npm - @abtnode/auth - Versions diffs - 1.8.66 → 1.8.67-beta-794a8082 - Mend

@abtnode/auth 1.8.66 → 1.8.67-beta-794a8082

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/auth.js CHANGED Viewed

@@ -156,6 +156,18 @@ const messages = {
     en: 'Invalid Params',
     zh: '无效的参数',
   },
+  missingKeyPair: {
+    en: 'Missing app key pair',
+    zh: '缺少应用钥匙对',
+  },
+  missingBlockletUrl: {
+    en: 'Missing blocklet url',
+    zh: '缺少应用下载地址',
+  },
+  missingChainHost: {
+    en: 'Missing chain host',
+    zh: '缺少链的端点地址',
+  },
   invalidBlocklet: {
     en: 'Invalid Blocklet',
     zh: '无效的 Blocklet',
@@ -809,9 +821,9 @@ const handleIssuePassportResponse = async ({
 };
 const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, locale = 'en', vcId }) => {
-  const credential = claims.find(
-    (x) => x.type === 'verifiableCredential' && vcTypes.some((item) => x.item.includes(item))
-  );
+  const credential = claims
+    .filter(Boolean) // FIXES: https://github.com/ArcBlock/did-connect/issues/74
+    .find((x) => x.type === 'verifiableCredential' && vcTypes.some((item) => x.item.includes(item)));
   if (!credential || !credential.presentation) {
     return {};

package/lib/server.js CHANGED Viewed

@@ -1,11 +1,14 @@
 const get = require('lodash/get');
+const pick = require('lodash/pick');
 const isEmpty = require('lodash/isEmpty');
 const last = require('lodash/last');
 const { isNFTExpired, isNFTConsumed } = require('@abtnode/util/lib/nft');
 const Client = require('@ocap/client');
 const { fromPublicKey } = require('@ocap/wallet');
-const { fromBase58, toAddress } = require('@ocap/util');
+const { fromBase58, toAddress, toHex } = require('@ocap/util');
 const { toTypeInfo, isFromPublicKey } = require('@arcblock/did');
+const urlFriendly = require('@blocklet/meta/lib/url-friendly').default;
+const { slugify } = require('transliteration');
 const formatContext = require('@abtnode/util/lib/format-context');
 const {
   ROLES,
@@ -219,6 +222,15 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale, isA
   return { role: ROLES.OWNER, teamDid: info.did, nft: state, user, passport: null, ownerDid, ownerNFT: address };
 };
+const authenticateBySession = async ({ node, userDid }) => {
+  const info = await node.getNodeInfo();
+  const user = await getUser(node, info.did, userDid);
+  const passport = (user.passports || []).find(
+    (x) => x.status === 'valid' && ['owner', 'admin', 'member'].includes(x.role)
+  );
+  return { role: passport ? passport.role : ROLES.GUEST, teamDid: info.did, user, passport: null };
+};
 const getAuthVcClaim =
   ({ node, launchBlocklet, blocklet, options }) =>
   async ({ extraParams: { locale, passportId }, context: { didwallet } }) => {
@@ -273,28 +285,57 @@ const getAuthNFTClaim =
     return getOwnershipNFTClaim(node, locale);
   };
-const getLaunchBlockletClaims = (node, authMethod) => {
-  if (authMethod === 'vc') {
+const getKeyPairClaim =
+  () =>
+  async ({ extraParams: { locale, title }, context: { didwallet } }) => {
+    checkWalletVersion({ didwallet, locale });
+    const description = {
+      en: 'Please generate a new key-pair for this application',
+      zh: '请为应用创建新的钥匙对',
+    };
     return {
-      serverPassport: ['verifiableCredential', getAuthVcClaim({ node, launchBlocklet: true })],
+      mfa: !process.env.DID_CONNECT_MFA_DISABLED,
+      description: description[locale] || description.en,
+      moniker: (urlFriendly(slugify(title)) || 'application').toLowerCase(),
+      targetType: {
+        role: 'application',
+        hash: 'sha3',
+        key: 'ed25519',
+        encoding: 'base58',
+      },
     };
-  }
+  };
-  return {
-    serverNFT: ['asset', getAuthNFTClaim({ node })],
+const getLaunchBlockletClaims = (node, authMethod) => {
+  const claims = {
+    blockletAppKeypair: ['keyPair', getKeyPairClaim()],
   };
+  if (authMethod === 'vc') {
+    claims.serverPassport = ['verifiableCredential', getAuthVcClaim({ node, launchBlocklet: true })];
+  }
+  if (authMethod === 'nft') {
+    claims.serverNFT = ['asset', getAuthNFTClaim({ node })];
+  }
+  return claims;
 };
+// FIXME: @wangshijun should be changed to blocklet appSK owner claim?
 const getSetupBlockletClaims = (node, authMethod, blocklet) => {
+  const claims = {};
   if (authMethod === 'vc') {
-    return {
-      serverPassport: ['verifiableCredential', getAuthVcClaim({ node, blocklet })],
-    };
+    claims.serverPassport = ['verifiableCredential', getAuthVcClaim({ node, blocklet })];
+  }
+  if (authMethod === 'nft') {
+    claims.serverNFT = ['asset', getAuthNFTClaim({ node })];
   }
-  return {
-    serverNFT: ['asset', getAuthNFTClaim({ node })],
-  };
+  return claims;
 };
 const getOwnershipNFTClaim = async (node, locale) => {
@@ -361,7 +402,7 @@ const ensureBlockletPermission = async ({
       launchBlocklet: true,
       blocklet,
     });
-  } else {
+  } else if (authMethod === 'nft') {
     result = await authenticateByNFT({
       node,
       locale,
@@ -371,9 +412,14 @@ const ensureBlockletPermission = async ({
       isAuth,
       chainHost,
     });
+  } else {
+    result = await authenticateBySession({
+      node,
+      userDid,
+    });
   }
-  const { teamDid, role } = result;
+  const { teamDid, role } = result;
   const permissions = await node.getPermissionsByRole({ teamDid, role: { name: role } });
   if (!permissions.some((item) => ['mutate_blocklets'].includes(item.name))) {
     throw new Error(messages.notAuthorized[locale]);
@@ -385,17 +431,38 @@ const ensureBlockletPermission = async ({
 const createLaunchBlockletHandler =
   (node, authMethod) =>
   async ({ claims, challenge, userDid, updateSession, req, extraParams }) => {
-    const { locale, blockletMetaUrl, chainHost } = extraParams;
+    const { locale, blockletMetaUrl, title, description, chainHost } = extraParams;
     logger.info('createLaunchBlockletHandler', extraParams);
-    if (!blockletMetaUrl) {
-      logger.error('blockletMetaUrl must be provided');
-      throw new Error(messages.invalidParams[locale]);
+    const keyPair = claims.find((x) => x.type === 'keyPair');
+    if (!keyPair) {
+      logger.error('app keyPair must be provided');
+      throw new Error(messages.missingKeyPair[locale]);
+    }
+    if (!blockletMetaUrl && !title && !description) {
+      logger.error('blockletMetaUrl | title + description must be provided');
+      throw new Error(messages.missingBlockletUrl[locale]);
     }
     if (authMethod === 'nft' && !chainHost) {
       logger.error('chainHost must be provided');
-      throw new Error(messages.invalidParams[locale]);
+      throw new Error(messages.missingChainHost[locale]);
+    }
+    let blocklet;
+    if (blockletMetaUrl) {
+      blocklet = await node.getBlockletMetaFromUrl({ url: blockletMetaUrl, checkPrice: true });
+      if (!blocklet.meta) {
+        throw new Error(messages.invalidBlocklet[locale]);
+      }
+      if (!blocklet.isFree) {
+        if (isEmpty(extraParams?.previousWorkflowData?.downloadTokenList)) {
+          logger.error('downloadTokenList must be provided');
+          throw new Error(messages.invalidParams[locale]);
+        }
+      }
     }
     const { role, passport, user, extra, nft } = await ensureBlockletPermission({
@@ -407,22 +474,9 @@ const createLaunchBlockletHandler =
       locale,
       isAuth: false,
       chainHost,
+      blocklet,
     });
-    const blocklet = await node.getBlockletMetaFromUrl({ url: blockletMetaUrl, checkPrice: true });
-    if (!blocklet.meta) {
-      throw new Error(messages.invalidBlocklet[locale]);
-    }
-    if (!blocklet.isFree) {
-      if (isEmpty(extraParams?.previousWorkflowData?.downloadTokenList)) {
-        logger.error('downloadTokenList must be provided');
-        throw new Error(messages.invalidParams[locale]);
-      }
-    }
-    const { did } = blocklet.meta;
     let controller;
     let sessionToken = '';
@@ -434,76 +488,109 @@ const createLaunchBlockletHandler =
         secret,
         expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
       });
-    } else if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
-      controller = extra.controller;
-      sessionToken = createBlockletControllerAuthToken({
-        did: userDid,
-        role,
-        controller,
-        secret,
-        expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
-      });
-    } else {
-      sessionToken = createAuthTokenByOwnershipNFT({
-        did: userDid,
-        role,
-        secret,
-        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
-      });
+    }
+    if (authMethod === 'nft') {
+      if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
+        controller = extra.controller;
+        sessionToken = createBlockletControllerAuthToken({
+          did: userDid,
+          role,
+          controller,
+          secret,
+          expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+        });
+      } else {
+        sessionToken = createAuthTokenByOwnershipNFT({
+          did: userDid,
+          role,
+          secret,
+          expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+        });
+      }
     }
-    await updateSession({ sessionToken }, true);
+    if (sessionToken) {
+      await updateSession({ sessionToken }, true);
+    }
-    const blockletDid =
-      role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER
-        ? toExternalBlocklet(blocklet.meta.name, controller.nftId, { didOnly: true })
-        : blocklet.meta.did;
+    if (blocklet) {
+      const blockletDid =
+        role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER
+          ? toExternalBlocklet(blocklet.meta.name, controller.nftId, { didOnly: true })
+          : blocklet.meta.did;
-    await updateSession({
-      blockletDid,
-    });
+      await updateSession({ blockletDid });
-    // 检查是否已安装，这里不做升级的处理
-    const existedBlocklet = await node.getBlocklet({ did: blockletDid, attachRuntimeInfo: false });
+      // 检查是否已安装，这里不做升级的处理
+      const existedBlocklet = await node.getBlocklet({ did: blockletDid, attachRuntimeInfo: false });
-    // 如果是 serverless, 并且已经消费过了，但是没有安装，则抛出异常
-    if (!existedBlocklet && role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER && isNFTConsumed(nft)) {
-      throw new Error(messages.nftAlreadyConsume[locale]);
-    }
+      // 如果是 serverless, 并且已经消费过了，但是没有安装，则抛出异常
+      if (!existedBlocklet && role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER && isNFTConsumed(nft)) {
+        throw new Error(messages.nftAlreadyConsume[locale]);
+      }
-    if (existedBlocklet) {
-      await updateSession({ isInstalled: true });
-      logger.info('blocklet already exists', { blockletDid });
-      return;
+      if (existedBlocklet) {
+        await updateSession({ isInstalled: true });
+        logger.info('blocklet already exists', { blockletDid });
+        return;
+      }
     }
-    const tmp = await node.installBlocklet({
-      url: blockletMetaUrl,
-      delay: 1000 * 4, // delay 4 seconds to download, wait for ws connection from frontend
-      downloadTokenList: extraParams?.previousWorkflowData?.downloadTokenList,
-      controller: role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER ? controller : null,
-    });
-    await node.createAuditLog(
+    logger.info('start install blocklet', { blockletMetaUrl, title, description });
+    const tmp = await node.installBlocklet(
       {
-        action: 'installBlocklet',
-        args: { url: blockletMetaUrl },
-        context: formatContext(Object.assign(req, { user })),
-        result: tmp,
+        url: blockletMetaUrl,
+        title,
+        description,
+        appSk: toHex(keyPair.secret),
+        delay: 1000 * 4, // delay 4 seconds to download, wait for ws connection from frontend
+        downloadTokenList: extraParams?.previousWorkflowData?.downloadTokenList,
+        controller: role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER ? controller : null,
       },
-      node
+      formatContext(Object.assign(req, { user: { ...pick(user, ['did', 'fullName']), role } }))
     );
-    logger.info('start install blocklet', { blockletDid, bundleDid: did });
+    await updateSession({ blockletDid: tmp.meta.did });
+  };
+const getBlockletPermissionChecker =
+  (node) =>
+  async ({ userDid, extraParams }) => {
+    const { locale = 'en', connectedDid } = extraParams;
+    if (!connectedDid || userDid !== connectedDid) {
+      throw new Error(
+        {
+          en: 'Please use current connected wallet to install blocklet',
+          zh: '请使用当前登录的钱包来安装应用',
+        }[locale]
+      );
+    }
+    const info = await node.getNodeInfo();
+    const user = await getUser(node, info.did, userDid);
+    const passport = (user.passports || []).find((x) => x.status === 'valid' && ['owner', 'admin'].includes(x.role));
+    if (!passport) {
+      throw new Error(
+        {
+          en: 'You do not have permission to install blocklets on this server',
+          zh: '你无权在此节点上安装应用',
+        }[locale]
+      );
+    }
   };
 module.exports = {
   getAuthVcClaim,
+  getKeyPairClaim,
   authenticateByVc,
   authenticateByNFT,
+  authenticateBySession,
   getOwnershipNFTClaim,
   getLaunchBlockletClaims,
   createLaunchBlockletHandler,
   ensureBlockletPermission,
+  getBlockletPermissionChecker,
   getSetupBlockletClaims,
   getTrustedIssuers,
   getServerlessNFTClaim,

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.8.66",
+  "version": "1.8.67-beta-794a8082",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,27 +20,28 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "MIT",
   "dependencies": {
-    "@abtnode/constant": "1.8.66",
-    "@abtnode/logger": "1.8.66",
-    "@abtnode/util": "1.8.66",
-    "@arcblock/did": "1.18.42",
-    "@arcblock/jwt": "^1.18.42",
-    "@arcblock/vc": "1.18.42",
-    "@blocklet/constant": "1.8.66",
-    "@blocklet/meta": "1.8.66",
-    "@ocap/client": "1.18.42",
-    "@ocap/mcrypto": "1.18.42",
-    "@ocap/util": "1.18.42",
-    "@ocap/wallet": "1.18.42",
+    "@abtnode/constant": "1.8.67-beta-794a8082",
+    "@abtnode/logger": "1.8.67-beta-794a8082",
+    "@abtnode/util": "1.8.67-beta-794a8082",
+    "@arcblock/did": "1.18.54",
+    "@arcblock/jwt": "^1.18.54",
+    "@arcblock/vc": "1.18.54",
+    "@blocklet/constant": "1.8.67-beta-794a8082",
+    "@blocklet/meta": "1.8.67-beta-794a8082",
+    "@ocap/client": "1.18.54",
+    "@ocap/mcrypto": "1.18.54",
+    "@ocap/util": "1.18.54",
+    "@ocap/wallet": "1.18.54",
     "axios": "^0.27.2",
     "joi": "17.7.0",
     "jsonwebtoken": "^9.0.0",
     "lodash": "^4.17.21",
     "semver": "^7.3.8",
+    "transliteration": "^2.3.5",
     "url-join": "^4.0.1"
   },
   "devDependencies": {
     "jest": "^27.5.1"
   },
-  "gitHead": "282247fd0ce6702e1d6920e90e2b3be0408cf879"
+  "gitHead": "f4ad32bea4d80b12971fb6bef941bdbe2af6a834"
 }