@abtnode/core 1.16.52-beta-20251002-030549-0f91dab2 → 1.16.52-beta-20251005-235515-42ad5caf

package/lib/api/team.js

@@ -8,7 +8,6 @@ const cloneDeep = require('@abtnode/util/lib/deep-clone');
 const { joinURL, withoutTrailingSlash } = require('ufo');
 const { Op } = require('sequelize');
 const dayjs = require('@abtnode/util/lib/dayjs');
-const Joi = require('joi');
 const logger = require('@abtnode/logger')('@abtnode/core:api:team');
 const {
   ROLES,
@@ -20,6 +19,7 @@ const {
   USER_AVATAR_URL_PREFIX,
   SESSION_TTL,
   EVENTS,
+  NOTIFICATION_SEND_CHANNEL,
 } = require('@abtnode/constant');
 const { isValid: isValidDid } = require('@arcblock/did');
 const { BlockletEvents, TeamEvents, BlockletInternalEvents } = require('@blocklet/constant');
@@ -49,6 +49,10 @@ const isUrl = require('is-url');
 const { PASSPORT_LOG_ACTION, PASSPORT_SOURCE, PASSPORT_ISSUE_ACTION } = require('@abtnode/constant');
 const ensureServerEndpoint = require('@abtnode/util/lib/ensure-server-endpoint');
 const { CustomError } = require('@blocklet/error');
+const { getEmailServiceProvider } = require('@abtnode/auth/lib/email');
+const md5 = require('@abtnode/util/lib/md5');
+const { sanitizeTag } = require('@abtnode/util/lib/sanitize');
+const { Joi } = require('@arcblock/validator');
 
 const { validateTrustedPassportIssuers } = require('../validators/trusted-passport');
 const { validateTrustedFactories } = require('../validators/trusted-factory');
@@ -60,6 +64,8 @@ const StoreUtil = require('../util/store');
 const { profileSchema } = require('../validators/user');
 const { passportDisplaySchema } = require('../validators/util');
 const { validateUserRolePassport } = require('../util/validate-user-role-passport');
+const { getOrgInviteLink, createOrgValidators, isOrgOwner, isAdmingPath } = require('../util/org');
+const { createOrgInputSchema, updateOrgInputSchema } = require('../validators/org');
 
 const sanitizeUrl = (url) => {
   if (!url) {
@@ -105,7 +111,7 @@ const sendPassportVcNotification = ({ userDid, appWallet: wallet, locale, vc, no
       ];
     }
 
-    sendToUser(receiver, message, sender, { channels: ['wallet'] }).catch((error) => {
+    sendToUser(receiver, message, sender, { channels: [NOTIFICATION_SEND_CHANNEL.WALLET] }).catch((error) => {
       logger.error('Failed send passport vc to wallet', { error });
     });
   } catch (error) {
@@ -374,23 +380,47 @@ class TeamAPI extends EventEmitter {
 
     if (moveTo) {
       const records = await taggingState.find({ tagId: tag.id });
+      const checkPairs = records.map((r) => ({ taggableId: r.taggableId, taggableType: r.taggableType }));
+      const existing = await taggingState.find({ tagId: moveTo, $or: checkPairs });
+
+      const existingSet = new Set(existing.map((e) => `${e.taggableId}:${e.taggableType}`));
+      const toUpdate = [];
+      const toDelete = [];
+
+      for (const record of records) {
+        const key = `${record.taggableId}:${record.taggableType}`;
+        if (existingSet.has(key)) {
+          toDelete.push(record);
+          logger.info('tag already at moveTo, will delete record', { teamDid, tag, record });
+        } else {
+          toUpdate.push(record);
+        }
+      }
 
-      await Promise.all(
-        records.map(async (record) => {
-          const found = await taggingState.findOne({
-            tagId: moveTo,
-            taggableId: record.taggableId,
-            taggableType: record.taggableType,
-          });
-          if (found) {
-            await taggingState.remove(record);
-            logger.info('tag already at moveTo, deleted record', { teamDid, tag, record });
-          } else {
-            await taggingState.update({ tagId: record.tagId }, { $set: { tagId: moveTo } });
-            logger.info('tag moved successfully', { teamDid, tag, record, moveTo });
-          }
-        })
-      );
+      if (toUpdate.length > 0) {
+        await Promise.all(
+          toUpdate.map((record) =>
+            taggingState
+              .update(
+                { tagId: record.tagId, taggableId: record.taggableId, taggableType: record.taggableType },
+                { $set: { tagId: moveTo } }
+              )
+              .then(() => {
+                logger.info('tag moved successfully', { teamDid, tag, record, moveTo });
+              })
+          )
+        );
+      }
+
+      if (toDelete.length > 0) {
+        await Promise.all(
+          toDelete.map((record) =>
+            taggingState.remove(record).then(() => {
+              logger.info('tagging deleted successfully', { teamDid, tag, record });
+            })
+          )
+        );
+      }
     }
 
     const doc = await state.remove({ id: tag.id });
@@ -440,6 +470,8 @@ class TeamAPI extends EventEmitter {
       logger.info('user updated successfully', { teamDid, userDid: user.did });
       this.emit(TeamEvents.userUpdated, { teamDid, user: doc });
     } else if (_action === 'add') {
+      this.crateDefaultOrgForUser({ teamDid, user });
+
       if (teamDid === nodeInfo.did && nodeInfo.nodeOwner && user.did !== nodeInfo.nodeOwner.did && notify) {
         await this.sendNewMemberNotification(this.teamManager, user, nodeInfo);
       }
@@ -603,7 +635,7 @@ class TeamAPI extends EventEmitter {
   async getUsersCountPerRole({ teamDid }) {
     const roles = await this.getRoles({ teamDid });
     const state = await this.getUserState(teamDid);
-    const names = ['$all', ...roles.map((x) => x.name), '$none', '$blocked'];
+    const names = ['$all', ...roles.filter((x) => !x.orgId).map((x) => x.name), '$none', '$blocked'];
     return Promise.all(
       names.map(async (name) => {
         const count = await state.countByPassport({ name, status: PASSPORT_STATUS.VALID });
@@ -1181,7 +1213,17 @@ class TeamAPI extends EventEmitter {
    * @returns
    */
   async createMemberInvitation(
-    { teamDid, role: roleName, expireTime, remark, sourceAppPid, display = null, passportExpireTime = null },
+    {
+      teamDid,
+      role: roleName,
+      expireTime,
+      remark,
+      sourceAppPid,
+      display = null,
+      passportExpireTime = null,
+      orgId = '', // 是否是邀请加入组织
+      inviteUserDids = [], // 邀请用户列表
+    },
     context
   ) {
     await this.teamManager.checkEnablePassportIssuance(teamDid);
@@ -1197,7 +1239,7 @@ class TeamAPI extends EventEmitter {
       throw new Error('Passport expire time must be greater than current time');
     }
 
-    const roles = await this.getRoles({ teamDid });
+    const roles = await this.getRoles({ teamDid, orgId });
     const role = roles.find((r) => r.name === roleName);
     if (!role) {
       throw new Error(`Role does not exist: ${roleName}`);
@@ -1213,7 +1255,8 @@ class TeamAPI extends EventEmitter {
       throw new Error('Inviter does not exist');
     }
 
-    if ((user?.role || '').startsWith('blocklet-')) {
+    // 如果邀请加入组织，则不验证 role 和 passport
+    if (!orgId && (user?.role || '').startsWith('blocklet-')) {
       const userInfo = await this.getUser({ teamDid, user });
       validateUserRolePassport({
         role: (user?.role || '').replace('blocklet-', ''),
@@ -1230,6 +1273,8 @@ class TeamAPI extends EventEmitter {
       expireDate,
       inviter: user,
       teamDid,
+      orgId,
+      inviteUserDids,
       sourceAppPid,
       display,
       passportExpireTime,
@@ -1272,14 +1317,32 @@ class TeamAPI extends EventEmitter {
       receiver: invitation.receiver,
       sourceAppPid: invitation.sourceAppPid || null,
       display: invitation.display || null,
+      orgId: invitation.orgId || null,
+      inviteUserDids: invitation.inviteUserDids || [],
       passportExpireTime: invitation.passportExpireTime || null,
     };
   }
 
-  async getInvitations({ teamDid, filter }) {
+  async getInvitations({ teamDid, filter, orgId = '' }, context = {}) {
     const state = await this.getSessionState(teamDid);
-
-    const invitations = await state.find({ type: 'invite' });
+    let invitations = [];
+    if (orgId) {
+      const org = await this.getOrg({ teamDid, id: orgId }, context);
+      const { user } = context;
+      if (!org) {
+        throw new CustomError(404, `Org does not exist: ${orgId}`);
+      }
+      if (org.ownerDid !== user?.did) {
+        throw new CustomError(403, `You are not the owner of the org: ${orgId}`);
+      }
+    }
+    const query = { type: 'invite' };
+    if (orgId) {
+      query['__data.orgId'] = orgId;
+    } else {
+      query.$or = [{ '__data.orgId': { $exists: false } }, { '__data.orgId': '' }];
+    }
+    invitations = await state.find(query);
 
     return invitations.filter(filter || ((x) => x.status !== 'success')).map((d) => ({
       // eslint-disable-next-line no-underscore-dangle
@@ -1293,6 +1356,8 @@ class TeamAPI extends EventEmitter {
       receiver: d.receiver,
       sourceAppPid: d.sourceAppPid || null,
       display: d.display || null,
+      orgId: d.orgId || null,
+      inviteUserDids: d.inviteUserDids || [],
       passportExpireTime: d.passportExpireTime || null,
     }));
   }
@@ -1328,7 +1393,9 @@ class TeamAPI extends EventEmitter {
     }
 
     const roles = await this.getRoles({ teamDid });
-    if (!roles.some((r) => r.name === role)) {
+    const orgRoles = await this.getRoles({ teamDid, orgId: invitation.orgId });
+    const allRoles = [...roles, ...orgRoles];
+    if (!allRoles.some((r) => r.name === role)) {
       throw new Error(`Role does not exist: ${role}`);
     }
 
@@ -1338,7 +1405,7 @@ class TeamAPI extends EventEmitter {
     };
   }
 
-  async closeInvitation({ teamDid, inviteId, status, receiver, timeout = 30 * 1000 }) {
+  async closeInvitation({ teamDid, inviteId, status, receiver, isOrgInvite, timeout = 30 * 1000 }) {
     const state = await this.getSessionState(teamDid);
 
     const invitation = await state.read(inviteId);
@@ -1346,17 +1413,30 @@ class TeamAPI extends EventEmitter {
     if (!invitation) {
       throw new Error(`The invitation does not exist: ${inviteId}`);
     }
+    let shouldRemoveInviteSession = false;
+    if (isOrgInvite && invitation?.inviteUserDids?.length > 0) {
+      const unReceiverUserDids = invitation.inviteUserDids.filter((did) => did !== receiver.did);
+      shouldRemoveInviteSession = unReceiverUserDids.length === 0;
+      await state.update(inviteId, {
+        receiver,
+        inviteUserDids: unReceiverUserDids,
+        ...(shouldRemoveInviteSession ? { status } : {}),
+      });
+    } else {
+      await state.update(inviteId, { status, receiver });
+      shouldRemoveInviteSession = true;
+    }
 
-    await state.update(inviteId, { status, receiver });
-
-    setTimeout(async () => {
-      try {
-        logger.info('Invitation session closed', { inviteId });
-        await state.end(inviteId);
-      } catch (error) {
-        logger.error('close invitation failed', { error });
-      }
-    }, timeout);
+    if (shouldRemoveInviteSession) {
+      setTimeout(async () => {
+        try {
+          logger.info('Invitation session closed', { inviteId });
+          await state.end(inviteId);
+        } catch (error) {
+          logger.error('close invitation failed', { error });
+        }
+      }, timeout);
+    }
   }
 
   // transfer
@@ -1704,8 +1784,8 @@ class TeamAPI extends EventEmitter {
 
   // Access Control
 
-  getRoles({ teamDid }) {
-    return this.teamManager.getRoles(teamDid);
+  getRoles({ teamDid, orgId }) {
+    return this.teamManager.getRoles(teamDid, orgId);
   }
 
   async getRole({ teamDid, role: { name } = {} }) {
@@ -1714,12 +1794,12 @@ class TeamAPI extends EventEmitter {
     }
     const rbac = await this.getRBAC(teamDid);
     const role = await rbac.getRole(name);
-    return role ? pick(role, ['name', 'grants', 'title', 'description', 'extra']) : null;
+    return role ? pick(role, ['name', 'grants', 'title', 'description', 'extra', 'orgId']) : null;
   }
 
-  async createRole({ teamDid, name, description, title, childName, permissions = [], extra: raw }) {
+  async createRole({ teamDid, name, description, title, childName, permissions = [], extra: raw, orgId }) {
     logger.info('create role', { teamDid, name, description, childName, permissions, raw });
-    const attrs = { name, title, description, childName, permissions };
+    const attrs = { name, title, description, childName, permissions, orgId };
 
     if (raw) {
       try {
@@ -1738,7 +1818,7 @@ class TeamAPI extends EventEmitter {
     let role;
     try {
       role = await rbac.createRole(attrs);
-      return pick(role, ['name', 'title', 'grants', 'description', 'extra']);
+      return pick(role, ['name', 'title', 'grants', 'description', 'extra', 'orgId']);
     } catch (err) {
       if (new RegExp(`Item ${name} already exists`).test(err.message)) {
         throw new Error(`Id ${name} already exists`);
@@ -1747,10 +1827,10 @@ class TeamAPI extends EventEmitter {
     }
   }
 
-  async updateRole({ teamDid, role: { name, title, description, extra: raw } = {} }) {
+  async updateRole({ teamDid, role: { name, title, description, extra: raw } = {}, orgId }) {
     logger.info('update role', { teamDid, name, title, description, raw });
 
-    const attrs = { name, title, description };
+    const attrs = { name, title, description, orgId };
 
     if (raw) {
       try {
@@ -1760,10 +1840,10 @@ class TeamAPI extends EventEmitter {
       }
     }
 
-    await validateUpdateRole(attrs);
+    await validateUpdateRole(pick(attrs, ['name', 'title', 'description', 'extra']));
     const rbac = await this.getRBAC(teamDid);
     const state = await rbac.updateRole(attrs);
-    return pick(state, ['name', 'title', 'grants', 'description', 'extra']);
+    return pick(state, ['name', 'title', 'grants', 'description', 'extra', 'orgId']);
   }
 
   async getPermissions({ teamDid }) {
@@ -2146,6 +2226,10 @@ class TeamAPI extends EventEmitter {
     return this.teamManager.getNotificationState(did);
   }
 
+  getOrgState(did) {
+    return this.teamManager.getOrgState(did);
+  }
+
   // =============
   // Just for test
   // =============
@@ -2703,6 +2787,454 @@ class TeamAPI extends EventEmitter {
     const { oauthClientState } = await this.teamManager.getOAuthState(teamDid);
     return oauthClientState.update(input, context);
   }
+
+  async getOrgs({ teamDid, ...payload }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      const { passports, orgs, ...rest } = await state.list(payload, context);
+      // 获取每个组织的 passports
+      const orgPassports = await Promise.all(orgs.map((o) => this.getRoles({ teamDid, orgId: o.id })));
+
+      orgs.forEach((o, index) => {
+        const roles = orgPassports[index]; // 获取每个组织的角色
+        // 过滤 passports
+        o.passports = passports.filter((p) => roles.some((r) => r.name === p.name));
+      });
+
+      return {
+        ...rest,
+        orgs,
+      };
+    } catch (err) {
+      logger.error('Failed to get orgs', { err, teamDid });
+      throw err;
+    }
+  }
+
+  async getOrg({ teamDid, id }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      return state.get({ id }, context);
+    } catch (err) {
+      logger.error('Failed to get org', { err, teamDid, id });
+      throw err;
+    }
+  }
+
+  async crateDefaultOrgForUser({ teamDid, user }) {
+    try {
+      // 创建失败不要影响主流程
+      await this.createOrg(
+        { teamDid, name: user.fullName, description: `this is a default org for ${user.fullName}` },
+        { user }
+      );
+    } catch (err) {
+      logger.error('Failed to create default org for user', { err, teamDid, user });
+    }
+  }
+
+  async createOrg({ teamDid, ...rest }, context) {
+    try {
+      // 1. 对输入进行转义
+      const sanitizedOrg = {
+        ...rest,
+        description: sanitizeTag(rest.description),
+        name: sanitizeTag(rest.name),
+      };
+
+      const { error } = createOrgInputSchema.validate(sanitizedOrg);
+      if (error) {
+        throw new CustomError(400, error.message);
+      }
+
+      const state = await this.getOrgState(teamDid);
+      const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
+      const orgCount = await state.getOrgCountByUser(context.user.did);
+
+      const { veriftMaxOrgPerUser } = createOrgValidators(blocklet);
+
+      veriftMaxOrgPerUser(orgCount); // 验证用户创建的 org 数量是否超过最大限制, 内部已经验证 org 是否开启
+
+      const result = await state.create({ ...sanitizedOrg }, context);
+
+      // 创建 org 的 owner passport, 并赋值给 owner
+      const roleName = md5(`${result.id}-owner`); // 避免 name 重复
+      await this.createRole({ teamDid, name: roleName, title: result.name, description: 'Owner', orgId: result.id });
+      await this.issuePassportToUser({
+        teamDid,
+        userDid: result.ownerDid,
+        role: roleName,
+        notification: {},
+      });
+
+      return result;
+    } catch (err) {
+      logger.error('Failed to create org', { err, teamDid });
+      throw err;
+    }
+  }
+
+  async updateOrg({ teamDid, org }, context) {
+    try {
+      const sanitizedOrg = {
+        ...org,
+        description: sanitizeTag(org.description),
+        name: sanitizeTag(org.name),
+      };
+
+      const { error } = updateOrgInputSchema.validate(sanitizedOrg);
+      if (error) {
+        throw new CustomError(400, error.message);
+      }
+
+      const state = await this.getOrgState(teamDid);
+      return state.updateOrg({ org: sanitizedOrg }, context);
+    } catch (err) {
+      logger.error('Failed to update org', { err, teamDid });
+      throw err;
+    }
+  }
+
+  async deleteOrg({ teamDid, id }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      // 要同时删除与 org 相关的 passport 和 邀请链接
+      const roles = await this.getRoles({ teamDid, orgId: id });
+      const result = await state.deleteOrg({ id }, context);
+      try {
+        await state.removeOrgRelatedData({ roles, orgId: id });
+      } catch (err) {
+        logger.error('Failed to remove org related data', { err, teamDid, roles, id });
+      }
+      return result;
+    } catch (err) {
+      logger.error('Failed to delete org', { err, teamDid, id });
+      throw err;
+    }
+  }
+
+  async addOrgMember({ teamDid, orgId, userDid }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      return state.addOrgMember({ orgId, userDid }, context);
+    } catch (err) {
+      logger.error('Add member to org failed', { err, teamDid, orgId, userDid });
+      throw err;
+    }
+  }
+
+  async updateOrgMember({ teamDid, orgId, userDid, status }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      return state.updateOrgMember({ orgId, userDid, status }, context);
+    } catch (err) {
+      logger.error('Update member in org failed', { err, teamDid, orgId, userDid, status });
+      throw err;
+    }
+  }
+
+  /**
+   * 发送邀请通知
+   * @param {*} param0
+   */
+  async sendInvitationNotification({
+    teamDid,
+    invitor,
+    org,
+    role,
+    successUserDids,
+    inviteLink,
+    email,
+    inviteType,
+    blocklet,
+  }) {
+    try {
+      const userInfo = await this.getUser({
+        teamDid,
+        user: { did: invitor.did },
+        options: { enableConnectedAccount: true },
+      });
+
+      // 检测是否开启了 email 服务
+      const provider = getEmailServiceProvider(blocklet);
+
+      const translate = {
+        en: {
+          title: 'Inviting you to join the organization',
+          description: `<${userInfo.fullName}(did:abt:${userInfo.did})> invites you to join the ${org.name} organization, role is ${role}.<br/>After accepting, you will be able to access the resources and collaboration content of the organization.<br/><br/>Please click the button below to handle the invitation.<br/><br/>If you don't want to join, you can ignore this notification.`,
+          accept: 'Accept',
+        },
+        zh: {
+          title: '邀请您加入组织',
+          description: `<${userInfo.fullName}(did:abt:${userInfo.did})> 邀请您加入 ${org.name} 组织，角色为 ${role}。<br/>接受后，你将能够访问该组织的资源和协作内容。<br/><br/>请点击下方按钮处理邀请。<br/><br/>如果你不想加入，可以忽略此通知。`,
+          accept: '接受',
+        },
+      };
+      const content = translate[userInfo.locale || 'en'] || translate.en;
+
+      const message = {
+        title: content.title,
+        body: content.description,
+        actions: [
+          {
+            name: content.accept,
+            title: content.accept,
+            link: inviteLink,
+          },
+        ],
+      };
+
+      if (inviteType === 'internal') {
+        await this.createNotification({
+          teamDid,
+          receiver: successUserDids,
+          entityId: teamDid,
+          source: 'system',
+          severity: 'info',
+          ...message,
+        });
+        logger.info('Invite notification sent successfully', {
+          teamDid,
+          orgId: org.id,
+          sentToUsers: successUserDids,
+          sentCount: successUserDids.length,
+        });
+      } else if (inviteType === 'external' && provider && email) {
+        // 当 service 开启 email 服务时才会发送邮件通知
+        const emailInputSchema = Joi.string().email().required();
+        const { error } = emailInputSchema.validate(email);
+        if (error) {
+          throw new CustomError(400, error.message);
+        }
+        const nodeInfo = await this.node.read();
+        const blockletInfo = getBlockletInfo(blocklet, nodeInfo.sk);
+        const sender = {
+          appDid: blockletInfo.wallet.address,
+          appSk: blockletInfo.wallet.secretKey,
+        };
+
+        await sendToUser(email, message, sender, undefined, 'send-to-mail');
+        logger.info('Send invitation notification to email completed', {
+          teamDid,
+          orgId: org.id,
+          email,
+        });
+      }
+    } catch (notificationErr) {
+      // 通知发送失败不影响邀请的成功，只记录警告
+      logger.warn('Failed to send invitation notification, but invitations were created successfully', {
+        notificationErr,
+        teamDid,
+        orgId: org.id,
+        successUserDids,
+      });
+    }
+  }
+
+  /**
+   * 邀请成员到组织
+   *  1. 批量添加成员到组织 - 记录添加成功和添加失败的用户 DID
+   *  2. 创建邀请链接，只创建添加成功的用户邀请链接
+   *  3. 发送邀请通知，只发送添加成功的用户邀请通知
+   * @param {*} param0
+   * @param {*} param0.inviteType 邀请类型，internal 内部邀请，external 外部邀请
+   * @param {*} context
+   * @returns 返回邀请成功的用户和失败的用户 did 列表
+   */
+  async inviteMembersToOrg({ teamDid, orgId, userDids, role, inviteType = 'internal', email }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      const { user } = context || {};
+      if (!user) {
+        throw new CustomError(400, 'User is required');
+      }
+      const org = await this.getOrg({ teamDid, id: orgId }, context);
+      if (!org) {
+        throw new CustomError(400, 'Org not found');
+      }
+
+      // dashboard 或者非 org owner 无法邀请成员
+      if (isAdmingPath(context) || !isOrgOwner(user, org)) {
+        throw new CustomError(403, "You cannot invite members to other users' org");
+      }
+
+      if (inviteType === 'internal' && userDids.length === 0) {
+        throw new CustomError(400, 'You must invite at least one user');
+      }
+
+      // Step 1: 批量添加成员到组织 - 记录添加成功和添加失败的用户 DID
+      const successUserDids = [];
+      const failedUserDids = [];
+
+      // 内部邀请
+      if (inviteType === 'internal') {
+        for (const userDid of userDids) {
+          try {
+            // eslint-disable-next-line no-await-in-loop
+            await state.addOrgMember({ orgId, userDid, status: 'inviting' }, context);
+            successUserDids.push(userDid);
+          } catch (addErr) {
+            failedUserDids.push(userDid);
+            logger.warn('Failed to add user to org', { userDid, orgId, error: addErr.message });
+          }
+        }
+
+        logger.info('Batch add members to org completed', {
+          teamDid,
+          orgId,
+          totalUsers: userDids.length,
+          successCount: successUserDids.length,
+          failedCount: failedUserDids.length,
+        });
+
+        // 如果没有成功添加的用户，直接返回结果
+        if (successUserDids.length === 0) {
+          logger.warn('No users were successfully added to org', { teamDid, orgId, failedUserDids });
+          throw new CustomError(500, 'No users were successfully added to org');
+        }
+      }
+
+      // Step 2: 创建邀请链接，只创建添加成功的用户邀请链接
+      const inviteInfo = await this.createMemberInvitation(
+        {
+          teamDid,
+          role,
+          expireTime: this.memberInvitationExpireTime,
+          orgId,
+          inviteUserDids: inviteType === 'internal' ? successUserDids : [],
+        },
+        context
+      );
+
+      const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
+      const inviteLink = getOrgInviteLink(inviteInfo, blocklet);
+
+      logger.info('Invite link created for successful users', {
+        teamDid,
+        orgId,
+        inviteId: inviteInfo.inviteId,
+        userCount: successUserDids.length,
+      });
+
+      // Step 3: 发送邀请通知，只发送添加成功的用户邀请通知
+
+      this.sendInvitationNotification({
+        teamDid,
+        invitor: user,
+        org,
+        role,
+        successUserDids,
+        email,
+        inviteType,
+        inviteLink,
+        blocklet,
+      });
+
+      // 返回成功和失败的用户列表
+      return {
+        successDids: successUserDids,
+        failedDids: failedUserDids,
+        inviteLink,
+      };
+    } catch (err) {
+      logger.error('Invite users to org failed', { err, teamDid, orgId, userDids, role });
+      throw err;
+    }
+  }
+
+  async removeOrgMember({ teamDid, orgId, userDid }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      const roles = await this.getRoles({ teamDid, orgId });
+      const result = await state.removeOrgMember({ orgId, userDid }, context);
+      try {
+        await state.removeOrgRelatedData({ roles, orgId, userDid });
+      } catch (err) {
+        logger.error('Failed to remove user related passports', { err, teamDid, roles, userDid });
+      }
+      return result;
+    } catch (err) {
+      logger.error('Remove member from org failed', { err, teamDid, orgId, userDid });
+      throw err;
+    }
+  }
+
+  async getOrgMembers({ teamDid, orgId, paging }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      const result = await state.getOrgMembers({ orgId, paging, options: { includePassport: true } }, context);
+      const info = await this.node.read();
+      const isServer = this.teamManager.isNodeTeam(teamDid);
+      const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
+      const baseUrl = blocklet.environmentObj.BLOCKLET_APP_URL;
+      const roles = await this.getRoles({ teamDid, orgId });
+      result.users.forEach((item) => {
+        if (item?.user?.avatar) {
+          item.user.avatar = getUserAvatarUrl(baseUrl, item.user.avatar, info, isServer);
+        }
+        if (item?.user?.passports?.length > 0) {
+          item.user.passports = item.user.passports.filter((passport) =>
+            roles.some((role) => role.name === passport.name)
+          );
+        }
+      });
+
+      return result;
+    } catch (err) {
+      logger.error('Get org members failed', { err, teamDid, orgId });
+      throw err;
+    }
+  }
+
+  async getOrgInvitableUsers({ teamDid, id, query, paging }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      return state.getOrgInvitableUsers({ id, query, paging }, context);
+    } catch (err) {
+      logger.error('Get org invitable users failed', { err, teamDid, id });
+      throw err;
+    }
+  }
+
+  async getOrgResource({ teamDid, orgId, resourceId }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      return state.getOrgResource({ orgId, resourceId }, context);
+    } catch (err) {
+      logger.error('Get org resource failed', { err, teamDid, orgId, resourceId });
+      throw err;
+    }
+  }
+
+  async addOrgResource({ teamDid, orgId, resourceIds, type, metadata }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      return state.addOrgResource({ orgId, resourceIds, type, metadata }, context);
+    } catch (err) {
+      logger.error('Add org resource failed', { err, teamDid, orgId, resourceIds, type, metadata });
+      throw err;
+    }
+  }
+
+  async removeOrgResource({ teamDid, orgId, resourceIds }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      return state.removeOrgResource({ orgId, resourceIds }, context);
+    } catch (err) {
+      logger.error('Remove org resource failed', { err, teamDid, orgId, resourceIds });
+      throw err;
+    }
+  }
+
+  async migrateOrgResource({ teamDid, from, to, resourceIds }, context) {
+    try {
+      const state = await this.getOrgState(teamDid);
+      return state.migrateOrgResource({ from, to, resourceIds }, context);
+    } catch (err) {
+      logger.error('Migrate org resource failed', { err, teamDid, from, to, resourceIds });
+      throw err;
+    }
+  }
 }
 
 module.exports = TeamAPI;