@abtnode/blocklet-services 1.16.0-beta-1d6c582e → 1.16.0-beta-62b42401

package/api/index.js

@@ -8,7 +8,7 @@ const compression = require('compression');
 const cookieParser = require('cookie-parser');
 const bodyParser = require('body-parser');
 const httpProxy = require('http-proxy');
-const moment = require('dayjs');
+const dayjs = require('dayjs');
 const minimatch = require('minimatch');
 
 const { getAccessLogStream } = require('@abtnode/logger');
@@ -33,6 +33,7 @@ const { init: initDashboard } = require('./services/dashboard');
 const StaticService = require('./services/static');
 const StudioService = require('./services/studio');
 const createEnvRoutes = require('./routes/env');
+const createOAuthRoutes = require('./routes/oauth');
 const createBlockletRoutes = require('./routes/blocklet');
 const createConnectRelayRoutes = require('./routes/connect/relay');
 const createConnectSessionRoutes = require('./routes/connect/session');
@@ -48,7 +49,7 @@ const logFileGenerator = (time, index) => {
     return 'service.log';
   }
 
-  let filename = `service-${moment(time).subtract(1, 'day').format('YYYY-MM-DD')}`; // prev date
+  let filename = `service-${dayjs(time).subtract(1, 'day').format('YYYY-MM-DD')}`; // prev date
 
   if (index > 1) {
     filename = `${filename}-${index}`;
@@ -220,6 +221,7 @@ module.exports = function createServer(node, serverOptions = {}) {
   server.use(authMiddlewares.userInfo);
 
   // API: auth
+  createOAuthRoutes.init(server, node, options);
   createEnvRoutes.init(server, node, options);
   createBlockletRoutes.init(server, node);
   createConnectSessionRoutes.init(server, node, options);

package/api/libs/auth/adapters/auth0/authentication-client.js

@@ -0,0 +1,16 @@
+const { AuthenticationClient: Auth0AuthenticationClient } = require('auth0');
+
+class AuthenticationClient {
+  constructor(options) {
+    this.instance = new Auth0AuthenticationClient({
+      domain: options.domain,
+      clientId: options.clientId,
+    });
+  }
+
+  getProfile(...args) {
+    return this.instance.getProfile(...args);
+  }
+}
+
+module.exports = AuthenticationClient;

package/api/libs/auth/adapters/auth0/index.js

@@ -0,0 +1,7 @@
+const AuthenticationClient = require('./authentication-client');
+const ManagementClient = require('./management-client');
+
+module.exports = {
+  AuthenticationClient,
+  ManagementClient,
+};

package/api/libs/auth/adapters/auth0/management-client.js

@@ -0,0 +1,36 @@
+const { ManagementClient: Auth0ManagementClient } = require('auth0');
+
+class ManagementClient {
+  constructor(options) {
+    this.config = {
+      domain: options.domain,
+      token: options.token,
+    };
+    this.instance = new Auth0ManagementClient({
+      domain: options.domain,
+      token: options.token,
+    });
+  }
+
+  async getClient(...args) {
+    return this.instance.getClient(...args);
+  }
+
+  getClients(...args) {
+    return this.instance.getClients(...args);
+  }
+
+  createClient(...args) {
+    return this.instance.createClient(...args);
+  }
+
+  updateClient(...args) {
+    return this.instance.updateClient(...args);
+  }
+
+  deleteClient(...args) {
+    return this.instance.deleteClient(...args);
+  }
+}
+
+module.exports = ManagementClient;

package/api/libs/auth/utils.js

@@ -0,0 +1,90 @@
+const md5 = require('md5');
+const axios = require('axios');
+const logger = require('@abtnode/auth/lib/logger');
+const { getPassportStatusEndpoint, getApplicationInfo } = require('@abtnode/auth/lib/auth');
+const { createPassportVC } = require('@abtnode/auth/lib/passport');
+const { VC_TYPE_NODE_PASSPORT } = require('@abtnode/constant');
+const { parseUserAvatar } = require('@abtnode/util/lib/user-avatar');
+const pick = require('lodash/pick');
+
+const { sendToUser } = require('../notification');
+
+function getEmailHash(email = '') {
+  const cleanEmail = email.trim().toLowerCase();
+  return md5(cleanEmail);
+}
+
+async function getAvatarByEmail(email = '') {
+  try {
+    const emailHash = getEmailHash(email);
+    const gravatarUrl = `https://www.gravatar.com/avatar/${emailHash}`;
+    const { data } = await axios.get(gravatarUrl, {
+      responseType: 'arraybuffer',
+    });
+    const base64Content = Buffer.from(data, 'binary').toString('base64');
+
+    return `data:image/png;base64,${base64Content}`;
+  } catch {
+    logger.error(`Fetch gravatar failed: ${email}`);
+    return null;
+  }
+}
+
+async function transferPassport(fromUser, toUser, { req, teamDid, node, nodeInfo }) {
+  const {
+    name: issuerName,
+    wallet: issuerWallet,
+    passportColor,
+    dataDir,
+  } = await getApplicationInfo({ node, nodeInfo, teamDid });
+
+  const waitPassportList = fromUser.passports || [];
+  const attachments = await Promise.all(
+    waitPassportList.map(async (item) => {
+      const avatar = await parseUserAvatar(toUser.avatar, { dataDir });
+      const vcParams = {
+        issuerName,
+        issuerWallet,
+        ownerDid: toUser.did,
+        passport: pick(item, ['name', 'title', 'endpoint', 'specVersion']),
+        endpoint: getPassportStatusEndpoint({
+          baseUrl: item.endpoint,
+          userDid: toUser.did,
+          teamDid,
+        }),
+        types: teamDid === nodeInfo.did ? [VC_TYPE_NODE_PASSPORT] : [],
+        ownerProfile: {
+          email: toUser.email,
+          fullName: toUser.fullName,
+          avatar,
+        },
+        preferredColor: passportColor,
+      };
+
+      const vc = createPassportVC(vcParams);
+      return {
+        type: 'vc',
+        data: {
+          credential: vc,
+          tag: item.name,
+        },
+      };
+    })
+  );
+
+  await sendToUser(
+    toUser.did,
+    {
+      title: 'Transfer passports',
+      body: `Transfer ${fromUser.did}'s passports to ${toUser.did}`,
+      attachments,
+    },
+    { req }
+  );
+}
+
+module.exports = {
+  getEmailHash,
+  getAvatarByEmail,
+  transferPassport,
+};

package/api/libs/connect/session.js

@@ -9,6 +9,7 @@ const {
   getVCFromClaims,
   validatePassportStatus,
   getPassportStatusEndpoint,
+  getApplicationInfo,
 } = require('@abtnode/auth/lib/auth');
 const {
   NODE_SERVICES,
@@ -18,6 +19,7 @@ const {
   VC_TYPE_NODE_PASSPORT,
   WHO_CAN_ACCESS,
   WHO_CAN_ACCESS_PREFIX_ROLES,
+  USER_TYPE,
 } = require('@abtnode/constant');
 const {
   validatePassport,
@@ -30,33 +32,17 @@ const {
   upsertToPassports,
 } = require('@abtnode/auth/lib/passport');
 const { getKeyPairClaim } = require('@abtnode/auth/lib/server');
+const sortBy = require('lodash/sortBy');
+const head = require('lodash/head');
 
 const { getRolesFromAuthConfig, getBlockletAppIdList } = require('@blocklet/meta/lib/util');
 
 const logger = require('@abtnode/logger')(require('../../../package.json').name);
 
-const vcTypes = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
-
-/**
- * @returns {Array} config
- * @returns {Boolean} config[0] is invited user only
- * @returns {String} config[1] default role
- * @returns {Boolean} config[2] issue passport
- */
-const isInvitedUserOnly = async (config, node, teamDid) => {
-  const count = await node.getUsersCount({ teamDid });
-
-  // issue owner passport for first login user
-  if (count === 0) {
-    return [false, ROLES.OWNER, true];
-  }
+const { isInvitedUserOnly } = require('../../util');
+const { transferPassport } = require('../auth/utils');
 
-  if (config.whoCanAccess && config.whoCanAccess !== WHO_CAN_ACCESS.ALL) {
-    return [true];
-  }
-
-  return [false, ROLES.GUEST];
-};
+const vcTypes = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
 
 const getPassportVc = async ({ blocklet, claims, challenge, locale }) => {
   const trustedPassports = (blocklet.trustedPassports || []).map((x) => x.issuerDid);
@@ -256,7 +242,10 @@ module.exports = {
             did: userDid,
             pk: userPk,
             locale,
-            passports: upsertToPassports(user.passports || [], passport).filter(Boolean),
+            passports: upsertToPassports(
+              user.passports || [],
+              passport && { ...passport, lastLoginAt: new Date().toISOString() }
+            ).filter(Boolean),
             lastLoginAt: new Date().toISOString(),
             lastLoginIp: get(request, 'headers[x-real-ip]') || '',
           },
@@ -490,6 +479,17 @@ module.exports = {
       // Recreate passport with correct role
       passport = vc ? createUserPassport(vc, { role }) : null;
 
+      await node.updateUser({
+        teamDid,
+        user: {
+          did: user.did,
+          passports: upsertToPassports(
+            user.passports || [],
+            passport && { ...passport, lastLoginAt: new Date().toISOString() }
+          ),
+        },
+      });
+
       // Audit log
       const passportForLog = passport || { name: 'Guest', role: 'guest' };
       await node.createAuditLog(
@@ -508,6 +508,181 @@ module.exports = {
     },
   },
 
+  // 基本流程与 login 一致，但在创建更新用户信息的逻辑不一样
+  bindWallet: {
+    onConnect: async ({ node, request, userDid, locale, passportId = '', componentId, previousUserDid }) => {
+      const translations = {
+        en: {
+          notFound: "Can't get bind account infomation",
+          notDerivedAccount: "Current account is not a derived account, can't bind a DID Wallet account",
+          notWalletAccount: "Bind account is a derived account, can't bind",
+          alreadyBind: 'Bind account already bind with another account',
+        },
+        zh: {
+          notFound: '获取绑定账户信息失败',
+          notDerivedAccount: '当前账户不是一个派生账号，无法绑定 DID Wallet 账户',
+          notWalletAccount: '绑定的账户是一个派生账号，无法绑定',
+          alreadyBind: '该账户已绑定 OAuth 账户',
+        },
+      };
+      const blocklet = await request.getBlocklet();
+      const config = await request.getServiceConfig(NODE_SERVICES.AUTH, { componentId });
+      const { did: teamDid } = await request.getBlockletInfo();
+      const oauthUser = await getUser(node, teamDid, previousUserDid);
+      const bindUser = await node.getUser({ teamDid: blocklet.meta.did, user: { did: userDid } });
+
+      if (!oauthUser) {
+        throw new Error(translations[locale].notFound);
+      }
+      if (oauthUser.source !== USER_TYPE.DERIVED) {
+        throw new Error(translations[locale].notDerivedAccount);
+      }
+      if (bindUser) {
+        if (bindUser.source === USER_TYPE.DERIVED) {
+          throw new Error(translations[locale].notWalletAccount);
+        }
+        if (bindUser.derivedAccount) {
+          throw new Error(translations[locale].alreadyBind);
+        }
+      }
+
+      const profileFields = get(config, 'profileFields');
+      const claims = {
+        profile: {
+          type: 'profile',
+          description: messages.description[locale],
+          items: profileFields || ['fullName', 'avatar'],
+        },
+      };
+
+      // 至少需要一个 claim
+      // if (oauthUser.avatar) {
+      //   delete claims.profile;
+      // }
+
+      if (passportId) {
+        claims.verifiableCredential.target = passportId;
+      }
+
+      return claims;
+    },
+    onApprove: async ({ node, request, locale, userDid, userPk, claims, createSessionToken, previousUserDid }) => {
+      const { did: teamDid } = await request.getBlockletInfo();
+
+      const oauthUser = await getUser(node, teamDid, previousUserDid);
+      const nodeInfo = await request.getNodeInfo();
+      // Check user approved
+      let bindUser = await getUser(node, teamDid, userDid);
+      if (bindUser && !bindUser.approved) {
+        throw new Error(messages.notAllowed[locale]);
+      }
+
+      const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
+
+      const profileold = claims.find((x) => x.type === 'profile') || { avatar: null };
+      const avatar = await extractUserAvatar(oauthUser.avatar || profileold.avatar, { dataDir });
+      const profile = {
+        fullName: oauthUser.fullName,
+        avatar,
+        email: oauthUser.email,
+      };
+
+      // TODO: 获取当前登录使用的 passport（无法获取到 passport.id）
+      // 使用最近一次使用的 passport 来代替
+      const validPassports = oauthUser.passports.filter((item) => item.status === 'valid');
+      const lastUsedPassport = head(sortBy(validPassports, 'lastLoginAt'));
+      const passport = lastUsedPassport || { name: 'Guest', role: 'guest' };
+      if (bindUser) {
+        const mergePassport = (oauthUser.passports || []).reduce((sum, cur) => {
+          return upsertToPassports(sum, cur);
+        }, bindUser.passports || []);
+        // Update bindUser account
+        await node.updateUser({
+          teamDid,
+          user: {
+            derivedAccount: {
+              provider: oauthUser.sourceProvider,
+              did: oauthUser.did,
+              pk: oauthUser.pk,
+            },
+            connectedAccounts: [
+              {
+                provider: oauthUser.sourceProvider,
+                id: oauthUser.sourceId,
+                lastLoginAt: oauthUser.lastLoginAt,
+              },
+            ],
+            did: userDid,
+            pk: userPk,
+            locale,
+            passports: mergePassport,
+            lastLoginAt: new Date().toISOString(),
+            lastLoginIp: get(request, 'headers[x-real-ip]') || '',
+          },
+        });
+        // FIXME: @zhanghan 将来是否需要移除 derived account
+        // await node.removeUser({
+        //   teamDid,
+        //   user: {
+        //     did: previousUserDid,
+        //   },
+        // });
+        // TODO: @zhanghan 需要增加 auditLog
+      } else {
+        const doc = await node.addUser({
+          teamDid,
+          user: {
+            ...profile,
+            source: USER_TYPE.WALLET,
+            derivedAccount: {
+              provider: oauthUser.sourceProvider,
+              did: oauthUser.did,
+              pk: oauthUser.pk,
+            },
+            connectedAccounts: [
+              {
+                provider: oauthUser.sourceProvider,
+                id: oauthUser.sourceId,
+                lastLoginAt: oauthUser.lastLoginAt,
+              },
+            ],
+            avatar,
+            did: userDid,
+            pk: userPk,
+            approved: true,
+            locale,
+            passports: oauthUser.passports,
+            firstLoginAt: new Date().toISOString(),
+            lastLoginAt: new Date().toISOString(),
+            lastLoginIp: get(request, 'headers[x-real-ip]') || '',
+          },
+        });
+        bindUser = doc;
+        // remove derived account (updateUser use did as key, so did can't be update)
+        await node.removeUser({
+          teamDid,
+          user: {
+            did: previousUserDid,
+          },
+        });
+        // TODO: @zhanghan 需要增加 auditLog
+      }
+
+      await transferPassport(oauthUser, bindUser, { req: request, node, nodeInfo, teamDid });
+
+      // Generate new session token that client can save to localStorage
+      const sessionToken = await createSessionToken(userDid, { passport, role: passport.role });
+      logger.info('login.success', { userDid, role: passport.role });
+
+      return {
+        sessionToken,
+        nextWorkflowData: {
+          userDid,
+        },
+      };
+    },
+  },
+
   migrateToStructV2: {
     getClaims: ({ node }) => ({
       verifiableCredential: async ({ extraParams: { locale }, context: { request } }) => {

package/api/libs/notification.js

@@ -0,0 +1,19 @@
+const Notification = require('@blocklet/sdk/lib/util/send-notification');
+
+async function sendToUser(userDid, notification, { req }) {
+  const { wallet } = await req.getBlockletInfo();
+  const notificationRes = await Notification.sendToUser(
+    userDid,
+    notification,
+    {
+      appDid: wallet.address,
+      appSk: wallet.secretKey,
+    },
+    process.env.ABT_NODE_SERVICE_PORT
+  );
+  return notificationRes;
+}
+
+module.exports = {
+  sendToUser,
+};