats if logged out * Use reactive variable for meAnonSats The previous commit broke the UI update after anon zaps because we actually updated item.meSats in the cache and not item.meAnonSats. Updating item.meAnonSats was not possible because it's a local field. For that, one needs to use reactive variables. We do this now and thus also don't need the useEffect hack in item-info.js anymore. * Switch to new user * Fix missing cleanup during logout If we logged in but never switched to any other account, the 'multi_auth.user-id' cookie was not set. This meant that during logout, the other 'multi_auth.' cookies were not deleted. This broke the account switch modal. This is fixed by setting the 'multi_auth.user-id' cookie on login. Additionally, we now cleanup if cookie pointer OR session is set (instead of only if both are set). Fix comments in middleware * Remove unnecessary effect dependencies setState is stable and thus only noise in effect dependencies * Show but disable unavailable auth methods * make signup button consistent with others * Always reload page on switch * refine account switch styling * logout barrier --------- Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com> Co-authored-by: k00b <k00b@stacker.news> 2024-09-12 18:05:11 +00:00			`const hasSession = !!request.cookies[sessionCookieName]`

			`if (!hasCookiePointer \|\| !hasSession) {`
			`// no session or no cookie pointer. do nothing.`
			`return request`
			`}`

			`const userId = request.cookies[cookiePointerName]`
			`if (userId === 'anonymous') {`
			`// user switched to anon. only delete session cookie.`
			`delete request.cookies[sessionCookieName]`
			`return request`
			`}`

			const userJWT = request.cookies[`multi_auth.${userId}`]
			`if (!userJWT) {`
			`// no JWT for account switching found`
			`return request`
			`}`

			`if (userJWT) {`
			`// use JWT found in cookie pointed to by cookie pointer`
			`request.cookies[sessionCookieName] = userJWT`
			`return request`
			`}`

			`return request`
			`}`