refactor(public-api): replace HMAC token injection with direct GraphQL execution

idoshamun · claude · idoshamun · commit f8a7f9301b8d · 2026-02-02T20:00:43.000Z
Eliminates the security concern of using short-lived HMAC tokens with
fastify.inject() to bridge REST endpoints to GraphQL. Instead, the
public API now executes GraphQL queries directly using the already
authenticated FastifyRequest object.

Changes:
- Add executeGraphql utility that creates Context from the real request
- Export DataSource via fastify.con decoration for route handlers
- Update feed.ts and posts.ts routes to use direct execution
- Add con property to FastifyInstance type declaration

Benefits:
- No HMAC tokens needed for internal communication
- No HTTP request simulation via fastify.inject()
- Uses the actual authenticated request object (userId, isPlus already set)
- Cleaner trust boundary - PAT validates at entry, real request carries identity
- Query parsing is cached for performance

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/src/routes/public/feed.ts b/src/routes/public/feed.ts
@@ -1,5 +1,5 @@
 import type { FastifyInstance } from 'fastify';
-import { injectGraphql } from '../../compatibility/utils';
+import { executeGraphql } from './graphqlExecutor';
 
 interface FeedQuery {
   limit?: string;
@@ -130,8 +130,8 @@ export default async function (fastify: FastifyInstance): Promise<void> {
       const limit = Math.min(Math.max(1, parsedLimit), MAX_LIMIT);
       const { cursor } = request.query;
 
-      return injectGraphql(
-        fastify,
+      return executeGraphql(
+        fastify.con!,
         {
           query: FEED_QUERY,
           variables: {
@@ -140,7 +140,7 @@ export default async function (fastify: FastifyInstance): Promise<void> {
           },
         },
         (json) => {
-          const feed = (json as unknown as FeedResponse).data.feed;
+          const feed = (json as FeedResponse['data']).feed;
           return {
             data: feed.edges.map(({ node }) => node),
             pagination: {
diff --git a/src/routes/public/graphqlExecutor.ts b/src/routes/public/graphqlExecutor.ts
@@ -0,0 +1,93 @@
+import { execute, parse, DocumentNode, GraphQLError } from 'graphql';
+import type { FastifyRequest, FastifyReply } from 'fastify';
+import type { DataSource } from 'typeorm';
+import { Context } from '../../Context';
+import { schema } from '../../graphql';
+
+export interface GraphqlPayload {
+  query: string;
+  operationName?: string;
+  variables?: Record<string, unknown>;
+}
+
+// Cache for parsed queries to avoid re-parsing
+const queryCache = new Map<string, DocumentNode>();
+
+const parseQuery = (query: string): DocumentNode => {
+  const cached = queryCache.get(query);
+  if (cached) {
+    return cached;
+  }
+  const document = parse(query);
+  queryCache.set(query, document);
+  return document;
+};
+
+/**
+ * Execute GraphQL directly without HTTP injection.
+ * Uses the real FastifyRequest (already authenticated by PAT hook) to create the Context.
+ * This eliminates the need for HMAC tokens and fastify.inject().
+ */
+export const executeGraphql = async <T>(
+  con: DataSource,
+  payload: GraphqlPayload,
+  extractResponse: (obj: Record<string, unknown>) => T,
+  req: FastifyRequest,
+  res: FastifyReply,
+): Promise<FastifyReply> => {
+  // Create context from the REAL request (already has userId, isPlus from PAT auth hook)
+  const context = new Context(req, con);
+
+  // Parse the query (with caching for performance)
+  const document = parseQuery(payload.query);
+
+  // Execute GraphQL directly - no HTTP injection
+  const result = await execute({
+    schema,
+    document,
+    contextValue: context,
+    variableValues: payload.variables,
+    operationName: payload.operationName,
+  });
+
+  // Map GraphQL errors to HTTP status codes (same logic as injectGraphql)
+  if (result.errors?.length) {
+    const errors = result.errors as GraphQLError[];
+    const code = errors[0]?.extensions?.code;
+
+    if (code === 'UNAUTHENTICATED') {
+      return res.status(401).send({
+        error: 'unauthorized',
+        message: 'Authentication required',
+      });
+    }
+    if (code === 'FORBIDDEN') {
+      return res.status(403).send({
+        error: 'forbidden',
+        message: 'Access denied',
+      });
+    }
+    if (code === 'VALIDATION_ERROR' || code === 'GRAPHQL_VALIDATION_FAILED') {
+      return res.status(400).send({
+        error: 'validation_error',
+        message: errors[0]?.message || 'Invalid request',
+      });
+    }
+    if (code === 'NOT_FOUND') {
+      return res.status(404).send({
+        error: 'not_found',
+        message: errors[0]?.message || 'Resource not found',
+      });
+    }
+
+    // Unexpected errors
+    req.log.warn(
+      { graphqlResponse: result },
+      'unexpected graphql error when executing graphql request',
+    );
+    return res.status(500).send();
+  }
+
+  const resBody = extractResponse(result.data as Record<string, unknown>);
+  return res.status(resBody ? 200 : 204).send(resBody);
+};
diff --git a/src/routes/public/index.ts b/src/routes/public/index.ts
@@ -53,6 +53,9 @@ export default async function (
   fastify: FastifyInstance,
   con: DataSource,
 ): Promise<void> {
+  // Decorate fastify with the database connection for route handlers
+  fastify.decorate('con', con);
+
   // Register Swagger for OpenAPI documentation
   await fastify.register(fastifySwagger, {
     openapi: {
diff --git a/src/routes/public/posts.ts b/src/routes/public/posts.ts
@@ -1,5 +1,5 @@
 import type { FastifyInstance } from 'fastify';
-import { injectGraphql } from '../../compatibility/utils';
+import { executeGraphql } from './graphqlExecutor';
 
 interface PostParams {
   id: string;
@@ -108,14 +108,14 @@ export default async function (fastify: FastifyInstance): Promise<void> {
       // Auth middleware already validates the user, apiUserId is guaranteed
       const { id } = request.params;
 
-      return injectGraphql(
-        fastify,
+      return executeGraphql(
+        fastify.con!,
         {
           query: POST_QUERY,
           variables: { id },
         },
         (json) => {
-          const { post } = (json as unknown as PostQueryResponse).data;
+          const { post } = json as PostQueryResponse['data'];
           return { data: post };
         },
         request,
diff --git a/src/types.ts b/src/types.ts
@@ -114,6 +114,8 @@ declare module 'fastify' {
   interface FastifyInstance {
     // Used for tracing
     tracer?: opentelemetry.Tracer;
+    // Used for public API routes to access database
+    con?: import('typeorm').DataSource;
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,8 @@ declare module 'fastify' {`
`114`	`114`	`interface FastifyInstance {`
`115`	`115`	`// Used for tracing`
`116`	`116`	`tracer?: opentelemetry.Tracer;`
	`117`	`+ // Used for public API routes to access database`
	`118`	`+ con?: import('typeorm').DataSource;`
`117`	`119`	`}`
`118`	`120`	`}`
`119`	`121`