@abtnode/auth 1.8.37 → 1.8.39

package/lib/auth.js

@@ -15,6 +15,7 @@ const {
   ROLES,
   NODE_DATA_DIR_NAME,
   AUTH_CERT_TYPE,
+  WELLKNOWN_BLOCKLET_ADMIN_PATH,
 } = require('@abtnode/constant');
 const axios = require('@abtnode/util/lib/axios');
 const { extractUserAvatar, parseUserAvatar } = require('@abtnode/util/lib/user-avatar');
@@ -201,6 +202,22 @@ const messages = {
     en: 'Please provide server ownership NFT',
     zh: '请提供节点所有权 NFT',
   },
+  requestServerlessNFT: {
+    en: 'Please provide serverless NFT',
+    zh: '请提供无服务 NFT',
+  },
+  serverlessNftIdRequired: {
+    en: 'Serverless NFT ID is required',
+    zh: '无服务 NFT ID 是必须的',
+  },
+  nftAlreadyConsume: {
+    en: 'This NFT has already been used',
+    zh: '该 NFT 已经被使用过了',
+  },
+  nftAlreadyExpired: {
+    en: 'This NFT has expired',
+    zh: '该 NFT 已经过期',
+  },
   missingNftClaim: {
     en: 'Ownership NFT not provided',
     zh: '节点所有权 NFT 必须提供',
@@ -237,6 +254,11 @@ const messages = {
 
 const PASSPORT_STATUS_KEY = 'passport-status';
 
+const TEAM_TYPE = {
+  NODE: 'node',
+  BLOCKLET: 'blocklet',
+};
+
 const getPassportStatusEndpoint = ({ baseUrl, userDid, teamDid }) => {
   if (!baseUrl) {
     return null;
@@ -279,7 +301,7 @@ const getTeamInfo = async ({ node, nodeInfo, teamDid }) => {
     name = nodeInfo.name;
     description = nodeInfo.description;
     wallet = getNodeWallet(nodeInfo.sk);
-    type = 'node';
+    type = TEAM_TYPE.NODE;
     passportColor = 'default';
     owner = nodeInfo.nodeOwner;
     dataDir = path.join(node.dataDirs.data, NODE_DATA_DIR_NAME);
@@ -290,7 +312,7 @@ const getTeamInfo = async ({ node, nodeInfo, teamDid }) => {
     description = blockletInfo.description;
     wallet = blockletInfo.wallet;
     passportColor = blockletInfo.passportColor;
-    type = 'blocklet';
+    type = TEAM_TYPE.BLOCKLET;
     owner = get(blocklet, 'settings.owner');
     dataDir = blocklet.env.dataDir;
   }
@@ -493,7 +515,7 @@ const handleInvitationResponse = async ({
     preferredColor: passportColor,
   };
 
-  if (issuerType === 'node') {
+  if (issuerType === TEAM_TYPE.NODE) {
     vcParams.tag = nodeInfo.did;
   }
 
@@ -731,7 +753,7 @@ const handleIssuePassportResponse = async ({
     preferredColor: passportColor,
   };
 
-  if (issuerType === 'node') {
+  if (issuerType === TEAM_TYPE.NODE) {
     vcParams.tag = nodeInfo.did;
   }
 
@@ -763,7 +785,7 @@ const handleIssuePassportResponse = async ({
     node
   );
 
-  if (name === ROLES.OWNER && issuerType === 'blocklet') {
+  if (name === ROLES.OWNER && issuerType === TEAM_TYPE.BLOCKLET) {
     logger.info('Bind owner for blocklet', { teamDid, userDid });
     await node.setBlockletInitialized({ did: teamDid, owner: { did: userDid, pk: userPk } });
   }
@@ -846,8 +868,14 @@ const getPassportStatus = async ({ node, teamDid, userDid, vcId, locale = 'en' }
   const { wallet: issuerWallet, name: issuerName, type: issuerType } = await getTeamInfo({ node, nodeInfo, teamDid });
 
   const actionLabel = {
-    zh: `${issuerType === 'node' ? '管理节点' : '查看 Blocklet'}`,
-    en: `${issuerType === 'node' ? 'Manage Node' : 'View Blocklet'}`,
+    open: {
+      zh: `${issuerType === TEAM_TYPE.NODE ? '管理节点' : '查看 Blocklet'}`,
+      en: `${issuerType === TEAM_TYPE.NODE ? 'Manage Node' : 'View Blocklet'}`,
+    },
+    manage: {
+      zh: '管理 Blocklet',
+      en: 'Manage Blocklet',
+    },
   };
 
   const user = await node.getUser({ teamDid, user: { did: userDid } });
@@ -875,18 +903,33 @@ const getPassportStatus = async ({ node, teamDid, userDid, vcId, locale = 'en' }
 
   const actionList = [];
   if (passport.endpoint) {
+    const claims = [];
+
+    // open blocklet
+    claims.push({
+      id: passport.endpoint,
+      type: 'navigate',
+      name: issuerType === TEAM_TYPE.NODE ? 'open-node' : 'open-blocklet',
+      scope: 'public',
+      label: actionLabel.open[locale],
+    });
+
+    // manage blocklet
+    const { name } = passport;
+    if ([ROLES.OWNER, ROLES.ADMIN].includes(name) && issuerType === TEAM_TYPE.BLOCKLET) {
+      claims.push({
+        id: joinUrl(passport.endpoint, WELLKNOWN_BLOCKLET_ADMIN_PATH),
+        type: 'navigate',
+        name: 'open-blocklet-admin',
+        scope: 'public',
+        label: actionLabel.manage[locale],
+      });
+    }
+
     actionList.push(
       ...createCredentialList({
         issuer,
-        claims: [
-          {
-            id: passport.endpoint,
-            type: 'navigate',
-            name: issuerType === 'node' ? 'open-node' : 'open-blocklet',
-            scope: 'public',
-            label: actionLabel[locale],
-          },
-        ],
+        claims,
       })
     );
   }
@@ -976,4 +1019,5 @@ module.exports = {
   validatePassportStatus,
   setUserInfoHeaders,
   createBlockletControllerAuthToken,
+  TEAM_TYPE,
 };

package/lib/server.js

@@ -1,6 +1,7 @@
 const get = require('lodash/get');
 const isEmpty = require('lodash/isEmpty');
 const last = require('lodash/last');
+const { isNFTExpired, isNFTConsumed } = require('@abtnode/util/lib/nft');
 const Client = require('@ocap/client');
 const { fromPublicKey } = require('@ocap/wallet');
 const { fromBase58, toAddress } = require('@ocap/util');
@@ -12,7 +13,7 @@ const {
   VC_TYPE_NODE_PASSPORT,
   NFT_TYPE_SERVER_OWNERSHIP,
   SERVER_ROLES,
-  NFT_TYPE_SERVER_USAGE_CREDENTIAL,
+  NFT_TYPE_SERVERLESS,
 } = require('@abtnode/constant');
 const { toExternalBlocklet } = require('@blocklet/meta/lib/did');
 const {
@@ -55,16 +56,6 @@ const getTrustedIssuers = (nodeInfo) => {
   return [nodeInfo.did, ...trustedPassports].filter(Boolean);
 };
 
-const getExternalPassport = async (nft) => {
-  const data = JSON.parse(nft.data.value);
-
-  return {
-    name: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER,
-    appMaxCount: data.appMaxCount || 1,
-    expireDate: last(data.expirationDate),
-  };
-};
-
 const authenticateByVc = async ({
   node,
   locale,
@@ -153,7 +144,7 @@ const authenticateByVc = async ({
   return { role, user, teamDid, passport };
 };
 
-const authenticateByNFT = async ({ node, claims, userDid, challenge, locale }) => {
+const authenticateByNFT = async ({ node, claims, userDid, challenge, locale, isAuth }) => {
   const info = await node.getNodeInfo();
   const client = new Client(info.launcher.chainHost);
 
@@ -193,8 +184,16 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale }) =
     throw new Error(messages.invalidNftIssuer[locale]);
   }
 
-  if (state.tags.includes(NFT_TYPE_SERVER_USAGE_CREDENTIAL) && state.tags.includes(info.did)) {
-    const passport = await getExternalPassport(state);
+  if (state.tags.includes(NFT_TYPE_SERVERLESS)) {
+    state.data.value = JSON.parse(state.data.value);
+
+    if (!isAuth && isNFTConsumed(state)) {
+      throw new Error(messages.nftAlreadyConsume[locale]);
+    }
+
+    if (!isAuth && isNFTExpired(state)) {
+      throw new Error(messages.nftAlreadyExpired[locale]);
+    }
 
     return {
       role: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER,
@@ -202,8 +201,7 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale }) =
         controller: {
           nftId: address,
           nftOwner: state.owner,
-          appMaxCount: passport.appMaxCount,
-          expireDate: passport.expireDate,
+          appMaxCount: state.data.value.appMaxCount || 1,
         },
       },
       user: {
@@ -263,10 +261,14 @@ const getAuthVcClaim =
 
 const getAuthNFTClaim =
   ({ node }) =>
-  async ({ extraParams: { locale, launchType }, context: { didwallet } }) => {
+  async ({ extraParams: { locale, launchType, nftId }, context: { didwallet } }) => {
     checkWalletVersion({ didwallet, locale });
     if (launchType === 'serverless') {
-      return getUsageCredentialNFTClaim(node, locale);
+      if (!nftId) {
+        throw new Error(messages.serverlessNftIdRequired[locale]);
+      }
+
+      return getServerlessNFTClaim(node, nftId, locale);
     }
 
     return getOwnershipNFTClaim(node, locale);
@@ -318,7 +320,7 @@ const getOwnershipNFTClaim = async (node, locale) => {
   };
 };
 
-const getUsageCredentialNFTClaim = async (node, locale) => {
+const getServerlessNFTClaim = async (node, nftId, locale) => {
   const info = await node.getNodeInfo();
   if (!info.ownerNft || !info.ownerNft.issuer) {
     throw new Error(messages.noNft[locale]);
@@ -331,13 +333,13 @@ const getUsageCredentialNFTClaim = async (node, locale) => {
   }
 
   return {
-    description: messages.requestNft[locale],
+    description: messages.requestServerlessNFT[locale],
     trustedIssuers: [info.ownerNft.issuer],
-    tag: info.did,
+    address: nftId,
   };
 };
 
-const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, challenge, locale, blocklet }) => {
+const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, challenge, locale, blocklet, isAuth }) => {
   let result;
   if (authMethod === 'vc') {
     result = await authenticateByVc({
@@ -357,6 +359,7 @@ const ensureBlockletPermission = async ({ authMethod, node, userDid, claims, cha
       userDid,
       claims,
       challenge,
+      isAuth,
     });
   }
   const { teamDid, role } = result;
@@ -387,6 +390,7 @@ const createLaunchBlockletHandler =
       claims,
       challenge,
       locale,
+      isAuth: false,
     });
 
     const blocklet = await node.getBlockletMetaFromUrl({ url: blockletMetaUrl, checkPrice: true });
@@ -436,7 +440,7 @@ const createLaunchBlockletHandler =
 
     const blockletDid =
       role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER
-        ? toExternalBlocklet(blocklet.meta.name, userDid, { didOnly: true })
+        ? toExternalBlocklet(blocklet.meta.name, controller.nftId, { didOnly: true })
         : blocklet.meta.did;
 
     await updateSession({
@@ -456,13 +460,7 @@ const createLaunchBlockletHandler =
       url: blockletMetaUrl,
       delay: 1000 * 4, // delay 4 seconds to download, wait for ws connection from frontend
       downloadTokenList: extraParams?.previousWorkflowData?.downloadTokenList,
-      controller:
-        role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER
-          ? {
-              ...controller,
-              id: userDid,
-            }
-          : null,
+      controller: role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER ? controller : null,
     });
 
     await node.createAuditLog(
@@ -487,5 +485,5 @@ module.exports = {
   ensureBlockletPermission,
   getSetupBlockletClaims,
   getTrustedIssuers,
-  getUsageCredentialNFTClaim,
+  getServerlessNFTClaim,
 };

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.8.37",
+  "version": "1.8.39",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,18 +20,18 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "MIT",
   "dependencies": {
-    "@abtnode/constant": "1.8.37",
-    "@abtnode/logger": "1.8.37",
-    "@abtnode/util": "1.8.37",
-    "@arcblock/did": "1.18.15",
-    "@arcblock/jwt": "^1.18.15",
-    "@arcblock/vc": "1.18.15",
-    "@blocklet/constant": "1.8.37",
-    "@blocklet/meta": "1.8.37",
-    "@ocap/client": "1.18.15",
-    "@ocap/mcrypto": "1.18.15",
-    "@ocap/util": "1.18.15",
-    "@ocap/wallet": "1.18.15",
+    "@abtnode/constant": "1.8.39",
+    "@abtnode/logger": "1.8.39",
+    "@abtnode/util": "1.8.39",
+    "@arcblock/did": "1.18.18",
+    "@arcblock/jwt": "^1.18.18",
+    "@arcblock/vc": "1.18.18",
+    "@blocklet/constant": "1.8.39",
+    "@blocklet/meta": "1.8.39",
+    "@ocap/client": "1.18.18",
+    "@ocap/mcrypto": "1.18.18",
+    "@ocap/util": "1.18.18",
+    "@ocap/wallet": "1.18.18",
     "axios": "^0.27.2",
     "joi": "17.6.3",
     "jsonwebtoken": "^8.5.1",
@@ -42,5 +42,5 @@
   "devDependencies": {
     "jest": "^27.5.1"
   },
-  "gitHead": "f26f451c6e2b1168b36f78269eafdf3f671236bf"
+  "gitHead": "cf2223c4d9a999993b2be1c943dd75b4221593c3"
 }