@abtnode/blocklet-services 1.16.13 → 1.16.14-beta-0c29907f

package/api/index.js

@@ -35,6 +35,7 @@ const StudioService = require('./services/studio');
 const AnalyticService = require('./services/analytics');
 const createEnvRoutes = require('./routes/env');
 const createOAuthRoutes = require('./routes/oauth');
+const createFederatedRoutes = require('./routes/federated');
 const createUserRoutes = require('./routes/user');
 const createBlockletRoutes = require('./routes/blocklet');
 const createConnectRelayRoutes = require('./routes/connect/relay');
@@ -188,6 +189,9 @@ module.exports = function createServer(node, serverOptions = {}) {
     })
   );
 
+  // HACK: 必须放在 `server.use(cors());` 前面，否则会影响其原来的作用
+  createFederatedRoutes.preInit(server, node, options);
+
   // NOTE: will be overwrite by Blocklet Server in production
   server.use(cors());
 
@@ -244,6 +248,7 @@ module.exports = function createServer(node, serverOptions = {}) {
 
   // API: auth
   createOAuthRoutes.init(server, node, options);
+  createFederatedRoutes.init(server, node, options);
   createUserRoutes.init(server, node, options);
   createEnvRoutes.init(server, node, options);
   createBlockletRoutes.init(server, node);

package/api/libs/auth/utils.js

@@ -1,7 +1,7 @@
 const { getPassportStatusEndpoint, getApplicationInfo } = require('@abtnode/auth/lib/auth');
 const { createPassportVC } = require('@abtnode/auth/lib/passport');
 const { VC_TYPE_NODE_PASSPORT, PASSPORT_STATUS } = require('@abtnode/constant');
-const { parseUserAvatar, getAvatarByEmail, getAvatarByUrl } = require('@abtnode/util/lib/user');
+const { getAvatarByEmail, getAvatarByUrl, getUserAvatarUrl } = require('@abtnode/util/lib/user');
 const { getBlockletAppIdList } = require('@blocklet/meta/lib/util');
 const pick = require('lodash/pick');
 const uniq = require('lodash/uniq');
@@ -18,7 +18,6 @@ async function transferPassport(fromUser, toUser, { req, teamDid, node, nodeInfo
     name: issuerName,
     wallet: issuerWallet,
     passportColor,
-    dataDir,
   } = await getApplicationInfo({ node, nodeInfo, teamDid });
 
   const blocklet = await req.getBlockletInfo();
@@ -43,15 +42,14 @@ async function transferPassport(fromUser, toUser, { req, teamDid, node, nodeInfo
   }
 
   const attachments = await Promise.all(
-    waitPassportList.map(async (item) => {
-      const avatar = await parseUserAvatar(toUser.avatar, { dataDir });
+    waitPassportList.map((x) => {
       const vcParams = {
         issuerName,
         issuerWallet,
         ownerDid: toUser.did,
-        passport: pick(item, ['name', 'title', 'endpoint', 'specVersion']),
+        passport: pick(x, ['name', 'title', 'endpoint', 'specVersion']),
         endpoint: getPassportStatusEndpoint({
-          baseUrl: item.endpoint,
+          baseUrl: x.endpoint,
           userDid: toUser.did,
           teamDid,
         }),
@@ -59,7 +57,7 @@ async function transferPassport(fromUser, toUser, { req, teamDid, node, nodeInfo
         ownerProfile: {
           email: toUser.email,
           fullName: toUser.fullName,
-          avatar,
+          avatar: getUserAvatarUrl(x.endpoint, toUser.avatar),
         },
         preferredColor: passportColor,
       };
@@ -69,7 +67,7 @@ async function transferPassport(fromUser, toUser, { req, teamDid, node, nodeInfo
         type: 'vc',
         data: {
           credential: vc,
-          tag: item.name,
+          tag: x.name,
         },
       };
     })

package/api/libs/connect/session.js

@@ -2,7 +2,7 @@
 const get = require('lodash/get');
 const joinUrl = require('url-join');
 const formatContext = require('@abtnode/util/lib/format-context');
-const { extractUserAvatar } = require('@abtnode/util/lib/user');
+const { extractUserAvatar, getAppAvatarUrl } = require('@abtnode/util/lib/user');
 const {
   messages,
   getVCFromClaims,
@@ -35,6 +35,9 @@ const {
 const { getKeyPairClaim, getAuthPrincipalForMigrateAppToV2 } = require('@abtnode/auth/lib/server');
 const merge = require('lodash/merge');
 const { fromAppDid } = require('@arcblock/did-ext');
+const { LOGIN_PROVIDER } = require('@blocklet/constant');
+const { signV2 } = require('@arcblock/jwt');
+const pick = require('lodash/pick');
 
 const { getRolesFromAuthConfig, getBlockletAppIdList } = require('@blocklet/meta/lib/util');
 
@@ -44,6 +47,9 @@ const { isInvitedUserOnly, createTokenFn, getDidConnectVersion } = require('../.
 const { transferPassport } = require('../auth/utils');
 const { generateTranslate } = require('../translate');
 const { migrateAccount, declareAccount } = require('../../services/oauth');
+const { getTrustedIssuers, getLoginProvider } = require('../../util/blocklet-utils');
+const { getFederatedMaster, getUserAvatarUrl } = require('../../util/federated');
+const { api } = require('../api');
 
 const vcTypes = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
 
@@ -136,6 +142,7 @@ module.exports = {
       const blocklet = await request.getBlocklet();
       const config = await request.getServiceConfig(NODE_SERVICES.AUTH, { componentId });
       const { did: teamDid, wallet: blockletWallet } = await request.getBlockletInfo();
+      const provider = getLoginProvider(request);
 
       const profileFields = get(config, 'profileFields');
 
@@ -148,8 +155,8 @@ module.exports = {
       };
       if (action === 'login') {
         const [invitedUserOnly] = config ? await isInvitedUserOnly(config, node, teamDid) : [false];
-        const trustedPassports = (blocklet.trustedPassports || []).map((x) => x.issuerDid);
-        const trustedIssuers = [...getBlockletAppIdList(blocklet), ...trustedPassports].filter(Boolean);
+
+        const trustedIssuers = getTrustedIssuers(blocklet, { provider });
         claims.verifiableCredential = {
           type: 'verifiableCredential',
           description: messages.requestPassport[locale],
@@ -283,6 +290,7 @@ module.exports = {
         vc = createPassportVC({
           issuerName: name,
           issuerWallet: wallet,
+          issuerAvatarUrl: getAppAvatarUrl(baseUrl),
           ownerDid: realDid,
           passport: await createPassport({
             name: defaultRole,
@@ -325,9 +333,11 @@ module.exports = {
       let fullName = user?.fullName;
       // Update profile
       const passportForLog = passport || { name: 'Guest', role: 'guest' };
+      const provider = getLoginProvider(request);
+      let updatedUser;
       if (user) {
         // Update user
-        const doc = await node.loginUser({
+        updatedUser = await node.loginUser({
           teamDid,
           user: {
             did: user.did,
@@ -335,15 +345,15 @@ module.exports = {
             locale,
             passport,
             lastLoginIp: get(request, 'headers[x-real-ip]') || '',
-            connectedAccount: [{ provider: 'wallet', did: realDid }, connectedNft],
+            connectedAccount: [{ provider, did: realDid }, connectedNft],
           },
         });
         await node.createAuditLog(
           {
             action,
-            args: { teamDid, userDid: realDid, passport: passportForLog, provider: 'wallet' },
-            context: formatContext(Object.assign(request, { user: doc })),
-            result: doc,
+            args: { teamDid, userDid: realDid, passport: passportForLog, provider },
+            context: formatContext(Object.assign(request, { user: updatedUser })),
+            result: updatedUser,
           },
           node
         );
@@ -352,7 +362,7 @@ module.exports = {
         const profile = claims.find((x) => x.type === 'profile');
         fullName = profile.fullName;
 
-        const doc = await node.loginUser({
+        updatedUser = await node.loginUser({
           teamDid,
           user: {
             ...profile,
@@ -366,7 +376,7 @@ module.exports = {
             lastLoginIp: get(request, 'headers[x-real-ip]') || '',
             connectedAccount: [
               {
-                provider: 'wallet',
+                provider,
                 did: realDid,
                 pk: realPk,
               },
@@ -378,8 +388,8 @@ module.exports = {
           {
             action: 'addUser',
             args: { teamDid, userDid: realDid, reason: `first login as ${passportForLog.role}` },
-            context: formatContext(Object.assign(request, { user: doc })),
-            result: doc,
+            context: formatContext(Object.assign(request, { user: updatedUser })),
+            result: updatedUser,
           },
           node
         );
@@ -390,7 +400,14 @@ module.exports = {
       const sessionConfig = blocklet.settings?.session || {};
       const { sessionToken, refreshToken } = createToken(
         realDid,
-        { secret, passport, role, fullName },
+        {
+          secret,
+          passport,
+          role,
+          fullName,
+          // NOTE: token 中存储当前的 login provider
+          provider,
+        },
         { ...sessionConfig, didConnectVersion: getDidConnectVersion(request) }
       );
       logger.info(`${action}.success`, { userDid: realDid, role });
@@ -405,6 +422,37 @@ module.exports = {
         await node.setBlockletInitialized({ did: teamDid, owner: { did: realDid, pk: realPk } });
       }
 
+      const { permanentWallet } = await request.getBlockletInfo();
+
+      const masterSite = getFederatedMaster(blocklet);
+      let federatedSessionToken;
+      let federatedRefreshToken;
+      if (masterSite) {
+        const postUser = pick(updatedUser, ['did', 'pk', 'fullName', 'locale']);
+        postUser.lastLoginAt = get(request, 'headers[x-real-ip]') || '';
+
+        if (updatedUser.email) {
+          postUser.email = updatedUser.email;
+        }
+        if (updatedUser.avatar) {
+          postUser.avatar = getUserAvatarUrl(updatedUser.avatar, blocklet);
+        }
+
+        const { data } = await api.post(
+          joinUrl(masterSite.appUrl, WELLKNOWN_SERVICE_PATH_PREFIX, '/api/federated/loginByMember'),
+          {
+            signer: permanentWallet.address,
+            data: signV2(permanentWallet.address, permanentWallet.secretKey, {
+              user: postUser,
+              appId: blocklet.did,
+              passport,
+            }),
+          }
+        );
+        federatedSessionToken = data.sessionToken;
+        federatedRefreshToken = data.refreshToken;
+      }
+
       // issue passport for the first login user in a invite-only team
       if (issuePassport) {
         return {
@@ -413,6 +461,8 @@ module.exports = {
           data: vc,
           sessionToken,
           refreshToken,
+          federatedSessionToken,
+          federatedRefreshToken,
           nextWorkflowData: {
             userDid: realDid,
           },
@@ -422,6 +472,8 @@ module.exports = {
       return {
         sessionToken,
         refreshToken,
+        federatedSessionToken,
+        federatedRefreshToken,
         nextWorkflowData: {
           userDid: realDid,
         },
@@ -462,7 +514,7 @@ module.exports = {
         profile: {
           type: 'profile',
           description: messages.description[locale],
-          items: get(config, 'profileFields') || ['fullName', 'avatar'],
+          items: get(config, 'profileFields') || ['fullName', 'avatar', 'email'],
         },
       };
     },
@@ -540,8 +592,8 @@ module.exports = {
       const [invitedUserOnly] = await isInvitedUserOnly(config, node, teamDid);
 
       const blocklet = await request.getBlocklet();
-      const trustedPassports = (blocklet.trustedPassports || []).map((x) => x.issuerDid);
-      const trustedIssuers = [...getBlockletAppIdList(blocklet), ...trustedPassports].filter(Boolean);
+      const provider = getLoginProvider(request);
+      const trustedIssuers = getTrustedIssuers(blocklet, { provider });
 
       return {
         verifiableCredential: {
@@ -633,7 +685,7 @@ module.exports = {
       await node.createAuditLog(
         {
           action: 'switchPassport',
-          args: { teamDid, userDid, passport: passportForLog, provider: 'wallet' },
+          args: { teamDid, userDid, passport: passportForLog, provider: LOGIN_PROVIDER.WALLET },
           context: formatContext(Object.assign(request, { user })),
           result: {},
         },
@@ -702,8 +754,8 @@ module.exports = {
         throw new Error(t('notFound', locale));
       }
       const oauthConnectedAccounts = oauthUser.connectedAccounts || [];
-      const sourceProvider = oauthUser.sourceProvider || 'wallet';
-      if (oauthConnectedAccounts.find((item) => item.provider === 'wallet')) {
+      const sourceProvider = oauthUser.sourceProvider || LOGIN_PROVIDER.WALLET;
+      if (oauthConnectedAccounts.find((item) => item.provider === LOGIN_PROVIDER.WALLET)) {
         throw new Error(t('alreadyBindWallet', locale));
       }
 
@@ -743,7 +795,7 @@ module.exports = {
 
       return [];
     },
-    onApprove: async ({ node, request, locale, userDid, userPk, claims, previousUserDid }) => {
+    onApprove: async ({ node, request, locale, userDid, userPk, claims, previousUserDid, baseUrl }) => {
       const blocklet = await request.getBlocklet();
       const { did: teamDid, wallet: blockletWallet } = await request.getBlockletInfo();
 
@@ -786,7 +838,7 @@ module.exports = {
       const currentTime = new Date().toISOString();
 
       const connectedAccount = {
-        provider: 'wallet',
+        provider: LOGIN_PROVIDER.WALLET,
         did: userDid,
         pk: userPk,
         lastLoginAt: currentTime,
@@ -815,7 +867,7 @@ module.exports = {
         };
       }
 
-      await transferPassport(oauthUser, bindUser, { req: request, node, nodeInfo, teamDid });
+      await transferPassport(oauthUser, bindUser, { req: request, node, nodeInfo, teamDid, baseUrl });
 
       const connectedAccounts = oauthUser?.connectedAccounts || [];
       const sourceProvider = oauthUser?.sourceProvider;
@@ -826,7 +878,7 @@ module.exports = {
       await node.createAuditLog(
         {
           action: 'connectAccount',
-          args: { teamDid, connectedAccount, provider: 'wallet', userDid: oauthUser.did },
+          args: { teamDid, connectedAccount, provider: LOGIN_PROVIDER.WALLET, userDid: oauthUser.did },
           context: formatContext(Object.assign(request, { user: oauthUser })),
           result: bindUser,
         },

package/api/libs/connect/shared.js

@@ -2,9 +2,11 @@ const get = require('lodash/get');
 const joinUrl = require('url-join');
 const { getConnectAppUrl, getChainInfo } = require('@blocklet/meta/lib/util');
 const { WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
+const { LOGIN_PROVIDER } = require('@blocklet/constant');
+const { getProvider } = require('../../util/federated');
 
 module.exports = {
-  appInfo: async ({ request, baseUrl }) => {
+  appInfo: async ({ request, baseUrl, extraParams }) => {
     const groupPathPrefix = request.headers['x-group-path-prefix'] || '/';
 
     const [blocklet, meta, info] = await Promise.all([
@@ -12,6 +14,13 @@ module.exports = {
       request.getBlockletInfo(),
       request.getNodeInfo(),
     ]);
+    // NOTE: 这里应该使用当前 blocklet 的 did，而不是 pid
+    let agentDid;
+    const provider = getProvider(request, extraParams);
+    // federated 登录模式下，需要告知原有的 blocklet-did
+    if (provider === LOGIN_PROVIDER.FEDERATED) {
+      agentDid = blocklet.appDid;
+    }
 
     const version = get(blocklet, 'meta.version', '');
 
@@ -23,6 +32,8 @@ module.exports = {
       updateSubEndpoint: true,
       subscriptionEndpoint: joinUrl(groupPathPrefix, WELLKNOWN_SERVICE_PATH_PREFIX, 'websocket'),
       nodeDid: info.did,
+      // NOTE: publisher 是 WalletAuthenticator 中自动添加的
+      agentDid,
     };
   },
 

package/api/libs/connect/v1.js

@@ -2,15 +2,19 @@ const path = require('path');
 const get = require('lodash/get');
 const { toAddress } = require('@ocap/util');
 const { WalletAuthenticator } = require('@arcblock/did-auth');
+const { types } = require('@ocap/mcrypto');
 const getBlockletInfo = require('@blocklet/meta/lib/info');
 const WalletHandlers = require('@blocklet/sdk/lib/wallet-handler');
 const { getDelegation } = require('@blocklet/sdk/lib/connect/shared');
 const { sendToUser, sendToRelay } = require('@blocklet/sdk/lib/util/send-notification');
 const { WELLKNOWN_SERVICE_PATH_PREFIX, NODE_SERVICES_PREFIX } = require('@abtnode/constant');
 const DynamicStorage = require('@abtnode/connect-storage');
+const { fromPublicKey } = require('@ocap/wallet');
+const { LOGIN_PROVIDER } = require('@blocklet/constant');
 
 const cache = require('../../cache');
 const { appInfo, chainInfo } = require('./shared');
+const { getProvider } = require('../../util/federated');
 
 module.exports = (node, opts) => {
   const authenticator = new WalletAuthenticator({
@@ -20,15 +24,40 @@ module.exports = (node, opts) => {
       const { wallet } = await request.getBlockletInfo();
       return wallet.toJSON();
     },
-    delegator: async ({ request }) => {
+    delegator: async ({ request, extraParams }) => {
+      const provider = getProvider(request, extraParams);
+
+      const blocklet = await request.getBlocklet();
+      if (provider === LOGIN_PROVIDER.FEDERATED) {
+        const pk = get(blocklet, 'settings.federated.sites[0].pk');
+
+        // NOTE: 这里的 type 参数必须保持跟生成 blocklet 时使用的是一致的
+        const type = {
+          role: types.RoleType.ROLE_APPLICATION,
+          pk: types.KeyType.ED25519,
+          hash: types.HashType.SHA3,
+          address: types.EncodingType.BASE58,
+        };
+        const delegator = fromPublicKey(pk, type);
+        delegator.provider = LOGIN_PROVIDER.FEDERATED;
+        return delegator;
+      }
+
       const { wallet: delegatee, permanentWallet: delegator } = await request.getBlockletInfo();
       if (delegatee.address !== delegator.address) {
         return delegator;
       }
       return null;
     },
-    delegation: async ({ request }) => {
+    delegation: async ({ request, extraParams }) => {
       const { wallet: delegatee, permanentWallet: delegator } = await request.getBlockletInfo();
+      const provider = getProvider(request, extraParams);
+      if (provider === LOGIN_PROVIDER.FEDERATED) {
+        const blocklet = await request.getBlocklet();
+        const delegation = get(blocklet, 'settings.federated.config.delegation');
+        return delegation;
+      }
+
       if (delegatee.address !== delegator.address) {
         return getDelegation(delegator, delegatee);
       }
@@ -55,7 +84,7 @@ module.exports = (node, opts) => {
 
     // Only handles did-connect updates, because we need to determine the actual app
     sendToRelayFn: async (topic, event, data) => {
-      const publisher = get(data, 'appInfo.publisher', '');
+      const publisher = get(data, 'appInfo.agentDid', '') || get(data, 'appInfo.publisher', '');
       if (!publisher) {
         return null;
       }

package/api/libs/jwt.js

@@ -1,6 +1,7 @@
 /* eslint-disable no-underscore-dangle */
 const jwt = require('jsonwebtoken');
 const { createAuthToken } = require('@abtnode/auth/lib/auth');
+const { LOGIN_PROVIDER } = require('@blocklet/constant');
 
 const getUser = async (node, teamDid, userDid) => {
   const user = await node.getUserByDid({ teamDid, userDid });
@@ -15,7 +16,10 @@ const initJwt = (node, options) => {
   // 保持默认有效期为 1 天
   const ttl = options.sessionTtl || '1d';
 
-  const createSessionToken = (did, { role, secret, passport, expiresIn, tokenType, fullName }) =>
+  const createSessionToken = (
+    did,
+    { role, secret, passport, expiresIn, tokenType, fullName, provider = LOGIN_PROVIDER.WALLET }
+  ) =>
     createAuthToken({
       did,
       passport,
@@ -24,6 +28,7 @@ const initJwt = (node, options) => {
       expiresIn: expiresIn || ttl,
       tokenType,
       fullName,
+      provider,
     });
 
   const verifySessionToken = (token, secret, { checkFromDb, teamDid, checkToken } = {}) =>
@@ -42,7 +47,7 @@ const initJwt = (node, options) => {
           }
         }
 
-        const { did, role, passport, fullName } = decoded;
+        const { did, role, passport, fullName, provider = LOGIN_PROVIDER.WALLET } = decoded;
         let user;
         if (!did) {
           return reject(new Error('Invalid jwt token: invalid did'));
@@ -70,7 +75,7 @@ const initJwt = (node, options) => {
           user.role = role;
           user.passport = passport;
         } else {
-          user = { did, role, passport, fullName };
+          user = { did, role, passport, fullName, provider };
         }
 
         return resolve(user);

package/api/middlewares/check-federated-cors-call.js

@@ -0,0 +1,15 @@
+function checkFederatedCorsCall() {
+  return (req, res, next) => {
+    const caller = req.headers.origin;
+    const { blocklet } = req;
+    const federated = blocklet.settings.federated || {};
+    const sites = federated?.sites || [];
+    if (sites.find((item) => item.appUrl === caller && item.status === 'approved')) {
+      next();
+      return;
+    }
+    res.status(403).send('Unauthorized');
+  };
+}
+
+module.exports = checkFederatedCorsCall;

package/api/middlewares/ensure-blocklet.js

@@ -0,0 +1,13 @@
+function ensureBlocklet() {
+  return async (req, res, next) => {
+    const blocklet = await req.getBlocklet();
+    if (!blocklet) {
+      res.status(404).send('blocklet not found');
+      return;
+    }
+    req.blocklet = blocklet;
+    next();
+  };
+}
+
+module.exports = ensureBlocklet;

package/api/middlewares/verify-federated-call.js

@@ -0,0 +1,35 @@
+const { verify, decode } = require('@arcblock/jwt');
+
+function verifyFederatedCall({ isMaster = false } = { isMaster: false }) {
+  return (req, res, next) => {
+    const { signer, data } = req.body;
+    const { blocklet } = req;
+    const federated = blocklet.settings.federated || {};
+    const sites = federated?.sites || [];
+
+    // TODO: @zhanghan 是否需要检查 status === approved？
+    // 暂时先不检查，member 只能更新自己的信息，无法更新自身的 status，目前没有任何有权限的信息的修改能力
+    const validSite = sites.find((siteItem) => {
+      let result = siteItem.appPid === signer;
+      if (isMaster) {
+        result = result && siteItem.isMaster !== false;
+      }
+      return result;
+    });
+
+    if (!validSite) {
+      res.status(403).send('Unauthorized');
+      return;
+    }
+
+    if (!verify(data, validSite.pk)) {
+      res.status(403).send('Invalid signature');
+      return;
+    }
+
+    req.body.verifyData = decode(data);
+    next();
+  };
+}
+
+module.exports = verifyFederatedCall;

package/api/routes/blocklet.js

@@ -3,13 +3,14 @@ const fs = require('fs');
 const cloneDeep = require('lodash/cloneDeep');
 const dayjs = require('@abtnode/util/lib/dayjs');
 const JWT = require('@arcblock/jwt');
+const { isValid } = require('@arcblock/did');
 const joinUrl = require('url-join');
 const handleInstanceInStore = require('@abtnode/core/lib/util/public-to-store');
 const { getPassportStatusEndpoint } = require('@abtnode/auth/lib/auth');
 const { createPassportVC, createPassport, createUserPassport } = require('@abtnode/auth/lib/passport');
 
 const formatContext = require('@abtnode/util/lib/format-context');
-const { parseUserAvatar, getAvatarFile } = require('@abtnode/util/lib/user');
+const { getUserAvatarUrl, getAvatarFile, getAppAvatarUrl } = require('@abtnode/util/lib/user');
 const {
   attachSendLogoContext,
   ensureBlockletExist,
@@ -27,7 +28,12 @@ const {
   findComponentByIdV2,
   forEachComponentV2Sync,
 } = require('@blocklet/meta/lib/util');
-const { WELLKNOWN_SERVICE_PATH_PREFIX, USER_AVATAR_PATH_PREFIX, ROLES } = require('@abtnode/constant');
+const {
+  WELLKNOWN_SERVICE_PATH_PREFIX,
+  USER_AVATAR_PATH_PREFIX,
+  ROLES,
+  USER_AVATAR_URL_PREFIX,
+} = require('@abtnode/constant');
 const logger = require('@abtnode/logger')(require('../../package.json').name);
 
 const { createDownloadLogStream } = require('@abtnode/util/lib/log');
@@ -109,7 +115,14 @@ module.exports = {
 
       try {
         const blocklet = await req.getBlocklet();
-        const { fileName } = req.params;
+        let { fileName } = req.params;
+
+        if (isValid(fileName)) {
+          const user = await node.getUser({ teamDid: blocklet.appPid, user: { did: fileName } });
+          if (user && user.avatar.startsWith(USER_AVATAR_URL_PREFIX)) {
+            fileName = user.avatar.split('/').pop();
+          }
+        }
 
         const avatarFile = getAvatarFile(blocklet.env.dataDir, fileName);
 
@@ -174,7 +187,8 @@ module.exports = {
         const { wallet, name, passportColor } = await req.getBlockletInfo();
         // NOTICE: 这里的 did 是从 session 中取到的永久 did，不需要查询 connectedAccount
         const user = await node.getUser({ teamDid, user: { did: userDid } });
-        user.avatar = await parseUserAvatar(user.avatar, { dataDir: blocklet.env.dataDir });
+        const appUrl = blocklet.environments.find((x) => x.key === 'BLOCKLET_APP_URL').value;
+        user.avatar = getUserAvatarUrl(appUrl, user.avatar);
 
         const { pk, locale = 'en' } = user;
 
@@ -200,12 +214,11 @@ module.exports = {
         const role = ROLES.OWNER;
         const hasOwnerPassport = (user.passports || []).some((x) => x.name === role);
         if (hasOwnerPassport === false) {
-          const appUrl = blocklet.environments.find((item) => item.key === 'BLOCKLET_APP_URL').value;
-
           // create vc
           const vc = createPassportVC({
             issuerName: name,
             issuerWallet: wallet,
+            issuerAvatarUrl: getAppAvatarUrl(appUrl),
             ownerDid: userDid,
             passport: await createPassport({
               name: role,