npm - @abtnode/blocklet-services - Versions diffs - 1.16.42-beta-20250413-121549-22e9a196 → 1.16.42-beta-20250415-222652-04c5d2fe - Mend

@abtnode/blocklet-services 1.16.42-beta-20250413-121549-22e9a196 → 1.16.42-beta-20250415-222652-04c5d2fe

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (340) hide show

package/api/index.js CHANGED Viewed

@@ -12,7 +12,6 @@ const httpProxy = require('@arcblock/http-proxy');
 const { minimatch } = require('minimatch');
 const helmet = require('helmet');
 const isUrl = require('is-url');
 const { WELLKNOWN_SERVICE_PATH_PREFIX, EVENTS } = require('@abtnode/constant');
 const {
   BlockletEvents,
@@ -62,7 +61,8 @@ const StudioService = require('./services/studio');
 const AnalyticService = require('./services/analytics');
 const DidSpaceService = require('./services/did-space');
 const createEnvRoutes = require('./routes/env');
-const createOAuthRoutes = require('./routes/oauth');
+const createOauthClientRoutes = require('./routes/oauth/client');
+const createOAuthServerRoutes = require('./routes/oauth/server');
 const createFederatedRoutes = require('./routes/federated');
 const createUserRoutes = require('./routes/user');
 const createOcapRoutes = require('./routes/ocap');
@@ -722,7 +722,8 @@ self.blocklet = {
   createMCPRoutes.init(server, node);
   // API: auth
-  createOAuthRoutes.init(server, node, options);
+  createOauthClientRoutes.init(server, node, options);
+  createOAuthServerRoutes.init(server, node, options);
   createFederatedRoutes.init(server, node, options);
   createUserRoutes.init(server, node, options);
   createOcapRoutes.init(server);

package/api/libs/auth/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 const { default: axios } = require('axios');
 const logger = require('../logger')('blocklet-services:oauth');
-const { verifyIdToken } = require('../../services/oauth');
+const { verifyIdToken } = require('../../services/oauth/client');
 /**
  * @typedef {Object} Provider
@@ -53,7 +53,7 @@ function getUrl(urlLike, params) {
   return url.toString();
 }
-class OAuthClient {
+class OauthClient {
   /**
    * Constructor for initializing providers.
    * @param {Object} options
@@ -120,7 +120,7 @@ class OAuthClient {
   async getUserInfo(tokens) {
     try {
       if (tokens.id_token) {
-        const cliams = await verifyIdToken({
+        const claims = await verifyIdToken({
           clientId:
             this.provider?.getClientList?.() || this.provider?.getClientId?.() || this.provider.options.clientId,
           idToken: tokens.id_token,
@@ -128,7 +128,7 @@ class OAuthClient {
           jwksUri: this.provider.jwks_uri,
           nonce: tokens.nonce,
         });
-        return cliams;
+        return claims;
       }
       if (this.provider.userinfo?.request) {
         return this.provider.userinfo.request({ tokens });
@@ -169,5 +169,5 @@ class OAuthClient {
 }
 module.exports = {
-  OAuthClient,
+  OauthClient,
 };

package/api/libs/connect/session.js CHANGED Viewed

@@ -48,11 +48,12 @@ const { getDidSpacesInfoByClaims, silentAuthorizationInConnect } = require('@abt
 const getRequestIP = require('@abtnode/util/lib/get-request-ip');
 const { PASSPORT_LOG_ACTION, PASSPORT_SOURCE, PASSPORT_STATUS } = require('@abtnode/constant');
 const { getDeviceData } = require('@abtnode/util/lib/device');
+const { getVerifyAccessClaims } = require('@abtnode/auth/lib/server');
 const logger = require('../logger')('connect');
 const { createTokenFn, getDidConnectVersion } = require('../../util');
 const { transferPassport, PASSPORT_VC_TYPES } = require('../auth/utils');
-const { migrateAccount, declareAccount } = require('../../services/oauth');
+const { migrateAccount, declareAccount } = require('../../services/oauth/client');
 const { getKycClaims, verifyKycClaims, getPassportVc, getProfileItems } = require('../kyc');
 const { getTrustedIssuers, getFederatedTrustedIssuers } = require('../../util/blocklet-utils');
 const {
@@ -64,6 +65,7 @@ const {
   syncFederatedUser,
 } = require('../../util/federated');
 const { Profile } = require('../../state/profile');
+const { getDefaultPassport } = require('../../util/user-util');
 // do some check if the passport issued by the blocklet itself
 const validateLocalPassport = async ({ vc, node, locale, blocklet, teamDid, userDid }) => {
@@ -184,6 +186,29 @@ const checkAppOwner = async ({ node, role, blocklet, userDid, locale = 'en' }) =
   throw new Error(messages.notAppOwner[locale]);
 };
+const checkUserRole = async ({ node, userDid, locale, request, roles }) => {
+  const blocklet = await request.getBlocklet();
+  const user = await node.getUser({ teamDid: blocklet.appPid, user: { did: userDid } });
+  if (!user) {
+    throw new Error(messages.notAllowed[locale]);
+  }
+  if (!user.approved) {
+    throw new Error(messages.notAuthorized[locale]);
+  }
+  const sourceAppPid = getSourceAppPid(request);
+  return {
+    verifiableCredential: getVerifyAccessClaims({
+      node,
+      passports: user.passports,
+      roles,
+      types: PASSPORT_VC_TYPES,
+      source: 'blocklet',
+      trustedIssuers: await getTrustedIssuers(blocklet, { sourceAppPid }),
+    }),
+  };
+};
 /**
  * @description
  * @param {import('@abtnode/client').BlockletState} blocklet
@@ -519,7 +544,7 @@ module.exports = {
       let fullName = currentUser?.fullName;
       // Update profile
-      const passportForLog = passport || { name: 'Guest', role: 'guest' };
+      const passportForLog = passport || getDefaultPassport();
       const connectAccount = { provider, did: userDid, pk: userPk };
@@ -1039,7 +1064,7 @@ module.exports = {
       });
       // Audit log
-      const passportForLog = passport || { name: 'Guest', role: 'guest' };
+      const passportForLog = passport || getDefaultPassport();
       await node.createAuditLog(
         {
           action: 'switchPassport',
@@ -1390,5 +1415,6 @@ module.exports = {
   utils: {
     checkAppOwner,
+    checkUserRole,
   },
 };

package/api/libs/jwt.js CHANGED Viewed

@@ -17,6 +17,24 @@ const initJwt = (node, options) => {
   // 保持默认有效期为 1 天
   const ttl = options.sessionTtl || '1d';
+  /**
+   * Creates a JWT session token for a user
+   * @param {string} did - The DID of the user
+   * @param {Object} options - Token creation options
+   * @param {string} options.role - User's role
+   * @param {string} options.secret - Secret key used to sign the token
+   * @param {Object} [options.passport] - User's passport information
+   * @param {string} [options.expiresIn] - Token expiration time, defaults to configured ttl
+   * @param {string} [options.tokenType] - Type of token being created
+   * @param {string} [options.fullName] - User's full name
+   * @param {string} [options.provider=LOGIN_PROVIDER.WALLET] - Authentication provider
+   * @param {string} [options.walletOS] - User's wallet operating system
+   * @param {boolean} [options.emailVerified=false] - Whether user's email is verified
+   * @param {boolean} [options.phoneVerified=false] - Whether user's phone is verified
+   * @param {boolean} [options.elevated=false] - Whether the session has elevated privileges
+   * @param {Object} [options.oauth=null] - OAuth related information
+   * @returns {Object} The created token object
+   */
   const createSessionToken = (
     did,
     {
@@ -31,6 +49,7 @@ const initJwt = (node, options) => {
       emailVerified = false,
       phoneVerified = false,
       elevated = false,
+      oauth = null,
     }
   ) =>
     createAuthToken({
@@ -45,8 +64,20 @@ const initJwt = (node, options) => {
       walletOS,
       kyc: encodeKycStatus(emailVerified, phoneVerified),
       elevated,
+      oauth,
     });
+  /**
+   * Verifies a JWT session token
+   * @param {string} token - The JWT token to verify
+   * @param {string} secret - Secret key used to verify the token
+   * @param {Object} [options={}] - Verification options
+   * @param {boolean|Function} options.checkFromDb - Whether to check user from database or a function that returns boolean
+   * @param {string} options.teamDid - The DID of the team/application
+   * @param {Function} options.checkToken - Optional function to perform additional token validation
+   * @param {string} [options.locale='en'] - Locale for error messages, defaults to 'en'
+   * @returns {Promise<Object>} - Resolves with decoded token data if valid
+   */
   const verifySessionToken = (token, secret, { checkFromDb, teamDid, checkToken, locale = 'en' } = {}) =>
     // eslint-disable-next-line implicit-arrow-linebreak
     new Promise((resolve, reject) => {
@@ -72,6 +103,8 @@ const initJwt = (node, options) => {
           walletOS,
           kyc = 0,
           elevated = false,
+          oauth = null,
+          exp,
         } = decoded;
         let user;
         if (!did) {
@@ -107,9 +140,11 @@ const initJwt = (node, options) => {
           user.walletOS = walletOS;
           user.kyc = encodeKycStatus(user.emailVerified, user.phoneVerified);
           user.elevated = elevated;
+          user.oauth = oauth;
+          user.exp = exp;
         } else {
           user = Object.assign(
-            { did, role, passport, fullName, provider, walletOS, kyc, elevated },
+            { did, role, passport, fullName, provider, walletOS, kyc, elevated, oauth, exp },
             decodeKycStatus(kyc)
           );
         }

package/api/routes/federated.js CHANGED Viewed

@@ -27,7 +27,7 @@ const {
   getUserWithinFederated,
   getTrustedDomains,
 } = require('../util/federated');
-const { declareAccount, migrateAccount } = require('../services/oauth');
+const { declareAccount, migrateAccount } = require('../services/oauth/client');
 const { checkFederatedCall } = require('../middlewares/check-federated');
 const PREFIX = WELLKNOWN_SERVICE_PATH_PREFIX;

package/api/routes/mcp.js CHANGED Viewed

@@ -1,18 +1,20 @@
-/* eslint-disable no-console */
 const { WELLKNOWN_SERVICE_PATH_PREFIX, SECURITY_RULE_DEFAULT_ID } = require('@abtnode/constant');
 const { joinURL } = require('ufo');
 const get = require('lodash/get');
 const getBlockletInfo = require('@blocklet/meta/lib/info');
 const { checkPublicAccess } = require('@blocklet/meta/lib/util');
 // eslint-disable-next-line import/no-unresolved
-const { SSEServerTransport } = require('@modelcontextprotocol/sdk/server/sse.js');
+const { SSEServerTransport } = require('@blocklet/mcp/server/sse.js');
-const { mcpServer } = require('../services/mcp/server');
+const { initMcpServer } = require('../services/mcp/server');
+const logger = require('../libs/logger')('mcp:server:routes');
 const isMCPSupported = (b) => get(b.meta, 'capabilities.mcp', false);
 module.exports = {
   init(server, node) {
+    const mcpServer = initMcpServer(node);
     // Return all MCP servers
     server.get(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/servers'), async (req, res) => {
       const blocklet = await req.getBlocklet();
@@ -50,7 +52,7 @@ module.exports = {
         }
       });
-      // TODO: should we include official services? such as chain, did-spaces, name-service, etc.
+      // TODO: @wangshijun should we include official services? such as chain, did-spaces, name-service, etc.
       res.json({
         version: info.version,
         servers: mcpServers,
@@ -61,27 +63,38 @@ module.exports = {
     // to support multiple simultaneous connections we have a lookup object from sessionId to transport
     const transports = {};
-    server.get(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/sse'), async (_, res) => {
+    server.get(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/sse'), async (req, res) => {
+      if (!req.user) {
+        res.status(401).json({ error: 'Unauthorized' });
+        return;
+      }
       // Set required headers for SSE
       res.header('X-Accel-Buffering', 'no');
       const transport = new SSEServerTransport(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/messages'), res);
-      transports[transport.sessionId] = transport;
+      transport.authContext = Object.assign({ user: req.user || {} }, { blockletDid: req.getBlockletDid() });
+      const { sessionId } = transport;
+      transports[sessionId] = transport;
+      logger.debug('Client connected', sessionId);
       res.on('close', () => {
-        delete transports[transport.sessionId];
+        logger.debug('Client Disconnected', sessionId);
+        delete transports[sessionId];
       });
       await mcpServer.connect(transport);
     });
     server.post(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/messages'), async (req, res) => {
       const { sessionId } = req.query;
-      const transport = transports[sessionId];
-      if (transport) {
-        // Send the body to the transport since we have already parsed it
-        await transport.handlePostMessage(req, res, req.body);
-      } else {
-        res.status(400).send('No transport found for sessionId');
+      logger.debug('Client Message', { sessionId, body: req.body });
+      let transport = transports[sessionId];
+      if (!transport) {
+        transport = new SSEServerTransport(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/messages'), res);
       }
+      // Send the body to the transport since we have already parsed it
+      transport.authContext = Object.assign({ user: req.user || {} }, { blockletDid: req.getBlockletDid() });
+      await transport.handlePostMessage(req, res, req.body);
     });
   },
 };

package/api/routes/{oauth.js → oauth/client.js} RENAMED Viewed

@@ -13,22 +13,23 @@ const createTranslator = require('@abtnode/util/lib/translate');
 const CustomError = require('@abtnode/util/lib/custom-error');
 const { LOGIN_PROVIDER } = require('@blocklet/constant');
 const { withHttps, withTrailingSlash } = require('ufo');
-const logger = require('../libs/logger')('oauth');
-const { OAuthClient } = require('../libs/auth');
-const OAuthAuth0 = require('../libs/auth/adapters/auth0');
-const OAuthAuth0Legacy = require('../libs/auth/adapters/auth0-legacy');
-const OAuthGithub = require('../libs/auth/adapters/github');
-const OAuthGoogle = require('../libs/auth/adapters/google');
-const OAuthApple = require('../libs/auth/adapters/apple');
-const { getAvatarByEmail, transferPassport, getAvatarByUrl } = require('../libs/auth/utils');
-const initJwt = require('../libs/jwt');
-const { sendToUser } = require('../libs/notification');
-const { createTokenFn, getDidConnectVersion, redirectWithoutCache } = require('../util');
-const federatedUtil = require('../util/federated');
-const userUtil = require('../util/user-util');
-const { isOAuthEmailVerified, isEmailUniqueRequired, isEmailKycRequired, isSameEmail } = require('../libs/kyc');
-const checkUser = require('../middlewares/check-user');
+const { getLastUsedPassport } = require('@abtnode/auth/lib/passport');
+const logger = require('../../libs/logger')('oauth:client');
+const { OauthClient } = require('../../libs/auth');
+const OAuthAuth0 = require('../../libs/auth/adapters/auth0');
+const OAuthAuth0Legacy = require('../../libs/auth/adapters/auth0-legacy');
+const OAuthGithub = require('../../libs/auth/adapters/github');
+const OAuthGoogle = require('../../libs/auth/adapters/google');
+const OAuthApple = require('../../libs/auth/adapters/apple');
+const { getAvatarByEmail, transferPassport, getAvatarByUrl } = require('../../libs/auth/utils');
+const initJwt = require('../../libs/jwt');
+const { sendToUser } = require('../../libs/notification');
+const { createTokenFn, getDidConnectVersion, redirectWithoutCache } = require('../../util');
+const federatedUtil = require('../../util/federated');
+const userUtil = require('../../util/user-util');
+const { isOAuthEmailVerified, isEmailUniqueRequired, isEmailKycRequired, isSameEmail } = require('../../libs/kyc');
+const checkUser = require('../../middlewares/check-user');
 const PREFIX = WELLKNOWN_SERVICE_PATH_PREFIX;
@@ -143,7 +144,7 @@ function getAuthClient(blocklet, provider, { legacy = false, appPid } = {}) {
     if (!providerConfig.clientSecret) {
       throw new Error('missing client secret');
     }
-    return new OAuthClient({
+    return new OauthClient({
       provider: OAuthAuth0({
         // HACK: auth0 比较奇葩，它的 issuer 有斜杠后缀
         issuer: withTrailingSlash(withHttps(providerConfig.domain)),
@@ -155,13 +156,13 @@ function getAuthClient(blocklet, provider, { legacy = false, appPid } = {}) {
   }
   if (provider === 'github') {
-    return new OAuthClient({ provider: OAuthGithub(providerConfig) });
+    return new OauthClient({ provider: OAuthGithub(providerConfig) });
   }
   if (provider === 'google') {
-    return new OAuthClient({ provider: OAuthGoogle(providerConfig) });
+    return new OauthClient({ provider: OAuthGoogle(providerConfig) });
   }
   if (provider === 'apple') {
-    return new OAuthClient({ provider: OAuthApple(providerConfig) });
+    return new OauthClient({ provider: OAuthApple(providerConfig) });
   }
   return null;
 }
@@ -193,7 +194,7 @@ async function login(req, node, options) {
     userInfo: oauthInfo,
   };
   let profile;
-  const lastUsedPassport = userUtil.getLastUsedPassport({ passports: currentUser?.passports });
+  const lastUsedPassport = getLastUsedPassport(currentUser?.passports, '', { useFallback: false });
   if (!currentUser) {
     currentUser = {
       did: userDid,

package/api/routes/oauth/server.js ADDED Viewed

@@ -0,0 +1,95 @@
+/* eslint-disable import/no-unresolved */
+const { joinURL } = require('ufo');
+const { OAUTH_ENDPOINTS, OAUTH_CLIENT_SECRET_TTL, WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
+const { authorizationHandler } = require('@blocklet/mcp/server/auth/handlers/authorize.js');
+const { tokenHandler } = require('@blocklet/mcp/server/auth/handlers/token.js');
+const { revocationHandler } = require('@blocklet/mcp/server/auth/handlers/revoke.js');
+const { clientRegistrationHandler } = require('@blocklet/mcp/server/auth/handlers/register.js');
+const { createBlockletOAuthServerProvider } = require('../../services/oauth/server');
+const { redirectWithoutCache, getRedirectUrl } = require('../../util');
+const logger = require('../../libs/logger')('oauth:server:routes');
+module.exports = {
+  init(router, node, options) {
+    const prefix = `${WELLKNOWN_SERVICE_PATH_PREFIX}/oauth`;
+    const ensureOAuthProvider = async (req, res, next) => {
+      const [blocklet, info] = await Promise.all([req.getBlocklet(), req.getBlockletInfo()]);
+      if (!blocklet) {
+        return res.status(404).json({ error: 'Blocklet not found' });
+      }
+      // TODO: @wangshijun check if oauth server service is enabled, make it configurable
+      req.provider = createBlockletOAuthServerProvider(node, options, blocklet, info);
+      return next();
+    };
+    router.use(joinURL(prefix, OAUTH_ENDPOINTS.AUTHORIZATION), ensureOAuthProvider, (req, res, next) => {
+      if (req.method === 'GET') {
+        if (req.user) {
+          logger.debug('User already logged in, send to consent page');
+          // Send to oauth consent page
+          next();
+        } else {
+          logger.debug('User not logged in, send to login page');
+          // redirect to login page and redirect back once login success
+          redirectWithoutCache(
+            res,
+            getRedirectUrl({
+              req,
+              pagePath: '/login',
+              params: {
+                redirect: req.originalUrl,
+              },
+            })
+          );
+        }
+      } else if (req.method === 'POST') {
+        logger.debug('Handle oauth authorization request', req.body);
+        if (req.body.action === 'deny') {
+          logger.debug('User denied oauth authorization, redirect to redirect_uri');
+          const errorUrl = new URL(req.body.redirect_uri);
+          errorUrl.searchParams.set('error', 'access_denied');
+          errorUrl.searchParams.set('error_description', 'The user denied the request');
+          if (req.body.state) errorUrl.searchParams.set('state', req.body.state);
+          res.redirect(errorUrl.toString());
+          return;
+        }
+        authorizationHandler({ provider: req.provider, rateLimit: false })(req, res, next);
+      } else {
+        res.status(405).json({ error: 'Method not allowed' });
+      }
+    });
+    router.use(joinURL(prefix, OAUTH_ENDPOINTS.TOKEN), ensureOAuthProvider, (req, res, next) => {
+      tokenHandler({ provider: req.provider, rateLimit: false })(req, res, next);
+    });
+    router.use(joinURL(prefix, OAUTH_ENDPOINTS.REGISTRATION), ensureOAuthProvider, (req, res, next) => {
+      clientRegistrationHandler({
+        clientsStore: req.provider.clientsStore,
+        clientSecretExpirySeconds: OAUTH_CLIENT_SECRET_TTL,
+        rateLimit: false,
+      })(req, res, next);
+    });
+    router.use(joinURL(prefix, OAUTH_ENDPOINTS.REVOCATION), ensureOAuthProvider, (req, res, next) => {
+      revocationHandler({ provider: req.provider, rateLimit: false })(req, res, next);
+    });
+    router.get(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/api/oauth/client'), ensureOAuthProvider, async (req, res) => {
+      const { clientId } = req.query;
+      if (!clientId) {
+        res.status(400).json({ error: 'clientId is required' });
+        return;
+      }
+      const client = await req.provider.clientsStore.getClient(clientId);
+      res.json(client);
+    });
+  },
+};

package/api/routes/user.js CHANGED Viewed

@@ -446,7 +446,7 @@ function checkUserSig({ node }) {
 }
 async function loginEmail(req, node, options) {
-  const { locale = 'en' } = req.query;
+  const locale = req.blockletLocale;
   const { sourceAppPid = null, inviter = null } = req.body;
   const blocklet = await req.getBlocklet();
@@ -482,7 +482,7 @@ async function loginEmail(req, node, options) {
     id: sub,
     userInfo,
   };
-  const lastUsedPassport = userUtil.getLastUsedPassport({ passports: currentUser?.passports });
+  const lastUsedPassport = getLastUsedPassport(currentUser?.passports, '', { useFallback: false });
   if (!currentUser) {
     await userUtil.checkNeedInvite({ req, node, teamDid, locale });
@@ -522,7 +522,7 @@ async function loginEmail(req, node, options) {
 }
 async function inviteEmail(req, node, options) {
-  const { locale = 'en' } = req.query;
+  const locale = req.blockletLocale;
   const { sourceAppPid = null, inviteId, baseUrl } = req.body;
   if (!inviteId) {
@@ -1084,7 +1084,7 @@ module.exports = {
     );
     server.post(`${prefixApi}/email/sendCode`, ensureBlocklet(), ensureCors, async (req, res) => {
-      const { locale = 'en' } = req.query;
+      const locale = req.blockletLocale;
       const { blocklet } = req;
       const teamDid = blocklet.appPid;
       const { email, useCode = true, useMagicLink = true, sourceAppPid = null } = req.body;
@@ -1140,6 +1140,7 @@ module.exports = {
           params: {
             ...emailData,
             subject,
+            locale,
           },
         });
       } else {

package/api/services/auth/connect/gen-access-key.js ADDED Viewed

@@ -0,0 +1,92 @@
+const { getSourceAppPid } = require('@blocklet/sdk/lib/util/login');
+const { messages } = require('@abtnode/auth/lib/auth');
+const { authenticateByVc } = require('@abtnode/auth/lib/server');
+const { PASSPORT_LOG_ACTION } = require('@abtnode/constant');
+const formatContext = require('@abtnode/util/lib/format-context');
+const logger = require('../../../libs/logger')('blocklet-service:connect-cli');
+const { utils } = require('../../../libs/connect/session');
+const { PASSPORT_VC_TYPES } = require('../../../libs/auth/utils');
+const { getTrustedIssuers } = require('../../../util/blocklet-utils');
+const allowedRoles = ['owner', 'admin'];
+module.exports = function createRoutes(node) {
+  return {
+    action: 'gen-access-key',
+    onConnect: async ({ request, userDid, extraParams: { locale } }) => {
+      const checkUserRole = await utils.checkUserRole({ node, userDid, locale, request, roles: allowedRoles });
+      return checkUserRole;
+    },
+    onAuth: async ({ request, userDid, challenge, claims, updateSession, extraParams }) => {
+      const { locale } = extraParams;
+      const sourceAppPid = getSourceAppPid(request);
+      const blocklet = await request.getBlocklet();
+      const { role, user, passport } = await authenticateByVc({
+        node,
+        locale,
+        teamDid: blocklet.appPid,
+        userDid,
+        claims,
+        challenge,
+        types: PASSPORT_VC_TYPES,
+        trustedIssuers: await getTrustedIssuers(blocklet, { sourceAppPid }),
+        action: 'gen-access-key',
+      });
+      if (!allowedRoles.includes(role)) {
+        throw new Error(messages.notAllowed[locale]);
+      }
+      if (passport) {
+        await node.createPassportLog(
+          blocklet.appPid,
+          {
+            passportId: passport.id,
+            action: PASSPORT_LOG_ACTION.USED,
+            operatorDid: userDid,
+            metadata: {
+              action: 'gen-access-key',
+              ownerDid: userDid,
+              userDid: user.did,
+            },
+          },
+          request
+        );
+      }
+      const teamDid = blocklet.meta.did;
+      const { accessKeyId, accessKeySecret, expireAt } = await node.createAccessKey(
+        { teamDid, remark: extraParams.source, createdVia: 'connect', passport: 'ci' },
+        { user }
+      );
+      await node.createAuditLog(
+        {
+          action: 'switchPassport',
+          args: { teamDid, userDid, passport, sourceAppPid },
+          context: formatContext(Object.assign(request, { user })),
+          result: { accessKeyId, expireAt },
+        },
+        node
+      );
+      logger.info('accessKeyId', accessKeyId);
+      await updateSession(
+        {
+          config: {
+            developerDid: userDid,
+            accessKeyId,
+            accessKeySecret,
+            expireAt,
+          },
+        },
+        true
+      );
+    },
+  };
+};

package/api/services/auth/index.js CHANGED Viewed

@@ -40,6 +40,8 @@ const createApproveVaultAuth = require('./connect/approve-vault');
 const createSessionRoutes = require('./session');
 const createPassportRoutes = require('./passport');
 const createPasskeyRoutes = require('./passkey');
+const createGenAccessKeyRoutes = require('./connect/gen-access-key');
 const { getRedirectUrl, shouldIgnoreUrl, redirectWithoutCache } = require('../../util');
 const { createConnectToDidSpacesForUserRoute } = require('./connect/connect-to-did-spaces-for-user');
 const { isEmailKycRequired, isPhoneKycRequired } = require('../../libs/kyc');
@@ -211,6 +213,11 @@ const init = ({ node, options }) => {
     const { token } = req;
     await req.ensureUser({ token });
+    // Saved for oauth server
+    if (req.user) {
+      res.locals.user = req.user;
+    }
     setUserInfoHeaders(req);
     next();
@@ -247,6 +254,7 @@ const init = ({ node, options }) => {
       handler.attach(Object.assign({ app }, createVerifyElevatedAuth(node, authenticator, createSessionToken)));
       handler.attach(Object.assign({ app }, createVerifyDestroyAuth(node, authenticator, createSessionToken)));
       handler.attach(Object.assign({ app }, createDestroyMyselfAuth(node)));
+      handler.attach(Object.assign({ app }, createGenAccessKeyRoutes(node)));
     });
   };

package/api/services/auth/passkey.js CHANGED Viewed

@@ -2,7 +2,7 @@ const { createPasskeyHandlers } = require('@abtnode/auth/lib/passkey');
 const { WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
 const { createPassportList, createPassportSwitcher } = require('@abtnode/auth/lib/oauth');
 const { createTokenFn } = require('../../util');
-const { checkUser } = require('../../routes/oauth');
+const { checkUser } = require('../../routes/oauth/client');
 module.exports = {
   init(router, node, options, createSessionToken) {