v12.0.0 - initial commit

packages/server/lib/new-admin/graphql/directives/auth.js

@@ -0,0 +1,53 @@
+const _ = require('lodash/fp')
+const { mapSchema, getDirective, MapperKind } = require('@graphql-tools/utils')
+const { defaultFieldResolver } = require('graphql')
+
+const { AuthenticationError } = require('../errors')
+
+function authDirectiveTransformer(schema, directiveName = 'auth') {
+  return mapSchema(schema, {
+    // For object types
+    [MapperKind.OBJECT_TYPE]: objectType => {
+      const directive = getDirective(schema, objectType, directiveName)?.[0]
+      if (directive) {
+        const requiredAuthRole = directive.requires
+        objectType._requiredAuthRole = requiredAuthRole
+      }
+      return objectType
+    },
+
+    // For field definitions
+    [MapperKind.OBJECT_FIELD]: (fieldConfig, _fieldName, typeName) => {
+      const directive = getDirective(schema, fieldConfig, directiveName)?.[0]
+      if (directive) {
+        const requiredAuthRole = directive.requires
+        fieldConfig._requiredAuthRole = requiredAuthRole
+      }
+
+      // Get the parent object type
+      const objectType = schema.getType(typeName)
+
+      // Apply auth check to the field's resolver
+      const { resolve = defaultFieldResolver } = fieldConfig
+      fieldConfig.resolve = function (root, args, context, info) {
+        const requiredRoles =
+          fieldConfig._requiredAuthRole || objectType._requiredAuthRole
+        if (!requiredRoles)
+          return resolve.apply(this, [root, args, context, info])
+
+        const user = context.req.session.user
+        if (!user || !_.includes(_.upperCase(user.role), requiredRoles)) {
+          throw new AuthenticationError(
+            'You do not have permission to access this resource!',
+          )
+        }
+
+        return resolve.apply(this, [root, args, context, info])
+      }
+
+      return fieldConfig
+    },
+  })
+}
+
+module.exports = authDirectiveTransformer

packages/server/lib/new-admin/graphql/directives/index.js

@@ -0,0 +1,3 @@
+const authDirectiveTransformer = require('./auth')
+
+module.exports = { authDirectiveTransformer }

packages/server/lib/new-admin/graphql/errors.js

@@ -0,0 +1,107 @@
+const { GraphQLError } = require('graphql')
+const { ApolloServerErrorCode } = require('@apollo/server/errors')
+
+class AuthenticationError extends GraphQLError {
+  constructor() {
+    super('Authentication failed', {
+      extensions: {
+        code: 'UNAUTHENTICATED',
+      },
+    })
+  }
+}
+
+class InvalidCredentialsError extends GraphQLError {
+  constructor() {
+    super('Invalid credentials', {
+      extensions: {
+        code: 'INVALID_CREDENTIALS',
+      },
+    })
+  }
+}
+
+class UserAlreadyExistsError extends GraphQLError {
+  constructor() {
+    super('User already exists', {
+      extensions: {
+        code: 'USER_ALREADY_EXISTS',
+      },
+    })
+  }
+}
+
+class InvalidTwoFactorError extends GraphQLError {
+  constructor() {
+    super('Invalid two-factor code', {
+      extensions: {
+        code: 'INVALID_TWO_FACTOR_CODE',
+      },
+    })
+  }
+}
+
+class InvalidUrlError extends GraphQLError {
+  constructor() {
+    super('Invalid URL token', {
+      extensions: {
+        code: 'INVALID_URL_TOKEN',
+      },
+    })
+  }
+}
+
+class UserInputError extends GraphQLError {
+  constructor() {
+    super('User input error', {
+      extensions: {
+        code: ApolloServerErrorCode.BAD_USER_INPUT,
+      },
+    })
+  }
+}
+
+class ResourceNotFoundError extends GraphQLError {
+  constructor(details = {}) {
+    super('Resource not found', {
+      extensions: {
+        code: 'RESOURCE_NOT_FOUND',
+        ...details,
+      },
+    })
+  }
+}
+
+class ResourceAlreadyExistsError extends GraphQLError {
+  constructor(details = {}) {
+    super('Resource already exists', {
+      extensions: {
+        code: 'RESOURCE_ALREADY_EXISTS',
+        ...details,
+      },
+    })
+  }
+}
+
+class ResourceHasDependenciesError extends GraphQLError {
+  constructor(details = {}) {
+    super('Resource has dependencies', {
+      extensions: {
+        code: 'RESOURCE_HAS_DEPENDENCIES',
+        ...details,
+      },
+    })
+  }
+}
+
+module.exports = {
+  AuthenticationError,
+  InvalidCredentialsError,
+  UserAlreadyExistsError,
+  InvalidTwoFactorError,
+  InvalidUrlError,
+  UserInputError,
+  ResourceNotFoundError,
+  ResourceAlreadyExistsError,
+  ResourceHasDependenciesError,
+}

packages/server/lib/new-admin/graphql/modules/authentication/FIDO2FAStrategy.js

@@ -0,0 +1,199 @@
+const simpleWebauthn = require('@simplewebauthn/server')
+const base64url = require('base64url')
+const _ = require('lodash/fp')
+
+const userManagement = require('../userManagement')
+const credentials = require('../../../../hardware-credentials')
+const T = require('../../../../time')
+const users = require('../../../../users')
+
+const devMode = require('minimist')(process.argv.slice(2)).dev
+
+const REMEMBER_ME_AGE = 90 * T.day
+
+const generateAttestationOptions = (session, options) => {
+  return users
+    .getUserById(options.userId)
+    .then(user => {
+      return Promise.all([
+        credentials.getHardwareCredentialsByUserId(user.id),
+        user,
+      ])
+    })
+    .then(([userDevices, user]) => {
+      const opts = simpleWebauthn.generateAttestationOptions({
+        rpName: 'Lamassu',
+        rpID: options.domain,
+        userName: user.username,
+        userID: user.id,
+        timeout: 60000,
+        attestationType: 'indirect',
+        excludeCredentials: userDevices.map(dev => ({
+          id: dev.data.credentialID,
+          type: 'public-key',
+          transports: ['usb', 'ble', 'nfc', 'internal'],
+        })),
+        authenticatorSelection: {
+          userVerification: 'discouraged',
+          requireResidentKey: false,
+        },
+      })
+
+      session.webauthn = {
+        attestation: {
+          challenge: opts.challenge,
+        },
+      }
+
+      return opts
+    })
+}
+
+const generateAssertionOptions = (session, options) => {
+  return userManagement
+    .authenticateUser(options.username, options.password)
+    .then(user => {
+      return credentials
+        .getHardwareCredentialsByUserId(user.id)
+        .then(devices => {
+          const opts = simpleWebauthn.generateAssertionOptions({
+            timeout: 60000,
+            allowCredentials: devices.map(dev => ({
+              id: dev.data.credentialID,
+              type: 'public-key',
+              transports: ['usb', 'ble', 'nfc', 'internal'],
+            })),
+            userVerification: 'discouraged',
+            rpID: options.domain,
+          })
+
+          session.webauthn = {
+            assertion: {
+              challenge: opts.challenge,
+            },
+          }
+
+          return opts
+        })
+    })
+}
+
+const validateAttestation = (session, options) => {
+  const webauthnData = session.webauthn.attestation
+  const expectedChallenge = webauthnData.challenge
+
+  return Promise.all([
+    users.getUserById(options.userId),
+    simpleWebauthn.verifyAttestationResponse({
+      credential: options.attestationResponse,
+      expectedChallenge: `${expectedChallenge}`,
+      expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
+      expectedRPID: options.domain,
+    }),
+  ]).then(([user, verification]) => {
+    const { verified, attestationInfo } = verification
+
+    if (!(verified || attestationInfo)) {
+      session.webauthn = null
+      return false
+    }
+
+    const { counter, credentialPublicKey, credentialID } = attestationInfo
+
+    return credentials
+      .getHardwareCredentialsByUserId(user.id)
+      .then(userDevices => {
+        const existingDevice = userDevices.find(
+          device => device.data.credentialID === credentialID,
+        )
+
+        if (!existingDevice) {
+          const newDevice = {
+            counter,
+            credentialPublicKey,
+            credentialID,
+          }
+          credentials.createHardwareCredential(user.id, newDevice)
+        }
+
+        session.webauthn = null
+        return verified
+      })
+  })
+}
+
+const validateAssertion = (session, options) => {
+  return userManagement
+    .authenticateUser(options.username, options.password)
+    .then(user => {
+      const expectedChallenge = session.webauthn.assertion.challenge
+
+      return credentials
+        .getHardwareCredentialsByUserId(user.id)
+        .then(devices => {
+          const dbAuthenticator = _.find(dev => {
+            return (
+              Buffer.from(dev.data.credentialID).compare(
+                base64url.toBuffer(options.assertionResponse.rawId),
+              ) === 0
+            )
+          }, devices)
+
+          if (!dbAuthenticator.data) {
+            throw new Error(
+              `Could not find authenticator matching ${options.assertionResponse.id}`,
+            )
+          }
+
+          const convertedAuthenticator = _.merge(dbAuthenticator.data, {
+            credentialPublicKey: Buffer.from(
+              dbAuthenticator.data.credentialPublicKey,
+            ),
+          })
+
+          let verification
+          try {
+            verification = simpleWebauthn.verifyAssertionResponse({
+              credential: options.assertionResponse,
+              expectedChallenge: `${expectedChallenge}`,
+              expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
+              expectedRPID: options.domain,
+              authenticator: convertedAuthenticator,
+            })
+          } catch (err) {
+            console.error(err)
+            return false
+          }
+
+          const { verified, assertionInfo } = verification
+
+          if (!verified) {
+            session.webauthn = null
+            return false
+          }
+
+          dbAuthenticator.data.counter = assertionInfo.newCounter
+          return credentials
+            .updateHardwareCredential(dbAuthenticator)
+            .then(() => {
+              const finalUser = {
+                id: user.id,
+                username: user.username,
+                role: user.role,
+              }
+              session.user = finalUser
+              if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
+
+              session.webauthn = null
+              return verified
+            })
+        })
+    })
+}
+
+module.exports = {
+  generateAttestationOptions,
+  generateAssertionOptions,
+  validateAttestation,
+  validateAssertion,
+}

packages/server/lib/new-admin/graphql/modules/authentication/FIDOPasswordlessStrategy.js

@@ -0,0 +1,187 @@
+const simpleWebauthn = require('@simplewebauthn/server')
+const base64url = require('base64url')
+const _ = require('lodash/fp')
+
+const credentials = require('../../../../hardware-credentials')
+const T = require('../../../../time')
+const users = require('../../../../users')
+
+const devMode = require('minimist')(process.argv.slice(2)).dev
+
+const REMEMBER_ME_AGE = 90 * T.day
+
+const generateAttestationOptions = (session, options) => {
+  return users
+    .getUserById(options.userId)
+    .then(user => {
+      return Promise.all([
+        credentials.getHardwareCredentialsByUserId(user.id),
+        user,
+      ])
+    })
+    .then(([userDevices, user]) => {
+      const opts = simpleWebauthn.generateAttestationOptions({
+        rpName: 'Lamassu',
+        rpID: options.domain,
+        userName: user.username,
+        userID: user.id,
+        timeout: 60000,
+        attestationType: 'indirect',
+        excludeCredentials: userDevices.map(dev => ({
+          id: dev.data.credentialID,
+          type: 'public-key',
+          transports: ['usb', 'ble', 'nfc', 'internal'],
+        })),
+        authenticatorSelection: {
+          userVerification: 'discouraged',
+          requireResidentKey: false,
+        },
+      })
+
+      session.webauthn = {
+        attestation: {
+          challenge: opts.challenge,
+        },
+      }
+
+      return opts
+    })
+}
+
+const generateAssertionOptions = (session, options) => {
+  return users.getUserByUsername(options.username).then(user => {
+    return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
+      const opts = simpleWebauthn.generateAssertionOptions({
+        timeout: 60000,
+        allowCredentials: devices.map(dev => ({
+          id: dev.data.credentialID,
+          type: 'public-key',
+          transports: ['usb', 'ble', 'nfc', 'internal'],
+        })),
+        userVerification: 'discouraged',
+        rpID: options.domain,
+      })
+
+      session.webauthn = {
+        assertion: {
+          challenge: opts.challenge,
+        },
+      }
+
+      return opts
+    })
+  })
+}
+
+const validateAttestation = (session, options) => {
+  const webauthnData = session.webauthn.attestation
+  const expectedChallenge = webauthnData.challenge
+
+  return Promise.all([
+    users.getUserById(options.userId),
+    simpleWebauthn.verifyAttestationResponse({
+      credential: options.attestationResponse,
+      expectedChallenge: `${expectedChallenge}`,
+      expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
+      expectedRPID: options.domain,
+    }),
+  ]).then(([user, verification]) => {
+    const { verified, attestationInfo } = verification
+
+    if (!(verified || attestationInfo)) {
+      session.webauthn = null
+      return false
+    }
+
+    const { counter, credentialPublicKey, credentialID } = attestationInfo
+
+    return credentials
+      .getHardwareCredentialsByUserId(user.id)
+      .then(userDevices => {
+        const existingDevice = userDevices.find(
+          device => device.data.credentialID === credentialID,
+        )
+
+        if (!existingDevice) {
+          const newDevice = {
+            counter,
+            credentialPublicKey,
+            credentialID,
+          }
+          credentials.createHardwareCredential(user.id, newDevice)
+        }
+
+        session.webauthn = null
+        return verified
+      })
+  })
+}
+
+const validateAssertion = (session, options) => {
+  return users.getUserByUsername(options.username).then(user => {
+    const expectedChallenge = session.webauthn.assertion.challenge
+
+    return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
+      const dbAuthenticator = _.find(dev => {
+        return (
+          Buffer.from(dev.data.credentialID).compare(
+            base64url.toBuffer(options.assertionResponse.rawId),
+          ) === 0
+        )
+      }, devices)
+
+      if (!dbAuthenticator.data) {
+        throw new Error(
+          `Could not find authenticator matching ${options.assertionResponse.id}`,
+        )
+      }
+
+      const convertedAuthenticator = _.merge(dbAuthenticator.data, {
+        credentialPublicKey: Buffer.from(
+          dbAuthenticator.data.credentialPublicKey,
+        ),
+      })
+
+      let verification
+      try {
+        verification = simpleWebauthn.verifyAssertionResponse({
+          credential: options.assertionResponse,
+          expectedChallenge: `${expectedChallenge}`,
+          expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
+          expectedRPID: options.domain,
+          authenticator: convertedAuthenticator,
+        })
+      } catch (err) {
+        console.error(err)
+        return false
+      }
+
+      const { verified, assertionInfo } = verification
+
+      if (!verified) {
+        return false
+      }
+
+      dbAuthenticator.data.counter = assertionInfo.newCounter
+      return credentials.updateHardwareCredential(dbAuthenticator).then(() => {
+        const finalUser = {
+          id: user.id,
+          username: user.username,
+          role: user.role,
+        }
+        session.user = finalUser
+        if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
+
+        session.webauthn = null
+        return verified
+      })
+    })
+  })
+}
+
+module.exports = {
+  generateAttestationOptions,
+  generateAssertionOptions,
+  validateAttestation,
+  validateAssertion,
+}

packages/server/lib/new-admin/graphql/modules/authentication/FIDOUsernamelessStrategy.js

@@ -0,0 +1,193 @@
+const simpleWebauthn = require('@simplewebauthn/server')
+const base64url = require('base64url')
+const _ = require('lodash/fp')
+
+const credentials = require('../../../../hardware-credentials')
+const T = require('../../../../time')
+const users = require('../../../../users')
+
+const devMode = require('minimist')(process.argv.slice(2)).dev
+
+const REMEMBER_ME_AGE = 90 * T.day
+
+const generateAttestationOptions = (session, options) => {
+  return credentials.getHardwareCredentials().then(devices => {
+    const opts = simpleWebauthn.generateAttestationOptions({
+      rpName: 'Lamassu',
+      rpID: options.domain,
+      userName: `Usernameless user created at ${new Date().toISOString()}`,
+      userID: options.userId,
+      timeout: 60000,
+      attestationType: 'direct',
+      excludeCredentials: devices.map(dev => ({
+        id: dev.data.credentialID,
+        type: 'public-key',
+        transports: ['usb', 'ble', 'nfc', 'internal'],
+      })),
+      authenticatorSelection: {
+        authenticatorAttachment: 'cross-platform',
+        userVerification: 'discouraged',
+        requireResidentKey: false,
+      },
+    })
+
+    session.webauthn = {
+      attestation: {
+        challenge: opts.challenge,
+      },
+    }
+
+    return opts
+  })
+}
+
+const generateAssertionOptions = (session, options) => {
+  return credentials.getHardwareCredentials().then(devices => {
+    const opts = simpleWebauthn.generateAssertionOptions({
+      timeout: 60000,
+      allowCredentials: devices.map(dev => ({
+        id: dev.data.credentialID,
+        type: 'public-key',
+        transports: ['usb', 'ble', 'nfc', 'internal'],
+      })),
+      userVerification: 'discouraged',
+      rpID: options.domain,
+    })
+
+    session.webauthn = {
+      assertion: {
+        challenge: opts.challenge,
+      },
+    }
+    return opts
+  })
+}
+
+const validateAttestation = (session, options) => {
+  const webauthnData = session.webauthn.attestation
+  const expectedChallenge = webauthnData.challenge
+
+  return Promise.all([
+    users.getUserById(options.userId),
+    simpleWebauthn.verifyAttestationResponse({
+      credential: options.attestationResponse,
+      expectedChallenge: `${expectedChallenge}`,
+      expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
+      expectedRPID: options.domain,
+    }),
+  ]).then(([user, verification]) => {
+    const { verified, attestationInfo } = verification
+
+    if (!(verified || attestationInfo)) {
+      session.webauthn = null
+      return verified
+    }
+
+    const {
+      fmt,
+      counter,
+      aaguid,
+      credentialPublicKey,
+      credentialID,
+      credentialType,
+      userVerified,
+      attestationObject,
+    } = attestationInfo
+
+    return credentials
+      .getHardwareCredentialsByUserId(user.id)
+      .then(userDevices => {
+        const existingDevice = userDevices.find(
+          device => device.data.credentialID === credentialID,
+        )
+
+        if (!existingDevice) {
+          const newDevice = {
+            fmt,
+            counter,
+            aaguid,
+            credentialPublicKey,
+            credentialID,
+            credentialType,
+            userVerified,
+            attestationObject,
+          }
+          credentials.createHardwareCredential(user.id, newDevice)
+        }
+
+        session.webauthn = null
+        return verified
+      })
+  })
+}
+
+const validateAssertion = (session, options) => {
+  const expectedChallenge = session.webauthn.assertion.challenge
+
+  return credentials.getHardwareCredentials().then(devices => {
+    const dbAuthenticator = _.find(dev => {
+      return (
+        Buffer.from(dev.data.credentialID).compare(
+          base64url.toBuffer(options.assertionResponse.rawId),
+        ) === 0
+      )
+    }, devices)
+
+    if (!dbAuthenticator.data) {
+      throw new Error(
+        `Could not find authenticator matching ${options.assertionResponse.id}`,
+      )
+    }
+
+    const convertedAuthenticator = _.merge(dbAuthenticator.data, {
+      credentialPublicKey: Buffer.from(
+        dbAuthenticator.data.credentialPublicKey,
+      ),
+    })
+
+    let verification
+    try {
+      verification = simpleWebauthn.verifyAssertionResponse({
+        credential: options.assertionResponse,
+        expectedChallenge: `${expectedChallenge}`,
+        expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
+        expectedRPID: options.domain,
+        authenticator: convertedAuthenticator,
+      })
+    } catch (err) {
+      console.error(err)
+      return false
+    }
+
+    const { verified, assertionInfo } = verification
+
+    if (!verified) {
+      session.webauthn = null
+      return false
+    }
+
+    dbAuthenticator.data.counter = assertionInfo.newCounter
+    return Promise.all([
+      credentials.updateHardwareCredential(dbAuthenticator),
+      users.getUserById(dbAuthenticator.user_id),
+    ]).then(([, user]) => {
+      const finalUser = {
+        id: user.id,
+        username: user.username,
+        role: user.role,
+      }
+      session.user = finalUser
+      session.cookie.maxAge = REMEMBER_ME_AGE
+
+      session.webauthn = null
+      return verified
+    })
+  })
+}
+
+module.exports = {
+  generateAttestationOptions,
+  generateAssertionOptions,
+  validateAttestation,
+  validateAssertion,
+}

packages/server/lib/new-admin/graphql/modules/authentication/index.js

@@ -0,0 +1,17 @@
+const FIDO2FA = require('./FIDO2FAStrategy')
+const FIDOPasswordless = require('./FIDOPasswordlessStrategy')
+const FIDOUsernameless = require('./FIDOUsernamelessStrategy')
+
+const STRATEGIES = {
+  FIDO2FA,
+  FIDOPasswordless,
+  FIDOUsernameless,
+}
+
+// FIDO2FA, FIDOPasswordless or FIDOUsernameless
+const CHOSEN_STRATEGY = 'FIDO2FA'
+
+module.exports = {
+  CHOSEN_STRATEGY,
+  strategy: STRATEGIES[CHOSEN_STRATEGY],
+}

packages/server/lib/new-admin/graphql/modules/userManagement.js

@@ -0,0 +1,312 @@
+const otplib = require('otplib')
+const argon2 = require('argon2')
+const _ = require('lodash/fp')
+
+const constants = require('../../../constants')
+const authTokens = require('../../../auth-tokens')
+const loginHelper = require('../../services/login')
+const T = require('../../../time')
+const users = require('../../../users')
+const sessionManager = require('../../../session-manager')
+const authErrors = require('../errors')
+const credentials = require('../../../hardware-credentials')
+
+const REMEMBER_ME_AGE = 90 * T.day
+
+const authenticateUser = (username, password) => {
+  return users
+    .getUserByUsername(username)
+    .then(user => {
+      const hashedPassword = user.password
+      if (!hashedPassword || !user.enabled)
+        throw new authErrors.InvalidCredentialsError()
+      return Promise.all([
+        argon2.verify(hashedPassword, password),
+        hashedPassword,
+      ])
+    })
+    .then(([isMatch, hashedPassword]) => {
+      if (!isMatch) throw new authErrors.InvalidCredentialsError()
+      return loginHelper.validateUser(username, hashedPassword)
+    })
+    .then(user => {
+      if (!user) throw new authErrors.InvalidCredentialsError()
+      return user
+    })
+}
+
+const destroySessionIfSameUser = (context, user) => {
+  const sessionUser = getUserFromCookie(context)
+  if (sessionUser && user.id === sessionUser.id) {
+    context.req.session.destroy()
+  }
+}
+
+const destroySessionIfBeingUsed = (sessID, context) => {
+  if (sessID === context.req.session.id) {
+    context.req.session.destroy()
+  }
+}
+
+const getUserFromCookie = context => {
+  return context.req.session.user
+}
+
+const getLamassuCookie = context => {
+  return context.req.cookies && context.req.cookies.lamassu_sid
+}
+
+const initializeSession = (context, user, rememberMe) => {
+  const finalUser = { id: user.id, username: user.username, role: user.role }
+  context.req.session.user = finalUser
+  if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
+}
+
+const executeProtectedAction = (code, id, context, action) => {
+  return users.getUserById(id).then(user => {
+    if (user.role !== 'superuser') {
+      return action()
+    }
+
+    return confirm2FA(code, context).then(() => action())
+  })
+}
+
+const getUserData = context => {
+  const lidCookie = getLamassuCookie(context)
+  if (!lidCookie) return
+
+  const user = getUserFromCookie(context)
+  return user
+}
+
+const get2FASecret = (username, password) => {
+  return authenticateUser(username, password)
+    .then(user => {
+      const secret = otplib.authenticator.generateSecret()
+      const otpauth = otplib.authenticator.keyuri(
+        user.username,
+        constants.AUTHENTICATOR_ISSUER_ENTITY,
+        secret,
+      )
+      return Promise.all([
+        users.saveTemp2FASecret(user.id, secret),
+        secret,
+        otpauth,
+      ])
+    })
+    .then(([, secret, otpauth]) => {
+      return { secret, otpauth }
+    })
+}
+
+const confirm2FA = (token, context) => {
+  const requestingUser = getUserFromCookie(context)
+
+  if (!requestingUser) throw new authErrors.InvalidCredentialsError()
+
+  return users.getUserById(requestingUser.id).then(user => {
+    const secret = user.twofa_code
+    const isCodeValid = otplib.authenticator.verify({ token, secret })
+
+    if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
+    return true
+  })
+}
+
+const validateRegisterLink = token => {
+  if (!token) throw new authErrors.InvalidUrlError()
+  return users.validateUserRegistrationToken(token).then(r => {
+    if (!r.success) throw new authErrors.InvalidUrlError()
+    return { username: r.username, role: r.role }
+  })
+}
+
+const validateResetPasswordLink = token => {
+  if (!token) throw new authErrors.InvalidUrlError()
+  return users.validateAuthToken(token, 'reset_password').then(r => {
+    if (!r.success) throw new authErrors.InvalidUrlError()
+    return { id: r.userID }
+  })
+}
+
+const validateReset2FALink = token => {
+  if (!token) throw new authErrors.InvalidUrlError()
+  return users
+    .validateAuthToken(token, 'reset_twofa')
+    .then(r => {
+      if (!r.success) throw new authErrors.InvalidUrlError()
+      return users.getUserById(r.userID)
+    })
+    .then(user => {
+      const secret = otplib.authenticator.generateSecret()
+      const otpauth = otplib.authenticator.keyuri(
+        user.username,
+        constants.AUTHENTICATOR_ISSUER_ENTITY,
+        secret,
+      )
+      return Promise.all([
+        users.saveTemp2FASecret(user.id, secret),
+        user,
+        secret,
+        otpauth,
+      ])
+    })
+    .then(([, user, secret, otpauth]) => {
+      return { user_id: user.id, secret, otpauth }
+    })
+}
+
+const deleteSession = (sessionID, context) => {
+  destroySessionIfBeingUsed(sessionID, context)
+  return sessionManager.deleteSessionById(sessionID)
+}
+
+const login = (username, password) => {
+  return authenticateUser(username, password)
+    .then(user => {
+      return Promise.all([
+        credentials.getHardwareCredentialsByUserId(user.id),
+        user.twofa_code,
+      ])
+    })
+    .then(([devices, twoFASecret]) => {
+      if (!_.isEmpty(devices)) return 'FIDO'
+      return twoFASecret ? 'INPUT2FA' : 'SETUP2FA'
+    })
+}
+
+const input2FA = (username, password, rememberMe, code, context) => {
+  return authenticateUser(username, password).then(user => {
+    const secret = user.twofa_code
+    const isCodeValid = otplib.authenticator.verify({
+      token: code,
+      secret: secret,
+    })
+    if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
+
+    initializeSession(context, user, rememberMe)
+    return true
+  })
+}
+
+const setup2FA = (
+  username,
+  password,
+  rememberMe,
+  codeConfirmation,
+  context,
+) => {
+  return authenticateUser(username, password)
+    .then(user => {
+      const isCodeValid = otplib.authenticator.verify({
+        token: codeConfirmation,
+        secret: user.temp_twofa_code,
+      })
+      if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
+
+      initializeSession(context, user, rememberMe)
+      return users.save2FASecret(user.id, user.temp_twofa_code)
+    })
+    .then(() => true)
+}
+
+const changeUserRole = (code, id, newRole, context) => {
+  const action = () => users.changeUserRole(id, newRole)
+  return executeProtectedAction(code, id, context, action)
+}
+
+const enableUser = (code, id, context) => {
+  const action = () => users.enableUser(id)
+  return executeProtectedAction(code, id, context, action)
+}
+
+const disableUser = (code, id, context) => {
+  const action = () => users.disableUser(id)
+  return executeProtectedAction(code, id, context, action)
+}
+
+const createResetPasswordToken = (code, userID, context) => {
+  const action = () => authTokens.createAuthToken(userID, 'reset_password')
+  return executeProtectedAction(code, userID, context, action)
+}
+
+const createReset2FAToken = (code, userID, context) => {
+  const action = () => authTokens.createAuthToken(userID, 'reset_twofa')
+  return executeProtectedAction(code, userID, context, action)
+}
+
+const createRegisterToken = (username, role) => {
+  return users.getUserByUsername(username).then(user => {
+    if (user) throw new authErrors.UserAlreadyExistsError()
+
+    return users.createUserRegistrationToken(username, role)
+  })
+}
+
+const register = (token, username, password, role) => {
+  return users.getUserByUsername(username).then(user => {
+    if (user) throw new authErrors.UserAlreadyExistsError()
+    return users.register(token, username, password, role).then(() => true)
+  })
+}
+
+const resetPassword = (token, userID, newPassword, context) => {
+  return users
+    .getUserById(userID)
+    .then(user => {
+      destroySessionIfSameUser(context, user)
+      return users.updatePassword(token, user.id, newPassword)
+    })
+    .then(() => true)
+}
+
+const reset2FA = (token, userID, code, context) => {
+  return users
+    .getUserById(userID)
+    .then(user => {
+      const isCodeValid = otplib.authenticator.verify({
+        token: code,
+        secret: user.temp_twofa_code,
+      })
+      if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
+
+      destroySessionIfSameUser(context, user)
+      return users.reset2FASecret(token, user.id, user.temp_twofa_code)
+    })
+    .then(() => true)
+}
+
+const getToken = context => {
+  if (
+    _.isNil(context.req.cookies['lamassu_sid']) ||
+    _.isNil(context.req.session.user.id)
+  )
+    throw new authErrors.AuthenticationError('Authentication failed')
+
+  return context.req.session.user.id
+}
+
+module.exports = {
+  authenticateUser,
+  getUserData,
+  get2FASecret,
+  confirm2FA,
+  validateRegisterLink,
+  validateResetPasswordLink,
+  validateReset2FALink,
+  deleteSession,
+  login,
+  input2FA,
+  setup2FA,
+  changeUserRole,
+  enableUser,
+  disableUser,
+  createResetPasswordToken,
+  createReset2FAToken,
+  createRegisterToken,
+  register,
+  resetPassword,
+  reset2FA,
+  getToken,
+}

packages/server/lib/new-admin/graphql/resolvers/bill.resolver.js

@@ -0,0 +1,9 @@
+const bills = require('../../services/bills')
+
+const resolvers = {
+  Query: {
+    bills: (...[, { filters }]) => bills.getBills(filters),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/blacklist.resolver.js

@@ -0,0 +1,18 @@
+const blacklist = require('../../../blacklist')
+
+const resolvers = {
+  Query: {
+    blacklist: () => blacklist.getBlacklist(),
+    blacklistMessages: () => blacklist.getMessages(),
+  },
+  Mutation: {
+    deleteBlacklistRow: (...[, { address }]) =>
+      blacklist.deleteFromBlacklist(address),
+    insertBlacklistRow: (...[, { address }]) =>
+      blacklist.insertIntoBlacklist(address),
+    editBlacklistMessage: (...[, { id, content }]) =>
+      blacklist.editBlacklistMessage(id, content),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/cashbox.resolver.js

@@ -0,0 +1,25 @@
+const { parseAsync } = require('json2csv')
+const cashbox = require('../../../cashbox-batches')
+const logDateFormat = require('../../../logs').logDateFormat
+
+const resolvers = {
+  Query: {
+    cashboxBatches: () => cashbox.getBatches(),
+    cashboxBatchesCsv: (...[, { from, until, timezone }]) =>
+      cashbox
+        .getBatches(from, until)
+        .then(data =>
+          parseAsync(
+            logDateFormat(timezone, cashbox.logFormatter(data), ['created']),
+          ),
+        ),
+  },
+  Mutation: {
+    createBatch: (...[, { deviceId, cashboxCount }]) =>
+      cashbox.createCashboxBatch(deviceId, cashboxCount),
+    editBatch: (...[, { id, performedBy }]) =>
+      cashbox.editBatchById(id, performedBy),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/config.resolver.js

@@ -0,0 +1,15 @@
+const {
+  accounts: accountsConfig,
+  countries,
+  languages,
+} = require('../../config')
+
+const resolver = {
+  Query: {
+    countries: () => countries,
+    languages: () => languages,
+    accountsConfig: () => accountsConfig,
+  },
+}
+
+module.exports = resolver

packages/server/lib/new-admin/graphql/resolvers/currency.resolver.js

@@ -0,0 +1,10 @@
+const { coins, currencies } = require('../../config')
+
+const resolver = {
+  Query: {
+    currencies: () => currencies,
+    cryptoCurrencies: () => coins,
+  },
+}
+
+module.exports = resolver

packages/server/lib/new-admin/graphql/resolvers/customInfoRequests.resolver.js

@@ -0,0 +1,56 @@
+const authentication = require('../modules/userManagement')
+const queries = require('../../services/customInfoRequests')
+const DataLoader = require('dataloader')
+
+const customerCustomInfoRequestsLoader = new DataLoader(
+  ids => queries.batchGetAllCustomInfoRequestsForCustomer(ids),
+  { cache: false },
+)
+
+const customInfoRequestLoader = new DataLoader(
+  ids => queries.batchGetCustomInfoRequest(ids),
+  { cache: false },
+)
+
+const resolvers = {
+  Customer: {
+    customInfoRequests: parent =>
+      customerCustomInfoRequestsLoader.load(parent.id),
+  },
+  CustomRequestData: {
+    customInfoRequest: parent =>
+      customInfoRequestLoader.load(parent.infoRequestId),
+  },
+  Query: {
+    customInfoRequests: (...[, { onlyEnabled }]) =>
+      queries.getCustomInfoRequests(onlyEnabled),
+    customerCustomInfoRequests: (...[, { customerId }]) =>
+      queries.getAllCustomInfoRequestsForCustomer(customerId),
+    customerCustomInfoRequest: (...[, { customerId, infoRequestId }]) =>
+      queries.getCustomInfoRequestForCustomer(customerId, infoRequestId),
+  },
+  Mutation: {
+    insertCustomInfoRequest: (...[, { customRequest }]) =>
+      queries.addCustomInfoRequest(customRequest),
+    removeCustomInfoRequest: (...[, { id }]) =>
+      queries.removeCustomInfoRequest(id),
+    editCustomInfoRequest: (...[, { id, customRequest }]) =>
+      queries.editCustomInfoRequest(id, customRequest),
+    setAuthorizedCustomRequest: (
+      ...[, { customerId, infoRequestId, override }, context]
+    ) => {
+      const token = authentication.getToken(context)
+      return queries.setAuthorizedCustomRequest(
+        customerId,
+        infoRequestId,
+        override,
+        token,
+      )
+    },
+    setCustomerCustomInfoRequest: (
+      ...[, { customerId, infoRequestId, data }]
+    ) => queries.setCustomerData(customerId, infoRequestId, data),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/customer.resolver.js

@@ -0,0 +1,84 @@
+const authentication = require('../modules/userManagement')
+const anonymous = require('../../../constants').anonymousCustomer
+const customers = require('../../../customers')
+const customerNotes = require('../../../customer-notes')
+const machineLoader = require('../../../machine-loader')
+const {
+  customers: { searchCustomers },
+} = require('typesafe-db')
+
+const addLastUsedMachineName = customer =>
+  (customer.lastUsedMachine
+    ? machineLoader.getMachineName(customer.lastUsedMachine)
+    : Promise.resolve(null)
+  ).then(lastUsedMachineName =>
+    Object.assign(customer, { lastUsedMachineName }),
+  )
+
+const resolvers = {
+  Customer: {
+    isAnonymous: parent => parent.customerId === anonymous.uuid,
+  },
+  Query: {
+    customers: () => customers.getCustomersList(),
+    customer: (...[, { customerId }]) =>
+      customers.getCustomerById(customerId).then(addLastUsedMachineName),
+    searchCustomers: (...[, { searchTerm, limit = 20 }]) =>
+      searchCustomers(searchTerm, limit),
+  },
+  Mutation: {
+    setCustomer: (root, { customerId, customerInput }, context) => {
+      const token = authentication.getToken(context)
+      if (customerId === anonymous.uuid)
+        return customers.getCustomerById(customerId)
+      return customers.updateCustomer(customerId, customerInput, token)
+    },
+    addCustomField: (...[, { customerId, label, value }]) =>
+      customers.addCustomField(customerId, label, value),
+    saveCustomField: (...[, { customerId, fieldId, value }]) =>
+      customers.saveCustomField(customerId, fieldId, value),
+    removeCustomField: (...[, [{ customerId, fieldId }]]) =>
+      customers.removeCustomField(customerId, fieldId),
+    editCustomer: async (root, { customerId, customerEdit }, context) => {
+      const token = authentication.getToken(context)
+      const editedData = await customerEdit
+      return customers.edit(customerId, editedData, token)
+    },
+    replacePhoto: async (
+      root,
+      { customerId, photoType, newPhoto },
+      context,
+    ) => {
+      const token = authentication.getToken(context)
+      const { file } = newPhoto
+      const photo = await file
+      if (!photo) return customers.getCustomerById(customerId)
+      return customers
+        .updateEditedPhoto(customerId, photo, photoType)
+        .then(newPatch => customers.edit(customerId, newPatch, token))
+    },
+    deleteEditedData: (root, { customerId }) => {
+      // TODO: NOT IMPLEMENTING THIS FEATURE FOR THE CURRENT VERSION
+      return customers.getCustomerById(customerId)
+    },
+    createCustomerNote: (...[, { customerId, title, content }, context]) => {
+      const token = authentication.getToken(context)
+      return customerNotes.createCustomerNote(customerId, token, title, content)
+    },
+    editCustomerNote: (...[, { noteId, newContent }, context]) => {
+      const token = authentication.getToken(context)
+      return customerNotes.updateCustomerNote(noteId, token, newContent)
+    },
+    deleteCustomerNote: (...[, { noteId }]) => {
+      return customerNotes.deleteCustomerNote(noteId)
+    },
+    createCustomer: (...[, { phoneNumber }]) =>
+      customers.add({ phone: phoneNumber }),
+    enableTestCustomer: (...[, { customerId }]) =>
+      customers.enableTestCustomer(customerId),
+    disableTestCustomer: (...[, { customerId }]) =>
+      customers.disableTestCustomer(customerId),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/funding.resolver.js

@@ -0,0 +1,9 @@
+const funding = require('../../services/funding')
+
+const resolvers = {
+  Query: {
+    funding: () => funding.getFunding(),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/index.js

@@ -0,0 +1,57 @@
+const { mergeResolvers } = require('@graphql-tools/merge')
+
+const bill = require('./bill.resolver')
+const blacklist = require('./blacklist.resolver')
+const cashbox = require('./cashbox.resolver')
+const config = require('./config.resolver')
+const currency = require('./currency.resolver')
+const customer = require('./customer.resolver')
+const customInfoRequests = require('./customInfoRequests.resolver')
+const funding = require('./funding.resolver')
+const log = require('./log.resolver')
+const loyalty = require('./loyalty.resolver')
+const machine = require('./machine.resolver')
+const machineGroups = require('./machineGroups.resolver')
+const market = require('./market.resolver')
+const notification = require('./notification.resolver')
+const pairing = require('./pairing.resolver')
+const rates = require('./rates.resolver')
+const sanctions = require('./sanctions.resolver')
+const scalar = require('./scalar.resolver')
+const settings = require('./settings.resolver')
+const sms = require('./sms.resolver')
+const status = require('./status.resolver')
+const transaction = require('./transaction.resolver')
+const user = require('./users.resolver')
+const version = require('./version.resolver')
+const triggers = require('./triggers.resolver')
+
+const resolvers = [
+  bill,
+  blacklist,
+  cashbox,
+  config,
+  currency,
+  customer,
+  customInfoRequests,
+  funding,
+  log,
+  loyalty,
+  machine,
+  machineGroups,
+  market,
+  notification,
+  pairing,
+  rates,
+  sanctions,
+  scalar,
+  settings,
+  sms,
+  status,
+  transaction,
+  user,
+  version,
+  triggers,
+]
+
+module.exports = mergeResolvers(resolvers)

packages/server/lib/new-admin/graphql/resolvers/log.resolver.js

@@ -0,0 +1,29 @@
+const { parseAsync } = require('json2csv')
+
+const logs = require('../../../logs')
+const serverLogs = require('../../services/server-logs')
+
+const resolvers = {
+  Query: {
+    machineLogs: (...[, { deviceId, from, until, limit, offset }]) =>
+      logs.simpleGetMachineLogs(deviceId, from, until, limit, offset),
+    machineLogsCsv: (
+      ...[, { deviceId, from, until, limit, offset, timezone }]
+    ) =>
+      logs
+        .simpleGetMachineLogs(deviceId, from, until, limit, offset)
+        .then(res =>
+          parseAsync(logs.logDateFormat(timezone, res, ['timestamp'])),
+        ),
+    serverLogs: (...[, { from, until, limit, offset }]) =>
+      serverLogs.getServerLogs(from, until, limit, offset),
+    serverLogsCsv: (...[, { from, until, limit, offset, timezone }]) =>
+      serverLogs
+        .getServerLogs(from, until, limit, offset)
+        .then(res =>
+          parseAsync(logs.logDateFormat(timezone, res, ['timestamp'])),
+        ),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/loyalty.resolver.js

@@ -0,0 +1,32 @@
+const DataLoader = require('dataloader')
+
+const loyalty = require('../../../loyalty')
+const { getSlimCustomerByIdBatch } = require('../../../customers')
+
+const customerLoader = new DataLoader(
+  ids => {
+    return getSlimCustomerByIdBatch(ids)
+  },
+  { cache: false },
+)
+
+const resolvers = {
+  IndividualDiscount: {
+    customer: parent => customerLoader.load(parent.customerId),
+  },
+  Query: {
+    promoCodes: () => loyalty.getAvailablePromoCodes(),
+    individualDiscounts: () => loyalty.getAvailableIndividualDiscounts(),
+  },
+  Mutation: {
+    createPromoCode: (...[, { code, discount }]) =>
+      loyalty.createPromoCode(code, discount),
+    deletePromoCode: (...[, { codeId }]) => loyalty.deletePromoCode(codeId),
+    createIndividualDiscount: (...[, { customerId, discount }]) =>
+      loyalty.createIndividualDiscount(customerId, discount),
+    deleteIndividualDiscount: (...[, { discountId }]) =>
+      loyalty.deleteIndividualDiscount(discountId),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/machine.resolver.js

@@ -0,0 +1,33 @@
+const DataLoader = require('dataloader')
+
+const { machineAction } = require('../../services/machines')
+
+const machineLoader = require('../../../machine-loader')
+const machineEventsByIdBatch =
+  require('../../../postgresql_interface').machineEventsByIdBatch
+
+const machineEventsLoader = new DataLoader(
+  ids => {
+    return machineEventsByIdBatch(ids)
+  },
+  { cache: false },
+)
+
+const resolvers = {
+  Machine: {
+    latestEvent: parent => machineEventsLoader.load(parent.deviceId),
+  },
+  Query: {
+    machines: () => machineLoader.getMachineNames(),
+    machine: (...[, { deviceId }]) => machineLoader.getMachine(deviceId),
+    unpairedMachines: () => machineLoader.getUnpairedMachines(),
+  },
+  Mutation: {
+    assignMachinesToGroup: (...[, { deviceIds, groupId }]) =>
+      machineLoader.assignToGroup(deviceIds, groupId),
+    machineAction: (...[, { deviceId, action, cashUnits, newName }, context]) =>
+      machineAction({ deviceId, action, cashUnits, newName }, context),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/machineGroups.resolver.js

@@ -0,0 +1,39 @@
+const DataLoader = require('dataloader')
+
+const {
+  getAllMachineGroups,
+  createMachineGroup,
+  deleteMachineGroup,
+  assignComplianceTriggerSetToMachineGroup,
+} = require('../../services/machineGroups')
+
+const {
+  getComplianceTriggerSetsByIdsBatch,
+} = require('../../services/triggers')
+
+const complianceTriggerSetsLoader = new DataLoader(
+  ids => getComplianceTriggerSetsByIdsBatch(ids),
+  { cache: false },
+)
+
+const resolvers = {
+  MachineGroup: {
+    complianceTriggerSet: parent =>
+      parent.complianceTriggerSetId
+        ? complianceTriggerSetsLoader.load(parent.complianceTriggerSetId)
+        : null,
+  },
+  Query: {
+    machineGroups: () => getAllMachineGroups(),
+  },
+  Mutation: {
+    createMachineGroup: (...[, { name }]) => createMachineGroup(name),
+    deleteMachineGroup: (...[, { id }]) => deleteMachineGroup(id),
+    assignComplianceTriggerSetToMachineGroup: (
+      source,
+      { id, complianceTriggerSetId },
+    ) => assignComplianceTriggerSetToMachineGroup(id, complianceTriggerSetId),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/market.resolver.js

@@ -0,0 +1,9 @@
+const exchange = require('../../../exchange')
+
+const resolvers = {
+  Query: {
+    getMarkets: () => exchange.getMarkets(),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/notification.resolver.js

@@ -0,0 +1,16 @@
+const notifierQueries = require('../../../notifier/queries')
+
+const resolvers = {
+  Query: {
+    notifications: () => notifierQueries.getNotifications(),
+    hasUnreadNotifications: () => notifierQueries.hasUnreadNotifications(),
+    alerts: () => notifierQueries.getAlerts(),
+  },
+  Mutation: {
+    toggleClearNotification: (...[, { id, read }]) =>
+      notifierQueries.setRead(id, read),
+    clearAllNotifications: () => notifierQueries.markAllAsRead(),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/pairing.resolver.js

@@ -0,0 +1,9 @@
+const pairing = require('../../services/pairing')
+
+const resolvers = {
+  Mutation: {
+    createPairingTotem: (...[, { name }]) => pairing.totem(name),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/rates.resolver.js

@@ -0,0 +1,21 @@
+const settingsLoader = require('../../../new-settings-loader')
+const forex = require('../../../forex')
+const plugins = require('../../../plugins')
+
+const resolvers = {
+  Query: {
+    cryptoRates: () =>
+      settingsLoader.load().then(settings => {
+        const pi = plugins(settings)
+        return pi.getRawRates().then(r => {
+          return {
+            withCommissions: pi.buildRates(r),
+            withoutCommissions: pi.buildRatesNoCommission(r),
+          }
+        })
+      }),
+    fiatRates: () => forex.getFiatRates(),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/sanctions.resolver.js

@@ -0,0 +1,13 @@
+const sanctions = require('../../../sanctions')
+const authentication = require('../modules/userManagement')
+
+const resolvers = {
+  Query: {
+    checkAgainstSanctions: (...[, { customerId }, context]) => {
+      const token = authentication.getToken(context)
+      return sanctions.checkByUser(customerId, token)
+    },
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/scalar.resolver.js

@@ -0,0 +1,13 @@
+const {
+  DateTimeISOResolver,
+  JSONResolver,
+  JSONObjectResolver,
+} = require('graphql-scalars')
+
+const resolvers = {
+  JSON: JSONResolver,
+  JSONObject: JSONObjectResolver,
+  DateTimeISO: DateTimeISOResolver,
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/settings.resolver.js

@@ -0,0 +1,15 @@
+const settingsLoader = require('../../../new-settings-loader')
+
+const resolvers = {
+  Query: {
+    accounts: () => settingsLoader.showAccounts(),
+    config: () => settingsLoader.loadConfig(),
+  },
+  Mutation: {
+    saveAccounts: (...[, { accounts }]) =>
+      settingsLoader.saveAccounts(accounts),
+    saveConfig: (source, { config }) => settingsLoader.saveConfig(config),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/sms.resolver.js

@@ -0,0 +1,15 @@
+const smsNotices = require('../../../sms-notices')
+
+const resolvers = {
+  Query: {
+    SMSNotices: () => smsNotices.getSMSNotices(),
+  },
+  Mutation: {
+    editSMSNotice: (...[, { id, event, message }]) =>
+      smsNotices.editSMSNotice(id, event, message),
+    enableSMSNotice: (...[, { id }]) => smsNotices.enableSMSNotice(id),
+    disableSMSNotice: (...[, { id }]) => smsNotices.disableSMSNotice(id),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/status.resolver.js

@@ -0,0 +1,13 @@
+const supervisor = require('../../services/supervisor')
+const {
+  getCachedRestrictionLevel,
+} = require('../../services/restriction-level')
+
+const resolvers = {
+  Query: {
+    uptime: () => supervisor.getAllProcessInfo(),
+    restrictionLevel: () => getCachedRestrictionLevel(),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/transaction.resolver.js

@@ -0,0 +1,126 @@
+const { parseAsync } = require('json2csv')
+
+const filters = require('../../filters')
+const cashOutTx = require('../../../cash-out/cash-out-tx')
+const cashInTx = require('../../../cash-in/cash-in-tx')
+const transactions = require('../../services/transactions')
+const anonymous = require('../../../constants').anonymousCustomer
+const logDateFormat = require('../../../logs').logDateFormat
+
+const resolvers = {
+  Transaction: {
+    isAnonymous: parent => parent.customerId === anonymous.uuid,
+  },
+  Query: {
+    transactions: (
+      ...[
+        ,
+        {
+          from,
+          until,
+          limit,
+          offset,
+          txClass,
+          deviceId,
+          customerName,
+          customerId,
+          fiatCode,
+          cryptoCode,
+          toAddress,
+          status,
+          swept,
+          excludeTestingCustomers,
+        },
+      ]
+    ) =>
+      transactions.batch({
+        from,
+        until,
+        limit,
+        offset,
+        txClass,
+        deviceId,
+        customerName,
+        customerId,
+        fiatCode,
+        cryptoCode,
+        toAddress,
+        status,
+        swept,
+        excludeTestingCustomers,
+      }),
+    transactionsCsv: (
+      ...[
+        ,
+        {
+          from,
+          until,
+          limit,
+          offset,
+          txClass,
+          deviceId,
+          customerName,
+          customerId,
+          fiatCode,
+          cryptoCode,
+          toAddress,
+          status,
+          swept,
+          timezone,
+          excludeTestingCustomers,
+          simplified,
+        },
+      ]
+    ) =>
+      transactions
+        .batch({
+          from,
+          until,
+          limit,
+          offset,
+          txClass,
+          deviceId,
+          customerName,
+          customerId,
+          fiatCode,
+          cryptoCode,
+          toAddress,
+          status,
+          swept,
+          excludeTestingCustomers,
+          simplified,
+        })
+        .then(data =>
+          parseAsync(
+            logDateFormat(timezone, data, [
+              'created',
+              'sendTime',
+              'publishedAt',
+            ]),
+          ),
+        ),
+    transactionCsv: (...[, { id, txClass, timezone }]) =>
+      transactions
+        .getTx(id, txClass)
+        .then(data =>
+          parseAsync(
+            logDateFormat(
+              timezone,
+              [data],
+              ['created', 'sendTime', 'publishedAt'],
+            ),
+          ),
+        ),
+    txAssociatedDataCsv: (...[, { id, txClass, timezone }]) =>
+      transactions
+        .getTxAssociatedData(id, txClass)
+        .then(data => parseAsync(logDateFormat(timezone, data, ['created']))),
+    transactionFilters: () => filters.transaction(),
+  },
+  Mutation: {
+    cancelCashOutTransaction: (...[, { id }]) => cashOutTx.cancel(id),
+    cancelCashInTransaction: (...[, { id }]) => cashInTx.cancel(id),
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/resolvers/triggers.resolver.js

@@ -0,0 +1,48 @@
+const {
+  getComplianceTriggerSets,
+  getComplianceTriggerSetById,
+  getComplianceTriggers,
+  createComplianceTriggerSet,
+  deleteComplianceTriggerSet,
+  createComplianceTrigger,
+  deleteComplianceTrigger,
+} = require('../../services/triggers')
+
+const Query = {
+  complianceTriggerSets() {
+    return getComplianceTriggerSets()
+  },
+
+  complianceTriggerSetById(source, { id }) {
+    return getComplianceTriggerSetById(id)
+  },
+
+  complianceTriggers(source, { complianceTriggerSetId }) {
+    return getComplianceTriggers(complianceTriggerSetId)
+  },
+}
+
+const Mutation = {
+  createComplianceTriggerSet(source, { name }) {
+    return createComplianceTriggerSet(name)
+  },
+
+  deleteComplianceTriggerSet(source, { id }) {
+    return deleteComplianceTriggerSet(id)
+  },
+
+  createComplianceTrigger(source, { complianceTriggerSetId, trigger }) {
+    return createComplianceTrigger(complianceTriggerSetId, trigger).then(
+      () => true,
+    )
+  },
+
+  deleteComplianceTrigger(source, { id }) {
+    return deleteComplianceTrigger(id).then(() => true)
+  },
+}
+
+module.exports = {
+  Query,
+  Mutation,
+}

packages/server/lib/new-admin/graphql/resolvers/users.resolver.js

@@ -0,0 +1,170 @@
+const authentication = require('../modules/authentication')
+const userManagement = require('../modules/userManagement')
+const users = require('../../../users')
+const sessionManager = require('../../../session-manager')
+
+const getAttestationQueryOptions = variables => {
+  switch (authentication.CHOSEN_STRATEGY) {
+    case 'FIDO2FA':
+      return { userId: variables.userID, domain: variables.domain }
+    case 'FIDOPasswordless':
+      return { userId: variables.userID, domain: variables.domain }
+    case 'FIDOUsernameless':
+      return { userId: variables.userID, domain: variables.domain }
+    default:
+      return {}
+  }
+}
+
+const getAssertionQueryOptions = variables => {
+  switch (authentication.CHOSEN_STRATEGY) {
+    case 'FIDO2FA':
+      return {
+        username: variables.username,
+        password: variables.password,
+        domain: variables.domain,
+      }
+    case 'FIDOPasswordless':
+      return { username: variables.username, domain: variables.domain }
+    case 'FIDOUsernameless':
+      return { domain: variables.domain }
+    default:
+      return {}
+  }
+}
+
+const getAttestationMutationOptions = variables => {
+  switch (authentication.CHOSEN_STRATEGY) {
+    case 'FIDO2FA':
+      return {
+        userId: variables.userID,
+        attestationResponse: variables.attestationResponse,
+        domain: variables.domain,
+      }
+    case 'FIDOPasswordless':
+      return {
+        userId: variables.userID,
+        attestationResponse: variables.attestationResponse,
+        domain: variables.domain,
+      }
+    case 'FIDOUsernameless':
+      return {
+        userId: variables.userID,
+        attestationResponse: variables.attestationResponse,
+        domain: variables.domain,
+      }
+    default:
+      return {}
+  }
+}
+
+const getAssertionMutationOptions = variables => {
+  switch (authentication.CHOSEN_STRATEGY) {
+    case 'FIDO2FA':
+      return {
+        username: variables.username,
+        password: variables.password,
+        rememberMe: variables.rememberMe,
+        assertionResponse: variables.assertionResponse,
+        domain: variables.domain,
+      }
+    case 'FIDOPasswordless':
+      return {
+        username: variables.username,
+        rememberMe: variables.rememberMe,
+        assertionResponse: variables.assertionResponse,
+        domain: variables.domain,
+      }
+    case 'FIDOUsernameless':
+      return {
+        assertionResponse: variables.assertionResponse,
+        domain: variables.domain,
+      }
+    default:
+      return {}
+  }
+}
+
+const resolver = {
+  Query: {
+    users: () => users.getUsers(),
+    sessions: () => sessionManager.getSessions(),
+    userSessions: (...[, { username }]) =>
+      sessionManager.getSessionsByUsername(username),
+    userData: (...[, , context]) => userManagement.getUserData(context),
+    get2FASecret: (...[, { username, password }]) =>
+      userManagement.get2FASecret(username, password),
+    confirm2FA: (...[, { code }, context]) =>
+      userManagement.confirm2FA(code, context),
+    validateRegisterLink: (...[, { token }]) =>
+      userManagement.validateRegisterLink(token),
+    validateResetPasswordLink: (...[, { token }]) =>
+      userManagement.validateResetPasswordLink(token),
+    validateReset2FALink: (...[, { token }]) =>
+      userManagement.validateReset2FALink(token),
+    generateAttestationOptions: (...[, variables, context]) =>
+      authentication.strategy.generateAttestationOptions(
+        context.req.session,
+        getAttestationQueryOptions(variables),
+      ),
+    generateAssertionOptions: (...[, variables, context]) =>
+      authentication.strategy.generateAssertionOptions(
+        context.req.session,
+        getAssertionQueryOptions(variables),
+      ),
+  },
+  Mutation: {
+    enableUser: (...[, { confirmationCode, id }, context]) =>
+      userManagement.enableUser(confirmationCode, id, context),
+    disableUser: (...[, { confirmationCode, id }, context]) =>
+      userManagement.disableUser(confirmationCode, id, context),
+    deleteSession: (...[, { sid }, context]) =>
+      userManagement.deleteSession(sid, context),
+    deleteUserSessions: (...[, { username }]) =>
+      sessionManager.deleteSessionsByUsername(username),
+    changeUserRole: (...[, { confirmationCode, id, newRole }, context]) =>
+      userManagement.changeUserRole(confirmationCode, id, newRole, context),
+    login: (...[, { username, password }]) =>
+      userManagement.login(username, password),
+    input2FA: (...[, { username, password, rememberMe, code }, context]) =>
+      userManagement.input2FA(username, password, rememberMe, code, context),
+    setup2FA: (
+      ...[, { username, password, rememberMe, codeConfirmation }, context]
+    ) =>
+      userManagement.setup2FA(
+        username,
+        password,
+        rememberMe,
+        codeConfirmation,
+        context,
+      ),
+    createResetPasswordToken: (...[, { confirmationCode, userID }, context]) =>
+      userManagement.createResetPasswordToken(
+        confirmationCode,
+        userID,
+        context,
+      ),
+    createReset2FAToken: (...[, { confirmationCode, userID }, context]) =>
+      userManagement.createReset2FAToken(confirmationCode, userID, context),
+    createRegisterToken: (...[, { username, role }]) =>
+      userManagement.createRegisterToken(username, role),
+    register: (...[, { token, username, password, role }]) =>
+      userManagement.register(token, username, password, role),
+    resetPassword: (...[, { token, userID, newPassword }, context]) =>
+      userManagement.resetPassword(token, userID, newPassword, context),
+    reset2FA: (...[, { token, userID, code }, context]) =>
+      userManagement.reset2FA(token, userID, code, context),
+    validateAttestation: (...[, variables, context]) =>
+      authentication.strategy.validateAttestation(
+        context.req.session,
+        getAttestationMutationOptions(variables),
+      ),
+    validateAssertion: (...[, variables, context]) =>
+      authentication.strategy.validateAssertion(
+        context.req.session,
+        getAssertionMutationOptions(variables),
+      ),
+  },
+}
+
+module.exports = resolver

packages/server/lib/new-admin/graphql/resolvers/version.resolver.js

@@ -0,0 +1,9 @@
+const serverVersion = require('../../../../package.json').version
+
+const resolvers = {
+  Query: {
+    serverVersion: () => serverVersion,
+  },
+}
+
+module.exports = resolvers

packages/server/lib/new-admin/graphql/schema.js

@@ -0,0 +1,7 @@
+const types = require('./types')
+const resolvers = require('./resolvers')
+
+module.exports = {
+  resolvers: resolvers,
+  typeDefs: types,
+}

packages/server/lib/new-admin/graphql/types/bill.type.js

@@ -0,0 +1,18 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Bill {
+    id: ID
+    fiat: Int
+    fiatCode: String
+    deviceId: ID
+    created: DateTimeISO
+    cashUnitOperationId: ID
+  }
+
+  type Query {
+    bills(filters: JSONObject): [Bill] @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/blacklist.type.js

@@ -0,0 +1,28 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Blacklist {
+    address: String!
+    blacklistMessage: BlacklistMessage!
+  }
+
+  type BlacklistMessage {
+    id: ID
+    label: String
+    content: String
+    allowToggle: Boolean
+  }
+
+  type Query {
+    blacklist: [Blacklist] @auth
+    blacklistMessages: [BlacklistMessage] @auth
+  }
+
+  type Mutation {
+    deleteBlacklistRow(address: String!): Blacklist @auth
+    insertBlacklistRow(address: String!): Blacklist @auth
+    editBlacklistMessage(id: ID, content: String): BlacklistMessage @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/cashbox.type.js

@@ -0,0 +1,30 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type CashboxBatch {
+    id: ID
+    deviceId: ID
+    created: DateTimeISO
+    operationType: String
+    customBillCount: Int
+    performedBy: String
+    billCount: Int
+    fiatTotal: Int
+  }
+
+  type Query {
+    cashboxBatches: [CashboxBatch] @auth
+    cashboxBatchesCsv(
+      from: DateTimeISO
+      until: DateTimeISO
+      timezone: String
+    ): String @auth
+  }
+
+  type Mutation {
+    createBatch(deviceId: ID, cashboxCount: Int): CashboxBatch @auth
+    editBatch(id: ID, performedBy: String): CashboxBatch @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/config.type.js

@@ -0,0 +1,29 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Country {
+    code: String!
+    display: String!
+  }
+
+  type Language {
+    code: String!
+    display: String!
+  }
+
+  type AccountConfig {
+    code: String!
+    display: String!
+    class: String!
+    cryptos: [String]
+    deprecated: Boolean
+  }
+
+  type Query {
+    countries: [Country] @auth
+    languages: [Language] @auth
+    accountsConfig: [AccountConfig] @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/currency.type.js

@@ -0,0 +1,22 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Currency {
+    code: String!
+    display: String!
+  }
+
+  type CryptoCurrency {
+    code: String!
+    display: String!
+    codeDisplay: String!
+    isBeta: Boolean
+  }
+
+  type Query {
+    currencies: [Currency] @auth
+    cryptoCurrencies: [CryptoCurrency] @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/customInfoRequests.type.js

@@ -0,0 +1,73 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type CustomInfoRequest {
+    id: ID!
+    enabled: Boolean
+    customRequest: JSON
+  }
+
+  input CustomRequestInputField {
+    choiceList: [String]
+    constraintType: String
+    type: String
+    numDigits: String
+    label1: String
+    label2: String
+  }
+
+  input CustomRequestInputScreen {
+    text: String
+    title: String
+  }
+
+  input CustomRequestInput {
+    name: String
+    input: CustomRequestInputField
+    disablePermissionScreen: Boolean
+    screen1: CustomRequestInputScreen
+    screen2: CustomRequestInputScreen
+  }
+
+  type CustomRequestData {
+    customerId: ID
+    infoRequestId: ID
+    override: String
+    overrideAt: DateTimeISO
+    overrideBy: ID
+    customerData: JSON
+    customInfoRequest: CustomInfoRequest
+  }
+
+  type Query {
+    customInfoRequests(onlyEnabled: Boolean): [CustomInfoRequest] @auth
+    customerCustomInfoRequests(customerId: ID!): [CustomRequestData] @auth
+    customerCustomInfoRequest(
+      customerId: ID!
+      infoRequestId: ID!
+    ): CustomRequestData @auth
+  }
+
+  type Mutation {
+    insertCustomInfoRequest(
+      customRequest: CustomRequestInput!
+    ): CustomInfoRequest @auth
+    removeCustomInfoRequest(id: ID!): CustomInfoRequest @auth
+    editCustomInfoRequest(
+      id: ID!
+      customRequest: CustomRequestInput!
+    ): CustomInfoRequest @auth
+    setAuthorizedCustomRequest(
+      customerId: ID!
+      infoRequestId: ID!
+      override: String!
+    ): Boolean @auth
+    setCustomerCustomInfoRequest(
+      customerId: ID!
+      infoRequestId: ID!
+      data: JSON!
+    ): Boolean @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/customer.type.js

@@ -0,0 +1,146 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Customer {
+    id: ID!
+    authorizedOverride: String
+    daysSuspended: Int
+    isSuspended: Boolean
+    newPhoto: Upload
+    photoType: String
+    frontCameraPath: String
+    frontCameraAt: DateTimeISO
+    frontCameraOverride: String
+    phone: String
+    email: String
+    isAnonymous: Boolean
+    smsOverride: String
+    idCardData: JSONObject
+    idCardDataOverride: String
+    idCardDataExpiration: DateTimeISO
+    idCardPhoto: Upload
+    idCardPhotoPath: String
+    idCardPhotoOverride: String
+    idCardPhotoAt: DateTimeISO
+    usSsn: String
+    usSsnOverride: String
+    sanctions: Boolean
+    sanctionsAt: DateTimeISO
+    sanctionsOverride: String
+    totalTxs: Int
+    totalSpent: String
+    lastActive: DateTimeISO
+    lastTxFiat: String
+    lastTxFiatCode: String
+    lastTxClass: String
+    lastUsedMachine: String
+    lastUsedMachineName: String
+    transactions: [Transaction]
+    subscriberInfo: JSONObject
+    phoneOverride: String
+    customFields: [CustomerCustomField]
+    customInfoRequests: [CustomRequestData]
+    notes: [CustomerNote]
+    isTestCustomer: Boolean
+    externalCompliance: [JSONObject]
+  }
+
+  input CustomerInput {
+    authorizedOverride: String
+    frontCameraPath: String
+    frontCameraOverride: String
+    phone: String
+    smsOverride: String
+    idCardData: JSONObject
+    idCardDataOverride: String
+    idCardDataExpiration: DateTimeISO
+    idCardPhotoPath: String
+    idCardPhotoOverride: String
+    usSsn: String
+    usSsnOverride: String
+    sanctions: Boolean
+    sanctionsAt: DateTimeISO
+    sanctionsOverride: String
+    totalTxs: Int
+    totalSpent: String
+    lastActive: DateTimeISO
+    lastTxFiat: String
+    lastTxFiatCode: String
+    lastTxClass: String
+    suspendedUntil: DateTimeISO
+    phoneOverride: String
+  }
+
+  input CustomerEdit {
+    idCardData: JSONObject
+    idCardPhoto: Upload
+    usSsn: String
+    subscriberInfo: JSONObject
+  }
+
+  type CustomerNote {
+    id: ID
+    customerId: ID
+    created: DateTimeISO
+    lastEditedAt: DateTimeISO
+    lastEditedBy: ID
+    title: String
+    content: String
+  }
+
+  type CustomerCustomField {
+    id: ID
+    label: String
+    value: String
+  }
+
+  type CustomerSearchResult {
+    id: ID!
+    name: String
+    phone: String
+    email: String
+  }
+
+  type Query {
+    customers(
+      phone: String
+      name: String
+      email: String
+      address: String
+      id: String
+    ): [Customer] @auth
+    customer(customerId: ID!): Customer @auth
+    customerFilters: [Filter] @auth
+    searchCustomers(searchTerm: String!, limit: Int): [CustomerSearchResult]
+      @auth
+  }
+
+  type Mutation {
+    setCustomer(customerId: ID!, customerInput: CustomerInput): Customer @auth
+    addCustomField(customerId: ID!, label: String!, value: String!): Boolean
+      @auth
+    saveCustomField(customerId: ID!, fieldId: ID!, value: String!): Boolean
+      @auth
+    removeCustomField(customerId: ID!, fieldId: ID!): Boolean @auth
+    editCustomer(customerId: ID!, customerEdit: CustomerEdit): Customer @auth
+    deleteEditedData(customerId: ID!, customerEdit: CustomerEdit): Customer
+      @auth
+    replacePhoto(
+      customerId: ID!
+      photoType: String
+      newPhoto: Upload
+    ): Customer @auth
+    createCustomerNote(
+      customerId: ID!
+      title: String!
+      content: String!
+    ): Boolean @auth
+    editCustomerNote(noteId: ID!, newContent: String!): Boolean @auth
+    deleteCustomerNote(noteId: ID!): Boolean @auth
+    createCustomer(phoneNumber: String): Customer @auth
+    enableTestCustomer(customerId: ID!): Boolean @auth
+    disableTestCustomer(customerId: ID!): Boolean @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/funding.type.js

@@ -0,0 +1,23 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type CoinFunds {
+    cryptoCode: String!
+    errorMsg: String
+    fundingAddress: String
+    fundingAddressUrl: String
+    confirmedBalance: String
+    pending: String
+    fiatConfirmedBalance: String
+    fiatPending: String
+    fiatCode: String
+    display: String
+    unitScale: String
+  }
+
+  type Query {
+    funding: [CoinFunds] @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/index.js

@@ -0,0 +1,57 @@
+const { mergeTypeDefs } = require('@graphql-tools/merge')
+
+const bill = require('./bill.type')
+const blacklist = require('./blacklist.type')
+const cashbox = require('./cashbox.type')
+const config = require('./config.type')
+const currency = require('./currency.type')
+const customer = require('./customer.type')
+const customInfoRequests = require('./customInfoRequests.type')
+const funding = require('./funding.type')
+const log = require('./log.type')
+const loyalty = require('./loyalty.type')
+const machine = require('./machine.type')
+const machineGroups = require('./machineGroups.type')
+const market = require('./market.type')
+const notification = require('./notification.type')
+const pairing = require('./pairing.type')
+const rates = require('./rates.type')
+const sanctions = require('./sanctions.type')
+const scalar = require('./scalar.type')
+const settings = require('./settings.type')
+const sms = require('./sms.type')
+const status = require('./status.type')
+const transaction = require('./transaction.type')
+const user = require('./users.type')
+const version = require('./version.type')
+const triggers = require('./triggers.type')
+
+const types = [
+  bill,
+  blacklist,
+  cashbox,
+  config,
+  currency,
+  customer,
+  customInfoRequests,
+  funding,
+  log,
+  loyalty,
+  machine,
+  machineGroups,
+  market,
+  notification,
+  pairing,
+  rates,
+  sanctions,
+  scalar,
+  settings,
+  sms,
+  status,
+  transaction,
+  user,
+  version,
+  triggers,
+]
+
+module.exports = mergeTypeDefs(types)

packages/server/lib/new-admin/graphql/types/log.type.js

@@ -0,0 +1,50 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type MachineLog {
+    id: ID!
+    logLevel: String!
+    timestamp: DateTimeISO!
+    message: String!
+  }
+
+  type ServerLog {
+    id: ID!
+    logLevel: String!
+    timestamp: DateTimeISO!
+    message: String
+  }
+
+  type Query {
+    machineLogs(
+      deviceId: ID!
+      from: DateTimeISO
+      until: DateTimeISO
+      limit: Int
+      offset: Int
+    ): [MachineLog] @auth
+    machineLogsCsv(
+      deviceId: ID!
+      from: DateTimeISO
+      until: DateTimeISO
+      limit: Int
+      offset: Int
+      timezone: String
+    ): String @auth
+    serverLogs(
+      from: DateTimeISO
+      until: DateTimeISO
+      limit: Int
+      offset: Int
+    ): [ServerLog] @auth
+    serverLogsCsv(
+      from: DateTimeISO
+      until: DateTimeISO
+      limit: Int
+      offset: Int
+      timezone: String
+    ): String @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/loyalty.type.js

@@ -0,0 +1,38 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type IndividualDiscount {
+    id: ID!
+    customer: DiscountCustomer!
+    discount: Int
+  }
+
+  type DiscountCustomer {
+    id: ID!
+    phone: String
+    idCardData: JSONObject
+  }
+
+  type PromoCode {
+    id: ID!
+    code: String!
+    discount: Int
+  }
+
+  type Query {
+    promoCodes: [PromoCode] @auth
+    individualDiscounts: [IndividualDiscount] @auth
+  }
+
+  type Mutation {
+    createPromoCode(code: String!, discount: Int!): PromoCode @auth
+    deletePromoCode(codeId: ID!): PromoCode @auth
+    createIndividualDiscount(
+      customerId: ID!
+      discount: Int!
+    ): IndividualDiscount @auth
+    deleteIndividualDiscount(discountId: ID!): IndividualDiscount @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/machine.type.js

@@ -0,0 +1,112 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type MachineStatus {
+    label: String!
+    type: String!
+  }
+
+  type Machine {
+    name: String!
+    deviceId: ID!
+    paired: Boolean!
+    lastPing: DateTimeISO
+    pairedAt: DateTimeISO
+    diagnostics: Diagnostics
+    version: String
+    model: String
+    cashUnits: CashUnits
+    numberOfCassettes: Int
+    numberOfRecyclers: Int
+    statuses: [MachineStatus]
+    latestEvent: MachineEvent
+    downloadSpeed: String
+    responseTime: String
+    packetLoss: String
+    machineGroup: MachineGroup
+  }
+
+  type Diagnostics {
+    timestamp: DateTimeISO
+    frontTimestamp: DateTimeISO
+    scanTimestamp: DateTimeISO
+  }
+
+  type CashUnits {
+    cashbox: Int
+    cassette1: Int
+    cassette2: Int
+    cassette3: Int
+    cassette4: Int
+    recycler1: Int
+    recycler2: Int
+    recycler3: Int
+    recycler4: Int
+    recycler5: Int
+    recycler6: Int
+  }
+
+  input CashUnitsInput {
+    cashbox: Int
+    cassette1: Int
+    cassette2: Int
+    cassette3: Int
+    cassette4: Int
+    recycler1: Int
+    recycler2: Int
+    recycler3: Int
+    recycler4: Int
+    recycler5: Int
+    recycler6: Int
+  }
+
+  type UnpairedMachine {
+    id: ID!
+    deviceId: ID!
+    name: String
+    model: String
+    paired: DateTimeISO!
+    unpaired: DateTimeISO!
+  }
+
+  type MachineEvent {
+    id: ID
+    deviceId: String
+    eventType: String
+    note: String
+    created: DateTimeISO
+    age: Float
+    deviceTime: DateTimeISO
+  }
+
+  enum MachineAction {
+    rename
+    resetCashOutBills
+    setCassetteBills
+    unpair
+    reboot
+    shutdown
+    restartServices
+    emptyUnit
+    refillUnit
+    diagnostics
+  }
+
+  type Query {
+    machines: [Machine] @auth
+    machine(deviceId: ID!): Machine @auth
+    unpairedMachines: [UnpairedMachine!]! @auth
+  }
+
+  type Mutation {
+    assignMachinesToGroup(deviceIds: [ID!]!, groupId: ID!): [ID]
+    machineAction(
+      deviceId: ID!
+      action: MachineAction!
+      cashUnits: CashUnitsInput
+      newName: String
+    ): Machine @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/machineGroups.type.js

@@ -0,0 +1,26 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type MachineGroup {
+    id: ID!
+    name: String!
+    complianceTriggerSetId: ID
+    complianceTriggerSet: ComplianceTriggerSet
+    deviceCount: Int
+  }
+
+  type Query {
+    machineGroups: [MachineGroup!]! @auth
+  }
+
+  type Mutation {
+    createMachineGroup(name: String!): MachineGroup! @auth
+    deleteMachineGroup(id: ID!): MachineGroup @auth
+    assignComplianceTriggerSetToMachineGroup(
+      id: ID!
+      complianceTriggerSetId: ID
+    ): MachineGroup! @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/market.type.js

@@ -0,0 +1,9 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Query {
+    getMarkets: JSONObject @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/notification.type.js

@@ -0,0 +1,26 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Notification {
+    id: ID!
+    type: String
+    detail: JSON
+    message: String
+    created: DateTimeISO
+    read: Boolean
+    valid: Boolean
+  }
+
+  type Query {
+    notifications: [Notification] @auth
+    alerts: [Notification] @auth
+    hasUnreadNotifications: Boolean @auth
+  }
+
+  type Mutation {
+    toggleClearNotification(id: ID!, read: Boolean!): Notification @auth
+    clearAllNotifications: Notification @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/pairing.type.js

@@ -0,0 +1,9 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Mutation {
+    createPairingTotem(name: String!): String @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/rates.type.js

@@ -0,0 +1,16 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Rate {
+    code: String
+    name: String
+    rate: Float
+  }
+
+  type Query {
+    cryptoRates: JSONObject @auth
+    fiatRates: [Rate] @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/sanctions.type.js

@@ -0,0 +1,13 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type SanctionMatches {
+    ofacSanctioned: Boolean
+  }
+
+  type Query {
+    checkAgainstSanctions(customerId: ID): SanctionMatches @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/scalar.type.js

@@ -0,0 +1,10 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  scalar JSON
+  scalar JSONObject
+  scalar DateTimeISO
+  scalar Upload
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/settings.type.js

@@ -0,0 +1,15 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Query {
+    accounts: JSONObject @auth
+    config: JSONObject @auth
+  }
+
+  type Mutation {
+    saveAccounts(accounts: JSONObject): JSONObject @auth
+    saveConfig(config: JSONObject): JSONObject @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/sms.type.js

@@ -0,0 +1,31 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type SMSNotice {
+    id: ID!
+    event: SMSNoticeEvent!
+    message: String!
+    messageName: String!
+    enabled: Boolean!
+    allowToggle: Boolean!
+  }
+
+  enum SMSNoticeEvent {
+    smsCode
+    cashOutDispenseReady
+    smsReceipt
+  }
+
+  type Query {
+    SMSNotices: [SMSNotice] @auth
+  }
+
+  type Mutation {
+    editSMSNotice(id: ID!, event: SMSNoticeEvent!, message: String!): SMSNotice
+      @auth
+    enableSMSNotice(id: ID!): SMSNotice @auth
+    disableSMSNotice(id: ID!): SMSNotice @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/status.type.js

@@ -0,0 +1,16 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type ProcessStatus {
+    name: String!
+    state: String!
+    uptime: Int!
+  }
+
+  type Query {
+    uptime: [ProcessStatus] @auth
+    restrictionLevel: Int
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/transaction.type.js

@@ -0,0 +1,111 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Transaction {
+    id: ID!
+    txClass: String!
+    deviceId: ID!
+    toAddress: String
+    cryptoAtoms: String!
+    cryptoCode: String!
+    fiat: String!
+    fiatCode: String!
+    fee: String
+    txHash: String
+    phone: String
+    error: String
+    created: DateTimeISO
+    send: Boolean
+    sendConfirmed: Boolean
+    dispense: Boolean
+    timedout: Boolean
+    sendTime: DateTimeISO
+    errorCode: String
+    operatorCompleted: Boolean
+    sendPending: Boolean
+    fixedFee: String
+    minimumTx: Float
+    isAnonymous: Boolean
+    txVersion: Int!
+    termsAccepted: Boolean
+    commissionPercentage: String
+    rawTickerPrice: String
+    isPaperWallet: Boolean
+    expired: Boolean
+    machineName: String
+    discount: Int
+    customerId: ID
+    customerPhone: String
+    customerEmail: String
+    customerIdCardData: JSONObject
+    customerFrontCameraPath: String
+    customerIdCardPhotoPath: String
+    txCustomerPhotoPath: String
+    txCustomerPhotoAt: DateTimeISO
+    batched: Boolean
+    batchTime: DateTimeISO
+    batchError: String
+    walletScore: Int
+    profit: String
+    swept: Boolean
+    status: String
+    paginationStats: PaginationStats
+  }
+
+  type PaginationStats {
+    totalCount: Int
+  }
+
+  type Filter {
+    type: String
+    value: String
+    label: String
+  }
+
+  type Query {
+    transactions(
+      from: DateTimeISO
+      until: DateTimeISO
+      limit: Int
+      offset: Int
+      txClass: String
+      deviceId: String
+      customerName: String
+      customerId: ID
+      fiatCode: String
+      cryptoCode: String
+      toAddress: String
+      status: String
+      swept: Boolean
+      excludeTestingCustomers: Boolean
+    ): [Transaction] @auth
+    transactionsCsv(
+      from: DateTimeISO
+      until: DateTimeISO
+      limit: Int
+      offset: Int
+      txClass: String
+      deviceId: String
+      customerName: String
+      customerId: ID
+      fiatCode: String
+      cryptoCode: String
+      toAddress: String
+      status: String
+      swept: Boolean
+      timezone: String
+      excludeTestingCustomers: Boolean
+      simplified: Boolean
+    ): String @auth
+    transactionCsv(id: ID, txClass: String, timezone: String): String @auth
+    txAssociatedDataCsv(id: ID, txClass: String, timezone: String): String @auth
+    transactionFilters: [Filter] @auth
+  }
+
+  type Mutation {
+    cancelCashOutTransaction(id: ID): Transaction @auth
+    cancelCashInTransaction(id: ID): Transaction @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/triggers.type.js

@@ -0,0 +1,73 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type ComplianceTriggerSet {
+    id: ID!
+    name: String!
+  }
+
+  enum TriggerType {
+    txAmount
+    txVolume
+    txVelocity
+    consecutiveDays
+  }
+
+  enum RequirementType {
+    sms
+    idCardPhoto
+    idCardData
+    facephoto
+    sanctions
+    usSsn
+    suspend
+    block
+    external
+    custom
+  }
+
+  type ComplianceTrigger {
+    id: ID!
+    direction: String!
+    triggerType: TriggerType!
+    requirementType: RequirementType!
+
+    suspensionDays: Float
+    threshold: Int
+    thresholdDays: Int
+    customInfoRequestId: ID
+    externalService: String
+  }
+
+  input ComplianceTriggerInput {
+    id: ID!
+    direction: String!
+    triggerType: TriggerType!
+    requirementType: RequirementType!
+
+    suspensionDays: Float
+    threshold: Int
+    thresholdDays: Int
+    customInfoRequestId: ID
+    externalService: String
+  }
+
+  type Query {
+    complianceTriggerSets: [ComplianceTriggerSet!]! @auth
+    complianceTriggerSetById(id: ID!): ComplianceTriggerSet! @auth
+
+    complianceTriggers(complianceTriggerSetId: ID!): [ComplianceTrigger!]! @auth
+  }
+
+  type Mutation {
+    createComplianceTriggerSet(name: String!): ComplianceTriggerSet @auth
+    deleteComplianceTriggerSet(id: ID!): ComplianceTriggerSet @auth
+    createComplianceTrigger(
+      complianceTriggerSetId: ID!
+      trigger: ComplianceTriggerInput!
+    ): Boolean! @auth
+    deleteComplianceTrigger(id: ID!): Boolean! @auth
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/users.type.js

@@ -0,0 +1,114 @@
+const authentication = require('../modules/authentication')
+
+const getFIDOStrategyQueryTypes = () => {
+  switch (authentication.CHOSEN_STRATEGY) {
+    case 'FIDO2FA':
+      return `generateAttestationOptions(userID: ID!, domain: String!): JSONObject
+    generateAssertionOptions(username: String!, password: String!, domain: String!): JSONObject`
+    case 'FIDOPasswordless':
+      return `generateAttestationOptions(userID: ID!, domain: String!): JSONObject
+    generateAssertionOptions(username: String!, domain: String!): JSONObject`
+    case 'FIDOUsernameless':
+      return `generateAttestationOptions(userID: ID!, domain: String!): JSONObject
+    generateAssertionOptions(domain: String!): JSONObject`
+    default:
+      return ``
+  }
+}
+
+const getFIDOStrategyMutationsTypes = () => {
+  switch (authentication.CHOSEN_STRATEGY) {
+    case 'FIDO2FA':
+      return `validateAttestation(userID: ID!, attestationResponse: JSONObject!, domain: String!): Boolean
+    validateAssertion(username: String!, password: String!, rememberMe: Boolean!, assertionResponse: JSONObject!, domain: String!): Boolean`
+    case 'FIDOPasswordless':
+      return `validateAttestation(userID: ID!, attestationResponse: JSONObject!, domain: String!): Boolean
+    validateAssertion(username: String!, rememberMe: Boolean!, assertionResponse: JSONObject!, domain: String!): Boolean`
+    case 'FIDOUsernameless':
+      return `validateAttestation(userID: ID!, attestationResponse: JSONObject!, domain: String!): Boolean
+    validateAssertion(assertionResponse: JSONObject!, domain: String!): Boolean`
+    default:
+      return ``
+  }
+}
+
+const typeDef = `
+  directive @auth(
+    requires: [Role] = [USER, SUPERUSER]
+  ) on OBJECT | FIELD_DEFINITION
+
+  enum Role {
+    SUPERUSER
+    USER
+  }
+
+  type UserSession {
+    sid: String!
+    sess: JSONObject!
+    expire: DateTimeISO!
+  }
+
+  type User {
+    id: ID
+    username: String
+    role: String
+    enabled: Boolean
+    created: DateTimeISO
+    last_accessed: DateTimeISO
+    last_accessed_from: String
+    last_accessed_address: String
+  }
+
+  type TwoFactorSecret {
+    user_id: ID
+    secret: String!
+    otpauth: String!
+  }
+
+  type ResetToken {
+    token: String
+    user_id: ID
+    expire: DateTimeISO
+  }
+
+  type RegistrationToken {
+    token: String
+    username: String
+    role: String
+    expire: DateTimeISO
+  }
+
+  type Query {
+    users: [User] @auth(requires: [SUPERUSER])
+    sessions: [UserSession] @auth(requires: [SUPERUSER])
+    userSessions(username: String!): [UserSession] @auth(requires: [SUPERUSER])
+    userData: User
+    get2FASecret(username: String!, password: String!): TwoFactorSecret
+    confirm2FA(code: String!): Boolean @auth(requires: [SUPERUSER])
+    validateRegisterLink(token: String!): User
+    validateResetPasswordLink(token: String!): User
+    validateReset2FALink(token: String!): TwoFactorSecret
+    ${getFIDOStrategyQueryTypes()}
+  }
+
+  type Mutation {
+    enableUser(confirmationCode: String, id: ID!): User @auth(requires: [SUPERUSER])
+    disableUser(confirmationCode: String, id: ID!): User @auth(requires: [SUPERUSER])
+    deleteSession(sid: String!): UserSession @auth(requires: [SUPERUSER])
+    deleteUserSessions(username: String!): [UserSession] @auth(requires: [SUPERUSER])
+    changeUserRole(confirmationCode: String, id: ID!, newRole: String!): User @auth(requires: [SUPERUSER])
+    toggleUserEnable(id: ID!): User @auth(requires: [SUPERUSER])
+    login(username: String!, password: String!): String
+    input2FA(username: String!, password: String!, code: String!, rememberMe: Boolean!): Boolean
+    setup2FA(username: String!, password: String!, rememberMe: Boolean!, codeConfirmation: String!): Boolean
+    createResetPasswordToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER])
+    createReset2FAToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER])
+    createRegisterToken(username: String!, role: String!): RegistrationToken @auth(requires: [SUPERUSER])
+    register(token: String!, username: String!, password: String!, role: String!): Boolean
+    resetPassword(token: String!, userID: ID!, newPassword: String!): Boolean
+    reset2FA(token: String!, userID: ID!, code: String!): Boolean
+    ${getFIDOStrategyMutationsTypes()}
+  }
+`
+
+module.exports = typeDef

packages/server/lib/new-admin/graphql/types/version.type.js

@@ -0,0 +1,9 @@
+const gql = require('graphql-tag')
+
+const typeDef = gql`
+  type Query {
+    serverVersion: String! @auth
+  }
+`
+
+module.exports = typeDef