@abtnode/auth 1.16.5 → 1.16.6-beta-8be2fe37

package/lib/auth.js

@@ -6,8 +6,11 @@ const get = require('lodash/get');
 const { verifyPresentation, createCredentialList } = require('@arcblock/vc');
 const formatContext = require('@abtnode/util/lib/format-context');
 const getNodeWallet = require('@abtnode/util/lib/get-app-wallet');
+const { getChainClient } = require('@abtnode/util/lib/get-chain-client');
+const { fromPublicKey } = require('@ocap/wallet');
+const { fromBase58, toAddress } = require('@ocap/util');
+const { toTypeInfo, isFromPublicKey } = require('@arcblock/did');
 const Mcrypto = require('@ocap/mcrypto');
-const Client = require('@ocap/client');
 const getBlockletInfo = require('@blocklet/meta/lib/info');
 const {
   PASSPORT_STATUS,
@@ -41,6 +44,10 @@ const messages = {
     en: 'Please provide following information to continue',
     zh: '请提供如下信息以继续',
   },
+  requestNFT: {
+    en: 'Please present NFT to exchange for passport',
+    zh: '请提供 NFT 以换取通行证',
+  },
   requestCredential: {
     en: 'Please provide credential',
     zh: '请提供凭证',
@@ -72,6 +79,10 @@ const messages = {
     en: 'This node is not initialized, login is disabled',
     zh: '节点初始化未完成，禁止任何 DID 登录',
   },
+  appNotInitialized: {
+    en: 'This application is not initialized',
+    zh: '应用未初始化未完成',
+  },
   alreadyInitiated: {
     en: 'This Node already have an owner verified',
     zh: '该节点已经绑定所有者',
@@ -80,6 +91,10 @@ const messages = {
     en: 'You are not allowed to login to this node',
     zh: '你没有权限登录该节点',
   },
+  notAppOwner: {
+    en: 'You are not the owner of this application',
+    zh: '你不是该应用的所有者',
+  },
   missingCredentialClaim: {
     en: 'Credential is not provided',
     zh: '请提供凭证',
@@ -214,6 +229,10 @@ const messages = {
     en: 'Invalid server ownership NFT issuer',
     zh: '无效的节点所有权 NFT 颁发者',
   },
+  invalidNftParent: {
+    en: 'Unexpected NFT Collection',
+    zh: '无效的 NFT 集合',
+  },
   tagNotMatch: {
     en: 'This NFT is for another blocklet server',
     zh: '您所提供的所有权 NFT 不属于当前节点',
@@ -234,6 +253,10 @@ const messages = {
     en: 'This NFT has expired',
     zh: '该 NFT 已经过期',
   },
+  nftAlreadyUsed: {
+    en: 'This NFT has already been connected to another user',
+    zh: '该 NFT 已经被起它用户使用过',
+  },
   missingNftClaim: {
     en: 'Ownership NFT not provided',
     zh: '节点所有权 NFT 必须提供',
@@ -266,6 +289,10 @@ const messages = {
     en: 'tag is required',
     zh: 'tag 不能为空',
   },
+  appIsRunning: {
+    en: 'Please stop the app before transferring ownership',
+    zh: '转移所有权之前请停止应用',
+  },
 };
 
 const PASSPORT_STATUS_KEY = 'passport-status';
@@ -288,7 +315,7 @@ const getRandomMessage = (len = 16) => {
   return hex.replace(/^0x/, '').toUpperCase();
 };
 
-const getApplicationInfo = async ({ node, nodeInfo, teamDid }) => {
+const getApplicationInfo = async ({ node, nodeInfo = {}, teamDid }) => {
   let type;
   let name;
   let wallet;
@@ -454,7 +481,7 @@ const handleInvitationReceive = async ({
 
     if (get(nodeInfo, 'ownerNft.holder')) {
       // 这种情况下是 Transfer 有 Owner NFT 的 Blocklet Server
-      const client = new Client(nodeInfo.launcher.chainHost);
+      const client = getChainClient(nodeInfo.launcher.chainHost);
       const ownerNftDid = get(nodeInfo, 'ownerNft.did');
 
       const { state: assetState } = await client.getAssetState({ address: ownerNftDid });
@@ -516,6 +543,11 @@ const handleInvitationReceive = async ({
   const user = await getUser(node, teamDid, userDid);
 
   if (role === 'owner') {
+    if (issuerType === TEAM_TYPE.blocklet) {
+      // should not be here
+      throw new Error('not allowed to transfer application ownership');
+    }
+
     if (user && user.role === 'owner') {
       throw new Error(messages.alreadyTransferred[locale](userDid));
     }
@@ -1052,9 +1084,48 @@ const setUserInfoHeaders = (req) => {
   }
 };
 
+const verifyNFT = async ({ claims, challenge, chainHost, locale }) => {
+  const client = getChainClient(chainHost);
+  const claim = claims.find((x) => x.type === 'asset');
+  if (!claim) {
+    throw new Error(messages.missingNftClaim[locale]);
+  }
+
+  const fields = ['asset', 'ownerProof', 'ownerPk', 'ownerDid'];
+  for (const field of fields) {
+    if (!claim[field]) {
+      throw new Error(messages.invalidNftClaim[locale]);
+    }
+  }
+
+  const address = claim.asset;
+  const ownerDid = toAddress(claim.ownerDid);
+  const ownerPk = fromBase58(claim.ownerPk);
+  const ownerProof = fromBase58(claim.ownerProof);
+  if (isFromPublicKey(ownerDid, ownerPk) === false) {
+    throw new Error(messages.invalidNftHolder[locale]);
+  }
+
+  const owner = fromPublicKey(ownerPk, toTypeInfo(ownerDid));
+  if (owner.verify(challenge, ownerProof) === false) {
+    throw new Error(messages.invalidNftProof[locale]);
+  }
+
+  const { state } = await client.getAssetState({ address }, { ignoreFields: ['context'] });
+  if (!state) {
+    throw new Error(messages.invalidNft[locale]);
+  }
+  if (state.owner !== ownerDid) {
+    throw new Error(messages.invalidNftHolder[locale]);
+  }
+
+  return state;
+};
+
 module.exports = {
   getUser,
   getApplicationInfo,
+  verifyNFT,
   createAuthToken,
   createAuthTokenByOwnershipNFT,
   beforeInvitationRequest,

package/lib/passport.js

@@ -63,6 +63,7 @@ const createPassportVC = ({
   tag,
   ownerProfile,
   preferredColor,
+  expirationDate,
 } = {}) => {
   validatePassport(passport);
 
@@ -87,6 +88,7 @@ const createPassportVC = ({
         }),
       },
     },
+    expirationDate,
     endpoint,
     tag,
   });

package/lib/server.js

@@ -6,11 +6,9 @@ const uniq = require('lodash/uniq');
 const pRetry = require('p-retry');
 const { isNFTExpired, isNFTConsumed } = require('@abtnode/util/lib/nft');
 const axios = require('@abtnode/util/lib/axios');
-const Client = require('@ocap/client');
-const { fromPublicKey } = require('@ocap/wallet');
 const { types } = require('@ocap/mcrypto');
-const { fromBase58, toAddress, toHex } = require('@ocap/util');
-const { toTypeInfo, isFromPublicKey, DidType, isEthereumType } = require('@arcblock/did');
+const { toHex } = require('@ocap/util');
+const { DidType, isEthereumType } = require('@arcblock/did');
 const urlPathFriendly = require('@blocklet/meta/lib/url-path-friendly').default;
 const getApplicationWallet = require('@blocklet/meta/lib/wallet');
 const { slugify } = require('transliteration');
@@ -38,6 +36,7 @@ const {
   createBlockletControllerAuthToken,
   checkWalletVersion,
   checkWalletVersionForMigrateAppToV2,
+  verifyNFT,
 } = require('./auth');
 const {
   validatePassport,
@@ -193,41 +192,9 @@ const authenticateByVc = async ({
 
 const authenticateByNFT = async ({ node, claims, userDid, challenge, locale, isAuth, chainHost }) => {
   const info = await node.getNodeInfo();
-  // serverless 应用通过 querystring 传递 chainHost
-  const client = new Client(chainHost || info.launcher.chainHost);
-
-  const claim = claims.find((x) => x.type === 'asset');
-  if (!claim) {
-    throw new Error(messages.missingNftClaim[locale]);
-  }
 
-  const fields = ['asset', 'ownerProof', 'ownerPk', 'ownerDid'];
-  for (const field of fields) {
-    if (!claim[field]) {
-      throw new Error(messages.invalidNftClaim[locale]);
-    }
-  }
-
-  const address = claim.asset;
-  const ownerDid = toAddress(claim.ownerDid);
-  const ownerPk = fromBase58(claim.ownerPk);
-  const ownerProof = fromBase58(claim.ownerProof);
-  if (isFromPublicKey(ownerDid, ownerPk) === false) {
-    throw new Error(messages.invalidNftHolder[locale]);
-  }
-
-  const owner = fromPublicKey(ownerPk, toTypeInfo(ownerDid));
-  if (owner.verify(challenge, ownerProof) === false) {
-    throw new Error(messages.invalidNftProof[locale]);
-  }
-
-  const { state } = await client.getAssetState({ address }, { ignoreFields: ['context'] });
-  if (!state) {
-    throw new Error(messages.invalidNft[locale]);
-  }
-  if (state.owner !== ownerDid) {
-    throw new Error(messages.invalidNftHolder[locale]);
-  }
+  // serverless 应用通过 querystring 传递 chainHost
+  const state = await verifyNFT({ claims, challenge, chainHost: chainHost || info.launcher.chainHost, locale });
 
   const trustedLaunchers = await getLauncherAppIdList(get(info, 'launcher.url'));
   if (!trustedLaunchers.includes(state.issuer)) {
@@ -246,7 +213,7 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale, isA
       nft: state,
       extra: {
         controller: {
-          nftId: address,
+          nftId: state.address,
           nftOwner: state.owner,
           chainHost,
           appMaxCount: state.data.value.appMaxCount || 1,
@@ -265,7 +232,15 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale, isA
   }
 
   const user = await getUser(node, info.did, userDid);
-  return { role: ROLES.OWNER, teamDid: info.did, nft: state, user, passport: null, ownerDid, ownerNFT: address };
+  return {
+    role: ROLES.OWNER,
+    teamDid: info.did,
+    nft: state,
+    user,
+    passport: null,
+    ownerDid: state.owner,
+    ownerNFT: state.address,
+  };
 };
 
 const authenticateBySession = async ({ node, userDid, locale, allowedRoles = ['owner', 'admin', 'member'] }) => {
@@ -372,17 +347,21 @@ const getAuthPrincipalForMigrateAppToV2 = (node) => async (param) => {
   };
 };
 
+const getAuthPrincipalForTransferAppOwnerShip = getAuthPrincipalForMigrateAppToV2;
+
 const getKeyPairClaim =
-  (node, declare = true) =>
+  (node, opts = {}) =>
   async ({ extraParams: { locale, appDid, wt = 'default', title }, context: { didwallet } }) => {
     checkWalletVersion({ didwallet, locale });
 
+    const { declare = true } = opts;
+
     const description = {
       en: 'Please generate a new key-pair for this application',
       zh: '请为应用创建新的钥匙对',
     };
 
-    let appName = title;
+    let appName = title || opts.title;
     let migrateFrom = '';
 
     let type;
@@ -416,7 +395,7 @@ const getKeyPairClaim =
     const result = {
       mfa: !process.env.DID_CONNECT_MFA_DISABLED,
       description: description[locale] || description.en,
-      moniker: (urlPathFriendly(slugify(appName)) || 'application').toLowerCase(),
+      moniker: (urlPathFriendly(slugify(appName || 'application')) || 'application').toLowerCase(),
       declare: !!declare,
       migrateFrom: declare ? migrateFrom : '',
       chainInfo,
@@ -502,7 +481,7 @@ const getLaunchBlockletClaims = (node, authMethod) => {
   return claims;
 };
 
-const getSetupBlockletClaims = () => {
+const getAppDidOwnerClaims = () => {
   const description = {
     en: 'Sign following message to prove that you are the owner of the app',
     zh: '签名如下消息以证明你是应用的拥有者',
@@ -713,7 +692,7 @@ const createLaunchBlockletHandler =
 
       // 如果是 serverless, 并且已经消费过了，但是没有安装，则抛出异常
       if (!existedBlocklet && role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER && isNFTConsumed(nft)) {
-        throw new Error(messages.nftAlreadyConsume[locale]);
+        throw new Error(messages.nftAlreadyConsumed[locale]);
       }
 
       if (existedBlocklet) {
@@ -853,10 +832,11 @@ module.exports = {
   createRestoreOnServerlessHandler,
   ensureBlockletPermission,
   getBlockletPermissionChecker,
-  getSetupBlockletClaims,
+  getAppDidOwnerClaims,
   getTrustedIssuers,
   getAuthNFTClaim,
   getServerlessNFTClaim,
   getLauncherAppIdList,
   getAuthPrincipalForMigrateAppToV2,
+  getAuthPrincipalForTransferAppOwnerShip,
 };

package/lib/util/create-passport-svg.js

@@ -3,14 +3,18 @@ const { getNftBGColor, DEFAULT_COLOR, getNftBGColorFromDid } = require('./passpo
 /**
  * Generate Passport SVG
  *
- * @param {string} title passport title
- * @param {string} issuer issuer name
- * @param {string} issuerDid
- * @param {boolean} ownerName
- * @param {string} preferredColor
- * @param {boolean} ownerAvatarUrl
- * @param {boolean} revoked 是否撤销
- * @param {boolean} isDataUrl 返回生成 data url
+ * @param {object} params
+ * @param {string} params.title passport title
+ * @param {string} params.issuer issuer name
+ * @param {string} params.issuerDid
+ * @param {string} params.ownerName
+ * @param {string} params.ownerAvatarUrl
+ * @param {string} [params.preferredColor]
+ * @param {string} [params.width]
+ * @param {string} [params.height]
+ * @param {boolean} [params.ownerAvatarUrl]
+ * @param {boolean} [params.revoked] 是否撤销
+ * @param {boolean} [params.isDataUrl] 返回生成 data url
  * @returns {string} svg xml or image data url
  */
 const createPassportSvg = ({
@@ -18,13 +22,13 @@ const createPassportSvg = ({
   title = '',
   issuerDid = '',
   ownerName = '',
-  preferredColor = 'default',
   ownerAvatarUrl = '',
-  revoked,
-  isDataUrl,
+  preferredColor = 'default',
+  revoked = false,
+  isDataUrl = false,
   width = '100%',
   height = '100%',
-} = {}) => {
+}) => {
   let colors;
   if (preferredColor === 'default') {
     colors = DEFAULT_COLOR;

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.5",
+  "version": "1.16.6-beta-8be2fe37",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,18 +20,18 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "MIT",
   "dependencies": {
-    "@abtnode/constant": "1.16.5",
-    "@abtnode/logger": "1.16.5",
-    "@abtnode/util": "1.16.5",
-    "@arcblock/did": "1.18.68",
-    "@arcblock/jwt": "^1.18.68",
-    "@arcblock/vc": "1.18.68",
-    "@blocklet/constant": "1.16.5",
-    "@blocklet/meta": "1.16.5",
-    "@ocap/client": "1.18.68",
-    "@ocap/mcrypto": "1.18.68",
-    "@ocap/util": "1.18.68",
-    "@ocap/wallet": "1.18.68",
+    "@abtnode/constant": "1.16.6-beta-8be2fe37",
+    "@abtnode/logger": "1.16.6-beta-8be2fe37",
+    "@abtnode/util": "1.16.6-beta-8be2fe37",
+    "@arcblock/did": "1.18.71",
+    "@arcblock/jwt": "^1.18.71",
+    "@arcblock/vc": "1.18.71",
+    "@blocklet/constant": "1.16.6-beta-8be2fe37",
+    "@blocklet/meta": "1.16.6-beta-8be2fe37",
+    "@ocap/client": "1.18.71",
+    "@ocap/mcrypto": "1.18.71",
+    "@ocap/util": "1.18.71",
+    "@ocap/wallet": "1.18.71",
     "axios": "^0.27.2",
     "joi": "17.7.0",
     "jsonwebtoken": "^9.0.0",
@@ -44,5 +44,5 @@
   "devDependencies": {
     "jest": "^27.5.1"
   },
-  "gitHead": "229effc24ce7e12a0dbe551b2cc57825c3803745"
+  "gitHead": "27229a1a62850e95907b7a53e0259a809d99377b"
 }