@abtnode/auth 1.16.11-beta-0ae58a71 → 1.16.11-beta-f9719c31

package/lib/auth.js

@@ -191,6 +191,10 @@ const messages = {
     en: 'Missing chain host',
     zh: '缺少链的端点地址',
   },
+  missingLauncherSession: {
+    en: 'Missing launcherUrl and launcherSessionId',
+    zh: '缺少启动器会话参数',
+  },
   invalidBlocklet: {
     en: 'Invalid Blocklet',
     zh: '无效的 Blocklet',
@@ -249,10 +253,14 @@ const messages = {
     en: 'Blocklet Space NFT ID is required',
     zh: '应用空间 NFT ID 是必须的',
   },
-  nftAlreadyConsume: {
+  nftAlreadyConsumed: {
     en: 'This NFT has already been used',
     zh: '该 NFT 已经被使用过了',
   },
+  sessionAlreadyConsumed: {
+    en: 'This session has already been used',
+    zh: '该会话已经被使用过了',
+  },
   nftAlreadyExpired: {
     en: 'This NFT has expired',
     zh: '该 NFT 已经过期',
@@ -896,7 +904,7 @@ const handleIssuePassportResponse = async ({
   };
 };
 
-const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, locale = 'en', vcId }) => {
+const getVCFromClaims = ({ claims, challenge, trustedIssuers, vcTypes, locale = 'en', vcId }) => {
   const credential = claims
     .filter(Boolean) // FIXES: https://github.com/ArcBlock/did-connect/issues/74
     .find((x) => x.type === 'verifiableCredential' && vcTypes.some((item) => x.item.includes(item)));
@@ -1114,8 +1122,44 @@ const setUserInfoHeaders = (req) => {
   }
 };
 
+/**
+ * Defines properties for an asset.
+ * @typedef {Object} AssetClaim
+ * @property {string} acquireUrl URL to acquire the asset
+ * @property {string} asset The asset identifier
+ * @property {string} description A description of the asset
+ * @property {Filter[]} [filters] Filters that can be used to acquire the asset
+ * @property {Object} [meta] Metadata associated with the asset
+ * @property {string[]} [mfaCode] Multi-factor authentication code for the asset
+ * @property {boolean} optional Whether the asset is optional or required
+ * @property {string} ownerDid DID of the asset owner
+ * @property {string} ownerPk Public key of the asset owner
+ * @property {string} ownerProof Ownership proof for the asset
+ * @property {string} [tag] Tag or category of the asset
+ * @property {'asset'} type The type of entity, always "asset"
+ */
+
+/**
+ * @typedef {Object} Filter
+ * @property {string} acquireUrl URL to acquire the asset through this filter
+ * @property {string} tag Tag associated with this filter
+ * @property {string[]} trustedIssuers Issuers trusted for this filter
+ */
+
+/**
+ *
+ * @description 校验 NFT
+ * @param {{
+ *  claims: any[],
+ *  challenge: any,
+ *  chainHost: string,
+ *  locale: 'zh' | 'en',
+ * }}
+ * @returns {Promise<import('@ocap/client').AssetState>}
+ */
 const verifyNFT = async ({ claims, challenge, chainHost, locale }) => {
   const client = getChainClient(chainHost);
+  /** @type {AssetClaim} */
   const claim = claims.find((x) => x.type === 'asset');
   if (!claim) {
     throw new Error(messages.missingNftClaim[locale]);

package/lib/launcher.js

@@ -0,0 +1,90 @@
+const Joi = require('joi');
+const axios = require('@abtnode/util/lib/axios');
+const joinURL = require('url-join');
+const pRetry = require('p-retry');
+const { stableStringify } = require('@arcblock/vc');
+const { toBase58 } = require('@ocap/util');
+const getNodeWallet = require('@abtnode/util/lib/get-app-wallet');
+const formatError = require('@abtnode/util/lib/format-error');
+
+const logger = require('@abtnode/logger')('@abtnode/auth:launcher');
+
+const schema = Joi.object({
+  launcherSessionId: Joi.string().required(),
+  launcherUrl: Joi.string().uri().required(),
+});
+
+// eslint-disable-next-line require-await
+const doRequest = async (serverSk, { launcherUrl, pathname, payload, method = 'post' }) => {
+  if (!serverSk) {
+    throw new Error('serverSk is required to request launcher');
+  }
+
+  const wallet = getNodeWallet(serverSk);
+
+  const fn = async () => {
+    const { data } = await axios({
+      method,
+      url: joinURL(launcherUrl, pathname),
+      data: method !== 'get' ? payload : {},
+      params: method === 'get' ? payload : {},
+      headers: {
+        'x-server-sig': toBase58(wallet.sign(stableStringify(payload))),
+      },
+    });
+
+    return data;
+  };
+
+  const delay = 10 * 1000;
+  return pRetry(fn, {
+    retries: 3,
+    minTimeout: delay,
+    maxTimeout: delay,
+    onFailedAttempt: (error) => {
+      logger.error('failed to call launcher', { error, launcherUrl, pathname, payload });
+      // Exclude retrying for 4XX response codes
+      if (error.response && error.response.status >= 400 && error.response.status < 500) {
+        throw error;
+      }
+    },
+  });
+};
+
+const getLauncherSession = async (serverSk, params) => {
+  const { error } = schema.validate(params);
+  if (error) {
+    return { error: formatError(error) };
+  }
+
+  const { launcherSessionId, launcherUrl } = params;
+  try {
+    const result = await doRequest(serverSk, {
+      launcherUrl,
+      pathname: `/api/launches/${launcherSessionId}`,
+      payload: {},
+      method: 'get',
+    });
+    return { error: '', launcherSession: result.launch };
+  } catch (err) {
+    return { error: formatError(err) };
+  }
+};
+
+const getLauncherUser = async (serverSk, params) => {
+  const { launcherSessionId, launcherUrl } = params;
+  const result = await doRequest(serverSk, {
+    launcherUrl,
+    pathname: `/api/launches/${launcherSessionId}/user`,
+    payload: {},
+    method: 'get',
+  });
+
+  return result.user;
+};
+
+module.exports = {
+  doRequest,
+  getLauncherSession,
+  getLauncherUser,
+};

package/lib/lost-passport.js

@@ -89,7 +89,7 @@ const createLostPassportListRoute = ({ node, type }) => ({
   action: 'lost-passport-list',
 
   claims: {
-    profile: async ({ extraParams }) => {
+    profile: ({ extraParams }) => {
       const { locale } = extraParams;
       return {
         fields: ['fullName'],

package/lib/passport.js

@@ -29,7 +29,7 @@ const validatePassport = (d) => {
   return value;
 };
 
-const createPassport = async ({ name, node, locale = 'en', teamDid, endpoint, role: inputRole } = {}) => {
+const createPassport = async ({ name, node, locale = 'en', teamDid, endpoint, role: inputRole = null } = {}) => {
   const passportNotFound = {
     en: (x) => `The passport was not found: ${x}`,
     zh: (x) => `未找到通行证: ${x}`,
@@ -66,7 +66,7 @@ const createPassportVC = ({
   passport,
   endpoint,
   types = [],
-  tag,
+  tag = '',
   ownerProfile,
   preferredColor,
   expirationDate,

package/lib/server.js

@@ -47,6 +47,7 @@ const {
   createUserPassport,
   getPassportClaimUrl,
 } = require('./passport');
+const { getLauncherSession } = require('./launcher');
 const logger = require('./logger');
 
 const secret = process.env.ABT_NODE_SESSION_SECRET;
@@ -245,6 +246,35 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale, isA
   };
 };
 
+const authenticateByLauncher = async ({ node, claims, launcherSessionId, launcherUrl, chainHost }) => {
+  const info = await node.getNodeInfo();
+  const { error, launcherSession } = await getLauncherSession(info.sk, { launcherSessionId, launcherUrl });
+  if (error) {
+    throw new Error(error);
+  }
+
+  const claim = claims.find((x) => x.type === 'keyPair');
+  return {
+    role: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER,
+    teamDid: info.did,
+    user: {
+      did: claim.userDid,
+      pk: claim.userPk,
+    },
+    extra: {
+      controller: {
+        nftId: launcherSession.nftDid,
+        nftOwner: launcherSession.userDid,
+        chainHost,
+        appMaxCount: 1,
+        launcherUrl,
+        launcherSessionId,
+        ownerDid: claim.userDid,
+      },
+    },
+  };
+};
+
 const authenticateBySession = async ({ node, userDid, locale, allowedRoles = ['owner', 'admin', 'member'] }) => {
   const info = await node.getNodeInfo();
   const user = await getUser(node, info.did, userDid);
@@ -297,7 +327,7 @@ const getAuthVcClaim =
 
 const getAuthNFTClaim =
   ({ node }) =>
-  async ({ extraParams: { locale, launchType, nftId }, context: { didwallet } }) => {
+  ({ extraParams: { locale, launchType, nftId }, context: { didwallet } }) => {
     checkWalletVersion({ didwallet, locale });
     if (launchType === 'serverless') {
       if (!nftId) {
@@ -535,7 +565,7 @@ const getOwnershipNFTClaim = async (node, locale) => {
   };
 };
 
-const getServerlessNFTClaim = async (nftId, locale) => {
+const getServerlessNFTClaim = (nftId, locale) => {
   return {
     description: messages.requestBlockletSpaceNFT[locale],
     address: nftId,
@@ -549,10 +579,12 @@ const ensureBlockletPermission = async ({
   claims,
   challenge,
   locale,
-  blocklet,
-  isAuth,
   chainHost,
+  isAuth = false,
+  blocklet = null,
   allowedRoles = ['owner', 'admin', 'member'],
+  launcherUrl = '',
+  launcherSessionId = '',
 }) => {
   let result;
   if (authMethod === 'vc') {
@@ -576,6 +608,14 @@ const ensureBlockletPermission = async ({
       isAuth,
       chainHost,
     });
+  } else if (authMethod === 'launcher') {
+    result = await authenticateByLauncher({
+      node,
+      claims,
+      launcherUrl,
+      launcherSessionId,
+      chainHost,
+    });
   } else {
     result = await authenticateBySession({
       node,
@@ -597,12 +637,12 @@ const ensureBlockletPermission = async ({
 const createLaunchBlockletHandler =
   (node, authMethod) =>
   async ({ claims, challenge, userDid, updateSession, req, didwallet, extraParams }) => {
-    const { locale, blockletMetaUrl, title, description, chainHost } = extraParams;
+    const { locale, blockletMetaUrl, title, description, chainHost, launcherSessionId, launcherUrl } = extraParams;
     logger.info('createLaunchBlockletHandler', extraParams);
 
-    const keyPair = claims.find((x) => x.type === 'keyPair');
-    if (!keyPair) {
-      logger.error('app keyPair must be provided');
+    const claim = claims.find((x) => x.type === 'keyPair');
+    if (!claim) {
+      logger.error('keyPair claim must be provided');
       throw new Error(messages.missingKeyPair[locale]);
     }
 
@@ -616,6 +656,11 @@ const createLaunchBlockletHandler =
       throw new Error(messages.missingChainHost[locale]);
     }
 
+    if (authMethod === 'launcher' && !(launcherSessionId && launcherUrl)) {
+      logger.error('launcherUrl and launcherSessionId must be provided');
+      throw new Error(messages.missingLauncherSession[locale]);
+    }
+
     let blocklet;
     let blockletWalletType;
     if (blockletMetaUrl) {
@@ -644,13 +689,13 @@ const createLaunchBlockletHandler =
       claims,
       challenge,
       locale,
-      isAuth: false,
       chainHost,
       blocklet,
+      launcherSessionId,
+      launcherUrl,
     });
 
     let controller;
-
     let sessionToken = '';
     if (authMethod === 'vc') {
       sessionToken = createAuthToken({
@@ -660,52 +705,71 @@ const createLaunchBlockletHandler =
         secret,
         expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
       });
-    }
-    if (authMethod === 'nft') {
-      if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
-        controller = extra.controller;
-        sessionToken = createBlockletControllerAuthToken({
-          did: userDid,
-          role,
-          controller,
-          secret,
-          expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
-        });
-      } else {
-        sessionToken = createAuthTokenByOwnershipNFT({
-          did: userDid,
-          role,
-          secret,
-          expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
-        });
-      }
+    } else if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
+      // launch with serverless nft or launcher session
+      controller = extra.controller;
+      sessionToken = createBlockletControllerAuthToken({
+        did: userDid,
+        role,
+        controller,
+        secret,
+        expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+      });
+    } else if (authMethod === 'nft') {
+      // launch with server nft
+      sessionToken = createAuthTokenByOwnershipNFT({
+        did: userDid,
+        role,
+        secret,
+        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+      });
     }
 
     if (sessionToken) {
       await updateSession({ sessionToken }, true);
     }
 
-    const appSk = toHex(keyPair.secret);
-    const appDid = getApplicationWallet(appSk, undefined, blockletWalletType).address;
-    await updateSession({ appDid });
+    const appSk = toHex(claim.secret);
+    const wallet = getApplicationWallet(appSk, undefined, blockletWalletType);
+    const appDid = wallet.address;
+    const { id: sessionId } = await node.startSession({
+      data: {
+        appDid,
+        userDid,
+        ownerDid: claim.userDid,
+        ownerPk: claim.userPk,
+        lastLoginIp: get(req, 'headers[x-real-ip]') || '',
+        context: formatContext(req),
+        locale,
+        launcherSessionId,
+        launcherUrl,
+      },
+    });
+
+    await updateSession({ appDid, sessionId });
 
+    // FIXME: @zhenqiang do we still need this here? since the appDid changes each time
     if (blocklet) {
       // 检查是否已安装，这里不做升级的处理
       const existedBlocklet = await node.getBlocklet({ did: appDid });
-
-      // 如果是 serverless, 并且已经消费过了，但是没有安装，则抛出异常
-      if (!existedBlocklet && role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER && isNFTConsumed(nft)) {
-        throw new Error(messages.nftAlreadyConsumed[locale]);
-      }
-
       if (existedBlocklet) {
         await updateSession({ isInstalled: true });
         logger.info('blocklet already exists', { appDid });
         return;
       }
+
+      // 如果是 serverless, 并且已经消费过了，但是没有安装，则抛出异常
+      if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
+        if (authMethod === 'nft' && isNFTConsumed(nft)) {
+          throw new Error(messages.nftAlreadyConsumed[locale]);
+        }
+        if (authMethod === 'launcher' && (await node.isLauncherSessionConsumed({ launcherUrl, launcherSessionId }))) {
+          throw new Error(messages.sessionAlreadyConsumed[locale]);
+        }
+      }
     }
 
-    logger.info('start install blocklet', { blockletMetaUrl, title, description });
+    logger.info('start install blocklet', { blockletMetaUrl, title, description, controller });
     await node.installBlocklet(
       {
         url: blockletMetaUrl,
@@ -713,7 +777,6 @@ const createLaunchBlockletHandler =
         description,
         appSk,
         skSource: didwallet?.version ? `${didwallet.os}-wallet-v${didwallet.version}` : '',
-        delay: 1000 * 4, // delay 4 seconds to download, wait for ws connection from frontend
         downloadTokenList: extraParams?.previousWorkflowData?.downloadTokenList,
         controller: role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER ? controller : null,
       },
@@ -754,9 +817,9 @@ const createRotateKeyPairHandler =
     const { locale, appDid } = extraParams;
     logger.info('createRotateKeyPairHandler', extraParams);
 
-    const keyPair = claims.find((x) => x.type === 'keyPair');
-    if (!keyPair) {
-      logger.error('app keyPair must be provided');
+    const claim = claims.find((x) => x.type === 'keyPair');
+    if (!claim) {
+      logger.error('keyPair claim must be provided');
       throw new Error(messages.missingKeyPair[locale]);
     }
 
@@ -783,16 +846,47 @@ const createRotateKeyPairHandler =
     await node.configBlocklet(
       {
         did: blocklet.meta.did,
-        configs: [{ key: 'BLOCKLET_APP_SK', value: toHex(keyPair.secret), secure: true }],
+        configs: [{ key: 'BLOCKLET_APP_SK', value: toHex(claim.secret), secure: true }],
         skipHook: true,
       },
       formatContext(Object.assign(req, { user: { did: userDid, fullName: 'Owner', role: 'owner' } }))
     );
   };
 
+const handleRestoreByLauncherSession = async ({ node, userDid, updateSession, extraParams }) => {
+  const { chainHost, locale, launcherUrl, launcherSessionId } = extraParams;
+  if (await node.isLauncherSessionConsumed({ launcherUrl, launcherSessionId })) {
+    throw new Error(messages.sessionAlreadyConsumed[locale]);
+  }
+
+  const { launcherSession } = await node.getLauncherSession({ launcherUrl, launcherSessionId, external: false });
+  const controller = {
+    nftId: launcherSession.nftDid,
+    nftOwner: launcherSession.userDid,
+    chainHost,
+    appMaxCount: 1,
+    launcherUrl,
+    launcherSessionId,
+    ownerDid: userDid, // FIXME: @wangshijun is this incorrect
+  };
+
+  const sessionToken = createBlockletControllerAuthToken({
+    did: userDid,
+    role: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER,
+    controller,
+    secret,
+    expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+  });
+
+  await updateSession({ sessionToken }, true);
+
+  return controller;
+};
+
 const createRestoreByNftHandler =
   (node, authMethod) =>
-  async ({ claims, challenge, userDid, updateSession, extraParams: { chainHost, locale } }) => {
+  async ({ claims, challenge, userDid, updateSession, extraParams }) => {
+    const { chainHost, locale, launcherUrl, launcherSessionId } = extraParams;
     const { role, extra } = await ensureBlockletPermission({
       authMethod,
       node,
@@ -800,8 +894,9 @@ const createRestoreByNftHandler =
       claims,
       challenge,
       locale,
-      isAuth: false,
       chainHost,
+      launcherUrl,
+      launcherSessionId,
     });
 
     let sessionToken = '';
@@ -838,7 +933,7 @@ const createRestoreByNftHandler =
 
 const createServerlessInstallGuard = (node) => {
   return async ({ extraParams }) => {
-    const { locale, blockletMetaUrl } = extraParams;
+    const { locale, blockletMetaUrl, launcherUrl, launcherSessionId } = extraParams;
     const [info, blocklet] = await Promise.all([
       node.getNodeInfo(),
       blockletMetaUrl ? node.getBlockletMetaFromUrl({ url: blockletMetaUrl, checkPrice: true }) : null,
@@ -851,6 +946,13 @@ const createServerlessInstallGuard = (node) => {
         throw new Error(messages.notSupported[locale]);
       }
     }
+
+    // check if launcher session consumed
+    if (launcherUrl && launcherSessionId) {
+      if (await node.isLauncherSessionConsumed({ launcherUrl, launcherSessionId })) {
+        throw new Error(messages.sessionAlreadyConsumed[locale]);
+      }
+    }
   };
 };
 
@@ -860,6 +962,7 @@ module.exports = {
   authenticateByVc,
   authenticateByNFT,
   authenticateBySession,
+  authenticateByLauncher,
   getRotateKeyPairClaims,
   getOwnershipNFTClaim,
   getLaunchBlockletClaims,
@@ -876,4 +979,5 @@ module.exports = {
   getAuthPrincipalForMigrateAppToV2,
   getAuthPrincipalForTransferAppOwnerShip,
   createServerlessInstallGuard,
+  handleRestoreByLauncherSession,
 };

package/lib/util/get-auth-method.js

@@ -1,10 +1,18 @@
 const get = require('lodash/get');
 
-const getServerAuthMethod = (info, type) => {
+const getServerAuthMethod = (info, type, launcherSessionId = '', authorized = false) => {
+  if (launcherSessionId) {
+    return 'launcher';
+  }
+
   if (type === 'serverless') {
     return 'nft';
   }
 
+  if (authorized) {
+    return 'session';
+  }
+
   if (info.initialized) {
     return 'vc';
   }

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.11-beta-0ae58a71",
+  "version": "1.16.11-beta-f9719c31",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,16 +20,17 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.16.11-beta-0ae58a71",
-    "@abtnode/logger": "1.16.11-beta-0ae58a71",
-    "@abtnode/util": "1.16.11-beta-0ae58a71",
-    "@arcblock/did": "1.18.80",
-    "@arcblock/vc": "1.18.80",
-    "@blocklet/constant": "1.16.11-beta-0ae58a71",
-    "@blocklet/meta": "1.16.11-beta-0ae58a71",
-    "@ocap/mcrypto": "1.18.80",
-    "@ocap/util": "1.18.80",
-    "@ocap/wallet": "1.18.80",
+    "@abtnode/constant": "1.16.11-beta-f9719c31",
+    "@abtnode/logger": "1.16.11-beta-f9719c31",
+    "@abtnode/util": "1.16.11-beta-f9719c31",
+    "@arcblock/did": "1.18.84",
+    "@arcblock/vc": "1.18.84",
+    "@blocklet/constant": "1.16.11-beta-f9719c31",
+    "@blocklet/meta": "1.16.11-beta-f9719c31",
+    "@ocap/mcrypto": "1.18.84",
+    "@ocap/util": "1.18.84",
+    "@ocap/wallet": "1.18.84",
+    "fs-extra": "^10.1.0",
     "joi": "17.7.0",
     "jsonwebtoken": "^9.0.0",
     "lodash": "^4.17.21",
@@ -41,5 +42,5 @@
   "devDependencies": {
     "jest": "^27.5.1"
   },
-  "gitHead": "5d044a08b4399eb855563e670af7cbd0d3851e94"
+  "gitHead": "2d88c5df1a414e5b6a8d575984e1940de7573976"
 }