npm - @abtnode/blocklet-services - Versions diffs - 1.16.34-beta-20241204-140321-4d75ca21 → 1.16.34-beta-20241206-124652-493dbc39 - Mend

@abtnode/blocklet-services 1.16.34-beta-20241204-140321-4d75ca21 → 1.16.34-beta-20241206-124652-493dbc39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (303) hide show

package/api/routes/user-session.js CHANGED Viewed

@@ -1,21 +1,23 @@
 /* eslint-disable no-await-in-loop */
 const { WELLKNOWN_SERVICE_PATH_PREFIX, SESSION_TTL } = require('@abtnode/constant');
-// const { LOGIN_PROVIDER } = require('@blocklet/constant');
-// const pick = require('lodash/pick');
+const { LOGIN_PROVIDER } = require('@blocklet/constant');
+const pick = require('lodash/pick');
 const defaults = require('lodash/defaults');
 const cloneDeep = require('lodash/cloneDeep');
-// const sortBy = require('lodash/sortBy');
 const omit = require('lodash/omit');
 const pLimit = require('p-limit');
-// const { getSourceProvider } = require('@blocklet/meta/lib/did-utils');
+const { getSourceProvider } = require('@blocklet/meta/lib/did-utils');
 const getRequestIP = require('@abtnode/util/lib/get-request-ip');
-// const { messages } = require('@abtnode/auth/lib/auth');
+const { getFederatedMembers, getFederatedMaster } = require('@abtnode/auth/lib/util/federated');
+const { messages } = require('@abtnode/auth/lib/auth');
+const { Joi } = require('@arcblock/validator');
-// const logger = require('../libs/logger')('blocklet-services:user-session');
+const logger = require('../libs/logger')('blocklet-services:user-session');
 const ensureBlocklet = require('../middlewares/ensure-blocklet');
 const { getUserAvatarUrl } = require('../util/federated');
-// const initJwt = require('../libs/jwt');
-// const { createTokenFn, getDidConnectVersion } = require('../util');
+const initJwt = require('../libs/jwt');
+const { createTokenFn, getDidConnectVersion } = require('../util');
+const checkUser = require('../middlewares/check-user');
 const prefix = `${WELLKNOWN_SERVICE_PATH_PREFIX}/api/user-session`;
 const limit = pLimit(5);
@@ -88,228 +90,251 @@ async function patchUserSessionData(userSession, { blocklet, appPid, teamDid, no
   userSession.user.roleTitle = passport?.title || 'guest';
 }
+const loginSessionSchema = Joi.object({
+  // uuid 版本需要保持跟数据库 model 定义一致
+  id: Joi.string().uuid({ version: 'uuidv4' }).required(),
+  userDid: Joi.DID().required(),
+  appPid: Joi.DID().required(),
+  passportId: Joi.string().allow('', null).optional(),
+}).unknown(true);
 module.exports = {
   // eslint-disable-next-line no-unused-vars
   init(app, node, options) {
-    // FIXME: @zhanghan 登录要确保安全性
     // NOTE: 保留 /login 路由，该功能不是针对于某一个实体来操作的，需要更明确表达意图
-    app.post(`${prefix}/login`, ensureBlocklet(), (req, res) => {
-      res.status(400).json({ error: 'not supported' });
-      // const { blocklet } = req;
-      // const loginUserSession = req.body;
-      // // let visitorId = req.body?.visitorId;
-      // // if (!visitorId) {
-      // //   visitorId = req.get('x-blocklet-visitor-id');
-      // // }
-      // if (!loginUserSession.id) {
-      //   res.status(400).json({ error: 'not supported' });
-      //   return;
-      // }
-      // if (!loginUserSession.userDid) {
-      //   res.status(400).json({ error: 'userDid is required' });
-      //   return;
-      // }
-      // if (!loginUserSession.appPid) {
-      //   res.status(400).json({ error: 'appPid is required' });
-      //   return;
-      // }
-      // const teamDid = blocklet.appPid;
-      // const userSessions = await node.getUserSession({
-      //   teamDid,
-      //   userDid: loginUserSession.userDid,
-      //   // visitorId,
-      //   id: loginUserSession.id,
-      // });
-      // const now = Date.now();
-      // const sessionTtl = blocklet.settings?.session?.ttl || SESSION_TTL;
-      // // NOTICE: 保持与前端一致的排序方式，确保此时续期的是前端展示的 walletOS
-      // const sortedUserSessions = sortBy(userSessions, (x) => now - new Date(x.updatedAt).getTime());
-      // const validSession = sortedUserSessions.some((x) => now - new Date(x.updatedAt).getTime() < sessionTtl * 1000);
-      // if (validSession) {
-      //   const user = await node.getUser({ teamDid, user: { did: loginUserSession.userDid } });
-      //   if (!user.approved) {
-      //     res.status(401).json(messages.notAllowedAppUser.en);
-      //     return;
-      //   }
-      //   const federated = defaults(cloneDeep(blocklet.settings.federated || {}), {
-      //     config: {
-      //       appId: blocklet.appDid,
-      //       appPid: teamDid,
-      //     },
-      //     sites: [],
-      //   });
-      //   const sourceProvider = getSourceProvider(user);
-      //   const provider = sourceProvider || LOGIN_PROVIDER.WALLET;
-      //   const memberSite = federated.sites.find(
-      //     (item) => item.appPid === loginUserSession.appPid && item.isMaster === false
-      //   );
-      //   const postUser = pick(user, ['did', 'pk', 'fullName', 'locale', 'inviter', 'generation']);
-      //   postUser.lastLoginAt = getRequestIP(req);
-      //   if (user.email) {
-      //     postUser.email = user.email;
-      //   }
-      //   if (user.avatar) {
-      //     postUser.avatar = getUserAvatarUrl(user.avatar, blocklet);
-      //   }
-      //   let result = {};
-      //   const walletOS = validSession?.extra?.walletOS || 'web';
-      //   const isFederatedLogin = !!memberSite;
-      //   if (isFederatedLogin) {
-      //     try {
-      //       result = await node.loginFederated({
-      //         did: teamDid,
-      //         data: {
-      //           user: postUser,
-      //           passport: loginUserSession.passportId ? { id: loginUserSession.passportId } : undefined,
-      //           walletOS,
-      //           provider,
-      //         },
-      //         site: memberSite,
-      //       });
-      //     } catch (err) {
-      //       if (err.response) {
-      //         const { status, data } = err.response;
-      //         res.status(status).json(data);
-      //         return;
-      //       }
-      //       throw err;
-      //     }
-      //   } else {
-      //     const { createSessionToken } = initJwt(node, options);
-      //     const createToken = createTokenFn(createSessionToken);
-      //     const { secret } = await req.getBlockletInfo();
-      //     const sessionConfig = blocklet.settings?.session || {};
-      //     const targetPassport = loginUserSession.passportId
-      //       ? (user?.passports || []).find((item) => item.id === loginUserSession.passportId)
-      //       : null;
-      //     const loggedInUser = await node.loginUser({
-      //       teamDid,
-      //       user: {
-      //         did: postUser.did,
-      //         pk: postUser.pk,
-      //         passport: targetPassport,
-      //         connectedAccount: {
-      //           provider,
-      //           did: user.did,
-      //           pk: user.pk,
-      //         },
-      //       },
-      //     });
-      //     result = createToken(
-      //       user.did,
-      //       {
-      //         secret,
-      //         passport: targetPassport,
-      //         role: targetPassport?.role || 'guest',
-      //         fullName: loggedInUser.fullName,
-      //         provider,
-      //         walletOS,
-      //         emailVerified: !!user?.emailVerified,
-      //         phoneVerified: !!user?.phoneVerified,
-      //       },
-      //       {
-      //         ...sessionConfig,
-      //         didConnectVersion: getDidConnectVersion(req),
-      //       }
-      //     );
-      //   }
-      //   const lastLoginIp = getRequestIP(req);
-      //   const ua = req.get('user-agent');
-      //   const walletDeviceMessageToken = req.get('wallet-device-message-token');
-      //   const walletDeviceId = req.get('wallet-device-id');
-      //   const userSessionDoc = await node.upsertUserSession({
-      //     id: loginUserSession.id,
-      //     teamDid,
-      //     userDid: loginUserSession.userDid,
-      //     // visitorId,
-      //     appPid: loginUserSession.appPid,
-      //     passportId: loginUserSession.passportId,
-      //     status: 'online',
-      //     ua,
-      //     lastLoginIp,
-      //     extra: {
-      //       walletOS,
-      //       walletDeviceMessageToken,
-      //       walletDeviceId,
-      //     },
-      //   });
-      //   if (isFederatedLogin) {
-      //     node.syncUserSession({
-      //       teamDid,
-      //       userDid: loginUserSession.userDid,
-      //       visitorId: userSessionDoc.visitorId,
-      //       passportId: loginUserSession.passportId,
-      //       targetAppPid: loginUserSession.appPid,
-      //       ua,
-      //       lastLoginIp,
-      //       extra: {
-      //         walletOS,
-      //         walletDeviceMessageToken,
-      //         walletDeviceId,
-      //       },
-      //     });
-      //   }
-      //   logger.info('quick-login with', {
-      //     teamDid,
-      //     // visitorId,
-      //     userDid: loginUserSession.userDid,
-      //     appPid: loginUserSession.appPid,
-      //     passportId: loginUserSession.passportId,
-      //     extra: {
-      //       walletOS,
-      //     },
-      //   });
-      //   res.json({ ...result, visitorId: userSessionDoc.visitorId });
-      // } else {
-      //   logger.warn('failed to quick-login with', {
-      //     teamDid,
-      //     // visitorId,
-      //     userDid: loginUserSession.userDid,
-      //     appPid: loginUserSession.appPid,
-      //     passportId: loginUserSession.passportId,
-      //   });
-      //   res.status(401).json({ error: 'session expired' });
-      // }
+    app.post(`${prefix}/login`, ensureBlocklet(), async (req, res) => {
+      const { blocklet } = req;
+      const loginUserSession = req.body;
+      const { value: validUserSession, error } = loginSessionSchema.validate(loginUserSession);
+      if (error) {
+        logger.error('Failed to login by user-session', {
+          error,
+          loginUserSession,
+        });
+        res.status(400).json({ error });
+        return;
+      }
+      const teamDid = blocklet.appPid;
+      const [validSession] = await node.getUserSession({
+        teamDid,
+        userDid: validUserSession.userDid,
+        id: validUserSession.id,
+      });
+      if (validSession) {
+        const user = await node.getUser({ teamDid, user: { did: validUserSession.userDid } });
+        if (!user.approved) {
+          res.status(401).json(messages.notAllowedAppUser.en);
+          return;
+        }
+        const sourceProvider = getSourceProvider(user);
+        const provider = sourceProvider || LOGIN_PROVIDER.WALLET;
+        const masterSite = getFederatedMaster(blocklet);
+        const memberSiteList = getFederatedMembers(blocklet);
+        const memberSite = memberSiteList.find((item) => item.appPid === validUserSession.appPid);
+        const postUser = pick(user, ['did', 'pk', 'fullName', 'locale', 'inviter', 'generation']);
+        postUser.lastLoginAt = getRequestIP(req);
+        if (user.email) {
+          postUser.email = user.email;
+        }
+        if (user.avatar) {
+          postUser.avatar = getUserAvatarUrl(user.avatar, blocklet);
+        }
+        let result = {};
+        const walletOS = validSession?.extra?.walletOS || 'web';
+        const isFederatedLogin = memberSite && masterSite.appPid === teamDid;
+        if (isFederatedLogin) {
+          try {
+            result = await node.loginFederated({
+              did: teamDid,
+              data: {
+                user: postUser,
+                passport: validUserSession.passportId ? { id: validUserSession.passportId } : undefined,
+                walletOS,
+                provider,
+              },
+              site: memberSite,
+            });
+          } catch (err) {
+            logger.error('Failed to login federated', { error: err, memberSite });
+            if (err.response) {
+              const { status, data } = err.response;
+              res.status(status).json(data);
+              return;
+            }
+            throw err;
+          }
+        } else {
+          const { createSessionToken } = initJwt(node, options);
+          const createToken = createTokenFn(createSessionToken);
+          const { secret } = await req.getBlockletInfo();
+          const sessionConfig = blocklet.settings?.session || {};
+          const targetPassport = validUserSession.passportId
+            ? (user?.passports || []).find((item) => item.id === validUserSession.passportId)
+            : null;
+          const loggedInUser = await node.loginUser({
+            teamDid,
+            user: {
+              did: postUser.did,
+              pk: postUser.pk,
+              passport: targetPassport,
+              connectedAccount: {
+                provider,
+                did: user.did,
+                pk: user.pk,
+              },
+            },
+          });
+          result = createToken(
+            user.did,
+            {
+              secret,
+              passport: targetPassport,
+              role: targetPassport?.role || 'guest',
+              fullName: loggedInUser.fullName,
+              provider,
+              walletOS,
+              emailVerified: !!user?.emailVerified,
+              phoneVerified: !!user?.phoneVerified,
+            },
+            {
+              ...sessionConfig,
+              didConnectVersion: getDidConnectVersion(req),
+            }
+          );
+        }
+        const lastLoginIp = getRequestIP(req);
+        const ua = req.get('user-agent');
+        const walletDeviceMessageToken = req.get('wallet-device-message-token');
+        const walletDeviceId = req.get('wallet-device-id');
+        const userSessionDoc = await node.upsertUserSession({
+          id: validUserSession.id,
+          teamDid,
+          userDid: validUserSession.userDid,
+          visitorId: validSession.visitorId,
+          appPid: validUserSession.appPid,
+          passportId: validUserSession.passportId,
+          status: 'online',
+          ua: null,
+          lastLoginIp,
+          extra: {
+            walletOS,
+            walletDeviceMessageToken,
+            walletDeviceId,
+          },
+        });
+        if (isFederatedLogin) {
+          node.syncUserSession({
+            teamDid,
+            userDid: validUserSession.userDid,
+            visitorId: userSessionDoc.visitorId,
+            passportId: validUserSession.passportId,
+            targetAppPid: validUserSession.appPid,
+            ua,
+            lastLoginIp,
+            extra: {
+              walletOS,
+              walletDeviceMessageToken,
+              walletDeviceId,
+            },
+          });
+        }
+        logger.info('quick-login with', {
+          teamDid,
+          visitorId: userSessionDoc.visitorId,
+          // 记录日志应该使用原始的值
+          userDid: loginUserSession.userDid,
+          appPid: loginUserSession.appPid,
+          passportId: loginUserSession.passportId,
+          extra: {
+            walletOS,
+          },
+        });
+        res.json({ ...result, visitorId: userSessionDoc.visitorId });
+      } else {
+        logger.warn('failed to quick-login with', {
+          teamDid,
+          id: loginUserSession.id,
+          userDid: loginUserSession.userDid,
+          appPid: loginUserSession.appPid,
+          passportId: loginUserSession.passportId,
+        });
+        res.status(401).json({ error: 'session expired' });
+      }
+    });
+    app.get(`${prefix}/myself`, ensureBlocklet(), checkUser, async (req, res) => {
+      const { blocklet } = req;
+      const { appPid } = blocklet;
+      const teamDid = appPid;
+      // 用户管理自己所有的登录会话，不限制 visitorId
+      const userSessions = await node.getUserSession({
+        teamDid,
+        appPid, // 不需要向主站查询 member 的会话列表，所以固定为 teamDid 即可
+        userDid: req.user.did,
+      });
+      const pendingList = userSessions.map((item) =>
+        limit(() =>
+          patchUserSessionData(item, {
+            blocklet,
+            appPid,
+            teamDid,
+            node,
+          })
+        )
+      );
+      await Promise.all(pendingList);
+      const result = userSessions
+        .filter((x) => {
+          return x?.user?.approved;
+        })
+        .map((x) => {
+          // NOTICE: 移除 walletDeviceId 和 walletDeviceMessageToken，避免泄露
+          return omit(x, ['extra.walletDeviceId', 'extra.walletDeviceMessageToken']);
+        });
+      res.json(result);
     });
     /**
      * 获取指定用户的所有登录会话
-     * FIXME: @zhanghan 获取要确保安全性
+     * 使用的场景：
+     * 1. 用户在未登录状态下，查询当前设备符合快捷登录的会话，实现快速登录
+     * 2. 用户在登录状态下，查询当前设备可以使用快捷登录切换的账号
      */
     app.get(`${prefix}`, ensureBlocklet(), async (req, res) => {
       const { blocklet } = req;
-      const teamDid = blocklet.appPid;
+      const { appPid } = blocklet;
+      const teamDid = appPid;
       const requestIp = getRequestIP(req);
-      const userAgent = req.get('user-agent');
+      const currentUserAgent = req.get('user-agent');
+      const visitorId = req.get('x-blocklet-visitor-id');
-      // NOTICE: 此处的 visitorId 必须显式传入，否则用户将无法正常查询自己的所有 sessions
-      const { userDid, appPid, visitorId } = req.query;
-      if (!visitorId && !userDid) {
+      if (!visitorId) {
         res.json([]);
         return;
       }
       const userSessions = await node.getUserSession({
-        appPid,
         teamDid,
-        userDid,
         visitorId,
       });
@@ -317,7 +342,7 @@ module.exports = {
         limit(() =>
           patchUserSessionData(item, {
             blocklet,
-            appPid,
+            appPid: item.appPid,
             teamDid,
             node,
           })
@@ -325,15 +350,15 @@ module.exports = {
       );
       await Promise.all(pendingList);
-      // NOTICE: 移除 walletDeviceId 和 walletDeviceMessageToken，避免泄露
       const result = userSessions
         .filter((x) => {
-          if (x.lastLoginIp !== requestIp || x.ua !== userAgent || x.status === 'expired') {
+          if (x.lastLoginIp !== requestIp || x.ua !== currentUserAgent || x.status === 'expired') {
             return false;
           }
           return x?.user?.approved;
         })
         .map((x) => {
+          // NOTICE: 移除 walletDeviceId 和 walletDeviceMessageToken，避免泄露
           return omit(x, ['extra.walletDeviceId', 'extra.walletDeviceMessageToken']);
         });