@blocklet/sdk 1.16.51-beta-20250904-031834-c611f059 → 1.16.51-beta-20250905-051437-fe05adb2

package/lib/middlewares/csrf.d.ts

@@ -8,7 +8,15 @@ export interface CSRFOptions {
     generateToken?: (req: Request, res: CSRFOptionsResponse) => void | Promise<void>;
     verifyToken?: (req: Request, res: CSRFOptionsResponse) => Promise<void> | void;
 }
-declare function defaultGenerateToken(req: Request, res: Response): Promise<void>;
+/**
+ *
+ * @param req
+ * @param res
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#employing-hmac-csrf-tokens
+ * @note: 我们需要意识到 1. csrf token 不会被攻击者从 cookie 中得到 2. csrf token 的校验是需要当前用户的 login token 的，3. csrf token 不应该有过期时间
+ * @returns
+ */
+declare function defaultGenerateToken(req: Request, res: Response): void;
 declare function defaultVerifyToken(req: Request): void;
 export declare function csrf(options?: CSRFOptions): RequestHandler;
 export {};

package/lib/middlewares/csrf.js

@@ -14,28 +14,39 @@ const wallet = (0, wallet_2.default)();
 function printCookieParserNotInstalledWarning() {
     config_1.default.logger.warn('cookie-parser middleware is required for the csrf middleware to work properly.');
 }
-async function defaultGenerateToken(req, res) {
+/**
+ *
+ * @param req
+ * @param res
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#employing-hmac-csrf-tokens
+ * @note: 我们需要意识到 1. csrf token 不会被攻击者从 cookie 中得到 2. csrf token 的校验是需要当前用户的 login token 的，3. csrf token 不应该有过期时间
+ * @returns
+ */
+function defaultGenerateToken(req, res) {
     if (!req.cookies) {
         printCookieParserNotInstalledWarning();
         return;
     }
     if (req.cookies.login_token) {
-        const csrfToken = await (0, csrf_1.signWithCache)(wallet.secretKey, req.cookies.login_token);
-        res.cookie('x-csrf-token', csrfToken, {
-            sameSite: 'none',
-            secure: true,
-        });
+        const newCsrfToken = (0, csrf_1.sign)(wallet.secretKey, req.cookies.login_token);
+        const oldCsrfToken = req.cookies['x-csrf-token'];
+        if (newCsrfToken !== oldCsrfToken) {
+            res.cookie('x-csrf-token', newCsrfToken, {
+                sameSite: 'strict',
+                secure: true,
+            });
+        }
     }
 }
 function defaultVerifyToken(req) {
     if (!req.cookies) {
         printCookieParserNotInstalledWarning();
     }
-    if (req.cookies &&
+    if (req.cookies?.login_token &&
         !(0, isEmpty_1.default)(req.cookies['x-csrf-token']) &&
         req.cookies['x-csrf-token'] === req.headers['x-csrf-token']) {
-        const csrfToken = req.cookies['x-csrf-token'];
-        if ((0, csrf_1.verify)(wallet.secretKey, csrfToken)) {
+        const csrfTokenFromRequest = req.cookies['x-csrf-token'];
+        if ((0, csrf_1.verify)(wallet.secretKey, csrfTokenFromRequest, req.cookies.login_token)) {
             return;
         }
         config_1.default.logger.warn('Invalid request: csrf token mismatch', {
@@ -49,7 +60,7 @@ function defaultVerifyToken(req) {
             csrfTokenFromHeader: req.headers['x-csrf-token'],
         });
     }
-    throw new Error('Invalid request: csrf token mismatch');
+    throw new Error('Invalid request: csrf token mismatch, please refresh the page try again');
 }
 function shouldGenerateToken(req) {
     return ['GET'].includes(req.method);

package/lib/service/blocklet.d.ts

@@ -77,9 +77,9 @@ interface BlockletService {
     verifyAccessKey(params: OmitTeamDid<Client.RequestVerifyAccessKeyInput>): Promise<Client.ResponseAccessKey>;
     getAccessKeys(params: OmitTeamDid<Client.RequestAccessKeysInput>): Promise<Client.ResponseAccessKeys>;
     getAccessKey(params: OmitTeamDid<Client.RequestAccessKeyInput>): Promise<Client.ResponseAccessKey>;
-    getUserFollowers(args?: OmitTeamDid<Client.RequestUserFollowsInput>): Promise<Client.ResponseUserFollows>;
-    getUserFollowing(args?: OmitTeamDid<Client.RequestUserFollowsInput>): Promise<Client.ResponseUserFollows>;
-    getUserFollowStats(args?: OmitTeamDid<Client.RequestUserFollowsStatsInput>): Promise<Client.ResponseFollowStats>;
+    getUserFollowers(args: OmitTeamDid<Client.RequestUserFollowsInput>, options: RequestHeaders): Promise<Client.ResponseUserFollows>;
+    getUserFollowing(args: OmitTeamDid<Client.RequestUserFollowsInput>, options: RequestHeaders): Promise<Client.ResponseUserFollows>;
+    getUserFollowStats(args: OmitTeamDid<Client.RequestUserFollowsStatsInput>, options: RequestHeaders): Promise<Client.ResponseFollowStats>;
     checkFollowing(args: OmitTeamDid<Client.RequestCheckFollowingInput>): Promise<Client.ResponseCheckFollowing>;
     followUser(args: OmitTeamDid<Client.RequestFollowUserActionInput>): Promise<Client.GeneralResponse>;
     unfollowUser(args: OmitTeamDid<Client.RequestFollowUserActionInput>): Promise<Client.GeneralResponse>;

package/lib/service/blocklet.js

@@ -81,6 +81,9 @@ class BlockletClient extends server_js_1.default {
         return headers;
     }
 }
+// 通用的客户端调用方法，用于减少代码重复
+// 需要 cookie 验证的方法列表
+const AUTH_REQUIRED_METHODS = Object.freeze(['getUserFollowers', 'getUserFollowing', 'getUserFollowStats']);
 // Blocklet 相关的功能 API 都在这里
 // core/state/lib/api/team.js L42
 // 所有可配置调用的函数在这里，如果需要额外增加，则需要在这里新增对应的函数
@@ -302,20 +305,25 @@ class BlockletService {
                 throw new Error((0, error_1.formatError)(err));
             }
         };
-        // 通用的客户端调用方法，用于减少代码重复
-        const callClientMethod = async (methodName, args) => {
+        const callClientMethod = async (methodName, args, options) => {
             try {
+                // 检查是否为需要认证的方法
+                if (AUTH_REQUIRED_METHODS.includes(methodName)) {
+                    if (!options?.headers?.cookie) {
+                        throw new Error('Missing required authentication cookie in request headers');
+                    }
+                }
                 const clientMethod = client[methodName];
-                const res = await clientMethod({ input: { teamDid, ...args } });
+                const res = await clientMethod({ input: { teamDid, ...args } }, options);
                 return res;
             }
             catch (err) {
                 throw new Error((0, error_1.formatError)(err)); // 这几个错误消息需要 format
             }
         };
-        this.getUserFollowers = (args) => callClientMethod('getUserFollowers', args);
-        this.getUserFollowing = (args) => callClientMethod('getUserFollowing', args);
-        this.getUserFollowStats = (args) => callClientMethod('getUserFollowStats', args);
+        this.getUserFollowers = (args, options) => callClientMethod('getUserFollowers', args, options);
+        this.getUserFollowing = (args, options) => callClientMethod('getUserFollowing', args, options);
+        this.getUserFollowStats = (args, options) => callClientMethod('getUserFollowStats', args, options);
         this.checkFollowing = (args) => callClientMethod('checkFollowing', args);
         this.followUser = (args) => callClientMethod('followUser', args);
         this.unfollowUser = (args) => callClientMethod('unfollowUser', args);

package/lib/util/csrf.d.ts

@@ -1,3 +1,5 @@
+import type { LiteralUnion } from 'type-fest';
+export declare function hmac(secretKey: string, message: string, algorithm?: LiteralUnion<'md5' | 'sha256', string>): string;
 /**
  * 生成 CSRF Token
  * @param secretKey 服务器密钥（必填，需保密）
@@ -5,25 +7,11 @@
  * @returns 签名后的Token字符串
  */
 export declare function sign(secretKey: string, loginToken: string): string;
-/**
- * 带缓存的 CSRF Token 生成函数
- * 半小时内，相同的 secretKey 和 loginToken 会返回缓存的结果
- * @param secretKey 服务器密钥（必填，需保密）
- * @param loginToken 登录token
- * @returns 签名后的Token字符串
- */
-export declare function signWithCache(secretKey: string, loginToken: string): Promise<string>;
-/**
- * 清除缓存（主要用于测试）
- * @param secretKey 可选，指定清除特定密钥的缓存
- * @param loginToken 可选，指定清除特定登录token的缓存
- */
-export declare function clearSignCache(secretKey?: string, loginToken?: string): Promise<void>;
 /**
  * 验证CSRF Token有效性
- * @param secret 服务器密钥（需与生成时一致）
- * @param token 待验证的Token
- * @param expiresIn 有效期（需与生成时一致，默认3600）
+ * @param secretKey 服务器密钥（需与生成时一致）
+ * @param csrfTokenFromRequest 待验证的Token
+ * @param expiresIn 有效期（需与生成时一致，默认5400）
  * @returns 是否有效（布尔值）
  */
-export declare function verify(secret: string, token: string, expiresIn?: number): boolean;
+export declare function verify(secretKey: string, csrfTokenFromRequest: string, loginToken: string): boolean;

package/lib/util/csrf.js

@@ -1,32 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.hmac = hmac;
 exports.sign = sign;
-exports.signWithCache = signWithCache;
-exports.clearSignCache = clearSignCache;
 exports.verify = verify;
 const crypto_1 = require("crypto");
-const lru_cache_1 = require("lru-cache");
-const config_1 = require("../config");
-// 常量定义：避免魔法数字，增强可读性
-const TIMESTAMP_LENGTH = 10; // 秒级时间戳长度(10位)
-const RANDOM_LENGTH = 4; // 随机数长度(4位)
-const PREFIX_LENGTH = TIMESTAMP_LENGTH + RANDOM_LENGTH; // 前缀总长度(14位)
-const MIN_TOKEN_LENGTH = PREFIX_LENGTH + 1 + 40; // 最小Token长度(14+1+40)
-const HASH_ALGORITHM = 'sha256'; // 哈希算法
-const CACHE_DURATION = 30 * 60 * 1000; // 缓存时长：30分钟（毫秒）
-// 创建缓存实例
-const cache = new lru_cache_1.LRUCache({ max: 100 * 1000, ttl: CACHE_DURATION });
-/**
- * Base64URL编码去除补位符
- */
-const trimBase64UrlPadding = (str) => str.replace(/=+$/, '');
-/**
- * Base64URL编码补全补位符
- */
-const padBase64Url = (str) => {
-    const padLength = (4 - (str.length % 4)) % 4;
-    return str.padEnd(str.length + padLength, '=');
-};
+function hmac(secretKey, message, algorithm = 'md5') {
+    const hmacFunc = (0, crypto_1.createHmac)(algorithm, secretKey);
+    return hmacFunc.update(message).digest('base64url');
+}
 /**
  * 生成 CSRF Token
  * @param secretKey 服务器密钥（必填，需保密）
@@ -34,116 +15,18 @@ const padBase64Url = (str) => {
  * @returns 签名后的Token字符串
  */
 function sign(secretKey, loginToken) {
-    // 生成10位秒级时间戳
-    const timestamp = Math.floor(Date.now() / 1000);
-    const timestampStr = timestamp.toString().padStart(TIMESTAMP_LENGTH, '0');
-    const salt = loginToken.slice(-4).padStart(4, '0');
-    // 组合前缀：时间戳 + 随机数
-    const prefix = `${timestampStr}${salt}`;
-    // 生成HMAC签名并处理编码
-    const signature = (0, crypto_1.createHmac)(HASH_ALGORITHM, secretKey).update(prefix).digest('base64url');
-    // 拼接前缀和签名，使用.分隔（移除补位符减少长度）
-    return `${prefix}.${trimBase64UrlPadding(signature)}`;
-}
-/**
- * 生成缓存键
- * @param secretKey 服务器密钥
- * @param loginToken 登录token
- * @returns 缓存键
- */
-function generateCacheKey(secretKey, loginToken) {
-    // 使用哈希值作为键的一部分，避免敏感信息直接存储在键中
-    const keyHash = (0, crypto_1.createHmac)('md5', 'cache-key-salt').update(`${secretKey}:${loginToken}`).digest('hex');
-    return `csrf:${keyHash}`;
-}
-/**
- * 带缓存的 CSRF Token 生成函数
- * 半小时内，相同的 secretKey 和 loginToken 会返回缓存的结果
- * @param secretKey 服务器密钥（必填，需保密）
- * @param loginToken 登录token
- * @returns 签名后的Token字符串
- */
-async function signWithCache(secretKey, loginToken) {
-    const cacheKey = generateCacheKey(secretKey, loginToken);
-    // 尝试从缓存获取
-    const cachedToken = await cache.get(cacheKey);
-    if (cachedToken && typeof cachedToken === 'string') {
-        return cachedToken;
-    }
-    // 缓存未命中，生成新的token
-    const newToken = sign(secretKey, loginToken);
-    // 存储到缓存
-    await cache.set(cacheKey, newToken);
-    return newToken;
-}
-/**
- * 清除缓存（主要用于测试）
- * @param secretKey 可选，指定清除特定密钥的缓存
- * @param loginToken 可选，指定清除特定登录token的缓存
- */
-async function clearSignCache(secretKey, loginToken) {
-    if (secretKey && loginToken) {
-        const cacheKey = generateCacheKey(secretKey, loginToken);
-        await cache.delete(cacheKey);
-    }
-    else {
-        await cache.clear();
-    }
+    const xCsrfTokenMd5 = hmac(secretKey, loginToken);
+    const xCsrfTokenSigned = hmac(secretKey, xCsrfTokenMd5, 'sha256');
+    return [xCsrfTokenMd5, xCsrfTokenSigned].join('.');
 }
 /**
  * 验证CSRF Token有效性
- * @param secret 服务器密钥（需与生成时一致）
- * @param token 待验证的Token
- * @param expiresIn 有效期（需与生成时一致，默认3600）
+ * @param secretKey 服务器密钥（需与生成时一致）
+ * @param csrfTokenFromRequest 待验证的Token
+ * @param expiresIn 有效期（需与生成时一致，默认5400）
  * @returns 是否有效（布尔值）
  */
-function verify(secret, token, expiresIn = 3600) {
-    // 基础格式校验
-    if (typeof token !== 'string' || token.length < MIN_TOKEN_LENGTH) {
-        config_1.logger.warn('CSRF token invalid: format error', {
-            token: typeof token === 'string' ? `${token.slice(0, 20)}...` : token,
-        });
-        return false;
-    }
-    // 拆分前缀和签名部分（以.分隔）
-    const dotIndex = token.indexOf('.', PREFIX_LENGTH);
-    if (dotIndex === -1 || dotIndex !== PREFIX_LENGTH) {
-        config_1.logger.warn('CSRF token invalid: separator error', { token: `${token.slice(0, 20)}...` });
-        return false;
-    }
-    const prefix = token.slice(0, PREFIX_LENGTH);
-    const signatureB64Url = token.slice(PREFIX_LENGTH + 1);
-    // 提取时间戳部分（前10位）
-    const timestampStr = prefix.slice(0, TIMESTAMP_LENGTH);
-    // 时间戳格式校验
-    const timestamp = parseInt(timestampStr, 10);
-    if (Number.isNaN(timestamp)) {
-        config_1.logger.warn('CSRF token invalid: timestamp error', { token: `${token.slice(0, 20)}...` });
-        return false;
-    }
-    // 有效期校验
-    const currentTime = Math.floor(Date.now() / 1000);
-    if (currentTime - timestamp > expiresIn) {
-        config_1.logger.warn('CSRF token invalid: expired', { token: `${token.slice(0, 20)}...` });
-        return false;
-    }
-    // 签名校验
-    try {
-        // 补全Base64URL补位符并解码
-        const paddedSignature = padBase64Url(signatureB64Url);
-        const receivedSignature = Buffer.from(paddedSignature, 'base64url');
-        // 重新计算预期签名（使用完整的前缀）
-        const expectedSignature = (0, crypto_1.createHmac)(HASH_ALGORITHM, secret).update(prefix).digest();
-        // 时序安全的对比（防止时序攻击）
-        const isValid = (0, crypto_1.timingSafeEqual)(receivedSignature, expectedSignature);
-        if (!isValid) {
-            config_1.logger.warn('CSRF token invalid: signature error', { token: `${token.slice(0, 20)}...` });
-        }
-        return isValid;
-    }
-    catch (error) {
-        // 任何解码或计算异常都视为无效
-        config_1.logger.warn('CSRF token invalid: decode error', { token: `${token.slice(0, 20)}...` });
-        return false;
-    }
+function verify(secretKey, csrfTokenFromRequest, loginToken) {
+    const expectCsrfToken = sign(secretKey, loginToken);
+    return expectCsrfToken === csrfTokenFromRequest;
 }

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.51-beta-20250904-031834-c611f059",
+  "version": "1.16.51-beta-20250905-051437-fe05adb2",
   "description": "graphql client to read/write data on abt node",
   "main": "lib/index.js",
   "typings": "lib/index.d.ts",
@@ -27,19 +27,19 @@
   "author": "linchen1987 <linchen.1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.16.51-beta-20250904-031834-c611f059",
-    "@abtnode/db-cache": "1.16.51-beta-20250904-031834-c611f059",
-    "@abtnode/util": "1.16.51-beta-20250904-031834-c611f059",
+    "@abtnode/constant": "1.16.51-beta-20250905-051437-fe05adb2",
+    "@abtnode/db-cache": "1.16.51-beta-20250905-051437-fe05adb2",
+    "@abtnode/util": "1.16.51-beta-20250905-051437-fe05adb2",
     "@arcblock/did": "1.24.0",
     "@arcblock/did-connect-js": "1.24.0",
     "@arcblock/jwt": "1.24.0",
     "@arcblock/ws": "1.24.0",
-    "@blocklet/constant": "1.16.51-beta-20250904-031834-c611f059",
-    "@blocklet/env": "1.16.51-beta-20250904-031834-c611f059",
+    "@blocklet/constant": "1.16.51-beta-20250905-051437-fe05adb2",
+    "@blocklet/env": "1.16.51-beta-20250905-051437-fe05adb2",
     "@blocklet/error": "^0.2.5",
-    "@blocklet/meta": "1.16.51-beta-20250904-031834-c611f059",
-    "@blocklet/server-js": "1.16.51-beta-20250904-031834-c611f059",
-    "@blocklet/theme": "^3.1.33",
+    "@blocklet/meta": "1.16.51-beta-20250905-051437-fe05adb2",
+    "@blocklet/server-js": "1.16.51-beta-20250905-051437-fe05adb2",
+    "@blocklet/theme": "^3.1.34",
     "@did-connect/authenticator": "^2.2.8",
     "@did-connect/handler": "^2.2.8",
     "@nedb/core": "^2.1.5",
@@ -85,5 +85,5 @@
     "ts-node": "^10.9.1",
     "typescript": "^5.6.3"
   },
-  "gitHead": "c5cedc16ca7239ec7dcadd8e046b2f8684df335c"
+  "gitHead": "cadff492e3858895a3e0565b0b1778f166fb34f7"
 }