@abtnode/auth 1.17.8-beta-20260121-102603-f9d0176f → 1.17.8-beta-20260125-093329-64b43854

package/lib/auth.js

@@ -544,14 +544,21 @@ const handleInvitationReceive = async ({
 
   const { orgId = '', inviteUserDids = [] } = inviteInfo || {};
   const isOrgInvite = !!orgId;
+  if (isOrgInvite && !user) {
+    throw new CustomError(403, 'Please log in with your account to accept this organization invitation.');
+  }
   // 邀请内部成员时，接收者必须在邀请列表中
   if (orgId && inviteUserDids.length > 0 && !inviteUserDids.includes(userDid)) {
     // 接收者不在邀请列表中，不允许接收通行证
-    throw new CustomError(403, 'You are not allowed to receive passport');
+    throw new CustomError(403, 'You are not invited to this org');
+  }
+
+  const result = await createPassport({ name: inviteInfo.role, node, teamDid, locale, endpoint });
+  let purpose = teamDid === nodeInfo.did || isEmpty(result.types) ? 'login' : 'verification';
+  if (isOrgInvite) {
+    purpose = 'accept-invitation';
   }
 
-  const result = await createPassport({ name: inviteInfo.role, node, teamDid, locale, endpoint, orgId });
-  const purpose = teamDid === nodeInfo.did || isEmpty(result.types) ? 'login' : 'verification';
   const vcParams = {
     issuerName,
     issuerWallet,
@@ -581,7 +588,7 @@ const handleInvitationReceive = async ({
   }
 
   const vc = await createPassportVC(vcParams);
-  const role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
+  let role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
   const passport = createUserPassport(vc, { role, display: inviteInfo.display, source });
 
   // NOTICE: owner 目前必须是 did-wallet 的账户，暂不做额外 did 判断
@@ -618,68 +625,74 @@ const handleInvitationReceive = async ({
 
   let doc;
 
-  if (user) {
-    doc = await node.loginUser({
-      teamDid,
-      user: {
-        ...profile,
-        ...kycUpdates,
-        avatar,
-        did: user.did,
-        pk: user.pk,
-        locale,
-        passport,
-        lastLoginIp: getRequestIP(req),
-        remark: inviteInfo.remark,
-        inviter: inviteInfo.inviter?.did,
-        connectedAccount: {
-          ...connectedAccountUpdates,
-          provider,
-          did: userDid,
-          pk: userPk,
+  if (!isOrgInvite) {
+    if (user) {
+      doc = await node.loginUser({
+        teamDid,
+        user: {
+          ...profile,
+          ...kycUpdates,
+          avatar,
+          did: user.did,
+          pk: user.pk,
+          locale,
+          passport,
+          lastLoginIp: getRequestIP(req),
+          remark: inviteInfo.remark,
+          inviter: inviteInfo.inviter?.did,
+          connectedAccount: {
+            ...connectedAccountUpdates,
+            provider,
+            did: userDid,
+            pk: userPk,
+          },
         },
-      },
-    });
-    await node.createAuditLog(
-      {
-        action: 'updateUser',
-        args: { teamDid, userDid: user.did, passport, inviteId, reason: 'accepted invitation' },
-        context: formatContext(Object.assign(req, { user })),
-        result: doc,
-      },
-      node
-    );
-  } else {
-    doc = await node.loginUser({
-      teamDid,
-      user: {
-        ...profile,
-        ...kycUpdates,
-        avatar,
-        did: userDid,
-        pk: userPk,
-        locale,
-        passport,
-        lastLoginIp: getRequestIP(req),
-        inviter: inviteInfo.inviter?.did,
-        remark: inviteInfo.remark,
-        connectedAccount: {
-          ...connectedAccountUpdates,
-          provider,
+      });
+      await node.createAuditLog(
+        {
+          action: 'updateUser',
+          args: { teamDid, userDid: user.did, passport, inviteId, reason: 'accepted invitation' },
+          context: formatContext(Object.assign(req, { user })),
+          result: doc,
+        },
+        node
+      );
+    } else {
+      doc = await node.loginUser({
+        teamDid,
+        user: {
+          ...profile,
+          ...kycUpdates,
+          avatar,
           did: userDid,
           pk: userPk,
+          locale,
+          passport,
+          lastLoginIp: getRequestIP(req),
+          inviter: inviteInfo.inviter?.did,
+          remark: inviteInfo.remark,
+          connectedAccount: {
+            ...connectedAccountUpdates,
+            provider,
+            did: userDid,
+            pk: userPk,
+          },
         },
-      },
-    });
-    await node.createAuditLog(
-      {
-        action: 'addUser',
-        args: { teamDid, userDid: user?.did || userDid, passport, inviteId, reason: 'accepted invitation' },
-        context: formatContext(Object.assign(req, { user: doc })),
-        result: doc,
-      },
-      node
-    );
+      });
+      await node.createAuditLog(
+        {
+          action: 'addUser',
+          args: { teamDid, userDid: user?.did || userDid, passport, inviteId, reason: 'accepted invitation' },
+          context: formatContext(Object.assign(req, { user: doc })),
+          result: doc,
+        },
+        node
+      );
+    }
+  } else {
+    const roles = await node.getRoles({ teamDid });
+    const orgPassports = roles.filter((r) => r.orgId).map((r) => r.name);
+    role = (user.passports || []).filter((p) => !orgPassports.includes(p.role))[0]?.role || 'guest';
   }
 
   logger.info('invite success', { userDid: user?.did || userDid, inviter: inviteInfo?.inviter });
@@ -729,7 +742,7 @@ const handleInvitationReceive = async ({
       data: vc,
     },
     profile,
-    user: doc,
+    user: isOrgInvite ? user : doc,
     inviteInfo,
     purpose,
   };

package/lib/lost-passport.js

@@ -146,8 +146,10 @@ const createLostPassportListRoute = ({ node, type }) => ({
       throw new CustomError(403, messages.notAllowedAppUser[locale]);
     }
 
+    const roles = await node.getRoles({ teamDid });
+    const orgPassportList = roles.filter((x) => x.orgId).map((x) => x.name);
     const passportList = getActivePassports(user, issuerDidList);
-    user.passportTypes = passportList.filter((x) => x.scope === scope);
+    user.passportTypes = passportList.filter((x) => x.scope === scope && !orgPassportList.includes(x.name));
     if (!user.passportTypes.length) {
       throw new CustomError(404, messages.noPassportFound[locale]);
     }
@@ -477,7 +479,6 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
           });
         }
 
-        const org = await request?.getUserOrg?.();
         const { sessionToken, refreshToken } = await createToken(
           userPid,
           {
@@ -491,7 +492,6 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix, createTok
             elevated: canSessionBeElevated(role, blocklet?.settings),
             emailVerified: !!updatedUser.emailVerified,
             phoneVerified: !!updatedUser.phoneVerified,
-            org,
           },
           { ...sessionConfig, didConnectVersion: getDidConnectVersion(req) }
         );

package/lib/oauth.js

@@ -120,7 +120,6 @@ function createPassportSwitcher(node, createToken, mode = 'server') {
     );
 
     const role = passport.scope === 'passport' ? passport.role : ROLES.GUEST;
-    const org = typeof req.getUserOrg === 'function' ? await req.getUserOrg(role) : '';
     const { sessionToken, refreshToken } = await createToken(
       userDid,
       {
@@ -132,7 +131,6 @@ function createPassportSwitcher(node, createToken, mode = 'server') {
         walletOS: 'web',
         emailVerified: !!user?.emailVerified,
         phoneVerified: !!user?.phoneVerified,
-        org,
       },
       { ...(await getSessionConfig(req)) }
     );

package/lib/passkey.js

@@ -620,7 +620,6 @@ function createPasskeyHandlers(node, mode, createToken) {
 
       const createTokens = async (updated, passport, role, profile, result) => {
         const { secret } = await getApplicationInfo({ node, nodeInfo: info, teamDid });
-        const org = typeof req.getUserOrg === 'function' ? await req.getUserOrg(role) : '';
         const { sessionToken, refreshToken } = await createToken(
           updated.did,
           {
@@ -636,7 +635,6 @@ function createPasskeyHandlers(node, mode, createToken) {
               role,
               mode === 'service' ? (await node.getBlocklet({ did: teamDid }))?.settings : info
             ),
-            org,
           },
           { ...(await getSessionConfig(req)) }
         );
@@ -788,7 +786,6 @@ function createPasskeyHandlers(node, mode, createToken) {
           result.refreshToken = refreshToken;
         } else {
           const { secret } = await getApplicationInfo({ node, nodeInfo: info, teamDid });
-          const org = typeof req.getUserOrg === 'function' ? await req.getUserOrg() : '';
           const { sessionToken, refreshToken } = await createToken(
             user.did,
             {
@@ -801,7 +798,6 @@ function createPasskeyHandlers(node, mode, createToken) {
               emailVerified: user.emailVerified,
               phoneVerified: user.phoneVerified,
               elevated,
-              org,
             },
             { ...(await getSessionConfig(req)) }
           );
@@ -846,14 +842,12 @@ function createPasskeyHandlers(node, mode, createToken) {
           action: passkeySession.data.action,
         });
         logger.info('passkey.auth.issuePassportToUser', { teamDid, userDid: user.did });
-        const org = typeof req.getUserOrg === 'function' ? await req.getUserOrg() : '';
         const { sessionToken, refreshToken } = await createToken(user.did, {
           secret: await node.getSessionSecret(),
           passport: null,
           role: ROLES.OWNER,
           fullName: user.fullName,
           elevated: true,
-          org,
         });
 
         result.sessionToken = sessionToken;

package/lib/server.js

@@ -1285,6 +1285,7 @@ const getVerifyAccessClaims = ({
   types = BLOCKLET_SERVER_VC_TYPES,
   source = 'server',
   trustedIssuers = [],
+  optional = false,
 }) => {
   return async ({ extraParams: { locale }, context: { didwallet, baseUrl } }) => {
     checkWalletVersion({ didwallet, locale });
@@ -1313,7 +1314,7 @@ const getVerifyAccessClaims = ({
     return {
       description: messages.requestPassport[locale],
       claimUrl: getPassportClaimUrl(baseUrl, source === 'server' ? info.routing.adminPath : ''),
-      optional: false,
+      optional,
       filters: targets.map((x) => ({
         type: types,
         target: x.id,

package/lib/util/user-info.js

@@ -10,10 +10,13 @@ const { omit, pick } = require('lodash');
 const { getUserAvatarUrl } = require('./federated');
 
 const getUserPublicInfo = async ({ req, teamDid, node }) => {
-  const inputSchema = Joi.DID().required();
-  const { error, value } = inputSchema.validate(req.query.did);
-  if (error) {
-    throw new CustomError(400, 'Invalid user did');
+  const inputSchema = Joi.object({
+    did: Joi.DID().optional(),
+    name: Joi.string().optional(),
+  });
+  const { error, value } = inputSchema.validate(req.query);
+  if (error || (!value.did && !value.name)) {
+    throw new CustomError(400, 'Invalid user did or name');
   }
 
   let _teamDid = teamDid;
@@ -33,7 +36,16 @@ const getUserPublicInfo = async ({ req, teamDid, node }) => {
 
   const isService = !nodeInfo || nodeInfo.did !== _teamDid;
 
-  const user = await node.getUser({ teamDid: _teamDid, user: { did: value } });
+  let options;
+  if (value.name) {
+    options = { name: value.name };
+  }
+
+  const user = await node.getUser({
+    teamDid: _teamDid,
+    user: { did: value.did },
+    options,
+  });
   if (!user || !user?.approved) {
     return null;
   }
@@ -48,7 +60,7 @@ const getUserPublicInfo = async ({ req, teamDid, node }) => {
     }
   }
 
-  let returnFields = ['avatar', 'did', 'fullName', 'sourceAppPid', 'createdAt', 'metadata'];
+  let returnFields = ['avatar', 'did', 'name', 'fullName', 'sourceAppPid', 'createdAt', 'metadata'];
 
   // 默认隐藏 phone，请求者是本人时显示完整信息
   const isOwner = req.user?.did === user.did;

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.17.8-beta-20260121-102603-f9d0176f",
+  "version": "1.17.8-beta-20260125-093329-64b43854",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -18,25 +18,25 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.17.8-beta-20260121-102603-f9d0176f",
-    "@abtnode/logger": "1.17.8-beta-20260121-102603-f9d0176f",
-    "@abtnode/util": "1.17.8-beta-20260121-102603-f9d0176f",
-    "@arcblock/did": "^1.28.5",
-    "@arcblock/did-connect-js": "^1.28.5",
-    "@arcblock/did-ext": "^1.28.5",
-    "@arcblock/did-util": "^1.28.5",
-    "@arcblock/jwt": "^1.28.5",
-    "@arcblock/nft-display": "^3.4.8",
-    "@arcblock/validator": "^1.28.5",
-    "@arcblock/vc": "^1.28.5",
-    "@blocklet/constant": "1.17.8-beta-20260121-102603-f9d0176f",
+    "@abtnode/constant": "1.17.8-beta-20260125-093329-64b43854",
+    "@abtnode/logger": "1.17.8-beta-20260125-093329-64b43854",
+    "@abtnode/util": "1.17.8-beta-20260125-093329-64b43854",
+    "@arcblock/did": "^1.28.6",
+    "@arcblock/did-connect-js": "^1.28.6",
+    "@arcblock/did-ext": "^1.28.6",
+    "@arcblock/did-util": "^1.28.6",
+    "@arcblock/jwt": "^1.28.6",
+    "@arcblock/nft-display": "^3.4.10",
+    "@arcblock/validator": "^1.28.6",
+    "@arcblock/vc": "^1.28.6",
+    "@blocklet/constant": "1.17.8-beta-20260125-093329-64b43854",
     "@blocklet/error": "^0.3.5",
-    "@blocklet/meta": "1.17.8-beta-20260121-102603-f9d0176f",
-    "@blocklet/sdk": "1.17.8-beta-20260121-102603-f9d0176f",
-    "@ocap/client": "^1.28.5",
-    "@ocap/mcrypto": "^1.28.5",
-    "@ocap/util": "^1.28.5",
-    "@ocap/wallet": "^1.28.5",
+    "@blocklet/meta": "1.17.8-beta-20260125-093329-64b43854",
+    "@blocklet/sdk": "1.17.8-beta-20260125-093329-64b43854",
+    "@ocap/client": "^1.28.6",
+    "@ocap/mcrypto": "^1.28.6",
+    "@ocap/util": "^1.28.6",
+    "@ocap/wallet": "^1.28.6",
     "@simplewebauthn/server": "^13.1.1",
     "axios": "^1.7.9",
     "flat": "^5.0.2",
@@ -55,5 +55,5 @@
   "devDependencies": {
     "axios-mock-adapter": "^2.1.0"
   },
-  "gitHead": "7ae816f51ed511037e5b7ac0008012ebf4afc987"
+  "gitHead": "241254785bda907be2296228869b4fc9c1679a6b"
 }