ParabolInc · Dschoordsch · Mar 3, 2025
diff --git a/packages/server/graphql/private/mutations/loginMattermost.ts b/packages/server/graphql/private/mutations/loginMattermost.ts
@@ -0,0 +1,29 @@
+import AuthToken from '../../../database/types/AuthToken'
+import getKysely from '../../../postgres/getKysely'
+import encodeAuthToken from '../../../utils/encodeAuthToken'
+import {MutationResolvers} from '../resolverTypes'
+
+const loginMattermost: MutationResolvers['loginMattermost'] = async (
+  _source,
+  {email}
+) => {
+  const pg = getKysely()
+  const user = await pg
+    .selectFrom('User')
+    .selectAll()
+    .where('email', '=', email)
+    .executeTakeFirst()
+  if (!user) {
+    return {error: {message: 'Unknown user'}}
+  }
+  const {id: userId, tms} = user
+  const authToken = new AuthToken({sub: userId, tms})
+
+  return {
+    userId,
+    authToken: encodeAuthToken(authToken),
+    isNewUser: false
+  }
+}
+
+export default loginMattermost
diff --git a/packages/server/graphql/private/typeDefs/Mutation.graphql b/packages/server/graphql/private/typeDefs/Mutation.graphql
@@ -191,6 +191,21 @@ type Mutation {
     isDangerous: Boolean!
   ): String
 
+  """
+  add/remove a flag on an org asking them to pay
+  """
+  flagConversionModal(
+    """
+    true to turn the modal on, false to turn it off
+    """
+    active: Boolean!
+
+    """
+    the orgId to toggle the flag for
+    """
+    orgId: ID!
+  ): FlagConversionModalPayload
+
   """
   hard deletes a user and all its associated objects
   """
@@ -436,6 +451,16 @@ type Mutation {
     samlName: ID!
   ): UserLogInPayload!
 
+  """
+  Log in with email from a trusted Mattermost
+  """
+  loginMattermost(
+    """
+    The email of the user
+    """
+    email: Email!
+  ): UserLogInPayload!
+
   """
   Processes recurrence for meetings that should start and end.
   """

diff --git a/packages/server/integrations/mattermost/mattermostWebhookHandler.ts b/packages/server/integrations/mattermost/mattermostWebhookHandler.ts
@@ -1,30 +1,47 @@
 import {createVerifier, httpbis} from 'http-message-signatures'
 import {HttpRequest, HttpResponse} from 'uWebSockets.js'
 import appOrigin from '../../appOrigin'
-import AuthToken from '../../database/types/AuthToken'
 import uWSAsyncHandler from '../../graphql/uWSAsyncHandler'
 import parseBody from '../../parseBody'
-import getKysely from '../../postgres/getKysely'
+import publishWebhookGQL from '../../utils/publishWebhookGQL'
+import ConnectionContext from '../../socketHelpers/ConnectionContext'
+import uwsGetIP from '../../utils/uwsGetIP'
+import checkBlacklistJWT from '../../utils/checkBlacklistJWT'
+import activeClients from '../../activeClients'
+import handleConnect from '../../socketHandlers/handleConnect'
+import getVerifiedAuthToken from '../../utils/getVerifiedAuthToken'
 import encodeAuthToken from '../../utils/encodeAuthToken'
+import {MMSocket} from '../../socketHelpers/transports/MMSocket'
 
 const MATTERMOST_SECRET = process.env.MATTERMOST_SECRET
 
+
 const login = async (email: string) => {
-  const pg = getKysely()
-  const user = await pg
-    .selectFrom('User')
-    .selectAll()
-    .where('email', '=', email)
-    .executeTakeFirstOrThrow()
-  const authToken = new AuthToken({sub: user.id, tms: user.tms})
-  return encodeAuthToken(authToken)
+  const query = `
+    mutation LoginMattermost($email: String!) {
+      loginMattermost(email: $email) {
+        error {
+          message
+        }
+        authToken
+      }
+    }
+  `
+
+  const loginResult = await publishWebhookGQL<any>(query, {email})
+  const {authToken} = loginResult?.data?.loginMattermost ?? {}
+  return authToken as string
 }
 
 const mattermostWebhookHandler = uWSAsyncHandler(async (res: HttpResponse, req: HttpRequest) => {
   if (!MATTERMOST_SECRET) {
     res.writeStatus('404').end()
     return
   }
+
+  const ip = uwsGetIP(res, req)
+  const connectionId = req.getHeader('x-correlation-id')
+
   const headers = {
     'content-type': req.getHeader('content-type'),
     'content-digest': req.getHeader('content-digest'),
@@ -66,11 +83,26 @@ const mattermostWebhookHandler = uWSAsyncHandler(async (res: HttpResponse, req:
     return
   }
 
-  const authToken = await login(email)
+  const authToken = getVerifiedAuthToken(await login(email))
+
+  const connectionContext = new ConnectionContext(new MMSocket(connectionId), authToken, ip)
+  // TODO: Find a nicer solution to this. This is the easiest to multiplex the webhook in the MM-Plugin.
+  // If we don't use the client provided connectionId, the plugin would need to keep state to correlate userIDs with connectionIds.
+  // This might be superseeded once we establish the Parabol userId <-> Mattermost userId mapping on Parabol side.
+  connectionContext.id = connectionId
+  const {sub: userId, iat} = authToken
+  const isBlacklistedJWT = await checkBlacklistJWT(userId, iat)
+  if (isBlacklistedJWT) {
+    return
+  }
+
+  activeClients.set(connectionContext)
+  const nextAuthToken = await handleConnect(connectionContext)
+
   res
     .writeStatus('200')
     .writeHeader('Content-Type', 'application/json')
-    .end(JSON.stringify({authToken}))
+    .end(JSON.stringify({authToken: nextAuthToken ?? encodeAuthToken(authToken)}))
 })
 
 export default mattermostWebhookHandler