@abtnode/auth 1.16.45-beta-20250612-231219-481217be → 1.16.45-beta-20250614-101901-d1700f8d

package/lib/bind-wallet.js

@@ -0,0 +1,65 @@
+const { onConnect, onApprove, authPrincipal } = require('./util/bind-wallet');
+const logger = require('./logger');
+
+const createBindWalletRoute = ({ node }) => ({
+  action: 'bind-wallet',
+  authPrincipal: false,
+  claims: {
+    authPrincipal: ({ extraParams: { locale, previousUserDid, email } }) => {
+      return authPrincipal({ locale, previousUserDid, email });
+    },
+  },
+  onConnect: ({ req, userDid, extraParams: { locale, passportId = '', componentId, previousUserDid, isService } }) => {
+    return onConnect({
+      node,
+      request: req,
+      userDid,
+      locale,
+      passportId,
+      componentId,
+      previousUserDid,
+      isService,
+    });
+  },
+
+  onAuth: async ({
+    claims,
+    userDid,
+    userPk,
+    extraParams: { locale, previousUserDid, skipMigrateAccount, isService },
+    req,
+    baseUrl,
+  }) => {
+    try {
+      const result = await onApprove({
+        node,
+        request: req,
+        locale,
+        userDid,
+        userPk,
+        baseUrl,
+        claims,
+        previousUserDid,
+        skipMigrateAccount:
+          typeof skipMigrateAccount === 'boolean' ? skipMigrateAccount : skipMigrateAccount === 'true',
+        isService: typeof isService === 'boolean' ? isService : isService === 'true',
+      });
+
+      if (result.nextWorkflowData && skipMigrateAccount) {
+        result.nextWorkflowData = {
+          ...result.nextWorkflowData,
+          skipCheckOwner: true,
+        };
+      }
+
+      return result;
+    } catch (err) {
+      logger.error('login.error', { error: err, userDid });
+      throw new Error(err.message);
+    }
+  },
+});
+
+module.exports = {
+  createBindWalletRoute,
+};

package/lib/server.js

@@ -174,7 +174,7 @@ const authenticateByVc = async ({
   }
 
   // check user approved
-  const user = await getUser(node, teamDid, userDid);
+  const user = await getUser(node, teamDid, userDid, { enableConnectedAccount: true });
   if (user && !user.approved) {
     throw new CustomError(403, messages.notAllowed[locale]);
   }
@@ -265,7 +265,7 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale, isA
     throw new CustomError(400, messages.tagNotMatch[locale]);
   }
 
-  const user = await getUser(node, info.did, userDid);
+  const user = await getUser(node, info.did, userDid, { enableConnectedAccount: true });
   return {
     role: ROLES.OWNER,
     teamDid: info.did,
@@ -307,7 +307,7 @@ const authenticateByLauncher = async ({ node, claims, launcherSessionId, launche
 
 const authenticateBySession = async ({ node, userDid, locale, allowedRoles = ['owner', 'admin', 'member'] }) => {
   const info = await node.getNodeInfo();
-  const user = await getUser(node, info.did, userDid);
+  const user = await getUser(node, info.did, userDid, { enableConnectedAccount: true });
   if (!user) {
     throw new CustomError(404, messages.userNotFound[locale]);
   }
@@ -882,7 +882,7 @@ const getBlockletPermissionChecker =
     const { locale = 'en' } = extraParams;
 
     const info = await node.getNodeInfo();
-    const user = await getUser(node, info.did, userDid);
+    const user = await getUser(node, info.did, userDid, { enableConnectedAccount: true });
     if (!user) {
       throw new CustomError(404, messages.userNotFound[locale]);
     }

package/lib/util/bind-wallet.js

@@ -0,0 +1,299 @@
+const createTranslator = require('@abtnode/util/lib/translate');
+const { LOGIN_PROVIDER } = require('@blocklet/constant');
+const { getSourceAppPid } = require('@blocklet/sdk/lib/util/login');
+const { extractUserAvatar } = require('@abtnode/util/lib/user');
+const { fromAppDid } = require('@arcblock/did-ext');
+const getRequestIP = require('@abtnode/util/lib/get-request-ip');
+const merge = require('lodash/merge');
+const formatContext = require('@abtnode/util/lib/format-context');
+
+const { shouldSyncFederated, getUserAvatarUrl, getFederatedMaster, migrateFederatedAccount } = require('./federated');
+const { messages, getApplicationInfo } = require('../auth');
+const { upsertToPassports } = require('../passport');
+const { transferPassport } = require('./transfer-passport');
+const { declareAccount, migrateAccount } = require('./client');
+const logger = require('../logger');
+
+module.exports = {
+  authPrincipal: ({ email, locale, previousUserDid }) => {
+    const user = email || previousUserDid;
+
+    const message = locale === 'zh' ? `将你的 DID Wallet 与账号 ${user} 绑定` : `Connect your DID Wallet with ${user}`;
+
+    return {
+      description: message,
+      supervised: true,
+    };
+  },
+  onConnect: async ({ node, request, userDid, locale, previousUserDid, isService }) => {
+    const translations = {
+      en: {
+        notFound: "Couldn't find account information.",
+        alreadyBindOAuth: 'Your wallet account ({did}) is already bond to another email.',
+        alreadyBindWallet: 'Your email is already bond to another wallet account {did}.',
+        alreadyMainAccount:
+          'Your wallet account is already bond to this app. You cannot bind it again. Please use another wallet account or create a new one to try again.',
+      },
+      zh: {
+        notFound: '无法获取账户信息。',
+        alreadyBindOAuth: '你的钱包账户 {did} 已经与其他账户绑定。',
+        alreadyBindWallet: '当前账户已经绑定过钱包账户 {did}。',
+        alreadyMainAccount: '你的钱包账户 {did} 已绑定过该应用，无法重复绑定，请切换或新建一个钱包账户再次尝试。',
+      },
+    };
+    const t = createTranslator({ translations });
+    const { did: teamDid } = isService ? await request.getBlockletInfo() : await node.getNodeInfo();
+
+    const walletUser = await node.getUser({ teamDid, user: { did: userDid } });
+    if (walletUser) {
+      throw new Error(t('alreadyMainAccount', locale, { did: userDid }));
+    }
+
+    const oauthUser = await node.getUser({
+      teamDid,
+      user: {
+        did: previousUserDid,
+      },
+      options: {
+        enableConnectedAccount: true,
+      },
+    });
+    if (!oauthUser) {
+      throw new Error(t('notFound', locale, { email: oauthUser.email }));
+    }
+
+    const sourceProvider = oauthUser.sourceProvider || LOGIN_PROVIDER.WALLET;
+    const oauthConnectedAccounts = oauthUser.connectedAccounts || [];
+    const exist = oauthConnectedAccounts.find((item) => item.provider === LOGIN_PROVIDER.WALLET);
+    if (exist) {
+      throw new Error(t('alreadyBindWallet', locale, { email: oauthUser.email, did: exist.did }));
+    }
+
+    const bindUser = await node.getUser({
+      teamDid,
+      user: {
+        did: userDid,
+      },
+      options: {
+        enableConnectedAccount: true,
+      },
+    });
+
+    if (bindUser) {
+      const bindConnectedAccounts = bindUser.connectedAccounts || [];
+      if (bindConnectedAccounts.find((item) => item.provider === sourceProvider)) {
+        throw new Error(t('alreadyBindOAuth', locale, { email: oauthUser.email, did: userDid }));
+      }
+    }
+
+    const claims = {
+      profile: {
+        type: 'profile',
+        description: messages.description[locale],
+        items: ['fullName', 'avatar'],
+      },
+    };
+
+    // 至少需要一个 claim
+    if (oauthUser.avatar) {
+      delete claims.profile;
+    }
+    if (Object.keys(claims).length > 0) {
+      return claims;
+    }
+
+    return [];
+  },
+  onApprove: async ({
+    node,
+    request,
+    locale,
+    userDid,
+    userPk,
+    claims,
+    previousUserDid,
+    baseUrl,
+    skipMigrateAccount = false,
+    isService = false,
+  }) => {
+    // 在这里要对 server 还是 service 进行区分
+    const nodeInfo = await node.getNodeInfo();
+
+    let teamDid = nodeInfo.did;
+    let wallet = null;
+    let blockletInfo = null;
+    let sourceAppPid = null;
+    let blocklet = null;
+    if (isService) {
+      blocklet = await request.getBlocklet();
+      blockletInfo = await request.getBlockletInfo();
+      sourceAppPid = getSourceAppPid(request);
+      const { did: blockletDid, wallet: blockletWallet } = blockletInfo;
+      teamDid = blockletDid;
+      wallet = blockletWallet;
+    }
+
+    const oauthUser = await node.getUser({ teamDid, user: { did: previousUserDid } });
+
+    // Check user approved
+    let bindUser = await node.getUser({
+      teamDid,
+      user: {
+        did: userDid,
+      },
+      options: {
+        enableConnectedAccount: true,
+      },
+    });
+    if (bindUser && !bindUser.approved) {
+      throw new Error(messages.notAllowedAppUser[locale]);
+    }
+
+    const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
+
+    const profileOld = claims.find((x) => x.type === 'profile') || { avatar: null };
+    const avatar = await extractUserAvatar(oauthUser.avatar || profileOld.avatar, { dataDir });
+    const profile = {
+      fullName: oauthUser.fullName,
+      avatar,
+      email: oauthUser.email,
+    };
+
+    if (isService) {
+      if (sourceAppPid) {
+        try {
+          await migrateFederatedAccount({
+            // 目前只允许未注册过的钱包绑定 auth0，所以直接传入钱包生成的 userDid 和 userPk
+            toUserDid: userDid,
+            toUserPk: userPk,
+            fromUserDid: previousUserDid,
+            blockletInfo,
+            blocklet,
+          });
+        } catch (error) {
+          logger.error('Failed to migrate federated account', {
+            error,
+            toUserDid: userDid,
+            fromUserDid: previousUserDid,
+          });
+
+          if (error?.response?.data) {
+            throw new Error(error.response.data);
+          }
+          throw error;
+        }
+      } else {
+        const connectedAccounts = oauthUser?.connectedAccounts || [];
+        const sourceProvider = oauthUser?.sourceProvider;
+        const oauthAccount = connectedAccounts.find((item) => item.provider === sourceProvider);
+        const userWallet = fromAppDid(oauthAccount.id, wallet.secretKey);
+        await declareAccount({ wallet: userWallet, blocklet });
+        if (!skipMigrateAccount) {
+          await migrateAccount({ wallet: userWallet, blocklet, user: { did: userDid, pk: userPk } });
+        }
+      }
+    }
+
+    // TODO: 获取当前登录使用的 passport（无法获取到 passport.id）
+    // 使用最近一次使用的 passport 来代替
+    const mergePassport = (oauthUser.passports || []).reduce((sum, cur) => {
+      return upsertToPassports(sum, cur);
+    }, bindUser?.passports || []);
+    const mergeProfile = merge(profile, {
+      email: bindUser?.email,
+      fullName: bindUser?.fullName,
+      avatar: bindUser?.avatar,
+      inviter: bindUser?.inviter,
+      generation: bindUser?.generation,
+      emailVerified: bindUser?.emailVerified,
+      phoneVerified: bindUser?.phoneVerified,
+    });
+    const currentTime = new Date().toISOString();
+
+    const connectedAccount = {
+      provider: LOGIN_PROVIDER.WALLET,
+      did: userDid,
+      pk: userPk,
+      lastLoginAt: currentTime,
+      firstLoginAt: currentTime,
+      userInfo: {
+        wallet: request.context.didwallet,
+      },
+    };
+
+    await node.updateUser({
+      teamDid,
+      user: {
+        did: oauthUser.did,
+        pk: oauthUser.pk,
+        ...mergeProfile,
+        lastLoginIp: getRequestIP(request),
+        connectedAccounts: [connectedAccount],
+        passports: mergePassport,
+      },
+    });
+
+    if (isService) {
+      const masterSite = getFederatedMaster(blocklet);
+      // NOTICE: 采用异步来更新，不阻塞接口的正常响应
+      if (shouldSyncFederated(sourceAppPid, blocklet)) {
+        const syncUserData = {
+          did: oauthUser.did,
+          pk: oauthUser.pk,
+          ...mergeProfile,
+          connectedAccount: [connectedAccount],
+        };
+        if (syncUserData.avatar) {
+          syncUserData.avatar = getUserAvatarUrl(syncUserData.avatar, blocklet);
+        }
+        node.syncFederated({
+          did: teamDid,
+          data: {
+            users: [
+              {
+                ...syncUserData,
+                action: 'connectAccount',
+                sourceAppPid: sourceAppPid || masterSite.appPid,
+              },
+            ],
+          },
+        });
+      }
+    }
+
+    if (!bindUser) {
+      bindUser = {
+        ...oauthUser,
+        // 发送 passport 的对象要设置为 wallet-did
+        did: userDid,
+        pk: userPk,
+      };
+    }
+
+    // FIXME：@zhanghan 统一登录的 passport 相关问题后续统一处理
+    await transferPassport(oauthUser, bindUser, {
+      req: request,
+      node,
+      nodeInfo,
+      teamDid,
+      baseUrl,
+      revokePassport: true,
+    });
+
+    await node.createAuditLog(
+      {
+        action: 'connectAccount',
+        args: { teamDid, connectedAccount, provider: LOGIN_PROVIDER.WALLET, userDid: oauthUser.did },
+        context: formatContext(Object.assign(request, { user: oauthUser })),
+        result: bindUser,
+      },
+      node
+    );
+
+    return {
+      nextWorkflowData: {
+        userDid,
+      },
+    };
+  },
+};

package/lib/util/client.js

@@ -0,0 +1,185 @@
+const { getChainClient } = require('@abtnode/util/lib/get-chain-client');
+const { MAIN_CHAIN_ENDPOINT } = require('@abtnode/constant');
+const { getBlockletChainInfo } = require('@blocklet/meta/lib/util');
+const jwt = require('jsonwebtoken');
+const jwksClient = require('jwks-rsa');
+const { toStakeAddress } = require('@arcblock/did-util');
+const { sign } = require('@arcblock/jwt');
+const { toBN, fromUnitToToken } = require('@ocap/util');
+const { toTxHash } = require('@ocap/mcrypto');
+const getBlockletInfo = require('@blocklet/meta/lib/info');
+
+const logger = require('../logger');
+
+async function declareAccountByChain({ chainHost, wallet }) {
+  const chainClient = getChainClient(chainHost);
+  const { address } = wallet;
+  const { state } = await chainClient.getAccountState({ address }, { ignoreFields: ['context'] });
+  if (state) {
+    logger.info('skip declare account on chain done', { chain: chainHost, did: address });
+  } else {
+    logger.warn('declare account on chain deprecated', { chain: chainHost, did: address });
+  }
+}
+
+async function declareAccount({ wallet, blocklet }) {
+  const chainHostList = [MAIN_CHAIN_ENDPOINT];
+  // 本质上是获取环境变量为 CHAIN_HOST 的值
+  const { host: chainHost } = getBlockletChainInfo(blocklet);
+  if (chainHost && chainHost !== 'none') {
+    chainHostList.push(chainHost);
+  }
+  const waitingList = [...new Set(chainHostList)].map((item) => declareAccountByChain({ chainHost: item, wallet }));
+  await Promise.all(waitingList);
+}
+
+async function migrateAccountByChain({ chainHost, user, wallet, blocklet }) {
+  const client = getChainClient(chainHost);
+
+  // Do not migrate if target account already exists
+  const { state: exist } = await client.getAccountState({ address: user.did });
+  if (exist) {
+    logger.info('migrate account on chain done', { chain: chainHost, did: user.did });
+    return '';
+  }
+
+  // Ensure staked for gas
+  const info = getBlockletInfo(blocklet);
+  await ensureStakedForGas({ client, chainHost, wallet: info.wallet });
+
+  // send migrate tx with app as gas payer
+  const tx = await client.signAccountMigrateTx({
+    tx: {
+      itx: {
+        address: user.did,
+        pk: user.pk,
+      },
+    },
+    wallet,
+  });
+  const { buffer } = await client.encodeAccountMigrateTx({ tx, wallet });
+  const hash = await client.sendAccountMigrateTx(
+    { tx, wallet },
+    {
+      headers: {
+        'x-gas-payer-sig': sign(info.wallet.address, info.wallet.secretKey, { txHash: toTxHash(buffer) }),
+        'x-gas-payer-pk': info.wallet.publicKey,
+      },
+    }
+  );
+
+  logger.info('migration account done', { chain: chainHost, did: user.did, hash });
+  return hash;
+}
+
+async function migrateAccount({ wallet, blocklet, user }) {
+  const chainHostList = [MAIN_CHAIN_ENDPOINT];
+  const { host: chainHost } = getBlockletChainInfo(blocklet);
+  if (chainHost && chainHost !== 'none') {
+    chainHostList.push(chainHost);
+  }
+  const waitingList = [...new Set(chainHostList)].map((item) =>
+    migrateAccountByChain({ chainHost: item, wallet, user, blocklet })
+  );
+  await Promise.all(waitingList);
+}
+
+async function ensureStakedForGas({ client, chainHost, wallet }) {
+  // check if already staked
+  const address = toStakeAddress(wallet.address, wallet.address);
+  const { state: stake } = await client.getStakeState({ address });
+  if (stake) {
+    return;
+  }
+
+  // try stake for gas if we have enough balance
+  const { state: account } = await client.getAccountState({ address: wallet.address });
+  const result = await client.getForgeState({});
+  const { token, txConfig } = result.state;
+  const holding = (account?.tokens || []).find((x) => x.address === token.address);
+  if (toBN(holding?.value || '0').lte(toBN(txConfig.txGas.minStake))) {
+    throw new Error(`App do not have enough balance to stake for gas on chain: ${chainHost}`);
+  }
+
+  // @ts-ignore
+  const [hash] = await client.stake({
+    to: wallet.address,
+    message: 'stake-for-gas',
+    tokens: [{ address: token.address, value: fromUnitToToken(txConfig.txGas.minStake, token.decimal) }],
+    wallet,
+  });
+  logger.info(`App staked for gas on chain ${chainHost}`, { hash });
+}
+
+async function getJWK(kid, jwksUri) {
+  const client = jwksClient({
+    cache: true,
+    jwksUri,
+  });
+  const key = await new Promise((resolve, reject) => {
+    client.getSigningKey(kid, (error, result) => {
+      if (error) {
+        return reject(error);
+      }
+      return resolve(result);
+    });
+  });
+  return {
+    publicKey: key.getPublicKey(),
+    kid: key.kid,
+    alg: key.alg,
+  };
+}
+
+/**
+ * Verify the authenticity of a token by decoding, verifying the algorithm, and matching claims.
+ * @author https://github.com/stefanprokopdev/verify-apple-id-token
+ * @param {Object} params - Object containing idToken, jwksUri, nonce, iss, clientId
+ * @param {string} params.idToken - JWT token
+ * @param {string} params.jwksUri - JWK set URI
+ * @param {string} params.nonce - Nonce
+ * @param {string} params.iss - Issuer
+ * @param {string} params.clientId - Client ID
+ * @return {Object} Decoded JWT claims if token is valid
+ */
+async function verifyIdToken(params) {
+  const decoded = jwt.decode(params.idToken, { complete: true });
+  const { kid, alg: jwtAlg } = decoded.header;
+
+  const { publicKey, alg: jwkAlg } = await getJWK(kid, params.jwksUri);
+
+  if (jwtAlg !== jwkAlg) {
+    throw new Error(`The alg does not match the jwk configuration - alg: ${jwtAlg} | expected: ${jwkAlg}`);
+  }
+
+  const jwtClaims = jwt.verify(params.idToken, publicKey, {
+    algorithms: [jwkAlg],
+    nonce: params.nonce,
+  });
+
+  if (jwtClaims?.iss !== params.iss) {
+    throw new Error(`The iss does not match the Apple URL - iss: ${jwtClaims.iss} | expected: ${params.iss}`);
+  }
+
+  const isFounded = [].concat(jwtClaims.aud).some((aud) => [].concat(params.clientId).includes(aud));
+
+  if (isFounded) {
+    ['email_verified', 'is_private_email'].forEach((field) => {
+      if (jwtClaims[field] !== undefined) {
+        jwtClaims[field] = Boolean(jwtClaims[field]);
+      }
+    });
+
+    return jwtClaims;
+  }
+
+  throw new Error(
+    `The aud parameter does not include this client - is: ${jwtClaims.aud} | expected: ${params.clientId}`
+  );
+}
+
+module.exports = {
+  declareAccount,
+  migrateAccount,
+  verifyIdToken,
+};

package/lib/util/federated.js

@@ -180,6 +180,18 @@ function generateSiteInfo({ nodeInfo, blocklet, domainAliases }) {
   return siteInfo;
 }
 
+async function migrateFederatedAccount({ blocklet, blockletInfo, fromUserDid, toUserDid, toUserPk }) {
+  const masterSite = getFederatedMaster(blocklet);
+  const { permanentWallet } = blockletInfo;
+  const result = await callFederated({
+    action: 'migrateAccount',
+    site: masterSite,
+    permanentWallet,
+    data: { fromUserDid, toUserDid, toUserPk },
+  });
+  return result;
+}
+
 module.exports = {
   callFederated,
   getFederatedSiteEnv,
@@ -191,4 +203,5 @@ module.exports = {
   generateSiteInfo,
   isMaster,
   safeGetFederated,
+  migrateFederatedAccount,
 };

package/lib/util/transfer-passport.js

@@ -0,0 +1,188 @@
+const isEmpty = require('lodash/isEmpty');
+const { getActivePassports } = require('@abtnode/util/lib/passport');
+const { VC_TYPE_NODE_PASSPORT, VC_TYPE_GENERAL_PASSPORT, NOTIFICATION_SEND_CHANNEL } = require('@abtnode/constant');
+const { getUserAvatarUrl } = require('@abtnode/util/lib/user');
+const { getBlockletAppIdList } = require('@blocklet/meta/lib/util');
+const getNodeWallet = require('@abtnode/util/lib/get-app-wallet');
+const pick = require('lodash/pick');
+const uniq = require('lodash/uniq');
+const { LOGIN_PROVIDER } = require('@blocklet/constant');
+
+const { PASSPORT_LOG_ACTION, PASSPORT_ISSUE_ACTION } = require('@abtnode/constant');
+const { sendToUser } = require('@blocklet/sdk/lib/util/send-notification');
+const { getPassportStatusEndpoint, getApplicationInfo } = require('../auth');
+const { createPassportVC, upsertToPassports, createUserPassport } = require('../passport');
+
+const PASSPORT_VC_TYPES = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
+
+const getPassportName = (passport) => {
+  return passport?.credentialSubject?.passport?.title || passport?.credentialSubject?.passport?.name || '';
+};
+
+async function transferPassport(fromUser, toUser, { req, teamDid, node, nodeInfo, revokePassport = false, baseUrl }) {
+  if (!fromUser || !toUser || !teamDid) {
+    return;
+  }
+  const info = await getApplicationInfo({ node, nodeInfo, teamDid });
+  const { name: issuerName, wallet: issuerWallet, passportColor } = info;
+
+  const isService = teamDid !== nodeInfo.did;
+
+  let issuerDidList = uniq([info.wallet.address, ...getBlockletAppIdList(info)]);
+
+  let appUrl = null;
+  if (isService) {
+    const blockletInfo = await req.getBlockletInfo();
+    const { wallet: blockletWallet } = blockletInfo;
+    issuerDidList = uniq([blockletWallet.address, ...getBlockletAppIdList(blockletInfo)]);
+    appUrl = blockletInfo.appUrl;
+  }
+
+  const waitPassportList = getActivePassports(fromUser, issuerDidList);
+
+  if (waitPassportList.length === 0) {
+    // 没有待转移的 passport，无需进行下面的步骤
+    return;
+  }
+
+  const attachments = await Promise.all(
+    waitPassportList.map(async (x) => {
+      const _baseUrl = isService ? x.endpoint || appUrl : baseUrl || x.endpoint;
+      const vcParams = {
+        issuerName,
+        issuerWallet: isService ? issuerWallet : getNodeWallet(nodeInfo.sk),
+        ownerDid: toUser.did,
+        passport: { ...pick(x, ['name', 'title', 'specVersion']), endpoint: _baseUrl },
+        endpoint: getPassportStatusEndpoint({
+          baseUrl: _baseUrl,
+          userDid: toUser.did,
+          teamDid,
+        }),
+        ownerProfile: {
+          email: toUser.email,
+          fullName: toUser.fullName,
+          avatar: getUserAvatarUrl(_baseUrl, toUser.avatar),
+        },
+        preferredColor: passportColor,
+        types: !isService ? [VC_TYPE_NODE_PASSPORT] : x.types,
+        purpose: !isService || isEmpty(x.types) ? 'login' : 'verification',
+        display: x.display,
+        tag: info.did,
+      };
+
+      const vc = await createPassportVC(vcParams);
+      return {
+        type: 'vc',
+        data: {
+          credential: vc,
+          tag: x.name,
+        },
+      };
+    })
+  );
+
+  const insertPassportList = attachments.map((item, index) => {
+    const passport = createUserPassport(item.data.credential, { role: item.data.tag, display: item.data.display });
+    return {
+      ...passport,
+      ...pick(waitPassportList[index], ['firstLoginAt', 'lastLoginAt', 'lastLoginIp']),
+      userDid: toUser.did,
+    };
+  });
+
+  const passportNameList = attachments.map((x) => x.data.credential.name || getPassportName(x));
+
+  let sender = {};
+  if (!isService) {
+    sender = {
+      appDid: info.wallet.address,
+      appSk: info.wallet.secretKey,
+    };
+  } else {
+    const { wallet } = await req.getBlockletInfo();
+    sender = {
+      appDid: wallet.address,
+      appSk: wallet.secretKey,
+    };
+  }
+
+  await sendToUser(
+    toUser.did,
+    {
+      title: 'Transfer passports',
+      body: `You received passport ${passportNameList.join(', ')} because you just bind your DID Wallet to ${
+        fromUser.email
+      }`,
+      attachments,
+    },
+    sender,
+    {
+      channels: [NOTIFICATION_SEND_CHANNEL.WALLET, NOTIFICATION_SEND_CHANNEL.PUSH], // 不需要推送到其他 channels
+    }
+  );
+
+  const passports = insertPassportList.reduce((acc, item) => {
+    return upsertToPassports(acc, item);
+  }, fromUser.passports || []);
+  const toUserExist = await node.getUser({
+    teamDid,
+    user: { did: toUser.did },
+    options: {
+      enableConnectedAccount: false,
+    },
+  });
+  // HACK: 默认情况下，应该将新 passport 添加到 toUser，但某些情况下，toUser 是绑定到 fromUser 的 connectAccount，所以需要将新通行证添加到 fromUser
+  if (toUserExist) {
+    await node.updateUser({
+      teamDid,
+      user: {
+        did: toUser.did,
+        pk: toUser.pk,
+        passports,
+      },
+    });
+  } else {
+    await node.updateUser({
+      teamDid,
+      user: {
+        did: fromUser.did,
+        pk: fromUser.pk,
+        passports,
+      },
+    });
+  }
+
+  await Promise.all(
+    insertPassportList.map((item) => {
+      return node.createPassportLog(
+        teamDid,
+        {
+          passportId: item.id,
+          action: PASSPORT_LOG_ACTION.ISSUE,
+          operatorDid: fromUser.did,
+          metadata: {
+            action: PASSPORT_ISSUE_ACTION.ISSUE_ON_TRANSFER,
+          },
+        },
+        req
+      );
+    })
+  );
+
+  if (revokePassport) {
+    const revokePendingList = waitPassportList
+      .filter((item) => item.id)
+      .map((item) => {
+        if (fromUser.sourceProvider === LOGIN_PROVIDER.AUTH0) {
+          return node.removeUserPassport({ teamDid, userDid: fromUser.did, passportId: item.id });
+        }
+        return node.revokeUserPassport({ teamDid, userDid: fromUser.did, passportId: item.id });
+      });
+    await Promise.all(revokePendingList);
+  }
+}
+
+module.exports = {
+  transferPassport,
+  PASSPORT_VC_TYPES,
+};

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.45-beta-20250612-231219-481217be",
+  "version": "1.16.45-beta-20250614-101901-d1700f8d",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,30 +20,33 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.16.45-beta-20250612-231219-481217be",
-    "@abtnode/logger": "1.16.45-beta-20250612-231219-481217be",
-    "@abtnode/util": "1.16.45-beta-20250612-231219-481217be",
+    "@abtnode/constant": "1.16.45-beta-20250614-101901-d1700f8d",
+    "@abtnode/logger": "1.16.45-beta-20250614-101901-d1700f8d",
+    "@abtnode/util": "1.16.45-beta-20250614-101901-d1700f8d",
     "@arcblock/did": "1.20.14",
     "@arcblock/did-auth": "1.20.14",
+    "@arcblock/did-ext": "1.20.14",
+    "@arcblock/did-util": "1.20.14",
     "@arcblock/jwt": "1.20.14",
-    "@arcblock/nft-display": "^2.13.66",
+    "@arcblock/nft-display": "^2.13.67",
     "@arcblock/validator": "1.20.14",
     "@arcblock/vc": "1.20.14",
-    "@blocklet/constant": "1.16.45-beta-20250612-231219-481217be",
+    "@blocklet/constant": "1.16.45-beta-20250614-101901-d1700f8d",
     "@blocklet/error": "^0.2.5",
-    "@blocklet/meta": "1.16.45-beta-20250612-231219-481217be",
-    "@blocklet/sdk": "1.16.45-beta-20250612-231219-481217be",
+    "@blocklet/meta": "1.16.45-beta-20250614-101901-d1700f8d",
+    "@blocklet/sdk": "1.16.45-beta-20250614-101901-d1700f8d",
     "@ocap/client": "1.20.14",
     "@ocap/mcrypto": "1.20.14",
     "@ocap/util": "1.20.14",
     "@ocap/wallet": "1.20.14",
-    "@simplewebauthn/server": "^13.0.0",
+    "@simplewebauthn/server": "^13.1.1",
     "axios": "^1.7.9",
     "flat": "^5.0.2",
     "fs-extra": "^11.2.0",
     "is-url": "^1.2.4",
     "joi": "17.12.2",
     "jsonwebtoken": "^9.0.0",
+    "jwks-rsa": "^3.1.0",
     "lodash": "^4.17.21",
     "p-retry": "^4.6.2",
     "semver": "^7.6.3",
@@ -53,5 +56,5 @@
   "devDependencies": {
     "jest": "^29.7.0"
   },
-  "gitHead": "01a3fb21f16a515e2565d12797baeda5fdf585b0"
+  "gitHead": "5fb4c294b2754d660fa946ac85c962edb2deaad2"
 }