@abtnode/auth 1.15.17 → 1.16.0-beta-b16cb035

package/lib/auth.js

@@ -1,28 +1,41 @@
+const path = require('path');
 const jwt = require('jsonwebtoken');
 const semver = require('semver');
 const joinUrl = require('url-join');
 const get = require('lodash/get');
 const { verifyPresentation, createCredentialList } = require('@arcblock/vc');
+const formatContext = require('@abtnode/util/lib/format-context');
 const Mcrypto = require('@ocap/mcrypto');
+const Client = require('@ocap/client');
 const { fromSecretKey, WalletType } = require('@ocap/wallet');
 const getBlockletInfo = require('@blocklet/meta/lib/info');
-const { PASSPORT_STATUS, NFT_TYPE_NODE_PASSPORT } = require('@abtnode/constant');
+const {
+  PASSPORT_STATUS,
+  VC_TYPE_NODE_PASSPORT,
+  ROLES,
+  NODE_DATA_DIR_NAME,
+  AUTH_CERT_TYPE,
+  WELLKNOWN_BLOCKLET_ADMIN_PATH,
+} = require('@abtnode/constant');
 const axios = require('@abtnode/util/lib/axios');
+const { extractUserAvatar, parseUserAvatar } = require('@abtnode/util/lib/user-avatar');
+
 const logger = require('./logger');
 const verifySignature = require('./util/verify-signature');
 const {
   createPassport,
   createPassportVC,
-  createPassportSvg,
   upsertToPassports,
   createUserPassport,
   getRoleFromLocalPassport,
 } = require('./passport');
 
+const createPassportSvg = require('./util/create-passport-svg');
+
 const messages = {
   description: {
-    en: 'Login with your DID Wallet',
-    zh: '用 DID 钱包登录',
+    en: 'Connect your DID Wallet',
+    zh: '连接 DID 钱包',
   },
   requestProfile: {
     en: 'Please provide following information to continue',
@@ -36,6 +49,10 @@ const messages = {
     en: 'Please provide passport',
     zh: '请提供通行证',
   },
+  requestOwnerPassport: {
+    en: 'Please provide owner passport',
+    zh: '请提供节点的所有者通行证',
+  },
   requestBlockletNft: {
     en: 'Please provide Blocklet Purchase NFT',
     zh: '请提供 Blocklet Purchase NFT',
@@ -46,6 +63,10 @@ const messages = {
   },
 
   // error
+  actionForbidden: {
+    en: 'You are not allowed perform this action',
+    zh: '你没有权限执行此操作',
+  },
 
   notInitialized: {
     en: 'This node is not initialized, login is disabled',
@@ -75,6 +96,10 @@ const messages = {
     en: (types) => `Invalid credential type, expect ${types.join(' or ')}`,
     zh: (types) => `无效的凭证类型，必须是 ${types.join(' 或 ')}`,
   },
+  invalidCredentialId: {
+    en: (ids) => `Invalid credential type, expect ${[].concat(ids).join(' or ')}`,
+    zh: (ids) => `无效的凭证，ID 必须是 ${[].concat(ids).join(' 或 ')}`,
+  },
   invalidCredentialHolder: {
     en: 'Invalid credential holder',
     zh: '无效的凭证持有者',
@@ -91,12 +116,16 @@ const messages = {
     en: 'The account does not match the owner account of this passport, please use the DID wallet that contains the owner account of this passport to receive.',
     zh: '该账号与此通行证的所有者账号不匹配，请使用包含此通行证所有者账号的 DID 钱包领取。',
   },
+  userMismatch: {
+    en: 'User mismatch, please use connected DID wallet to continue.',
+    zh: '用户不匹配，请使用当前会话连接的钱包操作',
+  },
   lowVersion: {
     en: 'Your DID wallet version is too low, please upgrade to the latest version',
     zh: '你的 DID 钱包版本过低，请升级至最新版本',
   },
   passportStatusCheckFailed: {
-    en: (message) => `Passport status check failed:${message}`,
+    en: (message) => `Passport status check failed: ${message}`,
     zh: (message) => `通行证状态检测失败：${message}`,
   },
   unKnownStatus: {
@@ -127,6 +156,22 @@ const messages = {
     en: 'Invalid Params',
     zh: '无效的参数',
   },
+  missingKeyPair: {
+    en: 'Missing app key pair',
+    zh: '缺少应用钥匙对',
+  },
+  missingBlockletUrl: {
+    en: 'Missing blocklet url',
+    zh: '缺少应用下载地址',
+  },
+  missingBlockletDid: {
+    en: 'Missing blocklet did',
+    zh: '缺少应用 ID',
+  },
+  missingChainHost: {
+    en: 'Missing chain host',
+    zh: '缺少链的端点地址',
+  },
   invalidBlocklet: {
     en: 'Invalid Blocklet',
     zh: '无效的 Blocklet',
@@ -139,10 +184,101 @@ const messages = {
     en: 'Invalid Blocklet VC',
     zh: '无效的 Blocklet VC',
   },
+  invalidAppVersion: {
+    en: 'App key-pair rotating can only be performed on the latest version',
+    zh: '只有最新版应用可以变更钥匙对',
+  },
+
+  // NFT related
+  missingProfileClaim: {
+    en: 'Owner profile not provided',
+    zh: '节点所有者信息必须提供',
+  },
+  invalidNftClaim: {
+    en: 'Invalid Asset Claim: ownerPk, ownerDid and ownerProof are required',
+    zh: '无效的 NFT Claim：ownerPk、ownerDid、ownerProof 是必填的',
+  },
+  invalidNft: {
+    en: 'Invalid server ownership NFT state',
+    zh: '无效的节点所有权 NFT',
+  },
+  invalidNftHolder: {
+    en: 'Invalid server ownership NFT holder',
+    zh: '无效的节点所有权 NFT 持有者',
+  },
+  invalidNftProof: {
+    en: 'Invalid server ownership NFT signature proof',
+    zh: '无效的节点所有权 NFT 签名',
+  },
+  invalidNftIssuer: {
+    en: 'Invalid server ownership NFT issuer',
+    zh: '无效的节点所有权 NFT 颁发者',
+  },
+  tagNotMatch: {
+    en: 'This NFT is for another blocklet server',
+    zh: '您所提供的所有权 NFT 不属于当前节点',
+  },
+  requestNft: {
+    en: 'Please provide server ownership NFT',
+    zh: '请提供节点所有权 NFT',
+  },
+  requestServerlessNFT: {
+    en: 'Please provide serverless NFT',
+    zh: '请提供无服务 NFT',
+  },
+  serverlessNftIdRequired: {
+    en: 'Serverless NFT ID is required',
+    zh: '无服务 NFT ID 是必须的',
+  },
+  nftAlreadyConsume: {
+    en: 'This NFT has already been used',
+    zh: '该 NFT 已经被使用过了',
+  },
+  nftAlreadyExpired: {
+    en: 'This NFT has expired',
+    zh: '该 NFT 已经过期',
+  },
+  missingNftClaim: {
+    en: 'Ownership NFT not provided',
+    zh: '节点所有权 NFT 必须提供',
+  },
+  noNft: {
+    en: 'This server is not initialized to accept ownership NFT',
+    zh: '该节点不能用这种方式成为管理员',
+  },
+  noTag: {
+    en: 'Tag not found from server launcher info',
+    zh: '节点初始化信息异常：缺少标签',
+  },
+  noChainHost: {
+    en: 'chainHost not found from server launcher info',
+    zh: '节点初始化信息异常：缺少链地址',
+  },
+  alreadyTransferred: {
+    en: 'The Blocklet Server already belongs to {owner}',
+    zh: '该节点已经属于 {owner}',
+  },
+  delegateTransferOwnerNFT: {
+    en: 'Sign the delegation transaction to authorize blocklet server to transfer your ownership NFT to new owner when he/she claims the transfer.',
+    zh: '签名下面的交易以授权节点转移所有权以及代表所有权的 NFT。',
+  },
+  notAllowedTransferToSelf: {
+    en: 'Not allowed to transfer the Server to yourself',
+    zh: '不能将节点转移给自己',
+  },
+  tagRequired: {
+    en: 'tag is required',
+    zh: 'tag 不能为空',
+  },
 };
 
 const PASSPORT_STATUS_KEY = 'passport-status';
 
+const TEAM_TYPE = {
+  NODE: 'node',
+  BLOCKLET: 'blocklet',
+};
+
 const getPassportStatusEndpoint = ({ baseUrl, userDid, teamDid }) => {
   if (!baseUrl) {
     return null;
@@ -172,24 +308,37 @@ const getRandomMessage = (len = 16) => {
   return hex.replace(/^0x/, '').toUpperCase();
 };
 
-const getTeamInfo = async ({ node, nodeInfo, teamDid }) => {
+const getApplicationInfo = async ({ node, nodeInfo, teamDid }) => {
   let type;
   let name;
   let wallet;
+  let permanentWallet;
   let description;
+  let passportColor;
+  let owner;
+  let dataDir;
 
   if (teamDid === nodeInfo.did) {
     name = nodeInfo.name;
     description = nodeInfo.description;
-    wallet = getNodeWallet(nodeInfo.sk);
-    type = 'node';
+    const _wallet = getNodeWallet(nodeInfo.sk);
+    wallet = _wallet;
+    permanentWallet = _wallet;
+    type = TEAM_TYPE.NODE;
+    passportColor = 'default';
+    owner = nodeInfo.nodeOwner;
+    dataDir = path.join(node.dataDirs.data, NODE_DATA_DIR_NAME);
   } else {
     const blocklet = await node.getBlocklet({ did: teamDid, attachRuntimeInfo: false });
     const blockletInfo = getBlockletInfo(blocklet, nodeInfo.sk);
     name = blockletInfo.name;
     description = blockletInfo.description;
     wallet = blockletInfo.wallet;
-    type = 'blocklet';
+    permanentWallet = blockletInfo.permanentWallet;
+    passportColor = blockletInfo.passportColor;
+    type = TEAM_TYPE.BLOCKLET;
+    owner = get(blocklet, 'settings.owner');
+    dataDir = blocklet.env.dataDir;
   }
 
   return {
@@ -197,7 +346,10 @@ const getTeamInfo = async ({ node, nodeInfo, teamDid }) => {
     name,
     description,
     wallet,
-    did: teamDid,
+    permanentWallet,
+    passportColor,
+    owner,
+    dataDir,
   };
 };
 
@@ -219,9 +371,21 @@ const createAuthToken = ({ did, passport, role, secret, expiresIn } = {}) => {
   return token;
 };
 
-const createAuthTokenByOwnershipNFT = ({ role, secret, expiresIn } = {}) => {
+const createBlockletControllerAuthToken = ({ did, role, controller, secret, expiresIn } = {}) => {
+  const payload = {
+    type: AUTH_CERT_TYPE.BLOCKLET_CONTROLLER,
+    did,
+    role,
+    controller,
+  };
+
+  return jwt.sign(payload, secret, { expiresIn });
+};
+
+const createAuthTokenByOwnershipNFT = ({ did, role, secret, expiresIn } = {}) => {
   const payload = {
-    type: 'ownership_nft',
+    type: AUTH_CERT_TYPE.OWNERSHIP_NFT,
+    did,
     role,
   };
 
@@ -234,8 +398,7 @@ const getUser = async (node, teamDid, userDid) => {
 };
 
 const beforeInvitationRequest = async ({ node, teamDid, inviteId, locale = 'en' }) => {
-  const invitations = await node.getInvitations({ teamDid });
-  const inviteInfo = invitations.find((d) => d.inviteId === inviteId);
+  const inviteInfo = await node.getInvitation({ teamDid, inviteId });
 
   if (!inviteInfo) {
     throw new Error(
@@ -245,17 +408,30 @@ const beforeInvitationRequest = async ({ node, teamDid, inviteId, locale = 'en'
       }[locale]
     );
   }
+
+  const count = await node.getUsersCount({ teamDid });
+  if (count === 0) {
+    throw new Error(
+      {
+        en: 'The Application has no owner attached',
+        zh: '应用未绑定所有者',
+      }[locale]
+    );
+  }
 };
 
 const createInvitationRequest = async ({ node, nodeInfo, teamDid, inviteId, locale = 'en' }) => {
   // verify invite id
-  const invitations = await node.getInvitations({ teamDid });
-  const inviteInfo = invitations.find((d) => d.inviteId === inviteId);
+  const inviteInfo = await node.getInvitation({ teamDid, inviteId });
   if (!inviteInfo) {
     throw new Error('The invitation does not exist or has been used');
   }
 
-  const { name: issuerName, wallet: issuerWallet } = await getTeamInfo({ node, nodeInfo, teamDid });
+  const {
+    name: issuerName,
+    wallet: issuerWallet,
+    passportColor,
+  } = await getApplicationInfo({ node, nodeInfo, teamDid });
 
   const passport = await createPassport({
     name: inviteInfo.role,
@@ -270,12 +446,19 @@ const createInvitationRequest = async ({ node, nodeInfo, teamDid, inviteId, loca
     type: 'mime:text/plain',
     display: JSON.stringify({
       type: 'svg',
-      content: createPassportSvg({ issuer: issuerName, title: passport.title, issuerDid: issuerWallet.address }),
+      content: createPassportSvg({
+        issuer: issuerName,
+        title: passport.title,
+        issuerDid: issuerWallet.address,
+        ownerName: 'Your Name',
+        preferredColor: passportColor,
+      }),
     }),
   };
 };
 
 const handleInvitationResponse = async ({
+  req = {},
   node,
   nodeInfo,
   teamDid,
@@ -286,6 +469,7 @@ const handleInvitationResponse = async ({
   claims,
   statusEndpointBaseUrl,
   endpoint,
+  newNftOwner,
 }) => {
   if (!nodeInfo.nodeOwner) {
     throw new Error(messages.notInitialized[locale]);
@@ -294,9 +478,48 @@ const handleInvitationResponse = async ({
   const claim = claims.find((x) => x.type === 'signature');
   verifySignature(claim, userDid, userPk, locale);
 
-  const { name: issuerName, wallet: issuerWallet, type: issuerType } = await getTeamInfo({ node, nodeInfo, teamDid });
+  const inviteInfo = await node.getInvitation({ teamDid, inviteId });
+  if (!inviteInfo) {
+    throw new Error(`The invitation does not exist: ${inviteId}`);
+  }
+
+  if (inviteInfo.role === 'owner' && userDid === nodeInfo.nodeOwner.did) {
+    throw new Error(messages.notAllowedTransferToSelf[locale]);
+  }
+
+  await node.checkInvitation({ teamDid, inviteId });
+
+  if (inviteInfo.role === 'owner' && get(nodeInfo, 'ownerNft.holder')) {
+    // 这种情况下是 Transfer 有 Owner NFT 的 Blocklet Server
+    const client = new Client(nodeInfo.launcher.chainHost);
+    const ownerNftDid = get(nodeInfo, 'ownerNft.did');
+
+    const { state: assetState } = await client.getAssetState({ address: ownerNftDid });
+    if (assetState.owner !== newNftOwner) {
+      const hash = await client.transfer({
+        delegator: get(nodeInfo, 'ownerNft.holder'),
+        to: newNftOwner,
+        assets: [ownerNftDid],
+        wallet: getNodeWallet(nodeInfo.sk),
+      });
+
+      logger.info('transferred nft', { hash, nft: ownerNftDid });
+      await node.updateNftHolder(newNftOwner);
+      logger.info('updated owner nft holder', { holder: newNftOwner, nft: ownerNftDid });
+    }
+  }
+
+  const {
+    name: issuerName,
+    wallet: issuerWallet,
+    type: issuerType,
+    passportColor,
+    dataDir,
+  } = await getApplicationInfo({ node, nodeInfo, teamDid });
+
+  const { remark } = inviteInfo;
 
-  const inviteInfo = await node.processInvitation({ teamDid, inviteId });
+  const profile = claims.find((x) => x.type === 'profile');
 
   const vcParams = {
     issuerName,
@@ -314,10 +537,12 @@ const handleInvitationResponse = async ({
       userDid,
       teamDid,
     }),
-    types: teamDid === nodeInfo.did ? [NFT_TYPE_NODE_PASSPORT] : [],
+    types: teamDid === nodeInfo.did ? [VC_TYPE_NODE_PASSPORT] : [],
+    ownerProfile: profile,
+    preferredColor: passportColor,
   };
 
-  if (issuerType === 'node') {
+  if (issuerType === TEAM_TYPE.NODE) {
     vcParams.tag = nodeInfo.did;
   }
 
@@ -326,27 +551,61 @@ const handleInvitationResponse = async ({
   const role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
   const passport = createUserPassport(vc, { role });
 
-  const profile = claims.find((x) => x.type === 'profile');
-
   const user = await getUser(node, teamDid, userDid);
 
+  if (role === 'owner') {
+    if (user && user.role === 'owner') {
+      throw new Error(messages.alreadyTransferred[locale](userDid));
+    }
+
+    await node.updateNodeOwner({ nodeOwner: { did: userDid, pk: userPk } });
+
+    const originalOwner = await getUser(node, teamDid, nodeInfo.nodeOwner.did);
+    const originalOwnerPassport = (originalOwner.passports || []).find((p) => p.role === 'owner');
+    if (originalOwnerPassport) {
+      await node.revokeUserPassport({ teamDid, userDid: nodeInfo.nodeOwner.did, passportId: originalOwnerPassport.id });
+      logger.info('passport revoked on server transfer claiming', {
+        teamDid,
+        userDid: nodeInfo.nodeOwner.did,
+        passportId: originalOwnerPassport.id,
+      });
+    }
+  }
+
+  const avatar = await extractUserAvatar(get(profile, 'avatar'), {
+    dataDir,
+  });
+
   if (user) {
-    await node.updateUser({
+    const doc = await node.updateUser({
       teamDid,
       user: {
         ...profile,
+        avatar,
         did: userDid,
         pk: userPk,
         locale,
         passports: upsertToPassports(user.passports || [], passport),
         lastLoginAt: new Date().toISOString(),
+        lastLoginIp: get(req, 'headers[x-real-ip]') || '',
+        remark,
       },
     });
+    await node.createAuditLog(
+      {
+        action: 'updateUser',
+        args: { teamDid, userDid, passport, inviteId, reason: 'accepted invitation' },
+        context: formatContext(Object.assign(req, { user })),
+        result: doc,
+      },
+      node
+    );
   } else {
-    await node.addUser({
+    const doc = await node.addUser({
       teamDid,
       user: {
         ...profile,
+        avatar,
         did: userDid,
         pk: userPk,
         approved: true,
@@ -354,11 +613,30 @@ const handleInvitationResponse = async ({
         passports: [passport],
         firstLoginAt: new Date().toISOString(),
         lastLoginAt: new Date().toISOString(),
+        lastLoginIp: get(req, 'headers[x-real-ip]') || '',
+        remark,
       },
     });
+    await node.createAuditLog(
+      {
+        action: 'addUser',
+        args: { teamDid, userDid, passport, inviteId, reason: 'accepted invitation' },
+        context: formatContext(Object.assign(req, { user: doc })),
+        result: doc,
+      },
+      node
+    );
   }
 
-  logger.info('login.success', { userDid });
+  logger.info('invite success', { userDid });
+
+  // await node.closeInvitation({ teamDid, inviteId, status: 'success', receiver: { did: userDid, role } });
+  await node.closeInvitation({
+    teamDid,
+    inviteId,
+    status: 'success',
+    receiver: { did: userDid, role, timeout: 1000 * 9999 },
+  });
 
   return {
     passport,
@@ -388,14 +666,25 @@ const createIssuePassportRequest = async ({ node, nodeInfo, teamDid, id, locale
   if (!id) {
     throw new Error('The issuance id does not exist');
   }
-
   const list = await node.getPassportIssuances({ teamDid });
   const issuanceInfo = list.find((x) => x.id === id);
   if (!issuanceInfo) {
     throw new Error('The issuance does not exist or has been used');
   }
 
-  const { name: issuerName, wallet: issuerWallet } = await getTeamInfo({ node, nodeInfo, teamDid });
+  const {
+    name: issuerName,
+    wallet: issuerWallet,
+    passportColor,
+    owner: teamOwner,
+    dataDir,
+  } = await getApplicationInfo({ node, nodeInfo, teamDid });
+
+  if (issuanceInfo.name === ROLES.OWNER && !!teamOwner) {
+    throw new Error('Cannot receive owner passport because the owner already exists');
+  }
+
+  const user = await getUser(node, teamDid, issuanceInfo.ownerDid);
 
   const passport = await createPassport({
     name: issuanceInfo.name,
@@ -410,7 +699,14 @@ const createIssuePassportRequest = async ({ node, nodeInfo, teamDid, id, locale
     type: 'mime:text/plain',
     display: JSON.stringify({
       type: 'svg',
-      content: createPassportSvg({ issuer: issuerName, title: passport.title, issuerDid: issuerWallet.address }),
+      content: createPassportSvg({
+        issuer: issuerName,
+        title: passport.title,
+        issuerDid: issuerWallet.address,
+        ownerName: get(user, 'fullName', 'Your Name'),
+        ownerAvatarUrl: await parseUserAvatar(get(user, 'avatar', ''), { dataDir }),
+        preferredColor: passportColor,
+      }),
     }),
   };
 };
@@ -420,6 +716,7 @@ const createIssuePassportRequest = async ({ node, nodeInfo, teamDid, id, locale
  * @param {string} statusEndpointBaseUrl passport status endpoint base url
  */
 const handleIssuePassportResponse = async ({
+  req = {},
   node,
   nodeInfo,
   teamDid,
@@ -429,6 +726,7 @@ const handleIssuePassportResponse = async ({
   locale = 'en',
   claims,
   statusEndpointBaseUrl,
+  updateSession,
   endpoint,
 }) => {
   // verify signature
@@ -445,17 +743,32 @@ const handleIssuePassportResponse = async ({
     );
   }
 
-  const { name: issuerName, wallet: issuerWallet, type: issuerType } = await getTeamInfo({ node, nodeInfo, teamDid });
+  const {
+    name: issuerName,
+    wallet: issuerWallet,
+    type: issuerType,
+    passportColor,
+    owner: teamOwner,
+    dataDir,
+  } = await getApplicationInfo({ node, nodeInfo, teamDid });
 
   // get issuanceInfo from session
   const list = await node.getPassportIssuances({ teamDid });
   const issuanceInfo = list.find((x) => x.id === id);
   const { name, ownerDid } = issuanceInfo;
 
+  if (name === ROLES.OWNER && !!teamOwner) {
+    throw new Error('Cannot receive Owner Passport because the owner already exists');
+  }
+
   if (ownerDid !== userDid) {
     throw new Error(messages.notOwner[locale]);
   }
 
+  if (user) {
+    user.avatar = await parseUserAvatar(user.avatar, { dataDir });
+  }
+
   const vcParams = {
     issuerName,
     issuerWallet,
@@ -472,10 +785,12 @@ const handleIssuePassportResponse = async ({
       userDid,
       teamDid,
     }),
-    types: teamDid === nodeInfo.did ? [NFT_TYPE_NODE_PASSPORT] : [],
+    types: teamDid === nodeInfo.did ? [VC_TYPE_NODE_PASSPORT] : [],
+    ownerProfile: user,
+    preferredColor: passportColor,
   };
 
-  if (issuerType === 'node') {
+  if (issuerType === TEAM_TYPE.NODE) {
     vcParams.tag = nodeInfo.did;
   }
 
@@ -496,7 +811,23 @@ const handleIssuePassportResponse = async ({
   }
 
   // delete session
-  await node.processPassportIssuance({ teamDid, sessionId: id });
+  const result = await node.processPassportIssuance({ teamDid, sessionId: id });
+  await node.createAuditLog(
+    {
+      action: 'processPassportIssuance',
+      args: { teamDid, userDid, ...result, sessionId: id, reason: 'claimed passport' },
+      context: formatContext(Object.assign(req, { user })),
+      result,
+    },
+    node
+  );
+
+  if (name === ROLES.OWNER && issuerType === TEAM_TYPE.BLOCKLET) {
+    logger.info('Bind owner for blocklet', { teamDid, userDid });
+    await node.setBlockletInitialized({ did: teamDid, owner: { did: userDid, pk: userPk } });
+  }
+
+  await updateSession({ passportId: vc.id });
 
   return {
     disposition: 'attachment',
@@ -505,10 +836,10 @@ const handleIssuePassportResponse = async ({
   };
 };
 
-const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, locale = 'en' }) => {
-  const credential = claims.find(
-    (x) => x.type === 'verifiableCredential' && vcTypes.some((item) => x.item.includes(item))
-  );
+const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, locale = 'en', vcId }) => {
+  const credential = claims
+    .filter(Boolean) // FIXES: https://github.com/ArcBlock/did-connect/issues/74
+    .find((x) => x.type === 'verifiableCredential' && vcTypes.some((item) => x.item.includes(item)));
 
   if (!credential || !credential.presentation) {
     return {};
@@ -534,6 +865,11 @@ const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, loc
     : [presentation.verifiableCredential];
   const vc = JSON.parse(credentials[0]);
 
+  // verify vc id
+  if (vcId && vc.id !== vcId) {
+    throw new Error(messages.invalidCredentialId[locale](vcId));
+  }
+
   // verify vc type
   const types = [].concat(vc.type);
   if (!types.some((x) => vcTypes.includes(x))) {
@@ -546,8 +882,8 @@ const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, loc
   };
 };
 
-const checkWalletVersion = ({ abtwallet, locale = 'en' }) => {
-  const { os, version } = abtwallet;
+const checkWalletVersion = ({ didwallet, locale = 'en' }) => {
+  const { os, version } = didwallet;
 
   const defaultExpected = '3.0.0';
 
@@ -566,11 +902,21 @@ const checkWalletVersion = ({ abtwallet, locale = 'en' }) => {
 
 const getPassportStatus = async ({ node, teamDid, userDid, vcId, locale = 'en' }) => {
   const nodeInfo = await node.getNodeInfo();
-  const { wallet: issuerWallet, name: issuerName, type: issuerType } = await getTeamInfo({ node, nodeInfo, teamDid });
+  const {
+    wallet: issuerWallet,
+    name: issuerName,
+    type: issuerType,
+  } = await getApplicationInfo({ node, nodeInfo, teamDid });
 
   const actionLabel = {
-    zh: `${issuerType === 'node' ? '管理节点' : '查看 Blocklet'}`,
-    en: `${issuerType === 'node' ? 'Manage Node' : 'View Blocklet'}`,
+    open: {
+      zh: `${issuerType === TEAM_TYPE.NODE ? '管理节点' : '查看 Blocklet'}`,
+      en: `${issuerType === TEAM_TYPE.NODE ? 'Manage Node' : 'View Blocklet'}`,
+    },
+    manage: {
+      zh: '管理 Blocklet',
+      en: 'Manage Blocklet',
+    },
   };
 
   const user = await node.getUser({ teamDid, user: { did: userDid } });
@@ -598,18 +944,33 @@ const getPassportStatus = async ({ node, teamDid, userDid, vcId, locale = 'en' }
 
   const actionList = [];
   if (passport.endpoint) {
+    const claims = [];
+
+    // open blocklet
+    claims.push({
+      id: passport.endpoint,
+      type: 'navigate',
+      name: issuerType === TEAM_TYPE.NODE ? 'open-node' : 'open-blocklet',
+      scope: 'public',
+      label: actionLabel.open[locale],
+    });
+
+    // manage blocklet
+    const { name } = passport;
+    if ([ROLES.OWNER, ROLES.ADMIN].includes(name) && issuerType === TEAM_TYPE.BLOCKLET) {
+      claims.push({
+        id: joinUrl(passport.endpoint, WELLKNOWN_BLOCKLET_ADMIN_PATH),
+        type: 'navigate',
+        name: 'open-blocklet-admin',
+        scope: 'public',
+        label: actionLabel.manage[locale],
+      });
+    }
+
     actionList.push(
       ...createCredentialList({
         issuer,
-        claims: [
-          {
-            id: passport.endpoint,
-            type: 'navigate',
-            name: issuerType === 'node' ? 'open-node' : 'open-blocklet',
-            scope: 'public',
-            label: actionLabel[locale],
-          },
-        ],
+        claims,
       })
     );
   }
@@ -682,7 +1043,7 @@ const setUserInfoHeaders = (req) => {
 
 module.exports = {
   getUser,
-  getTeamInfo,
+  getApplicationInfo,
   createAuthToken,
   createAuthTokenByOwnershipNFT,
   beforeInvitationRequest,
@@ -698,4 +1059,6 @@ module.exports = {
   getPassportStatus,
   validatePassportStatus,
   setUserInfoHeaders,
+  createBlockletControllerAuthToken,
+  TEAM_TYPE,
 };