@abtnode/auth 1.16.32-beta-4d47ae7f → 1.16.32-beta-0593a408

package/lib/auth.js

@@ -34,6 +34,7 @@ const {
   upsertToPassports,
   createUserPassport,
   getRoleFromLocalPassport,
+  createKycVC,
 } = require('./passport');
 
 const createPassportSvg = require('./util/create-passport-svg');
@@ -48,6 +49,10 @@ const messages = {
   requestOwnerPassport: getLocaleMap('requestOwnerPassport'),
   requestBlockletNft: getLocaleMap('requestBlockletNft'),
   receivePassport: getLocaleMap('receivePassport'),
+  requestEmailKyc: getLocaleMap('requestEmailKyc'),
+  requestPhoneKyc: getLocaleMap('requestPhoneKyc'),
+  receiveEmailKyc: getLocaleMap('receiveEmailKyc'),
+  receivePhoneKyc: getLocaleMap('receivePhoneKyc'),
 
   // error
   actionForbidden: getLocaleMap('actionForbidden'),
@@ -59,9 +64,14 @@ const messages = {
   notAppOwner: getLocaleMap('notAppOwner'),
   notSupported: getLocaleMap('notSupported'),
   notAllowedAppUser: getLocaleMap('notAllowedAppUser'),
-  missingCredentialClaim: getLocaleMap('missingCredentialClaim'),
-  missingBlockletCredentialClaim: getLocaleMap('missingBlockletCredentialClaim'),
+  missingPassport: getLocaleMap('missingPassport'),
+  missingEmailKyc: getLocaleMap('missingEmailKyc'),
+  missingPhoneKyc: getLocaleMap('missingPhoneKyc'),
   missingChallenge: getLocaleMap('missingChallenge'),
+  emailMismatch: getLocaleMap('emailMismatch'),
+  phoneMismatch: getLocaleMap('phoneMismatch'),
+  emailAlreadyUsed: getLocaleMap('emailAlreadyUsed'),
+  phoneAlreadyUsed: getLocaleMap('phoneAlreadyUsed'),
   invalidCredentialHolder: getLocaleMap('invalidCredentialHolder'),
   invalidCredentialProof: getLocaleMap('invalidCredentialProof'),
   notOwner: getLocaleMap('notOwner'),
@@ -273,12 +283,14 @@ const createAuthToken = ({
   tokenType,
   provider = LOGIN_PROVIDER.WALLET,
   walletOS,
+  kyc = 0,
 } = {}) => {
   const payload = {
     type: 'user',
     did,
     role,
     provider,
+    kyc,
   };
   if (walletOS) {
     payload.walletOS = walletOS;
@@ -375,6 +387,8 @@ const createInvitationRequest = async ({ node, nodeInfo, teamDid, inviteId, base
     display: JSON.stringify({
       type: 'svg',
       content: createPassportSvg({
+        scope: 'passport',
+        role: inviteInfo.role,
         issuer: issuerName,
         title: passport.title,
         issuerDid: issuerWallet.address,
@@ -401,6 +415,7 @@ const handleInvitationReceive = async ({
   endpoint,
   profile,
   provider = LOGIN_PROVIDER.WALLET,
+  kycUpdates = {},
 }) => {
   if (!nodeInfo.nodeOwner) {
     throw new Error(messages.notInitialized[locale]);
@@ -518,6 +533,7 @@ const handleInvitationReceive = async ({
       teamDid,
       user: {
         ...profile,
+        ...kycUpdates,
         avatar,
         did: user.did,
         pk: user.pk,
@@ -547,6 +563,7 @@ const handleInvitationReceive = async ({
       teamDid,
       user: {
         ...profile,
+        ...kycUpdates,
         avatar,
         did: userDid,
         pk: userPk,
@@ -610,6 +627,7 @@ const handleInvitationResponse = async ({
   statusEndpointBaseUrl,
   endpoint,
   newNftOwner,
+  kycUpdates = {},
 }) => {
   const claim = claims.find((x) => x.type === 'signature');
   verifySignature(claim, userDid, userPk, locale);
@@ -630,6 +648,7 @@ const handleInvitationResponse = async ({
     endpoint,
     profile,
     provider: LOGIN_PROVIDER.WALLET,
+    kycUpdates,
   });
 
   return receiveResult;
@@ -683,6 +702,8 @@ const createIssuePassportRequest = async ({ node, nodeInfo, teamDid, id, baseUrl
     display: JSON.stringify({
       type: 'svg',
       content: createPassportSvg({
+        scope: 'passport',
+        role: issuanceInfo.name,
         issuer: issuerName,
         title: passport.title,
         issuerDid: issuerWallet.address,
@@ -696,10 +717,6 @@ const createIssuePassportRequest = async ({ node, nodeInfo, teamDid, id, baseUrl
   };
 };
 
-/**
- * @param {string} endpoint passport endpoint
- * @param {string} statusEndpointBaseUrl passport status endpoint base url
- */
 const handleIssuePassportResponse = async ({
   req = {},
   node,
@@ -828,7 +845,7 @@ const handleIssuePassportResponse = async ({
   };
 };
 
-const getVCFromClaims = ({ claims, challenge, trustedIssuers, vcTypes, locale = 'en', vcId }) => {
+const getVCFromClaims = ({ claims, challenge, trustedIssuers, types, locale = 'en', vcId = '' }) => {
   const credential = claims
     .filter(Boolean) // FIXES: https://github.com/ArcBlock/did-connect/issues/74
     .find(
@@ -836,7 +853,7 @@ const getVCFromClaims = ({ claims, challenge, trustedIssuers, vcTypes, locale =
         x.type === 'verifiableCredential' &&
         // 注意此处不要筛选出 did Spaces 的 verifiableCredential
         x?.meta?.purpose !== 'DidSpace' &&
-        vcTypes.some((item) => x.item.includes(item))
+        types.some((item) => x.item.includes(item))
     );
 
   if (!credential || !credential.presentation) {
@@ -870,14 +887,13 @@ const getVCFromClaims = ({ claims, challenge, trustedIssuers, vcTypes, locale =
   }
 
   // verify vc type
-  const types = [].concat(vc.type);
-  if (!types.some((x) => vcTypes.includes(x))) {
-    throw new Error(messages.invalidCredentialType[locale](vcTypes));
+  if (![].concat(vc.type).some((x) => types.includes(x))) {
+    throw new Error(messages.invalidCredentialType[locale](types));
   }
 
   return {
     vc,
-    types,
+    types: [].concat(vc.type),
   };
 };
 
@@ -1046,12 +1062,14 @@ const setUserInfoHeaders = (req) => {
     req.headers['x-user-provider'] = req.user.provider || LOGIN_PROVIDER.WALLET;
     req.headers['x-connected-did'] = req.user.did;
     req.headers['x-user-wallet-os'] = req.user.walletOS || '';
+    req.headers['x-user-kyc'] = req.user.kyc || 0;
   } else {
     delete req.headers['x-user-did'];
     delete req.headers['x-user-fullname'];
     delete req.headers['x-user-role'];
     delete req.headers['x-user-provider'];
     delete req.headers['x-user-wallet-os'];
+    delete req.headers['x-user-kyc'];
 
     if (req.cookies && req.cookies.connected_did) {
       req.headers['x-connected-did'] = req.cookies.connected_did;
@@ -1135,6 +1153,163 @@ const verifyNFT = async ({ claims, challenge, chainHost, locale }) => {
   return state;
 };
 
+const beforeIssueKycRequest = async ({ node, teamDid, code, locale = 'en' }) => {
+  const blocklet = await node.getBlocklet({ did: teamDid });
+  if (!blocklet?.settings?.notification?.email?.enabled) {
+    throw new Error(
+      {
+        en: 'Email notification is not enabled',
+        zh: '邮箱通知未启用',
+      }[locale]
+    );
+  }
+
+  const doc = await node.getVerifyCode({ teamDid, code });
+  if (!doc || !doc.verified) {
+    throw new Error(
+      {
+        en: 'The verification code is not verified',
+        zh: '验证码未验证',
+      }[locale]
+    );
+  }
+};
+
+const handleIssueKycResponse = async ({
+  request = {},
+  node,
+  nodeInfo,
+  teamDid,
+  userDid,
+  userPk,
+  code,
+  locale = 'en',
+  claims,
+  statusEndpointBaseUrl,
+  endpoint,
+  updateKyc,
+  inviter,
+}) => {
+  const blocklet = await node.getBlocklet({ did: teamDid });
+  const profile = claims.find((x) => x.type === 'profile');
+  const doc = await node.getVerifyCode({ teamDid, code });
+
+  const user = await getUser(node, teamDid, userDid, { enableConnectedAccount: true });
+  if (user && !user.approved) {
+    throw new Error(
+      {
+        zh: '你没有权限访问该应用',
+        en: 'You are not allowed to access this app',
+      }[locale]
+    );
+  }
+
+  const {
+    name: issuerName,
+    wallet: issuerWallet,
+    dataDir,
+    passportColor,
+    logo,
+  } = await getApplicationInfo({ node, nodeInfo, teamDid, baseUrl: endpoint });
+
+  const ownerAvatar = getUserAvatarUrl(
+    endpoint,
+    await extractUserAvatar(profile.avatar, { dataDir }),
+    nodeInfo,
+    teamDid === nodeInfo.did
+  );
+
+  const vc = createKycVC({
+    issuerName,
+    issuerWallet,
+    issuerAvatarUrl: logo,
+    ownerDid: userDid,
+    kyc: {
+      scope: doc.scope,
+      subject: doc.subject,
+      digest: doc.digest,
+      specVersion: doc.specVersion,
+    },
+    endpoint: getPassportStatusEndpoint({
+      baseUrl: statusEndpointBaseUrl,
+      userDid,
+      teamDid,
+    }),
+    types: {
+      email: ['VerifiedEmailCredential'],
+      phone: ['VerifiedPhoneCredential'],
+    }[doc.scope],
+    ownerProfile: {
+      avatar: ownerAvatar,
+      fullName: profile.fullName,
+    },
+    preferredColor: passportColor,
+  });
+
+  // persist passport
+  const passport = createUserPassport(vc, { role: doc.scope });
+  logger.debug('issued kyc passport', passport);
+  const passports = upsertToPassports(user?.passports || [], passport);
+  if (user) {
+    const emailVerified = Boolean(updateKyc ? doc.scope === 'email' : user.emailVerified);
+    const phoneVerified = Boolean(updateKyc ? doc.scope === 'phone' : user.phoneVerified);
+    const newEmail = updateKyc && doc.scope === 'email' && emailVerified ? doc.subject : user.email;
+    const newPhone = updateKyc && doc.scope === 'phone' && phoneVerified ? doc.subject : user.phone;
+    await node.updateUser({
+      teamDid,
+      user: {
+        did: userDid,
+        pk: userPk,
+        email: newEmail,
+        phone: newPhone,
+        passports,
+        emailVerified,
+        phoneVerified,
+        kycChanged: emailVerified !== user.emailVerified || phoneVerified !== user.phoneVerified,
+      },
+    });
+    await node.createAuditLog(
+      {
+        action: 'issueKyc',
+        args: { teamDid, userDid, code, reason: 'claimed kyc' },
+        context: formatContext(Object.assign(request, { user })),
+        result: passport,
+      },
+      node
+    );
+  } else {
+    const emailVerified = doc.scope === 'email';
+    const phoneVerified = doc.scope === 'phone';
+    const newEmail = emailVerified ? doc.subject : '';
+    const newPhone = phoneVerified ? doc.subject : '';
+    await node.addUser({
+      teamDid,
+      user: {
+        did: userDid,
+        pk: userPk,
+        email: newEmail,
+        phone: newPhone,
+        emailVerified,
+        phoneVerified,
+        passports,
+        inviter,
+        approved: true,
+        ...profile,
+        avatar: await extractUserAvatar(get(profile, 'avatar'), {
+          dataDir: blocklet.env.dataDir,
+        }),
+      },
+    });
+    logger.info('issued kyc passport for new user', { userDid, teamDid });
+  }
+
+  return {
+    disposition: 'attachment',
+    type: 'VerifiableCredential',
+    data: vc,
+  };
+};
+
 /**
  * @typedef {Object} UserSessionRequstData
  * @property {string} teamDid
@@ -1172,5 +1347,7 @@ module.exports = {
   validatePassportStatus,
   setUserInfoHeaders,
   createBlockletControllerAuthToken,
+  beforeIssueKycRequest,
+  handleIssueKycResponse,
   TEAM_TYPE,
 };

package/lib/lost-passport.js

@@ -2,17 +2,18 @@ const path = require('path');
 const { joinURL } = require('ufo');
 const uniqBy = require('lodash/uniqBy');
 const uniq = require('lodash/uniq');
+const get = require('lodash/get');
+const isFunction = require('lodash/isFunction');
 const getBlockletInfo = require('@blocklet/meta/lib/info');
 const formatContext = require('@abtnode/util/lib/format-context');
 const getRandomMessage = require('@abtnode/util/lib/get-random-message');
 const getNodeWallet = require('@abtnode/util/lib/get-app-wallet');
 const { getDisplayName, getBlockletAppIdList } = require('@blocklet/meta/lib/util');
 const { VC_TYPE_NODE_PASSPORT, PASSPORT_STATUS, NODE_DATA_DIR_NAME } = require('@abtnode/constant');
-const get = require('lodash/get');
-const isFunction = require('lodash/isFunction');
 const { getUserAvatarUrl, getAppAvatarUrl, getServerAvatarUrl, extractUserAvatar } = require('@abtnode/util/lib/user');
 const getRequestIP = require('@abtnode/util/lib/get-request-ip');
 const { getWalletDid } = require('@blocklet/meta/lib/did-utils');
+const { Hasher } = require('@ocap/mcrypto');
 const { getSourceAppPid, getLoginProvider } = require('@blocklet/sdk/lib/util/login');
 const {
   getFederatedMaster,
@@ -28,6 +29,7 @@ const {
   upsertToPassports,
   createUserPassport,
   getRoleFromLocalPassport,
+  createKycVC,
 } = require('./passport');
 const verifySignature = require('./util/verify-signature');
 
@@ -183,7 +185,7 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
     },
     {
       signature: async ({ extraParams, context: { baseUrl, request, didwallet } }) => {
-        const { locale, passportName, receiverDid } = extraParams;
+        const { locale, passportId, receiverDid } = extraParams;
         checkWalletVersion({ didwallet, locale });
 
         const { teamDid, issuerDid, issuerName, issuerLogo, passportColor, info, dataDir } = await getApplicationInfo({
@@ -193,7 +195,13 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
           baseUrl,
         });
         const user = await getUser(node, teamDid, receiverDid, { enableConnectedAccount: true });
-        const passport = await createPassport({ name: passportName, node, teamDid, locale });
+        const oldPassport = await node.getPassportById({ teamDid, passportId });
+
+        let { title } = oldPassport;
+        if (oldPassport.scope === 'passport') {
+          const passport = await createPassport({ name: oldPassport.name, node, teamDid, locale });
+          title = passport.title;
+        }
 
         const avatar = await extractUserAvatar(user.avatar, { dataDir });
 
@@ -204,8 +212,10 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
           display: JSON.stringify({
             type: 'svg',
             content: createPassportSvg({
+              scope: oldPassport.scope,
+              role: oldPassport.role,
               issuer: issuerName,
-              title: passport.title,
+              title: oldPassport.scope === 'kyc' ? oldPassport.name : title,
               issuerDid,
               issuerAvatarUrl: issuerLogo,
               ownerDid: receiverDid,
@@ -220,10 +230,11 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
   ],
 
   onAuth: async ({ claims, userDid, userPk, extraParams, updateSession, baseUrl, req, request }) => {
-    const { locale = 'en', receiverDid, passportName } = extraParams;
+    const { locale = 'en', receiverDid, passportId } = extraParams;
 
     const { teamDid, issuerDidList, issuerName, issuerLogo, issuerWallet, passportColor, info, dataDir } =
       await getApplicationInfo({ node, req, type, baseUrl });
+    const oldPassport = await node.getPassportById({ teamDid, passportId });
     const statusEndpointBaseUrl = getStatusEndpointBaseUrl(type, baseUrl, authServicePrefix);
 
     // Verify signature
@@ -258,7 +269,7 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
     // check passport
     const exist = (user.passports || []).find(
       (x) =>
-        x.name === passportName &&
+        x.name === oldPassport.name &&
         x.status === PASSPORT_STATUS.VALID &&
         issuerDidList.includes(x.issuer.id) &&
         (!x.expirationDate || Date.now() > new Date(x.expirationDate).getTime())
@@ -275,37 +286,69 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
 
     const avatar = await extractUserAvatar(user.avatar, { dataDir });
 
-    const vcParams = {
-      issuerName,
-      issuerWallet,
-      issuerAvatarUrl: issuerLogo,
-      ownerDid: userDid,
-      passport: await createPassport({
-        name: passportName,
-        node,
-        teamDid,
-        locale,
-        endpoint: baseUrl,
-      }),
-      endpoint: getPassportStatusEndpoint({
-        baseUrl: statusEndpointBaseUrl,
-        userDid,
-        teamDid,
-      }),
-      types: [],
-      ownerProfile: { ...user, avatar: getUserAvatarUrl(baseUrl, avatar, info, info.did === teamDid) },
-      preferredColor: passportColor,
-    };
-
-    if (type === TEAM_TYPES.NODE) {
-      vcParams.types = [VC_TYPE_NODE_PASSPORT];
-      vcParams.tag = teamDid;
-    }
+    let vc;
+    let role;
+    let passport;
+
+    if (oldPassport.scope === 'passport') {
+      const vcParams = {
+        issuerName,
+        issuerWallet,
+        issuerAvatarUrl: issuerLogo,
+        ownerDid: userDid,
+        passport: await createPassport({
+          name: oldPassport.name,
+          node,
+          teamDid,
+          locale,
+          endpoint: baseUrl,
+        }),
+        endpoint: getPassportStatusEndpoint({
+          baseUrl: statusEndpointBaseUrl,
+          userDid,
+          teamDid,
+        }),
+        types: [],
+        ownerProfile: { ...user, avatar: getUserAvatarUrl(baseUrl, avatar, info, info.did === teamDid) },
+        preferredColor: passportColor,
+      };
 
-    const vc = createPassportVC(vcParams);
+      if (type === TEAM_TYPES.NODE) {
+        vcParams.types = [VC_TYPE_NODE_PASSPORT];
+        vcParams.tag = teamDid;
+      }
 
-    const role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
-    const passport = createUserPassport(vc, { role });
+      vc = createPassportVC(vcParams);
+      role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
+      passport = createUserPassport(vc, { role });
+    }
+    if (oldPassport.scope === 'kyc') {
+      vc = createKycVC({
+        issuerName,
+        issuerWallet,
+        issuerAvatarUrl: issuerLogo,
+        ownerDid: userDid,
+        kyc: {
+          scope: oldPassport.role,
+          subject: oldPassport.name,
+          digest: Hasher.SHA3.hash256(oldPassport.name),
+          specVersion: oldPassport.specVersion,
+        },
+        endpoint: getPassportStatusEndpoint({
+          baseUrl: statusEndpointBaseUrl,
+          userDid,
+          teamDid,
+        }),
+        types: {
+          email: ['VerifiedEmailCredential'],
+          phone: ['VerifiedPhoneCredential'],
+        }[oldPassport.role],
+        ownerProfile: { ...user, avatar: getUserAvatarUrl(baseUrl, avatar, info, info.did === teamDid) },
+        preferredColor: passportColor,
+      });
+      role = oldPassport.role;
+      passport = createUserPassport(vc, { role });
+    }
 
     const result = await node.updateUser({
       teamDid,
@@ -325,7 +368,7 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
       node
     );
 
-    if (isFunction(createToken)) {
+    if (oldPassport.scope === 'passport' && isFunction(createToken)) {
       if (type === TEAM_TYPES.BLOCKLET) {
         const lastLoginIp = getRequestIP(request);
         const walletDeviceMessageToken = request.get('wallet-device-message-token');

package/lib/passport.js

@@ -1,8 +1,9 @@
 /* eslint-disable max-len */
 
 const Joi = require('joi');
-const { joinURL } = require('ufo');
+const { joinURL, withQuery } = require('ufo');
 const pick = require('lodash/pick');
+const uniq = require('lodash/uniq');
 const { create: createVC } = require('@arcblock/vc');
 const {
   ROLES,
@@ -29,6 +30,27 @@ const validatePassport = (d) => {
   return value;
 };
 
+const kycSchema = Joi.object({
+  scope: Joi.string().valid('email', 'phone').required(),
+  subject: Joi.alternatives().conditional('scope', {
+    is: 'email',
+    then: Joi.string().email().required(),
+    otherwise: Joi.string()
+      .pattern(/^\+?[1-9]\d{1,14}$/)
+      .required(),
+  }),
+  digest: Joi.string().required().trim(),
+  specVersion: Joi.string().trim(),
+}).options({ stripUnknown: true });
+
+const validateKyc = (d) => {
+  const { value, error } = kycSchema.validate(d);
+  if (error) {
+    throw Array.isArray(error) ? error[0] : error;
+  }
+  return value;
+};
+
 const createPassport = async ({ name, node, locale = 'en', teamDid, endpoint, role: inputRole = null } = {}) => {
   const passportNotFound = {
     en: (x) => `The passport was not found: ${x}`,
@@ -86,6 +108,7 @@ const createPassportVC = ({
       display: {
         type: 'svg',
         content: createPassportSvg({
+          scope: 'passport',
           issuer: issuerName,
           issuerDid: issuerWallet.address,
           issuerAvatarUrl,
@@ -103,6 +126,48 @@ const createPassportVC = ({
   });
 };
 
+const createKycVC = ({
+  issuerWallet,
+  issuerName,
+  issuerAvatarUrl,
+  ownerDid,
+  kyc,
+  endpoint,
+  types = [],
+  ownerProfile,
+  preferredColor,
+} = {}) => {
+  validateKyc(kyc);
+
+  return createVC({
+    type: uniq(['KycCredential', 'VerifiableCredential', ...types].filter(Boolean)),
+    issuer: {
+      wallet: issuerWallet,
+      name: issuerName,
+    },
+    subject: {
+      id: ownerDid,
+      kyc,
+      display: {
+        type: 'svg',
+        content: createPassportSvg({
+          scope: 'kyc',
+          role: kyc.scope,
+          issuer: issuerName,
+          issuerDid: issuerWallet.address,
+          issuerAvatarUrl,
+          title: kyc.subject || { email: 'VerifiedEmailCredential', phone: 'VerifiedPhoneCredential' }[kyc.scope],
+          ownerDid,
+          ownerName: ownerProfile ? ownerProfile.fullName : '',
+          ownerAvatarUrl: ownerProfile ? ownerProfile.avatar : '',
+          preferredColor,
+        }),
+      },
+    },
+    endpoint,
+  });
+};
+
 /**
  * insert or update passport to passports
  */
@@ -173,15 +238,34 @@ const createUserPassport = (vc, { status = PASSPORT_STATUS.VALID, role = ROLES.G
   }
 
   const x = pick(vc, ['id', 'type', 'issuer', 'issuanceDate', 'expirationDate']);
-  Object.assign(x, vc.credentialSubject.passport);
   x.status = status;
   x.role = role;
 
+  if (['email', 'phone'].includes(role)) {
+    Object.assign(x, {
+      ...vc.credentialSubject.kyc,
+      title: { email: 'VerifiedEmailCredential', phone: 'VerifiedPhoneCredential' }[role],
+      name: vc.credentialSubject.kyc.subject,
+      scope: 'kyc',
+      role,
+    });
+  } else {
+    Object.assign(x, {
+      ...vc.credentialSubject.passport,
+      scope: 'passport',
+    });
+  }
+
   return x;
 };
 
-const getPassportClaimUrl = (baseUrl, prefix = '') =>
-  baseUrl ? joinURL(new URL(baseUrl).origin, prefix, WELLKNOWN_SERVICE_PATH_PREFIX, '/lost-passport') : '';
+const getPassportClaimUrl = (baseUrl, prefix = '', role = undefined) =>
+  baseUrl
+    ? withQuery(joinURL(new URL(baseUrl).origin, prefix, WELLKNOWN_SERVICE_PATH_PREFIX, '/lost-passport'), { role })
+    : '';
+
+const getKycAcquireUrl = (baseUrl, prefix = '', role = 'email') =>
+  baseUrl ? joinURL(new URL(baseUrl).origin, prefix, WELLKNOWN_SERVICE_PATH_PREFIX, `/kyc/${role}`) : '';
 
 module.exports = {
   validatePassport,
@@ -196,4 +280,8 @@ module.exports = {
   getRoleFromExternalPassport,
   createUserPassport,
   getPassportClaimUrl,
+  getKycAcquireUrl,
+  kycSchema,
+  createKycVC,
+  validateKyc,
 };

package/lib/server.js

@@ -137,7 +137,7 @@ const authenticateByVc = async ({
     claims,
     challenge,
     trustedIssuers,
-    vcTypes: BLOCKLET_SERVER_VC_TYPES,
+    types: BLOCKLET_SERVER_VC_TYPES,
     locale,
     vcId: blocklet?.controller?.vcId,
   });

package/lib/util/create-passport-svg.js

@@ -28,7 +28,7 @@ const getTextColor = (background) => {
  * @param {string} params.title passport title
  * @param {string} params.issuer issuer name
  * @param {string} params.issuerDid
- * @param {string} params.ownerName
+ * @param {string} [params.ownerName]
  * @param {string} params.ownerDid
  * @param {string} params.ownerAvatarUrl
  * @param {string} [params.preferredColor]
@@ -38,6 +38,9 @@ const getTextColor = (background) => {
  * @param {string} [params.issuerAvatarUrl]
  * @param {boolean} [params.revoked] 是否撤销
  * @param {boolean} [params.isDataUrl] 返回生成 data url
+ * @param {object} [params.extra]
+ * @param {string} [params.scope]
+ * @param {string} [params.role]
  * @returns {string} svg xml or image data url
  */
 const createPassportSvg = ({
@@ -53,6 +56,9 @@ const createPassportSvg = ({
   isDataUrl = false,
   width = '100%',
   height = '100%',
+  extra = null,
+  scope = 'passport',
+  role = '',
 }) => {
   const color = getPassportColor(preferredColor, issuerDid);
 
@@ -66,7 +72,7 @@ const createPassportSvg = ({
     color,
 
     did: ownerDid,
-    variant: 'app-passport' || ownerName,
+    variant: `app-${scope}`,
     verifiable: true,
 
     issuer: {
@@ -75,15 +81,11 @@ const createPassportSvg = ({
     },
 
     header: {
-      name: title,
+      name: scope === 'passport' ? title : ownerName,
       icon: ownerAvatarUrl,
     },
 
-    // FIXME: @wangshijun this should be dynamic
-    extra: {
-      key: 'Exp',
-      value: '2123-01-01',
-    },
+    extra: scope === 'kyc' ? { key: role, value: title } : extra || { key: 'Exp', value: '2123-01-01' },
   });
 
   if (isDataUrl) {

package/locales/ar.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'لا يُسمَح لك بتسجيل الدخول إلى هذا العُقدة',
   notAppOwner: 'أنت لست مالك هذا التطبيق',
   notSupported: 'هذا التطبيق غير مدعوم على هذا الخادم',
-  missingCredentialClaim: 'لم يتم توفير أوراق الاعتماد',
   missingBlockletCredentialClaim: 'لم يتم توفير بيانات اعتماد Blocklet',
   missingChallenge: 'عرض الاعتماد لا يتضمن تحدي صالح.',
   invalidCredentialHolder: 'حامل بيانات اعتماد غير صحيحة',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'لم يتم العثور على المشغّل من معلومات مشغّل الخادم',
   noNftDid: 'لم يتم العثور على NFT من معلومات مشغل الخادم',
   notAllowedAppUser: 'تم إلغاء وصولك إلى هذا التطبيق',
+  requestEmailKyc: 'يرجى تقديم شهادة بريد إلكتروني موثقة',
+  receiveEmailKyc: 'يرجى توقيع النص للحصول على شهادة بريد إلكتروني موثقة',
+  requestPhoneKyc: 'يرجى تقديم شهادة موثقة بالهاتف',
+  receivePhoneKyc: 'يرجى توقيع النص للحصول على شهادة هاتف موثقة',
+  missingPassport: 'الجواز غير مقدم',
+  missingEmailKyc: 'شهادة البريد الإلكتروني المتحققة غير متوفرة',
+  emailAlreadyUsed: 'البريد الإلكتروني مستخدم بالفعل',
+  emailMismatch: 'عدم تطابق البريد الإلكتروني بين الملف الشخصي والشهادة الموثقة',
+  missingPhoneKyc: 'الشهادة الموثقة بالهاتف غير متوفرة',
+  phoneAlreadyUsed: 'تم استخدام الهاتف بالفعل',
+  phoneMismatch: 'عدم تطابق الهاتف بين الملف الشخصي والشهادة الموثقة',
 };

package/locales/de.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'Sie dürfen sich nicht bei diesem Knotenpunkt anmelden',
   notAppOwner: 'Sie sind nicht der Besitzer dieser Anwendung',
   notSupported: 'Diese Anwendung wird auf diesem Server nicht unterstützt',
-  missingCredentialClaim: 'Anmeldedaten werden nicht bereitgestellt',
   missingBlockletCredentialClaim: 'Blocklet-Credential wird nicht bereitgestellt',
   missingChallenge: 'Die Vorlage von Referenzen beinhaltet keine gültige Herausforderung.',
   invalidCredentialHolder: 'Ungültiger Berechtigungsinhaber',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'Launcher wurde nicht von der Server Launcher Info gefunden',
   noNftDid: 'NFT wurde in den Server-Launcher-Informationen nicht gefunden',
   notAllowedAppUser: 'Ihr Zugriff auf diese App wurde widerrufen',
+  requestEmailKyc: 'Bitte geben Sie ein verifiziertes E-Mail-Zertifikat an',
+  receiveEmailKyc: 'Bitte unterschreiben Sie den Text, um ein verifiziertes E-Mail-Zertifikat zu erhalten',
+  requestPhoneKyc: 'Bitte geben Sie ein telefonisch verifiziertes Zertifikat an',
+  receivePhoneKyc: 'Bitte unterschreiben Sie den Text, um ein verifiziertes Telefonzertifikat zu erhalten',
+  missingPassport: 'Pass ist nicht vorhanden',
+  missingEmailKyc: 'Verifiziertes E-Mail-Zertifikat wird nicht bereitgestellt',
+  emailAlreadyUsed: 'E-Mail bereits verwendet',
+  emailMismatch: 'E-Mail-Unstimmigkeit zwischen Profil und verifiziertem Zertifikat',
+  missingPhoneKyc: 'Telefonverifiziertes Zertifikat wird nicht bereitgestellt',
+  phoneAlreadyUsed: 'Telefon bereits verwendet',
+  phoneMismatch: 'Telefonabweichung zwischen Profil und verifiziertem Zertifikat',
 };

package/locales/en.js

@@ -9,6 +9,10 @@ module.exports = {
   requestOwnerPassport: 'Please provide owner passport',
   requestBlockletNft: 'Please provide Blocklet Purchase NFT',
   receivePassport: 'Please sign the text to get passport',
+  requestEmailKyc: 'Please provide verified email certificate',
+  receiveEmailKyc: 'Please sign the text to get verified email certificate',
+  requestPhoneKyc: 'Please provide phone verified certificate',
+  receivePhoneKyc: 'Please sign the text to get verified phone certificate',
   actionForbidden: 'You are not allowed perform this action',
   notInitialized: 'This node is not initialized, login is disabled',
   appNotInitialized: 'This application is not initialized',
@@ -17,7 +21,13 @@ module.exports = {
   notAllowedAppUser: 'You access to this app has been revoked',
   notAppOwner: 'You are not the owner of this application',
   notSupported: 'This application is not supported on this server',
-  missingCredentialClaim: 'Credential is not provided',
+  missingPassport: 'Passport is not provided',
+  missingEmailKyc: 'Verified email certificate is not provided',
+  emailAlreadyUsed: 'Email already used',
+  emailMismatch: 'Email mismatch between profile and verified certificate',
+  missingPhoneKyc: 'Phone verified certificate is not provided',
+  phoneAlreadyUsed: 'Phone already used',
+  phoneMismatch: 'Phone mismatch between profile and verified certificate',
   missingBlockletCredentialClaim: 'Blocklet credential is not provided',
   missingChallenge: 'Credential presentation does not include valid challenge',
   invalidCredentialHolder: 'Invalid credential holder',

package/locales/es.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'No tienes permitido iniciar sesión en este nodo',
   notAppOwner: 'No eres el propietario de esta aplicación',
   notSupported: 'Esta aplicación no es compatible en este servidor',
-  missingCredentialClaim: 'Credencial no proporcionada',
   missingBlockletCredentialClaim: 'El credencial de Blocklet no se proporciona',
   missingChallenge: 'La presentación de credenciales no incluye un desafío válido',
   invalidCredentialHolder: 'Credencial inválida',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'El lanzador NO fue encontrado en la información del lanzador del servidor',
   noNftDid: 'NFT DID no encontrada en el lanzador del servidor',
   notAllowedAppUser: 'El acceso a esta aplicación ha sido revocado',
+  requestEmailKyc: 'Proporcione un certificado de correo electrónico verificado',
+  receiveEmailKyc: 'Por favor firmar el texto para obtener un certificado de correo electrónico verificado',
+  requestPhoneKyc: 'Proporcione un certificado verificado por teléfono',
+  receivePhoneKyc: 'Por favor firma el texto para obtener el certificado de teléfono verificado',
+  missingPassport: 'Pasaporte no proporcionado',
+  missingEmailKyc: 'Certificado de correo electrónico verificado no proporcionado',
+  emailAlreadyUsed: 'Correo electrónico ya utilizado',
+  emailMismatch: 'Email no coincide entre el perfil y el certificado verificado',
+  missingPhoneKyc: 'Certificado verificado por teléfono no proporcionado',
+  phoneAlreadyUsed: 'Teléfono ya utilizado',
+  phoneMismatch: 'Desajuste telefónico entre el perfil y el certificado verificado',
 };

package/locales/fr.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: "Vous n'êtes pas autorisé à vous connecter à ce nœud",
   notAppOwner: "Vous n'êtes pas le propriétaire de cette application",
   notSupported: "Cette application n'est pas prise en charge sur ce serveur",
-  missingCredentialClaim: "Les informations d'identification ne sont pas fournies",
   missingBlockletCredentialClaim: "L'identifiant du blocklet n'est pas fourni",
   missingChallenge: 'La présentation des références ne comprend pas de défi valide.',
   invalidCredentialHolder: 'Détenteur de référence invalide',
@@ -69,4 +68,15 @@ module.exports = {
   noLauncherDid: "Launcher n'a pas été trouvé depuis les informations du serveur Launcher",
   noNftDid: 'Aucun NFT trouvé dans les informations du lanceur de serveur',
   notAllowedAppUser: 'Votre accès à cette application a été révoqué',
+  requestEmailKyc: "Veuillez fournir un certificat d'e-mail vérifié",
+  receiveEmailKyc: 'Veuillez signer le texte pour obtenir un certificat e-mail vérifié',
+  requestPhoneKyc: 'Veuillez fournir un certificat vérifié par téléphone',
+  receivePhoneKyc: 'Veuillez signer le texte pour obtenir un certificat de téléphone vérifié',
+  missingPassport: "Le passeport n'est pas fourni",
+  missingEmailKyc: "Certificat d'e-mail vérifié n'est pas fourni",
+  emailAlreadyUsed: 'Email déjà utilisé',
+  emailMismatch: "Incompatibilité d'e-mail entre le profil et le certificat vérifié",
+  missingPhoneKyc: "Certificat vérifié par téléphone n'est pas fourni",
+  phoneAlreadyUsed: 'Téléphone déjà utilisé',
+  phoneMismatch: 'Incompatibilité des téléphones entre le profil et le certificat vérifié',
 };

package/locales/hi.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'आपको इस नोड में लॉगिन करने की अनुमति नहीं है',
   notAppOwner: 'आप इस ऐप्लिकेशन के मालिक नहीं हैं',
   notSupported: 'इस सर्वर पर यह एप्लिकेशन समर्थित नहीं है',
-  missingCredentialClaim: 'प्रमाणपत्र उपलब्ध नहीं है',
   missingBlockletCredentialClaim: 'ब्लॉकलेट प्रमाणपत्र उपलब्ध नहीं है',
   missingChallenge: 'प्रमाण प्रस्तुति में वैध चुनौती शामिल नहीं है।',
   invalidCredentialHolder: 'अमान्य प्रमाण प्राथमिकताधारी',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'Launcher सर्वर लॉन्चर जानकारी से नहीं मिला',
   noNftDid: 'NFT सर्वर लॉन्चर जानकारी से नहीं मिला',
   notAllowedAppUser: 'आपके पास इस ऐप का पहुंच रद्द कर दी गई है',
+  requestEmailKyc: 'कृपया सत्यापित ईमेल प्रमाणपत्र प्रदान करें',
+  receiveEmailKyc: 'कृपया पाठ पर हस्ताक्षर करें ताकि पुष्टिकृत ईमेल प्रमाणपत्र प्राप्त करें',
+  requestPhoneKyc: 'कृपया फ़ोन सत्यापित प्रमाणपत्र प्रदान करें',
+  receivePhoneKyc: 'कृपया पाठ पर हस्ताक्षर करें ताकि पुष्टि किया जा सके फोन प्रमाणपत्र',
+  missingPassport: 'पासपोर्ट नहीं है',
+  missingEmailKyc: 'सत्यापित ईमेल प्रमाणपत्र उपलब्ध नहीं है',
+  emailAlreadyUsed: 'ईमेल पहले से उपयोग किया गया है',
+  emailMismatch: 'प्रोफ़ाइल और सत्यापित प्रमाणपत्र के बीच ईमेल असंगति',
+  missingPhoneKyc: 'फोन सत्यापित प्रमाणपत्र प्रदान नहीं किया जाता है',
+  phoneAlreadyUsed: 'फ़ोन पहले से उपयोग किया गया है',
+  phoneMismatch: 'प्रोफ़ाइल और सत्यापित प्रमाणपत्र के बीच फ़ोन असंगति',
 };

package/locales/id.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'Anda tidak diizinkan untuk login ke simpul ini',
   notAppOwner: 'Anda bukan pemilik aplikasi ini',
   notSupported: 'Aplikasi ini tidak didukung di server ini',
-  missingCredentialClaim: 'Kredensial tidak disediakan',
   missingBlockletCredentialClaim: 'Kredensial Blocklet tidak disediakan',
   missingChallenge: 'Penyajian kredensial tidak mencakup tantangan valid',
   invalidCredentialHolder: 'Pemegang kredensial tidak valid',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'Launcher TIDAK ditemukan dari info launcher server',
   noNftDid: 'NFT DID tidak ditemukan dari info peluncur server',
   notAllowedAppUser: 'Akses Anda ke aplikasi ini telah dicabut',
+  requestEmailKyc: 'Harap berikan sertifikat email yang terverifikasi',
+  receiveEmailKyc: 'Silakan tandatangani teks untuk mendapatkan sertifikat email yang diverifikasi',
+  requestPhoneKyc: 'Silakan berikan sertifikat yang diverifikasi telepon',
+  receivePhoneKyc: 'Tolong tandatangani teks untuk mendapatkan sertifikat telepon yang terverifikasi',
+  missingPassport: 'Paspor tidak disediakan',
+  missingEmailKyc: 'Sertifikat email yang diverifikasi tidak disediakan',
+  emailAlreadyUsed: 'Email sudah digunakan',
+  emailMismatch: 'Kesalahan pemasangan email antara profil dan sertifikat terverifikasi',
+  missingPhoneKyc: 'Sertifikat yang diverifikasi oleh telepon tidak disediakan',
+  phoneAlreadyUsed: 'Telepon sudah digunakan',
+  phoneMismatch: 'Kesalahan nomor telepon antara profil dan sertifikat terverifikasi',
 };

package/locales/ja.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'このノードへのログインは許可されていません',
   notAppOwner: 'あなたはこのアプリケーションの所有者ではありません',
   notSupported: 'このアプリケーションはこのサーバーではサポートされていません',
-  missingCredentialClaim: '認証情報が提供されていません',
   missingBlockletCredentialClaim: 'Blockletのクレデンシャルが提供されていません',
   missingChallenge: '証明書の提示には有効なチャレンジが含まれていません',
   invalidCredentialHolder: '無効な資格証',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'ランチャーがサーバーランチャー情報から見つかりませんでした',
   noNftDid: 'NFT DID がサーバーランチャー情報から見つかりませんでした',
   notAllowedAppUser: 'このアプリへのアクセスが取り消されました',
+  requestEmailKyc: '検証済みの電子メール証明書を提供してください',
+  receiveEmailKyc: '検証された電子メール証明書を取得するためにテキストにサインしてください',
+  requestPhoneKyc: '電話で確認された証明書を提供してください',
+  receivePhoneKyc: '携帯電話の証明書を受け取るためにテキストにサインしてください',
+  missingPassport: 'パスポートが提供されていません',
+  missingEmailKyc: '検証された電子メール証明書が提供されていません',
+  emailAlreadyUsed: 'メールアドレスはすでに使用されています',
+  emailMismatch: 'プロフィールと検証済み証明書の電子メールが一致しません',
+  missingPhoneKyc: '電話で確認された証明書は提供されていません',
+  phoneAlreadyUsed: '電話はすでに使用されています',
+  phoneMismatch: 'プロフィールと検証済証明書の間での電話不一致',
 };

package/locales/ko.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: '이 노드에 로그인할 수 없습니다',
   notAppOwner: '이 응용 프로그램의 소유자가 아닙니다',
   notSupported: '이 응용 프로그램은이 서버에서 지원되지 않습니다',
-  missingCredentialClaim: '자격증명이 제공되지 않았습니다',
   missingBlockletCredentialClaim: '블록렛 자격 증명서가 제공되지 않았습니다',
   missingChallenge: '자격 증명 프레젠테이션에 유효한 도전이 포함되지 않습니다',
   invalidCredentialHolder: '잘못된 자격 증명 보유자',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: '서버 런처 정보에서 런처를 찾지 못했습니다',
   noNftDid: '서버 런처 정보에서 NFT DID를 찾지 못했습니다',
   notAllowedAppUser: '이 앱에 대한 액세스가 취소되었습니다',
+  requestEmailKyc: '인증된 이메일 인증서를 제공해주세요',
+  receiveEmailKyc: '인증된 이메일 인증서를 받기 위해 텍스트에 서명해주세요',
+  requestPhoneKyc: '전화 인증된 인증서를 제공해주세요',
+  receivePhoneKyc: '휴대폰 인증서를 받으려면 텍스트에 서명해주세요',
+  missingPassport: '여권이 제공되지 않았습니다',
+  missingEmailKyc: '인증된 이메일 인증서가 제공되지 않았습니다',
+  emailAlreadyUsed: '이미 사용된 이메일입니다',
+  emailMismatch: '프로필과 검증된 인증서 간의 이메일 불일치',
+  missingPhoneKyc: '전화 인증 된 인증서가 제공되지 않았습니다',
+  phoneAlreadyUsed: '이미 사용된 전화번호',
+  phoneMismatch: '프로필과 확인된 인증서 사이의 전화번호 불일치',
 };

package/locales/pt.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'Você não está autorizado a fazer login neste nó',
   notAppOwner: 'Você não é o proprietário desta aplicação',
   notSupported: 'Esta aplicação não é suportada neste servidor',
-  missingCredentialClaim: 'Credencial não fornecida',
   missingBlockletCredentialClaim: 'A credencial do Blocklet não é fornecida',
   missingChallenge: 'A apresentação de credenciais não inclui um desafio válido',
   invalidCredentialHolder: 'Titular de credencial inválido',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'Launcher NÃO foi encontrado nas informações do Launcher do servidor',
   noNftDid: 'NFT DID não encontrado nas informações do iniciador do servidor',
   notAllowedAppUser: 'O seu acesso a este aplicativo foi revogado',
+  requestEmailKyc: 'Por favor, forneça certificado de e-mail verificado',
+  receiveEmailKyc: 'Por favor, assine o texto para obter um certificado de e-mail verificado',
+  requestPhoneKyc: 'Por favor, forneça certificado verificado por telefone',
+  receivePhoneKyc: 'Por favor, assine o texto para obter o certificado de telefone verificado',
+  missingPassport: 'Passaporte não fornecido',
+  missingEmailKyc: 'Certificado de e-mail verificado não é fornecido',
+  emailAlreadyUsed: 'Email já utilizado',
+  emailMismatch: 'Discrepância de e-mail entre o perfil e o certificado verificado',
+  missingPhoneKyc: 'Certificado verificado por telefone não fornecido',
+  phoneAlreadyUsed: 'Telefone já utilizado',
+  phoneMismatch: 'Discrepância de telefone entre o perfil e o certificado verificado',
 };

package/locales/ru.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'Вам запрещено входить в этот узел',
   notAppOwner: 'Вы не являетесь владельцем данного приложения',
   notSupported: 'Это приложение не поддерживается на этом сервере',
-  missingCredentialClaim: 'Учетные данные не предоставлены',
   missingBlockletCredentialClaim: 'Учетные данные блоклета не предоставлены',
   missingChallenge: 'Представление учетных данных не включает в себя действительное испытание.',
   invalidCredentialHolder: 'Недействительный держатель учетных данных',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'Laucnher не был найден в информации о запуске сервера',
   noNftDid: 'NFT не найден в информации о запускающем сервере',
   notAllowedAppUser: 'Ваш доступ к этому приложению отозван',
+  requestEmailKyc: 'Пожалуйста, предоставьте проверенный сертификат электронной почты',
+  receiveEmailKyc: 'Пожалуйста, подпишите текст, чтобы получить подтвержденное электронное письмо',
+  requestPhoneKyc: 'Пожалуйста, предоставьте телефонно проверенный сертификат',
+  receivePhoneKyc: 'Пожалуйста, подпишите текст, чтобы получить проверенное телефонное удостоверение',
+  missingPassport: 'Паспорт не предоставлен',
+  missingEmailKyc: 'Проверенный электронный сертификат не предоставляется',
+  emailAlreadyUsed: 'Электронная почта уже использовалась',
+  emailMismatch: 'Несоответствие электронной почты между профилем и проверенным сертификатом',
+  missingPhoneKyc: 'Телефонное подтверждение сертификата не предоставляется',
+  phoneAlreadyUsed: 'Телефон уже использовался',
+  phoneMismatch: 'Несоответствие телефона между профилем и подтвержденным сертификатом',
 };

package/locales/th.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'คุณไม่ได้รับอนุญาตให้เข้าสู่ระบบนี้',
   notAppOwner: 'คุณไม่ใช่เจ้าของแอปพลิเคชันนี้',
   notSupported: 'แอปพลิเคชันนี้ไม่รองรับบนเซิร์ฟเวอร์นี้',
-  missingCredentialClaim: 'ไม่ได้ระบุข้อมูลประจำตัว',
   missingBlockletCredentialClaim: 'ไม่ได้รับสรรพากร Blocklet',
   missingChallenge: 'การนำเสนอข้อมูลประจำตัวไม่รวมถึงความท้าทายที่ถูกต้อง',
   invalidCredentialHolder: 'ผู้ถือข้อมูลประจักษ์ไม่ถูกต้อง',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'Launcher หาไม่พบจากข้อมูล launcher ของ server',
   noNftDid: 'ไม่พบ NFT DID จากข้อมูลตัวเปิดใช้เซิร์ฟเวอร์',
   notAllowedAppUser: 'การเข้าถึงแอปนี้ของคุณถูกยกเลิกแล้ว',
+  requestEmailKyc: 'โปรดให้ใบรับรองอีเมลที่ตรวจสอบแล้ว',
+  receiveEmailKyc: 'โปรดเซ็นเอกสารเพื่อรับใบรับรองอีเมลที่ตรวจสอบแล้ว',
+  requestPhoneKyc: 'โปรดให้ใบรับรองที่ยืนยันโทรศัพท์',
+  receivePhoneKyc: 'โปรดเซ็นข้อความเพื่อรับใบร่างในโทรศัพท์ที่ได้รับการตรวจสอบ',
+  missingPassport: 'ไม่มีหนังสือเดินทาง',
+  missingEmailKyc: 'ไม่มีใบรับรองอีเมลที่ตรวจสอบ',
+  emailAlreadyUsed: 'อีเมลถูกใช้แล้ว',
+  emailMismatch: 'อีเมลที่ไม่สอดคล้องกันระหว่างโปรไฟล์และใบรับรองที่ตรวจสอบแล้ว',
+  missingPhoneKyc: 'ไม่มีใบรับรองที่ได้รับการยืนยันทางโทรศัพท์',
+  phoneAlreadyUsed: 'โทรศัพท์ถูกใช้แล้ว',
+  phoneMismatch: 'หมายเลขโทรศัพท์ไม่ตรงกันระหว่างโปรไฟล์และใบรับรองที่ตรวจสอบ',
 };

package/locales/vi.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: 'Bạn không được phép đăng nhập vào nút này',
   notAppOwner: 'Bạn không phải chủ sở hữu của ứng dụng này',
   notSupported: 'Ứng dụng này không được hỗ trợ trên máy chủ này',
-  missingCredentialClaim: 'Mã đăng nhập không được cung cấp',
   missingBlockletCredentialClaim: 'Không cung cấp chứng chỉ Blocklet',
   missingChallenge: 'Trình bày phẩm chứng không bao gồm thách thức hợp lệ',
   invalidCredentialHolder: 'Người sở hữu thông tin đăng nhập không hợp lệ',
@@ -68,4 +67,15 @@ module.exports = {
   noLauncherDid: 'Launcher KHÔNG tìm thấy từ thông tin launcher của máy chủ',
   noNftDid: 'NFT DID không tìm thấy từ thông tin trình khởi chạy máy chủ',
   notAllowedAppUser: 'Quyền truy cập của bạn vào ứng dụng này đã bị thu hồi',
+  requestEmailKyc: 'Vui lòng cung cấp chứng chỉ email đã xác minh',
+  receiveEmailKyc: 'Vui lòng ký văn bản để nhận chứng chỉ email được xác minh',
+  requestPhoneKyc: 'Vui lòng cung cấp chứng chỉ đã xác minh điện thoại',
+  receivePhoneKyc: 'Vui lòng ký vào văn bản để nhận chứng chỉ điện thoại được xác minh',
+  missingPassport: 'Không cung cấp hộ chiếu',
+  missingEmailKyc: 'Chứng chỉ email đã xác minh không được cung cấp',
+  emailAlreadyUsed: 'Email đã được sử dụng',
+  emailMismatch: 'Mã nguồn email giữa hồ sơ và chứng chỉ đã xác minh',
+  missingPhoneKyc: 'Chứng chỉ đã xác minh qua điện thoại không được cung cấp',
+  phoneAlreadyUsed: 'Điện thoại đã được sử dụng',
+  phoneMismatch: 'Không khớp số điện thoại giữa hồ sơ và chứng chỉ đã xác minh',
 };

package/locales/zh-tw.js

@@ -15,7 +15,6 @@ module.exports = {
   notAllowed: '您無權登錄此節點',
   notAppOwner: '你不是這個應用的所有者',
   notSupported: '此應用程式在此伺服器上不受支援',
-  missingCredentialClaim: '未提供憑證',
   missingBlockletCredentialClaim: '未提供Blocklet憑證',
   missingChallenge: '憑證演示不包括有效的挑戰',
   invalidCredentialHolder: '憑證持有者無效',
@@ -66,4 +65,15 @@ module.exports = {
   noLauncherDid: '從伺服器啟動器資訊中沒有發現啟動器',
   noNftDid: 'NFT DID 沒有在伺服器啟動程式資訊中找到',
   notAllowedAppUser: '您對此應用的訪問權限已被撤銷',
+  requestEmailKyc: '請提供經過驗證的電子郵件證書',
+  receiveEmailKyc: '請簽署文字以獲得驗證電子郵件證書',
+  requestPhoneKyc: '請提供電話驗證的憑證',
+  receivePhoneKyc: '請簽署文字以獲得驗證電話證書',
+  missingPassport: '護照未提供',
+  missingEmailKyc: '未提供驗證電子郵件證書',
+  emailAlreadyUsed: '電子郵件已被使用',
+  emailMismatch: '個人檔案和已驗證證書之間的電子郵件不匹配',
+  missingPhoneKyc: '未提供電話驗證的證書',
+  phoneAlreadyUsed: '電話已經使用',
+  phoneMismatch: '個人檔案和已驗證憑證之間的電話不匹配',
 };

package/locales/zh.js

@@ -16,7 +16,6 @@ module.exports = {
   notAllowed: '你没有权限登录该节点',
   notAppOwner: '你不是该应用的所有者',
   notSupported: '此应用不支持在当前节点安装',
-  missingCredentialClaim: '请提供凭证',
   missingBlockletCredentialClaim: '请提供 Blocklet 凭证',
   missingChallenge: '凭证中缺少正确的随机因子',
   invalidCredentialHolder: '无效的凭证持有者',
@@ -66,4 +65,15 @@ module.exports = {
   noLauncherDid: '从服务器启动器信息中没有发现启动器',
   noNftDid: 'NFT DID 没有在服务器启动程序信息中找到',
   notAllowedAppUser: '您对此应用的访问权限已被撤销',
+  requestEmailKyc: '请提供经过验证的电子邮件证书',
+  receiveEmailKyc: '请签署文字以获得验证电子邮件证书',
+  requestPhoneKyc: '请提供电话验证的证书',
+  receivePhoneKyc: '请签署文字以获得验证电话证书',
+  missingPassport: '护照未提供',
+  missingEmailKyc: '未提供验证电子邮件证书',
+  emailAlreadyUsed: '电子邮件已被使用',
+  emailMismatch: '个人资料和已验证证书之间的电子邮件不匹配',
+  missingPhoneKyc: '未提供电话验证的证书',
+  phoneAlreadyUsed: '电话已经使用',
+  phoneMismatch: '个人资料和已验证证书之间的电话不匹配',
 };

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.32-beta-4d47ae7f",
+  "version": "1.16.32-beta-0593a408",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,17 +20,17 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.16.32-beta-4d47ae7f",
-    "@abtnode/logger": "1.16.32-beta-4d47ae7f",
-    "@abtnode/util": "1.16.32-beta-4d47ae7f",
+    "@abtnode/constant": "1.16.32-beta-0593a408",
+    "@abtnode/logger": "1.16.32-beta-0593a408",
+    "@abtnode/util": "1.16.32-beta-0593a408",
     "@arcblock/did": "1.18.135",
     "@arcblock/jwt": "^1.18.135",
-    "@arcblock/nft-display": "^2.10.30",
+    "@arcblock/nft-display": "^2.10.32",
     "@arcblock/validator": "^1.18.135",
     "@arcblock/vc": "1.18.135",
-    "@blocklet/constant": "1.16.32-beta-4d47ae7f",
-    "@blocklet/meta": "1.16.32-beta-4d47ae7f",
-    "@blocklet/sdk": "1.16.32-beta-4d47ae7f",
+    "@blocklet/constant": "1.16.32-beta-0593a408",
+    "@blocklet/meta": "1.16.32-beta-0593a408",
+    "@blocklet/sdk": "1.16.32-beta-0593a408",
     "@ocap/client": "^1.18.135",
     "@ocap/mcrypto": "1.18.135",
     "@ocap/util": "1.18.135",
@@ -50,5 +50,5 @@
   "devDependencies": {
     "jest": "^29.7.0"
   },
-  "gitHead": "740b8032aa02e19b888bf6a257840089696613ef"
+  "gitHead": "5cca981049ad04018d8d361d9cdd33748f47d7d7"
 }

package/lib/auth.test.js

@@ -1,27 +0,0 @@
-const { messages } = require('./auth');
-
-const funcKeys = {
-  invalidCredentialType: 1,
-  invalidCredentialId: 1,
-  passportRevoked: 1,
-  passportStatusCheckFailed: 1,
-};
-
-describe('auth messages has key', () => {
-  const keys = Object.keys(messages);
-  // ensure all keys have values
-  test('auth messages has key', () => {
-    keys.forEach((key) => {
-      const localMap = messages[key];
-      expect(localMap).toBeDefined();
-      ['en', 'zh', 'ja'].forEach((language) => {
-        if (funcKeys[key]) {
-          expect(typeof localMap[language]).toEqual('function');
-        } else {
-          expect(typeof localMap[language]).toEqual('string');
-          expect(localMap[language].length > 0).toBeTruthy();
-        }
-      });
-    });
-  });
-});