@abtnode/blocklet-services 1.16.16-beta-740ea329 → 1.16.16-beta-d6c5ed65

package/api/libs/auth/utils.js

@@ -6,6 +6,7 @@ const { getBlockletAppIdList } = require('@blocklet/meta/lib/util');
 const pick = require('lodash/pick');
 const uniq = require('lodash/uniq');
 const uniqBy = require('lodash/uniqBy');
+const { LOGIN_PROVIDER } = require('@blocklet/constant');
 
 const { sendToUser } = require('../notification');
 
@@ -125,7 +126,7 @@ async function transferPassport(fromUser, toUser, { req, teamDid, node, nodeInfo
     const revokePendingList = waitPassportList
       .filter((item) => item.id)
       .map((item) => {
-        if (fromUser.sourceProvider === 'auth0') {
+        if (fromUser.sourceProvider === LOGIN_PROVIDER.AUTH0) {
           return node.removeUserPassport({ teamDid, userDid: fromUser.did, passportId: item.id });
         }
         return node.revokeUserPassport({ teamDid, userDid: fromUser.did, passportId: item.id });

package/api/libs/connect/session.js

@@ -41,7 +41,7 @@ const pick = require('lodash/pick');
 const createTranslator = require('@abtnode/util/lib/translate');
 
 const { getRolesFromAuthConfig, getBlockletAppIdList } = require('@blocklet/meta/lib/util');
-const { getLoginProvider } = require('@blocklet/sdk/lib/util/login');
+const { getSourceAppPid, getLoginProvider } = require('@blocklet/sdk/lib/util/login');
 
 const logger = require('@abtnode/logger')(require('../../../package.json').name);
 
@@ -54,8 +54,8 @@ const { api } = require('../api');
 
 const vcTypes = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
 
-const getPassportVc = async ({ blocklet, claims, challenge, locale, provider }) => {
-  const trustedIssuers = await getTrustedIssuers(blocklet, { provider });
+const getPassportVc = async ({ blocklet, claims, challenge, locale, sourceAppPid }) => {
+  const trustedIssuers = await getTrustedIssuers(blocklet, { sourceAppPid });
   const { vc } = await getVCFromClaims({
     claims,
     challenge,
@@ -67,7 +67,7 @@ const getPassportVc = async ({ blocklet, claims, challenge, locale, provider })
   return vc;
 };
 
-const getRoleFromVC = async ({ vc, node, locale, blocklet, teamDid, provider }) => {
+const getRoleFromVC = async ({ vc, node, locale, blocklet, teamDid, sourceAppPid }) => {
   let role = ROLES.GUEST;
   if (vc) {
     await validatePassport(get(vc, 'credentialSubject.passport'));
@@ -77,8 +77,7 @@ const getRoleFromVC = async ({ vc, node, locale, blocklet, teamDid, provider })
       role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
     } else {
       // MEMO: 如果是 federated，需要将 actualIssuer 做一个转换
-      const actualIssuerList =
-        provider === LOGIN_PROVIDER.FEDERATED ? await getFederatedTrustedIssuers(blocklet) : [actualIssuer];
+      const actualIssuerList = sourceAppPid ? await getFederatedTrustedIssuers(blocklet) : [actualIssuer];
       // map external passport to local role
       const { mappings = [] } =
         (blocklet.trustedPassports || []).find((x) => actualIssuerList.includes(x.issuerDid)) || {};
@@ -146,7 +145,7 @@ module.exports = {
       const blocklet = await request.getBlocklet();
       const config = await request.getServiceConfig(NODE_SERVICES.AUTH, { componentId });
       const { did: teamDid, wallet: blockletWallet } = await request.getBlockletInfo();
-      const provider = getLoginProvider(request);
+      const sourceAppPid = getSourceAppPid(request);
 
       const profileFields = get(config, 'profileFields');
 
@@ -160,7 +159,7 @@ module.exports = {
       if (action === 'login') {
         const [invitedUserOnly] = config ? await isInvitedUserOnly(config, node, teamDid) : [false];
 
-        const trustedIssuers = await getTrustedIssuers(blocklet, { provider });
+        const trustedIssuers = await getTrustedIssuers(blocklet, { sourceAppPid });
         claims.verifiableCredential = {
           type: 'verifiableCredential',
           description: messages.requestPassport[locale],
@@ -246,11 +245,12 @@ module.exports = {
       let defaultTtlPolicy = 'never';
       let issuePassport = false;
 
+      const sourceAppPid = getSourceAppPid(request);
       const provider = getLoginProvider(request);
 
       // Get passport vc
       if (action === 'login') {
-        vc = await getPassportVc({ blocklet, claims, challenge, locale, provider });
+        vc = await getPassportVc({ blocklet, claims, challenge, locale, sourceAppPid });
         [invitedUserOnly, defaultRole, issuePassport] = await isInvitedUserOnly(authConfig, node, teamDid);
         if (invitedUserOnly && !vc) {
           throw new Error(messages.missingCredentialClaim[locale]);
@@ -323,7 +323,7 @@ module.exports = {
       }
 
       // Get role
-      const role = await getRoleFromVC({ vc, node, locale, blocklet, teamDid, provider });
+      const role = await getRoleFromVC({ vc, node, locale, blocklet, teamDid, sourceAppPid });
       await validateRole({ role, authConfig, locale, node, teamDid });
 
       checkAppOwner({ role, blocklet, userDid, locale });
@@ -347,14 +347,10 @@ module.exports = {
       const passportForLog = passport || { name: 'Guest', role: 'guest' };
 
       const masterSite = getFederatedMaster(blocklet);
-      let connectAccount = { provider, did: userDid, pk: userPk };
+      const connectAccount = { provider, did: userDid, pk: userPk };
 
       let updatedUser;
       if (user) {
-        // Update user
-        if (masterSite && provider === LOGIN_PROVIDER.FEDERATED) {
-          connectAccount = { provider, did: userDid, pk: userPk, id: masterSite.appPid };
-        }
         updatedUser = await node.loginUser({
           teamDid,
           user: {
@@ -362,6 +358,7 @@ module.exports = {
             pk: user.pk,
             locale,
             passport,
+            sourceAppPid,
             lastLoginIp: get(request, 'headers[x-real-ip]') || '',
             connectedAccount: [connectAccount, connectedNft],
           },
@@ -369,7 +366,7 @@ module.exports = {
         await node.createAuditLog(
           {
             action,
-            args: { teamDid, userDid: realDid, passport: passportForLog, provider },
+            args: { teamDid, userDid: realDid, passport: passportForLog, provider, sourceAppPid },
             context: formatContext(Object.assign(request, { user: updatedUser })),
             result: updatedUser,
           },
@@ -380,10 +377,6 @@ module.exports = {
         const profile = claims.find((x) => x.type === 'profile');
         fullName = profile.fullName;
 
-        if (masterSite && provider === LOGIN_PROVIDER.FEDERATED) {
-          connectAccount = { provider, did: userDid, pk: userPk, id: masterSite.appPid };
-        }
-
         updatedUser = await node.loginUser({
           teamDid,
           user: {
@@ -395,6 +388,7 @@ module.exports = {
             pk: realPk,
             locale,
             passport,
+            sourceAppPid,
             lastLoginIp: get(request, 'headers[x-real-ip]') || '',
             connectedAccount: [connectAccount, connectedNft],
           },
@@ -402,7 +396,13 @@ module.exports = {
         await node.createAuditLog(
           {
             action: 'addUser',
-            args: { teamDid, userDid: realDid, reason: `first login as ${passportForLog.role}` },
+            args: {
+              teamDid,
+              userDid: realDid,
+              sourceAppPid,
+              provider,
+              reason: `first login as ${passportForLog.role}`,
+            },
             context: formatContext(Object.assign(request, { user: updatedUser })),
             result: updatedUser,
           },
@@ -410,6 +410,24 @@ module.exports = {
         );
       }
 
+      // NOTICE: 采用异步来更新，不阻塞接口的正常响应
+      node.syncFederated({
+        did: teamDid,
+        data: {
+          users: [
+            {
+              did: updatedUser.did,
+              pk: updatedUser.pk,
+              fullName: updatedUser.fullName,
+              email: updatedUser.email || '',
+              avatar: getUserAvatarUrl(updatedUser.avatar, blocklet),
+              connectedAccount: [connectAccount, connectedNft],
+              action: 'connectAccount',
+            },
+          ],
+        },
+      });
+
       // Generate new session token that client can save to localStorage
       const createToken = createTokenFn(createSessionToken);
       const sessionConfig = blocklet.settings?.session || {};
@@ -441,8 +459,8 @@ module.exports = {
 
       let federatedSessionToken;
       let federatedRefreshToken;
-      // member 使用 deferated login 时，总是会让 Master 自动登录
-      if (masterSite && provider === LOGIN_PROVIDER.FEDERATED) {
+      // member 使用 federated login 时，总是会让 Master 自动登录
+      if (masterSite && sourceAppPid) {
         const postUser = pick(updatedUser, ['did', 'pk', 'fullName', 'locale']);
         postUser.lastLoginAt = get(request, 'headers[x-real-ip]') || '';
 
@@ -574,6 +592,18 @@ module.exports = {
         },
         node
       );
+
+      const syncUserData = pick(doc, ['did', 'pk', 'fullName', 'avatar', 'email']);
+      if (syncUserData.avatar) {
+        syncUserData.avatar = getUserAvatarUrl(syncUserData.avatar, blocklet);
+      }
+      // NOTICE: 采用异步来更新，不阻塞接口的正常响应
+      node.syncFederated({
+        did: teamDid,
+        data: {
+          users: [{ ...syncUserData, action: 'switchProfile' }],
+        },
+      });
     },
   },
 
@@ -606,8 +636,8 @@ module.exports = {
       const [invitedUserOnly] = await isInvitedUserOnly(config, node, teamDid);
 
       const blocklet = await request.getBlocklet();
-      const provider = getLoginProvider(request);
-      const trustedIssuers = await getTrustedIssuers(blocklet, { provider });
+      const sourceAppPid = getSourceAppPid(request);
+      const trustedIssuers = await getTrustedIssuers(blocklet, { sourceAppPid });
 
       return {
         verifiableCredential: {
@@ -629,7 +659,7 @@ module.exports = {
       userDid,
       createSessionToken,
       componentId,
-      provider,
+      sourceAppPid,
     }) => {
       const blocklet = await request.getBlocklet();
       const { name, did: teamDid, secret } = await request.getBlockletInfo();
@@ -660,7 +690,7 @@ module.exports = {
         claims: [verifiableCredential],
         challenge,
         locale,
-        provider,
+        sourceAppPid,
       });
 
       // Validate passport required
@@ -676,7 +706,7 @@ module.exports = {
       }
 
       // Get role
-      const role = await getRoleFromVC({ vc, node, locale, blocklet, teamDid, provider });
+      const role = await getRoleFromVC({ vc, node, locale, blocklet, teamDid, sourceAppPid });
       await validateRole({ role, authConfig, locale, node, teamDid });
 
       checkAppOwner({ role, blocklet, userDid, locale });
@@ -701,7 +731,7 @@ module.exports = {
       await node.createAuditLog(
         {
           action: 'switchPassport',
-          args: { teamDid, userDid, passport: passportForLog, provider },
+          args: { teamDid, userDid, passport: passportForLog, sourceAppPid },
           context: formatContext(Object.assign(request, { user })),
           result: {},
         },
@@ -713,7 +743,7 @@ module.exports = {
       const sessionConfig = blocklet.settings?.session || {};
       const { sessionToken, refreshToken } = createToken(
         userDid,
-        { secret, passport, role, fullName: user.fullName, provider },
+        { secret, passport, role, fullName: user.fullName, sourceAppPid },
         { ...sessionConfig, didConnectVersion: getDidConnectVersion(request) }
       );
       return { sessionToken, refreshToken };
@@ -875,6 +905,21 @@ module.exports = {
           passports: mergePassport,
         },
       });
+      // NOTICE: 采用异步来更新，不阻塞接口的正常响应
+      node.syncFederated({
+        did: teamDid,
+        data: {
+          users: [
+            {
+              did: oauthUser.did,
+              pk: oauthUser.pk,
+              ...mergeProfile,
+              connectedAccount: [connectedAccount],
+              action: 'connectAccount',
+            },
+          ],
+        },
+      });
 
       if (!bindUser) {
         bindUser = {

package/api/libs/connect/shared.js

@@ -2,11 +2,10 @@ const get = require('lodash/get');
 const joinUrl = require('url-join');
 const { getConnectAppUrl, getChainInfo } = require('@blocklet/meta/lib/util');
 const { WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
-const { LOGIN_PROVIDER } = require('@blocklet/constant');
-const { getLoginProvider } = require('@blocklet/sdk/lib/util/login');
+const { getSourceAppPid } = require('@blocklet/sdk/lib/util/login');
 
 module.exports = {
-  appInfo: async ({ request, baseUrl, extraParams }) => {
+  appInfo: async ({ request, baseUrl }) => {
     const groupPathPrefix = request.headers['x-group-path-prefix'] || '/';
 
     const [blocklet, meta, info] = await Promise.all([
@@ -16,9 +15,9 @@ module.exports = {
     ]);
     // 对于 ux 来说， 要展示的始终是 pid，所以这个给 agentDid 的赋值也需要是 pid
     let agentDid;
-    const provider = getLoginProvider(request, extraParams);
+    const sourceAppPid = getSourceAppPid(request);
     // federated 登录模式下，需要告知原有的 blocklet-did
-    if (provider === LOGIN_PROVIDER.FEDERATED) {
+    if (sourceAppPid) {
       agentDid = blocklet.appPid;
     }
 

package/api/libs/connect/v1.js

@@ -10,8 +10,7 @@ const { sendToUser, sendToRelay } = require('@blocklet/sdk/lib/util/send-notific
 const { WELLKNOWN_SERVICE_PATH_PREFIX, NODE_SERVICES_PREFIX } = require('@abtnode/constant');
 const DynamicStorage = require('@abtnode/connect-storage');
 const { fromPublicKey } = require('@ocap/wallet');
-const { LOGIN_PROVIDER } = require('@blocklet/constant');
-const { getLoginProvider } = require('@blocklet/sdk/lib/util/login');
+const { getSourceAppPid } = require('@blocklet/sdk/lib/util/login');
 
 const cache = require('../../cache');
 const { appInfo, chainInfo } = require('./shared');
@@ -24,11 +23,11 @@ module.exports = (node, opts) => {
       const { wallet } = await request.getBlockletInfo();
       return wallet.toJSON();
     },
-    delegator: async ({ request, extraParams }) => {
-      const provider = getLoginProvider(request, extraParams);
+    delegator: async ({ request }) => {
+      const sourceAppPid = getSourceAppPid(request);
 
       const blocklet = await request.getBlocklet();
-      if (provider === LOGIN_PROVIDER.FEDERATED) {
+      if (sourceAppPid) {
         const pk = get(blocklet, 'settings.federated.sites[0].pk');
 
         // NOTE: 这里的 type 参数必须保持跟生成 blocklet 时使用的是一致的
@@ -39,7 +38,6 @@ module.exports = (node, opts) => {
           address: types.EncodingType.BASE58,
         };
         const delegator = fromPublicKey(pk, type);
-        delegator.provider = LOGIN_PROVIDER.FEDERATED;
         return delegator;
       }
 
@@ -49,10 +47,10 @@ module.exports = (node, opts) => {
       }
       return null;
     },
-    delegation: async ({ request, extraParams }) => {
+    delegation: async ({ request }) => {
       const { wallet: delegatee, permanentWallet: delegator } = await request.getBlockletInfo();
-      const provider = getLoginProvider(request, extraParams);
-      if (provider === LOGIN_PROVIDER.FEDERATED) {
+      const sourceAppPid = getSourceAppPid(request);
+      if (sourceAppPid) {
         const blocklet = await request.getBlocklet();
         const delegation = get(blocklet, 'settings.federated.config.delegation');
         return delegation;

package/api/routes/federated.js

@@ -3,6 +3,7 @@ const { signV2 } = require('@arcblock/jwt');
 const normalizePathPrefix = require('@abtnode/util/lib/normalize-path-prefix');
 const cloneDeep = require('lodash/cloneDeep');
 const get = require('lodash/get');
+const isNil = require('lodash/isNil');
 const pLimit = require('p-limit');
 const pRetry = require('p-retry');
 
@@ -29,8 +30,52 @@ const PREFIX = WELLKNOWN_SERVICE_PATH_PREFIX;
 const prefix = `${PREFIX}/api/federated`;
 const limitSync = pLimit(1);
 
+async function syncSwitchProfile(user, { node, teamDid, dataDir }) {
+  const tempUser = pick(user, ['did', 'pk', 'avatar', 'fullName', 'email']);
+
+  // 处理 avatar
+  if (tempUser.avatar) {
+    try {
+      tempUser.avatar = await getAvatarByUrl(tempUser.avatar);
+      tempUser.avatar = await extractUserAvatar(tempUser.avatar, { dataDir });
+    } catch (err) {
+      logger.error('Failed to convert user avatar', { error: err });
+    }
+  }
+
+  await node.updateUser({
+    teamDid,
+    user: tempUser,
+  });
+}
+
+async function syncConnectAccount(user, { node, teamDid, dataDir }) {
+  const tempUser = pick(user, ['did', 'pk', 'avatar', 'fullName', 'email', 'connectedAccount']);
+
+  // 处理 avatar
+  if (tempUser.avatar) {
+    try {
+      tempUser.avatar = await getAvatarByUrl(tempUser.avatar);
+      tempUser.avatar = await extractUserAvatar(tempUser.avatar, { dataDir });
+    } catch (err) {
+      logger.error('Failed to convert user avatar', { error: err });
+    }
+  }
+
+  await node.loginUser({
+    teamDid,
+    user: tempUser,
+  });
+}
+
+const syncFnMaps = {
+  switchProfile: syncSwitchProfile,
+  connectAccount: syncConnectAccount,
+};
+
 module.exports = {
   preInit(server) {
+    // 这几个 route 是在前端跨域调用的，所以需要单独配置 cors
     server.options(`${prefix}/prelogin`, cors({ credentials: true, origin: true }));
     server.options(`${prefix}/login`, cors({ credentials: true, origin: true }));
     server.options(`${prefix}/logout`, cors({ credentials: true, origin: true }));
@@ -200,16 +245,42 @@ module.exports = {
 
     // step 3 同步站点群信息(master 向 member 广播站点群信息，广播请求在 manager/disk.js 文件中 class FederatedBlockletManager 发起 )
     // 该路由为 member 接受响应的 api(只允许 master 调用)
-    server.post(`${prefix}/sync`, ensureBlocklet(), verifyFederatedCall({ isMaster: true }), async (req, res) => {
-      const { sites } = req.body.verifyData;
+    server.post(`${prefix}/sync`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
       const { blocklet } = req;
-      const federated = cloneDeep(blocklet.settings.federated || {});
-      federated.sites = sites;
-      await node.setFederated({
-        did: blocklet.appPid,
-        config: federated,
-      });
-      res.json(federated);
+      const teamDid = blocklet.appPid;
+      const { users = null, sites = null } = req.body.verifyData;
+
+      // FIXME: @zhanghan 校验 users 和 sites 数据合法性
+      const pendingList = [];
+      if (!isNil(sites)) {
+        const federated = cloneDeep(blocklet.settings.federated || {});
+        federated.sites = sites;
+        pendingList.push(
+          limitSync(async () => {
+            await node.setFederated({
+              did: blocklet.appPid,
+              config: federated,
+            });
+          })
+        );
+      }
+
+      if (!isNil(users)) {
+        if (Array.isArray(users)) {
+          const nodeInfo = await req.getNodeInfo();
+          const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
+          for (const user of users) {
+            pendingList.push(
+              limitSync(async () => {
+                await syncFnMaps[user.action]?.(user, { node, teamDid, dataDir });
+              })
+            );
+          }
+        }
+      }
+
+      await Promise.all(pendingList);
+      res.json({});
     });
 
     // step 4 检测自动登录条件(member 向 master 发起请求)
@@ -365,8 +436,9 @@ module.exports = {
           avatar,
           // HACK: @zhanghan 这里会将 passport 插入到当前用户的 passport 列表中，federated 登录不应该插入 passport
           // passport: findMapping ? targetPassport : null,
+          sourceAppPid: masterPid,
           connectedAccount: {
-            provider: LOGIN_PROVIDER.FEDERATED,
+            provider: LOGIN_PROVIDER.WALLET,
             id: masterPid,
             did: user.did,
             pk: user.pk,
@@ -380,7 +452,7 @@ module.exports = {
           role: targetPassport.role,
           passport: targetPassport,
           fullName: doc.fullName,
-          provider: LOGIN_PROVIDER.FEDERATED,
+          provider: LOGIN_PROVIDER.WALLET,
         },
         {
           ...sessionConfig,
@@ -439,6 +511,7 @@ module.exports = {
       }
       const realDid = prevUser?.did || user.did;
       const realPk = prevUser?.pk || user.pk;
+      // NOTICE: 这里是 Master 登录，不需要 sourceAppPid 字段
       const newUser = await node.loginUser({
         teamDid,
         user: {