@abtnode/blocklet-services 1.16.33-beta-20241024-064549-2c1ad302 → 1.16.33-beta-20241028-005826-60afb7c4

package/api/routes/oauth.js

@@ -1,6 +1,11 @@
 const { handleInvitationReceive, getApplicationInfo } = require('@abtnode/auth/lib/auth');
 const { upsertToPassports, createPassportSvg } = require('@abtnode/auth/lib/passport');
-const { WELLKNOWN_SERVICE_PATH_PREFIX, NODE_SERVICES, PASSPORT_STATUS, ROLES } = require('@abtnode/constant');
+const {
+  WELLKNOWN_SERVICE_PATH_PREFIX,
+  PASSPORT_STATUS,
+  ROLES,
+  SECURITY_RULE_DEFAULT_ID,
+} = require('@abtnode/constant');
 const { extractUserAvatar, getUserAvatarUrl, getAppAvatarUrl } = require('@abtnode/util/lib/user');
 const { fromAppDid } = require('@arcblock/did-ext');
 const { getBlockletAppIdList } = require('@blocklet/meta/lib/util');
@@ -28,7 +33,7 @@ const OAuthApple = require('../libs/auth/adapters/apple');
 const { getAvatarByEmail, transferPassport, getAvatarByUrl } = require('../libs/auth/utils');
 const initJwt = require('../libs/jwt');
 const { sendToUser } = require('../libs/notification');
-const { isInvitedUserOnly, createTokenFn, getDidConnectVersion, redirectWithoutCache } = require('../util');
+const { checkInvitedUserOnly, createTokenFn, getDidConnectVersion, redirectWithoutCache } = require('../util');
 const { ApiError } = require('../util/error');
 const federatedUtil = require('../util/federated');
 const { isOAuthEmailVerified, isEmailUniqueRequired, isEmailKycRequired, isSameEmail } = require('../libs/kyc');
@@ -172,7 +177,7 @@ function getAuthClient(blocklet, provider, { legacy = false, appPid } = {}) {
 
 async function login(req, node, options) {
   const blocklet = await req.getBlocklet();
-  const { locale = 'en', provider, componentId, inviter = null, sourceAppPid = null } = req.body;
+  const { locale = 'en', provider, inviter = null, sourceAppPid = null } = req.body;
   let visitorId = req.body?.visitorId;
   if (!visitorId) {
     visitorId = req.get('x-blocklet-visitor-id');
@@ -189,11 +194,10 @@ async function login(req, node, options) {
   const userDid = userWallet.address;
   const userPk = userWallet.publicKey;
 
-  // FIXME: @zhanghan 这里通过 componentId 来判断权限的方式实际上没有意义，因为用户可以尝试从别的 url 来登录
-  const config = await req.getServiceConfig(NODE_SERVICES.AUTH, { componentId });
+  const { accessPolicyConfig } = await req.getSecurityConfig({ id: SECURITY_RULE_DEFAULT_ID });
   const nodeInfo = await req.getNodeInfo();
   const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
-  const [invitedUserOnly] = await isInvitedUserOnly(config, node, teamDid);
+  const isInvitedUserOnly = await checkInvitedUserOnly(accessPolicyConfig, node, teamDid);
 
   const lastLoginIp = getRequestIP(req);
   let passport = { name: 'Guest', role: 'guest' };
@@ -248,7 +252,7 @@ async function login(req, node, options) {
     let avatar = oauthInfo.picture ? await getAvatarByUrl(oauthInfo.picture) : await getAvatarByEmail(oauthInfo.email);
     avatar = await extractUserAvatar(avatar, { dataDir });
     // 当前 oauth 账户不存在，自动添加一个新用户
-    if (invitedUserOnly) {
+    if (isInvitedUserOnly) {
       throw new ApiError(403, t('needInviteToLogin', locale));
     }
 

package/api/routes/user-session.js

@@ -93,27 +93,27 @@ module.exports = {
     // NOTE: 保留 /login 路由，该功能不是针对于某一个实体来操作的，需要更明确表达意图
     app.post(`${prefix}/login`, ensureBlocklet(), async (req, res) => {
       const { blocklet } = req;
-      const { userDid, appPid, passportId } = req.body;
+      const loginUserSession = req.body;
       let visitorId = req.body?.visitorId;
       if (!visitorId) {
         visitorId = req.get('x-blocklet-visitor-id');
       }
 
-      if (!userDid) {
+      if (!loginUserSession.userDid) {
         res.status(400).json({ error: 'userDid is required' });
         return;
       }
-      if (!appPid) {
+      if (!loginUserSession.appPid) {
         res.status(400).json({ error: 'appPid is required' });
         return;
       }
 
       const teamDid = blocklet.appPid;
-
       const userSessions = await node.getUserSession({
         teamDid,
-        userDid,
+        userDid: loginUserSession.userDid,
         visitorId,
+        id: loginUserSession.id,
       });
       const now = Date.now();
       const sessionTtl = blocklet.settings?.session?.ttl || SESSION_TTL;
@@ -122,7 +122,7 @@ module.exports = {
       const validSession = sortedUserSessions.some((x) => now - new Date(x.updatedAt).getTime() < sessionTtl * 1000);
 
       if (validSession) {
-        const user = await node.getUser({ teamDid, user: { did: userDid } });
+        const user = await node.getUser({ teamDid, user: { did: loginUserSession.userDid } });
         if (!user.approved) {
           res.status(401).json(messages.notAllowedAppUser.en);
           return;
@@ -138,7 +138,9 @@ module.exports = {
 
         const provider = sourceProvider || LOGIN_PROVIDER.WALLET;
 
-        const memberSite = federated.sites.find((item) => item.appPid === appPid && item.isMaster === false);
+        const memberSite = federated.sites.find(
+          (item) => item.appPid === loginUserSession.appPid && item.isMaster === false
+        );
         const postUser = pick(user, ['did', 'pk', 'fullName', 'locale', 'inviter', 'generation']);
         postUser.lastLoginAt = getRequestIP(req);
 
@@ -160,7 +162,7 @@ module.exports = {
               did: teamDid,
               data: {
                 user: postUser,
-                passport: passportId ? { id: passportId } : undefined,
+                passport: loginUserSession.passportId ? { id: loginUserSession.passportId } : undefined,
                 walletOS,
                 provider,
               },
@@ -179,7 +181,9 @@ module.exports = {
           const createToken = createTokenFn(createSessionToken);
           const { secret } = await req.getBlockletInfo();
           const sessionConfig = blocklet.settings?.session || {};
-          const targetPassport = passportId ? (user?.passports || []).find((item) => item.id === passportId) : null;
+          const targetPassport = loginUserSession.passportId
+            ? (user?.passports || []).find((item) => item.id === loginUserSession.passportId)
+            : null;
           const loggedInUser = await node.loginUser({
             teamDid,
             user: {
@@ -219,11 +223,12 @@ module.exports = {
         const walletDeviceId = req.get('wallet-device-id');
 
         const userSessionDoc = await node.upsertUserSession({
+          id: loginUserSession.id,
           teamDid,
-          userDid,
+          userDid: loginUserSession.userDid,
           visitorId,
-          appPid,
-          passportId,
+          appPid: loginUserSession.appPid,
+          passportId: loginUserSession.passportId,
           status: 'online',
           ua,
           lastLoginIp,
@@ -237,10 +242,10 @@ module.exports = {
         if (isFederatedLogin) {
           node.syncUserSession({
             teamDid,
-            userDid,
+            userDid: loginUserSession.userDid,
             visitorId: userSessionDoc.visitorId,
-            passportId,
-            targetAppPid: appPid,
+            passportId: loginUserSession.passportId,
+            targetAppPid: loginUserSession.appPid,
             ua,
             lastLoginIp,
             extra: {
@@ -254,9 +259,9 @@ module.exports = {
         logger.info('quick-login with', {
           teamDid,
           visitorId,
-          userDid,
-          appPid,
-          passportId,
+          userDid: loginUserSession.userDid,
+          appPid: loginUserSession.appPid,
+          passportId: loginUserSession.passportId,
           extra: {
             walletOS,
           },
@@ -267,17 +272,22 @@ module.exports = {
         logger.warn('failed to quick-login with', {
           teamDid,
           visitorId,
-          userDid,
-          appPid,
-          passportId,
+          userDid: loginUserSession.userDid,
+          appPid: loginUserSession.appPid,
+          passportId: loginUserSession.passportId,
         });
-        res.status(403).json({ error: 'session expired' });
+        res.status(401).json({ error: 'session expired' });
       }
     });
 
+    /**
+     * 获取指定用户的所有登录会话
+     */
     app.get(`${prefix}`, ensureBlocklet(), async (req, res) => {
       const { blocklet } = req;
       const teamDid = blocklet.appPid;
+      const requestIp = getRequestIP(req);
+      const userAgent = req.get('user-agent');
 
       // NOTICE: 此处的 visitorId 必须显式传入，否则用户将无法正常查询自己的所有 sessions
       const { userDid, appPid, visitorId } = req.query;
@@ -308,7 +318,12 @@ module.exports = {
 
       // NOTICE: 移除 walletDeviceId 和 walletDeviceMessageToken，避免泄露
       const result = userSessions
-        .filter((x) => x?.user?.approved)
+        .filter((x) => {
+          if (x.lastLoginIp !== requestIp || x.ua !== userAgent || x.status === 'expired') {
+            return false;
+          }
+          return x?.user?.approved;
+        })
         .map((x) => {
           return omit(x, ['extra.walletDeviceId', 'extra.walletDeviceMessageToken']);
         });

package/api/routes/user.js

@@ -1,4 +1,4 @@
-const { NODE_SERVICES, WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
+const { WELLKNOWN_SERVICE_PATH_PREFIX, SECURITY_RULE_DEFAULT_ID } = require('@abtnode/constant');
 const { getApplicationInfo } = require('@abtnode/auth/lib/auth');
 const { fromAppDid } = require('@arcblock/did-ext');
 const { extractUserAvatar } = require('@abtnode/util/lib/user');
@@ -17,7 +17,7 @@ const { Joi } = require('@arcblock/validator');
 const { parse } = require('@abtnode/core/lib/util/ua');
 const getRequestIP = require('@abtnode/util/lib/get-request-ip');
 
-const { isInvitedUserOnly, createTokenFn, getDidConnectVersion } = require('../util');
+const { checkInvitedUserOnly, createTokenFn, getDidConnectVersion } = require('../util');
 const initJwt = require('../libs/jwt');
 const { getAvatarByUrl } = require('../libs/auth/utils');
 const { ApiError } = require('../util/error');
@@ -61,10 +61,10 @@ const translations = {
 
 const t = createTranslator({ translations });
 
-async function checkNeedInvite({ req, node, teamDid, componentId, locale }) {
-  const config = await req.getServiceConfig(NODE_SERVICES.AUTH, { componentId });
-  const [invitedUserOnly] = await isInvitedUserOnly(config, node, teamDid);
-  if (invitedUserOnly) {
+async function checkNeedInvite({ req, node, teamDid, locale }) {
+  const { accessPolicyConfig } = await req.getSecurityConfig({ id: SECURITY_RULE_DEFAULT_ID });
+  const isInvitedUserOnly = await checkInvitedUserOnly(accessPolicyConfig, node, teamDid);
+  if (isInvitedUserOnly) {
     throw new ApiError(403, t('needInviteToLogin', locale));
   }
 }
@@ -467,7 +467,6 @@ module.exports = {
       if (error) {
         throw new ApiError(400, error.message);
       }
-      // FIXME: @zhanghan 需要根据 componentId 来判断当前 component 设置的访问权限，来看当前要登录的用户是否有登录的权限
       const blocklet = await req.getBlocklet();
       const { did: teamDid, secret } = await req.getBlockletInfo();
       const currentUser = await verifyUserSig(

package/api/services/auth/index.js

@@ -4,17 +4,9 @@ const cookie = require('cookie');
 const bearerToken = require('@abtnode/util/lib/express-bearer-token');
 
 const validators = require('@blocklet/sdk/lib/validators');
-const {
-  genPermissionName,
-  NODE_SERVICES,
-  WHO_CAN_ACCESS,
-  WHO_CAN_ACCESS_PREFIX_ROLES,
-  ROLES,
-  WELLKNOWN_SERVICE_PATH_PREFIX,
-} = require('@abtnode/constant');
+const { NODE_SERVICES, ROLES, WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
 const { BLOCKLET_MODES } = require('@blocklet/constant');
 const { setUserInfoHeaders } = require('@abtnode/auth/lib/auth');
-const { getRolesFromAuthConfig } = require('@blocklet/meta/lib/util');
 
 const { createConnectToDidSpacesRoute } = require('@abtnode/auth/lib/connect-to-did-spaces');
 const logger = require('../../libs/logger')('auth');
@@ -90,9 +82,9 @@ const init = ({ node, options }) => {
    * @returns {CheckAuthRes} res
    */
   const checkAuth = async ({ req } = {}) => {
-    const config = (await req.getServiceConfig(NODE_SERVICES.AUTH)) || {};
+    const serviceConfig = (await req.getServiceConfig(NODE_SERVICES.AUTH)) || {};
 
-    const ignoreUrls = (get(config, 'ignoreUrls') || []).filter(Boolean);
+    const ignoreUrls = (get(serviceConfig, 'ignoreUrls') || []).filter(Boolean);
 
     // default public url
     // developers need not config the following urls in blocklet.yml
@@ -105,47 +97,35 @@ const init = ({ node, options }) => {
 
     const teamDid = req.getBlockletDid();
 
-    // 所有人都可以访问的情况
-    if (!config.whoCanAccess || config.whoCanAccess === WHO_CAN_ACCESS.ALL) {
-      if (config.blockUnauthenticated && !req.user) {
-        return {
-          blocked: true,
-          authenticated: false,
-        };
-      }
-    } else if (!req.user) {
-      // 需要被邀请才能访问的情况
-      const rbac = await node.getRBAC(teamDid);
-      const allRoles = await rbac.getRoles(teamDid);
+    const rbac = await node.getRBAC(teamDid);
+    const [allRoles, { accessPolicyConfig }] = await Promise.all([rbac.getRoles(teamDid), req.getSecurityConfig()]);
+
+    const accessRoles = accessPolicyConfig?.accessPolicy?.roles || null;
+    const accessReverse = accessPolicyConfig?.accessPolicy?.reverse || false;
+
+    // public 公开权限，不做任何拦截
+    if (accessRoles === null && accessReverse === false) {
+      return { ignored: true };
+    }
+
+    // invite only, 需要被邀请才能访问的情况
+    // HACK: 不是公开的情况下，就是需要有通行证才能访问，此时只需要判断 req.user 是否存在即可
+    // if (accessRoles.length === 0 && accessReverse === true) {}
+    if (!req.user) {
       const payableRole = allRoles.find((x) => x.extra?.acquire?.pay);
       return {
         blocked: true,
         authenticated: false,
         payable: payableRole?.extra?.acquire?.pay,
       };
-    } else if (config.whoCanAccess === WHO_CAN_ACCESS.OWNER && req.user.role !== ROLES.OWNER) {
-      // 需要 owner 才能访问
-      return {
-        blocked: true,
-        authenticated: true,
-        authorized: false,
-        requiredRoles: [
-          {
-            name: ROLES.OWNER,
-            title: 'Owner',
-            description: 'Owner',
-          },
-        ],
-      };
-    } else if (config.whoCanAccess.startsWith(WHO_CAN_ACCESS_PREFIX_ROLES)) {
-      // 指定 passport 才能访问
-      // 需要用户拥有的权限
-      const roles = getRolesFromAuthConfig(config);
-      if (!roles.includes(req.user.role)) {
-        const rbac = await node.getRBAC(teamDid);
-        // 系统中的所有权限
-        const allRoles = await rbac.getRoles(teamDid);
+    }
 
+    // 指定 role 访问权限
+    if (accessRoles.length > 0) {
+      const roles = accessReverse
+        ? allRoles.filter((role) => !accessRoles.includes(role.name)).map((role) => role.name)
+        : accessRoles;
+      if (!roles.includes(req.user.role)) {
         return {
           blocked: true,
           authenticated: true,
@@ -176,22 +156,6 @@ const init = ({ node, options }) => {
       }
     }
 
-    if (!config.blockUnauthorized) {
-      return { ignored: true, ignoreReason: 'blockUnauthorized' };
-    }
-
-    const rule = await req.getRoutingRule();
-    if (rule.to && rule.to.interfaceName) {
-      const permissionName = genPermissionName(rule.to.interfaceName);
-      const rbac = await node.getRBAC(teamDid);
-
-      if (await rbac.can(req.user.role, ...permissionName.split('_'))) {
-        return {};
-      }
-
-      return { blocked: true, authenticated: true, authorized: false };
-    }
-
     return {};
   };
 
@@ -312,6 +276,7 @@ const init = ({ node, options }) => {
     setUserInfoHeaders(req);
 
     const { blocked } = await checkAuth({ req });
+
     if (blocked) {
       const component = await req.getComponent();
       if (component?.mode === 'development') {
@@ -353,6 +318,7 @@ const init = ({ node, options }) => {
     return next();
   };
 
+  // 检查是否符合访问权限控制，不符合的就进行重定向
   middlewares.checkAuth = async (req, res, next) => {
     res.locals.auth = await checkAuth({ req });
     const { blocked, authenticated, authorized, payable, requiredRoles } = res.locals.auth;
@@ -380,7 +346,11 @@ const init = ({ node, options }) => {
             getRedirectUrl({
               req,
               pagePath: '/login',
-              params: { authenticated: 1, payable, requiredRoles: JSON.stringify(requiredRoles) },
+              params: {
+                authenticated: 1,
+                payable,
+                requiredRoles: JSON.stringify(requiredRoles),
+              },
             })
           );
         } else {

package/api/util/attach-shared-utils.js

@@ -1,14 +1,16 @@
 const get = require('lodash/get');
+const { joinURL, parseURL } = require('ufo');
+const pathToRegExp = require('path-to-regexp');
 
-const { findComponentById, findComponentByIdV2 } = require('@blocklet/meta/lib/util');
+const { findComponentByIdV2, getMountPoints } = require('@blocklet/meta/lib/util');
 const { getDefaultServiceConfig } = require('@blocklet/meta/lib/service');
-const { WHO_CAN_ACCESS } = require('@abtnode/constant');
-const cache = require('../cache');
+const logger = require('@abtnode/logger')('@abtnode/blocklet-services:security');
 
+const cache = require('../cache');
 const formatContext = require('./format-context');
-const getDynamicServiceConfig = require('./get-dynamic-service-config');
 const getStaticServiceConfig = require('./get-static-service-config');
 const initJwt = require('../libs/jwt');
+const { isFeDev } = require('../libs/env');
 
 module.exports = ({ node, req, options }) => {
   req.getBlockletDid = () => req.headers['x-blocklet-did'] || get(options, 'blockletDid', '');
@@ -62,26 +64,14 @@ module.exports = ({ node, req, options }) => {
       return defaultConfig;
     }
 
-    let appDynamicConfig = getDynamicServiceConfig(serviceName, app);
-    if (appDynamicConfig?.whoCanAccess === WHO_CAN_ACCESS.ALL) {
-      appDynamicConfig = null;
-    }
-
     const _componentId = componentId || req.getBlockletComponentId();
 
     const componentStaticConfig = getStaticServiceConfig(serviceName, app, _componentId);
 
-    const config = { ...defaultConfig, ...componentStaticConfig, ...appDynamicConfig };
-
-    const component = findComponentById(app, _componentId);
-
-    if (!component) {
-      return config;
-    }
-
-    const componentDynamicConfig = getDynamicServiceConfig(serviceName, component, { type: 'component' });
+    const config = { ...defaultConfig, ...componentStaticConfig };
+    delete config.whoCanAccess;
 
-    return { ...config, ...componentDynamicConfig };
+    return config;
   };
 
   req.getBlocklet = ({ useCache = true, attachRuntimeInfo = false } = {}) => {
@@ -149,6 +139,106 @@ module.exports = ({ node, req, options }) => {
     }
   };
 
+  /**
+   * @description 获取指定请求的安全配置（默认获取当前请求的安全配置，可以指定 url，也可以指定 ID）
+   * @param {object} [options]
+   * @param {object} [options.req] - 请求对象，默认为当前请求对象
+   * @param {string} [options.url] - 指定的 URL
+   * @param {string} [options.id] - 指定的 security-rule ID
+   * @param {string} [options.componentDid] - 指定的 component DID
+   * @returns {Promise<object | null>}
+   */
+  req.getSecurityConfig = async ({ req: inputReq = req, url: inputUrl, id, componentDid: inputComponentDid } = {}) => {
+    const defaultConfig = {
+      accessPolicyConfig: null,
+      responseHeaderPolicyConfig: null,
+    };
+    const rawUrl = inputUrl || inputReq.originalUrl;
+    const currentUrl = parseURL(rawUrl).pathname;
+    // NOTICE: 排除 node_modules, .yalc 等目录下的请求，这部分没有必要做安全处理
+    if (currentUrl.startsWith('/node_modules') || currentUrl.startsWith('/.yalc') || currentUrl.includes('/@fs/')) {
+      return defaultConfig;
+    }
+    // NOTICE: 如果 service 处于开发环境中，则会有很多 vite 相关的请求，这部分不需要做安全处理
+    if (
+      isFeDev &&
+      (currentUrl.startsWith('/.well-known/service/node_modules/') ||
+        currentUrl.startsWith('/.well-known/service/src/') ||
+        currentUrl.startsWith('/.well-known/service/@react-refresh') ||
+        currentUrl.startsWith('/.well-known/service/@vite/client'))
+    ) {
+      return defaultConfig;
+    }
+    // NOTICE: 如果当前连接是 websocket，则 inputReq 上不包含 get 方法，需要读取 header 只能通过 inputReq.headers 来获取
+    // HACK: ws 链接默认不拦截，ws 不会携带 cookie，无法进行 access 的权限判断，目前只能默认放行
+    if (inputReq.headers.upgrade && inputReq.headers.upgrade.toLowerCase() === 'websocket') {
+      return defaultConfig;
+    }
+
+    const blockletDid = inputReq.getBlockletDid();
+
+    const getDataFn = async () => {
+      try {
+        let componentPrefix = inputReq.get('x-path-prefix') || '/';
+        const blocklet = await inputReq.getBlocklet();
+        const componentMountPoints = getMountPoints(blocklet);
+
+        if (inputComponentDid) {
+          const customComponent = componentMountPoints.find((x) => x.did === inputComponentDid);
+          if (customComponent) {
+            componentPrefix = customComponent.mountPoint;
+          }
+        }
+
+        // NOTICE: 上面拿到的 originalUrl 是被移除了 componentPrefix 的 URL，所以需要重新拼接；如果指定了要匹配的 URL，就不需要拼接 componentPrefix 了
+        const realUrl = inputUrl || joinURL(componentPrefix, currentUrl);
+
+        const { securityRules } = await node.getBlockletSecurityRules({ did: blockletDid, formated: true });
+        if (id) {
+          // NOTICE: 在指定 ID 的情况下，可能会查不到，这时候需要返回默认配置
+          return securityRules.find((rule) => rule.id === id) ?? defaultConfig;
+        }
+        const matchedAccessPolicyRules = [];
+        const matchedResponseHeaderPolicyRules = [];
+
+        for (const securityRuleItem of securityRules) {
+          const keys = [];
+          const matchComponent = componentMountPoints.find(
+            (componentItem) => componentItem.did === securityRuleItem.componentDid
+          );
+          const mergePathPattern = joinURL(matchComponent?.mountPoint || '/', securityRuleItem.pathPattern);
+          const regexp = pathToRegExp(mergePathPattern, keys);
+          const match = regexp.exec(realUrl);
+          if (match) {
+            if (securityRuleItem.accessPolicy) {
+              matchedAccessPolicyRules.push(securityRuleItem);
+            }
+            if (securityRuleItem.responseHeaderPolicy) {
+              matchedResponseHeaderPolicyRules.push(securityRuleItem);
+            }
+          }
+        }
+
+        const matchedRule = {
+          accessPolicyConfig: matchedAccessPolicyRules.length > 0 ? matchedAccessPolicyRules[0] : null,
+          responseHeaderPolicyConfig:
+            matchedResponseHeaderPolicyRules.length > 0 ? matchedResponseHeaderPolicyRules[0] : null,
+        };
+
+        return matchedRule;
+      } catch (error) {
+        logger.error('Failed to getsecurityConfig', { error, rawUrl, blockletDid });
+        return defaultConfig;
+      }
+    };
+    const result = await cache.getSecurityConfig({
+      did: blockletDid,
+      url: currentUrl,
+      getDataFn,
+    });
+    return result;
+  };
+
   req.cache = cache;
 };
 

package/api/util/index.js

@@ -1,6 +1,6 @@
 const { joinURL } = require('ufo');
 const { minimatch } = require('minimatch');
-const { ROLES, WHO_CAN_ACCESS } = require('@abtnode/constant');
+const { ROLES } = require('@abtnode/constant');
 const { BLOCKLET_MODES } = require('@blocklet/constant');
 const { findWebInterfacePort, findComponentByIdV2 } = require('@blocklet/meta/lib/util');
 const { WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
@@ -144,27 +144,27 @@ const getRedirectUrl = ({ req, pagePath, params = {} }) => {
 };
 
 /**
- * @typedef {boolean} invitedUserOnly
- * @typedef {string} defaultRole
- * @typedef {boolean} isIssuePassport
- * @param {import('@abtnode/client').BlockletSettings} config
+ * @param {object} config
  * @param {any} node
  * @param {string} teamDid
- * @returns {Promise<[invitedUserOnly, defaultRole, isIssuePassport]>}
+ * @returns {Promise<boolean>}
  */
-const isInvitedUserOnly = async (config, node, teamDid) => {
+const checkInvitedUserOnly = async (config, node, teamDid) => {
   const count = await node.getUsersCount({ teamDid });
 
   // issue owner passport for first login user
   if (count === 0) {
-    return [false, ROLES.OWNER, true];
+    return false;
   }
 
-  if (config.whoCanAccess && config.whoCanAccess !== WHO_CAN_ACCESS.ALL) {
-    return [true];
+  const accessRoles = config?.accessPolicy?.roles ?? null;
+  const accessRevert = config?.accessPolicy?.revert ?? false;
+  if (accessRoles === null && accessRevert === false) {
+    return false;
   }
 
-  return [false, ROLES.GUEST];
+  // NOTICE: 其他情况都是需要保护的（默认情况应该也是需要保护）
+  return true;
 };
 
 /**
@@ -212,6 +212,7 @@ const shouldIgnoreUrl = (url, urls) => {
   }
   const _url = url.slice(0, length);
   for (let i = 0; i < urls.length; i++) {
+    // FIXME: @zhanghan 这里不应该使用 minimatch 来匹配 url，应该改为使用 path-to-regexp
     if (minimatch(_url, urls[i])) {
       return true;
     }
@@ -231,7 +232,7 @@ module.exports = {
   shouldGotoStartPage,
   ensureProxyUrl,
   getRedirectUrl,
-  isInvitedUserOnly,
+  checkInvitedUserOnly,
   createTokenFn,
   getDidConnectVersion,
   nanoid,

package/dist/assets/{Add-Bl82G48c.js → Add-BQRw67Fa.js}

@@ -1 +1 @@
-import{X as r,Y as t,j as a}from"./index-CES_wWCV.js";var e={},u=t;Object.defineProperty(e,"__esModule",{value:!0});var d=e.default=void 0,v=u(r()),o=a;d=e.default=(0,v.default)((0,o.jsx)("path",{d:"M19 13h-6v6h-2v-6H5v-2h6V5h2v6h6z"}),"Add");export{d};
+import{X as r,Y as t,j as a}from"./index-Cicr8_v0.js";var e={},u=t;Object.defineProperty(e,"__esModule",{value:!0});var d=e.default=void 0,v=u(r()),o=a;d=e.default=(0,v.default)((0,o.jsx)("path",{d:"M19 13h-6v6h-2v-6H5v-2h6V5h2v6h6z"}),"Add");export{d};

package/dist/assets/{Alert-B9Rlqmtk.js → Alert-Cb8GUvFi.js}

@@ -1 +1 @@
-import{aE as w,aF as H,at as c,j as e,aG as d,ai as T,aH as g,cd as y,ce as I,aK as n,r as _,aI as F,aJ as U,aC as V,aM as Z,aN as D}from"./index-CES_wWCV.js";import{u as M}from"./useSlot-BnpRF9Wf.js";function G(t){return H("MuiAlert",t)}const S=w("MuiAlert",["root","action","icon","message","filled","colorSuccess","colorInfo","colorWarning","colorError","filledSuccess","filledInfo","filledWarning","filledError","outlined","outlinedSuccess","outlinedInfo","outlinedWarning","outlinedError","standard","standardSuccess","standardInfo","standardWarning","standardError"]),J=c(e.jsx("path",{d:"M20,12A8,8 0 0,1 12,20A8,8 0 0,1 4,12A8,8 0 0,1 12,4C12.76,4 13.5,4.11 14.2, 4.31L15.77,2.74C14.61,2.26 13.34,2 12,2A10,10 0 0,0 2,12A10,10 0 0,0 12,22A10,10 0 0, 0 22,12M7.91,10.08L6.5,11.5L11,16L21,6L19.59,4.58L11,13.17L7.91,10.08Z"}),"SuccessOutlined"),K=c(e.jsx("path",{d:"M12 5.99L19.53 19H4.47L12 5.99M12 2L1 21h22L12 2zm1 14h-2v2h2v-2zm0-6h-2v4h2v-4z"}),"ReportProblemOutlined"),q=c(e.jsx("path",{d:"M11 15h2v2h-2zm0-8h2v6h-2zm.99-5C6.47 2 2 6.48 2 12s4.47 10 9.99 10C17.52 22 22 17.52 22 12S17.52 2 11.99 2zM12 20c-4.42 0-8-3.58-8-8s3.58-8 8-8 8 3.58 8 8-3.58 8-8 8z"}),"ErrorOutline"),Q=c(e.jsx("path",{d:"M11,9H13V7H11M12,20C7.59,20 4,16.41 4,12C4,7.59 7.59,4 12,4C16.41,4 20,7.59 20, 12C20,16.41 16.41,20 12,20M12,2A10,10 0 0,0 2,12A10,10 0 0,0 12,22A10,10 0 0,0 22,12A10, 10 0 0,0 12,2M11,17H13V11H11V17Z"}),"InfoOutlined"),X=c(e.jsx("path",{d:"M19 6.41L17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"}),"Close"),Y=["action","children","className","closeText","color","components","componentsProps","icon","iconMapping","onClose","role","severity","slotProps","slots","variant"],tt=t=>{const{variant:s,color:r,severity:o,classes:l}=t,u={root:["root",`color${g(r||o)}`,`${s}${g(r||o)}`,`${s}`],icon:["icon"],message:["message"],action:["action"]};return D(u,G,l)},ot=d(T,{name:"MuiAlert",slot:"Root",overridesResolver:(t,s)=>{const{ownerState:r}=t;return[s.root,s[r.variant],s[`${r.variant}${g(r.color||r.severity)}`]]}})(({theme:t})=>{const s=t.palette.mode==="light"?y:I,r=t.palette.mode==="light"?I:y;return n({},t.typography.body2,{backgroundColor:"transparent",display:"flex",padding:"6px 16px",variants:[...Object.entries(t.palette).filter(([,o])=>o.main&&o.light).map(([o])=>({props:{colorSeverity:o,variant:"standard"},style:{color:t.vars?t.vars.palette.Alert[`${o}Color`]:s(t.palette[o].light,.6),backgroundColor:t.vars?t.vars.palette.Alert[`${o}StandardBg`]:r(t.palette[o].light,.9),[`& .${S.icon}`]:t.vars?{color:t.vars.palette.Alert[`${o}IconColor`]}:{color:t.palette[o].main}}})),...Object.entries(t.palette).filter(([,o])=>o.main&&o.light).map(([o])=>({props:{colorSeverity:o,variant:"outlined"},style:{color:t.vars?t.vars.palette.Alert[`${o}Color`]:s(t.palette[o].light,.6),border:`1px solid ${(t.vars||t).palette[o].light}`,[`& .${S.icon}`]:t.vars?{color:t.vars.palette.Alert[`${o}IconColor`]}:{color:t.palette[o].main}}})),...Object.entries(t.palette).filter(([,o])=>o.main&&o.dark).map(([o])=>({props:{colorSeverity:o,variant:"filled"},style:n({fontWeight:t.typography.fontWeightMedium},t.vars?{color:t.vars.palette.Alert[`${o}FilledColor`],backgroundColor:t.vars.palette.Alert[`${o}FilledBg`]}:{backgroundColor:t.palette.mode==="dark"?t.palette[o].dark:t.palette[o].main,color:t.palette.getContrastText(t.palette[o].main)})}))]})}),st=d("div",{name:"MuiAlert",slot:"Icon",overridesResolver:(t,s)=>s.icon})({marginRight:12,padding:"7px 0",display:"flex",fontSize:22,opacity:.9}),et=d("div",{name:"MuiAlert",slot:"Message",overridesResolver:(t,s)=>s.message})({padding:"8px 0",minWidth:0,overflow:"auto"}),j=d("div",{name:"MuiAlert",slot:"Action",overridesResolver:(t,s)=>s.action})({display:"flex",alignItems:"flex-start",padding:"4px 0 0 16px",marginLeft:"auto",marginRight:-8}),z={success:e.jsx(J,{fontSize:"inherit"}),warning:e.jsx(K,{fontSize:"inherit"}),error:e.jsx(q,{fontSize:"inherit"}),info:e.jsx(Q,{fontSize:"inherit"})},nt=_.forwardRef(function(s,r){const o=F({props:s,name:"MuiAlert"}),{action:l,children:u,className:$,closeText:v="Close",color:f,components:x={},componentsProps:L={},icon:C,iconMapping:b=z,onClose:A,role:h="alert",severity:p="success",slotProps:P={},slots:R={},variant:O="standard"}=o,k=U(o,Y),a=n({},o,{color:f,severity:p,variant:O,colorSeverity:f||p}),i=tt(a),m={slots:n({closeButton:x.CloseButton,closeIcon:x.CloseIcon},R),slotProps:n({},L,P)},[B,E]=M("closeButton",{elementType:V,externalForwardedProps:m,ownerState:a}),[N,W]=M("closeIcon",{elementType:X,externalForwardedProps:m,ownerState:a});return e.jsxs(ot,n({role:h,elevation:0,ownerState:a,className:Z(i.root,$),ref:r},k,{children:[C!==!1?e.jsx(st,{ownerState:a,className:i.icon,children:C||b[p]||z[p]}):null,e.jsx(et,{ownerState:a,className:i.message,children:u}),l!=null?e.jsx(j,{ownerState:a,className:i.action,children:l}):null,l==null&&A?e.jsx(j,{ownerState:a,className:i.action,children:e.jsx(B,n({size:"small","aria-label":v,title:v,color:"inherit",onClick:A},E,{children:e.jsx(N,n({fontSize:"small"},W))}))}):null]}))});export{nt as A,X as C};
+import{aE as w,aF as H,at as c,j as e,aG as d,ai as T,aH as g,cd as y,ce as I,aK as n,r as _,aI as F,aJ as U,aC as V,aM as Z,aN as D}from"./index-Cicr8_v0.js";import{u as M}from"./useSlot-1YlTOkWf.js";function G(t){return H("MuiAlert",t)}const S=w("MuiAlert",["root","action","icon","message","filled","colorSuccess","colorInfo","colorWarning","colorError","filledSuccess","filledInfo","filledWarning","filledError","outlined","outlinedSuccess","outlinedInfo","outlinedWarning","outlinedError","standard","standardSuccess","standardInfo","standardWarning","standardError"]),J=c(e.jsx("path",{d:"M20,12A8,8 0 0,1 12,20A8,8 0 0,1 4,12A8,8 0 0,1 12,4C12.76,4 13.5,4.11 14.2, 4.31L15.77,2.74C14.61,2.26 13.34,2 12,2A10,10 0 0,0 2,12A10,10 0 0,0 12,22A10,10 0 0, 0 22,12M7.91,10.08L6.5,11.5L11,16L21,6L19.59,4.58L11,13.17L7.91,10.08Z"}),"SuccessOutlined"),K=c(e.jsx("path",{d:"M12 5.99L19.53 19H4.47L12 5.99M12 2L1 21h22L12 2zm1 14h-2v2h2v-2zm0-6h-2v4h2v-4z"}),"ReportProblemOutlined"),q=c(e.jsx("path",{d:"M11 15h2v2h-2zm0-8h2v6h-2zm.99-5C6.47 2 2 6.48 2 12s4.47 10 9.99 10C17.52 22 22 17.52 22 12S17.52 2 11.99 2zM12 20c-4.42 0-8-3.58-8-8s3.58-8 8-8 8 3.58 8 8-3.58 8-8 8z"}),"ErrorOutline"),Q=c(e.jsx("path",{d:"M11,9H13V7H11M12,20C7.59,20 4,16.41 4,12C4,7.59 7.59,4 12,4C16.41,4 20,7.59 20, 12C20,16.41 16.41,20 12,20M12,2A10,10 0 0,0 2,12A10,10 0 0,0 12,22A10,10 0 0,0 22,12A10, 10 0 0,0 12,2M11,17H13V11H11V17Z"}),"InfoOutlined"),X=c(e.jsx("path",{d:"M19 6.41L17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"}),"Close"),Y=["action","children","className","closeText","color","components","componentsProps","icon","iconMapping","onClose","role","severity","slotProps","slots","variant"],tt=t=>{const{variant:s,color:r,severity:o,classes:l}=t,u={root:["root",`color${g(r||o)}`,`${s}${g(r||o)}`,`${s}`],icon:["icon"],message:["message"],action:["action"]};return D(u,G,l)},ot=d(T,{name:"MuiAlert",slot:"Root",overridesResolver:(t,s)=>{const{ownerState:r}=t;return[s.root,s[r.variant],s[`${r.variant}${g(r.color||r.severity)}`]]}})(({theme:t})=>{const s=t.palette.mode==="light"?y:I,r=t.palette.mode==="light"?I:y;return n({},t.typography.body2,{backgroundColor:"transparent",display:"flex",padding:"6px 16px",variants:[...Object.entries(t.palette).filter(([,o])=>o.main&&o.light).map(([o])=>({props:{colorSeverity:o,variant:"standard"},style:{color:t.vars?t.vars.palette.Alert[`${o}Color`]:s(t.palette[o].light,.6),backgroundColor:t.vars?t.vars.palette.Alert[`${o}StandardBg`]:r(t.palette[o].light,.9),[`& .${S.icon}`]:t.vars?{color:t.vars.palette.Alert[`${o}IconColor`]}:{color:t.palette[o].main}}})),...Object.entries(t.palette).filter(([,o])=>o.main&&o.light).map(([o])=>({props:{colorSeverity:o,variant:"outlined"},style:{color:t.vars?t.vars.palette.Alert[`${o}Color`]:s(t.palette[o].light,.6),border:`1px solid ${(t.vars||t).palette[o].light}`,[`& .${S.icon}`]:t.vars?{color:t.vars.palette.Alert[`${o}IconColor`]}:{color:t.palette[o].main}}})),...Object.entries(t.palette).filter(([,o])=>o.main&&o.dark).map(([o])=>({props:{colorSeverity:o,variant:"filled"},style:n({fontWeight:t.typography.fontWeightMedium},t.vars?{color:t.vars.palette.Alert[`${o}FilledColor`],backgroundColor:t.vars.palette.Alert[`${o}FilledBg`]}:{backgroundColor:t.palette.mode==="dark"?t.palette[o].dark:t.palette[o].main,color:t.palette.getContrastText(t.palette[o].main)})}))]})}),st=d("div",{name:"MuiAlert",slot:"Icon",overridesResolver:(t,s)=>s.icon})({marginRight:12,padding:"7px 0",display:"flex",fontSize:22,opacity:.9}),et=d("div",{name:"MuiAlert",slot:"Message",overridesResolver:(t,s)=>s.message})({padding:"8px 0",minWidth:0,overflow:"auto"}),j=d("div",{name:"MuiAlert",slot:"Action",overridesResolver:(t,s)=>s.action})({display:"flex",alignItems:"flex-start",padding:"4px 0 0 16px",marginLeft:"auto",marginRight:-8}),z={success:e.jsx(J,{fontSize:"inherit"}),warning:e.jsx(K,{fontSize:"inherit"}),error:e.jsx(q,{fontSize:"inherit"}),info:e.jsx(Q,{fontSize:"inherit"})},nt=_.forwardRef(function(s,r){const o=F({props:s,name:"MuiAlert"}),{action:l,children:u,className:$,closeText:v="Close",color:f,components:x={},componentsProps:L={},icon:C,iconMapping:b=z,onClose:A,role:h="alert",severity:p="success",slotProps:P={},slots:R={},variant:O="standard"}=o,k=U(o,Y),a=n({},o,{color:f,severity:p,variant:O,colorSeverity:f||p}),i=tt(a),m={slots:n({closeButton:x.CloseButton,closeIcon:x.CloseIcon},R),slotProps:n({},L,P)},[B,E]=M("closeButton",{elementType:V,externalForwardedProps:m,ownerState:a}),[N,W]=M("closeIcon",{elementType:X,externalForwardedProps:m,ownerState:a});return e.jsxs(ot,n({role:h,elevation:0,ownerState:a,className:Z(i.root,$),ref:r},k,{children:[C!==!1?e.jsx(st,{ownerState:a,className:i.icon,children:C||b[p]||z[p]}):null,e.jsx(et,{ownerState:a,className:i.message,children:u}),l!=null?e.jsx(j,{ownerState:a,className:i.action,children:l}):null,l==null&&A?e.jsx(j,{ownerState:a,className:i.action,children:e.jsx(B,n({size:"small","aria-label":v,title:v,color:"inherit",onClick:A},E,{children:e.jsx(N,n({fontSize:"small"},W))}))}):null]}))});export{nt as A,X as C};

package/dist/assets/{ArrowDropDown-z6CkvFic.js → ArrowDropDown-BRkkVMO8.js}

@@ -1 +1 @@
-import{X as r,Y as t,j as a}from"./index-CES_wWCV.js";var e={},o=t;Object.defineProperty(e,"__esModule",{value:!0});var u=e.default=void 0,i=o(r()),p=a;u=e.default=(0,i.default)((0,p.jsx)("path",{d:"m7 10 5 5 5-5z"}),"ArrowDropDown");export{u as d};
+import{X as r,Y as t,j as a}from"./index-Cicr8_v0.js";var e={},o=t;Object.defineProperty(e,"__esModule",{value:!0});var u=e.default=void 0,i=o(r()),p=a;u=e.default=(0,i.default)((0,p.jsx)("path",{d:"m7 10 5 5 5-5z"}),"ArrowDropDown");export{u as d};