npm - @abtnode/blocklet-services - Versions diffs - 1.16.26-beta-818ea1c5 → 1.16.26-beta-cca12425 - Mend

@abtnode/blocklet-services 1.16.26-beta-818ea1c5 → 1.16.26-beta-cca12425

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (268) hide show

package/api/routes/oauth.js CHANGED Viewed

@@ -10,25 +10,27 @@ const last = require('lodash/last');
 const pick = require('lodash/pick');
 const uniqBy = require('lodash/uniqBy');
 const sortBy = require('lodash/sortBy');
+const cloneDeep = require('lodash/cloneDeep');
 const joinUrl = require('url-join');
-const { getWalletDid } = require('@blocklet/meta/lib/did-utils');
+const { getWalletDid, getConnectedAccounts, getSourceProvider } = require('@blocklet/meta/lib/did-utils');
 const formatContext = require('@abtnode/util/lib/format-context');
 const createTranslator = require('@abtnode/util/lib/translate');
 const { LOGIN_PROVIDER } = require('@blocklet/constant');
+const { withHttps, withTrailingSlash } = require('ufo');
 const logger = require('../libs/logger')('oauth');
-const { AuthenticationClient } = require('../libs/auth/adapters/auth0');
+const { OAuthClient } = require('../libs/auth');
+const OAuthAuth0 = require('../libs/auth/adapters/auth0');
+const OAuthAuth0Legacy = require('../libs/auth/adapters/auth0-legacy');
+const OAuthGithub = require('../libs/auth/adapters/github');
+const OAuthGoogle = require('../libs/auth/adapters/google');
+const OAuthApple = require('../libs/auth/adapters/apple');
 const { getAvatarByEmail, transferPassport, getAvatarByUrl } = require('../libs/auth/utils');
 const initJwt = require('../libs/jwt');
 const { sendToUser } = require('../libs/notification');
 const { isInvitedUserOnly, createTokenFn, getDidConnectVersion } = require('../util');
 const { ApiError } = require('../util/error');
-const {
-  getFederatedMaster,
-  getOAuthUserInfo,
-  shouldSyncFederated,
-  getUserWithinFederated,
-} = require('../util/federated');
+const federatedUtil = require('../util/federated');
 const PREFIX = WELLKNOWN_SERVICE_PATH_PREFIX;
@@ -40,65 +42,142 @@ const translations = {
     needInviteToLogin: '你需要被邀请才可以登录此应用',
     alreadyMainAccount: '当前邮箱已经绑定过该应用，不过你可以先以此邮箱登陆，然后再绑定钱包账户',
     alreadyBindWallet: '当前邮箱已经绑定过钱包账户 {did}。',
+    alreadyExist: '当前账户已存在，无法完成绑定操作。',
+    alreadyBindProvider: '当前账户绑定过 {provider}，无法完成绑定操作。',
     oauthCantBeOwner: '第三方登录的账户不能成为应用的拥有者',
     oauthCantBindOauth: '第三方登录的账户无法绑定另一个第三方登录的账户',
+    cantUnbindWalletAccount: '不能解绑钱包账户',
+    cantUnbindSourceProvider: '不能解绑源账户',
+    accountNotExist: '第三方登录的账户不存在，无法完成解绑操作',
   },
   en: {
     needInviteToLogin: 'You need to be invited to login in to this app',
     alreadyMainAccount:
       'Your email has already logged in to the app, so binding cannot be completed. However, you can first log in with this email and then bind your wallet account.',
     alreadyBindWallet: 'Your account is already bond to wallet account {did}, so binding can not be completed.',
+    alreadyExist: 'Your account already exists, so binding cannot be completed.',
+    alreadyBindProvider: 'Your account is already bind to {provider}, so binding can not be completed.',
     oauthCantBeOwner: "Can't login oauth account as owner",
     oauthCantBindOauth: "Current account can't bind to a third party account",
+    cantUnbindWalletAccount: 'Cannot unbind wallet provider',
+    cantUnbindSourceProvider: 'Cannot unbind source provider',
+    accountNotExist: "Connected account is not exist, can't finish disconnect",
   },
 };
 const t = createTranslator({ translations });
-function getAuthClient(blocklet, provider) {
-  const oauthConfig = blocklet?.settings?.oauth || {};
-  const providerConfig = oauthConfig?.[provider];
-  if (!providerConfig) {
-    throw new ApiError(400, `Provider ${provider} is not valid`);
-  }
-  const authClient = new AuthenticationClient({
-    domain: providerConfig.domain,
+async function getOAuthUserInfo({ blocklet, provider, token, idToken, code, appPid }) {
+  let oauthInfo;
+  const authClient = getAuthClient(blocklet, provider, {
+    appPid,
+    legacy: Boolean(token && provider === 'auth0'),
   });
-  return authClient;
-}
-async function login(req, node, options) {
-  const blocklet = await req.getBlocklet();
-  const { token, locale = 'en', provider, componentId, sourceAppPid = null, visitorId } = req.body;
-  if (!blocklet.settings?.owner) {
-    throw new ApiError(400, t('oauthCantBeOwner', locale));
+  // FIXME: @zhanghan 临时兼容 auth0 这种直接传 token 的方式，将来要废弃这种方式
+  if (token && provider === 'auth0') {
+    oauthInfo = await authClient.getProfile(token);
+  } else if (idToken) {
+    // FIXME: @zhanghan 临时提供 id_token 方案，将来要废弃这种方式
+    oauthInfo = await authClient.getProfile({ id_token: idToken });
+  } else if (code) {
+    const oauthToken = await authClient.getToken({ code });
+    oauthInfo = await authClient.getProfile(oauthToken);
   }
-  const { did: teamDid, wallet: blockletWallet, secret, appUrl } = await req.getBlockletInfo();
+  return oauthInfo;
+}
+async function getOAuthFederatedUserInfo(req, { blocklet }) {
   let userWallet;
   let oauthInfo;
+  const { token, idToken, code, provider, sourceAppPid = null } = req.body;
+  // appUrl
+  const { wallet: blockletWallet } = await req.getBlockletInfo();
   // NOTICE: 如果是统一登录，则向 master 站点发起 oauth 用户信息查询请求，auth0 的账户信息必须由 master 来生成
   if (sourceAppPid) {
-    const data = await getOAuthUserInfo({
+    const data = await federatedUtil.getOAuthUserInfo({
       request: req,
       blocklet,
       provider,
-      token,
       sourceAppPid,
+      // 三种用于获取用户信息的方式，任选其一即可
+      token,
+      idToken,
+      code,
     });
     userWallet = data.wallet;
     oauthInfo = data.info;
   } else {
-    const authClient = getAuthClient(blocklet, provider);
-    oauthInfo = await authClient.getProfile(token);
+    oauthInfo = await getOAuthUserInfo({ blocklet, provider, code, idToken, token });
     userWallet = fromAppDid(oauthInfo.sub, blockletWallet.secretKey);
   }
+  return { info: oauthInfo, wallet: userWallet };
+}
+function getAuthClient(blocklet, provider, { legacy = false, appPid } = {}) {
+  const oauthConfig = cloneDeep(blocklet?.settings?.oauth || {});
+  const providerConfig = oauthConfig?.[provider];
+  if (!providerConfig) {
+    throw new ApiError(400, `Provider ${provider} is not valid`);
+  }
+  let appUrl = blocklet?.environmentObj?.BLOCKLET_APP_URL;
+  if (appPid) {
+    const federatedSites = blocklet.settings?.federated?.sites || [];
+    const loginSite = federatedSites.find((x) => x.appPid === appPid);
+    appUrl = loginSite.appUrl;
+  }
+  providerConfig.callbackUrl = `${appUrl}/.well-known/service/oauth/callback/${provider}`;
+  if (provider === 'auth0') {
+    if (legacy) {
+      // FIXME: @zhanghan 将来需要移除 legacy auth0 的支持
+      return new OAuthAuth0Legacy.AuthenticationClient({
+        domain: providerConfig.domain,
+      });
+    }
+    if (!providerConfig.clientSecret) {
+      throw new Error('missing client secret');
+    }
+    return new OAuthClient({
+      provider: OAuthAuth0({
+        // HACK: auth0 比较奇葩，它的 issuer 有斜杠后缀
+        issuer: withTrailingSlash(withHttps(providerConfig.domain)),
+        clientId: providerConfig.clientId,
+        clientSecret: providerConfig.clientSecret,
+        callbackUrl: providerConfig.callbackUrl,
+      }),
+    });
+  }
+  if (provider === 'github') {
+    return new OAuthClient({ provider: OAuthGithub(providerConfig) });
+  }
+  if (provider === 'google') {
+    return new OAuthClient({ provider: OAuthGoogle(providerConfig) });
+  }
+  if (provider === 'apple') {
+    return new OAuthClient({ provider: OAuthApple(providerConfig) });
+  }
+  return null;
+}
+async function login(req, node, options) {
+  const blocklet = await req.getBlocklet();
+  const { locale = 'en', provider, componentId, sourceAppPid = null, visitorId } = req.body;
+  if (!blocklet.settings?.owner) {
+    throw new ApiError(400, t('oauthCantBeOwner', locale));
+  }
+  const { did: teamDid, secret, appUrl } = await req.getBlockletInfo();
+  const { info: oauthInfo, wallet: userWallet } = await getOAuthFederatedUserInfo(req, {
+    blocklet,
+  });
   const userDid = userWallet.address;
   const userPk = userWallet.publicKey;
+  // FIXME: @zhanghan 这里通过 componentId 来判断权限的方式实际上没有意义，因为用户可以尝试从别的 url 来登录
   const config = await req.getServiceConfig(NODE_SERVICES.AUTH, { componentId });
   const nodeInfo = await req.getNodeInfo();
   const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
@@ -106,17 +185,21 @@ async function login(req, node, options) {
   const lastLoginIp = get(req, 'headers[x-real-ip]') || '';
   let passport = { name: 'Guest', role: 'guest' };
-  let currentUser = await getUserWithinFederated({ sourceAppPid, teamDid, userDid, userPk }, { node, blocklet });
+  let currentUser = await federatedUtil.getUserWithinFederated(
+    { sourceAppPid, teamDid, userDid, userPk },
+    { node, blocklet }
+  );
   let doc;
   let passportForLog;
-  const fullName = currentUser?.fullName || oauthInfo?.nickname;
+  const fullName = currentUser?.fullName || oauthInfo?.name;
   const connectedAccount = {
     provider,
     did: userDid,
     pk: userPk,
     id: oauthInfo.sub,
+    userInfo: oauthInfo,
   };
-  const masterSite = getFederatedMaster(blocklet);
+  const masterSite = federatedUtil.getFederatedMaster(blocklet);
   let profile;
   // 当前账户已存在，更新账户信息
   if (currentUser) {
@@ -159,7 +242,7 @@ async function login(req, node, options) {
     passportForLog = { name: 'Guest', role: 'guest' };
     profile = {
-      fullName: oauthInfo.nickname,
+      fullName: oauthInfo.name,
       email: oauthInfo.email,
       avatar,
     };
@@ -202,7 +285,7 @@ async function login(req, node, options) {
     },
   });
-  if (shouldSyncFederated(sourceAppPid, blocklet)) {
+  if (federatedUtil.shouldSyncFederated(sourceAppPid, blocklet)) {
     const syncUserData = {
       did: userDid,
       pk: userPk,
@@ -270,38 +353,14 @@ async function login(req, node, options) {
 }
 async function invite(req, node, options) {
-  const {
-    locale,
-    inviteId,
-    token,
-    baseUrl,
-    provider = LOGIN_PROVIDER.AUTH0,
-    sourceAppPid = null,
-    visitorId,
-  } = req.body;
+  const { locale, inviteId, baseUrl, provider = LOGIN_PROVIDER.AUTH0, sourceAppPid = null, visitorId } = req.body;
   const blocklet = await req.getBlocklet();
-  let userWallet;
-  let oauthInfo;
-  const { did: teamDid, wallet: blockletWallet, secret } = await req.getBlockletInfo();
+  const { did: teamDid, secret } = await req.getBlockletInfo();
-  // NOTICE: 如果是统一登录，则向 master 站点发起 oauth 登录请求，auth0 的账户信息必须由 master 来生成
-  if (sourceAppPid) {
-    const data = await getOAuthUserInfo({
-      request: req,
-      blocklet,
-      provider,
-      token,
-      sourceAppPid,
-      locale,
-    });
-    userWallet = data.wallet;
-    oauthInfo = data.info;
-  } else {
-    const authClient = getAuthClient(blocklet, provider);
-    oauthInfo = await authClient.getProfile(token);
-    userWallet = fromAppDid(oauthInfo.sub, blockletWallet.secretKey);
-  }
+  const { info: oauthInfo, wallet: userWallet } = await getOAuthFederatedUserInfo(req, {
+    blocklet,
+  });
   const nodeInfo = await req.getNodeInfo();
   let userDid = userWallet.address;
@@ -309,7 +368,10 @@ async function invite(req, node, options) {
   let profile;
-  const currentUser = await getUserWithinFederated({ sourceAppPid, teamDid, userDid, userPk }, { node, blocklet });
+  const currentUser = await federatedUtil.getUserWithinFederated(
+    { sourceAppPid, teamDid, userDid, userPk },
+    { node, blocklet }
+  );
   const { dataDir, name: applicationName } = await getApplicationInfo({ node, nodeInfo, teamDid });
   if (currentUser) {
@@ -321,12 +383,11 @@ async function invite(req, node, options) {
     userDid = currentUser.did;
     userPk = currentUser.pk;
   } else {
-    const { picture, email, nickname: fullName } = oauthInfo;
-    let avatar = picture ? await getAvatarByUrl(picture) : await getAvatarByEmail(email);
+    let avatar = oauthInfo.picture ? await getAvatarByUrl(oauthInfo.picture) : await getAvatarByEmail(oauthInfo.email);
     avatar = await extractUserAvatar(avatar, { dataDir });
     profile = {
-      email,
-      fullName,
+      email: oauthInfo.email,
+      fullName: oauthInfo.name,
       avatar: getUserAvatarUrl(baseUrl, avatar),
     };
   }
@@ -348,7 +409,7 @@ async function invite(req, node, options) {
     locale,
     provider,
   });
-  const masterSite = getFederatedMaster(blocklet);
+  const masterSite = federatedUtil.getFederatedMaster(blocklet);
   const syncData = {
     users: [],
   };
@@ -381,6 +442,7 @@ async function invite(req, node, options) {
       id: oauthInfo.sub,
       did: userWallet.address,
       pk: userWallet.publicKey,
+      userInfo: oauthInfo,
     };
     await node.loginUser({
       teamDid,
@@ -391,7 +453,7 @@ async function invite(req, node, options) {
         sourceAppPid,
       },
     });
-    if (shouldSyncFederated(sourceAppPid, blocklet)) {
+    if (federatedUtil.shouldSyncFederated(sourceAppPid, blocklet)) {
       const syncUserData = {
         did: userDid,
         pk: userPk,
@@ -422,7 +484,7 @@ async function invite(req, node, options) {
     },
   });
-  if (shouldSyncFederated(sourceAppPid, blocklet)) {
+  if (federatedUtil.shouldSyncFederated(sourceAppPid, blocklet)) {
     node
       .syncFederated({
         did: teamDid,
@@ -470,22 +532,12 @@ async function invite(req, node, options) {
 // 给 DID Wallet 绑定 Auth0 的流程
 // eslint-disable-next-line no-unused-vars
 async function bind(req, node, options) {
-  const { token, locale = 'en', provider, sourceAppPid } = req.body;
+  const { locale = 'en', provider, sourceAppPid } = req.body;
   const blocklet = await req.getBlocklet();
-  const { did: teamDid, wallet: blockletWallet, appUrl } = await req.getBlockletInfo();
+  const { did: teamDid, appUrl } = await req.getBlockletInfo();
   const userDid = req.user.did;
-  let userWallet;
-  let userInfo;
-  if (sourceAppPid) {
-    const data = await getOAuthUserInfo({ blocklet, provider, token, request: req, sourceAppPid });
-    userWallet = data.wallet;
-    userInfo = data.info;
-  } else {
-    const authClient = getAuthClient(blocklet, provider);
-    userInfo = await authClient.getProfile(token);
-    userWallet = fromAppDid(userInfo.sub, blockletWallet.secretKey);
-  }
+  const { info: oauthInfo, wallet: userWallet } = await getOAuthFederatedUserInfo(req, { blocklet });
   let oauthUser = await node.getUser({
     teamDid,
     user: { did: userWallet.address },
@@ -494,17 +546,16 @@ async function bind(req, node, options) {
     },
   });
   if (oauthUser) {
-    if (oauthUser.sourceProvider === LOGIN_PROVIDER.AUTH0) {
-      throw new ApiError(400, t('alreadyMainAccount', locale, { email: userInfo.email }));
-    }
-    throw new ApiError(400, t('alreadyBindWallet', locale, { email: userInfo.email, did: oauthUser.did }));
+    throw new ApiError(400, t('alreadyExist', locale, { email: oauthInfo.email, did: oauthUser.did }));
   }
   // NOTICE: 这里获得的 did 是当前登录用户的永久 did，无需再去查询 connectedAccount
   const bindUser = await node.getUser({ teamDid, user: { did: userDid } });
-  if (bindUser.sourceProvider !== LOGIN_PROVIDER.WALLET) {
-    throw new ApiError(400, t('oauthCantBindOauth', locale));
+  const connectAccounts = getConnectedAccounts(bindUser);
+  if (connectAccounts.some((x) => x.provider === provider)) {
+    throw new ApiError(400, t('alreadyBindProvider', locale, { provider }));
   }
   const mergePassport = (oauthUser?.passports || []).reduce((sum, cur) => {
@@ -515,13 +566,13 @@ async function bind(req, node, options) {
   if (!avatar) {
     const nodeInfo = await req.getNodeInfo();
     const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
-    avatar = userInfo.picture ? await getAvatarByUrl(userInfo.picture) : await getAvatarByEmail(userInfo.email);
+    avatar = oauthInfo.picture ? await getAvatarByUrl(oauthInfo.picture) : await getAvatarByEmail(oauthInfo.email);
     avatar = await extractUserAvatar(avatar, { dataDir });
   }
   const mergeProfile = {
-    fullName: bindUser.fullName || userInfo.nickname,
-    email: bindUser.email || userInfo.email,
+    fullName: bindUser.fullName || oauthInfo.name,
+    email: bindUser.email || oauthInfo.email,
     avatar,
   };
@@ -529,11 +580,12 @@ async function bind(req, node, options) {
   const connectedAccount = {
     provider,
-    id: userInfo.sub,
+    id: oauthInfo.sub,
     did: userWallet.address,
     pk: userWallet.publicKey,
     firstLoginAt: currentTime,
     lastLoginAt: currentTime,
+    userInfo: oauthInfo,
   };
   await node.updateUser({
@@ -548,8 +600,8 @@ async function bind(req, node, options) {
     },
   });
-  const masterSite = getFederatedMaster(blocklet);
-  if (shouldSyncFederated(sourceAppPid, blocklet)) {
+  const masterSite = federatedUtil.getFederatedMaster(blocklet);
+  if (federatedUtil.shouldSyncFederated(sourceAppPid, blocklet)) {
     // NOTICE: 采用异步来更新，不阻塞接口的正常响应
     const syncUserData = {
       did: bindUser.did,
@@ -593,6 +645,55 @@ async function bind(req, node, options) {
   );
 }
+async function unbind(req, node) {
+  const { locale = 'en', connectedAccount, sourceAppPid } = req.body;
+  const userDid = req.user.did;
+  const blocklet = await req.getBlocklet();
+  const { did: teamDid } = await req.getBlockletInfo();
+  const bindUser = await node.getUser({ teamDid, user: { did: userDid } });
+  if (connectedAccount.provider === LOGIN_PROVIDER.WALLET) {
+    throw new Error(t('cantUnbindWalletAccount', locale));
+  }
+  if (getSourceProvider(bindUser) === connectedAccount.provider) {
+    throw new Error(t('cantUnbindSourceProvider', locale));
+  }
+  if (
+    !getConnectedAccounts(bindUser).some(
+      (x) => x.provider === connectedAccount.provider && x.did === connectedAccount.did && x.pk === connectedAccount.pk
+    )
+  ) {
+    throw new Error(t('accountNotExist', locale));
+  }
+  await node.disconnectUserAccount({
+    teamDid,
+    connectedAccount,
+  });
+  const masterSite = federatedUtil.getFederatedMaster(blocklet);
+  if (federatedUtil.shouldSyncFederated(sourceAppPid, blocklet)) {
+    // NOTICE: 采用异步来更新，不阻塞接口的正常响应
+    const syncUserData = {
+      did: bindUser.did,
+      pk: bindUser.pk,
+      disconnectedAccount: connectedAccount,
+    };
+    node.syncFederated({
+      did: teamDid,
+      data: {
+        users: [
+          {
+            ...syncUserData,
+            action: 'disconnectAccount',
+            sourceAppPid: sourceAppPid || masterSite?.appPid,
+          },
+        ],
+      },
+    });
+  }
+}
 module.exports = {
   init(server, node, options) {
     async function configsFn(req, res) {
@@ -686,6 +787,22 @@ module.exports = {
     server.post(`${prefix}/bind`, bindFn);
     server.post(`${prefixApi}/bind`, bindFn);
+    async function unbindFn(req, res) {
+      try {
+        await unbind(req, node, options);
+        res.status(200).json({});
+      } catch (err) {
+        logger.error('Failed unbind oauth', { error: err });
+        if (err instanceof ApiError) {
+          res.status(err.code).send(err.message);
+          return;
+        }
+        throw err;
+      }
+    }
+    server.post(`${prefixApi}/unbind`, unbindFn);
     async function switchFn(req, res) {
       const { did: userDid, provider } = req.user;
       const { passportId } = req.body;
@@ -751,11 +868,10 @@ module.exports = {
     server.post(`${prefixApi}/login`, loginFn);
     async function getUserFn(req, res) {
-      const { token, provider } = req.body;
-      const { wallet: blockletWallet } = await req.getBlockletInfo();
+      const { provider, token, idToken, code, appPid } = req.body;
       const blocklet = await req.getBlocklet();
-      const authClient = getAuthClient(blocklet, provider);
-      const oauthInfo = await authClient.getProfile(token);
+      const oauthInfo = await getOAuthUserInfo({ blocklet, provider, token, idToken, code, appPid });
+      const { wallet: blockletWallet } = await req.getBlockletInfo();
       const userWallet = fromAppDid(oauthInfo.sub, blockletWallet.secretKey);
       res.json({
@@ -765,5 +881,44 @@ module.exports = {
     }
     server.post(`${prefix}/getUser`, getUserFn);
     server.post(`${prefixApi}/getUser`, getUserFn);
+    server.get(`${prefix}/login/:provider`, async (req, res) => {
+      const { provider } = req.params;
+      const blocklet = await req.getBlocklet();
+      const avaliableProviderList = Object.keys(blocklet.settings?.oauth).filter(
+        (x) => blocklet.settings?.oauth[x]?.enabled === true
+      );
+      if (!avaliableProviderList.includes(provider)) {
+        res.status(400).send(`Provider: ${provider} is not supported`);
+        return;
+      }
+      const client = getAuthClient(blocklet, provider);
+      const authUrl = client.getAuthorizationUrl();
+      res.redirect(authUrl);
+    });
+    // HACK: apple 需要特殊处理，callback 使用的是 post 请求返回的，通过特殊处理转为 get 请求，转由前端继续处理
+    // 此处改为所有 provider 都兼容的模式
+    server.post(`${prefix}/callback/:provider`, (req, res) => {
+      /**
+       * @type {{code?: string, user?: {name: {firstName: string, lastName: string}, email: string}}}
+       */
+      const { code, user } = req.body;
+      // HACK: URL 构造函数必须传入一个域名
+      const redirectUrl = new URL(req.url, 'http://127.0.0.1');
+      if (code) {
+        redirectUrl.searchParams.set('code', code);
+        if (user) {
+          // FIXME: @zhanghan apple 的用户名信息只会在首次获取 code 时出现，该如何将这个值传递给另一个接口中？
+          // 即使如此处理，也无法完全解决后续无法获取到用户名的问题。如果一个已有的 oauth 配置配置到了另一个应用中，对于 apple 来说，该用户已经不是第一次登录了，就不会返回用户名信息
+          // redirectUrl.searchParams.set('name', `${user.name.firstName} ${user.name.lastName}`);
+        }
+      } else {
+        const error = 'true';
+        const errorDescription = 'invalid code';
+        redirectUrl.searchParams.set('error', error);
+        redirectUrl.searchParams.set('error_description', errorDescription);
+      }
+      res.redirect(`${redirectUrl.pathname}${redirectUrl.search}`);
+    });
   },
 };

package/api/services/auth/connect/receive-transfer-app-owner.js CHANGED Viewed

@@ -252,7 +252,13 @@ module.exports = function createRoutes(node, _, createSessionToken) {
             locale,
             lastLoginIp: get(req, 'headers[x-real-ip]') || '',
             passports: [passport],
-            connectedAccounts: [{ provider: LOGIN_PROVIDER.WALLET, did: userDid, pk: userPk }],
+            connectedAccounts: [
+              {
+                provider: LOGIN_PROVIDER.WALLET,
+                did: userDid,
+                pk: userPk,
+              },
+            ],
             ...profile,
             avatar,
           },

package/api/services/oauth/index.js CHANGED Viewed

@@ -3,6 +3,8 @@ const { default: urlFriendly } = require('@blocklet/meta/lib/url-friendly');
 const { slugify } = require('transliteration');
 const { MAIN_CHAIN_ENDPOINT } = require('@abtnode/constant');
 const { getBlockletChainInfo } = require('@blocklet/meta/lib/util');
+const jwt = require('jsonwebtoken');
+const jwksClient = require('jwks-rsa');
 const logger = require('../../libs/logger')('blocklet-services:oauth');
@@ -78,7 +80,75 @@ async function migrateAccount({ wallet, blocklet, user }) {
   await Promise.all(waitingList);
 }
+async function getJWK(kid, jwksUri) {
+  const client = jwksClient({
+    cache: true,
+    jwksUri,
+  });
+  const key = await new Promise((resolve, reject) => {
+    client.getSigningKey(kid, (error, result) => {
+      if (error) {
+        return reject(error);
+      }
+      return resolve(result);
+    });
+  });
+  return {
+    publicKey: key.getPublicKey(),
+    kid: key.kid,
+    alg: key.alg,
+  };
+}
+/**
+ * Verify the authenticity of a token by decoding, verifying the algorithm, and matching claims.
+ *
+ * @param {Object} params - Object containing idToken, jwksUri, nonce, iss, clientId
+ * @param {string} params.idToken - JWT token
+ * @param {string} params.jwksUri - JWK set URI
+ * @param {string} params.nonce - Nonce
+ * @param {string} params.iss - Issuer
+ * @param {string} params.clientId - Client ID
+ * @return {Object} Decoded JWT claims if token is valid
+ */
+async function verifyIdToken(params) {
+  const decoded = jwt.decode(params.idToken, { complete: true });
+  const { kid, alg: jwtAlg } = decoded.header;
+  const { publicKey, alg: jwkAlg } = await getJWK(kid, params.jwksUri);
+  if (jwtAlg !== jwkAlg) {
+    throw new Error(`The alg does not match the jwk configuration - alg: ${jwtAlg} | expected: ${jwkAlg}`);
+  }
+  const jwtClaims = jwt.verify(params.idToken, publicKey, {
+    algorithms: [jwkAlg],
+    nonce: params.nonce,
+  });
+  if (jwtClaims?.iss !== params.iss) {
+    throw new Error(`The iss does not match the Apple URL - iss: ${jwtClaims.iss} | expected: ${params.iss}`);
+  }
+  const isFounded = [].concat(jwtClaims.aud).some((aud) => [].concat(params.clientId).includes(aud));
+  if (isFounded) {
+    ['email_verified', 'is_private_email'].forEach((field) => {
+      if (jwtClaims[field] !== undefined) {
+        jwtClaims[field] = Boolean(jwtClaims[field]);
+      }
+    });
+    return jwtClaims;
+  }
+  throw new Error(
+    `The aud parameter does not include this client - is: ${jwtClaims.aud} | expected: ${params.clientId}`
+  );
+}
 module.exports = {
   declareAccount,
   migrateAccount,
+  verifyIdToken,
 };