@abtnode/auth 1.8.35 → 1.8.37

package/lib/auth.js

@@ -48,6 +48,10 @@ const messages = {
     en: 'Please provide passport',
     zh: '请提供通行证',
   },
+  requestOwnerPassport: {
+    en: 'Please provide owner passport',
+    zh: '请提供节点的所有者通行证',
+  },
   requestBlockletNft: {
     en: 'Please provide Blocklet Purchase NFT',
     zh: '请提供 Blocklet Purchase NFT',
@@ -225,6 +229,10 @@ const messages = {
     en: 'Not allowed to transfer the Server to yourself',
     zh: '不能将节点转移给自己',
   },
+  tagRequired: {
+    en: 'tag is required',
+    zh: 'tag 不能为空',
+  },
 };
 
 const PASSPORT_STATUS_KEY = 'passport-status';

package/lib/server.js

@@ -11,8 +11,8 @@ const {
   VC_TYPE_GENERAL_PASSPORT,
   VC_TYPE_NODE_PASSPORT,
   NFT_TYPE_SERVER_OWNERSHIP,
-  VC_TYPE_SERVER_SHARE,
   SERVER_ROLES,
+  NFT_TYPE_SERVER_USAGE_CREDENTIAL,
 } = require('@abtnode/constant');
 const { toExternalBlocklet } = require('@blocklet/meta/lib/did');
 const {
@@ -41,46 +41,27 @@ const LAUNCH_BLOCKLET_TOKEN_EXPIRE = '1d';
 // Assuming the blocklet installation will take no more than 20 min
 const EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE = '20m';
 
-const abtnodeVcTypes = (launchBlocklet) =>
-  launchBlocklet
-    ? [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT, VC_TYPE_SERVER_SHARE]
-    : [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
+const BLOCKLET_SERVER_VC_TYPES = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
 
 const ensureLauncherIssuer = (issuers, nodeInfo) => {
-  // TODO: server 开启共享后, 才接收 launcher 颁发的 nft
-
   const launcherDid = get(nodeInfo, 'launcher.did');
   if (launcherDid) {
     issuers.push(launcherDid);
   }
 };
 
-const getExternalPassport = async (vc, nodeInfo) => {
-  // TODO: server 开启共享后, 才接收 launcher 颁发的 nft
-
-  const launcherDid = get(nodeInfo, 'launcher.did');
-  if (!launcherDid) {
-    return null;
-  }
-
-  if (vc.issuer.id !== launcherDid) {
-    return null;
-  }
-
-  if (!vc.type.includes(VC_TYPE_SERVER_SHARE)) {
-    throw new Error('Cannot get NFT issued by launcher: Invalid type');
-  }
+const getTrustedIssuers = (nodeInfo) => {
+  const trustedPassports = (nodeInfo.trustedPassports || []).map((x) => x.issuerDid);
+  return [nodeInfo.did, ...trustedPassports].filter(Boolean);
+};
 
-  if (vc.credentialSubject.serverDid !== nodeInfo.did) {
-    throw new Error('Cannot get NFT issued by launcher: Invalid Server DID');
-  }
+const getExternalPassport = async (nft) => {
+  const data = JSON.parse(nft.data.value);
 
-  // TODO more info from vc and launcher
-  // FIXME expireDate 需要动态获取
   return {
     name: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER,
-    appMaxCount: vc.credentialSubject.appMaxCount || 1,
-    expireDate: vc.credentialSubject.expireDate,
+    appMaxCount: data.appMaxCount || 1,
+    expireDate: last(data.expirationDate),
   };
 };
 
@@ -104,9 +85,7 @@ const authenticateByVc = async ({
   const teamDid = info.did;
   const { name } = info;
 
-  // Get passport
-  const trustedPassports = (info.trustedPassports || []).map((x) => x.issuerDid);
-  const trustedIssuers = [info.did, ...trustedPassports].filter(Boolean);
+  const trustedIssuers = getTrustedIssuers(info);
 
   if (launchBlocklet) {
     ensureLauncherIssuer(trustedIssuers, info);
@@ -116,7 +95,7 @@ const authenticateByVc = async ({
     claims,
     challenge,
     trustedIssuers,
-    vcTypes: abtnodeVcTypes(launchBlocklet),
+    vcTypes: BLOCKLET_SERVER_VC_TYPES,
     locale,
     vcId: blocklet?.controller?.vcId,
   });
@@ -125,27 +104,6 @@ const authenticateByVc = async ({
     throw new Error(messages.missingCredentialClaim[locale]);
   }
 
-  // external user
-  if (launchBlocklet) {
-    const externalPassport = await getExternalPassport(vc, info);
-    if (externalPassport) {
-      return {
-        role: externalPassport.name,
-        extra: {
-          controller: {
-            vcId: vc.id,
-            appMaxCount: externalPassport.appMaxCount,
-            expireDate: externalPassport.expireDate,
-          },
-        },
-        user: {
-          did: userDid,
-        },
-        teamDid,
-      };
-    }
-  }
-
   // check user approved
   const user = await getUser(node, teamDid, userDid);
   if (user && !user.approved) {
@@ -179,12 +137,10 @@ const authenticateByVc = async ({
       // check status of external passport if passport has an endpoint
       const endpoint = get(vc, 'credentialStatus.id');
       if (endpoint) {
-        if (endpoint) {
-          await validatePassportStatus({ vcId: vc.id, endpoint, locale });
-        }
+        await validatePassportStatus({ vcId: vc.id, endpoint, locale });
       }
     }
-  } else if (passportTypes.some((x) => [NFT_TYPE_SERVER_OWNERSHIP].includes(x))) {
+  } else if (passportTypes.includes(NFT_TYPE_SERVER_OWNERSHIP)) {
     role = ROLES.OWNER;
   } else {
     logger.error('cannot get role from passport, use "guest" for default', { passportTypes, vcId: vc.id });
@@ -237,6 +193,26 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale }) =
     throw new Error(messages.invalidNftIssuer[locale]);
   }
 
+  if (state.tags.includes(NFT_TYPE_SERVER_USAGE_CREDENTIAL) && state.tags.includes(info.did)) {
+    const passport = await getExternalPassport(state);
+
+    return {
+      role: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER,
+      extra: {
+        controller: {
+          nftId: address,
+          nftOwner: state.owner,
+          appMaxCount: passport.appMaxCount,
+          expireDate: passport.expireDate,
+        },
+      },
+      user: {
+        did: userDid,
+      },
+      teamDid: info.did,
+    };
+  }
+
   // enforce tag match
   if (last(state.tags) !== info.launcher.tag) {
     throw new Error(messages.tagNotMatch[locale]);
@@ -247,14 +223,14 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale }) =
 };
 
 const getAuthVcClaim =
-  ({ node, launchBlocklet, blocklet }) =>
+  ({ node, launchBlocklet, blocklet, options }) =>
   async ({ extraParams: { locale, passportId }, context: { didwallet } }) => {
     checkWalletVersion({ didwallet, locale });
 
     const baseClaim = {
       description: messages.requestPassport[locale],
       optional: false,
-      item: abtnodeVcTypes(launchBlocklet),
+      item: BLOCKLET_SERVER_VC_TYPES,
     };
 
     if (blocklet && blocklet?.controller?.vcId) {
@@ -272,9 +248,7 @@ const getAuthVcClaim =
     }
 
     const info = await node.getNodeInfo();
-    const trustedPassports = (info.trustedPassports || []).map((x) => x.issuerDid);
-
-    const trustedIssuers = [info.did, ...trustedPassports].filter(Boolean);
+    const trustedIssuers = getTrustedIssuers(info);
 
     if (launchBlocklet) {
       ensureLauncherIssuer(trustedIssuers, info);
@@ -283,13 +257,18 @@ const getAuthVcClaim =
     return {
       ...baseClaim,
       trustedIssuers,
+      ...(options || {}),
     };
   };
 
 const getAuthNFTClaim =
   ({ node }) =>
-  async ({ extraParams: { locale }, context: { didwallet } }) => {
+  async ({ extraParams: { locale, launchType }, context: { didwallet } }) => {
     checkWalletVersion({ didwallet, locale });
+    if (launchType === 'serverless') {
+      return getUsageCredentialNFTClaim(node, locale);
+    }
+
     return getOwnershipNFTClaim(node, locale);
   };
 
@@ -319,7 +298,7 @@ const getSetupBlockletClaims = (node, authMethod, blocklet) => {
 
 const getOwnershipNFTClaim = async (node, locale) => {
   const info = await node.getNodeInfo();
-  if (!info.ownerNft && !info.ownerNft.issuer) {
+  if (!info.ownerNft || !info.ownerNft.issuer) {
     throw new Error(messages.noNft[locale]);
   }
 
@@ -339,6 +318,25 @@ const getOwnershipNFTClaim = async (node, locale) => {
   };
 };
 
+const getUsageCredentialNFTClaim = async (node, locale) => {
+  const info = await node.getNodeInfo();
+  if (!info.ownerNft || !info.ownerNft.issuer) {
+    throw new Error(messages.noNft[locale]);
+  }
+
+  const chainHost = get(info, 'launcher.chainHost', '');
+
+  if (!chainHost) {
+    throw new Error(messages.noChainHost[locale]);
+  }
+
+  return {
+    description: messages.requestNft[locale],
+    trustedIssuers: [info.ownerNft.issuer],
+    tag: info.did,
+  };
+};
+
 const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, challenge, locale, blocklet }) => {
   let result;
   if (authMethod === 'vc') {
@@ -364,7 +362,7 @@ const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, cha
   const { teamDid, role } = result;
 
   const permissions = await node.getPermissionsByRole({ teamDid, role: { name: role } });
-  if (!permissions.some((item) => ['mutate_blockets'].includes(item.name))) {
+  if (!permissions.some((item) => ['mutate_blocklets'].includes(item.name))) {
     throw new Error(messages.notAuthorized[locale]);
   }
 
@@ -409,25 +407,22 @@ const createLaunchBlockletHandler =
 
     let sessionToken = '';
     if (authMethod === 'vc') {
-      if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
-        // TODO get more info from vc and launcher
-        controller = extra.controller;
-        sessionToken = createBlockletControllerAuthToken({
-          did: userDid,
-          role,
-          controller,
-          secret,
-          expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
-        });
-      } else {
-        sessionToken = createAuthToken({
-          did: userDid,
-          passport,
-          role,
-          secret,
-          expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
-        });
-      }
+      sessionToken = createAuthToken({
+        did: userDid,
+        passport,
+        role,
+        secret,
+        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+      });
+    } else if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
+      controller = extra.controller;
+      sessionToken = createBlockletControllerAuthToken({
+        did: userDid,
+        role,
+        controller,
+        secret,
+        expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+      });
     } else {
       sessionToken = createAuthTokenByOwnershipNFT({
         did: userDid,
@@ -491,4 +486,6 @@ module.exports = {
   createLaunchBlockletHandler,
   ensureBlockletPermission,
   getSetupBlockletClaims,
+  getTrustedIssuers,
+  getUsageCredentialNFTClaim,
 };

package/lib/util/get-auth-method.js

@@ -1,6 +1,10 @@
 const get = require('lodash/get');
 
-const getServerAuthMethod = (info) => {
+const getServerAuthMethod = (info, type) => {
+  if (type === 'serverless') {
+    return 'nft';
+  }
+
   if (info.initialized) {
     return 'vc';
   }

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.8.35",
+  "version": "1.8.37",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,14 +20,14 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "MIT",
   "dependencies": {
-    "@abtnode/constant": "1.8.35",
-    "@abtnode/logger": "1.8.35",
-    "@abtnode/util": "1.8.35",
+    "@abtnode/constant": "1.8.37",
+    "@abtnode/logger": "1.8.37",
+    "@abtnode/util": "1.8.37",
     "@arcblock/did": "1.18.15",
     "@arcblock/jwt": "^1.18.15",
     "@arcblock/vc": "1.18.15",
-    "@blocklet/constant": "1.8.35",
-    "@blocklet/meta": "1.8.35",
+    "@blocklet/constant": "1.8.37",
+    "@blocklet/meta": "1.8.37",
     "@ocap/client": "1.18.15",
     "@ocap/mcrypto": "1.18.15",
     "@ocap/util": "1.18.15",
@@ -42,5 +42,5 @@
   "devDependencies": {
     "jest": "^27.5.1"
   },
-  "gitHead": "dd89e7a61dc8cff64302608ad5ab6545dd903daa"
+  "gitHead": "f26f451c6e2b1168b36f78269eafdf3f671236bf"
 }