npm - @abtnode/blocklet-services - Versions diffs - 1.16.26-beta-818ea1c5 → 1.16.26-beta-cca12425 - Mend

@abtnode/blocklet-services 1.16.26-beta-818ea1c5 → 1.16.26-beta-cca12425

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (268) hide show

package/api/libs/auth/adapters/apple.js ADDED Viewed

@@ -0,0 +1,78 @@
+const jwt = require('jsonwebtoken');
+// https://appleid.apple.com/.well-known/openid-configuration
+/**
+ * @typedef {Object} AppleUserProfile
+ * @property {string} iss - issuer of oauth provider
+ * @property {string} aud
+ * @property {string} at_hash
+ * @property {string} iat
+ * @property {string} exp
+ * @property {string} sub - user's usb
+ * @property {string} email - user's email
+ * @property {boolean} email_verified - user's email is verified
+ * @property {boolean} is_private_email - user's email is verified
+ */
+function Apple(options) {
+  return {
+    id: 'apple',
+    name: 'Apple',
+    type: 'oidc',
+    issuer: 'https://appleid.apple.com',
+    jwks_uri: 'https://appleid.apple.com/auth/keys',
+    token: 'https://appleid.apple.com/auth/token',
+    authorization: {
+      url: 'https://appleid.apple.com/auth/authorize',
+      params: {
+        scope: 'name email',
+        response_mode: 'form_post',
+        prompt: 'login',
+      },
+    },
+    /**
+     * @param {AppleUserProfile} profile
+     * @returns {Object}
+     */
+    profile(profile) {
+      return {
+        sub: `appleid|${profile.sub}`,
+        // HACK: apple 可能无法正确获得用户名，使用 email 做为兜底方案
+        name: profile.name || profile.email,
+        email: profile.email,
+        picture: null,
+        emailVerified: profile.email_verified,
+        extraData: {
+          isPrivateEmail: profile.is_private_email,
+        },
+      };
+    },
+    getClientId() {
+      return options.serviceId;
+    },
+    getClientSecret() {
+      const headers = {
+        alg: 'ES256',
+        kid: options.keyId,
+      };
+      const timeNow = Math.floor(Date.now() / 1000);
+      const claims = {
+        iss: options.teamId,
+        aud: 'https://appleid.apple.com',
+        sub: options.serviceId,
+        iat: timeNow,
+        exp: timeNow + 86400,
+      };
+      const token = jwt.sign(claims, options.authKey, {
+        algorithm: 'ES256',
+        header: headers,
+      });
+      return token;
+    },
+    options,
+  };
+}
+module.exports = Apple;

package/api/libs/auth/adapters/auth0.js ADDED Viewed

@@ -0,0 +1,56 @@
+// https://auth0.openai.com/.well-known/openid-configuration
+/**
+ * @typedef {Object} Auth0UserProfile
+ * @property {string} sub - The subject of the user profile.
+ * @property {string} name - The name of the user.
+ * @property {string} picture - The picture URL of the user.
+ * @property {string} email - The email of the user.
+ * @property {boolean} email_verified - Indicates if the user's email is verified.
+ * @property {string} locale - The locale of the user.
+ * @property {string} nickname - The nickname of the user.
+ * @property {string} updated_at - The last time the user profile was updated.
+ * @property {string} iss - The issuer of the token.
+ * @property {string} aud - The audience of the token.
+ * @property {number} iat - The issued at time of the token.
+ * @property {number} exp - The expiration time of the token.
+ * @property {string} sid
+ */
+const { joinURL } = require('ufo');
+function Auth0(options) {
+  const { issuer } = options;
+  return {
+    id: 'auth0',
+    name: 'Auth0',
+    type: 'oidc',
+    issuer,
+    jwks_uri: joinURL(issuer, '/.well-known/jwks.json'),
+    authorization: {
+      url: joinURL(issuer, '/authorize'),
+      params: {
+        prompt: 'login',
+        scope: 'openid profile email',
+      },
+    },
+    token: joinURL(issuer, '/oauth/token'),
+    userinfo: {
+      url: joinURL(issuer, '/userinfo'),
+    },
+    /**
+     * @param {Auth0UserProfile} profile - The profile object to be modified.
+     * @return {Object} The modified profile object.
+     */
+    profile(profile) {
+      return {
+        ...profile,
+        name: profile.nickname || profile.name,
+        emailVerified: profile.email_verified,
+      };
+    },
+    options,
+  };
+}
+module.exports = Auth0;

package/api/libs/auth/adapters/facebook.js ADDED Viewed

@@ -0,0 +1,34 @@
+function Facebook(options) {
+  return {
+    id: 'facebook',
+    name: 'Facebook',
+    type: 'oauth',
+    authorization: {
+      url: 'https://www.facebook.com/v15.0/dialog/oauth',
+      params: {
+        scope: 'email',
+      },
+    },
+    token: 'https://graph.facebook.com/oauth/access_token',
+    userinfo: {
+      // https://developers.facebook.com/docs/graph-api/reference/user/#fields
+      url: 'https://graph.facebook.com/me?fields=id,name,email,picture',
+      request({ tokens, provider }) {
+        return fetch(provider.userinfo?.url, {
+          headers: { Authorization: `Bearer ${tokens.access_token}` },
+        }).then((res) => res.json());
+      },
+    },
+    profile(profile) {
+      return {
+        id: profile.id,
+        name: profile.name,
+        email: profile.email,
+        image: profile.picture.data.url,
+      };
+    },
+    options,
+  };
+}
+module.exports = Facebook;

package/api/libs/auth/adapters/github.js ADDED Viewed

@@ -0,0 +1,75 @@
+const { default: axios } = require('axios');
+const logger = require('../../logger')('blocklet-services:oauth');
+function GitHub(options) {
+  const baseUrl = 'https://github.com';
+  const apiBaseUrl = 'https://api.github.com';
+  return {
+    id: 'github',
+    name: 'GitHub',
+    type: 'oauth',
+    authorization: {
+      url: `${baseUrl}/login/oauth/authorize`,
+      params: {
+        scope: 'read:user user:email',
+        // HACK: prompt: login 对 github 没效果，如果当前只登录了一个 github 账号，则会跳过登录页面直接成功，只能设置为 consent，让页面不直接登录
+        prompt: 'consent',
+      },
+    },
+    token: `${baseUrl}/login/oauth/access_token`,
+    userinfo: {
+      async request({ tokens }) {
+        const url = `${apiBaseUrl}/user`;
+        const { data } = await axios.get(url, {
+          headers: {
+            Authorization: `token ${tokens.access_token}`,
+            'User-Agent': '@blocklet/auth',
+            Accept: 'application/json',
+          },
+        });
+        if (!data.email) {
+          // If the user does not have a public email, get another via the GitHub API
+          // See https://docs.github.com/en/rest/users/emails#list-public-email-addresses-for-the-authenticated-user
+          try {
+            const { data: emails } = await axios.get(`${apiBaseUrl}/user/emails`, {
+              headers: {
+                Authorization: `Bearer ${tokens.access_token}`,
+                'User-Agent': '@blocklet/auth',
+                Accept: 'application/json',
+              },
+            });
+            data.email = (emails.find((e) => e.primary) ?? emails[0]).email;
+          } catch (err) {
+            logger.error('Failed to get github user email');
+          }
+        }
+        return data;
+      },
+    },
+    profile(profile) {
+      return {
+        sub: `github|${profile.id}`,
+        name: profile.name ?? profile.login,
+        email: profile.email,
+        picture: profile.avatar_url,
+        extraData: {
+          login: profile.login,
+          nodeId: profile.node_id,
+          company: profile.company,
+          blog: profile.blog,
+          location: profile.location,
+          hireable: profile.hireable,
+          bio: profile.bio,
+          twitterUsername: profile.twitter_username,
+          twoFactorAuthentication: profile.two_factor_authentication,
+        },
+      };
+    },
+    options,
+  };
+}
+module.exports = GitHub;

package/api/libs/auth/adapters/google.js ADDED Viewed

@@ -0,0 +1,66 @@
+// https://accounts.google.com/.well-known/openid-configuration
+/**
+ * @typedef {Object} GoogleUserProfile
+ * @property {string} iss - issuer of oauth provider
+ * @property {string} azp
+ * @property {string} aud
+ * @property {string} at_hash
+ * @property {string} iat
+ * @property {string} exp
+ * @property {string} sub - user's usb
+ * @property {string} email - user's email
+ * @property {string} name - user's name
+ * @property {string} picture - user's avatar url
+ * @property {string} email_verified - user's email is verifyed
+ * @property {string} given_name
+ * @property {string} family_name
+ */
+/**
+ * @typedef {Object} UserProfile
+ * @property {string} sub - The subject of the user profile.
+ * @property {string} name - The name of the user.
+ * @property {string} picture - The picture URL of the user.
+ * @property {string} email - The email of the user.
+ * @property {boolean} [email_verified] - Indicates if the user's email is verified.
+ */
+function Google(options) {
+  return {
+    id: 'google',
+    name: 'Google',
+    type: 'oidc',
+    issuer: 'https://accounts.google.com',
+    jwks_uri: 'https://www.googleapis.com/oauth2/v3/certs',
+    authorization: {
+      url: 'https://accounts.google.com/o/oauth2/v2/auth',
+      params: {
+        scope: 'openid profile email',
+        prompt: 'login',
+      },
+    },
+    token: 'https://oauth2.googleapis.com/token',
+    userinfo: 'https://openidconnect.googleapis.com/v1/userinfo',
+    options,
+    /**
+     * @param {GoogleUserProfile} profile
+     * @returns {UserProfile}
+     */
+    profile(profile) {
+      return {
+        sub: `google-oauth2|${profile.sub}`,
+        name: profile.name,
+        picture: profile.picture,
+        email: profile.email,
+        emailVerified: profile.email_verified,
+        extraData: {
+          givenName: profile.given_name,
+          familyName: profile.family_name,
+        },
+      };
+    },
+  };
+}
+module.exports = Google;

package/api/libs/auth/adapters/twitter.js ADDED Viewed

@@ -0,0 +1,22 @@
+function Twitter(options) {
+  return {
+    id: 'twitter',
+    name: 'Twitter',
+    type: 'oauth',
+    checks: ['pkce', 'state'],
+    authorization: 'https://twitter.com/i/oauth2/authorize?scope=users.read tweet.read offline.access',
+    token: 'https://api.twitter.com/2/oauth2/token',
+    userinfo: 'https://api.twitter.com/2/users/me?user.fields=profile_image_url',
+    profile({ data }) {
+      return {
+        id: data.id,
+        name: data.name,
+        email: data.email ?? null,
+        image: data.profile_image_url,
+      };
+    },
+    options,
+  };
+}
+module.exports = Twitter;

package/api/libs/auth/index.js ADDED Viewed

@@ -0,0 +1,170 @@
+const { default: axios } = require('axios');
+const logger = require('../logger')('blocklet-services:oauth');
+const { verifyIdToken } = require('../../services/oauth');
+/**
+ * @typedef {Object} Provider
+ * @property {string} id - provider id
+ * @property {string} name - provider 名称
+ * @property {string} authorizeUrl - 授权的 url
+ * @property {string} [scope] - 获取的授权范围，以空格分隔
+ * @property {string} clientId - client id
+ * @property {string} clientSecret - client secret
+ */
+/**
+ * @typedef {Object} AuthorizationToken
+ * @property {string} access_token
+ * @property {string} [id_token] - 包含了用户信息，通过 jwt 解码可获取
+ */
+/**
+ * @typedef {Object} UserProfile
+ * @property {string} sub - The subject of the user profile.
+ * @property {string} name - The name of the user.
+ * @property {string} picture - The picture URL of the user.
+ * @property {string} email - The email of the user.
+ * @property {boolean} [email_verified] - Indicates if the user's email is verified.
+ */
+/**
+ * 根据 url 和 params 参数生成最终的 url
+ * @param {string | {url: string, params: object}} urlLike - The URL string or an object containing the URL and parameters.
+ * @param {object} params - The parameters to append to the URL.
+ * @return {string} The complete URL string with parameters appended.
+ */
+function getUrl(urlLike, params) {
+  const uri = typeof urlLike === 'string' ? urlLike : urlLike.url;
+  const appendParams =
+    typeof urlLike === 'string'
+      ? { ...params }
+      : {
+          ...urlLike.params,
+          ...params,
+        };
+  const url = new URL(uri);
+  for (const k of Object.keys(appendParams)) {
+    const v = appendParams[k];
+    if (v !== undefined) {
+      url.searchParams.set(k, v);
+    }
+  }
+  return url.toString();
+}
+class OAuthClient {
+  /**
+   * Constructor for initializing providers.
+   * @param {Object} options
+   * @param {Provider} options.provider
+   */
+  constructor({ provider }) {
+    this.provider = provider;
+  }
+  /**
+   * 获取 oauth 授权 code 用的地址
+   *
+   * @return {string}
+   */
+  getAuthorizationUrl() {
+    if (this.provider.authorization?.request) {
+      return this.provider.authorization.request();
+    }
+    return getUrl(this.provider.authorization, {
+      response_type: 'code',
+      client_id: this.provider?.getClientId?.() || this.provider.options.clientId,
+      redirect_uri: this.provider.options.callbackUrl,
+    });
+  }
+  /**
+   * 通过授权码换取 token
+   *
+   * @param {Object} code - oauth 步骤的授权码
+   * @return {Promise<AuthorizationToken>}
+   */
+  async getToken({ code }) {
+    try {
+      if (this.provider.token?.request) {
+        return this.provider.token.request();
+      }
+      const params = {
+        grant_type: 'authorization_code',
+        client_id: this.provider?.getClientId?.() || this.provider.options.clientId,
+        client_secret: this.provider?.getClientSecret?.() || this.provider.options.clientSecret,
+        code,
+        redirect_uri: this.provider.options.callbackUrl,
+      };
+      // 标准的 oauth code-flow 协议要求是使用 application/x-www-form-urlencoded 来携带数据，所以此处使用 URLSearchParams 来传递数据
+      const { data } = await axios.post(this.provider.token, new URLSearchParams(params), {
+        headers: { Accept: 'application/json' },
+      });
+      return data;
+    } catch (err) {
+      logger.error('Failed get token', { error: err });
+      throw new Error(`Failed get token: ${err.message}`);
+    }
+  }
+  /**
+   * 通过授权 token 获取用户信息
+   * @param {AuthorizationToken} tokens
+   * @returns {Object} user info, 具体信息根据不同平台有不同的结构
+   */
+  async getUserInfo(tokens) {
+    try {
+      if (tokens.id_token) {
+        const cliams = await verifyIdToken({
+          clientId: this.provider?.getClientId?.() || this.provider.options.clientId,
+          idToken: tokens.id_token,
+          iss: this.provider.issuer,
+          jwksUri: this.provider.jwks_uri,
+          nonce: tokens.nonce,
+        });
+        return cliams;
+      }
+      if (this.provider.userinfo?.request) {
+        return this.provider.userinfo.request({ tokens });
+      }
+      const url = new URL(this.provider.userinfo?.url || this.provider.userinfo);
+      const { data } = await axios.get(url.toString(), {
+        headers: {
+          Authorization: `Bearer ${tokens.access_token}`,
+          'User-Agent': '@blocklet/auth',
+          Accept: 'application/json',
+        },
+      });
+      return data;
+    } catch (err) {
+      logger.error('Failed get user info', { error: err });
+      throw new Error(`Failed get user info: ${err.message}`);
+    }
+  }
+  /**
+   * 通过授权 token 获取标准格式化后的用户信息
+   * @param {AuthorizationToken} tokens
+   * @returns {UserProfile} 返回标准格式化后的用户信息
+   */
+  async getProfile(tokens) {
+    try {
+      const userInfo = await this.getUserInfo(tokens);
+      if (this.provider.profile) {
+        return this.provider.profile(userInfo);
+      }
+      return userInfo;
+    } catch (err) {
+      logger.error('Failed get user profile', { error: err });
+      throw new Error(`Failed get user profile: ${err.message}`);
+    }
+  }
+}
+module.exports = {
+  OAuthClient,
+};

package/api/routes/federated.js CHANGED Viewed

@@ -95,6 +95,27 @@ async function syncConnectAccount(user, { node, teamDid, dataDir, blocklet }) {
   });
 }
+async function syncDisconnectAccount(user, { node, teamDid, blocklet }) {
+  const { disconnectedAccount, sourceAppPid, did, pk } = user;
+  const masterSite = getFederatedMaster(blocklet);
+  if (masterSite.appPid !== teamDid) {
+    await getUserWithinFederated(
+      {
+        sourceAppPid,
+        teamDid,
+        userDid: did,
+        userPk: pk,
+      },
+      { blocklet, node }
+    );
+  }
+  await node.disconnectUserAccount({
+    teamDid,
+    connectedAccount: disconnectedAccount,
+  });
+}
 /**
  * member 站点向 master 站点请求拉取一个用户信息
  */
@@ -127,7 +148,7 @@ async function pullUserAccount(user, { node, teamDid, blocklet }) {
   syncUser.avatar = getUserAvatarUrl(currentUser.avatar, blocklet);
   syncUser.email = syncUser.email || '';
   syncUser.connectedAccounts = currentUser.connectedAccounts.map((x) => {
-    const connectAccount = pick(x, ['did', 'pk', 'provider', 'id']);
+    const connectAccount = pick(x, ['did', 'pk', 'provider', 'id', 'userInfo']);
     if (!connectAccount.id) {
       delete connectAccount.id;
     }
@@ -140,6 +161,7 @@ async function pullUserAccount(user, { node, teamDid, blocklet }) {
 const syncFnMaps = {
   switchProfile: syncSwitchProfile,
   connectAccount: syncConnectAccount,
+  disconnectAccount: syncDisconnectAccount,
   pullAccount: pullUserAccount,
 };