npm - @abtnode/auth - Versions diffs - 1.7.4 → 1.7.5 - Mend

@abtnode/auth 1.7.4 → 1.7.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/server.js +377 -0
package/lib/util/get-auth-method.js +21 -0
package/package.json +12 -11

package/lib/server.js ADDED Viewed

@@ -0,0 +1,377 @@
+const get = require('lodash/get');
+const last = require('lodash/last');
+const Client = require('@ocap/client');
+const { fromPublicKey } = require('@ocap/wallet');
+const { fromBase58, toAddress } = require('@ocap/util');
+const { toTypeInfo, isFromPublicKey } = require('@arcblock/did');
+const semver = require('semver');
+const {
+  ROLES,
+  VC_TYPE_GENERAL_PASSPORT,
+  VC_TYPE_NODE_PASSPORT,
+  VC_TYPE_BLOCKLET_PURCHASE,
+  NFT_TYPE_SERVER_OWNERSHIP,
+} = require('@abtnode/constant');
+const {
+  messages,
+  getVCFromClaims,
+  getUser,
+  validatePassportStatus,
+  createAuthToken,
+  createAuthTokenByOwnershipNFT,
+  checkWalletVersion,
+} = require('./auth');
+const {
+  validatePassport,
+  isUserPassportRevoked,
+  getRoleFromLocalPassport,
+  getRoleFromExternalPassport,
+  createUserPassport,
+} = require('./passport');
+const logger = require('./logger');
+const secret = process.env.ABT_NODE_SESSION_SECRET;
+const LAUNCH_BLOCKLET_TOKEN_EXPIRE = '1d';
+const abtnodeVcTypes = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
+const blockletVcTypes = [VC_TYPE_BLOCKLET_PURCHASE];
+const authenticateByVc = async ({ node, locale, userDid, claims, challenge, requireNodeInitialized = true }) => {
+  if (requireNodeInitialized) {
+    if ((await node.isInitialized()) === false) {
+      throw new Error(messages.notInitialized[locale]);
+    }
+  }
+  const info = await node.getNodeInfo();
+  const teamDid = info.did;
+  const { name } = info;
+  // check user approved
+  const user = await getUser(node, teamDid, userDid);
+  if (user && !user.approved) {
+    throw new Error(messages.notAllowed[locale]);
+  }
+  // Get passport
+  const trustedPassports = (info.trustedPassports || []).map((x) => x.issuerDid);
+  const trustedIssuers = [info.did, ...trustedPassports].filter(Boolean);
+  const { vc, types: passportTypes } = await getVCFromClaims({
+    claims,
+    challenge,
+    trustedIssuers,
+    vcTypes: abtnodeVcTypes,
+    locale,
+  });
+  if (!vc) {
+    throw new Error(messages.missingCredentialClaim[locale]);
+  }
+  // Get user passport from vc
+  let passport = createUserPassport(vc);
+  if (user && isUserPassportRevoked(user, passport)) {
+    throw new Error(messages.passportRevoked[locale](name));
+  }
+  // Get role from vc
+  let role;
+  if (passportTypes.some((x) => [VC_TYPE_GENERAL_PASSPORT].includes(x))) {
+    await validatePassport(get(vc, 'credentialSubject.passport'));
+    const issuerId = get(vc, 'issuer.id');
+    if (issuerId === teamDid) {
+      role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
+    } else {
+      // map external passport to local role
+      const { mappings = [] } = (info.trustedPassports || []).find((x) => x.issuerDid === issuerId) || {};
+      role = await getRoleFromExternalPassport({
+        passport: get(vc, 'credentialSubject.passport'),
+        node,
+        teamDid,
+        locale,
+        mappings,
+      });
+      // check status of external passport if passport has an endpoint
+      const endpoint = get(vc, 'credentialStatus.id');
+      if (endpoint) {
+        if (endpoint) {
+          await validatePassportStatus({ vcId: vc.id, endpoint, locale });
+        }
+      }
+    }
+  } else if (passportTypes.some((x) => [NFT_TYPE_SERVER_OWNERSHIP].includes(x))) {
+    role = ROLES.OWNER;
+  } else {
+    logger.error('cannot get role from passport, use "guest" for default', { passportTypes, vcId: vc.id });
+    role = ROLES.GUEST;
+  }
+  // Recreate passport with correct role
+  passport = createUserPassport(vc, { role });
+  return { role, user, teamDid, passport };
+};
+const authenticateByNFT = async ({ node, claims, userDid, challenge, locale }) => {
+  const info = await node.getNodeInfo();
+  const client = new Client(info.launcher.chainHost);
+  const claim = claims.find((x) => x.type === 'asset');
+  if (!claim) {
+    throw new Error(messages.missingNftClaim[locale]);
+  }
+  const fields = ['asset', 'ownerProof', 'ownerPk', 'ownerDid'];
+  for (const field of fields) {
+    if (!claim[field]) {
+      throw new Error(messages.invalidNftClaim[locale]);
+    }
+  }
+  const address = claim.asset;
+  const ownerDid = toAddress(claim.ownerDid);
+  const ownerPk = fromBase58(claim.ownerPk);
+  const ownerProof = fromBase58(claim.ownerProof);
+  if (isFromPublicKey(ownerDid, ownerPk) === false) {
+    throw new Error(messages.invalidNftHolder[locale]);
+  }
+  const owner = fromPublicKey(ownerPk, toTypeInfo(ownerDid));
+  if (owner.verify(challenge, ownerProof) === false) {
+    throw new Error(messages.invalidNftProof[locale]);
+  }
+  const { state } = await client.getAssetState({ address }, { ignoreFields: ['context'] });
+  if (!state) {
+    throw new Error(messages.invalidNft[locale]);
+  }
+  if (state.owner !== ownerDid || state.owner !== info.ownerNft.holder) {
+    throw new Error(messages.invalidNftHolder[locale]);
+  }
+  if (state.issuer !== info.launcher.did) {
+    throw new Error(messages.invalidNftIssuer[locale]);
+  }
+  // enforce tag match
+  if (last(state.tags) !== info.launcher.tag) {
+    throw new Error(messages.tagNotMatch[locale]);
+  }
+  const user = await getUser(node, info.did, userDid);
+  return { role: ROLES.OWNER, teamDid: info.did, nft: state, user, passport: null };
+};
+const getAuthVcClaim =
+  (node) =>
+  async ({ extraParams: { locale }, context: { abtwallet } }) => {
+    checkWalletVersion({ abtwallet, locale });
+    const info = await node.getNodeInfo();
+    const trustedPassports = (info.trustedPassports || []).map((x) => x.issuerDid);
+    const trustedIssuers = [info.did, ...trustedPassports].filter(Boolean);
+    return {
+      description: messages.requestPassport[locale],
+      optional: false,
+      item: abtnodeVcTypes,
+      trustedIssuers,
+    };
+  };
+const getLaunchFreeBlockletClaims = (node, authMethod) => {
+  if (authMethod === 'vc') {
+    return {
+      serverPassport: ['verifiableCredential', getAuthVcClaim(node)],
+    };
+  }
+  return {
+    serverNFT: [
+      'asset',
+      async ({ extraParams: { locale }, context: { abtwallet } }) => {
+        checkWalletVersion({ abtwallet, locale });
+        return getOwnershipNFTClaim(node, locale);
+      },
+    ],
+  };
+};
+const getLaunchPaidBlockletClaims = (node, authMethod) => {
+  const claims = getLaunchFreeBlockletClaims(node, authMethod);
+  claims.blockletPurchaseNft = [
+    'verifiableCredential',
+    async ({ extraParams: { locale, blockletMetaUrl }, context: { abtwallet } }) => {
+      checkWalletVersion({ abtwallet, locale });
+      const registryUrl = new URL(blockletMetaUrl).origin;
+      const [registry, { meta }] = await Promise.all([
+        node.getRegistryMeta(registryUrl),
+        node.getBlockletMetaFromUrl({ url: blockletMetaUrl }),
+      ]);
+      return {
+        description: messages.requestBlockletNft[locale],
+        item: blockletVcTypes,
+        trustedIssuers: [registry.id],
+        tag: meta.did,
+      };
+    },
+  ];
+  return claims;
+};
+const getOwnershipNFTClaim = async (node, locale) => {
+  const info = await node.getNodeInfo();
+  if (!info.ownerNft && !info.ownerNft.holder && !info.ownerNft.issuer) {
+    throw new Error(messages.noNft[locale]);
+  }
+  const tag = get(info, 'launcher.tag', '');
+  const chainHost = get(info, 'launcher.chainHost', '');
+  if (!tag) {
+    throw new Error(messages.noTag[locale]);
+  }
+  if (!chainHost) {
+    throw new Error(messages.noChainHost[locale]);
+  }
+  return {
+    description: messages.requestNft[locale],
+    trustedIssuers: [info.ownerNft.issuer],
+    tag, // tag is an unique identifier for the server in launcher
+  };
+};
+const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, challenge, locale }) => {
+  let result;
+  if (authMethod === 'vc') {
+    result = await authenticateByVc({
+      node,
+      userDid,
+      claims,
+      challenge,
+      requireNodeInitialized: false,
+      locale,
+    });
+  } else {
+    result = await authenticateByNFT({
+      node,
+      locale,
+      userDid,
+      claims,
+      challenge,
+    });
+  }
+  const { teamDid, role } = result;
+  const permissions = await node.getPermissionsByRole({ teamDid, role: { name: role } });
+  if (!permissions.some((item) => item.name === 'mutate_blocklet')) {
+    throw new Error(messages.notAuthorized[locale]);
+  }
+  return result;
+};
+const createLaunchBlockletHandler =
+  (node, authMethod) =>
+  async ({ claims, challenge, userDid, token, storage, extraParams: { locale, blockletMetaUrl } }) => {
+    if (!blockletMetaUrl) {
+      throw new Error(messages.invalidParams[locale]);
+    }
+    const { role, passport } = await ensureBlockletPermission({ authMethod, node, userDid, claims, challenge, locale });
+    const result = await node.getBlockletMetaFromUrl({ url: blockletMetaUrl, checkPrice: true });
+    if (!result.meta) {
+      throw new Error(messages.invalidBlocklet[locale]);
+    }
+    const { did } = result.meta;
+    let blockletPurchaseVerified;
+    if (!result.isFree) {
+      const registryUrl = new URL(blockletMetaUrl).origin;
+      const registryMeta = await node.getRegistryMeta(registryUrl);
+      const { vc: blockletVc } = await getVCFromClaims({
+        claims,
+        challenge,
+        trustedIssuers: [registryMeta.id],
+        vcTypes: blockletVcTypes,
+        locale,
+      });
+      if (!blockletVc) {
+        throw new Error(messages.missingBlockletCredentialClaim[locale]);
+      }
+      if (get(blockletVc, 'credentialSubject.purchased.blocklet.id') !== did) {
+        throw new Error(messages.invalidBlockletVc[locale]);
+      }
+      blockletPurchaseVerified = true;
+    }
+    let sessionToken = '';
+    if (authMethod === 'vc') {
+      sessionToken = createAuthToken({
+        did: userDid,
+        passport,
+        role,
+        secret,
+        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+      });
+    } else {
+      sessionToken = createAuthTokenByOwnershipNFT({
+        did: userDid,
+        role,
+        secret,
+        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+      });
+    }
+    // 检查是否已安装，这里不做升级的处理
+    const existedBlocklet = await node.getBlocklet({ did });
+    if (existedBlocklet) {
+      const storageData = {
+        did: userDid,
+        sessionToken,
+      };
+      if (semver.gt(result.meta.version, existedBlocklet.meta.version)) {
+        const appDidEnv = existedBlocklet.environments.find((e) => e.key === 'BLOCKLET_APP_ID');
+        storageData.upgradeAvailable = {
+          appDid: appDidEnv ? appDidEnv.value : '',
+          did: existedBlocklet.meta.did,
+          currentVersion: existedBlocklet.meta.version,
+          version: result.meta.version,
+        };
+      }
+      await storage.update(token, storageData);
+      logger.info('blocklet already exists', { did });
+      return;
+    }
+    await storage.update(token, { did: userDid, sessionToken });
+    const context = {};
+    if (typeof blockletPurchaseVerified !== 'undefined') {
+      context.blockletPurchaseVerified = blockletPurchaseVerified;
+    }
+    await node.installBlocklet({ url: blockletMetaUrl }, context);
+    logger.info('start install blocklet', { did });
+  };
+module.exports = {
+  getAuthVcClaim,
+  authenticateByVc,
+  authenticateByNFT,
+  getOwnershipNFTClaim,
+  getLaunchFreeBlockletClaims,
+  getLaunchPaidBlockletClaims,
+  createLaunchBlockletHandler,
+  ensureBlockletPermission,
+};

package/lib/util/get-auth-method.js ADDED Viewed

@@ -0,0 +1,21 @@
+const get = require('lodash/get');
+const getServerAuthMethod = (info) => {
+  if (info.initialized) {
+    return 'vc';
+  }
+  if (
+    get(info, 'ownerNft.holder') &&
+    get(info, 'ownerNft.issuer') &&
+    get(info, 'launcher.tag') &&
+    get(info, 'launcher.chainHost') &&
+    get(info, 'launcher.did') === get(info, 'ownerNft.issuer')
+  ) {
+    return 'nft';
+  }
+  return 'vc';
+};
+module.exports = { getServerAuthMethod };

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.7.4",
+  "version": "1.7.5",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,15 +20,16 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "MIT",
   "dependencies": {
-    "@abtnode/constant": "1.7.4",
-    "@abtnode/logger": "1.7.4",
-    "@abtnode/util": "1.7.4",
-    "@arcblock/did": "^1.15.3",
-    "@arcblock/vc": "^1.15.3",
-    "@blocklet/meta": "1.7.4",
-    "@ocap/mcrypto": "^1.15.3",
-    "@ocap/util": "^1.15.3",
-    "@ocap/wallet": "^1.15.3",
+    "@abtnode/constant": "1.7.5",
+    "@abtnode/logger": "1.7.5",
+    "@abtnode/util": "1.7.5",
+    "@arcblock/did": "^1.15.7",
+    "@arcblock/vc": "^1.15.7",
+    "@blocklet/meta": "1.7.5",
+    "@ocap/client": "1.15.7",
+    "@ocap/mcrypto": "^1.15.7",
+    "@ocap/util": "^1.15.7",
+    "@ocap/wallet": "^1.15.7",
     "axios": "^0.25.0",
     "joi": "^17.6.0",
     "jsonwebtoken": "^8.5.1",
@@ -39,5 +40,5 @@
   "devDependencies": {
     "jest": "^27.4.5"
   },
-  "gitHead": "02b25a877e5b56b389ab318a851bea01212e10df"
+  "gitHead": "b17d83773e5a4c06bae390fc70398d49d6dd86b3"
 }