payment-kit 1.29.1 → 1.29.3

package/api/src/libs/did-space.ts

@@ -1,235 +0,0 @@
-// eslint-disable-next-line import/no-extraneous-dependencies
-import { SpaceClient, GetObjectCommand, PutObjectCommand } from '@blocklet/did-space-js';
-import { blocklet, wallet } from './auth';
-import logger from './logger';
-import env from './env';
-import { streamToString } from './util';
-
-// Get user's DID Space endpoint
-export const getEndpointAndSpaceDid = async (userDid: string): Promise<{ endpoint: string; spaceDid: string }> => {
-  const { user } = await blocklet.getUser(userDid);
-  if (!user) {
-    throw new Error('User not found');
-  }
-  if (!user.didSpace.endpoint) {
-    throw new Error(`DID Space endpoint is not set for user ${userDid}`);
-  }
-  return {
-    endpoint: user.didSpace.endpoint,
-    spaceDid: user.didSpace.did,
-  };
-};
-
-// Initialize DID Space client
-export const getSpaceClient = async (userDid: string, endpoint?: string) => {
-  let spaceEndpoint = endpoint;
-  if (!spaceEndpoint) {
-    const result = await getEndpointAndSpaceDid(userDid);
-    spaceEndpoint = result.endpoint;
-  }
-  return new SpaceClient({
-    endpoint: spaceEndpoint,
-    wallet,
-  });
-};
-
-// Universal billing information format
-export interface BillingInfo {
-  tx_hash: string; // Transaction hash
-  timestamp: number; // Transaction timestamp
-
-  // Basic billing information
-  invoice_id: string; // Invoice ID
-  category: string; // Bill category
-  description?: string; // Bill description: subscription payment, recharge, refund, etc.
-
-  // Payment information
-  amount: string; // Payment amount
-  currency: {
-    // Payment medium information
-    symbol: string; // Currency symbol
-    decimal: number; // Decimal places
-    type: string; // Payment type (arcblock/ethereum)
-    chain_id: string; // Chain ID
-    explorer_host: string; // Explorer host
-    explorer_tx_url: string; // Explorer transaction URL
-  };
-
-  // Related business information
-  related?: {
-    type: string; // Relation type (subscription/invoice)
-    id: string; // Related entity ID
-    name: string; // Related entity name
-    status?: string; // Related entity status
-    link?: string; // Link to the related entity
-    period_start?: number; // Period start time
-    period_end?: number; // Period end time
-  };
-
-  customer_did: string; // Customer DID
-  tags?: string[]; // User defined tags
-  app_pid: string; // App PID
-  link?: string; // Link to the related entity
-}
-
-// Merge billing information, preserving user customizations
-const mergeBillingInfo = (existing: BillingInfo, updated: Partial<BillingInfo>): BillingInfo => {
-  return {
-    ...(existing || {}),
-    ...updated,
-    // Preserve user customizations if they exist
-    description: existing?.description || updated?.description,
-    category: existing?.category || updated?.category || 'other',
-    tags: Array.from(new Set([...(existing.tags || []), ...(updated.tags || [])])),
-  };
-};
-
-// Upload or update billing information to DID Space
-export const uploadBillingInfo = async (
-  userDid: string,
-  billingInfo: BillingInfo,
-  endpoint?: string
-): Promise<boolean> => {
-  try {
-    // Validate required fields
-    if (!billingInfo.tx_hash || !billingInfo.invoice_id || !billingInfo.amount) {
-      logger.error('Missing required fields in billingInfo');
-      return false;
-    }
-
-    const client = await getSpaceClient(userDid, endpoint);
-
-    const key = `txs/${billingInfo.tx_hash}/metadata.json`;
-
-    let finalBillingInfo = {
-      ...billingInfo,
-      app_pid: billingInfo?.app_pid || env.appPid,
-    };
-
-    // Check existing bill
-    const existingBill = await client.send(new GetObjectCommand({ key }));
-    if (existingBill.statusCode === 200 && existingBill.data) {
-      // Merge with existing data if force update
-      const existing = JSON.parse(await streamToString(existingBill.data)) as BillingInfo;
-      finalBillingInfo = mergeBillingInfo(existing, billingInfo);
-      logger.info('Updating existing billing:', { userDid, txHash: billingInfo.tx_hash });
-    }
-
-    const payload = new PutObjectCommand({
-      key,
-      data: JSON.stringify(finalBillingInfo),
-    });
-
-    const result = await client.send(payload);
-
-    if (result.statusCode !== 200) {
-      logger.error('Upload billing info failed:', result);
-      return false;
-    }
-
-    logger.info(existingBill.statusCode === 200 ? 'Bill updated:' : 'Bill created:', {
-      userDid,
-      txHash: billingInfo.tx_hash,
-    });
-    return true;
-  } catch (error) {
-    logger.error('Upload billing info error:', error);
-    return false;
-  }
-};
-
-// Get specific billing information by transaction hash
-export const getBillingInfo = async (
-  userDid: string,
-  txHash: string,
-  endpoint?: string
-): Promise<BillingInfo | null> => {
-  try {
-    if (!txHash) {
-      logger.error('Transaction hash is required');
-      return null;
-    }
-
-    const client = await getSpaceClient(userDid, endpoint);
-    const payload = new GetObjectCommand({
-      key: `txs/${txHash}/metadata.json`,
-    });
-
-    const result = await client.send(payload);
-
-    if (result.statusCode !== 200 || !result.data) {
-      logger.debug('Bill not found:', { userDid, txHash });
-      return null;
-    }
-
-    const billingInfo = JSON.parse(await streamToString(result.data)) as BillingInfo;
-
-    // Validate parsed data
-    if (!billingInfo.tx_hash || !billingInfo.invoice_id) {
-      logger.error('Invalid billing data structure:', { userDid, txHash });
-      return null;
-    }
-
-    return billingInfo;
-  } catch (error) {
-    logger.error('Get billing info error:', { userDid, txHash, error });
-    return null;
-  }
-};
-
-// Update specific fields of billing information
-export const updateBillingInfo = async (
-  userDid: string,
-  txHash: string,
-  updates: Partial<BillingInfo>,
-  endpoint?: string
-): Promise<boolean> => {
-  try {
-    const existing = await getBillingInfo(userDid, txHash, endpoint);
-    if (!existing) {
-      logger.error('Billing not found for update:', { userDid, txHash });
-      return false;
-    }
-
-    const updated = mergeBillingInfo(existing, updates);
-    if (!updated.tx_hash || !updated.invoice_id || !updated.amount) {
-      logger.error('Invalid billing data structure:', { userDid, txHash });
-      return false;
-    }
-    const result = await uploadBillingInfo(userDid, updated, endpoint);
-    return result;
-  } catch (error) {
-    logger.error('Update billing info error:', { userDid, txHash, error });
-    return false;
-  }
-};
-
-// Batch upload/update billing information
-export const uploadBillingInfoBatch = async (
-  userDid: string,
-  billingInfoList: BillingInfo[],
-  endpoint?: string
-): Promise<boolean[]> => {
-  try {
-    if (!Array.isArray(billingInfoList) || billingInfoList.length === 0) {
-      logger.error('Invalid billingInfoList:', { userDid });
-      return [];
-    }
-
-    // Validate all bills before upload
-    const validBills = billingInfoList.filter((bill) => bill.tx_hash && bill.invoice_id && bill.amount);
-
-    if (validBills.length !== billingInfoList.length) {
-      logger.warn('Some bills are invalid and will be skipped');
-    }
-
-    const results = await Promise.all(
-      validBills.map((billingInfo) => uploadBillingInfo(userDid, billingInfo, endpoint))
-    );
-
-    return results;
-  } catch (error) {
-    logger.error('Batch upload error:', { userDid, error });
-    return [];
-  }
-};

package/api/src/libs/middleware.ts

@@ -1,50 +0,0 @@
-/* eslint-disable import/prefer-default-export */
-import type { NextFunction, Request, Response } from 'express';
-import { verify } from '@blocklet/sdk/lib/util/verify-sign';
-import { translate } from '../locales';
-import { context } from './context';
-
-export function ensureI18n() {
-  return (req: Request, _: Response, next: NextFunction) => {
-    req.locale = String(req.query.locale || 'en');
-    req.t = translate;
-    next();
-  };
-}
-
-export async function contextMiddleware(req: Request, _res: Response, next: NextFunction) {
-  const requestId =
-    (req.headers['x-request-id'] as string) || `req_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
-  let requestedBy = 'system';
-
-  // Check component signature
-  const sig = req.get('x-component-sig');
-  const componentDid = req.get('x-component-did');
-  if (sig && componentDid) {
-    const data = typeof req.body === 'undefined' ? {} : req.body;
-    const verified = await verify(data, sig);
-    if (verified) {
-      requestedBy = componentDid;
-    }
-  }
-
-  // Check user DID from headers
-  if (req.headers['x-user-did']) {
-    requestedBy = req.headers['x-user-did'] as string;
-  }
-
-  // Check authenticated user
-  if (req.user?.did) {
-    requestedBy = req.user.did;
-  }
-
-  return context.run(
-    {
-      requestId,
-      requestedBy,
-    },
-    async () => {
-      await next();
-    }
-  );
-}

package/api/src/libs/security.ts

@@ -1,192 +0,0 @@
-import { auth } from '@blocklet/sdk/lib/middlewares';
-import { getVerifyData, verify } from '@blocklet/sdk/lib/util/verify-sign';
-import { verifyLoginToken } from '@blocklet/sdk/lib/util/verify-session';
-import { getWallet } from '@blocklet/sdk/lib/wallet';
-import type { NextFunction, Request, Response } from 'express';
-import type { Model } from 'sequelize';
-
-import { Customer } from '../store/models/customer';
-
-export const ensureAdmin = auth({ roles: ['owner', 'admin'] });
-
-const wallet = getWallet();
-
-type PermissionSpec<T extends Model> = {
-  component?: boolean; // allow component calls
-  roles?: string[]; // allow current session user with one of the specified roles
-  record?: {
-    // allow record owner
-    model: T;
-    field: string;
-    findById?: (id: string) => Promise<T | null>;
-  };
-  mine?: boolean;
-  embed?: boolean;
-  ensureLogin?: boolean;
-};
-
-/**
- * This middleware is used to authenticate request by session or component call.
- * If a request is authenticated, it will set `req.user` to the session user.
- * If a request is authenticated by component call, it will set `req.user` to the component user.
- * If a request is authenticated by record owner, it will set `req.user` to the session user and set `req.doc` to the record.
- */
-export function authenticate<T extends Model>({
-  component,
-  roles,
-  record,
-  mine,
-  embed,
-  ensureLogin,
-}: PermissionSpec<T>) {
-  return async (req: Request, res: Response, next: NextFunction) => {
-    // Dev-only bypass: requires both NODE_ENV=development AND the explicit
-    // opt-in env ENABLE_DEV_FAKE_AUTH=1, plus the x-dev-fake-did header on
-    // the request. Lets mobile demo clients that don't go through DID Connect
-    // (e.g. the local-tunnel backend which bypasses Blocklet Server) still
-    // exercise real handlers. Production never sets ENABLE_DEV_FAKE_AUTH, so
-    // this branch can't trigger there; dev defaults off, so we don't
-    // accidentally regress to fake auth after wiring the real flow.
-    if (process.env.NODE_ENV === 'development' && process.env.ENABLE_DEV_FAKE_AUTH === '1') {
-      const devDid = req.get('x-dev-fake-did');
-      if (devDid) {
-        req.user = {
-          did: devDid,
-          role: 'owner', // satisfies routes that require owner/admin
-          provider: 'dev',
-          fullName: 'dev-fake-user',
-          walletOS: '',
-          via: 'dev',
-        };
-        return next();
-      }
-    }
-
-    // Authenticate by Authorization: Bearer <login-token>. The token is a JWT
-    // signed with this blocklet's session secret (see @blocklet/sdk session
-    // middleware). When clients hit us through a tunnel that bypasses Blocklet
-    // Server (so x-user-did is NOT injected), we need to verify the token
-    // ourselves. verifyLoginToken does local JWT signature verification, no
-    // HTTP callback. On success we forward into the existing x-user-did branch
-    // by populating req.headers so the role/mine/record cascade below applies
-    // unchanged.
-    const authHeader = req.get('authorization');
-    if (authHeader && /^Bearer\s+/i.test(authHeader) && !req.headers['x-user-did']) {
-      const token = authHeader.replace(/^Bearer\s+/i, '').trim();
-      if (token) {
-        const session = await verifyLoginToken({ token, strictMode: false }).catch(() => null);
-        if (session?.did) {
-          // Some BS versions put a bare base58 address in the JWT, others
-          // the canonical `did:abt:…` form. Normalize so downstream code
-          // (entitlement self-check, mine: lookups by req.user.did) sees the
-          // same shape clients send in `customer_did` query params.
-          const canonicalDid = session.did.startsWith('did:abt:') ? session.did : `did:abt:${session.did}`;
-          req.headers['x-user-did'] = canonicalDid;
-          req.headers['x-user-role'] = `blocklet-${session.role || 'user'}`;
-          req.headers['x-user-provider'] = session.provider || 'wallet';
-          req.headers['x-user-fullname'] = encodeURIComponent(session.fullName || '');
-          req.headers['x-user-wallet-os'] = session.walletOS || '';
-        }
-      }
-    }
-
-    // authenticate by component call
-    const sig = req.get('x-component-sig');
-    if (component && sig) {
-      const { data } = getVerifyData(req as any, 'component');
-      const verified = await verify(data, sig);
-      if (!verified) {
-        return res.status(401).json({ error: 'Invalid signature for component call' });
-      }
-
-      req.user = {
-        did: <string>req.get('x-component-did'),
-        role: 'owner',
-        provider: 'wallet',
-        fullName: <string>req.get('x-component-did'),
-        walletOS: '',
-        via: 'api',
-      };
-
-      return next();
-    }
-
-    // authenticate by authToken for embed
-    const token = req.query.authToken || '';
-    const id = req.params.id || req.query.subscription_id || '';
-    if (embed && token && id) {
-      try {
-        const verified = await wallet.verify(id as string, token as string);
-        if (!verified) {
-          return res.status(401).json({ error: `Invalid signature for embed: ${id}` });
-        }
-
-        req.user = {
-          did: wallet.address,
-          role: 'owner',
-          provider: 'wallet',
-          fullName: 'embed',
-          walletOS: '',
-          via: 'embed',
-        };
-
-        return next();
-      } catch (err) {
-        return res.status(401).json({ error: `Invalid signature for embed: ${id}: ${err.message}` });
-      }
-    }
-
-    if (req.headers['x-user-did']) {
-      const role = (<string>req.headers['x-user-role'] || '').replace('blocklet-', '') || 'guest';
-      req.user = {
-        did: <string>req.headers['x-user-did'],
-        role,
-        provider: <string>req.headers['x-user-provider'],
-        fullName: decodeURIComponent(<string>req.headers['x-user-fullname']),
-        walletOS: <string>req.headers['x-user-wallet-os'],
-        via: 'dashboard',
-      };
-
-      // authenticate by session user
-      if (roles) {
-        if (roles.includes(req.user?.role)) {
-          return next();
-        }
-      }
-
-      if (ensureLogin) {
-        req.user.via = 'api';
-        return next();
-      }
-
-      if (mine) {
-        const customer = await Customer.findOne({ where: { did: req.user.did } });
-        if (customer) {
-          req.customer = customer;
-          req.query.customer_id = customer.id;
-          return next();
-        }
-      }
-
-      // authenticate by record owner
-      if (record) {
-        const { model, field = 'customer_id', findById } = record;
-        const doc: T | null =
-          findById && typeof findById === 'function'
-            ? await findById(req.params.id as string)
-            : await (model as any).findByPk(req.params.id);
-        if (doc && doc[field as keyof T]) {
-          const customer = await Customer.findOne({ where: { did: req.user.did } });
-          req.doc = doc;
-          req.customer = customer;
-          if (customer && customer.id === doc[field as keyof T]) {
-            req.user.via = 'portal';
-            return next();
-          }
-        }
-      }
-    }
-
-    return res.status(403).json({ error: 'Not authorized to perform this action' });
-  };
-}