@abtnode/webapp 1.8.63-beta-a36b5e1a → 1.8.63

package/api/index.js

@@ -1,249 +0,0 @@
-const path = require('path');
-const cors = require('cors');
-const compression = require('compression');
-const morgan = require('morgan');
-const express = require('express');
-require('express-async-errors');
-const cookieParser = require('cookie-parser');
-const bodyParser = require('body-parser');
-const bearerToken = require('express-bearer-token');
-const fallback = require('express-history-api-fallback');
-const graphqlUploadExpress = require('graphql-upload/graphqlUploadExpress.js');
-const joinUrl = require('url-join');
-const getRouterAdapter = require('@abtnode/router-adapter');
-const get502Template = require('@abtnode/router-templates/lib/502');
-const getBlockletNotRunningTemplate = require('@abtnode/router-templates/lib/blocklet-not-running');
-const {
-  MAX_UPLOAD_FILE_SIZE,
-  DEFAULT_ADMIN_PATH,
-  USER_AVATAR_URL_PREFIX,
-  USER_AVATAR_PATH_PREFIX,
-} = require('@abtnode/constant');
-const http = require('http');
-const { setUserInfoHeaders } = require('@abtnode/auth/lib/auth');
-const log = require('@abtnode/logger');
-const certificateManager = require('@abtnode/certificate-manager');
-const createInvite = require('@abtnode/auth/lib/invitation');
-
-const { authWithJwt, authWithAccessKey, authWithVcPresentation } = require('./libs/login');
-const { context, handlers } = require('./libs/auth');
-const { protectGQL } = require('./libs/security');
-const gql = require('./gql');
-const createWebSocketServer = require('./ws');
-
-const logger = log('webapp:index');
-
-const createLoginAuth = require('./routes/auth/login');
-const createSwitchProfileAuth = require('./routes/auth/switch-profile');
-const createSwitchPassportAuth = require('./routes/auth/switch-passport');
-const createConnectOwnerAuth = require('./routes/auth/connect-owner');
-const createVerifyOwnerAuth = require('./routes/auth/verify-owner');
-const createAcceptServerAuth = require('./routes/auth/accept-server');
-const createVerifyPurchaseAuth = require('./routes/auth/verify-purchase');
-const createIssuePassportAuth = require('./routes/auth/issue-passport');
-const createLostPassportListAuth = require('./routes/auth/lost-passport-list');
-const createLostPassportIssueAuth = require('./routes/auth/lost-passport-issue');
-const createInviteAuth = require('./routes/auth/invite');
-const createLaunchFreeBlockletAuth = require('./routes/auth/launch-free-blocklet');
-const createLaunchPaidBlockletAuth = require('./routes/auth/launch-paid-blocklet');
-const createLaunchFreeBlockletByNFTAuth = require('./routes/auth/launch-free-blocklet-by-nft');
-const createLaunchPaidBlockletByNFTAuth = require('./routes/auth/launch-paid-blocklet-by-nft');
-const createDelegateTransferOwnerNFTAuth = require('./routes/auth/delegate-transfer-owner-nft');
-const sessionRoutes = require('./routes/session');
-const blockletInfoRoutes = require('./routes/blocklet-info');
-const blockletPreferenceRoutes = require('./routes/blocklet-preference');
-const blockletProxyRoutes = require('./routes/blocklet-proxy');
-const passportRoutes = require('./routes/passport');
-const didResolverRoutes = require('./routes/did-resolver');
-const dnsResolverRoutes = require('./routes/dns-resolver');
-const userRoutes = require('./routes/user');
-const logRoutes = require('./routes/log');
-
-const MAX_FILE_SIZE = Number(process.env.MAX_UPLOAD_FILE_SIZE || MAX_UPLOAD_FILE_SIZE) * 1024 * 1024;
-
-module.exports = function createServer(node) {
-  const isTestBuild = process.env.TEST_BUILD && JSON.parse(process.env.TEST_BUILD);
-  const isProduction = process.env.NODE_ENV === 'production' || isTestBuild;
-
-  if (!process.env.ABT_NODE_DATA_DIR) {
-    throw new Error('Cannot start application without process.env.ABT_NODE_DATA_DIR');
-  }
-
-  context.set('node', node);
-
-  // Create and config express application
-  const app = express();
-
-  app.set('trust proxy', 'loopback');
-  app.disable('x-powered-by');
-
-  app.use(compression());
-  app.use(cookieParser());
-  app.use(bodyParser.json({ limit: '4mb' }));
-  app.use(bodyParser.urlencoded({ extended: true, limit: '2mb' }));
-  app.use(cors());
-
-  app.get('/error/502', async (req, res) => {
-    try {
-      res.type('html');
-      res.status(502);
-
-      const blockletDid = req.get('x-did');
-      const nodeInfo = await node.getNodeInfo();
-      const info = { version: nodeInfo.version, mode: nodeInfo.mode };
-
-      if (blockletDid) {
-        const blocklet = await node.getBlocklet({ did: blockletDid, attachConfig: false });
-        if (!blocklet) {
-          return res.send(get502Template(info));
-        }
-
-        return res.send(getBlockletNotRunningTemplate(blocklet, nodeInfo));
-      }
-
-      return res.send(get502Template(info));
-    } catch (error) {
-      logger.error('render 502 page failed', { error });
-      return res.send('502 Error');
-    }
-  });
-
-  if (isProduction) {
-    // format:
-    // :remote-addr - :remote-user [:date[clf]] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"
-    app.use(morgan('combined', { stream: log.getAccessLogStream(process.env.ABT_NODE_LOG_DIR) }));
-  } else {
-    app.use(
-      morgan((tokens, req, res) => {
-        const format = [
-          tokens.method(req, res),
-          tokens.url(req, res),
-          tokens.status(req, res),
-          tokens.res(req, res, 'content-length'),
-          '-',
-          tokens['response-time'](req, res),
-          'ms',
-        ].join(' ');
-
-        return format;
-      })
-    );
-  }
-
-  app.use(bearerToken());
-  app.use(async (req, res, next) => {
-    try {
-      const { token, headers, body } = req;
-      if (token) {
-        // request by login user
-        const user = await authWithJwt(token, node);
-
-        // parse user avatar
-        if (user && user.avatar && user.avatar.startsWith(USER_AVATAR_URL_PREFIX)) {
-          const nodeInfo = await node.getNodeInfo();
-
-          const adminPath =
-            process.env.NODE_ENV === 'development' ? '' : nodeInfo.routing?.adminPath || DEFAULT_ADMIN_PATH;
-
-          user.avatar = joinUrl(adminPath, USER_AVATAR_PATH_PREFIX, nodeInfo.did, user.avatar.split('/').slice(-1)[0]);
-        }
-
-        req.user = user;
-      } else if (headers['x-access-key-id'] && headers['x-access-stamp'] && headers['x-access-signature']) {
-        // request by accessKey
-        const user = await authWithAccessKey({
-          keyId: headers['x-access-key-id'],
-          stamp: headers['x-access-stamp'],
-          signature: headers['x-access-signature'],
-          node,
-          blockletDid: headers['x-access-blocklet'],
-        });
-        req.user = user;
-      } else if (body['x-authenticate'] && body['x-authenticate'].vcPresentation) {
-        req.user = await authWithVcPresentation({
-          node,
-          vcPresentation: body['x-authenticate'].vcPresentation,
-          challenge: body['x-authenticate'].challenge,
-        });
-      }
-    } catch (error) {
-      // Do nothing
-    }
-    next();
-  });
-
-  app.use(async (req, res, next) => {
-    setUserInfoHeaders(req);
-    next();
-  });
-  app.use(certificateManager.createRoutes(node.dataDirs.certManagerModule));
-
-  const router = express.Router();
-
-  handlers.attach(Object.assign({ app: router }, createLoginAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createSwitchProfileAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createSwitchPassportAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createConnectOwnerAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createVerifyOwnerAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createAcceptServerAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createVerifyPurchaseAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createIssuePassportAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createLostPassportListAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createLostPassportIssueAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createInviteAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createLaunchFreeBlockletAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createLaunchPaidBlockletAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createLaunchFreeBlockletByNFTAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createLaunchPaidBlockletByNFTAuth(node)));
-  handlers.attach(Object.assign({ app: router }, createDelegateTransferOwnerNFTAuth(node)));
-
-  sessionRoutes.init(router, node);
-  blockletInfoRoutes.init(router, node);
-  blockletPreferenceRoutes.init(router, node);
-  blockletProxyRoutes.init(router, node);
-  passportRoutes.init(router, node);
-  didResolverRoutes.init(router, node);
-  dnsResolverRoutes.init(router, node);
-  createInvite.init(app, node, { prefix: '/api' });
-  userRoutes.init(router, node);
-  logRoutes.init(router, node);
-
-  // serve abt node gql
-  const gqlConfig = gql.genConfig(node);
-  app.use(
-    '/api/gql',
-    graphqlUploadExpress({ maxFileSize: MAX_FILE_SIZE, maxFiles: 10 }),
-    protectGQL(node, gqlConfig),
-    gql(gqlConfig, !isProduction)
-  );
-
-  if (isProduction) {
-    app.use(router);
-
-    const staticDir = path.resolve(__dirname, './build');
-
-    app.use(getRouterAdapter());
-    app.use(express.static(staticDir, { maxAge: '365d', index: false }));
-    app.use(fallback('index.html', { root: staticDir }));
-
-    app.use((req, res) => {
-      res.status(404).send('404 NOT FOUND');
-    });
-
-    // eslint-disable-next-line no-unused-vars
-    app.use((err, req, res, next) => {
-      logger.error('Something broke', { error: err });
-      res.status(500).send(`Daemon: Something broke! ${err.message}`);
-    });
-  } else {
-    app.use(router);
-  }
-
-  const httpServer = http.createServer(app);
-  const wsServer = createWebSocketServer(node);
-  wsServer.attach(httpServer);
-
-  httpServer.app = app;
-
-  return httpServer;
-};

package/api/libs/auth.js

@@ -1,78 +0,0 @@
-const path = require('path');
-const joinUrl = require('url-join');
-const Mcrypto = require('@ocap/mcrypto');
-const DiskStorage = require('@arcblock/did-auth-storage-nedb');
-const { fromSecretKey, WalletType } = require('@ocap/wallet');
-const { WalletAuthenticator } = require('@arcblock/did-auth');
-const { DEFAULT_SERVICE_PATH, WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
-const WalletHandlers = require('@blocklet/sdk/lib/wallet-handler');
-const { sendToUser } = require('@blocklet/sdk/lib/util/send-notification');
-
-const env = require('./env');
-
-const type = WalletType({
-  role: Mcrypto.types.RoleType.ROLE_APPLICATION,
-  pk: Mcrypto.types.KeyType.ED25519,
-  hash: Mcrypto.types.HashType.SHA3,
-});
-
-const wallet = fromSecretKey(process.env.ABT_NODE_SK, type);
-
-const context = (() => {
-  const store = {};
-  return {
-    get: key => store[key],
-    set: (key, value) => {
-      store[key] = value;
-    },
-  };
-})();
-
-const authenticator = new WalletAuthenticator({
-  wallet,
-  baseUrl: env.baseUrl,
-  appInfo: async ({ baseUrl }) => {
-    const info = await context.get('node').getNodeInfo();
-    return {
-      name: info.name,
-      description: info.description,
-      icon: `${env.baseUrl || baseUrl}/images/node.png?version=${info.version}`,
-      link: env.baseUrl || baseUrl,
-      updateSubEndpoint: true,
-      subscriptionEndpoint: joinUrl(DEFAULT_SERVICE_PATH, WELLKNOWN_SERVICE_PATH_PREFIX, 'websocket'),
-      nodeDid: info.did,
-    };
-  },
-  chainInfo: {
-    host: 'none',
-    id: 'none',
-  },
-});
-
-const handlers = new WalletHandlers({
-  authenticator,
-  tokenStorage: new DiskStorage({
-    dbPath: path.join(process.env.ABT_NODE_DATA_DIR, 'auth.db'),
-    dbPort: process.env.NODE_ENV === 'test' ? null : Number(process.env.NEDB_MULTI_PORT),
-    onload: err => {
-      if (err) {
-        // eslint-disable-next-line no-console
-        console.error(`Failed to load database from ${path.join(process.env.ABT_NODE_DATA_DIR, 'auth.db')}`, err);
-      }
-    },
-  }),
-  sendNotificationFn: (connectedDid, message) => {
-    const sender = {
-      appDid: wallet.address,
-      appSk: wallet.secretKey,
-    };
-    return sendToUser(connectedDid, message, sender, process.env.ABT_NODE_SERVICE_PORT);
-  },
-});
-
-module.exports = {
-  authenticator,
-  handlers,
-  wallet,
-  context,
-};

package/api/libs/env.js

@@ -1,3 +0,0 @@
-module.exports = {
-  baseUrl: process.env.ABT_NODE_BASE_URL,
-};

package/api/libs/login.js

@@ -1,212 +0,0 @@
-/* eslint-disable implicit-arrow-linebreak */
-/* eslint-disable no-underscore-dangle */
-const jwt = require('jsonwebtoken');
-const get = require('lodash/get');
-const { fromPublicKey } = require('@ocap/wallet');
-const getBlockletInfo = require('@blocklet/meta/lib/info');
-const { VC_TYPE_NODE_PASSPORT, SERVER_ROLES, AUTH_CERT_TYPE } = require('@abtnode/constant');
-const { createAuthToken } = require('@abtnode/auth/lib/auth');
-const { isUserPassportRevoked, getRoleFromLocalPassport, isPassportAvailable } = require('@abtnode/auth/lib/passport');
-const { getVcFromPresentation } = require('@abtnode/util/lib/vc');
-const { verifyPresentation } = require('@arcblock/vc');
-
-const logger = require('../../../auth/lib/logger');
-
-if (!process.env.ABT_NODE_SESSION_SECRET) {
-  throw new Error('ABT_NODE_SESSION_SECRET must be set to start the node');
-}
-
-const secret = process.env.ABT_NODE_SESSION_SECRET;
-// @link checkout https://github.com/auth0/node-jsonwebtoken#usage for ttl syntax
-const ttl = Number(process.env.ABT_NODE_SESSION_TTL) ? Number(process.env.ABT_NODE_SESSION_TTL) : '1d';
-
-async function getUser(node, did) {
-  const user = await node.getNodeUser({ did });
-  if (user && user.approved) {
-    return user;
-  }
-  return null;
-}
-
-const createSessionToken = async (did, { passport, role } = {}) =>
-  createAuthToken({
-    did,
-    passport,
-    role,
-    secret,
-    expiresIn: ttl,
-  });
-
-const parseUserByDecodedJwtToken = async ({ data = {}, node } = {}) => {
-  const { did } = data;
-  if (!did) {
-    throw new Error('Invalid jwt token: invalid did');
-  }
-
-  if (data.type === AUTH_CERT_TYPE.OWNERSHIP_NFT) {
-    return { role: data.role, did: data.did };
-  }
-
-  if (data.type === AUTH_CERT_TYPE.BLOCKLET_USER) {
-    return {
-      did: data.did,
-      role: `blocklet-${data.role}`,
-      blockletDid: data.blockletDid,
-    };
-  }
-
-  if (data.type === AUTH_CERT_TYPE.BLOCKLET_CONTROLLER) {
-    return {
-      role: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER,
-      did: data.did,
-      controller: data.controller,
-
-      // just for frond-end display
-      passports: [{ name: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER, title: 'External' }],
-    };
-  }
-
-  const { role, passport } = data;
-
-  const user = await getUser(node, did);
-  if (!user) {
-    throw new Error('Invalid jwt token: user not in whitelist');
-  }
-
-  if (passport && passport.id && isUserPassportRevoked(user, passport)) {
-    throw new Error(`Passport ${passport.name} has been revoked`);
-  }
-
-  user.role = role;
-  if (passport) {
-    user.passportId = passport.id;
-  }
-
-  return user;
-};
-
-function authWithJwt(token, node) {
-  return new Promise((resolve, reject) => {
-    jwt.verify(token, secret, async (err, decoded) => {
-      if (err) {
-        return reject(err);
-      }
-
-      return resolve(parseUserByDecodedJwtToken({ data: decoded, node }));
-    });
-  });
-}
-
-async function authWithAccessKey({ keyId, stamp, signature, node, blockletDid }) {
-  // request from blocklet
-  if (blockletDid) {
-    const [blocklet, info] = await Promise.all([
-      node.getBlocklet({ did: blockletDid, attachRuntimeInfo: false }),
-      node.getNodeInfo(),
-    ]);
-    if (!blocklet) {
-      throw new Error(`blocklet is not valid: ${blockletDid}`);
-    }
-
-    const { wallet, name } = getBlockletInfo(blocklet, info.sk);
-    if (wallet.address !== keyId) {
-      throw new Error(`keyId is not valid: ${keyId}`);
-    }
-
-    if (!wallet.verify(`${stamp}-${keyId}`, signature)) {
-      throw new Error(`verify failed. keyId: ${keyId}, stamp: ${stamp}, signature: ${signature}`);
-    }
-
-    return {
-      did: blockletDid,
-      role: SERVER_ROLES.BLOCKLET_SDK,
-      blockletDid,
-      fullName: name,
-    };
-  }
-
-  const accessKey = await node.getAccessKey({ accessKeyId: keyId });
-  if (!accessKey) {
-    throw new Error(`Access Key ${keyId} does not exist`);
-  }
-  const { accessKeyPublic, passport, remark } = accessKey;
-
-  const role = getRoleFromLocalPassport({ name: passport });
-  const wallet = fromPublicKey(accessKeyPublic);
-  if (!wallet.verify(`${stamp}-${keyId}`, signature)) {
-    throw new Error(`verify failed. keyId: ${keyId}, stamp: ${stamp}, signature: ${signature}`);
-  }
-  await node.refreshLastUsed(keyId);
-  return {
-    did: keyId,
-    fullName: remark || keyId,
-    role,
-  };
-}
-
-const authWithVcPresentation = async ({ node, vcPresentation, challenge }) => {
-  const vc = getVcFromPresentation(vcPresentation);
-
-  if (vc.type.includes(VC_TYPE_NODE_PASSPORT)) {
-    const { did } = await node.getNodeInfo();
-    // FIXME: 这个地方需要考虑外部 Passport(trustedPassports) 的权限
-    verifyPresentation({ presentation: vcPresentation, trustedIssuers: [did], challenge });
-
-    const userDid = get(vc, 'credentialSubject.id');
-    const user = await node.getNodeUser(userDid);
-    if (!user) {
-      throw new Error('The user of verifiable credential presentation does not exist');
-    }
-
-    const passport = user.passports.find(x => x.id === vc.id);
-    if (!passport) {
-      throw new Error('The user does not match the passport');
-    }
-
-    if (!isPassportAvailable(passport)) {
-      throw new Error('The passport is no longer available');
-    }
-
-    return {
-      did: user.did,
-      role: passport.name,
-    };
-  }
-
-  if (vc.type.includes('ServiceOwnershipCredential')) {
-    // FIXME: 这里的 trustedIssuers 相当于相信任何 VC，需要想更安全的方法
-    verifyPresentation({ presentation: vcPresentation, trustedIssuers: [get(vc, 'issuer.id')], challenge });
-
-    const { did: abtnodeDid, ownerNft } = await node.getNodeInfo();
-    const abtnodeDidInVc = get(vc, 'credentialSubject.isOwnerOf.abtnode.id');
-    if (abtnodeDidInVc !== abtnodeDid) {
-      logger.error('Invalid ownership vc: ABT Node DID not matched the DID in VC');
-      throw new Error('Invalid Ownership VC');
-    }
-
-    const userDid = get(vc, 'credentialSubject.id');
-    const abtnodeHolder = get(ownerNft, 'holder');
-
-    if (userDid !== abtnodeHolder) {
-      logger.error('Invalid ownership vc: ABT Node holder not matched the owner DID in VC');
-      throw new Error('Invalid Ownership VC');
-    }
-
-    return {
-      did: userDid,
-      role: SERVER_ROLES.OWNER,
-    };
-  }
-
-  throw new Error('Invalid verifiable credential presentation');
-};
-
-module.exports = {
-  createSessionToken,
-  authWithJwt,
-  authWithAccessKey,
-  authWithVcPresentation,
-  getUser,
-  secret,
-  parseUserByDecodedJwtToken,
-};

package/api/libs/security.js

@@ -1,90 +0,0 @@
-const get = require('lodash/get');
-const { parse } = require('graphql');
-const { NODE_MODES, ROLES } = require('@abtnode/constant');
-
-const isDebugMode = info => info.enableWelcomePage && info.mode === NODE_MODES.DEBUG;
-
-const whiteList = {
-  getNodeInfo: true,
-  getBlockletMetaFromUrl: true,
-  getBlocklets: info => isDebugMode(info),
-  getRoutingSites: info => isDebugMode(info),
-  resetNode: () => process.env.NODE_ENV === 'e2e',
-};
-
-const protectGQL = (instance, gqlConfig) => async (req, res, next) => {
-  const query = req.query.query || req.body.query;
-  if (query) {
-    const info = await instance.states.node.read();
-    try {
-      const { definitions } = parse(query);
-
-      // get operations that need checked, excluded by whitelist
-      const operations = definitions
-        .map(x => {
-          const selections = get(x, 'selectionSet.selections') || [];
-          const names = selections.map(y => get(y, 'name.value'));
-          return names;
-        })
-        .reduce((arr, names) => {
-          arr.push(...names);
-          return arr;
-        }, [])
-        .filter(d => d !== '__schema')
-        .filter(name => {
-          if (typeof whiteList[name] === 'function') {
-            return !whiteList[name](info);
-          }
-          return !whiteList[name];
-        });
-
-      // check auth
-      if (!req.user && operations.length) {
-        return res.status(401).json({ code: 'forbidden', error: 'not allowed' });
-      }
-
-      // check batch mutation
-      const isBatchMutation = definitions.filter(x => x.operation === 'mutation').length > 1;
-      if (isBatchMutation) {
-        return res.status(403).json({ code: 'forbidden', error: 'batch mutation not allowed' });
-      }
-
-      // check maintenance
-      const hasMutation = definitions.some(x => x.operation === 'mutation');
-      if (hasMutation && [NODE_MODES.MAINTENANCE].includes(info.mode)) {
-        return res.status(503).json({ code: 'under maintenance', error: 'Blocklet server is under maintenance' });
-      }
-
-      // check permission
-      if (req.user && req.user.role !== ROLES.OWNER && operations.length) {
-        const rbac = await instance.getRBAC();
-
-        const results = await Promise.all(
-          operations.map(async apiName => {
-            if (!gqlConfig[apiName]) {
-              return true;
-            }
-
-            return !!(await rbac.canAny(
-              req.user.role,
-              gqlConfig[apiName].permissions.map(p => p.split('_'))
-            ));
-          })
-        );
-
-        const can = results.every(Boolean);
-        if (!can) {
-          return res.status(403).json({ code: 'forbidden', error: 'no permission' });
-        }
-      }
-    } catch (err) {
-      // eslint-disable-next-line no-console
-      console.error('Failed to validate query', { err, query });
-      return res.json({ code: 'internal', error: err.message });
-    }
-  }
-
-  return next();
-};
-
-module.exports = { protectGQL };