@abtnode/auth 1.7.3 → 1.7.6

package/lib/auth.js

@@ -642,8 +642,8 @@ const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, loc
   };
 };
 
-const checkWalletVersion = ({ abtwallet, locale = 'en' }) => {
-  const { os, version } = abtwallet;
+const checkWalletVersion = ({ didwallet, locale = 'en' }) => {
+  const { os, version } = didwallet;
 
   const defaultExpected = '3.0.0';
 

package/lib/lost-passport.js

@@ -85,7 +85,7 @@ const createLostPassportListRoute = ({ node, type }) => ({
     },
   },
 
-  onAuth: async ({ userDid, extraParams, token, storage, req }) => {
+  onAuth: async ({ userDid, extraParams, updateSession, req }) => {
     const { locale } = extraParams;
 
     const { teamDid, issuerDid } = await getTeamInfo({ node, req, type });
@@ -125,9 +125,7 @@ const createLostPassportListRoute = ({ node, type }) => ({
 
     logger.info('get passport type list', { userDid });
 
-    await storage.update(token, {
-      user,
-    });
+    await updateSession({ user });
   },
 });
 
@@ -149,9 +147,9 @@ const createLostPassportIssueRoute = ({ node, type, authServicePrefix }) => ({
       },
     },
     {
-      signature: async ({ extraParams, context: { request, abtwallet } }) => {
+      signature: async ({ extraParams, context: { request, didwallet } }) => {
         const { locale, passportName, receiverDid } = extraParams;
-        checkWalletVersion({ abtwallet, locale });
+        checkWalletVersion({ didwallet, locale });
 
         const { teamDid, issuerDid, issuerName, passportColor } = await getTeamInfo({ node, req: request, type });
         const user = await getUser(node, teamDid, receiverDid);

package/lib/server.js

@@ -0,0 +1,373 @@
+const get = require('lodash/get');
+const last = require('lodash/last');
+const Client = require('@ocap/client');
+const { fromPublicKey } = require('@ocap/wallet');
+const { fromBase58, toAddress } = require('@ocap/util');
+const { toTypeInfo, isFromPublicKey } = require('@arcblock/did');
+const semver = require('semver');
+const {
+  ROLES,
+  VC_TYPE_GENERAL_PASSPORT,
+  VC_TYPE_NODE_PASSPORT,
+  VC_TYPE_BLOCKLET_PURCHASE,
+  NFT_TYPE_SERVER_OWNERSHIP,
+} = require('@abtnode/constant');
+const {
+  messages,
+  getVCFromClaims,
+  getUser,
+  validatePassportStatus,
+  createAuthToken,
+  createAuthTokenByOwnershipNFT,
+  checkWalletVersion,
+} = require('./auth');
+const {
+  validatePassport,
+  isUserPassportRevoked,
+  getRoleFromLocalPassport,
+  getRoleFromExternalPassport,
+  createUserPassport,
+} = require('./passport');
+
+const logger = require('./logger');
+
+const secret = process.env.ABT_NODE_SESSION_SECRET;
+const LAUNCH_BLOCKLET_TOKEN_EXPIRE = '1d';
+const abtnodeVcTypes = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
+const blockletVcTypes = [VC_TYPE_BLOCKLET_PURCHASE];
+
+const authenticateByVc = async ({ node, locale, userDid, claims, challenge, requireNodeInitialized = true }) => {
+  if (requireNodeInitialized) {
+    if ((await node.isInitialized()) === false) {
+      throw new Error(messages.notInitialized[locale]);
+    }
+  }
+
+  const info = await node.getNodeInfo();
+  const teamDid = info.did;
+  const { name } = info;
+
+  // check user approved
+  const user = await getUser(node, teamDid, userDid);
+  if (user && !user.approved) {
+    throw new Error(messages.notAllowed[locale]);
+  }
+
+  // Get passport
+  const trustedPassports = (info.trustedPassports || []).map((x) => x.issuerDid);
+  const trustedIssuers = [info.did, ...trustedPassports].filter(Boolean);
+  const { vc, types: passportTypes } = await getVCFromClaims({
+    claims,
+    challenge,
+    trustedIssuers,
+    vcTypes: abtnodeVcTypes,
+    locale,
+  });
+
+  if (!vc) {
+    throw new Error(messages.missingCredentialClaim[locale]);
+  }
+
+  // Get user passport from vc
+  let passport = createUserPassport(vc);
+  if (user && isUserPassportRevoked(user, passport)) {
+    throw new Error(messages.passportRevoked[locale](name));
+  }
+
+  // Get role from vc
+  let role;
+  if (passportTypes.some((x) => [VC_TYPE_GENERAL_PASSPORT].includes(x))) {
+    await validatePassport(get(vc, 'credentialSubject.passport'));
+    const issuerId = get(vc, 'issuer.id');
+    if (issuerId === teamDid) {
+      role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
+    } else {
+      // map external passport to local role
+      const { mappings = [] } = (info.trustedPassports || []).find((x) => x.issuerDid === issuerId) || {};
+      role = await getRoleFromExternalPassport({
+        passport: get(vc, 'credentialSubject.passport'),
+        node,
+        teamDid,
+        locale,
+        mappings,
+      });
+
+      // check status of external passport if passport has an endpoint
+      const endpoint = get(vc, 'credentialStatus.id');
+      if (endpoint) {
+        if (endpoint) {
+          await validatePassportStatus({ vcId: vc.id, endpoint, locale });
+        }
+      }
+    }
+  } else if (passportTypes.some((x) => [NFT_TYPE_SERVER_OWNERSHIP].includes(x))) {
+    role = ROLES.OWNER;
+  } else {
+    logger.error('cannot get role from passport, use "guest" for default', { passportTypes, vcId: vc.id });
+    role = ROLES.GUEST;
+  }
+
+  // Recreate passport with correct role
+  passport = createUserPassport(vc, { role });
+
+  return { role, user, teamDid, passport };
+};
+
+const authenticateByNFT = async ({ node, claims, userDid, challenge, locale }) => {
+  const info = await node.getNodeInfo();
+  const client = new Client(info.launcher.chainHost);
+
+  const claim = claims.find((x) => x.type === 'asset');
+  if (!claim) {
+    throw new Error(messages.missingNftClaim[locale]);
+  }
+
+  const fields = ['asset', 'ownerProof', 'ownerPk', 'ownerDid'];
+  for (const field of fields) {
+    if (!claim[field]) {
+      throw new Error(messages.invalidNftClaim[locale]);
+    }
+  }
+
+  const address = claim.asset;
+  const ownerDid = toAddress(claim.ownerDid);
+  const ownerPk = fromBase58(claim.ownerPk);
+  const ownerProof = fromBase58(claim.ownerProof);
+  if (isFromPublicKey(ownerDid, ownerPk) === false) {
+    throw new Error(messages.invalidNftHolder[locale]);
+  }
+
+  const owner = fromPublicKey(ownerPk, toTypeInfo(ownerDid));
+  if (owner.verify(challenge, ownerProof) === false) {
+    throw new Error(messages.invalidNftProof[locale]);
+  }
+
+  const { state } = await client.getAssetState({ address }, { ignoreFields: ['context'] });
+  if (!state) {
+    throw new Error(messages.invalidNft[locale]);
+  }
+  if (state.owner !== ownerDid || state.owner !== info.ownerNft.holder) {
+    throw new Error(messages.invalidNftHolder[locale]);
+  }
+  if (state.issuer !== info.launcher.did) {
+    throw new Error(messages.invalidNftIssuer[locale]);
+  }
+
+  // enforce tag match
+  if (last(state.tags) !== info.launcher.tag) {
+    throw new Error(messages.tagNotMatch[locale]);
+  }
+
+  const user = await getUser(node, info.did, userDid);
+  return { role: ROLES.OWNER, teamDid: info.did, nft: state, user, passport: null };
+};
+
+const getAuthVcClaim =
+  (node) =>
+  async ({ extraParams: { locale }, context: { didwallet } }) => {
+    checkWalletVersion({ didwallet, locale });
+    const info = await node.getNodeInfo();
+    const trustedPassports = (info.trustedPassports || []).map((x) => x.issuerDid);
+    const trustedIssuers = [info.did, ...trustedPassports].filter(Boolean);
+    return {
+      description: messages.requestPassport[locale],
+      optional: false,
+      item: abtnodeVcTypes,
+      trustedIssuers,
+    };
+  };
+
+const getLaunchFreeBlockletClaims = (node, authMethod) => {
+  if (authMethod === 'vc') {
+    return {
+      serverPassport: ['verifiableCredential', getAuthVcClaim(node)],
+    };
+  }
+
+  return {
+    serverNFT: [
+      'asset',
+      async ({ extraParams: { locale }, context: { didwallet } }) => {
+        checkWalletVersion({ didwallet, locale });
+        return getOwnershipNFTClaim(node, locale);
+      },
+    ],
+  };
+};
+
+const getLaunchPaidBlockletClaims = (node, authMethod) => {
+  const claims = getLaunchFreeBlockletClaims(node, authMethod);
+
+  claims.blockletPurchaseNft = [
+    'verifiableCredential',
+    async ({ extraParams: { locale, blockletMetaUrl }, context: { didwallet } }) => {
+      checkWalletVersion({ didwallet, locale });
+      const registryUrl = new URL(blockletMetaUrl).origin;
+      const [registry, { meta }] = await Promise.all([
+        node.getRegistryMeta(registryUrl),
+        node.getBlockletMetaFromUrl({ url: blockletMetaUrl }),
+      ]);
+
+      return {
+        description: messages.requestBlockletNft[locale],
+        item: blockletVcTypes,
+        trustedIssuers: [registry.id],
+        tag: meta.did,
+      };
+    },
+  ];
+
+  return claims;
+};
+
+const getOwnershipNFTClaim = async (node, locale) => {
+  const info = await node.getNodeInfo();
+  if (!info.ownerNft && !info.ownerNft.holder && !info.ownerNft.issuer) {
+    throw new Error(messages.noNft[locale]);
+  }
+
+  const tag = get(info, 'launcher.tag', '');
+  const chainHost = get(info, 'launcher.chainHost', '');
+  if (!tag) {
+    throw new Error(messages.noTag[locale]);
+  }
+  if (!chainHost) {
+    throw new Error(messages.noChainHost[locale]);
+  }
+
+  return {
+    description: messages.requestNft[locale],
+    trustedIssuers: [info.ownerNft.issuer],
+    tag, // tag is an unique identifier for the server in launcher
+  };
+};
+
+const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, challenge, locale }) => {
+  let result;
+  if (authMethod === 'vc') {
+    result = await authenticateByVc({
+      node,
+      userDid,
+      claims,
+      challenge,
+      requireNodeInitialized: false,
+      locale,
+    });
+  } else {
+    result = await authenticateByNFT({
+      node,
+      locale,
+      userDid,
+      claims,
+      challenge,
+    });
+  }
+  const { teamDid, role } = result;
+
+  const permissions = await node.getPermissionsByRole({ teamDid, role: { name: role } });
+  if (!permissions.some((item) => item.name === 'mutate_blocklet')) {
+    throw new Error(messages.notAuthorized[locale]);
+  }
+
+  return result;
+};
+
+const createLaunchBlockletHandler =
+  (node, authMethod) =>
+  async ({ claims, challenge, userDid, updateSession, extraParams: { locale, blockletMetaUrl } }) => {
+    if (!blockletMetaUrl) {
+      throw new Error(messages.invalidParams[locale]);
+    }
+
+    const { role, passport } = await ensureBlockletPermission({ authMethod, node, userDid, claims, challenge, locale });
+
+    const result = await node.getBlockletMetaFromUrl({ url: blockletMetaUrl, checkPrice: true });
+    if (!result.meta) {
+      throw new Error(messages.invalidBlocklet[locale]);
+    }
+
+    const { did } = result.meta;
+
+    let blockletPurchaseVerified;
+    if (!result.isFree) {
+      const registryUrl = new URL(blockletMetaUrl).origin;
+      const registryMeta = await node.getRegistryMeta(registryUrl);
+
+      const { vc: blockletVc } = await getVCFromClaims({
+        claims,
+        challenge,
+        trustedIssuers: [registryMeta.id],
+        vcTypes: blockletVcTypes,
+        locale,
+      });
+
+      if (!blockletVc) {
+        throw new Error(messages.missingBlockletCredentialClaim[locale]);
+      }
+
+      if (get(blockletVc, 'credentialSubject.purchased.blocklet.id') !== did) {
+        throw new Error(messages.invalidBlockletVc[locale]);
+      }
+
+      blockletPurchaseVerified = true;
+    }
+
+    let sessionToken = '';
+    if (authMethod === 'vc') {
+      sessionToken = createAuthToken({
+        did: userDid,
+        passport,
+        role,
+        secret,
+        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+      });
+    } else {
+      sessionToken = createAuthTokenByOwnershipNFT({
+        did: userDid,
+        role,
+        secret,
+        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+      });
+    }
+
+    // 检查是否已安装，这里不做升级的处理
+    const existedBlocklet = await node.getBlocklet({ did });
+    await updateSession({ sessionToken }, true);
+
+    if (existedBlocklet) {
+      const storageData = { did: userDid };
+
+      if (semver.gt(result.meta.version, existedBlocklet.meta.version)) {
+        const appDidEnv = existedBlocklet.environments.find((e) => e.key === 'BLOCKLET_APP_ID');
+        storageData.upgradeAvailable = {
+          appDid: appDidEnv ? appDidEnv.value : '',
+          did: existedBlocklet.meta.did,
+          currentVersion: existedBlocklet.meta.version,
+          version: result.meta.version,
+        };
+      }
+
+      await updateSession(storageData);
+      logger.info('blocklet already exists', { did });
+      return;
+    }
+
+    const context = {};
+    if (typeof blockletPurchaseVerified !== 'undefined') {
+      context.blockletPurchaseVerified = blockletPurchaseVerified;
+    }
+
+    await node.installBlocklet({ url: blockletMetaUrl }, context);
+    logger.info('start install blocklet', { did });
+  };
+
+module.exports = {
+  getAuthVcClaim,
+  authenticateByVc,
+  authenticateByNFT,
+  getOwnershipNFTClaim,
+  getLaunchFreeBlockletClaims,
+  getLaunchPaidBlockletClaims,
+  createLaunchBlockletHandler,
+  ensureBlockletPermission,
+};

package/lib/util/get-auth-method.js

@@ -0,0 +1,21 @@
+const get = require('lodash/get');
+
+const getServerAuthMethod = (info) => {
+  if (info.initialized) {
+    return 'vc';
+  }
+
+  if (
+    get(info, 'ownerNft.holder') &&
+    get(info, 'ownerNft.issuer') &&
+    get(info, 'launcher.tag') &&
+    get(info, 'launcher.chainHost') &&
+    get(info, 'launcher.did') === get(info, 'ownerNft.issuer')
+  ) {
+    return 'nft';
+  }
+
+  return 'vc';
+};
+
+module.exports = { getServerAuthMethod };

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.7.3",
+  "version": "1.7.6",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,15 +20,16 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "MIT",
   "dependencies": {
-    "@abtnode/constant": "1.7.3",
-    "@abtnode/logger": "1.7.3",
-    "@abtnode/util": "1.7.3",
-    "@arcblock/did": "^1.15.3",
-    "@arcblock/vc": "^1.15.3",
-    "@blocklet/meta": "1.7.3",
-    "@ocap/mcrypto": "^1.15.3",
-    "@ocap/util": "^1.15.3",
-    "@ocap/wallet": "^1.15.3",
+    "@abtnode/constant": "1.7.6",
+    "@abtnode/logger": "1.7.6",
+    "@abtnode/util": "1.7.6",
+    "@arcblock/did": "^1.16.0",
+    "@arcblock/vc": "^1.16.0",
+    "@blocklet/meta": "1.7.6",
+    "@ocap/client": "1.16.0",
+    "@ocap/mcrypto": "^1.16.0",
+    "@ocap/util": "^1.16.0",
+    "@ocap/wallet": "^1.16.0",
     "axios": "^0.25.0",
     "joi": "^17.6.0",
     "jsonwebtoken": "^8.5.1",
@@ -39,5 +40,5 @@
   "devDependencies": {
     "jest": "^27.4.5"
   },
-  "gitHead": "2b965b42a59a2d98642018749a6afb6e4014a698"
+  "gitHead": "47a9dbd6ea74419ff586336824ebb9b2fe7694aa"
 }