@abtnode/auth 1.16.42 → 1.16.43-beta-20250419-231352-c78ac93d

package/lib/lost-passport.js

@@ -9,6 +9,7 @@ const formatContext = require('@abtnode/util/lib/format-context');
 const getRandomMessage = require('@abtnode/util/lib/get-random-message');
 const getNodeWallet = require('@abtnode/util/lib/get-app-wallet');
 const CustomError = require('@abtnode/util/lib/custom-error');
+const getOrigin = require('@abtnode/util/lib/get-origin');
 const { getActivePassports } = require('@abtnode/util/lib/passport');
 const { getDisplayName, getBlockletAppIdList } = require('@blocklet/meta/lib/util');
 const {
@@ -433,6 +434,8 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
             walletOS,
             device: deviceData,
           },
+          locale,
+          origin: await getOrigin({ req }),
         });
 
         if (shouldSyncFederated(sourceAppPid, blocklet)) {

package/lib/oauth.js

@@ -6,6 +6,7 @@ const { ROLES } = require('@abtnode/constant');
 const formatContext = require('@abtnode/util/lib/format-context');
 const { getBlockletAppIdList } = require('@blocklet/meta/lib/util');
 const { LOGIN_PROVIDER } = require('@blocklet/constant');
+const getOrigin = require('@abtnode/util/lib/get-origin');
 
 const { getApplicationInfo } = require('./auth');
 
@@ -79,8 +80,9 @@ function createPassportSwitcher(node, createToken, mode = 'server') {
 
     const { passportId } = req.body;
     const userDid = req.user.did;
-    const teamDid = mode === 'server' ? info.did : req.getBlockletDid();
-    const secret = mode === 'server' ? await node.getSessionSecret() : (await req.getBlockletInfo()).secret;
+    const isServer = mode === 'server';
+    const teamDid = isServer ? info.did : req.getBlockletDid();
+    const secret = isServer ? await node.getSessionSecret() : (await req.getBlockletInfo()).secret;
 
     // NOTICE: 这里获取的 did 是当前登录用户的永久 did，无需查询 connectedAccount
     const user = await node.getUser({ teamDid, user: { did: userDid } });
@@ -91,15 +93,19 @@ function createPassportSwitcher(node, createToken, mode = 'server') {
       ? passports.find((item) => item.id === passportId)
       : { name: 'Guest', role: 'guest', scope: 'passport' };
 
-    // 需要更新用户会话中记录的 passportId
-    await node.upsertUserSession({
-      teamDid,
-      userDid: user.did,
-      visitorId,
-      appPid: teamDid,
-      passportId: passport?.id ?? null,
-      status: 'online',
-    });
+    if (!isServer) {
+      // 需要更新用户会话中记录的 passportId
+      await node.upsertUserSession({
+        teamDid,
+        userDid: user.did,
+        visitorId,
+        appPid: teamDid,
+        passportId: passport?.id ?? null,
+        status: 'online',
+        locale: req.blockletLocale,
+        origin: await getOrigin({ req }),
+      });
+    }
 
     await node.createAuditLog(
       {

package/lib/passkey.js

@@ -17,11 +17,13 @@ const {
   verifyRegistrationResponse,
 } = require('@simplewebauthn/server');
 const { updateConnectedAccount, getAvatarByEmail, extractUserAvatar } = require('@abtnode/util/lib/user');
+const getOrigin = require('@abtnode/util/lib/get-origin');
 
 const { getApplicationInfo, handleInvitationReceive, canSessionBeElevated } = require('./auth');
 const { validateVerifyDestroyRequest } = require('./server');
 const { getLastUsedPassport } = require('./passport');
 const { getSessionConfig, checkInvitedUserOnly } = require('./oauth');
+const { findFederatedSite, getUserAvatarUrl } = require('./util/federated');
 
 const PASSKEY_TIMEOUT = 60000;
 const PASSKEY_ACTIONS = {
@@ -43,7 +45,7 @@ const shouldVerifyUser = (action) =>
 
 const isRegisterAction = (action) => ['register', 'connect-owner'].includes(action);
 
-const getOrigin = (req) => req.get('host').split(':')[0];
+const getDomain = (req) => req.get('host').split(':')[0];
 const emailSchema = Joi.string().email().required();
 const tryDecodeEmail = (encoded) => {
   try {
@@ -78,6 +80,16 @@ const formatBuffersToBase64 = (obj) => {
   return obj;
 };
 
+const getTrustOrigins = ({ blocklet, req }) => {
+  const result = [`https://${getDomain(req)}`];
+  if (blocklet) {
+    const trustOrigins = blocklet.configObj?.TRUST_ORIGINS;
+    if (trustOrigins) result.push(...trustOrigins.split(','));
+  }
+
+  return result;
+};
+
 function createPasskeyHandlers(node, mode, createToken) {
   const ensurePasskeySession = async (req, res, next) => {
     const { challenge } = req.query;
@@ -204,7 +216,7 @@ function createPasskeyHandlers(node, mode, createToken) {
         data: {
           ...req.query,
           user: user?.did,
-          origin: getOrigin(req),
+          origin: getDomain(req),
           email,
           userName,
         },
@@ -225,7 +237,7 @@ function createPasskeyHandlers(node, mode, createToken) {
     });
 
     const options = {
-      rpID: getOrigin(req),
+      rpID: getDomain(req),
       rpName: info.name,
       userID: toBuffer(userID),
       userName,
@@ -275,8 +287,8 @@ function createPasskeyHandlers(node, mode, createToken) {
       const { verified, registrationInfo } = await verifyRegistrationResponse({
         response: body,
         expectedChallenge: toBase64(req.passkeySession.challenge),
-        expectedOrigin: `https://${getOrigin(req)}`,
-        expectedRPID: getOrigin(req),
+        expectedOrigin: getTrustOrigins({ blocklet: req.blocklet, req }),
+        expectedRPID: getDomain(req),
         requireUserVerification: shouldVerifyUser(action),
       });
       logger.info('passkey.register.verified', { teamDid, verified, registrationInfo });
@@ -445,7 +457,7 @@ function createPasskeyHandlers(node, mode, createToken) {
         data: {
           ...req.query,
           user: req.userExpanded?.did,
-          origin: getOrigin(req),
+          origin: getDomain(req),
         },
       },
     });
@@ -464,7 +476,7 @@ function createPasskeyHandlers(node, mode, createToken) {
       req.userExpanded = await node.getUser({ teamDid, user: { did: exist.userDid } });
     }
 
-    const expectedRPID = getOrigin(req);
+    const expectedRPID = getDomain(req);
     let allowedCredentials = [];
     if (req.query.credentialId) {
       allowedCredentials = (req.userExpanded?.connectedAccounts || [])
@@ -522,8 +534,8 @@ function createPasskeyHandlers(node, mode, createToken) {
       const verification = await verifyAuthenticationResponse({
         response: body,
         expectedChallenge: toBase64(passkeySession.challenge),
-        expectedOrigin: `https://${getOrigin(req)}`,
-        expectedRPID: getOrigin(req),
+        expectedOrigin: getTrustOrigins({ blocklet: req.blocklet, req }),
+        expectedRPID: getDomain(req),
         credential: {
           id: passkey.id,
           publicKey: fromBase64(passkey.pk),
@@ -537,20 +549,40 @@ function createPasskeyHandlers(node, mode, createToken) {
       }
       logger.info('passkey.auth.verified', { verified, authenticationInfo });
 
-      const createUserSession = () =>
-        node.upsertUserSession({
+      const createUserSession = async ({ targetAppPid } = {}) => {
+        const ua = req.get('user-agent');
+        const lastLoginIp = getRequestIP(req);
+        const userSessionDoc = await node.upsertUserSession({
           teamDid,
           userDid: user.did,
           visitorId: req.get('x-blocklet-visitor-id'),
           appPid: teamDid,
           passportId: null,
           status: 'online',
-          ua: req.get('user-agent'),
+          ua,
           lastLoginIp: getRequestIP(req),
           extra: {
             walletOS: 'passkey',
           },
+          locale: getLocale(req),
+          origin: await getOrigin({ req }),
         });
+        if (targetAppPid) {
+          node.syncUserSession({
+            teamDid,
+            userDid: userSessionDoc.userDid,
+            visitorId: userSessionDoc.visitorId,
+            passportId: null,
+            targetAppPid,
+            ua,
+            lastLoginIp,
+            extra: {
+              walletOS: 'passkey',
+            },
+          });
+        }
+        return userSessionDoc;
+      };
 
       const createTokens = async (updated, passport, role, profile, result) => {
         const { secret } = await getApplicationInfo({ node, nodeInfo: info, teamDid });
@@ -581,8 +613,8 @@ function createPasskeyHandlers(node, mode, createToken) {
         return result;
       };
 
-      const loginUser = () =>
-        node.loginUser({
+      const loginUser = async () => {
+        const _result = await node.loginUser({
           teamDid,
           user: {
             did: user.did,
@@ -593,6 +625,8 @@ function createPasskeyHandlers(node, mode, createToken) {
             },
           },
         });
+        return _result;
+      };
 
       const result = { verified, userDid: user.did };
 
@@ -604,10 +638,45 @@ function createPasskeyHandlers(node, mode, createToken) {
           PASSKEY_ACTIONS['connect-to-did-domain'],
         ].includes(passkeySession.data.action)
       ) {
-        const updated = await loginUser();
-        const passport = getLastUsedPassport(updated.passports);
-        await createTokens(updated, passport, passport.role, user, result);
-        logger.info('passkey.auth.loggedIn', { teamDid, userDid: user.did, passport });
+        const { targetAppPid } = req.query;
+        // FIXME: @zhanghan 这里目前只是一个 hack 的方式，passkey 和 federated 结合的流程需要重新梳理优化
+        const isFederatedHack = targetAppPid && targetAppPid !== teamDid;
+        if (mode === 'service' && isFederatedHack) {
+          const findMemberSite = findFederatedSite(req.blocklet, targetAppPid);
+          if (findMemberSite) {
+            const postUser = pick(user, ['did', 'pk', 'fullName', 'locale', 'inviter', 'generation']);
+            postUser.lastLoginAt = getRequestIP(req);
+
+            if (user.email) {
+              postUser.email = user.email;
+            }
+            if (user.avatar) {
+              postUser.avatar = getUserAvatarUrl(user.avatar, req.blocklet);
+            }
+            // 这里是为了在 member 上创建用户
+            const _result = await node.loginFederated({
+              did: teamDid,
+              data: {
+                user: postUser,
+                walletOS: 'passkey',
+                provider: LOGIN_PROVIDER.PASSKEY,
+              },
+              site: findMemberSite,
+            });
+            result.sessionToken = _result.sessionToken;
+            result.refreshToken = _result.refreshToken;
+
+            const session = await createUserSession({ targetAppPid });
+            result.visitorId = session.visitorId;
+          } else {
+            throw new Error('Target site not found');
+          }
+        } else {
+          const updated = await loginUser();
+          const passport = getLastUsedPassport(updated.passports);
+          await createTokens(updated, passport, passport.role, user, result);
+          logger.info('passkey.auth.loggedIn', { teamDid, userDid: user.did, passport });
+        }
       }
 
       if (passkeySession.data.action === 'disconnect') {
@@ -764,6 +833,6 @@ function createPasskeyHandlers(node, mode, createToken) {
 module.exports = {
   createPasskeyHandlers,
   getSessionConfig,
-  getOrigin,
+  getDomain,
   formatBuffersToBase64,
 };

package/lib/server.js

@@ -41,6 +41,7 @@ const {
 } = require('@abtnode/constant');
 const parseBooleanString = require('@abtnode/util/lib/parse-boolean-string');
 const { getDeviceData } = require('@abtnode/util/lib/device');
+const getOrigin = require('@abtnode/util/lib/get-origin');
 
 const {
   messages,
@@ -862,6 +863,7 @@ const createLaunchBlockletHandler =
         walletOS: didwallet?.os,
         userDid,
         device: context ? deviceData : null,
+        origin: await getOrigin({ req }),
       },
     });
     await updateSession({ setupToken: result.setupToken, visitorId: result.visitorId });

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.42",
+  "version": "1.16.43-beta-20250419-231352-c78ac93d",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,22 +20,22 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.16.42",
-    "@abtnode/logger": "1.16.42",
-    "@abtnode/util": "1.16.42",
-    "@arcblock/did": "1.20.0",
-    "@arcblock/did-auth": "1.20.0",
-    "@arcblock/jwt": "^1.20.0",
-    "@arcblock/nft-display": "^2.13.0",
-    "@arcblock/validator": "^1.20.0",
-    "@arcblock/vc": "1.20.0",
-    "@blocklet/constant": "1.16.42",
-    "@blocklet/meta": "1.16.42",
-    "@blocklet/sdk": "1.16.42",
-    "@ocap/client": "^1.20.0",
-    "@ocap/mcrypto": "1.20.0",
-    "@ocap/util": "1.20.0",
-    "@ocap/wallet": "1.20.0",
+    "@abtnode/constant": "1.16.43-beta-20250419-231352-c78ac93d",
+    "@abtnode/logger": "1.16.43-beta-20250419-231352-c78ac93d",
+    "@abtnode/util": "1.16.43-beta-20250419-231352-c78ac93d",
+    "@arcblock/did": "1.20.1",
+    "@arcblock/did-auth": "1.20.1",
+    "@arcblock/jwt": "^1.20.1",
+    "@arcblock/nft-display": "^2.13.7",
+    "@arcblock/validator": "^1.20.1",
+    "@arcblock/vc": "1.20.1",
+    "@blocklet/constant": "1.16.43-beta-20250419-231352-c78ac93d",
+    "@blocklet/meta": "1.16.43-beta-20250419-231352-c78ac93d",
+    "@blocklet/sdk": "1.16.43-beta-20250419-231352-c78ac93d",
+    "@ocap/client": "^1.20.1",
+    "@ocap/mcrypto": "1.20.1",
+    "@ocap/util": "1.20.1",
+    "@ocap/wallet": "1.20.1",
     "@simplewebauthn/server": "^13.0.0",
     "axios": "^1.7.9",
     "flat": "^5.0.2",
@@ -52,5 +52,5 @@
   "devDependencies": {
     "jest": "^29.7.0"
   },
-  "gitHead": "04e4adf8f2c1d6289850c66159c0a68ea946d5e6"
+  "gitHead": "207acad34e8ccf318cd7539c1ac717cee7951b53"
 }