@abtnode/blocklet-services 1.6.23

package/services/auth/index.js

@@ -0,0 +1,290 @@
+/* eslint-disable arrow-parens */
+const path = require('path');
+const get = require('lodash/get');
+const minimatch = require('minimatch');
+const bearerToken = require('express-bearer-token');
+const validators = require('@blocklet/sdk/lib/validators');
+const {
+  genPermissionName,
+  NODE_SERVICES,
+  NODE_SERVICES_PREFIX,
+  WELLKNOWN_AUTH_PATH_PREFIX,
+} = require('@abtnode/constant');
+const { BLOCKLET_MODES, BlockletStatus } = require('@blocklet/meta/lib/constants');
+
+const getBlockletNotRunningTemplate = require('@abtnode/router-templates/lib/blocklet-not-running');
+const getBlockletMaintenanceTemplate = require('@abtnode/router-templates/lib/blocklet-maintenance');
+const { getBaseUrl } = require('@abtnode/router-adapter');
+const { setUserInfoHeaders } = require('@abtnode/auth/lib/auth');
+const logger = require('@abtnode/logger')(require('./meta.json').name);
+
+const { name, description, version } = require('./meta.json');
+
+const initJwt = require('./libs/jwt');
+const initAuth = require('./libs/auth');
+const createLoginRoutes = require('./routes/login');
+const createInviteRoutes = require('./routes/invite');
+const createIssuePassportAuth = require('./routes/issue-passport');
+const createLostPassportListAuth = require('./routes/lost-passport-list');
+const createLostPassportIssueAuth = require('./routes/lost-passport-issue');
+const createSessionRoutes = require('./routes/session');
+const createEnvRoutes = require('./routes/env');
+const createBlockletRoutes = require('./routes/blocklet-info');
+const createPassportRoutes = require('./routes/passport');
+const { init: initNotification } = require('./routes/notification');
+const { init: initStates } = require('./state/index');
+
+const defaultOptions = {
+  dataDir: '',
+  sessionSecret: 'your_should_change_this',
+  sessionTtl: '7d',
+  webWalletUrl: 'https://web.abtwallet.io',
+  loginTokenKey: 'login_token',
+};
+
+const init = ({ node, httpRouter, serviceHttpRouter, wsRouter, options }) => {
+  if (!options.dataDir) {
+    throw new Error('Auth service requires dataDir to start');
+  }
+  if (!options.sessionSecret) {
+    throw new Error('Auth service requires sessionSecret to start');
+  }
+
+  const isProduction = process.env.NODE_ENV === 'production' || process.env.ABT_NODE_SERVICE_ENV === 'production';
+  const isE2E = process.env.NODE_ENV === 'e2e';
+  const distDir = path.resolve(__dirname, '../../build');
+
+  logger.info('init params', { isProduction, distDir });
+
+  const opts = { ...defaultOptions, ...options, name, description, version, prefix: NODE_SERVICES_PREFIX.AUTH_SERVICE };
+  if (opts.sessionSecret === defaultOptions.sessionSecret) {
+    logger.warn('session secret should be set to make things secure');
+  }
+
+  /**
+   * set user info to req.user
+   */
+  const ensureUser = async ({ req, token } = {}) => {
+    try {
+      if (token) {
+        const teamDid = req.getBlockletDid();
+        const result = await verify(token, teamDid);
+        req.user = result;
+      }
+    } catch {
+      // Do nothing
+    }
+  };
+
+  /**
+   * @returns {object} res
+   *  {boolean} res.blocked
+   *  {boolean} res.authenticated
+   *  {boolean} res.authorized
+   */
+  const checkAuth = async ({ req } = {}) => {
+    if (!isProduction && !isE2E) {
+      return {};
+    }
+
+    const config = (await req.getServiceConfig(NODE_SERVICES.AUTH_SERVICE)) || {};
+
+    const ignoreUrls = (get(config, 'ignoreUrls') || []).filter(Boolean);
+
+    const shouldIgnore = ignoreUrls.some((s) => minimatch(req.url, s)) || req.url.startsWith(`${opts.prefix}/api`);
+    if (shouldIgnore) {
+      return {};
+    }
+
+    if (config.blockUnauthenticated === false) {
+      return {};
+    }
+
+    if (!req.user) {
+      return { blocked: true, authenticated: false };
+    }
+
+    if (!config.blockUnauthorized) {
+      return {};
+    }
+
+    const rule = await req.getRoutingRule();
+    if (rule.to && rule.to.interfaceName) {
+      const permissionName = genPermissionName(rule.to.interfaceName);
+      const teamDid = req.getBlockletDid();
+      const rbac = await node.getRBAC(teamDid);
+
+      if (await rbac.can(req.user.role, ...permissionName.split('_'))) {
+        return {};
+      }
+
+      return { blocked: true, authenticated: true, authorized: false };
+    }
+
+    return {};
+  };
+
+  initStates(opts.dataDir);
+
+  initNotification(node, httpRouter, wsRouter, opts);
+
+  const { login, verify } = initJwt(node, opts);
+  const { authenticator, handlers } = initAuth(node, opts);
+
+  // auth middleware for http request
+  serviceHttpRouter.use(
+    bearerToken({
+      queryKey: opts.loginTokenKey,
+      bodyKey: opts.loginTokenKey,
+      headerKey: 'Bearer',
+      cookie: {
+        signed: true,
+        secret: opts.sessionSecret,
+        key: opts.loginTokenKey,
+      },
+    })
+  );
+
+  // set user info to req.user
+  serviceHttpRouter.use(async (req, res, next) => {
+    const { token } = req;
+    await ensureUser({ req, token });
+    next();
+  });
+
+  // set user info to req.headers
+  serviceHttpRouter.use(async (req, res, next) => {
+    setUserInfoHeaders(req);
+    next();
+  });
+
+  // public did-auth api
+  handlers.attach(Object.assign({ app: serviceHttpRouter }, createLoginRoutes(node, authenticator, login, opts)));
+  handlers.attach(Object.assign({ app: serviceHttpRouter }, createInviteRoutes(node, authenticator, login, opts)));
+  handlers.attach(Object.assign({ app: serviceHttpRouter }, createIssuePassportAuth(node, authenticator, login, opts)));
+  handlers.attach(
+    Object.assign({ app: serviceHttpRouter }, createLostPassportListAuth(node, authenticator, login, opts))
+  );
+  handlers.attach(
+    Object.assign({ app: serviceHttpRouter }, createLostPassportIssueAuth(node, authenticator, login, opts))
+  );
+
+  // public page
+  [`${WELLKNOWN_AUTH_PATH_PREFIX}/issue-passport`, `${WELLKNOWN_AUTH_PATH_PREFIX}/lost-passport`].forEach((x) => {
+    serviceHttpRouter.get(x, (req, res) => {
+      res.sendFile(path.join(distDir, 'index.html'));
+    });
+  });
+
+  // public http api
+  createEnvRoutes.init(httpRouter, node, opts);
+  createBlockletRoutes.init(httpRouter, node, opts);
+  createPassportRoutes.init(httpRouter, node, opts);
+
+  // check blocklet running
+  // Request would not arrive here before blocklet is installed, because there is no config in router provider(nginx)
+  serviceHttpRouter.use(async (req, res, next) => {
+    const blocklet = await req.getBlocklet();
+    if (
+      ![
+        BlockletStatus.running,
+        // Waiting, Downloading should be allowed because blocklet is currently being upgrading
+        BlockletStatus.waiting,
+        BlockletStatus.downloading,
+      ].includes(blocklet.status)
+    ) {
+      const nodeInfo = await req.getNodeInfo();
+      res.status(500);
+      // return json if json has high priority, e.g. "*/*,application/json"
+      if (req.accepts(['html', 'json']) === 'json') {
+        res.json({ code: 'error', error: 'blocklet is not running' });
+      } else if (blocklet.status === BlockletStatus.starting) {
+        res.send(getBlockletMaintenanceTemplate(blocklet, nodeInfo));
+      } else {
+        res.send(getBlockletNotRunningTemplate(blocklet, nodeInfo));
+      }
+      return;
+    }
+
+    next();
+  });
+
+  // auth middleware for websocket connect
+  wsRouter.use('**', async (req, socket, head, next) => {
+    const { searchParams } = new URL(req.url, `http://${req.headers.host || 'unknown'}`);
+    const token = searchParams.get('token');
+
+    // ignore some dev path in dev mode
+    const blocklet = await req.getBlocklet();
+    const devUrls = ['/sockjs-node'];
+    const mode = get(blocklet, 'mode');
+    if (mode === BLOCKLET_MODES.DEVELOPMENT && devUrls.includes(req.url)) {
+      next();
+      return;
+    }
+
+    await ensureUser({ req, token });
+
+    setUserInfoHeaders(req);
+
+    const { blocked, authenticated, authorized } = await checkAuth({ req });
+    if (blocked) {
+      let message = '401 Unauthorized';
+      if (authenticated && !authorized) {
+        message = '403 Forbidden';
+      }
+      socket.write(`HTTP/1.1 ${message}\r\n\r\n`);
+      socket.destroy();
+      return;
+    }
+
+    next();
+  });
+
+  serviceHttpRouter.use(async (req, res, next) => {
+    const { blocked, authenticated, authorized } = await checkAuth({ req });
+
+    if (blocked) {
+      if (!authenticated) {
+        if (req.path !== '/') {
+          // redirect to root path for login
+          // redirect to target path after login
+          const baseUrl = getBaseUrl(req);
+          const redirect = encodeURIComponent(`${baseUrl.replace(/\/+$/, '')}/${req.url.replace(/^\/+/, '')}`);
+          res.redirect(`${baseUrl.replace(/\/+$/, '')}/?redirect=${redirect}`);
+        } else {
+          res.sendFile(path.join(distDir, 'index.html'));
+        }
+        return;
+      }
+
+      if (!authorized) {
+        res.status(403).json({ code: 'forbidden', error: 'not allowed' });
+        return;
+      }
+    }
+
+    next();
+  });
+
+  // Note: this api depends on the user decoding logic
+  createSessionRoutes.init(serviceHttpRouter, node, opts);
+
+  // Block /.service/@abtnode/auth-service/<invalid_path>
+  serviceHttpRouter.use((req, res, next) => {
+    if (req.path.startsWith(opts.prefix)) {
+      res.status(400).send('Bad request');
+      return;
+    }
+
+    next();
+  });
+};
+
+module.exports = {
+  name,
+  description,
+  version,
+  init,
+  validators,
+};

package/services/auth/libs/auth.js

@@ -0,0 +1,76 @@
+const path = require('path');
+const get = require('lodash/get');
+const joinUrl = require('url-join');
+const DiskStorage = require('@arcblock/did-auth-storage-nedb');
+const { WalletAuthenticator } = require('@arcblock/did-auth');
+const WalletHandlers = require('@blocklet/sdk/lib/wallet-handler');
+const sendNotification = require('@blocklet/sdk/lib/util/send-notification');
+
+const { getBlockletLogo } = require('../util');
+
+module.exports = (node, opts) => {
+  const authenticator = new WalletAuthenticator({
+    wallet: async ({ request }) => {
+      const { wallet } = await request.getBlockletInfo();
+      return wallet.toJSON();
+    },
+
+    appInfo: async ({ request, baseUrl }) => {
+      const groupPathPrefix = request.headers['x-group-path-prefix'] || '/';
+
+      const [blocklet, meta, info] = await Promise.all([
+        request.getBlocklet(),
+        request.getBlockletInfo(),
+        request.getNodeInfo(),
+      ]);
+
+      // logo
+      const logo = getBlockletLogo({ baseUrl: joinUrl(baseUrl, opts.prefix), blocklet, nodeInfo: info });
+
+      return {
+        name: meta.name,
+        description: meta.description || `Login to ${meta.name}`,
+        icon: logo,
+        updateSubEndpoint: true,
+        subscriptionEndpoint: joinUrl(groupPathPrefix, opts.prefix, 'websocket'),
+        nodeDid: info.did,
+      };
+    },
+
+    chainInfo: async ({ request } = {}) => {
+      if (!request || !request.getBlocklet) {
+        return { host: 'none', id: 'none' };
+      }
+
+      const blocklet = await request.getBlocklet();
+      const chainHost = get(blocklet, 'configObj.CHAIN_HOST');
+      return chainHost ? { host: chainHost, id: 'chain' } : { host: 'none', id: 'none' };
+    },
+  });
+
+  const handlers = new WalletHandlers({
+    authenticator,
+    options: {
+      prefix: `${opts.prefix}/api/did`,
+    },
+    tokenGenerator: () => Date.now().toString(),
+    tokenStorage: new DiskStorage({
+      dbPath: path.join(opts.dataDir, 'auth.db'),
+      dbPort: process.env.NODE_ENV === 'test' ? null : Number(process.env.NEDB_MULTI_PORT),
+    }),
+    sendNotificationFn: async (connectedDid, message, { req }) => {
+      const { wallet } = await req.getBlockletInfo();
+      const sender = {
+        appId: wallet.address,
+        appSk: wallet.secretKey,
+        did: req.getBlockletDid(),
+      };
+      return sendNotification(connectedDid, message, sender, process.env.ABT_NODE_SERVICE_PORT);
+    },
+  });
+
+  return {
+    authenticator,
+    handlers,
+  };
+};

package/services/auth/libs/jwt.js

@@ -0,0 +1,73 @@
+/* eslint-disable no-underscore-dangle */
+const jwt = require('jsonwebtoken');
+const { createAuthToken } = require('@abtnode/auth/lib/auth');
+const { isUserPassportRevoked } = require('@abtnode/auth/lib/passport');
+
+const getUser = async (node, teamDid, userDid) => {
+  const user = await node.getUser({ teamDid, user: { did: userDid } });
+  if (user && user.approved) {
+    return user;
+  }
+  return null;
+};
+
+// eslint-disable-next-line no-unused-vars
+const initJwt = (node, options) => {
+  const secret = options.sessionSecret;
+  const ttl = options.sessionTtl || '1d';
+
+  if (!secret) {
+    throw new Error('Auth service require a non-empty session secret to start');
+  }
+
+  const login = async (did, { role, passport }) =>
+    createAuthToken({
+      did,
+      passport,
+      role,
+      secret,
+      expiresIn: ttl,
+    });
+
+  const verify = (token, teamDid) =>
+    // eslint-disable-next-line implicit-arrow-linebreak
+    new Promise((resolve, reject) => {
+      jwt.verify(token, secret, async (err, decoded) => {
+        if (err) {
+          return reject(err);
+        }
+
+        const { did, role, passport } = decoded;
+        if (!did) {
+          return reject(new Error('Invalid jwt token: invalid did'));
+        }
+
+        const user = await getUser(node, teamDid, did);
+        if (!user) {
+          return reject(new Error('Invalid jwt token: invalid user'));
+        }
+
+        if (passport && passport.id && isUserPassportRevoked(user, passport)) {
+          return reject(new Error(`Passport ${passport.name} has been revoked`));
+        }
+
+        user.role = role;
+
+        // backward compatible
+        if (!role && passport && !passport.id) {
+          user.role = passport.name;
+        }
+
+        return resolve(user);
+      });
+    });
+
+  return {
+    login,
+    verify,
+  };
+};
+
+initJwt.getUser = getUser;
+
+module.exports = initJwt;

package/services/auth/meta.json

@@ -0,0 +1,61 @@
+{
+  "name": "@abtnode/auth-service",
+  "description": "Neat and easy to use user authentication and authorization service for blocklets",
+  "version": "1.0.0",
+  "schema": {
+    "JSONSchema": {
+      "title": "Config Auth Service",
+      "description": "Customize how Auth Service works",
+      "type": "object",
+      "required": ["profileFields", "webWalletUrl"],
+      "properties": {
+        "invitedUserOnly": {
+          "type": "string",
+          "title": "Only invited users are allowed to login",
+          "enum": ["yes", "no", "not-first"],
+          "default": "no"
+        },
+        "profileFields": {
+          "type": "array",
+          "title": "What info do you want user to provide when login?",
+          "items": {
+            "type": "string",
+            "enum": ["fullName", "email", "avatar", "phone"]
+          },
+          "default": ["fullName", "email", "avatar"],
+          "uniqueItems": true
+        },
+        "webWalletUrl": {
+          "type": "string",
+          "title": "The URL of your preferred web wallet instance",
+          "pattern": "^https?://",
+          "default": "https://web.abtwallet.io"
+        },
+        "ignoreUrls": {
+          "type": "array",
+          "title": "Which URLs do not need to be protected. e.g: /public/**",
+          "items": {
+            "type": "string",
+            "minLength": 1
+          },
+          "default": []
+        },
+        "blockUnauthenticated": {
+          "type": "boolean",
+          "title": "Do you want Auth Service block unauthenticated requests for you?",
+          "default": true
+        },
+        "blockUnauthorized": {
+          "type": "boolean",
+          "title": "Do you want Auth Service block unauthorized requests for you?",
+          "default": false
+        }
+      }
+    },
+    "UISchema": {
+      "profileFields": {
+        "ui:widget": "checkboxes"
+      }
+    }
+  }
+}

package/services/auth/routes/blocklet-info.js

@@ -0,0 +1,33 @@
+/* eslint-disable no-console */
+const fs = require('fs');
+const path = require('path');
+const get = require('lodash/get');
+const logger = require('@abtnode/logger')(require('../meta.json').name);
+
+module.exports = {
+  init(server, node, opts) {
+    server.get(`${opts.prefix}/blocklet/logo/:did`, async (req, res) => {
+      const staticDir = path.resolve(__dirname, './build');
+      const sendOptions = { maxAge: '1d' };
+
+      let blocklet = null;
+      try {
+        blocklet = await node.ensureBlockletIntegrity(req.params.did);
+
+        if (blocklet && get(blocklet, 'env.appDir') && blocklet.meta.logo) {
+          const logoFile = path.join(get(blocklet, 'env.appDir'), blocklet.meta.logo);
+
+          if (fs.existsSync(logoFile)) {
+            res.sendFile(logoFile, sendOptions);
+            return;
+          }
+        }
+
+        res.sendFile('/images/blocklet.png', { root: staticDir, ...sendOptions });
+      } catch (err) {
+        logger.error('failed to send blocklet logo', { did: req.params.did, error: err });
+        res.sendFile('/images/blocklet.png', { root: staticDir, ...sendOptions });
+      }
+    });
+  },
+};

package/services/auth/routes/env.js

@@ -0,0 +1,33 @@
+const { WELLKNOWN_AUTH_PATH_PREFIX } = require('@abtnode/constant');
+
+module.exports = {
+  init(server, node, opts) {
+    server.get(`**${opts.prefix}/api/env`, async (req, res) => {
+      res.type('js');
+
+      const [blocklet, config, info] = await Promise.all([
+        req.getBlockletInfo(),
+        req.getServiceConfig(opts.name),
+        req.getNodeInfo(),
+      ]);
+      let pathPrefix = req.headers['x-path-prefix'] || '/';
+      let groupPathPrefix = req.headers['x-group-path-prefix'];
+
+      // fix pathPrefix && groupPathPrefix
+      // FIXME: pathPrefix and groupPathPrefix should be correct in service gateway
+      pathPrefix = pathPrefix.replace(WELLKNOWN_AUTH_PATH_PREFIX, '') || '/';
+      if (groupPathPrefix) {
+        groupPathPrefix = groupPathPrefix.replace(WELLKNOWN_AUTH_PATH_PREFIX, '') || '/';
+      }
+
+      res.send(`window.env = {
+  appId: "${blocklet.did}",
+  appName: "${blocklet.name}",
+  pathPrefix: "${pathPrefix}",
+  apiPrefix: "${pathPrefix.replace(/\/+$/, '')}${opts.prefix}",
+  ${groupPathPrefix ? `groupPathPrefix: "${groupPathPrefix}",` : ''}
+  webWalletUrl: "${info.webWalletUrl || config.webWalletUrl || opts.webWalletUrl}",
+}`);
+    });
+  },
+};

package/services/auth/routes/invite.js

@@ -0,0 +1,80 @@
+const get = require('lodash/get');
+const joinUrl = require('url-join');
+const {
+  createInvitationRequest,
+  handleInvitationResponse,
+  messages,
+  checkWalletVersion,
+  beforeInvitationRequest,
+} = require('@abtnode/auth/lib/auth');
+const logger = require('@abtnode/logger')(require('../meta.json').name);
+
+module.exports = function createRoutes(node, authenticator, login, opts) {
+  return {
+    action: 'invite',
+
+    onStart: async ({ extraParams, req }) => {
+      const { locale = 'en', inviteId } = extraParams;
+      const teamDid = req.headers['x-blocklet-did'];
+
+      await beforeInvitationRequest({ node, teamDid, locale, inviteId });
+    },
+
+    claims: {
+      profile: async ({ extraParams, context }) => {
+        const { locale } = extraParams;
+
+        const config = await context.request.getServiceConfig();
+        const profileFields = get(config, 'profileFields');
+
+        return {
+          fields: profileFields || ['fullName', 'avatar'],
+          description: messages.description[locale],
+        };
+      },
+
+      signature: async ({ extraParams, context: { request, abtwallet } }) => {
+        const { locale, inviteId } = extraParams;
+        checkWalletVersion({ abtwallet, locale });
+        const nodeInfo = await request.getNodeInfo();
+        const teamDid = request.headers['x-blocklet-did'];
+
+        return createInvitationRequest({
+          node,
+          nodeInfo,
+          teamDid,
+          inviteId,
+          locale,
+        });
+      },
+    },
+
+    onAuth: async ({ claims, userDid, userPk, token, storage, extraParams, req, baseUrl }) => {
+      const { locale, inviteId } = extraParams;
+      const nodeInfo = await req.getNodeInfo();
+      const teamDid = req.headers['x-blocklet-did'];
+      const statusEndpointBaseUrl = joinUrl(baseUrl, opts.prefix);
+      const endpoint = baseUrl;
+
+      const { passport, response, role } = await handleInvitationResponse({
+        node,
+        nodeInfo,
+        teamDid,
+        userDid,
+        userPk,
+        inviteId,
+        locale,
+        claims,
+        statusEndpointBaseUrl,
+        endpoint,
+      });
+
+      // Generate new session token that client can save to localStorage
+      const loginToken = await login(userDid, { passport, role });
+      await storage.update(token, { did: userDid, loginToken });
+      logger.info('login.success', { userDid });
+
+      return response;
+    },
+  };
+};