@abtnode/blocklet-services 1.16.18 → 1.16.19-beta-e6aac665

package/api/libs/connect/session.js

@@ -48,7 +48,13 @@ const { isInvitedUserOnly, createTokenFn, getDidConnectVersion } = require('../.
 const { transferPassport } = require('../auth/utils');
 const { migrateAccount, declareAccount } = require('../../services/oauth');
 const { getTrustedIssuers, getFederatedTrustedIssuers } = require('../../util/blocklet-utils');
-const { getUserAvatarUrl, migrateAuth0, getFederatedMaster, shouldSyncFederated } = require('../../util/federated');
+const {
+  getUserAvatarUrl,
+  migrateAuth0,
+  getFederatedMaster,
+  shouldSyncFederated,
+  getUserWithinFederated,
+} = require('../../util/federated');
 
 const vcTypes = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
 
@@ -215,23 +221,16 @@ module.exports = {
       const blocklet = await request.getBlocklet();
       const blockletInfo = await request.getBlockletInfo();
       const { wallet, secret, name, passportColor, did: teamDid } = blockletInfo;
+      const sourceAppPid = getSourceAppPid(request);
 
       // Check user approved
-      const user = await node.getUser({
-        teamDid,
-        user: {
-          did: userDid,
-        },
-        options: {
-          enableConnectedAccount: true,
-        },
-      });
-      if (user && !user.approved) {
+      const currentUser = await getUserWithinFederated({ sourceAppPid, teamDid, userDid, userPk }, { node, blocklet });
+      if (currentUser && !currentUser.approved) {
         throw new Error(messages.notAllowed[locale]);
       }
 
-      const realDid = user?.did || userDid;
-      const realPk = user?.pk || userPk;
+      const realDid = currentUser?.did || userDid;
+      const realPk = currentUser?.pk || userPk;
 
       // Get auth config
       const authConfig = (await request.getServiceConfig(NODE_SERVICES.AUTH, { componentId })) || {};
@@ -244,7 +243,6 @@ module.exports = {
       let defaultTtlPolicy = 'never';
       let issuePassport = false;
 
-      const sourceAppPid = getSourceAppPid(request);
       const provider = getLoginProvider(request);
       const masterSite = getFederatedMaster(blocklet);
 
@@ -318,7 +316,7 @@ module.exports = {
 
       // Get user passport from vc
       let passport = vc ? createUserPassport(vc) : null;
-      if (user && passport && isUserPassportRevoked(user, passport)) {
+      if (currentUser && passport && isUserPassportRevoked(currentUser, passport)) {
         throw new Error(messages.passportRevoked[locale](passport.title, name));
       }
 
@@ -342,19 +340,19 @@ module.exports = {
           }
         : null;
 
-      let fullName = user?.fullName;
+      let fullName = currentUser?.fullName;
       // Update profile
       const passportForLog = passport || { name: 'Guest', role: 'guest' };
 
       const connectAccount = { provider, did: userDid, pk: userPk };
 
       let updatedUser;
-      if (user) {
+      if (currentUser) {
         updatedUser = await node.loginUser({
           teamDid,
           user: {
-            did: user.did,
-            pk: user.pk,
+            did: currentUser.did,
+            pk: currentUser.pk,
             locale,
             passport,
             sourceAppPid,

package/api/libs/connect/v1.js

@@ -66,7 +66,11 @@ module.exports = (node, opts) => {
 
   const handlerOpts = {
     authenticator,
-    tokenStorage: new DynamicStorage({ dbPath: path.join(opts.dataDir, 'connections.db') }),
+    tokenStorage: new DynamicStorage({
+      dbPath: path.join(opts.dataDir, 'connections.db'),
+      model: 'Connection',
+      primaryKey: 'token',
+    }),
     sendNotificationFn: async (connectedDid, message, { req }) => {
       const { wallet } = await req.getBlockletInfo();
       return sendToUser(

package/api/libs/connect/v2.js

@@ -1,5 +1,5 @@
 const path = require('path');
-const { NedbStorage } = require('@did-connect/storage-nedb');
+const DynamicStorage = require('@abtnode/connect-storage');
 const { Authenticator } = require('@did-connect/authenticator');
 const createHandlers = require('@blocklet/sdk/lib/connect/handler');
 const { sendToUser } = require('@blocklet/sdk/lib/util/send-notification');
@@ -22,9 +22,10 @@ module.exports = (node, opts) => {
   const handlers = createHandlers({
     logger,
     authenticator,
-    storage: new NedbStorage({
-      // FIXME: @wangshijun this does not work anymore
-      dbPath: path.join(opts.dataDir, 'sessions.db'),
+    storage: new DynamicStorage({
+      dbPath: path.join(opts.dataDir, 'connections.db'),
+      model: 'ConnectionV2',
+      primaryKey: 'sessionId',
     }),
     socketPathname: `${WELLKNOWN_SERVICE_PATH_PREFIX}/api/connect/relay/websocket`,
     sendNotificationFn: async (connectedDid, message, { request }) => {

package/api/libs/image.js

@@ -235,7 +235,7 @@ const processImage = (src, extension, dest, params) => {
       dimensions.height = height;
     }
 
-    const pipeline = sharp({ animated: true }).timeout({ seconds: 30 });
+    const pipeline = sharp({ animated: true, limitInputPixels: 0 }).timeout({ seconds: 60 });
     if (rotate) {
       pipeline.rotate(rotate);
     }
@@ -268,7 +268,7 @@ const processImage = (src, extension, dest, params) => {
       pipeline.negate();
     }
 
-    pipeline[format || EXTENSIONS[extension]]({ quality, progressive: !!progressive, force: true });
+    pipeline[format || EXTENSIONS[extension]]({ quality, progressive: !!progressive, dither: 0, force: true });
 
     pipeline.on('error', (err) => {
       reject(err);

package/api/routes/federated.js

@@ -1,4 +1,4 @@
-const { WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
+const { WELLKNOWN_SERVICE_PATH_PREFIX, FEDERATED } = require('@abtnode/constant');
 const { signV2 } = require('@arcblock/jwt');
 const normalizePathPrefix = require('@abtnode/util/lib/normalize-path-prefix');
 const cloneDeep = require('lodash/cloneDeep');
@@ -25,13 +25,12 @@ const { createTokenFn, getDidConnectVersion } = require('../util');
 const ensureBlocklet = require('../middlewares/ensure-blocklet');
 const verifyFederatedCall = require('../middlewares/verify-federated-call');
 const checkFederatedCorsCall = require('../middlewares/check-federated-cors-call');
-const { getUserAvatarUrl, getFederatedMaster } = require('../util/federated');
+const { getUserAvatarUrl, getFederatedMaster, getUserWithinFederated } = require('../util/federated');
 const { declareAccount, migrateAccount } = require('../services/oauth');
 
 const PREFIX = WELLKNOWN_SERVICE_PATH_PREFIX;
 
 const prefix = `${PREFIX}/api/federated`;
-const limitSync = pLimit(1);
 
 function getAuditLogActorByFederatedSite(blocklet) {
   return {
@@ -60,8 +59,13 @@ async function syncSwitchProfile(user, { node, teamDid, dataDir }) {
   });
 }
 
-async function syncConnectAccount(user, { node, teamDid, dataDir }) {
+/**
+ * 处理站点群中某一站点推送的同步 connectAccount 的请求
+ */
+
+async function syncConnectAccount(user, { node, teamDid, dataDir, blocklet }) {
   const tempUser = pick(user, ['did', 'pk', 'avatar', 'fullName', 'email', 'connectedAccount', 'sourceAppPid']);
+  const masterSite = getFederatedMaster(blocklet);
 
   // 处理 avatar
   if (tempUser.avatar) {
@@ -73,15 +77,71 @@ async function syncConnectAccount(user, { node, teamDid, dataDir }) {
     }
   }
 
+  // NOTICE: 如果当前站点不是 master，就需要考虑该 member 需要向 master 请求同步一次指定账户，因为指定账户可能存在于站点群，而不存在于当前站点中的情况
+  if (masterSite.appPid !== teamDid) {
+    await getUserWithinFederated(
+      {
+        sourceAppPid: tempUser.sourceAppPid,
+        teamDid,
+        userDid: tempUser.did,
+        userPk: tempUser.pk,
+      },
+      { blocklet, node }
+    );
+  }
+
   await node.loginUser({
     teamDid,
     user: tempUser,
   });
 }
 
+/**
+ * member 站点向 master 站点请求拉取一个用户信息
+ */
+async function pullUserAccount(user, { node, teamDid, blocklet }) {
+  const { did } = user;
+  const currentUser = await node.getUser({
+    teamDid,
+    user: {
+      did,
+    },
+    options: {
+      enableConnectedAccount: true,
+    },
+  });
+
+  if (!currentUser) return null;
+
+  const syncUser = pick(currentUser, [
+    'did',
+    'pk',
+    'fullName',
+    'email',
+    'remark',
+    'sourceProvider',
+    'locale',
+    'approved',
+    'extra',
+    'sourceAppPid',
+  ]);
+  syncUser.avatar = getUserAvatarUrl(currentUser.avatar, blocklet);
+  syncUser.email = syncUser.email || '';
+  syncUser.connectedAccounts = currentUser.connectedAccounts.map((x) => {
+    const connectAccount = pick(x, ['did', 'pk', 'provider', 'id']);
+    if (!connectAccount.id) {
+      delete connectAccount.id;
+    }
+    return connectAccount;
+  });
+
+  return syncUser;
+}
+
 const syncFnMaps = {
   switchProfile: syncSwitchProfile,
   connectAccount: syncConnectAccount,
+  pullAccount: pullUserAccount,
 };
 
 module.exports = {
@@ -186,6 +246,7 @@ module.exports = {
         signer: permanentWallet.address,
         data: signV2(permanentWallet.address, permanentWallet.secretKey, { sites: federated.sites }),
       };
+      const limitSync = pLimit(FEDERATED.SYNC_LIMIT);
 
       const waitingList = federated.sites
         .filter((item) => item.appId !== federated.config.appId)
@@ -313,9 +374,15 @@ module.exports = {
       const { verifySite } = req.body;
       const teamDid = blocklet.appPid;
       const { users = null, sites = null, userSessions = null } = req.body.verifyData;
+      const resultData = {
+        users: [],
+        sites: [],
+        userSessions: [],
+      };
 
       // FIXME: @zhanghan 校验 users 和 sites 数据合法性
       if (!isNil(sites)) {
+        const limitSync = pLimit(FEDERATED.SYNC_LIMIT);
         const pendingSiteList = [];
         const federated = cloneDeep(blocklet.settings.federated || {});
         federated.sites = sites;
@@ -327,34 +394,39 @@ module.exports = {
             });
           })
         );
-        await Promise.all(pendingSiteList);
+        const resList = await Promise.all(pendingSiteList);
+        resultData.sites = resList;
       }
 
       if (!isNil(users)) {
         if (Array.isArray(users)) {
+          const limitSync = pLimit(FEDERATED.SYNC_LIMIT);
           const pendingUserList = [];
           const nodeInfo = await req.getNodeInfo();
           const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
           for (const user of users) {
             pendingUserList.push(
               limitSync(async () => {
-                await syncFnMaps[user.action]?.(
+                const result = await syncFnMaps[user.action]?.(
                   {
                     ...user,
                     sourceAppPid: user.sourceAppPid === teamDid ? null : user.sourceAppPid,
                   },
-                  { node, teamDid, dataDir }
+                  { node, teamDid, dataDir, blocklet }
                 );
+                return result;
               })
             );
           }
-          await Promise.all(pendingUserList);
+          const resList = await Promise.all(pendingUserList);
+          resultData.users = resList;
         }
       }
 
       if (!isNil(userSessions)) {
         if (Array.isArray(userSessions)) {
           const pendingUserSessionList = [];
+          const limitSync = pLimit(FEDERATED.SYNC_LIMIT);
           for (const userSession of userSessions) {
             const { action, ...userSessionItem } = userSession;
             pendingUserSessionList.push(
@@ -367,7 +439,8 @@ module.exports = {
               })
             );
           }
-          await Promise.all(pendingUserSessionList);
+          const resList = await Promise.all(pendingUserSessionList);
+          resultData.userSessions = resList;
         }
       }
 
@@ -381,10 +454,13 @@ module.exports = {
         },
         node
       );
-      res.json({});
+      res.json(resultData);
     });
 
-    // step 4 检测自动登录条件(member 向 master 发起请求)
+    /**
+     * @deprecated
+     * step 4 检测自动登录条件(member 向 master 发起请求)
+     */
     server.post(
       `${prefix}/prelogin`,
       cors({ credentials: true, origin: true }),
@@ -425,7 +501,10 @@ module.exports = {
       }
     );
 
-    // step 5 完成 member 的自动登录(member 向 master 请求)
+    /**
+     * @deprecated
+     * step 5 完成 member 的自动登录(member 向 master 请求)
+     */
     server.post(
       `${prefix}/login`,
       cors({ credentials: true, origin: true }),
@@ -591,7 +670,10 @@ module.exports = {
       res.json({ sessionToken, refreshToken });
     });
 
-    // member 要求 master 退出登录
+    /**
+     * @deprecated
+     * member 要求 master 退出登录
+     */
     server.post(
       `${prefix}/logout`,
       cors({ credentials: true, origin: true }),
@@ -698,11 +780,18 @@ module.exports = {
       const teamDid = blocklet.appPid;
 
       const sessionConfig = blocklet.settings?.session || {};
-      const prevUser = await node.getUser({
-        teamDid,
-        user: { did: user.did },
-        options: { enableConnectedAccount: true },
-      });
+      const prevUser = await getUserWithinFederated(
+        {
+          teamDid,
+          sourceAppPid: verifySite.appPid,
+          userDid: user.did,
+          userPk: user.pk,
+        },
+        {
+          node,
+          blocklet,
+        }
+      );
       // HACK: member 调用 master 时，将 passport 的 role 还原为 master 中原有的 role
       const targetPassport = passport?.id ? (prevUser?.passports || []).find((item) => item.id === passport.id) : null;
 
@@ -718,7 +807,6 @@ module.exports = {
       }
       const realDid = prevUser?.did || user.did;
       const realPk = prevUser?.pk || user.pk;
-      // NOTICE: 这里是 Master 登录，不需要 sourceAppPid 字段
       const newUser = await node.loginUser({
         teamDid,
         user: {
@@ -726,6 +814,7 @@ module.exports = {
           did: realDid,
           pk: realPk,
           passport: targetPassport,
+          sourceAppPid: verifySite.appPid,
           connectedAccount: {
             provider: provider || LOGIN_PROVIDER.WALLET,
             did: user.did,

package/api/routes/oauth.js

@@ -23,7 +23,12 @@ const initJwt = require('../libs/jwt');
 const { sendToUser } = require('../libs/notification');
 const { isInvitedUserOnly, createTokenFn, getDidConnectVersion } = require('../util');
 const { ApiError } = require('../util/error');
-const { loginAuth0, getFederatedMaster, getOAuthUserInfo, shouldSyncFederated } = require('../util/federated');
+const {
+  getFederatedMaster,
+  getOAuthUserInfo,
+  shouldSyncFederated,
+  getUserWithinFederated,
+} = require('../util/federated');
 
 const PREFIX = WELLKNOWN_SERVICE_PATH_PREFIX;
 
@@ -99,15 +104,7 @@ async function login(req, node, options) {
 
   const lastLoginIp = get(req, 'headers[x-real-ip]') || '';
   let passport = { name: 'Guest', role: 'guest' };
-  let currentUser = await node.getUser({
-    teamDid,
-    user: {
-      did: userDid,
-    },
-    options: {
-      enableConnectedAccount: true,
-    },
-  });
+  let currentUser = await getUserWithinFederated({ sourceAppPid, teamDid, userDid, userPk }, { node, blocklet });
   let doc;
   let passportForLog;
   const fullName = currentUser?.fullName || oauthInfo?.nickname;
@@ -117,6 +114,7 @@ async function login(req, node, options) {
     pk: userPk,
     id: oauthInfo.sub,
   };
+  const masterSite = getFederatedMaster(blocklet);
   let profile;
   // 当前账户已存在，更新账户信息
   if (currentUser) {
@@ -156,6 +154,7 @@ async function login(req, node, options) {
     if (invitedUserOnly) {
       throw new ApiError(403, t('needInviteToLogin', locale));
     }
+
     passportForLog = { name: 'Guest', role: 'guest' };
     profile = {
       fullName: oauthInfo.nickname,
@@ -186,7 +185,6 @@ async function login(req, node, options) {
     node
   );
 
-  const masterSite = getFederatedMaster(blocklet);
   const ua = req.headers['user-agent'];
   const userSessionDoc = await node.upsertUserSession({
     teamDid,
@@ -279,15 +277,16 @@ async function invite(req, node, options) {
 
   // NOTICE: 如果是统一登录，则向 master 站点发起 oauth 登录请求，auth0 的账户信息必须由 master 来生成
   if (sourceAppPid) {
-    const data = await loginAuth0({
+    const data = await getOAuthUserInfo({
       request: req,
       blocklet,
-      locale,
       provider,
       token,
       sourceAppPid,
+      locale,
     });
-    ({ oauthInfo, userWallet } = data);
+    userWallet = data.wallet;
+    oauthInfo = data.info;
   } else {
     const authClient = getAuthClient(blocklet, provider);
     oauthInfo = await authClient.getProfile(token);
@@ -299,15 +298,9 @@ async function invite(req, node, options) {
   let userPk = userWallet.publicKey;
 
   let profile;
-  const currentUser = await node.getUser({
-    teamDid,
-    user: {
-      did: userDid,
-    },
-    options: {
-      enableConnectedAccount: true,
-    },
-  });
+
+  const currentUser = await getUserWithinFederated({ sourceAppPid, teamDid, userDid, userPk }, { node, blocklet });
+
   const { dataDir, name: applicationName } = await getApplicationInfo({ node, nodeInfo, teamDid });
   if (currentUser) {
     profile = {
@@ -340,8 +333,8 @@ async function invite(req, node, options) {
     profile,
     statusEndpointBaseUrl,
     teamDid,
-    userDid,
-    userPk,
+    userDid: userWallet.address,
+    userPk: userWallet.publicKey,
     locale,
     provider,
   });
@@ -506,7 +499,7 @@ async function bind(req, node, options) {
   if (!avatar) {
     const nodeInfo = await req.getNodeInfo();
     const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
-    avatar = await getAvatarByEmail(userInfo.email);
+    avatar = userInfo.picture ? await getAvatarByUrl(userInfo.picture) : await getAvatarByEmail(userInfo.email);
     avatar = await extractUserAvatar(avatar, { dataDir });
   }
 

package/api/routes/user-session.js

@@ -7,6 +7,7 @@ const defaults = require('lodash/defaults');
 const cloneDeep = require('lodash/cloneDeep');
 const pLimit = require('p-limit');
 const logger = require('@abtnode/logger')('blocklet-services:user-session');
+const { getSourceProvider } = require('@blocklet/meta/lib/did-utils');
 
 const ensureBlocklet = require('../middlewares/ensure-blocklet');
 const { getUserAvatarUrl } = require('../util/federated');
@@ -103,6 +104,9 @@ module.exports = {
           },
           sites: [],
         });
+        const sourceProvider = getSourceProvider(user);
+
+        const provider = sourceProvider || LOGIN_PROVIDER.WALLET;
 
         const memberSite = federated.sites.find((item) => item.appPid === appPid);
         const postUser = pick(user, ['did', 'pk', 'fullName', 'locale']);
@@ -121,7 +125,7 @@ module.exports = {
             user: postUser,
             passport: passportId ? { id: passportId } : undefined,
             walletOS: 'web',
-            provider: LOGIN_PROVIDER.WALLET,
+            provider,
           },
           site: memberSite,
         });

package/api/routes/user.js

@@ -175,6 +175,7 @@ async function loginOAuth(
     throw new ApiError(400, error.message);
   }
 
+  // FIXME: @zhanghan 如果有 sourceAppPid，则这里拿到的 userWallet 是不对的？
   const userWallet = fromAppDid(id, blockletWallet.secretKey);
   const userDid = userWallet.address;
   const userPk = userWallet.publicKey;

package/api/services/auth/connect/invite.js

@@ -13,6 +13,7 @@ const { LOGIN_PROVIDER } = require('@blocklet/constant');
 const logger = require('@abtnode/logger')(require('../../../../package.json').name);
 
 const { createTokenFn, getDidConnectVersion } = require('../../../util');
+const { getUserWithinFederated } = require('../../../util/federated');
 
 module.exports = function createRoutes(node, authenticator, createSessionToken) {
   return {
@@ -65,7 +66,9 @@ module.exports = function createRoutes(node, authenticator, createSessionToken)
       const statusEndpointBaseUrl = joinUrl(baseUrl, WELLKNOWN_SERVICE_PATH_PREFIX);
       const endpoint = baseUrl;
 
-      const { passport, response, role, profile } = await handleInvitationResponse({
+      await getUserWithinFederated({ sourceAppPid, teamDid, userDid, userPk }, { node, blocklet });
+
+      const { passport, response, role, profile, user } = await handleInvitationResponse({
         req,
         node,
         nodeInfo,
@@ -85,7 +88,7 @@ module.exports = function createRoutes(node, authenticator, createSessionToken)
       const createToken = createTokenFn(createSessionToken);
       const sessionConfig = blocklet.settings?.session || {};
       const { sessionToken, refreshToken } = createToken(
-        userDid,
+        user.did,
         {
           secret,
           passport,
@@ -102,7 +105,7 @@ module.exports = function createRoutes(node, authenticator, createSessionToken)
       const userSessionDoc = await node.upsertUserSession({
         teamDid,
         visitorId,
-        userDid,
+        userDid: user.did,
         appPid: teamDid,
         passportId: response.data.id,
         status: 'online',
@@ -111,7 +114,7 @@ module.exports = function createRoutes(node, authenticator, createSessionToken)
       });
       node.syncUserSession({
         teamDid,
-        userDid,
+        userDid: user.did,
         visitorId: userSessionDoc.visitorId,
         passportId: passport?.id,
         targetAppPid: sourceAppPid,
@@ -127,7 +130,7 @@ module.exports = function createRoutes(node, authenticator, createSessionToken)
         true
       );
       await updateSession({ passportId: response.data.id });
-      logger.info('invite.success', { userDid });
+      logger.info('invite.success', { userDid: user.did });
 
       return response;
     },

package/api/util/federated.js

@@ -115,6 +115,50 @@ function shouldSyncFederated(sourceAppPid, blocklet) {
   return false;
 }
 
+async function getUserWithinFederated({ userDid, userPk, teamDid, sourceAppPid }, { node, blocklet }) {
+  let currentUser = await node.getUser({
+    teamDid,
+    user: {
+      did: userDid,
+    },
+    options: {
+      enableConnectedAccount: true,
+    },
+  });
+  if (!currentUser && shouldSyncFederated(sourceAppPid, blocklet)) {
+    const masterSite = getFederatedMaster(blocklet);
+    const syncResults = await node.syncFederated({
+      did: teamDid,
+      data: {
+        users: [
+          {
+            did: userDid,
+            pk: userPk,
+            action: 'pullAccount',
+          },
+        ],
+      },
+      syncSites: [masterSite],
+    });
+    const resultItem = syncResults.find((x) => x.site.appPid === masterSite.appPid);
+    if (resultItem) {
+      const { result } = resultItem;
+      const [pullUser] = result?.users || [];
+      if (pullUser) {
+        pullUser.sourceAppPid = masterSite.appPid;
+        pullUser.connectedAccount = pullUser.connectedAccounts;
+        delete pullUser.connectedAccounts;
+        currentUser = await node.loginUser({
+          teamDid,
+          user: pullUser,
+        });
+      }
+    }
+  }
+
+  return currentUser;
+}
+
 module.exports = {
   isMaster,
   shouldSyncFederated,
@@ -124,4 +168,5 @@ module.exports = {
   migrateAuth0,
   getOAuthUserInfo,
   loginByMember,
+  getUserWithinFederated,
 };

package/api/validators/login.js

@@ -25,7 +25,7 @@ const loginUserWalletSchema = Joi.object({
   nonce: Joi.string().required(),
   visitorId: Joi.string().optional(),
   passportId: Joi.string().optional(),
-  sourceAppPid: Joi.DID().trim().optional(),
+  sourceAppPid: Joi.DID().trim().empty(null),
   locale: Joi.string().optional(),
 }).empty(null);