npm - @abtnode/blocklet-services - Versions diffs - 1.16.34-beta-20241204-140321-4d75ca21 → 1.16.34-beta-20241206-124652-493dbc39 - Mend

@abtnode/blocklet-services 1.16.34-beta-20241204-140321-4d75ca21 → 1.16.34-beta-20241206-124652-493dbc39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (303) hide show

package/api/routes/federated.js CHANGED Viewed

@@ -1,26 +1,26 @@
 const { WELLKNOWN_SERVICE_PATH_PREFIX, FEDERATED } = require('@abtnode/constant');
 const { signV2 } = require('@arcblock/jwt');
-const normalizePathPrefix = require('@abtnode/util/lib/normalize-path-prefix');
-const cloneDeep = require('lodash/cloneDeep');
 const isNil = require('lodash/isNil');
+const pick = require('lodash/pick');
+const remove = require('lodash/remove');
 const pLimit = require('p-limit');
-const pRetry = require('p-retry');
-const { joinURL } = require('ufo');
+const pMap = require('p-map');
-const { LOGIN_PROVIDER } = require('@blocklet/constant');
+const { LOGIN_PROVIDER, SIG_VERSION } = require('@blocklet/constant');
 const { getAvatarByUrl, extractUserAvatar } = require('@abtnode/util/lib/user');
 const { getApplicationInfo, messages } = require('@abtnode/auth/lib/auth');
-const pick = require('lodash/pick');
-const defaults = require('lodash/defaults');
-const remove = require('lodash/remove');
+const {
+  callFederated,
+  generateSiteInfo,
+  getFederatedSiteEnv,
+  safeGetFederated,
+} = require('@abtnode/auth/lib/util/federated');
 const { fromAppDid } = require('@arcblock/did-ext');
 const logger = require('../libs/logger')('blocklet-services:federated');
-const { api } = require('../libs/api');
 const initJwt = require('../libs/jwt');
 const { createTokenFn, getDidConnectVersion } = require('../util');
 const ensureBlocklet = require('../middlewares/ensure-blocklet');
-const verifyFederatedCall = require('../middlewares/verify-federated-call');
 const {
   getUserAvatarUrl,
   getFederatedMaster,
@@ -28,10 +28,10 @@ const {
   getTrustedDomains,
 } = require('../util/federated');
 const { declareAccount, migrateAccount } = require('../services/oauth');
+const { checkFederatedCall } = require('../middlewares/check-federated');
 const PREFIX = WELLKNOWN_SERVICE_PATH_PREFIX;
-const prefix = `${PREFIX}/api/federated`;
+const prefixApi = `${PREFIX}/api/federated`;
 function getAuditLogActorByFederatedSite(blocklet) {
   return {
@@ -145,96 +145,76 @@ async function syncDisconnectAccount(user, { node, teamDid, blocklet }) {
 /**
  * member 站点向 master 站点请求拉取一个用户信息
  */
-async function pullUserAccount(user, { node, teamDid, blocklet }) {
-  const { did } = user;
-  const currentUser = await node.getUser({
-    teamDid,
-    user: {
-      did,
-    },
-    options: {
-      enableConnectedAccount: true,
-    },
-  });
-  if (!currentUser) return null;
-  const syncUser = pick(currentUser, [
-    'did',
-    'pk',
-    'fullName',
-    'email',
-    'phone',
-    'url',
-    'remark',
-    'sourceProvider',
-    'locale',
-    'approved',
-    'extra',
-    'sourceAppPid',
-    'inviter',
-    'emailVerified',
-    'phoneVerified',
-  ]);
-  syncUser.avatar = getUserAvatarUrl(currentUser.avatar, blocklet);
-  syncUser.email = syncUser.email || '';
-  syncUser.connectedAccounts = currentUser.connectedAccounts.map((x) => {
-    const connectAccount = pick(x, ['did', 'pk', 'provider', 'id', 'userInfo']);
-    if (!connectAccount.id) {
-      delete connectAccount.id;
-    }
-    return connectAccount;
-  });
-  return syncUser;
-}
-const syncFnMaps = {
+const syncUserFnMaps = {
+  // 用户更换 profile 通知
   switchProfile: syncSwitchProfile,
+  // 用户绑定第三方登录
   connectAccount: syncConnectAccount,
+  // 用户解绑第三方登录
   disconnectAccount: syncDisconnectAccount,
-  pullAccount: pullUserAccount,
 };
 module.exports = {
   init(server, node, options) {
+    // =============================== 以下为公开的接口 ===============================
+    // 获取当前站点所有可信的域名
+    server.get(`${prefixApi}/getTrustedDomains`, ensureBlocklet(), async (req, res) => {
+      const { blocklet } = req;
+      const result = await getTrustedDomains({ node, req, blocklet });
+      res.json(result);
+    });
+    server.get(`${prefixApi}/env`, ensureBlocklet(), (req, res) => {
+      const { blocklet } = req;
+      const masterSite = getFederatedMaster(blocklet);
+      const result = {
+        sigVersion: SIG_VERSION.DEFAULT,
+        masterAppUrl: masterSite?.appUrl,
+      };
+      res.json(result);
+    });
     // step 1 申请加入(member 向 master 申请)
-    server.post(`${prefix}/join`, ensureBlocklet(), async (req, res) => {
-      // master blocklet
+    // member 发起（master 不能发起），master 处理该路由
+    server.post(`${prefixApi}/join`, ensureBlocklet(), async (req, res) => {
       const { blocklet } = req;
       const { site } = req.body;
       const teamDid = blocklet.appPid;
-      const federated = defaults(cloneDeep(blocklet.settings.federated || {}), {
-        config: {
-          appId: blocklet.appDid,
-          appPid: teamDid,
+      const federated = safeGetFederated(blocklet, { isMaster: true });
+      const exists = federated.sites.find((x) => x.appPid === site.appPid);
+      // 1. 检查当前站点群的数据中是否有目标站点
+      if (exists) {
+        logger.error("already in a federated site group, don't need join again", {
+          teamDid,
+          site,
+        });
+        res.status(401).send("already in a federated site group, don't need join again");
+        return;
+      }
+      // 1. 检查目标站点自身是否已加入其他的站点群
+      const siteEnv = await getFederatedSiteEnv({
+        site: {
+          appUrl: site.appUrl,
         },
-        sites: [],
       });
+      if (siteEnv.masterAppUrl) {
+        logger.error('already in a federated site group, please quit federated site group first', {
+          siteEnv,
+          site,
+        });
+        res.status(401).send('already in a federated site group, please quit federated site group first');
+        return;
+      }
+      // 当前站点未形成站点群，需要先生成 master 的相关信息
       if (federated.sites.length === 0) {
         const nodeInfo = await req.getNodeInfo();
-        const blockletInfo = await req.getBlockletInfo();
         const domainAliases = await node.getBlockletDomainAliases({ blocklet, nodeInfo });
-        const masterSite = {
-          appId: blocklet.appDid,
-          appPid: teamDid,
-          aliasDid: (blocklet.migratedFrom || []).map((item) => item.appDid),
-          appName: blockletInfo.name,
-          appDescription: blockletInfo.description,
-          appUrl: blockletInfo.appUrl,
-          aliasDomain: domainAliases.map((item) => item.value),
-          appLogo:
-            blocklet.environmentObj.BLOCKLET_APP_LOGO ||
-            normalizePathPrefix(`${WELLKNOWN_SERVICE_PATH_PREFIX}/blocklet/logo`) ||
-            '/',
-          appLogoRect: blocklet.environmentObj.BLOCKLET_APP_LOGO_RECT,
-          did: blockletInfo.permanentWallet.address,
-          pk: blockletInfo.permanentWallet.publicKey,
-          serverId: nodeInfo.did,
-          serverVersion: nodeInfo.version,
-          version: blocklet.meta.version,
-        };
+        const masterSite = await generateSiteInfo({ blocklet, domainAliases, nodeInfo });
         federated.sites = [masterSite];
       }
@@ -247,8 +227,8 @@ module.exports = {
         });
       }
       // member 申请后，将 member 展示在列表中
-      // 更新的是自己
-      const newState = await node.setFederated({
+      // 更新的是自己，此时还不用通知其他的子成员站点
+      const newBlockletState = await node.setFederated({
         did: teamDid,
         config: federated,
       });
@@ -260,195 +240,469 @@ module.exports = {
           context: {
             user: getAuditLogActorByFederatedSite(site),
           },
-          result: newState,
+          result: newBlockletState,
         },
         node
       );
-      // 将新增的数据返回给 member
+      // 将新增的数据返回给 member，只返回 master 和申请成员，待审核通过后，才能获取所有的成员站点信息
+      const result = federated.sites.filter((x) => [teamDid, site.appPid].includes(x.appPid));
       res.json({
-        sites: federated.sites,
+        sites: result,
       });
     });
-    // member 向 master 请求退出统一登录
-    server.post(`${prefix}/quit`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
-      const { blocklet } = req;
-      const { memberPid } = req.body.verifyData;
-      const teamDid = blocklet.appPid;
+    // =============================== 以下为需要鉴权的接口 ===============================
-      const federated = defaults(cloneDeep(blocklet.settings.federated || {}), {
-        config: {
-          appId: blocklet.appDid,
-          appPid: teamDid,
-        },
-        sites: [],
-      });
+    // ------------------------------- 以下为仅 member 可以发起的请求 -------------------------------
-      const removedSites = remove(federated.sites, (item) => item.appPid === memberPid);
+    // member 向 master 请求退出统一登录，然后 master 把情况同步给所有成员站点
+    // member 发起（master 不能发起），master 处理该路由 (member -> master)
+    server.post(
+      `${prefixApi}/quit`,
+      ensureBlocklet(),
+      checkFederatedCall({ mode: 'memberToMaster', allowStatus: ['approved', 'rejected', 'pending'] }),
+      async (req, res) => {
+        const { blocklet, verifySite } = req;
+        const teamDid = blocklet.appPid;
-      const { permanentWallet } = await req.getBlockletInfo();
-      const postData = {
-        signer: permanentWallet.address,
-        data: signV2(permanentWallet.address, permanentWallet.secretKey, { sites: federated.sites }),
-      };
-      const limitSync = pLimit(FEDERATED.SYNC_LIMIT);
-      const waitingList = federated.sites
-        .filter((item) => item.appId !== federated.config.appId)
-        .map((item) => {
-          return limitSync(async () => {
-            const url = joinURL(item.appUrl, WELLKNOWN_SERVICE_PATH_PREFIX, '/api/federated/sync');
-            // NOTICE: 即使通知其他 member 失败了，也不影响来源 member 退出统一登录
-            try {
-              await pRetry(() => api.post(url, postData), {
-                retries: 3,
-              });
-            } catch (error) {
-              logger.error('Failed to sync federated member', {
-                error,
-                url,
-                did: blocklet.appDid,
-                action: 'quit',
-              });
-            }
+        const federated = safeGetFederated(blocklet, { isMaster: true });
+        const [removedSite] = remove(federated.sites, (item) => item.appPid === verifySite.appPid);
+        const { permanentWallet } = await req.getBlockletInfo();
+        const limitSync = pLimit(FEDERATED.SYNC_LIMIT);
+        const waitingList = federated.sites
+          // 排除 master 和请求退出的 member
+          .filter((item) => ![teamDid, verifySite.appPid].includes(item.appPid))
+          .map((item) => {
+            return limitSync(async () => {
+              // NOTICE: 即使通知其他 member 失败了，也不影响来源 member 退出统一登录
+              try {
+                await callFederated({
+                  action: 'sync',
+                  site: item,
+                  data: { sites: [{ action: 'delete', appPid: verifySite.appPid }] },
+                  permanentWallet,
+                });
+              } catch (error) {
+                logger.error('Failed to sync federated member', {
+                  error,
+                  did: blocklet.appDid,
+                  action: 'quit',
+                  siteItem: item,
+                });
+              }
+            });
           });
+        await Promise.all(waitingList);
+        const newState = await node.setFederated({
+          did: teamDid,
+          config: federated,
         });
-      await Promise.all(waitingList);
-      const newState = await node.setFederated({
-        did: teamDid,
-        config: federated,
-      });
+        await node.createAuditLog(
+          {
+            action: 'quitFederated',
+            args: { memberSite: removedSite, teamDid },
+            context: {
+              user: getAuditLogActorByFederatedSite(removedSite),
+            },
+            result: newState,
+          },
+          node
+        );
-      await node.createAuditLog(
-        {
-          action: 'quitFederated',
-          args: { memberSite: removedSites[0], teamDid },
-          context: {
-            user: getAuditLogActorByFederatedSite(removedSites[0]),
+        res.status(204).send();
+      }
+    );
+    // member 向 master 申请第三方账号的 migrate
+    // member 发起（master 不能发起），master 处理该路由 (member -> master)
+    server.post(
+      `${prefixApi}/migrateAccount`,
+      ensureBlocklet(),
+      checkFederatedCall({ mode: 'memberToMaster' }),
+      async (req, res) => {
+        const { blocklet, verifySite, verifyData } = req;
+        const { did: teamDid, wallet: blockletWallet } = await req.getBlockletInfo();
+        const { fromUserDid, toUserDid, toUserPk } = verifyData;
+        const oauthUser = await node.getUser({ teamDid, user: { did: fromUserDid } });
+        const connectedAccounts = oauthUser?.connectedAccounts || [];
+        const sourceProvider = oauthUser?.sourceProvider;
+        const oauthAccount = connectedAccounts.find((item) => item.provider === sourceProvider);
+        const userWallet = fromAppDid(oauthAccount.id, blockletWallet.secretKey);
+        const bindUser = {
+          did: toUserDid,
+          pk: toUserPk,
+        };
+        await declareAccount({ wallet: userWallet, blocklet });
+        await migrateAccount({ wallet: userWallet, blocklet, user: bindUser });
+        await node.createAuditLog(
+          {
+            action: 'migrateFederatedAccount',
+            args: { fromUserDid, toUserDid, callerSite: verifySite, teamDid },
+            context: {
+              user: getAuditLogActorByFederatedSite(verifySite),
+            },
           },
-          result: newState,
-        },
-        node
-      );
+          node
+        );
+        res.status(204).send();
+      }
+    );
-      res.json({});
-    });
+    // member 向 master 索取 delegation 和 roles 列表
+    // member 发起（master 不能发起），master 处理该路由 (member -> master)
+    server.post(
+      `${prefixApi}/getMasterAuthorization`,
+      ensureBlocklet(),
+      checkFederatedCall({ mode: 'memberToMaster' }),
+      async (req, res) => {
+        const { blocklet, verifySite } = req;
+        const teamDid = blocklet.appPid;
+        const { permanentWallet } = await req.getBlockletInfo();
+        const delegation = signV2(permanentWallet.address, permanentWallet.secretKey, {
+          // HACK: 钱包签名使用的始终是最新的，这里的 dalegation 也保持 agentDid 就是当前应用最新的 did(appId)
+          agentDid: `did:abt:${verifySite.appId}`,
+          permissions: [
+            {
+              role: 'DIDConnectAgent',
+              claims: [
+                'authPrincipal',
+                'profile',
+                'signature',
+                'prepareTx',
+                'agreement',
+                'verifiableCredential',
+                'asset',
+                'assetOrVC',
+                'keyPair',
+                // 'encryptionKey',  // 备份还原应用时使用
+              ],
+            },
+          ],
+          exp: Math.floor(new Date().getTime() / 1000) + 86400 * 365 * 100, // valid for 100 year
+        });
+        const roleList = await node.getRoles({ teamDid });
+        const roles = roleList.map((item) => pick(item, ['name', 'title', 'description']));
+        res.json({ delegation, roles });
+      }
+    );
-    // master 通知 member 当前统一登录要解散
-    server.post(`${prefix}/disband`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
-      const { blocklet } = req;
-      const { verifySite } = req.body;
-      const teamDid = blocklet.appPid;
+    server.post(
+      `${prefixApi}/pullFederatedSites`,
+      ensureBlocklet(),
+      checkFederatedCall({ mode: 'memberToMaster' }),
+      (req, res) => {
+        const { blocklet } = req;
+        const federated = safeGetFederated(blocklet, { isMaster: true });
+        const result = federated.sites.filter((x) => !['pending'].includes(x.status));
+        res.json(result);
+      }
+    );
-      const newState = await node.setFederated({
-        did: teamDid,
-        config: null,
-      });
-      await node.createAuditLog(
-        {
-          action: 'disbandFederated',
-          args: { blocklet, masterSite: verifySite, teamDid },
-          context: {
-            user: getAuditLogActorByFederatedSite(verifySite),
+    server.post(
+      `${prefixApi}/pullAccount`,
+      ensureBlocklet(),
+      checkFederatedCall({ mode: 'memberToMaster' }),
+      async (req, res) => {
+        const { blocklet, verifyData } = req;
+        const { users } = verifyData;
+        const result = await pMap(
+          users,
+          async (user) => {
+            const teamDid = blocklet.appPid;
+            const currentUser = await node.getUser({
+              teamDid,
+              user: {
+                did: user.did,
+              },
+              options: {
+                enableConnectedAccount: true,
+              },
+            });
+            if (!currentUser) return null;
+            const syncUser = pick(currentUser, [
+              'did',
+              'pk',
+              'fullName',
+              'email',
+              'phone',
+              'url',
+              'remark',
+              'sourceProvider',
+              'locale',
+              'approved',
+              'extra',
+              'sourceAppPid',
+              'inviter',
+              'emailVerified',
+              'phoneVerified',
+            ]);
+            syncUser.avatar = getUserAvatarUrl(currentUser.avatar, blocklet);
+            syncUser.email = syncUser.email || '';
+            syncUser.connectedAccounts = currentUser.connectedAccounts.map((x) => {
+              const connectAccount = pick(x, ['did', 'pk', 'provider', 'id', 'userInfo']);
+              if (!connectAccount.id) {
+                delete connectAccount.id;
+              }
+              return connectAccount;
+            });
+            return syncUser;
           },
-          result: newState,
-        },
-        node
-      );
-      res.json({});
-    });
+          { concurrency: FEDERATED.SYNC_LIMIT }
+        );
+        res.json(result);
+      }
+    );
+    // ------------------------------- 以下为仅 master 可以发起的请求 -------------------------------
+    // master 通知 member 当前统一登录要解散
+    // master 发起（member 不能发起），member 处理该路由 (master -> member)
+    server.post(
+      `${prefixApi}/disband`,
+      ensureBlocklet(),
+      checkFederatedCall({ mode: 'masterToMember' }),
+      async (req, res) => {
+        const { blocklet, verifySite } = req;
+        const teamDid = blocklet.appPid;
+        const newState = await node.setFederated({
+          did: teamDid,
+          config: null,
+        });
+        await node.createAuditLog(
+          {
+            action: 'disbandFederated',
+            args: { blocklet, masterSite: verifySite, teamDid },
+            context: {
+              user: getAuditLogActorByFederatedSite(verifySite),
+            },
+            result: newState,
+          },
+          node
+        );
+        res.status(204).send();
+      }
+    );
     // step 2 审批(master 申批 member)
     // core/state/lib/blocklet/manager/disk.js -> auditFederatedLogin
-    // audit-res 接受 master 的处理结果同步，保存 delegation
-    server.post(`${prefix}/audit-res`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
-      const { blocklet } = req;
-      const { delegation, roles, masterPid, status } = req.body.verifyData;
-      const { verifySite } = req.body;
-      const teamDid = blocklet.appPid;
-      const federated = defaults(cloneDeep(blocklet.settings.federated || {}), {
-        config: {
-          appId: blocklet.appDid,
-          appPid: teamDid,
-          isMaster: false,
-        },
-        sites: [],
-      });
-      federated.config.delegation = delegation;
-      if (status === 'approved') {
-        const trustedPassports = blocklet.trustedPassports || [];
-        const hasTrustedPassport = trustedPassports.find((item) => item.issuerDid === masterPid);
-        if (!hasTrustedPassport) {
-          await node.configTrustedPassports({
-            teamDid,
-            trustedPassports: [
-              ...trustedPassports,
-              {
-                issuerDid: masterPid,
-                remark: 'Generated on join federated login',
-                mappings: roles.map((item) => {
-                  return {
-                    from: { passport: item.name },
-                    to: { role: 'guest' },
-                  };
-                }),
-              },
-            ],
-          });
+    // audit-res 接受 master 的处理结果同步
+    // master 发起（member 不能发起），member 处理该路由 (master -> member)
+    server.post(
+      `${prefixApi}/audit-res`,
+      ensureBlocklet(),
+      checkFederatedCall({
+        mode: 'masterToMember',
+      }),
+      async (req, res) => {
+        const { blocklet, verifySite, verifyData } = req;
+        const { status } = verifyData;
+        const teamDid = blocklet.appPid;
+        if (status === 'approved') {
+          await node.syncMasterAuthorization({ did: teamDid });
+          await node.syncFederatedConfig({ did: teamDid });
+        } else if (status === 'rejected') {
+          const federated = safeGetFederated(blocklet);
+          const selfSite = federated.sites?.find((x) => x.appPid === teamDid);
+          if (selfSite) {
+            selfSite.status = 'rejected';
+            await node.setFederated({
+              did: teamDid,
+              config: federated,
+            });
+          }
         }
+        await node.createAuditLog(
+          {
+            action: 'auditFederated',
+            args: { masterSite: verifySite, status, teamDid },
+            context: {
+              user: getAuditLogActorByFederatedSite(verifySite),
+            },
+            result: blocklet,
+          },
+          node
+        );
+        res.status(204).send();
       }
+    );
-      const newState = await node.setFederated({
-        did: teamDid,
-        config: federated,
-      });
-      await node.createAuditLog(
-        {
-          action: 'auditFederated',
-          args: { masterSite: verifySite, status, teamDid },
-          context: {
-            user: getAuditLogActorByFederatedSite(verifySite),
+    // 用于在 master 站点登录页面获取 member 登录的 token
+    // master 发起（member 不能发起），member 处理该路由 (master -> member)
+    server.post(
+      `${prefixApi}/loginByMaster`,
+      ensureBlocklet(),
+      checkFederatedCall({ mode: 'masterToMember' }),
+      async (req, res) => {
+        const { blocklet, verifySite, verifyData } = req;
+        const { passport, user, walletOS, provider } = verifyData;
+        const { createSessionToken } = initJwt(node, options);
+        const createToken = createTokenFn(createSessionToken);
+        const { secret } = await req.getBlockletInfo();
+        const teamDid = blocklet.appPid;
+        const sessionConfig = blocklet.settings?.session || {};
+        const prevUser = await getUserWithinFederated(
+          {
+            teamDid,
+            sourceAppPid: verifySite.appPid,
+            userDid: user.did,
+            userPk: user.pk,
           },
-          result: newState,
-        },
-        node
-      );
-      res.json(federated);
-    });
+          {
+            node,
+            blocklet,
+          }
+        );
+        if (prevUser?.approved === false) {
+          res.status(401).json({ error: messages.notAllowedAppUser.en });
+          return;
+        }
+        // HACK: member 调用 master 时，将 passport 的 role 还原为 master 中原有的 role
+        const targetPassport = passport?.id
+          ? (prevUser?.passports || []).find((item) => item.id === passport.id)
+          : null;
+        // HACK: 用户在 master 中存在时，不更新任何用户信息；不存在时，将新增一个用户
+        const filterUserInfo = prevUser ? {} : user;
+        if (filterUserInfo.avatar) {
+          let avatar = await getAvatarByUrl(filterUserInfo.avatar);
+          const nodeInfo = await req.getNodeInfo();
+          const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
+          avatar = await extractUserAvatar(avatar, { dataDir });
+          filterUserInfo.avatar = avatar;
+        }
+        const realDid = prevUser?.did || user.did;
+        const realPk = prevUser?.pk || user.pk;
+        const newUser = await node.loginUser({
+          teamDid,
+          user: {
+            ...filterUserInfo,
+            did: realDid,
+            pk: realPk,
+            passport: targetPassport,
+            sourceAppPid: verifySite.appPid,
+            connectedAccount: {
+              provider: provider || LOGIN_PROVIDER.WALLET,
+              did: user.did,
+              pk: user.pk,
+            },
+          },
+        });
+        const { sessionToken, refreshToken } = createToken(
+          user.did,
+          {
+            secret,
+            passport: targetPassport,
+            role: targetPassport?.role || 'guest',
+            fullName: newUser.fullName,
+            provider: provider || LOGIN_PROVIDER.WALLET,
+            walletOS,
+            sourceAppPid: verifySite.appPid,
+            emailVerified: newUser.emailVerified,
+            phoneVerified: newUser.phoneVerified,
+          },
+          {
+            ...sessionConfig,
+            didConnectVersion: getDidConnectVersion(req),
+          }
+        );
+        await node.createAuditLog(
+          {
+            action: 'loginByMaster',
+            args: { masterSite: verifySite, teamDid },
+            context: {
+              user: newUser,
+            },
+            result: blocklet,
+          },
+          node
+        );
+        res.json({ sessionToken, refreshToken });
+      }
+    );
+    // ------------------------------- 以下为站点群内可以互相发起的请求 -------------------------------
     // step 3 同步站点群信息(master 向 member 广播站点群信息，广播请求在 manager/disk.js 文件中 class FederatedBlockletManager 发起 )
-    // 该路由为 member 接受响应的 api(只允许 master 调用)
-    server.post(`${prefix}/sync`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
-      const { blocklet } = req;
-      const { verifySite } = req.body;
+    // 站点群互相可以任意获取
+    server.post(`${prefixApi}/sync`, ensureBlocklet(), checkFederatedCall(), async (req, res) => {
+      const { blocklet, verifySite, verifyData } = req;
       const teamDid = blocklet.appPid;
-      const { users = null, sites = null, userSessions = null } = req.body.verifyData;
+      const { users = null, sites = null, userSessions = null } = verifyData;
       const resultData = {
         users: [],
         sites: [],
         userSessions: [],
       };
-      // FIXME: @zhanghan 校验 users 和 sites 数据合法性
+      // sites 支持增量更新
       if (!isNil(sites)) {
         const limitSync = pLimit(FEDERATED.SYNC_LIMIT);
         const pendingSiteList = [];
-        const federated = cloneDeep(blocklet.settings.federated || {});
-        federated.sites = sites;
+        const federated = safeGetFederated(blocklet);
+        for (const site of sites) {
+          const { action, ...siteItem } = site;
+          const findIndex = federated.sites.findIndex((x) => x.appPid === siteItem.appPid);
+          const isMyself = siteItem.appPid === teamDid;
+          if (action === 'update') {
+            if (findIndex > -1) {
+              Object.assign(federated.sites[findIndex], siteItem);
+            }
+          } else if (action === 'upsert') {
+            if (findIndex > -1) {
+              Object.assign(federated.sites[findIndex], siteItem);
+            } else {
+              federated.sites.push(siteItem);
+            }
+            // 不允许增加自己，也不允许删除自己
+          } else if (!isMyself) {
+            if (action === 'add') {
+              if (findIndex === -1) {
+                federated.sites.push(siteItem);
+              }
+            } else if (action === 'delete') {
+              if (findIndex > -1) {
+                federated.sites.splice(findIndex, 1);
+              }
+            }
+          }
+        }
         pendingSiteList.push(
           limitSync(async () => {
-            await node.setFederated({
-              did: teamDid,
-              config: federated,
-            });
+            try {
+              await node.setFederated({
+                did: teamDid,
+                config: federated,
+              });
+            } catch (error) {
+              logger.error('failed to update federated sites', {
+                error,
+                teamDid,
+                sites,
+              });
+            }
           })
         );
         const resList = await Promise.all(pendingSiteList);
         resultData.sites = resList;
       }
+      // users 支持增量更新
       if (!isNil(users)) {
         if (Array.isArray(users)) {
           const limitSync = pLimit(FEDERATED.SYNC_LIMIT);
@@ -458,14 +712,23 @@ module.exports = {
           for (const user of users) {
             pendingUserList.push(
               limitSync(async () => {
-                const result = await syncFnMaps[user.action]?.(
-                  {
-                    ...user,
-                    sourceAppPid: user.sourceAppPid === teamDid ? null : user.sourceAppPid,
-                  },
-                  { node, teamDid, dataDir, blocklet }
-                );
-                return result;
+                try {
+                  const result = await syncUserFnMaps[user.action]?.(
+                    {
+                      ...user,
+                      sourceAppPid: user.sourceAppPid === teamDid ? null : user.sourceAppPid,
+                    },
+                    { node, teamDid, dataDir, blocklet }
+                  );
+                  return result;
+                } catch (error) {
+                  logger.error('failed to update federated users', {
+                    error,
+                    user,
+                  });
+                }
+                return null;
               })
             );
           }
@@ -474,6 +737,7 @@ module.exports = {
         }
       }
+      // userSessions 支持增量更新
       if (!isNil(userSessions)) {
         if (Array.isArray(userSessions)) {
           const pendingUserSessionList = [];
@@ -482,14 +746,27 @@ module.exports = {
             const { action, ...userSessionItem } = userSession;
             pendingUserSessionList.push(
               limitSync(async () => {
-                if (action === 'login') {
-                  await node.upsertUserSession({ ...userSessionItem, teamDid, status: 'online' });
-                } else if (action === 'logout') {
-                  await node.logoutUser({
-                    ...userSessionItem,
+                try {
+                  if (action === 'login') {
+                    const result = await node.upsertUserSession({ ...userSessionItem, teamDid, status: 'online' });
+                    return result;
+                  }
+                  if (action === 'logout') {
+                    const result = await node.logoutUser({
+                      ...userSessionItem,
+                      teamDid,
+                    });
+                    return result;
+                  }
+                } catch (error) {
+                  logger.error('failed to update federated userSession', {
+                    error,
+                    action,
+                    userSessionItem,
                     teamDid,
                   });
                 }
+                return null;
               })
             );
           }
@@ -509,344 +786,23 @@ module.exports = {
       res.json(resultData);
     });
-    // step 6 发放自动登录 token(master 向 member 发起生成 token 请求)
-    server.post(`${prefix}/token`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
-      const { user, masterPid, role, passport, walletOS, provider } = req.body.verifyData;
-      const { verifySite } = req.body;
-      const { createSessionToken } = initJwt(node, options);
-      const createToken = createTokenFn(createSessionToken);
-      const { secret } = await req.getBlockletInfo();
-      const { blocklet } = req;
-      const teamDid = blocklet.appPid;
-      const sessionConfig = blocklet.settings?.session || {};
-      const trustedPassports = blocklet.trustedPassports || [];
-      // HACK: 这里只对比 pid，因为自动生成的数据只有 master-site 的 pid
-      const masterPassport = trustedPassports.find((item) => item.issuerDid === masterPid);
-      const findMapping = masterPassport ? masterPassport.mappings.find((item) => item.from.passport === role) : null;
-      const targetPassport = findMapping
-        ? {
-            role: findMapping.to?.role || 'guest',
-            name: findMapping.to?.role || 'Guest',
-            id: passport?.id || '',
-          }
-        : { role: 'guest', name: 'Guest' };
-      let { avatar } = user || {};
-      if (avatar) {
-        try {
-          avatar = await getAvatarByUrl(user.avatar);
-          const nodeInfo = await req.getNodeInfo();
-          const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
-          avatar = await extractUserAvatar(avatar, { dataDir });
-        } catch (err) {
-          logger.error('Failed to convert user avatar', { error: err });
-        }
-      }
-      const doc = await node.loginUser({
-        teamDid,
-        user: {
-          ...user,
-          avatar,
-          // HACK: @zhanghan 这里会将 passport 插入到当前用户的 passport 列表中，federated 登录不应该插入 passport
-          // passport: findMapping ? targetPassport : null,
-          sourceAppPid: masterPid,
-          connectedAccount: {
-            provider: provider || LOGIN_PROVIDER.WALLET,
-            id: masterPid,
-            did: user.did,
-            pk: user.pk,
-          },
-        },
-      });
-      const { sessionToken, refreshToken } = createToken(
-        doc.did,
-        {
-          secret,
-          role: targetPassport.role,
-          passport: targetPassport,
-          fullName: doc.fullName,
-          provider: provider || LOGIN_PROVIDER.WALLET,
-          walletOS,
-          emailVerified: doc.emailVerified,
-          phoneVerified: doc.phoneVerified,
-        },
-        {
-          ...sessionConfig,
-          didConnectVersion: getDidConnectVersion(req),
-        }
-      );
-      await node.createAuditLog(
-        {
-          action: 'loginByMaster',
-          args: { masterSite: verifySite, teamDid },
-          context: {
-            user: doc,
-          },
-          result: blocklet,
-        },
-        node
-      );
-      res.json({ sessionToken, refreshToken });
-    });
-    // member 主动调起 master 登录（实现登录 member 时，自动登录 master）
-    // member 传递过来的 user.did 和 user.pk 均为 master-site 与钱包生成的
-    server.post(`${prefix}/loginByMember`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
-      const { verifySite } = req.body;
-      const { user, passport, walletOS, provider } = req.body.verifyData;
-      const { createSessionToken } = initJwt(node, options);
-      const createToken = createTokenFn(createSessionToken);
-      const { secret } = await req.getBlockletInfo();
-      const { blocklet } = req;
-      const teamDid = blocklet.appPid;
-      const sessionConfig = blocklet.settings?.session || {};
-      const prevUser = await node.getUser({
-        teamDid,
-        user: { did: user.did },
-        options: { enableConnectedAccount: true },
-      });
-      // HACK: member 调用 master 时，将 passport 的 role 还原为 master 中原有的 role
-      const targetPassport = passport?.id ? (prevUser?.passports || []).find((item) => item.id === passport.id) : null;
-      // HACK: 用户在 master 中存在时，不更新任何用户信息；不存在时，将新增一个用户
-      const filterUserInfo = prevUser ? {} : user;
-      if (filterUserInfo.avatar) {
-        let avatar = await getAvatarByUrl(filterUserInfo.avatar);
-        const nodeInfo = await req.getNodeInfo();
-        const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
-        avatar = await extractUserAvatar(avatar, { dataDir });
-        filterUserInfo.avatar = avatar;
-      }
-      const realDid = prevUser?.did || user.did;
-      const realPk = prevUser?.pk || user.pk;
-      // NOTICE: 这里是 Master 登录，不需要 sourceAppPid 字段
-      const newUser = await node.loginUser({
-        teamDid,
-        user: {
-          ...filterUserInfo,
-          did: realDid,
-          pk: realPk,
-          passport: targetPassport,
-          connectedAccount: {
-            provider: provider || LOGIN_PROVIDER.WALLET,
-            did: user.did,
-            pk: user.pk,
-          },
-        },
-      });
-      const { sessionToken, refreshToken } = createToken(
-        user.did,
-        {
-          secret,
-          passport: targetPassport,
-          role: targetPassport?.role || 'guest',
-          fullName: newUser.fullName,
-          // 这里是 member 登录了 master 的账号，对于 master 来说，其实还是使用 wallet 来登录的
-          provider: LOGIN_PROVIDER.WALLET,
-          walletOS,
-          emailVerified: newUser.emailVerified,
-          phoneVerified: newUser.phoneVerified,
-        },
-        {
-          ...sessionConfig,
-          didConnectVersion: getDidConnectVersion(req),
-        }
-      );
-      await node.createAuditLog(
-        {
-          action: 'loginByMember',
-          args: { memberSite: verifySite, teamDid },
-          context: {
-            user: newUser,
-          },
-          result: blocklet,
-        },
-        node
-      );
-      res.json({ sessionToken, refreshToken });
-    });
-    // 用于在 master 站点登录页面获取 member 登录的 token
-    server.post(`${prefix}/loginByMaster`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
-      const { verifySite } = req.body;
-      const { passport, user, walletOS, provider } = req.body.verifyData;
-      const { createSessionToken } = initJwt(node, options);
-      const createToken = createTokenFn(createSessionToken);
-      const { secret } = await req.getBlockletInfo();
-      const { blocklet } = req;
+    // 获取指定 passportId 的内容
+    // 站点群互相可以任意获取
+    server.post(`${prefixApi}/getPassport`, ensureBlocklet(), checkFederatedCall(), async (req, res) => {
+      const { blocklet, verifyData } = req;
       const teamDid = blocklet.appPid;
-      const sessionConfig = blocklet.settings?.session || {};
-      const prevUser = await getUserWithinFederated(
-        {
-          teamDid,
-          sourceAppPid: verifySite.appPid,
-          userDid: user.did,
-          userPk: user.pk,
-        },
-        {
-          node,
-          blocklet,
-        }
-      );
-      if (prevUser?.approved === false) {
-        res.status(401).json({ error: messages.notAllowedAppUser.en });
-        return;
-      }
-      // HACK: member 调用 master 时，将 passport 的 role 还原为 master 中原有的 role
-      const targetPassport = passport?.id ? (prevUser?.passports || []).find((item) => item.id === passport.id) : null;
-      // HACK: 用户在 master 中存在时，不更新任何用户信息；不存在时，将新增一个用户
-      const filterUserInfo = prevUser ? {} : user;
-      if (filterUserInfo.avatar) {
-        let avatar = await getAvatarByUrl(filterUserInfo.avatar);
-        const nodeInfo = await req.getNodeInfo();
-        const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
-        avatar = await extractUserAvatar(avatar, { dataDir });
-        filterUserInfo.avatar = avatar;
-      }
-      const realDid = prevUser?.did || user.did;
-      const realPk = prevUser?.pk || user.pk;
-      const newUser = await node.loginUser({
-        teamDid,
-        user: {
-          ...filterUserInfo,
-          did: realDid,
-          pk: realPk,
-          passport: targetPassport,
-          sourceAppPid: verifySite.appPid,
-          connectedAccount: {
-            provider: provider || LOGIN_PROVIDER.WALLET,
-            did: user.did,
-            pk: user.pk,
-          },
-        },
-      });
-      const { sessionToken, refreshToken } = createToken(
-        user.did,
-        {
-          secret,
-          passport: targetPassport,
-          role: targetPassport?.role || 'guest',
-          fullName: newUser.fullName,
-          provider: provider || LOGIN_PROVIDER.WALLET,
-          walletOS,
-          sourceAppPid: verifySite.appPid,
-          emailVerified: newUser.emailVerified,
-          phoneVerified: newUser.phoneVerified,
-        },
-        {
-          ...sessionConfig,
-          didConnectVersion: getDidConnectVersion(req),
-        }
-      );
-      await node.createAuditLog(
-        {
-          action: 'loginByMaster',
-          args: { masterSite: verifySite, teamDid },
-          context: {
-            user: newUser,
-          },
-          result: blocklet,
-        },
-        node
-      );
-      res.json({ sessionToken, refreshToken });
-    });
-    // member 向 master 申请 auth0 账号的 migrate
-    server.post(`${prefix}/migrateAuth0`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
-      const { blocklet } = req;
-      const { verifySite } = req.body;
-      const { did: teamDid, wallet: blockletWallet } = await req.getBlockletInfo();
-      const { fromUserDid, toUserDid, toUserPk } = req.body.verifyData;
-      const oauthUser = await node.getUser({ teamDid, user: { did: fromUserDid } });
-      const connectedAccounts = oauthUser?.connectedAccounts || [];
-      const sourceProvider = oauthUser?.sourceProvider;
-      const oauthAccount = connectedAccounts.find((item) => item.provider === sourceProvider);
-      const userWallet = fromAppDid(oauthAccount.id, blockletWallet.secretKey);
-      const bindUser = {
-        did: toUserDid,
-        pk: toUserPk,
-      };
-      await declareAccount({ wallet: userWallet, blocklet });
-      await migrateAccount({ wallet: userWallet, blocklet, user: bindUser });
-      await node.createAuditLog(
-        {
-          action: 'migrateFederatedAuth0',
-          args: { fromUserDid, toUserDid, callerSite: verifySite, teamDid },
-          context: {
-            user: getAuditLogActorByFederatedSite(verifySite),
-          },
-        },
-        node
-      );
-      res.json({});
-    });
-    // member 去登录 master
-    // 该监听是由 member 站点来做的，member 向自己的后端来申请要登录 master，member 的后端组装加密数据，由 Master 来接收并执行相应操作
-    server.post(`${prefix}/loginMaster`, ensureBlocklet(), async (req, res) => {
-      if (!req.user) {
-        res.status(401).send('Unauthorized');
-        return;
-      }
-      const { blocklet } = req;
-      const masterSite = getFederatedMaster(blocklet);
-      if (!masterSite) {
-        res.status(400).send('No federated context found');
-        return;
-      }
-      const { did: teamDid, permanentWallet } = await req.getBlockletInfo();
-      const user = await node.getUser({ teamDid, user: { did: req.user.did } });
-      const { passport, walletOS, provider } = req.user;
-      const url = joinURL(masterSite.appUrl, prefix, 'loginByMember');
-      const postData = {
-        signer: permanentWallet.address,
-        data: signV2(permanentWallet.address, permanentWallet.secretKey, { user, passport, walletOS, provider }),
-      };
-      const { data } = await api.post(url, postData);
-      await node.createAuditLog(
-        {
-          action: 'loginFederatedMaster',
-          args: { masterSite, teamDid },
-          context: {
-            user,
-          },
-          result: blocklet,
-        },
-        node
-      );
-      res.json(data);
-    });
-    server.post(`${prefix}/getPassport`, ensureBlocklet(), verifyFederatedCall(), async (req, res) => {
-      const { blocklet } = req;
-      const teamDid = blocklet.appPid;
-      const { passportId } = req.body.verifyData;
+      const { passportId } = verifyData;
       const result = await node.getPassportById({ teamDid, passportId });
       res.json(result);
     });
-    // 获取当前站点所有可信的域名
-    server.get(`${prefix}/getTrustedDomains`, ensureBlocklet(), async (req, res) => {
+    server.post(`${prefixApi}/getConfig`, ensureBlocklet(), checkFederatedCall(), async (req, res) => {
       const { blocklet } = req;
-      const result = await getTrustedDomains({ node, req, blocklet });
-      res.json(result);
+      const nodeInfo = await node.getNodeInfo();
+      const domainAliases = await node.getBlockletDomainAliases({ blocklet, nodeInfo });
+      const siteInfo = await generateSiteInfo({ nodeInfo, blocklet, domainAliases });
+      res.json(siteInfo);
     });
   },
 };