@abtnode/blocklet-services 1.16.5 → 1.16.6-beta-4562aa60

package/api/libs/connect/session.js

@@ -9,6 +9,7 @@ const {
   validatePassportStatus,
   getPassportStatusEndpoint,
   getApplicationInfo,
+  verifyNFT,
 } = require('@abtnode/auth/lib/auth');
 const {
   NODE_SERVICES,
@@ -18,6 +19,7 @@ const {
   VC_TYPE_NODE_PASSPORT,
   WHO_CAN_ACCESS,
   WHO_CAN_ACCESS_PREFIX_ROLES,
+  MAIN_CHAIN_ENDPOINT,
 } = require('@abtnode/constant');
 const {
   validatePassport,
@@ -122,17 +124,20 @@ const validateRole = async ({ role, authConfig, locale, node, teamDid }) => {
   }
 };
 
+const checkAppOwner = ({ role, blocklet, userDid, locale = 'en' }) => {
+  if (role === ROLES.OWNER && blocklet.settings.initialized && userDid !== blocklet.settings.owner.did) {
+    throw new Error(messages.notAppOwner[locale]);
+  }
+};
+
 module.exports = {
   login: {
-    onConnect: async ({ node, request, userDid, locale, passportId = '', componentId }) => {
+    onConnect: async ({ node, request, userDid, locale, passportId = '', componentId, action }) => {
       const blocklet = await request.getBlocklet();
       const config = await request.getServiceConfig(NODE_SERVICES.AUTH, { componentId });
       const { did: teamDid } = await request.getBlockletInfo();
 
       const profileFields = get(config, 'profileFields');
-      const [invitedUserOnly] = config ? await isInvitedUserOnly(config, node, teamDid) : [false];
-      const trustedPassports = (blocklet.trustedPassports || []).map((x) => x.issuerDid);
-      const trustedIssuers = [...getBlockletAppIdList(blocklet), ...trustedPassports].filter(Boolean);
 
       const claims = {
         profile: {
@@ -140,16 +145,31 @@ module.exports = {
           description: messages.description[locale],
           items: profileFields || ['fullName', 'avatar'],
         },
-        verifiableCredential: {
+      };
+      if (action === 'login') {
+        const [invitedUserOnly] = config ? await isInvitedUserOnly(config, node, teamDid) : [false];
+        const trustedPassports = (blocklet.trustedPassports || []).map((x) => x.issuerDid);
+        const trustedIssuers = [...getBlockletAppIdList(blocklet), ...trustedPassports].filter(Boolean);
+        claims.verifiableCredential = {
           type: 'verifiableCredential',
           description: messages.requestPassport[locale],
           item: vcTypes,
           trustedIssuers,
           optional: !invitedUserOnly,
-        },
-      };
-      if (passportId) {
-        claims.verifiableCredential.target = passportId;
+        };
+        if (passportId) {
+          claims.verifiableCredential.target = passportId;
+        }
+      }
+
+      if (action === 'exchangePassport') {
+        const trustedFactories = (blocklet.trustedFactories || []).map((x) => x.factoryAddress);
+        claims.asset = {
+          type: 'asset',
+          description: messages.requestNFT[locale],
+          filters: trustedFactories.map((x) => ({ trustedParents: [x] })),
+          optional: false,
+        };
       }
 
       let user = await getRawUser(blocklet.meta.did, userDid, {
@@ -178,6 +198,7 @@ module.exports = {
       baseUrl,
       createSessionToken,
       componentId,
+      action,
     }) => {
       const blocklet = await request.getBlocklet();
       const { wallet, name, passportColor, did: teamDid } = await request.getBlockletInfo();
@@ -201,20 +222,40 @@ module.exports = {
       // Get auth config
       const authConfig = (await request.getServiceConfig(NODE_SERVICES.AUTH, { componentId })) || {};
 
+      let vc;
+      let nftState;
+      let invitedUserOnly = false;
+      let defaultRole = ROLES.GUEST;
+      let defaultTtl = 0;
+      let issuePassport = false;
+
       // Get passport vc
-      const inputVC = await getPassportVc({ blocklet, claims, challenge, locale });
+      if (action === 'login') {
+        vc = await getPassportVc({ blocklet, claims, challenge, locale });
+        [invitedUserOnly, defaultRole, issuePassport] = await isInvitedUserOnly(authConfig, node, teamDid);
+        if (invitedUserOnly && !vc) {
+          throw new Error(messages.missingCredentialClaim[locale]);
+        }
+      } else if (action === 'exchangePassport') {
+        const claim = claims.find((x) => x.type === 'asset');
+        const { users } = await node.getUsers({ teamDid, query: { connectedDid: claim.asset } });
+        if (users.length) {
+          throw new Error(messages.nftAlreadyUsed[locale]);
+        }
 
-      let vc = inputVC;
+        nftState = await verifyNFT({ claims, challenge, locale, chainHost: MAIN_CHAIN_ENDPOINT });
+        const matchFactory = blocklet.trustedFactories.find((x) => x.factoryAddress === nftState.parent);
+        if (!matchFactory) {
+          throw new Error(messages.invalidNftParent[locale]);
+        }
 
-      // Validate passport required
-      const [invitedUserOnly, defaultRole, issuePassport] = await isInvitedUserOnly(authConfig, node, teamDid);
-      if (invitedUserOnly && !vc) {
-        throw new Error(messages.missingCredentialClaim[locale]);
+        defaultRole = matchFactory.passport.role;
+        defaultTtl = matchFactory.passport.ttl;
+        issuePassport = true;
       }
 
-      // Issue passport for the first login user in a invite-only team
       if (issuePassport) {
-        logger.info('issue passport to user at the login workflow', { role: defaultRole });
+        logger.info(`issue passport to user at the ${action} workflow`, { role: defaultRole });
         const profile = claims.find((x) => x.type === 'profile');
         vc = createPassportVC({
           issuerName: name,
@@ -234,6 +275,7 @@ module.exports = {
           }),
           ownerProfile: profile,
           preferredColor: passportColor,
+          expirationDate: defaultTtl ? new Date(Date.now() + defaultTtl * 1000).toISOString() : undefined,
         });
       }
 
@@ -247,10 +289,15 @@ module.exports = {
       const role = await getRoleFromVC({ vc, node, locale, blocklet, teamDid });
       await validateRole({ role, authConfig, locale, node, teamDid });
 
+      checkAppOwner({ role, blocklet, userDid, locale });
+
       // Recreate passport with correct role
       passport = vc ? createUserPassport(vc, { role }) : null;
 
-      const currentTime = new Date().toISOString();
+      const now = new Date().toISOString();
+      const connectedNft = nftState
+        ? { provider: 'nft', did: nftState.address, owner: nftState.owner, firstLoginAt: now, lastLoginAt: now }
+        : null;
 
       // Update profile
       const passportForLog = passport || { name: 'Guest', role: 'guest' };
@@ -262,12 +309,12 @@ module.exports = {
             locale,
             lastUsedPassport: passport,
             lastLoginIp: get(request, 'headers[x-real-ip]') || '',
-            connectedAccount: { provider: 'wallet' },
+            connectedAccount: [{ provider: 'wallet', did: realDid }, connectedNft].filter(Boolean),
           }),
         });
         await node.createAuditLog(
           {
-            action: 'login',
+            action,
             args: { teamDid, userDid: realDid, passport: passportForLog },
             context: formatContext(Object.assign(request, { user: doc })),
             result: doc,
@@ -290,8 +337,8 @@ module.exports = {
             approved: true,
             locale,
             passports: [passport].filter(Boolean),
-            firstLoginAt: currentTime,
-            lastLoginAt: currentTime,
+            firstLoginAt: now,
+            lastLoginAt: now,
             lastLoginIp: get(request, 'headers[x-real-ip]') || '',
             extraConfigs: {
               sourceProvider: 'wallet',
@@ -300,10 +347,11 @@ module.exports = {
                   provider: 'wallet',
                   did: realDid,
                   pk: realPk,
-                  firstLoginAt: currentTime,
-                  lastLoginAt: currentTime,
+                  firstLoginAt: now,
+                  lastLoginAt: now,
                 },
-              ],
+                connectedNft,
+              ].filter(Boolean),
             },
           },
         });
@@ -320,11 +368,11 @@ module.exports = {
 
       // Generate new session token that client can save to localStorage
       const sessionToken = await createSessionToken(realDid, { passport, role });
-      logger.info('login.success', { userDid: realDid, role });
+      logger.info(`${action}.success`, { userDid: realDid, role });
 
       if (
         // if user provides owner passport AND app does not have owner, set this user to owner
-        (inputVC && role === ROLES.OWNER && !blocklet.settings?.owner) ||
+        (vc && role === ROLES.OWNER && !blocklet.settings?.owner) ||
         // if the user will receive a owner passport AND app does not have owner, set this user to owner
         (issuePassport && defaultRole === ROLES.OWNER && !blocklet.settings?.owner)
       ) {
@@ -531,6 +579,8 @@ module.exports = {
       const role = await getRoleFromVC({ vc, node, locale, blocklet, teamDid });
       await validateRole({ role, authConfig, locale, node, teamDid });
 
+      checkAppOwner({ role, blocklet, userDid, locale });
+
       // Recreate passport with correct role
       passport = vc ? createUserPassport(vc, { role }) : null;
 
@@ -566,10 +616,10 @@ module.exports = {
 
   // 基本流程与 login 一致，但在创建更新用户信息的逻辑不一样
   bindWallet: {
-    onConnect: async ({ node, request, userDid, locale, passportId = '', componentId }) => {
+    onConnect: async ({ node, request, userDid, locale, passportId = '', componentId, previousUserDid }) => {
       const translations = {
         en: {
-          notFound: "Can't get bind account infomation",
+          notFound: "Can't get bind account information",
           alreadyBindOAuth: 'already bind with another account',
           alreadyBindWallet: 'Current account is already bind a wallet account',
           alreadyMainAccount: 'Current account is already a main account',
@@ -590,7 +640,7 @@ module.exports = {
       }
 
       const config = await request.getServiceConfig(NODE_SERVICES.AUTH, { componentId });
-      let oauthUser = await getRawUser(teamDid, request.user.did, {
+      let oauthUser = await getRawUser(teamDid, previousUserDid, {
         getUser: node.getUser,
         getUsers: node.getUsers,
       });
@@ -644,11 +694,11 @@ module.exports = {
 
       return claims;
     },
-    onApprove: async ({ node, request, locale, userDid, userPk, claims }) => {
+    onApprove: async ({ node, request, locale, userDid, userPk, claims, previousUserDid }) => {
       const blocklet = await request.getBlocklet();
       const { did: teamDid, wallet: blockletWallet } = await request.getBlockletInfo();
 
-      const oauthUser = await node.getUser({ teamDid, user: { did: request.user.did } });
+      const oauthUser = await node.getUser({ teamDid, user: { did: previousUserDid } });
       const nodeInfo = await request.getNodeInfo();
       // Check user approved
       let bindUser = await getRawUser(teamDid, userDid, {
@@ -665,8 +715,8 @@ module.exports = {
 
       const { dataDir } = await getApplicationInfo({ node, nodeInfo, teamDid });
 
-      const profileold = claims.find((x) => x.type === 'profile') || { avatar: null };
-      const avatar = await extractUserAvatar(oauthUser.avatar || profileold.avatar, { dataDir });
+      const profileOld = claims.find((x) => x.type === 'profile') || { avatar: null };
+      const avatar = await extractUserAvatar(oauthUser.avatar || profileOld.avatar, { dataDir });
       const profile = {
         fullName: oauthUser.fullName,
         avatar,
@@ -770,7 +820,7 @@ module.exports = {
             optional: false,
           };
         },
-        keyPair: getKeyPairClaim(node, false),
+        keyPair: getKeyPairClaim(node, { declare: false }),
       },
     ],
 
@@ -804,4 +854,8 @@ module.exports = {
       return { blocklet, keyPair, user: { role, did: userDid } };
     },
   },
+
+  utils: {
+    checkAppOwner,
+  },
 };

package/api/routes/blocklet.js

@@ -351,5 +351,29 @@ module.exports = {
         res.status(500).send(error.message);
       }
     });
+
+    server.get(`${prefix}/api/blocklet/transfer`, async (req, res) => {
+      const { transferId } = req.query;
+
+      if (!transferId) {
+        res.status(400).send('transferId is required');
+        return;
+      }
+
+      try {
+        const blocklet = await req.getBlocklet();
+        const transfer = await node.getTransferAppOwnerSession({ appDid: blocklet.appDid, transferId });
+
+        if (!transfer || Date.now() > new Date(transfer.expireDate).getTime()) {
+          res.status(404).send('Transfer session not found or has been used');
+          return;
+        }
+
+        res.json(transfer);
+      } catch (err) {
+        logger.error('failed to get transfer info', { transferId, error: err });
+        res.status(500).send(err.message);
+      }
+    });
   },
 };

package/api/routes/oauth.js

@@ -130,7 +130,7 @@ async function login(req, node, options) {
         lastLoginIp,
       },
     });
-    await declareAccount({ wallet: userWallet, moniker: oauthInfo.nickname });
+    await declareAccount({ wallet: userWallet, moniker: oauthInfo.nickname, blocklet });
   }
 
   const { createSessionToken } = initJwt(node, options);
@@ -248,7 +248,7 @@ async function invite(req, node, options) {
         }
       ),
     });
-    await declareAccount({ wallet: userWallet, moniker: oauthInfo.nickname });
+    await declareAccount({ wallet: userWallet, moniker: oauthInfo.nickname, blocklet });
   }
 
   const { createSessionToken } = initJwt(node, options);

package/api/services/auth/connect/bind-wallet.js

@@ -7,7 +7,7 @@ const { onConnect, onApprove } = bindWallet;
 module.exports = function createRoutes(node, authenticator, createSessionToken) {
   return {
     action: 'bind-wallet',
-    onConnect: async ({ req, userDid, extraParams: { locale, passportId = '', componentId } }) => {
+    onConnect: async ({ req, userDid, extraParams: { locale, passportId = '', componentId, previousUserDid } }) => {
       return onConnect({
         node,
         request: req,
@@ -15,10 +15,19 @@ module.exports = function createRoutes(node, authenticator, createSessionToken)
         locale,
         passportId,
         componentId,
+        previousUserDid,
       });
     },
 
-    onAuth: async ({ claims, challenge, userDid, userPk, extraParams: { locale, componentId }, req, baseUrl }) => {
+    onAuth: async ({
+      claims,
+      challenge,
+      userDid,
+      userPk,
+      extraParams: { locale, componentId, previousUserDid },
+      req,
+      baseUrl,
+    }) => {
       try {
         const result = await onApprove({
           node,
@@ -31,6 +40,7 @@ module.exports = function createRoutes(node, authenticator, createSessionToken)
           claims,
           createSessionToken,
           componentId,
+          previousUserDid,
         });
 
         return result;

package/api/services/auth/connect/exchange-passport.js

@@ -0,0 +1,58 @@
+const logger = require('@abtnode/logger')(require('../../../../package.json').name);
+
+const { messages } = require('@abtnode/auth/lib/auth');
+const { login } = require('../../../libs/connect/session');
+
+const { onConnect, onApprove } = login;
+
+module.exports = function createRoutes(node, authenticator, createSessionToken) {
+  return {
+    action: 'exchange-passport',
+
+    onStart: async ({ extraParams, request }) => {
+      const { locale = 'en' } = extraParams;
+      const blocklet = await request.getBlocklet();
+      if (blocklet.trustedFactories.length === 0) {
+        throw new Error(messages.notAllowed[locale]);
+      }
+    },
+
+    onConnect: async ({ req, userDid, extraParams: { locale, passportId = '', componentId } }) => {
+      return onConnect({ node, request: req, userDid, locale, passportId, componentId, action: 'exchangePassport' });
+    },
+
+    onAuth: async ({
+      claims,
+      challenge,
+      userDid,
+      userPk,
+      updateSession,
+      extraParams: { locale, componentId },
+      req,
+      baseUrl,
+    }) => {
+      try {
+        const result = await onApprove({
+          node,
+          request: req,
+          locale,
+          challenge,
+          userDid,
+          userPk,
+          baseUrl,
+          claims,
+          createSessionToken,
+          componentId,
+          action: 'exchangePassport',
+        });
+
+        await updateSession({ sessionToken: result.sessionToken }, true);
+
+        return result;
+      } catch (err) {
+        logger.error('login.error', { error: err, userDid });
+        throw new Error(err.message);
+      }
+    },
+  };
+};

package/api/services/auth/connect/login.js

@@ -8,7 +8,7 @@ module.exports = function createRoutes(node, authenticator, createSessionToken)
   return {
     action: 'login',
     onConnect: async ({ req, userDid, extraParams: { locale, passportId = '', componentId } }) => {
-      return onConnect({ node, request: req, userDid, locale, passportId, componentId });
+      return onConnect({ node, request: req, userDid, locale, passportId, componentId, action: 'login' });
     },
 
     onAuth: async ({
@@ -33,6 +33,7 @@ module.exports = function createRoutes(node, authenticator, createSessionToken)
           claims,
           createSessionToken,
           componentId,
+          action: 'login',
         });
 
         await updateSession({ sessionToken: result.sessionToken }, true);

package/api/services/auth/connect/pre-setup.js

@@ -1,5 +1,5 @@
 const pick = require('lodash/pick');
-const { getSetupBlockletClaims } = require('@abtnode/auth/lib/server');
+const { getAppDidOwnerClaims } = require('@abtnode/auth/lib/server');
 const verifySignature = require('@abtnode/auth/lib/util/verify-signature');
 
 const logger = require('@abtnode/logger')(require('../../../../package.json').name);
@@ -8,7 +8,7 @@ module.exports = function createRoutes() {
   return {
     action: 'pre-setup',
     authPrincipal: false,
-    claims: getSetupBlockletClaims(),
+    claims: getAppDidOwnerClaims(),
     onAuth: async ({ claims, userDid, userPk, extraParams: { locale } }) => {
       const claim = claims.find((x) => x.type === 'signature');
       verifySignature(claim, userDid, userPk, locale);