@abtnode/auth 1.8.68 → 1.8.69-beta-54faead3

package/lib/auth.js

@@ -156,6 +156,22 @@ const messages = {
     en: 'Invalid Params',
     zh: '无效的参数',
   },
+  missingKeyPair: {
+    en: 'Missing app key pair',
+    zh: '缺少应用钥匙对',
+  },
+  missingBlockletUrl: {
+    en: 'Missing blocklet url',
+    zh: '缺少应用下载地址',
+  },
+  missingBlockletDid: {
+    en: 'Missing blocklet did',
+    zh: '缺少应用 ID',
+  },
+  missingChainHost: {
+    en: 'Missing chain host',
+    zh: '缺少链的端点地址',
+  },
   invalidBlocklet: {
     en: 'Invalid Blocklet',
     zh: '无效的 Blocklet',
@@ -809,9 +825,9 @@ const handleIssuePassportResponse = async ({
 };
 
 const getVCFromClaims = async ({ claims, challenge, trustedIssuers, vcTypes, locale = 'en', vcId }) => {
-  const credential = claims.find(
-    (x) => x.type === 'verifiableCredential' && vcTypes.some((item) => x.item.includes(item))
-  );
+  const credential = claims
+    .filter(Boolean) // FIXES: https://github.com/ArcBlock/did-connect/issues/74
+    .find((x) => x.type === 'verifiableCredential' && vcTypes.some((item) => x.item.includes(item)));
 
   if (!credential || !credential.presentation) {
     return {};

package/lib/server.js

@@ -1,11 +1,16 @@
 const get = require('lodash/get');
+const pick = require('lodash/pick');
 const isEmpty = require('lodash/isEmpty');
 const last = require('lodash/last');
 const { isNFTExpired, isNFTConsumed } = require('@abtnode/util/lib/nft');
 const Client = require('@ocap/client');
 const { fromPublicKey } = require('@ocap/wallet');
-const { fromBase58, toAddress } = require('@ocap/util');
+const { fromBase58, toAddress, toHex } = require('@ocap/util');
 const { toTypeInfo, isFromPublicKey } = require('@arcblock/did');
+const urlFriendly = require('@blocklet/meta/lib/url-friendly').default;
+const { slugify } = require('transliteration');
+const { getChainInfo } = require('@blocklet/meta/lib/util');
+const getBlockletInfo = require('@blocklet/meta/lib/info');
 const formatContext = require('@abtnode/util/lib/format-context');
 const {
   ROLES,
@@ -14,6 +19,7 @@ const {
   NFT_TYPE_SERVER_OWNERSHIP,
   SERVER_ROLES,
   NFT_TYPE_SERVERLESS,
+  MAIN_CHAIN_ENDPOINT,
 } = require('@abtnode/constant');
 const { toExternalBlocklet } = require('@blocklet/meta/lib/did');
 const {
@@ -219,6 +225,16 @@ const authenticateByNFT = async ({ node, claims, userDid, challenge, locale, isA
   return { role: ROLES.OWNER, teamDid: info.did, nft: state, user, passport: null, ownerDid, ownerNFT: address };
 };
 
+const authenticateBySession = async ({ node, userDid, locale, allowedRoles = ['owner', 'admin', 'member'] }) => {
+  const info = await node.getNodeInfo();
+  const user = await getUser(node, info.did, userDid);
+  if (!user) {
+    throw new Error(messages.userNotFound[locale]);
+  }
+  const passport = (user.passports || []).find((x) => x.status === 'valid' && allowedRoles.includes(x.role));
+  return { role: passport ? passport.role : ROLES.GUEST, teamDid: info.did, user, passport: null };
+};
+
 const getAuthVcClaim =
   ({ node, launchBlocklet, blocklet, options }) =>
   async ({ extraParams: { locale, passportId }, context: { didwallet } }) => {
@@ -273,28 +289,117 @@ const getAuthNFTClaim =
     return getOwnershipNFTClaim(node, locale);
   };
 
-const getLaunchBlockletClaims = (node, authMethod) => {
-  if (authMethod === 'vc') {
+const getKeyPairClaim =
+  (node) =>
+  async ({ extraParams: { locale, appDid, title }, context: { didwallet } }) => {
+    checkWalletVersion({ didwallet, locale });
+
+    const description = {
+      en: 'Please generate a new key-pair for this application',
+      zh: '请为应用创建新的钥匙对',
+    };
+
+    let appName = title;
+    let migrateFrom = '';
+
+    // We are rotating a key-pair for existing application
+    if (appDid) {
+      const blocklet = await node.getBlocklet({ did: appDid, attachRuntimeInfo: false });
+      if (!blocklet) {
+        throw new Error(messages.invalidBlocklet[locale]);
+      }
+
+      const info = await node.getNodeInfo();
+      const { name, wallet } = getBlockletInfo(blocklet, info.sk);
+      appName = name;
+      migrateFrom = wallet.address;
+    }
+
     return {
-      serverPassport: ['verifiableCredential', getAuthVcClaim({ node, launchBlocklet: true })],
+      mfa: !process.env.DID_CONNECT_MFA_DISABLED,
+      description: description[locale] || description.en,
+      moniker: (urlFriendly(slugify(appName)) || 'application').toLowerCase(),
+      migrateFrom,
+      targetType: {
+        role: 'application',
+        hash: 'sha3',
+        key: 'ed25519',
+        encoding: 'base58',
+      },
     };
-  }
+  };
 
-  return {
-    serverNFT: ['asset', getAuthNFTClaim({ node })],
+const getRotateKeyPairClaims = (node) => {
+  return [
+    {
+      authPrincipal: async ({ extraParams: { locale, appDid } }) => {
+        const description = {
+          en: 'Please select ',
+          zh: '请为应用创建新的钥匙对',
+        };
+
+        let chainInfo = { host: 'none', id: 'none', type: 'arcblock' };
+
+        if (!appDid) {
+          throw new Error(messages.missingBlockletDid[locale]);
+        }
+
+        const blocklet = await node.getBlocklet({ did: appDid, attachRuntimeInfo: false });
+        if (!blocklet) {
+          throw new Error(messages.invalidBlocklet[locale]);
+        }
+
+        // Try to use blocklet chain config if possible
+        // Since migration happens on the chain the app holds some actual assets
+        // We must ensure it happens on that chain
+        chainInfo = getChainInfo(blocklet.configObj);
+
+        // Fallback to main chain, since it is the default registry for all DID
+        if (chainInfo.host === 'none') {
+          chainInfo = { host: MAIN_CHAIN_ENDPOINT, id: 'main', type: 'arcblock' };
+        }
+
+        return {
+          chainInfo,
+          description: description[locale] || description.en,
+          target: blocklet.appPid,
+        };
+      },
+    },
+    {
+      keyPair: getKeyPairClaim(node),
+    },
+  ];
+};
+
+const getLaunchBlockletClaims = (node, authMethod) => {
+  const claims = {
+    blockletAppKeypair: ['keyPair', getKeyPairClaim(node)],
   };
+
+  if (authMethod === 'vc') {
+    claims.serverPassport = ['verifiableCredential', getAuthVcClaim({ node, launchBlocklet: true })];
+  }
+
+  if (authMethod === 'nft') {
+    claims.serverNFT = ['asset', getAuthNFTClaim({ node })];
+  }
+
+  return claims;
 };
 
+// FIXME: @wangshijun should be changed to blocklet appSK owner claim?
 const getSetupBlockletClaims = (node, authMethod, blocklet) => {
+  const claims = {};
+
   if (authMethod === 'vc') {
-    return {
-      serverPassport: ['verifiableCredential', getAuthVcClaim({ node, blocklet })],
-    };
+    claims.serverPassport = ['verifiableCredential', getAuthVcClaim({ node, blocklet })];
+  }
+  if (authMethod === 'nft') {
+    claims.serverNFT = ['asset', getAuthNFTClaim({ node })];
   }
 
-  return {
-    serverNFT: ['asset', getAuthNFTClaim({ node })],
-  };
+  return claims;
 };
 
 const getOwnershipNFTClaim = async (node, locale) => {
@@ -348,6 +453,7 @@ const ensureBlockletPermission = async ({
   blocklet,
   isAuth,
   chainHost,
+  allowedRoles = ['owner', 'admin', 'member'],
 }) => {
   let result;
   if (authMethod === 'vc') {
@@ -361,7 +467,7 @@ const ensureBlockletPermission = async ({
       launchBlocklet: true,
       blocklet,
     });
-  } else {
+  } else if (authMethod === 'nft') {
     result = await authenticateByNFT({
       node,
       locale,
@@ -371,9 +477,16 @@ const ensureBlockletPermission = async ({
       isAuth,
       chainHost,
     });
+  } else {
+    result = await authenticateBySession({
+      node,
+      userDid,
+      locale,
+      allowedRoles,
+    });
   }
-  const { teamDid, role } = result;
 
+  const { teamDid, role } = result;
   const permissions = await node.getPermissionsByRole({ teamDid, role: { name: role } });
   if (!permissions.some((item) => ['mutate_blocklets'].includes(item.name))) {
     throw new Error(messages.notAuthorized[locale]);
@@ -385,17 +498,38 @@ const ensureBlockletPermission = async ({
 const createLaunchBlockletHandler =
   (node, authMethod) =>
   async ({ claims, challenge, userDid, updateSession, req, extraParams }) => {
-    const { locale, blockletMetaUrl, chainHost } = extraParams;
+    const { locale, blockletMetaUrl, title, description, chainHost } = extraParams;
     logger.info('createLaunchBlockletHandler', extraParams);
 
-    if (!blockletMetaUrl) {
-      logger.error('blockletMetaUrl must be provided');
-      throw new Error(messages.invalidParams[locale]);
+    const keyPair = claims.find((x) => x.type === 'keyPair');
+    if (!keyPair) {
+      logger.error('app keyPair must be provided');
+      throw new Error(messages.missingKeyPair[locale]);
+    }
+
+    if (!blockletMetaUrl && !title && !description) {
+      logger.error('blockletMetaUrl | title + description must be provided');
+      throw new Error(messages.missingBlockletUrl[locale]);
     }
 
     if (authMethod === 'nft' && !chainHost) {
       logger.error('chainHost must be provided');
-      throw new Error(messages.invalidParams[locale]);
+      throw new Error(messages.missingChainHost[locale]);
+    }
+
+    let blocklet;
+    if (blockletMetaUrl) {
+      blocklet = await node.getBlockletMetaFromUrl({ url: blockletMetaUrl, checkPrice: true });
+      if (!blocklet.meta) {
+        throw new Error(messages.invalidBlocklet[locale]);
+      }
+
+      if (!blocklet.isFree) {
+        if (isEmpty(extraParams?.previousWorkflowData?.downloadTokenList)) {
+          logger.error('downloadTokenList must be provided');
+          throw new Error(messages.invalidParams[locale]);
+        }
+      }
     }
 
     const { role, passport, user, extra, nft } = await ensureBlockletPermission({
@@ -407,22 +541,9 @@ const createLaunchBlockletHandler =
       locale,
       isAuth: false,
       chainHost,
+      blocklet,
     });
 
-    const blocklet = await node.getBlockletMetaFromUrl({ url: blockletMetaUrl, checkPrice: true });
-    if (!blocklet.meta) {
-      throw new Error(messages.invalidBlocklet[locale]);
-    }
-
-    if (!blocklet.isFree) {
-      if (isEmpty(extraParams?.previousWorkflowData?.downloadTokenList)) {
-        logger.error('downloadTokenList must be provided');
-        throw new Error(messages.invalidParams[locale]);
-      }
-    }
-
-    const { did } = blocklet.meta;
-
     let controller;
 
     let sessionToken = '';
@@ -434,76 +555,149 @@ const createLaunchBlockletHandler =
         secret,
         expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
       });
-    } else if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
-      controller = extra.controller;
-      sessionToken = createBlockletControllerAuthToken({
-        did: userDid,
-        role,
-        controller,
-        secret,
-        expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
-      });
-    } else {
-      sessionToken = createAuthTokenByOwnershipNFT({
-        did: userDid,
-        role,
-        secret,
-        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
-      });
+    }
+    if (authMethod === 'nft') {
+      if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
+        controller = extra.controller;
+        sessionToken = createBlockletControllerAuthToken({
+          did: userDid,
+          role,
+          controller,
+          secret,
+          expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+        });
+      } else {
+        sessionToken = createAuthTokenByOwnershipNFT({
+          did: userDid,
+          role,
+          secret,
+          expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+        });
+      }
+    }
+
+    if (sessionToken) {
+      await updateSession({ sessionToken }, true);
     }
 
-    await updateSession({ sessionToken }, true);
+    if (blocklet) {
+      const blockletDid =
+        role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER
+          ? toExternalBlocklet(blocklet.meta.name, controller.nftId, { didOnly: true })
+          : blocklet.meta.did;
 
-    const blockletDid =
-      role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER
-        ? toExternalBlocklet(blocklet.meta.name, controller.nftId, { didOnly: true })
-        : blocklet.meta.did;
+      await updateSession({ blockletDid });
 
-    await updateSession({
-      blockletDid,
-    });
+      // 检查是否已安装，这里不做升级的处理
+      const existedBlocklet = await node.getBlocklet({ did: blockletDid, attachRuntimeInfo: false });
 
-    // 检查是否已安装，这里不做升级的处理
-    const existedBlocklet = await node.getBlocklet({ did: blockletDid, attachRuntimeInfo: false });
+      // 如果是 serverless, 并且已经消费过了，但是没有安装，则抛出异常
+      if (!existedBlocklet && role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER && isNFTConsumed(nft)) {
+        throw new Error(messages.nftAlreadyConsume[locale]);
+      }
 
-    // 如果是 serverless, 并且已经消费过了，但是没有安装，则抛出异常
-    if (!existedBlocklet && role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER && isNFTConsumed(nft)) {
-      throw new Error(messages.nftAlreadyConsume[locale]);
+      if (existedBlocklet) {
+        await updateSession({ isInstalled: true });
+        logger.info('blocklet already exists', { blockletDid });
+        return;
+      }
     }
 
-    if (existedBlocklet) {
-      await updateSession({ isInstalled: true });
-      logger.info('blocklet already exists', { blockletDid });
-      return;
+    logger.info('start install blocklet', { blockletMetaUrl, title, description });
+    const tmp = await node.installBlocklet(
+      {
+        url: blockletMetaUrl,
+        title,
+        description,
+        appSk: toHex(keyPair.secret),
+        delay: 1000 * 4, // delay 4 seconds to download, wait for ws connection from frontend
+        downloadTokenList: extraParams?.previousWorkflowData?.downloadTokenList,
+        controller: role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER ? controller : null,
+      },
+      formatContext(Object.assign(req, { user: { ...pick(user, ['did', 'fullName']), role } }))
+    );
+
+    await updateSession({ blockletDid: tmp.meta.did });
+  };
+
+const getBlockletPermissionChecker =
+  (node, allowedRoles = ['owner', 'admin', 'member']) =>
+  async ({ userDid, extraParams }) => {
+    const { locale = 'en', connectedDid } = extraParams;
+
+    if (!connectedDid || userDid !== connectedDid) {
+      throw new Error(
+        {
+          en: 'Please use current connected wallet to install blocklet',
+          zh: '请使用当前登录的钱包来安装应用',
+        }[locale]
+      );
     }
 
-    const tmp = await node.installBlocklet({
-      url: blockletMetaUrl,
-      delay: 1000 * 4, // delay 4 seconds to download, wait for ws connection from frontend
-      downloadTokenList: extraParams?.previousWorkflowData?.downloadTokenList,
-      controller: role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER ? controller : null,
-    });
+    const info = await node.getNodeInfo();
+    const user = await getUser(node, info.did, userDid);
+    const passport = (user.passports || []).find((x) => x.status === 'valid' && allowedRoles.includes(x.role));
+    if (!passport) {
+      throw new Error(
+        {
+          en: 'You do not have permission to install blocklets on this server',
+          zh: '你无权在此节点上安装应用',
+        }[locale]
+      );
+    }
+  };
+
+const createRotateKeyPairHandler =
+  (node) =>
+  async ({ claims, userDid, req, extraParams }) => {
+    const { locale, appDid } = extraParams;
+    logger.info('createRotateKeyPairHandler', extraParams);
+
+    const keyPair = claims.find((x) => x.type === 'keyPair');
+    if (!keyPair) {
+      logger.error('app keyPair must be provided');
+      throw new Error(messages.missingKeyPair[locale]);
+    }
+
+    if (!appDid) {
+      logger.error('appDid must be provided');
+      throw new Error(messages.missingBlockletDid[locale]);
+    }
+
+    const blocklet = await node.getBlocklet({ did: appDid, attachRuntimeInfo: false });
+    if (!blocklet) {
+      throw new Error(messages.invalidBlocklet[locale]);
+    }
+
+    // Only the blocklet owner(identified by appPid) can rotate key pair
+    if (blocklet.appPid !== userDid) {
+      throw new Error(messages.notAllowed[locale]);
+    }
 
-    await node.createAuditLog(
+    await node.configBlocklet(
       {
-        action: 'installBlocklet',
-        args: { url: blockletMetaUrl },
-        context: formatContext(Object.assign(req, { user })),
-        result: tmp,
+        did: blocklet.meta.did,
+        configs: [{ key: 'BLOCKLET_APP_SK', value: toHex(keyPair.secret), secure: true }],
+        skipHook: true,
+        skipDidDocument: true,
       },
-      node
+      formatContext(Object.assign(req, { user: { did: userDid, fullName: 'Owner', role: 'owner' } }))
     );
-    logger.info('start install blocklet', { blockletDid, bundleDid: did });
   };
 
 module.exports = {
   getAuthVcClaim,
+  getKeyPairClaim,
   authenticateByVc,
   authenticateByNFT,
+  authenticateBySession,
+  getRotateKeyPairClaims,
   getOwnershipNFTClaim,
   getLaunchBlockletClaims,
   createLaunchBlockletHandler,
+  createRotateKeyPairHandler,
   ensureBlockletPermission,
+  getBlockletPermissionChecker,
   getSetupBlockletClaims,
   getTrustedIssuers,
   getServerlessNFTClaim,

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.8.68",
+  "version": "1.8.69-beta-54faead3",
   "description": "Simple lib to manage auth in ABT Node",
   "main": "lib/index.js",
   "files": [
@@ -20,27 +20,28 @@
   "author": "linchen <linchen1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "MIT",
   "dependencies": {
-    "@abtnode/constant": "1.8.68",
-    "@abtnode/logger": "1.8.68",
-    "@abtnode/util": "1.8.68",
-    "@arcblock/did": "1.18.42",
-    "@arcblock/jwt": "^1.18.42",
-    "@arcblock/vc": "1.18.42",
-    "@blocklet/constant": "1.8.68",
-    "@blocklet/meta": "1.8.68",
-    "@ocap/client": "1.18.42",
-    "@ocap/mcrypto": "1.18.42",
-    "@ocap/util": "1.18.42",
-    "@ocap/wallet": "1.18.42",
+    "@abtnode/constant": "1.8.69-beta-54faead3",
+    "@abtnode/logger": "1.8.69-beta-54faead3",
+    "@abtnode/util": "1.8.69-beta-54faead3",
+    "@arcblock/did": "1.18.57",
+    "@arcblock/jwt": "^1.18.57",
+    "@arcblock/vc": "1.18.57",
+    "@blocklet/constant": "1.8.69-beta-54faead3",
+    "@blocklet/meta": "1.8.69-beta-54faead3",
+    "@ocap/client": "1.18.57",
+    "@ocap/mcrypto": "1.18.57",
+    "@ocap/util": "1.18.57",
+    "@ocap/wallet": "1.18.57",
     "axios": "^0.27.2",
     "joi": "17.7.0",
     "jsonwebtoken": "^9.0.0",
     "lodash": "^4.17.21",
     "semver": "^7.3.8",
+    "transliteration": "^2.3.5",
     "url-join": "^4.0.1"
   },
   "devDependencies": {
     "jest": "^27.5.1"
   },
-  "gitHead": "1392044ac5677bde567797adeb9a6d3f0b9264b8"
+  "gitHead": "3dec0c85a77de5ba2d37c19ac769b126bfaafc86"
 }