npm - @abtnode/auth - Versions diffs - 1.8.30 → 1.8.32 - Mend

@abtnode/auth 1.8.30 → 1.8.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/auth.js CHANGED Viewed

@@ -9,7 +9,13 @@ const Mcrypto = require('@ocap/mcrypto');
 const Client = require('@ocap/client');
 const { fromSecretKey, WalletType } = require('@ocap/wallet');
 const getBlockletInfo = require('@blocklet/meta/lib/info');
-const { PASSPORT_STATUS, VC_TYPE_NODE_PASSPORT, ROLES, NODE_DATA_DIR_NAME } = require('@abtnode/constant');
+const {
+  PASSPORT_STATUS,
+  VC_TYPE_NODE_PASSPORT,
+  ROLES,
+  NODE_DATA_DIR_NAME,
+  AUTH_CERT_TYPE,
+} = require('@abtnode/constant');
 const axios = require('@abtnode/util/lib/axios');
 const { extractUserAvatar, parseUserAvatar } = require('@abtnode/util/lib/user-avatar');
@@ -85,6 +91,10 @@ const messages = {
     en: (types) => `Invalid credential type, expect ${types.join(' or ')}`,
     zh: (types) => `无效的凭证类型，必须是 ${types.join(' 或 ')}`,
   },
+  invalidCredentialId: {
+    en: (ids) => `Invalid credential type, expect ${[].concat(ids).join(' or ')}`,
+    zh: (ids) => `无效的凭证，ID 必须是 ${[].concat(ids).join(' 或 ')}`,
+  },
   invalidCredentialHolder: {
     en: 'Invalid credential holder',
     zh: '无效的凭证持有者',
@@ -307,9 +317,20 @@ const createAuthToken = ({ did, passport, role, secret, expiresIn } = {}) => {
   return token;
 };
+const createBlockletControllerAuthToken = ({ did, role, controller, secret, expiresIn } = {}) => {
+  const payload = {
+    type: AUTH_CERT_TYPE.BLOCKLET_CONTROLLER,
+    did,
+    role,
+    controller,
+  };
+  return jwt.sign(payload, secret, { expiresIn });
+};
 const createAuthTokenByOwnershipNFT = ({ did, role, secret, expiresIn } = {}) => {
   const payload = {
-    type: 'ownership_nft',
+    type: AUTH_CERT_TYPE.OWNERSHIP_NFT,
     did,
     role,
   };
@@ -748,7 +769,7 @@ const handleIssuePassportResponse = async ({
   };
 };
-const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, locale = 'en' }) => {
+const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, locale = 'en', vcId }) => {
   const credential = claims.find(
     (x) => x.type === 'verifiableCredential' && vcTypes.some((item) => x.item.includes(item))
   );
@@ -777,6 +798,11 @@ const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, loc
     : [presentation.verifiableCredential];
   const vc = JSON.parse(credentials[0]);
+  // verify vc id
+  if (vcId && vc.id !== vcId) {
+    throw new Error(messages.invalidCredentialId[locale](vcId));
+  }
   // verify vc type
   const types = [].concat(vc.type);
   if (!types.some((x) => vcTypes.includes(x))) {
@@ -941,4 +967,5 @@ module.exports = {
   getPassportStatus,
   validatePassportStatus,
   setUserInfoHeaders,
+  createBlockletControllerAuthToken,
 };

package/lib/server.js CHANGED Viewed

@@ -6,13 +6,15 @@ const { fromPublicKey } = require('@ocap/wallet');
 const { fromBase58, toAddress } = require('@ocap/util');
 const { toTypeInfo, isFromPublicKey } = require('@arcblock/did');
 const formatContext = require('@abtnode/util/lib/format-context');
-const semver = require('semver');
 const {
   ROLES,
   VC_TYPE_GENERAL_PASSPORT,
   VC_TYPE_NODE_PASSPORT,
   NFT_TYPE_SERVER_OWNERSHIP,
+  VC_TYPE_SERVER_SHARE,
+  SERVER_ROLES,
 } = require('@abtnode/constant');
+const { toExternalBlocklet } = require('@blocklet/meta/lib/did');
 const {
   messages,
   getVCFromClaims,
@@ -20,6 +22,7 @@ const {
   validatePassportStatus,
   createAuthToken,
   createAuthTokenByOwnershipNFT,
+  createBlockletControllerAuthToken,
   checkWalletVersion,
 } = require('./auth');
 const {
@@ -33,9 +36,64 @@ const logger = require('./logger');
 const secret = process.env.ABT_NODE_SESSION_SECRET;
 const LAUNCH_BLOCKLET_TOKEN_EXPIRE = '1d';
-const abtnodeVcTypes = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
-const authenticateByVc = async ({ node, locale, userDid, claims, challenge, requireNodeInitialized = true }) => {
+// External token should expire after 20 min
+// Assuming the blocklet installation will take no more than 20 min
+const EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE = '20m';
+const abtnodeVcTypes = (launchBlocklet) =>
+  launchBlocklet
+    ? [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT, VC_TYPE_SERVER_SHARE]
+    : [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
+const ensureLauncherIssuer = (issuers, nodeInfo) => {
+  // TODO: server 开启共享后, 才接收 launcher 颁发的 nft
+  const launcherDid = get(nodeInfo, 'launcher.did');
+  if (launcherDid) {
+    issuers.push(launcherDid);
+  }
+};
+const getExternalPassport = async (vc, nodeInfo) => {
+  // TODO: server 开启共享后, 才接收 launcher 颁发的 nft
+  const launcherDid = get(nodeInfo, 'launcher.did');
+  if (!launcherDid) {
+    return null;
+  }
+  if (vc.issuer.id !== launcherDid) {
+    return null;
+  }
+  if (!vc.type.includes(VC_TYPE_SERVER_SHARE)) {
+    throw new Error('Cannot get NFT issued by launcher: Invalid type');
+  }
+  if (vc.credentialSubject.serverDid !== nodeInfo.did) {
+    throw new Error('Cannot get NFT issued by launcher: Invalid Server DID');
+  }
+  // TODO more info from vc and launcher
+  // FIXME expireDate 需要动态获取
+  return {
+    name: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER,
+    appMaxCount: vc.credentialSubject.appMaxCount || 1,
+    expireDate: vc.credentialSubject.expireDate,
+  };
+};
+const authenticateByVc = async ({
+  node,
+  locale,
+  userDid,
+  claims,
+  challenge,
+  requireNodeInitialized = true,
+  launchBlocklet,
+  blocklet,
+}) => {
   if (requireNodeInitialized) {
     if ((await node.isInitialized()) === false) {
       throw new Error(messages.notInitialized[locale]);
@@ -46,27 +104,54 @@ const authenticateByVc = async ({ node, locale, userDid, claims, challenge, requ
   const teamDid = info.did;
   const { name } = info;
-  // check user approved
-  const user = await getUser(node, teamDid, userDid);
-  if (user && !user.approved) {
-    throw new Error(messages.notAllowed[locale]);
-  }
   // Get passport
   const trustedPassports = (info.trustedPassports || []).map((x) => x.issuerDid);
   const trustedIssuers = [info.did, ...trustedPassports].filter(Boolean);
+  if (launchBlocklet) {
+    ensureLauncherIssuer(trustedIssuers, info);
+  }
   const { vc, types: passportTypes } = await getVCFromClaims({
     claims,
     challenge,
     trustedIssuers,
-    vcTypes: abtnodeVcTypes,
+    vcTypes: abtnodeVcTypes(launchBlocklet),
     locale,
+    vcId: blocklet?.controller?.vcId,
   });
   if (!vc) {
     throw new Error(messages.missingCredentialClaim[locale]);
   }
+  // external user
+  if (launchBlocklet) {
+    const externalPassport = await getExternalPassport(vc, info);
+    if (externalPassport) {
+      return {
+        role: externalPassport.name,
+        extra: {
+          controller: {
+            vcId: vc.id,
+            appMaxCount: externalPassport.appMaxCount,
+            expireDate: externalPassport.expireDate,
+          },
+        },
+        user: {
+          did: userDid,
+        },
+        teamDid,
+      };
+    }
+  }
+  // check user approved
+  const user = await getUser(node, teamDid, userDid);
+  if (user && !user.approved) {
+    throw new Error(messages.notAllowed[locale]);
+  }
   // Get user passport from vc
   let passport = createUserPassport(vc);
   if (user && isUserPassportRevoked(user, passport)) {
@@ -162,41 +247,73 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale }) =
 };
 const getAuthVcClaim =
-  (node) =>
+  ({ node, launchBlocklet, blocklet }) =>
   async ({ extraParams: { locale, passportId }, context: { didwallet } }) => {
     checkWalletVersion({ didwallet, locale });
-    const info = await node.getNodeInfo();
-    const trustedPassports = (info.trustedPassports || []).map((x) => x.issuerDid);
-    const trustedIssuers = [info.did, ...trustedPassports].filter(Boolean);
-    const claim = {
+    const baseClaim = {
       description: messages.requestPassport[locale],
       optional: false,
-      item: abtnodeVcTypes,
-      trustedIssuers,
+      item: abtnodeVcTypes(launchBlocklet),
     };
+    if (blocklet && blocklet?.controller?.vcId) {
+      return {
+        ...baseClaim,
+        target: blocklet.controller.vcId,
+      };
+    }
     if (passportId) {
-      claim.target = passportId;
+      return {
+        ...baseClaim,
+        target: passportId,
+      };
     }
-    return claim;
+    const info = await node.getNodeInfo();
+    const trustedPassports = (info.trustedPassports || []).map((x) => x.issuerDid);
+    const trustedIssuers = [info.did, ...trustedPassports].filter(Boolean);
+    if (launchBlocklet) {
+      ensureLauncherIssuer(trustedIssuers, info);
+    }
+    return {
+      ...baseClaim,
+      trustedIssuers,
+    };
+  };
+const getAuthNFTClaim =
+  ({ node }) =>
+  async ({ extraParams: { locale }, context: { didwallet } }) => {
+    checkWalletVersion({ didwallet, locale });
+    return getOwnershipNFTClaim(node, locale);
   };
 const getLaunchBlockletClaims = (node, authMethod) => {
   if (authMethod === 'vc') {
     return {
-      serverPassport: ['verifiableCredential', getAuthVcClaim(node)],
+      serverPassport: ['verifiableCredential', getAuthVcClaim({ node, launchBlocklet: true })],
     };
   }
   return {
-    serverNFT: [
-      'asset',
-      async ({ extraParams: { locale }, context: { didwallet } }) => {
-        checkWalletVersion({ didwallet, locale });
-        return getOwnershipNFTClaim(node, locale);
-      },
-    ],
+    serverNFT: ['asset', getAuthNFTClaim({ node })],
+  };
+};
+const getSetupBlockletClaims = (node, authMethod, blocklet) => {
+  if (authMethod === 'vc') {
+    return {
+      serverPassport: ['verifiableCredential', getAuthVcClaim({ node, blocklet })],
+    };
+  }
+  return {
+    serverNFT: ['asset', getAuthNFTClaim({ node })],
   };
 };
@@ -222,7 +339,7 @@ const getOwnershipNFTClaim = async (node, locale) => {
   };
 };
-const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, challenge, locale }) => {
+const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, challenge, locale, blocklet }) => {
   let result;
   if (authMethod === 'vc') {
     result = await authenticateByVc({
@@ -232,6 +349,8 @@ const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, cha
       challenge,
       requireNodeInitialized: false,
       locale,
+      launchBlocklet: true,
+      blocklet,
     });
   } else {
     result = await authenticateByNFT({
@@ -245,7 +364,7 @@ const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, cha
   const { teamDid, role } = result;
   const permissions = await node.getPermissionsByRole({ teamDid, role: { name: role } });
-  if (!permissions.some((item) => item.name === 'mutate_blocklet')) {
+  if (!permissions.some((item) => ['mutate_blocklet'].includes(item.name))) {
     throw new Error(messages.notAuthorized[locale]);
   }
@@ -263,7 +382,7 @@ const createLaunchBlockletHandler =
       throw new Error(messages.invalidParams[locale]);
     }
-    const { role, passport, user } = await ensureBlockletPermission({
+    const { role, passport, user, extra } = await ensureBlockletPermission({
       authMethod,
       node,
       userDid,
@@ -286,15 +405,29 @@ const createLaunchBlockletHandler =
     const { did } = blocklet.meta;
+    let controller;
     let sessionToken = '';
     if (authMethod === 'vc') {
-      sessionToken = createAuthToken({
-        did: userDid,
-        passport,
-        role,
-        secret,
-        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
-      });
+      if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
+        // TODO get more info from vc and launcher
+        controller = extra.controller;
+        sessionToken = createBlockletControllerAuthToken({
+          did: userDid,
+          role,
+          controller,
+          secret,
+          expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+        });
+      } else {
+        sessionToken = createAuthToken({
+          did: userDid,
+          passport,
+          role,
+          secret,
+          expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+        });
+      }
     } else {
       sessionToken = createAuthTokenByOwnershipNFT({
         did: userDid,
@@ -304,31 +437,37 @@ const createLaunchBlockletHandler =
       });
     }
-    // 检查是否已安装，这里不做升级的处理
-    const existedBlocklet = await node.getBlocklet({ did, attachRuntimeInfo: false });
     await updateSession({ sessionToken }, true);
-    if (existedBlocklet) {
-      const storageData = { did: userDid };
-      if (semver.gt(blocklet.meta.version, existedBlocklet.meta.version)) {
-        const appDidEnv = existedBlocklet.environments.find((e) => e.key === 'BLOCKLET_APP_ID');
-        storageData.upgradeAvailable = {
-          appDid: appDidEnv ? appDidEnv.value : '',
-          did: existedBlocklet.meta.did,
-          currentVersion: existedBlocklet.meta.version,
-          version: blocklet.meta.version,
-        };
-      }
+    const blockletDid =
+      role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER
+        ? toExternalBlocklet(blocklet.meta.name, userDid, { didOnly: true })
+        : blocklet.meta.did;
-      await updateSession(storageData);
-      logger.info('blocklet already exists', { did });
+    await updateSession({
+      blockletDid,
+    });
+    // 检查是否已安装，这里不做升级的处理
+    const existedBlocklet = await node.getBlocklet({ did: blockletDid, attachRuntimeInfo: false });
+    if (existedBlocklet) {
+      await updateSession({ isInstalled: true });
+      logger.info('blocklet already exists', { blockletDid });
       return;
     }
     const tmp = await node.installBlocklet({
       url: blockletMetaUrl,
+      delay: 1000 * 4, // delay 4 seconds to download, wait for ws connection from frontend
       downloadTokenList: extraParams?.previousWorkflowData?.downloadTokenList,
+      controller:
+        role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER
+          ? {
+              ...controller,
+              id: userDid,
+            }
+          : null,
     });
     await node.createAuditLog(
@@ -340,7 +479,7 @@ const createLaunchBlockletHandler =
       },
       node
     );
-    logger.info('start install blocklet', { did });
+    logger.info('start install blocklet', { blockletDid, bundleDid: did });
   };
 module.exports = {
@@ -351,4 +490,5 @@ module.exports = {
   getLaunchBlockletClaims,
   createLaunchBlockletHandler,
   ensureBlockletPermission,
+  getSetupBlockletClaims,
 };

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.8.30",
+  "version": "1.8.32",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,20 +20,20 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "MIT",
   "dependencies": {
-    "@abtnode/constant": "1.8.30",
-    "@abtnode/logger": "1.8.30",
-    "@abtnode/util": "1.8.30",
-    "@arcblock/did": "1.17.23",
-    "@arcblock/jwt": "^1.17.23",
-    "@arcblock/vc": "1.17.23",
-    "@blocklet/constant": "1.8.30",
-    "@blocklet/meta": "1.8.30",
-    "@ocap/client": "1.17.23",
-    "@ocap/mcrypto": "1.17.23",
-    "@ocap/util": "1.17.23",
-    "@ocap/wallet": "1.17.23",
+    "@abtnode/constant": "1.8.32",
+    "@abtnode/logger": "1.8.32",
+    "@abtnode/util": "1.8.32",
+    "@arcblock/did": "1.18.1",
+    "@arcblock/jwt": "^1.18.1",
+    "@arcblock/vc": "1.18.1",
+    "@blocklet/constant": "1.8.32",
+    "@blocklet/meta": "1.8.32",
+    "@ocap/client": "1.18.1",
+    "@ocap/mcrypto": "1.18.1",
+    "@ocap/util": "1.18.1",
+    "@ocap/wallet": "1.18.1",
     "axios": "^0.27.2",
-    "joi": "^17.6.2",
+    "joi": "17.6.3",
     "jsonwebtoken": "^8.5.1",
     "lodash": "^4.17.21",
     "semver": "^7.3.8",
@@ -42,5 +42,5 @@
   "devDependencies": {
     "jest": "^27.5.1"
   },
-  "gitHead": "cb294f4ee7382c6ef7692b6c2c33ad080fced13e"
+  "gitHead": "8502244aeda5926b3433c1dd9142e63233e3c23c"
 }