@blocklet/sdk 1.17.2-beta-20251114-122922-4319f1ac → 1.17.3-beta-20251117-102849-8103f298

package/lib/middlewares/csrf.js

@@ -6,9 +6,12 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.csrf = csrf;
 const isEmpty_1 = __importDefault(require("lodash/isEmpty"));
 const joi_1 = __importDefault(require("joi"));
+const debug_1 = __importDefault(require("debug"));
+const jwt_decode_1 = __importDefault(require("jwt-decode"));
 const csrf_1 = require("../util/csrf");
 const wallet_1 = require("../util/wallet");
 const config_1 = __importDefault(require("../config"));
+const debug = (0, debug_1.default)('@blocklet/sdk:middleware:csrf');
 function printCookieParserNotInstalledWarning() {
     config_1.default.logger.warn('cookie-parser middleware is required for the csrf middleware to work properly.');
 }
@@ -29,6 +32,12 @@ function defaultGenerateToken(req, res) {
         const newCsrfToken = (0, csrf_1.sign)((0, csrf_1.getCsrfSecret)(), req.cookies.login_token);
         const oldCsrfToken = req.cookies['x-csrf-token'];
         if (newCsrfToken !== oldCsrfToken) {
+            debug('defaultGenerateToken.createCsrfToken', {
+                newCsrfToken,
+                oldCsrfToken,
+                loginTokenPart: req.cookies.login_token.slice(-32),
+                loginTokenDecoded: (0, jwt_decode_1.default)(req.cookies.login_token),
+            });
             res.cookie('x-csrf-token', newCsrfToken, {
                 sameSite: 'strict',
                 secure: true,
@@ -52,12 +61,16 @@ function defaultVerifyToken(req) {
         config_1.default.logger.warn('Invalid request: csrf token mismatch', {
             csrfTokenFromReq: req.cookies['x-csrf-token'],
             csrfTokenFromHeader: req.headers['x-csrf-token'],
+            loginTokenPart: req.cookies.login_token.slice(-32),
+            loginTokenDecoded: (0, jwt_decode_1.default)(req.cookies.login_token),
         });
     }
     else {
         config_1.default.logger.warn('Invalid request: csrf token not found', {
             csrfTokenFromReq: req.cookies['x-csrf-token'],
             csrfTokenFromHeader: req.headers['x-csrf-token'],
+            loginTokenPart: req.cookies.login_token.slice(-32),
+            loginTokenDecoded: (0, jwt_decode_1.default)(req.cookies.login_token),
         });
     }
     throw new Error('Invalid request: csrf token mismatch, please refresh the page try again');

package/lib/util/service-api.js

@@ -38,7 +38,6 @@ axios.interceptors.request.use(async (config) => {
         // Compatible with previous version where APP_ASK does not exist
         appSk: process.env.BLOCKLET_APP_ASK || process.env.BLOCKLET_APP_SK,
     });
-    // 同时对 post 和 get 参数做签名，确保同时支持 post get 请求的校验
     // 签名使用的是当前 blocklet 的 appSk，固命名为 x-blocklet-sig，以后可做统一使用
     config.headers['x-blocklet-sig'] = sig;
     config.headers['x-blocklet-sig-iat'] = iat;

package/lib/util/verify-sign.d.ts

@@ -13,7 +13,14 @@ declare const sign: (data: object, { type, appSk }?: SignOptions) => Promise<str
 type SignType = 'component' | 'blocklet';
 declare const getVerifyData: (req: Request, type?: SignType) => {
     sig: string;
-    data: object;
+    data: {
+        iat: number;
+        exp: number;
+        body: any;
+        query: any;
+        method: string;
+        url: string;
+    };
     sigVersion: string;
     sigPk: string;
 };

package/lib/util/verify-sign.js

@@ -11,7 +11,6 @@ const merge_1 = __importDefault(require("lodash/merge"));
 const json_stable_stringify_1 = __importDefault(require("json-stable-stringify"));
 const ufo_1 = require("ufo");
 const constant_1 = require("@blocklet/constant");
-const semver_1 = __importDefault(require("semver"));
 const qs_1 = __importDefault(require("qs"));
 const wallet_1 = require("../wallet");
 const { getPkWallet } = wallet_1.getWallet;
@@ -50,38 +49,26 @@ const getLatestFn = ({ iat, exp, body, query, method, url, }) => {
     if (exp < now) {
         throw new Error('expired sig');
     }
-    const tmp = (0, ufo_1.parseURL)(url);
+    const parsedUrl = (0, ufo_1.parseURL)(url);
     const data = {
         iat,
         exp,
         body: body ?? {},
-        query: (0, merge_1.default)(qs_1.default.parse(tmp.search.slice(1)), query ?? {}),
+        query: (0, merge_1.default)(qs_1.default.parse(parsedUrl.search.slice(1)), query ?? {}),
         method: method.toLowerCase(),
-        url: tmp.pathname,
+        url: parsedUrl.pathname,
     };
     return data;
 };
-const getLegacyFn = ({ body, query, type = 'component' }) => {
-    // NOTICE: legacy 保持和原来一样，不做 parse 和 stringify 的处理了
-    const data = body ?? {};
-    const params = query ?? {};
-    if (type === 'blocklet') {
-        return { data, params };
-    }
-    return data;
-};
 const getVerifyData = (req, type = 'component') => {
     const sig = req.get(`x-${type}-sig`);
     const sigPk = req.get(`x-${type}-sig-pk`);
-    const sigVersion = req.get(`x-${type}-sig-version`) || constant_1.SIG_VERSION.V0;
+    const sigVersion = req.get(`x-${type}-sig-version`);
     const iat = Number(req.get(`x-${type}-sig-iat`));
     const exp = Number(req.get(`x-${type}-sig-exp`));
     // NOTICE: 从 req 拿到的数据是经过 axios 和 JSON.parse 处理过的，所以 body 和 query 不需要再处理了
     const { body, method, originalUrl: url, query } = req;
-    // FIXME: @zhanghan 2024-11-30 需要移除这个旧的兼容（提升总体的安全性）
-    const data = semver_1.default.gt(semver_1.default.coerce(sigVersion), semver_1.default.coerce(constant_1.SIG_VERSION.V0))
-        ? getLatestFn({ iat, exp, body, query, method, url })
-        : getLegacyFn({ body, query, type });
+    const data = getLatestFn({ iat, exp, body, query, method, url });
     return { sig, data, sigVersion, sigPk };
 };
 exports.getVerifyData = getVerifyData;
@@ -92,13 +79,13 @@ const getSignData = async ({ data, params, method, url, }, signOptions) => {
         iat,
         exp,
     };
-    const tmp = (0, ufo_1.parseURL)(url);
+    const parsedUrl = (0, ufo_1.parseURL)(url);
     // 此处的数据为了保持和 verify 一致，需要做一次 JSON.parse 和 qs.parse
     raw.body = JSON.parse(JSON.stringify(data ?? {}));
     // NOTICE: 为了保持和 verify 一致，需要做一次 qs.stringify 和 qs.parse
-    raw.query = qs_1.default.parse(qs_1.default.stringify((0, merge_1.default)(qs_1.default.parse(tmp.search.slice(1)), params ?? {})));
+    raw.query = qs_1.default.parse(qs_1.default.stringify((0, merge_1.default)(qs_1.default.parse(parsedUrl.search.slice(1)), params ?? {})));
     raw.method = method.toLowerCase();
-    raw.url = tmp.pathname;
+    raw.url = parsedUrl.pathname;
     const sig = await sign(raw, signOptions);
     const version = constant_1.SIG_VERSION.DEFAULT;
     return {

package/lib/version.d.ts

@@ -1,4 +1,4 @@
-declare const version = "1.17.2";
+declare const version = "1.17.3";
 export { version };
 declare const _default: {
     version: string;

package/lib/version.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.version = void 0;
-const version = '1.17.2';
+const version = '1.17.3';
 exports.version = version;
 exports.default = { version };

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.17.2-beta-20251114-122922-4319f1ac",
+  "version": "1.17.3-beta-20251117-102849-8103f298",
   "description": "graphql client to read/write data on abt node",
   "homepage": "https://www.arcblock.io/docs/blocklet-sdk-nodejs",
   "main": "lib/index.js",
@@ -26,33 +26,33 @@
   "author": "linchen1987 <linchen.1987@foxmail.com> (http://github.com/linchen1987)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.17.2-beta-20251114-122922-4319f1ac",
-    "@abtnode/db-cache": "1.17.2-beta-20251114-122922-4319f1ac",
-    "@abtnode/util": "1.17.2-beta-20251114-122922-4319f1ac",
-    "@arcblock/did": "^1.27.6",
-    "@arcblock/did-connect-js": "^1.27.6",
-    "@arcblock/did-ext": "^1.27.6",
-    "@arcblock/jwt": "^1.27.6",
-    "@arcblock/ws": "^1.27.6",
-    "@blocklet/constant": "1.17.2-beta-20251114-122922-4319f1ac",
-    "@blocklet/env": "1.17.2-beta-20251114-122922-4319f1ac",
-    "@blocklet/error": "^0.3.2",
-    "@blocklet/meta": "1.17.2-beta-20251114-122922-4319f1ac",
-    "@blocklet/server-js": "1.17.2-beta-20251114-122922-4319f1ac",
-    "@blocklet/theme": "^3.2.5",
+    "@abtnode/constant": "1.17.3-beta-20251117-102849-8103f298",
+    "@abtnode/db-cache": "1.17.3-beta-20251117-102849-8103f298",
+    "@abtnode/util": "1.17.3-beta-20251117-102849-8103f298",
+    "@arcblock/did": "^1.27.7",
+    "@arcblock/did-connect-js": "^1.27.7",
+    "@arcblock/did-ext": "^1.27.7",
+    "@arcblock/jwt": "^1.27.7",
+    "@arcblock/ws": "^1.27.7",
+    "@blocklet/constant": "1.17.3-beta-20251117-102849-8103f298",
+    "@blocklet/env": "1.17.3-beta-20251117-102849-8103f298",
+    "@blocklet/error": "^0.3.3",
+    "@blocklet/meta": "1.17.3-beta-20251117-102849-8103f298",
+    "@blocklet/server-js": "1.17.3-beta-20251117-102849-8103f298",
+    "@blocklet/theme": "^3.2.6",
     "@did-connect/authenticator": "^2.2.8",
     "@did-connect/handler": "^2.2.8",
     "@nedb/core": "^2.1.5",
-    "@ocap/mcrypto": "^1.27.6",
-    "@ocap/util": "^1.27.6",
-    "@ocap/wallet": "^1.27.6",
+    "@ocap/mcrypto": "^1.27.7",
+    "@ocap/util": "^1.27.7",
+    "@ocap/wallet": "^1.27.7",
     "axios": "^1.7.9",
-    "cheerio": "1.0.0-rc.12",
     "debug": "^4.4.1",
     "fs-extra": "^11.2.0",
     "joi": "17.12.2",
     "json-stable-stringify": "^1.0.1",
     "jsonwebtoken": "^9.0.0",
+    "jwt-decode": "^3.1.2",
     "lodash": "^4.17.21",
     "lru-cache": "^11.0.2",
     "p-retry": "^4.6.2",
@@ -82,5 +82,5 @@
     "ts-node": "^10.9.1",
     "typescript": "^5.6.3"
   },
-  "gitHead": "eb484ccabce50c438b8eec1be3738da18cd28f75"
+  "gitHead": "f561ece39d3cd479fc6274cb2895ae5423722b38"
 }