@abtnode/blocklet-services 1.6.23

package/services/auth/routes/issue-passport.js

@@ -0,0 +1,58 @@
+const joinUrl = require('url-join');
+const {
+  createIssuePassportRequest,
+  handleIssuePassportResponse,
+  checkWalletVersion,
+  beforeIssuePassportRequest,
+} = require('@abtnode/auth/lib/auth');
+
+module.exports = function createRoutes(node, authenticator, login, opts) {
+  return {
+    action: 'issue-passport',
+
+    onStart: async ({ extraParams, req }) => {
+      const { locale = 'en', id } = extraParams;
+      const teamDid = req.headers['x-blocklet-did'];
+
+      await beforeIssuePassportRequest({ node, teamDid, locale, id });
+    },
+
+    claims: {
+      signature: async ({ extraParams, context: { request, abtwallet } }) => {
+        const { id, locale } = extraParams;
+        checkWalletVersion({ abtwallet, locale });
+        const nodeInfo = await node.getNodeInfo();
+        const teamDid = request.headers['x-blocklet-did'];
+
+        return createIssuePassportRequest({
+          node,
+          nodeInfo,
+          teamDid,
+          id,
+          locale,
+        });
+      },
+    },
+
+    onAuth: async ({ userDid, userPk, claims, extraParams, req, baseUrl }) => {
+      const { locale, id } = extraParams;
+      const nodeInfo = await node.getNodeInfo();
+      const teamDid = req.headers['x-blocklet-did'];
+      const statusEndpointBaseUrl = joinUrl(baseUrl, opts.prefix);
+      const endpoint = baseUrl;
+
+      return handleIssuePassportResponse({
+        node,
+        nodeInfo,
+        teamDid,
+        userDid,
+        userPk,
+        id,
+        locale,
+        claims,
+        statusEndpointBaseUrl,
+        endpoint,
+      });
+    },
+  };
+};

package/services/auth/routes/login.js

@@ -0,0 +1,230 @@
+/* eslint-disable arrow-parens */
+const get = require('lodash/get');
+const joinUrl = require('url-join');
+const {
+  messages,
+  getVCFromClaims,
+  checkWalletVersion,
+  getUser,
+  getPassportStatusEndpoint,
+  validatePassportStatus,
+} = require('@abtnode/auth/lib/auth');
+const { ROLES, VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT } = require('@abtnode/constant');
+const {
+  createPassportVC,
+  createPassport,
+  validatePassport,
+  isUserPassportRevoked,
+  upsertToPassports,
+  getRoleFromLocalPassport,
+  getRoleFromExternalPassport,
+  createUserPassport,
+} = require('@abtnode/auth/lib/passport');
+const logger = require('@abtnode/logger')(require('../meta.json').name);
+
+const vcTypes = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
+
+/**
+ * @returns {Array} config
+ * @returns {Boolean} config[0] is invited user only
+ * @returns {String} config[1] default role
+ * @returns {Boolean} config[2] issue passport
+ */
+const isInvitedUserOnly = async (invitedUserOnly, node, teamDid) => {
+  const count = await node.getUsersCount({ teamDid });
+  if (invitedUserOnly === 'not-first') {
+    return count > 0 ? [true] : [false, ROLES.OWNER, true];
+  }
+
+  if (invitedUserOnly === true || invitedUserOnly === 'yes') {
+    return [true];
+  }
+
+  return [false, ROLES.GUEST];
+};
+
+module.exports = function createRoutes(node, authenticator, login, opts) {
+  return {
+    action: 'login',
+    claims: {
+      profile: async ({ extraParams, context }) => {
+        const { locale } = extraParams;
+
+        const config = await context.request.getServiceConfig();
+        const profileFields = get(config, 'profileFields');
+
+        return {
+          fields: profileFields || ['fullName', 'avatar'],
+          description: messages.description[locale],
+        };
+      },
+
+      verifiableCredential: async ({ context, extraParams: { locale } }) => {
+        const { request, abtwallet } = context;
+        const { wallet, did: teamDid } = await request.getBlockletInfo();
+
+        checkWalletVersion({ abtwallet, locale });
+
+        const blocklet = await request.getBlocklet();
+        const trustedPassports = (blocklet.trustedPassports || []).map((x) => x.issuerDid);
+        const trustedIssuers = [wallet.address, ...trustedPassports].filter(Boolean);
+
+        const config = (await request.getServiceConfig()) || {};
+        const [invitedUserOnly] = await isInvitedUserOnly(config.invitedUserOnly, node, teamDid);
+
+        return {
+          description: messages.requestPassport[locale],
+          item: vcTypes,
+          trustedIssuers,
+          optional: !invitedUserOnly,
+        };
+      },
+    },
+
+    // eslint-disable-next-line consistent-return
+    onAuth: async ({ claims, challenge, userDid, userPk, token, storage, extraParams, req, baseUrl }) => {
+      const { locale } = extraParams;
+      const blocklet = await req.getBlocklet();
+      const { wallet, name, passportColor, did: teamDid } = await req.getBlockletInfo();
+      const teamAppDid = wallet.address;
+
+      // check user approved
+      const user = await getUser(node, teamDid, userDid);
+      if (user && !user.approved) {
+        throw new Error(messages.notAllowed[locale]);
+      }
+
+      // Get passport
+      const trustedPassports = (blocklet.trustedPassports || []).map((x) => x.issuerDid);
+      const trustedIssuers = [teamAppDid, ...trustedPassports].filter(Boolean);
+      let { vc } = await getVCFromClaims({
+        claims,
+        challenge,
+        trustedIssuers,
+        vcTypes,
+        locale,
+      });
+
+      const config = (await req.getServiceConfig()) || {};
+      const [invitedUserOnly, defaultRole, issuePassport] = await isInvitedUserOnly(
+        config.invitedUserOnly,
+        node,
+        teamDid
+      );
+
+      if (invitedUserOnly && !vc) {
+        throw new Error(messages.missingCredentialClaim[locale]);
+      }
+
+      // issue passport for the first login user in a invite-only team
+      if (issuePassport) {
+        logger.info('issue passport to user at the login workflow', { role: defaultRole });
+        vc = createPassportVC({
+          issuerName: name,
+          issuerWallet: wallet,
+          ownerDid: userDid,
+          passport: await createPassport({
+            name: defaultRole,
+            node,
+            teamDid,
+            locale,
+            endpoint: baseUrl,
+          }),
+          endpoint: getPassportStatusEndpoint({
+            baseUrl: joinUrl(baseUrl, opts.prefix),
+            userDid,
+            teamDid,
+          }),
+          ownerProfile: user,
+          preferredColor: passportColor,
+        });
+      }
+
+      // Get user passport from vc
+      let passport = vc ? createUserPassport(vc) : null;
+      if (user && passport && isUserPassportRevoked(user, passport)) {
+        throw new Error(messages.passportRevoked[locale](name));
+      }
+
+      // Get role
+      let role = ROLES.GUEST;
+      if (vc) {
+        await validatePassport(get(vc, 'credentialSubject.passport'));
+        const issuerId = get(vc, 'issuer.id');
+        if (issuerId === teamAppDid) {
+          role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
+        } else {
+          // map external passport to local role
+          const { mappings = [] } = (blocklet.trustedPassports || []).find((x) => x.issuerDid === issuerId) || {};
+          role = await getRoleFromExternalPassport({
+            passport: get(vc, 'credentialSubject.passport'),
+            node,
+            teamDid,
+            locale,
+            mappings,
+          });
+
+          // check status of external passport if passport has an endpoint
+          const endpoint = get(vc, 'credentialStatus.id');
+          if (endpoint) {
+            await validatePassportStatus({ vcId: vc.id, endpoint, locale });
+          }
+        }
+      }
+
+      // Recreate passport with correct role
+      passport = vc ? createUserPassport(vc, { role }) : null;
+
+      // Update profile
+      try {
+        const profile = claims.find((x) => x.type === 'profile');
+        if (user) {
+          // Update user
+          await node.updateUser({
+            teamDid,
+            user: {
+              ...profile,
+              did: userDid,
+              pk: userPk,
+              locale,
+              passports: upsertToPassports(user.passports || [], passport),
+              lastLoginAt: new Date().toISOString(),
+            },
+          });
+        } else {
+          // Create user
+          await node.addUser({
+            teamDid,
+            user: {
+              ...profile,
+              did: userDid,
+              pk: userPk,
+              approved: true,
+              locale,
+              passports: [passport].filter(Boolean),
+              firstLoginAt: new Date().toISOString(),
+              lastLoginAt: new Date().toISOString(),
+            },
+          });
+        }
+
+        // Generate new session token that client can save to localStorage
+        const loginToken = await login(userDid, { passport, role });
+        await storage.update(token, { did: userDid, loginToken });
+        logger.info('login.success', { userDid, role });
+
+        // issue passport for the first login user in a invite-only team
+        if (issuePassport) {
+          return {
+            disposition: 'attachment',
+            type: 'VerifiableCredential',
+            data: vc,
+          };
+        }
+      } catch (err) {
+        logger.error('login.error', { error: err, userDid });
+        throw new Error(err.message);
+      }
+    },
+  };
+};

package/services/auth/routes/lost-passport-issue.js

@@ -0,0 +1,5 @@
+const { createLostPassportIssueRoute, TEAM_TYPES } = require('@abtnode/auth/lib/lost-passport');
+
+module.exports = function createRoutes(node, authenticator, login, opts) {
+  return createLostPassportIssueRoute({ node, type: TEAM_TYPES.BLOCKLET, authServicePrefix: opts.prefix });
+};

package/services/auth/routes/lost-passport-list.js

@@ -0,0 +1,6 @@
+const { createLostPassportListRoute } = require('@abtnode/auth/lib/lost-passport');
+
+// eslint-disable-next-line no-unused-vars
+module.exports = function createRoutes(node, authenticator, login, opts) {
+  return createLostPassportListRoute({ node, type: 'blocklet' });
+};

package/services/auth/routes/notification.js

@@ -0,0 +1,257 @@
+/* eslint-disable arrow-parens */
+const JWT = require('@arcblock/jwt');
+const { WsServer } = require('@arcblock/ws');
+const uuid = require('uuid');
+const Cron = require('@abtnode/cron');
+const {
+  validateNotification,
+  validateReceiver,
+  validateMessage,
+} = require('@blocklet/sdk/lib/validators/notification');
+// eslint-disable-next-line global-require
+const logger = require('@abtnode/logger')(`${require('../meta.json').name}:notification`);
+const { getTeamInfo } = require('@abtnode/auth/lib/auth');
+const { NODE_MODES } = require('@abtnode/constant');
+
+const states = require('../state');
+const { getBlockletLogo } = require('../util');
+
+const getDid = (jwt) => jwt.iss.replace(/^did:abt:/, '');
+
+const authenticate = (req, cb) => {
+  const { searchParams } = new URL(req.url, `http://${req.headers.host || 'unknown'}`);
+  const token = searchParams.get('token');
+  const pk = searchParams.get('pk');
+
+  if (!token) {
+    cb(new Error('token not found'), null);
+    return;
+  }
+
+  if (!JWT.verify(token, pk)) {
+    cb(new Error('token verify failed'));
+    return;
+  }
+
+  cb(null, { did: getDid(JWT.decode(token)) });
+};
+
+/**
+ *
+ * @param {ABTNode} node
+ * @param {Object} payload
+ *   {Object} sender: blocklet
+ *     {String} sender.did: blocklet did
+ *     {String} sender.token: for the verification
+ *   {Array|String} receiver: user did
+ *   {Array|Object} notification
+ * @returns
+ */
+const onSendToUser = async (node, payload, wsServer) => {
+  const { sender, receiver, notification } = payload;
+
+  await validateReceiver(receiver);
+
+  const nodeInfo = await node.getNodeInfo();
+
+  if (nodeInfo.mode !== NODE_MODES.DEBUG) {
+    await validateNotification(notification);
+  }
+
+  let senderInfo;
+  try {
+    senderInfo = await getTeamInfo({ node, nodeInfo, teamDid: sender.did });
+  } catch (err) {
+    if (err.message === 'Blocklet state must be an object') {
+      err.message = `Sender blocklet does not exist: ${sender.did}`;
+    }
+    throw err;
+  }
+
+  const { wallet, name, type: senderType } = senderInfo;
+  if (!JWT.verify(sender.token, wallet.publicKey)) {
+    throw new Error(`Invalid authentication token for sender blocklet: ${sender.did}`);
+  }
+
+  if (sender.appDid !== wallet.address) {
+    throw new Error(`Invalid app did, expected: ${wallet.address}, actual: ${sender.appDid}`);
+  }
+
+  let blocklet;
+  if (senderType === 'blocklet') {
+    blocklet = await node.getBlocklet({ did: sender.did, attachRuntimeInfo: false });
+  }
+
+  // parse notifications
+
+  const notifications = [].concat(notification);
+
+  notifications.forEach((x) => {
+    x.id = uuid.v4();
+    x.sender = {
+      did: sender.appDid,
+      name,
+      icon: senderType === 'blocklet' ? getBlockletLogo({ blocklet }) : null, // deprecated: did wallet will find icon locally by sender appDid
+    };
+    x.createdAt = new Date();
+  });
+
+  // parse receivers
+
+  const receivers = [].concat(receiver);
+
+  // send notification
+
+  const EVENT_NAME = 'message';
+  const createTask = async (did, data) => {
+    try {
+      await new Promise((resolve, reject) => {
+        try {
+          wsServer.broadcast(did, EVENT_NAME, data, ({ count } = {}) => {
+            if (count <= 0) {
+              logger.info('Online client for the user was not found', { userDid: did });
+              reject(new Error('Online client for the user was not found'));
+            } else {
+              resolve();
+            }
+          });
+        } catch (error) {
+          logger.error('Failed on broadcast message', { error });
+          reject(error);
+        }
+      });
+    } catch {
+      // failed on broadcast or online client not found
+      await states.message.insert({ did, event: EVENT_NAME, data });
+    }
+  };
+
+  const tasks = [];
+  receivers.forEach((did) => {
+    notifications.forEach((data) => {
+      tasks.push(createTask(did, data));
+    });
+  });
+
+  // FIXME: Enhance task reliability. e.g. resend after timeout or error; add message status: sent, received, staged
+  await Promise.allSettled(tasks);
+};
+
+const verify = async ({ topic, payload }) => {
+  const did = getDid(JWT.decode(payload.token));
+
+  // Support the web wallet to continue to run for one day
+  //
+  // if abtnode is restarted when there is a wallet wallet connection
+  // then the web wallet will auto reconnect to the abtnode and auto rejoin the channels
+  // the web wallet will reuse the JWT token when rejoin channel
+  // so we need to support token is valid for one day
+  const tolerance = 3600 * 24;
+
+  if (!JWT.verify(payload.token, payload.pk, { tolerance })) {
+    throw new Error(`verify did failed: ${did}`);
+  }
+
+  if (did !== topic) {
+    throw new Error(`verified did and topic does not match. did: ${did}, topic: ${topic}`);
+  }
+
+  if (payload.message) {
+    await validateMessage(payload.message);
+  }
+};
+
+const receiveMessage = async ({ topic, event, payload, wsServer, node }) => {
+  if (event !== 'message') {
+    throw new Error(`Invalid event. expect: "message". got: "${event}"`);
+  }
+
+  await validateMessage(payload);
+
+  const { receiver, ...data } = payload;
+
+  // FIXME: use node.getBlocklet() when support index by appID
+  const blocklet = await node.getBlocklet({ did: receiver.did, attachConfig: false });
+  if (!blocklet) {
+    throw new Error('App is not installed in the server');
+  }
+
+  logger.info('send message to blocklet', { sender: topic, receiver });
+  wsServer.broadcast(payload.receiver.did, 'message', {
+    ...data,
+    sender: {
+      did: topic,
+    },
+  });
+};
+
+const sendCachedMessages = async (wsServer, payload) => {
+  try {
+    const did = getDid(JWT.decode(payload.token));
+
+    const messages = await states.message.find({ did });
+    if (!messages.length) {
+      return;
+    }
+
+    messages.forEach(({ did: d, event, data }) => {
+      wsServer.broadcast(d, event, data);
+    });
+
+    await states.message.remove({ did }, { multi: true });
+  } catch (error) {
+    logger.error('Error on sending cached messages', { error });
+  }
+};
+
+const init = (node, httpRouter, wsRouter, opts) => {
+  // Create ws server
+  const wsServer = new WsServer({
+    logger,
+    authenticate,
+    hooks: {
+      preJoinChannel: (param) => verify({ ...param, wsServer, node }),
+      postJoinChannel: async ({ topic, payload }) => {
+        logger.info('Subscribe notification success', { account: topic });
+        await sendCachedMessages(wsServer, payload);
+        if (payload.message) {
+          await receiveMessage({ topic, event: 'message', payload: payload.message, wsServer, node });
+        }
+      },
+      receiveMessage: (param) => receiveMessage({ ...param, wsServer, node }),
+    },
+  });
+
+  // Let first worker process do something as master
+  if (process.env.NODE_APP_INSTANCE === '0') {
+    // cron
+    Cron.init({
+      jobs: [
+        {
+          name: 'prune messages',
+          time: '0 0 0 * * 1', // every Monday per week
+          fn: () => states.message.prune(),
+        },
+      ],
+      onError: (error, name) => {
+        logger.error('Run job failed', { name, error });
+      },
+    });
+  }
+
+  // mount
+  wsRouter.use(`${opts.prefix}/websocket`, wsServer.onConnect.bind(wsServer));
+
+  httpRouter.post(`${opts.prefix}/api/sendToUser`, async (req, res) => {
+    try {
+      await onSendToUser(node, req.body.data, wsServer);
+      res.status(200).send('');
+    } catch (error) {
+      logger.error('Send message to user failed', { error });
+      res.statusMessage = error.message;
+      res.status(400).send(error.message);
+    }
+  });
+};
+
+module.exports = { init };

package/services/auth/routes/passport.js

@@ -0,0 +1,18 @@
+const { getPassportStatus } = require('@abtnode/auth/lib/auth');
+
+module.exports = {
+  init(server, node, opts) {
+    server.get(`${opts.prefix}/api/passport/status`, async (req, res) => {
+      const { vcId, userDid, locale } = req.query;
+      const teamDid = req.headers['x-blocklet-did'];
+
+      if (teamDid !== req.query.teamDid) {
+        throw new Error('teamDid is invalid');
+      }
+
+      const status = await getPassportStatus({ node, teamDid, userDid, vcId, locale });
+
+      res.json(status);
+    });
+  },
+};

package/services/auth/routes/session.js

@@ -0,0 +1,27 @@
+const nocache = require('nocache');
+
+module.exports = {
+  init(server, node, opts) {
+    const prefix = `${opts.prefix}/api/did/session`;
+
+    const handler = async (req, res) => {
+      if (!req.user) {
+        res.json({ user: null });
+        return;
+      }
+
+      const user = { ...req.user };
+      if (user.role) {
+        const teamDid = req.getBlockletDid();
+        // FIXME: this code may have performance issue
+        const rbac = await node.getRBAC(teamDid);
+        user.permissions = await rbac.getScope(req.user.role);
+      }
+
+      res.json({ user });
+    };
+
+    server.get(prefix, nocache(), handler);
+    server.post(prefix, nocache(), handler);
+  },
+};

package/services/auth/state/index.js

@@ -0,0 +1,30 @@
+const BaseState = require('@abtnode/core/lib/states/base');
+const MessageState = require('./message');
+
+const states = {};
+
+// eslint-disable-next-line no-unused-vars
+const init = (dataDir, options = {}) => {
+  const messageState = new MessageState(dataDir);
+
+  Object.assign(states, {
+    message: messageState,
+  });
+};
+
+module.exports = new Proxy(
+  {},
+  {
+    get(target, prop) {
+      if (prop === 'init') {
+        return init;
+      }
+
+      if (states[prop] instanceof BaseState) {
+        return states[prop];
+      }
+
+      throw new Error(`State ${String(prop)} may not be initialized`);
+    },
+  }
+);

package/services/auth/state/message.js

@@ -0,0 +1,32 @@
+const BaseState = require('@abtnode/core/lib/states/base');
+const logger = require('@abtnode/logger')('auth-service:states:message');
+
+class MessageState extends BaseState {
+  constructor(baseDir, options = {}) {
+    super(baseDir, { filename: 'message.db', ...options });
+
+    this.db.ensureIndex({ fieldName: 'did' }, (error) => {
+      if (error) {
+        logger.error('ensure index failed', { error });
+      }
+    });
+  }
+
+  insert(doc, ...args) {
+    return super.insert(
+      {
+        ...doc,
+        created: Date.now(),
+        updated: Date.now(),
+      },
+      ...args
+    );
+  }
+
+  prune(time) {
+    const t = time || 30 * 24 * 60 * 60 * 1000; // 30 day
+    return this.remove({ created: { $lt: Date.now() - t } });
+  }
+}
+
+module.exports = MessageState;

package/services/auth/util/index.js

@@ -0,0 +1,35 @@
+const { BlockletSource } = require('@blocklet/meta/lib/constants');
+
+const getLogoFromLogoUrl = (blocklet) => {
+  try {
+    if (blocklet.source === BlockletSource.registry) {
+      return new URL(blocklet.meta.logoUrl, blocklet.deployedFrom).href;
+    }
+    return blocklet.meta.logoUrl || null;
+  } catch (error) {
+    return null;
+  }
+};
+
+const getBlockletLogo = ({ baseUrl, blocklet }) => {
+  if (!baseUrl) {
+    return getLogoFromLogoUrl(blocklet);
+  }
+
+  let logo = `${baseUrl}/images/blocklet.png`;
+  try {
+    if (blocklet.meta.logoUrl) {
+      logo = getLogoFromLogoUrl(blocklet);
+    } else if (blocklet.meta.logo) {
+      logo = `${baseUrl}/blocklet/logo/${blocklet.meta.did}`;
+    }
+  } catch (err) {
+    // Do nothing
+  }
+
+  return logo;
+};
+
+module.exports = {
+  getBlockletLogo,
+};