hailin
/
rwadurian
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(co-managed-wallet): 添加分布式共管钱包 API 和 gRPC 代理 

## 功能概述
实现分布式多方共管钱包创建功能的后端 API 和网络基础设施,
支持 Service Party App 通过公网连接参与 TSS 协议。

## 主要变更

### 1. Account Service - 共管钱包 API (新增)
- 新增 co_managed_handler.go - 独立的共管钱包 HTTP handler
- 新增 API 端点:
  - POST /api/v1/co-managed/sessions - 创建共管钱包会话
  - POST /api/v1/co-managed/sessions/:id/join - 加入会话
  - GET /api/v1/co-managed/sessions/:id - 获取会话状态
- 扩展 session_coordinator_client.go:
  - 添加 CreateCoManagedKeygenSession 方法
  - 添加 JoinSession 方法
  - 添加响应类型定义
- 更新 main.go 注册新路由 (SkipPaths 免认证)

### 2. Nginx gRPC 代理 (新增)
- 新增 mpc-grpc.szaiai.com.conf - gRPC over TLS 代理配置
- 新增 install-mpc-grpc.sh - 自动化安装脚本
- 支持 Let's Encrypt SSL 证书
- 代理到后端 Message Router (192.168.1.111:50051)

### 3. Service Party App 更新
- grpc-client.ts: 支持 TLS 连接,自动检测端口 443
- Settings.tsx: 默认地址改为 mpc-grpc.szaiai.com:443
- Home.tsx/Create.tsx: UI 样式优化

## 架构

```
Service Party App (用户电脑)
        │
        │ gRPC over TLS (端口 443)
        ▼
Nginx (mpc-grpc.szaiai.com:443)
        │
        │ grpc_pass
        ▼
Message Router (192.168.1.111:50051)
        │
        ▼
Session Coordinator → Server Parties
```

## 100% 不影响现有功能

- 所有修改均为新增代码,不修改现有逻辑
- 共管钱包 API 完全独立于现有 RWADurian 系统
- Nginx 配置为独立文件,不影响现有 rwaapi.szaiai.com
- 使用现有 proto 定义 (co_managed_keygen, wallet_name, invite_code)

## 部署步骤

1. DNS: 添加 mpc-grpc.szaiai.com A 记录
2. 安装: sudo ./install-mpc-grpc.sh
3. 验证: curl https://mpc-grpc.szaiai.com/health

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
hailin 2025-12-28 18:11:57 -08:00
parent a830a88cc3
commit c457d15829
11 changed files with 1241 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

276
backend/api-gateway/nginx/install-mpc-grpc.sh Normal file
View File

@ -0,0 +1,276 @@
#!/bin/bash
# =============================================================================
# MPC gRPC 代理 - Nginx 配置安装脚本
# =============================================================================
# 用途: 为 Service Party App 提供 gRPC 连接到 Message Router
# 域名: mpc-grpc.szaiai.com
#
# 前提条件:
# 1. Nginx 已安装并运行
# 2. Certbot 已安装
# 3. DNS 已配置 mpc-grpc.szaiai.com 指向此服务器
# 4. Message Router 在后端服务器 (192.168.1.111:50051) 运行
#
# 此脚本完全独立,不影响现有服务
# =============================================================================
set -e
DOMAIN="mpc-grpc.szaiai.com"
EMAIL="admin@szaiai.com"
BACKEND_HOST="192.168.1.111"
BACKEND_PORT="50051"
# 颜色
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
# 检查 root 权限
check_root() {
if [ "$EUID" -ne 0 ]; then
log_error "请使用 root 权限运行: sudo ./install-mpc-grpc.sh"
exit 1
fi
}
# 检查前提条件
check_prerequisites() {
log_info "检查前提条件..."
# 检查 Nginx
if ! command -v nginx &> /dev/null; then
log_error "Nginx 未安装,请先安装 Nginx"
exit 1
fi
# 检查 Certbot
if ! command -v certbot &> /dev/null; then
log_error "Certbot 未安装,请先安装 Certbot"
exit 1
fi
# 检查 Nginx 是否支持 http2 和 grpc
if ! nginx -V 2>&1 | grep -q "http_v2_module"; then
log_warn "Nginx 可能不支持 HTTP/2gRPC 需要 HTTP/2 支持"
fi
log_success "前提条件检查通过"
}
# 步骤 1: 创建临时 HTTP 配置用于证书申请
configure_http() {
log_info "步骤 1/4: 创建临时 HTTP 配置..."
# 确保 certbot webroot 目录存在
mkdir -p /var/www/certbot
# 创建临时 HTTP 配置
cat > /etc/nginx/sites-available/$DOMAIN << EOF
# 临时 HTTP 配置 - 用于 Let's Encrypt 验证
server {
listen 80;
listen [::]:80;
server_name $DOMAIN;
# Let's Encrypt 验证目录
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 200 'MPC gRPC proxy - waiting for SSL certificate';
add_header Content-Type text/plain;
}
}
EOF
# 启用站点
ln -sf /etc/nginx/sites-available/$DOMAIN /etc/nginx/sites-enabled/
# 测试并重载
nginx -t && systemctl reload nginx
log_success "临时 HTTP 配置完成"
}
# 步骤 2: 申请 SSL 证书
obtain_certificate() {
log_info "步骤 2/4: 申请 Let's Encrypt SSL 证书..."
# 检查证书是否已存在
if [ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then
log_warn "证书已存在,跳过申请"
return 0
fi
# 申请证书
certbot certonly \
--webroot \
--webroot-path=/var/www/certbot \
--email $EMAIL \
--agree-tos \
--no-eff-email \
-d $DOMAIN
log_success "SSL 证书申请成功"
}
# 步骤 3: 配置 gRPC 代理
configure_grpc() {
log_info "步骤 3/4: 配置 Nginx gRPC 代理..."
# 获取脚本所在目录
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# 复制 gRPC 配置
cp "$SCRIPT_DIR/mpc-grpc.szaiai.com.conf" /etc/nginx/sites-available/$DOMAIN
# 测试并重载
nginx -t && systemctl reload nginx
log_success "gRPC 代理配置完成"
}
# 步骤 4: 验证配置
verify_setup() {
log_info "步骤 4/4: 验证配置..."
# 检查 Nginx 状态
if systemctl is-active --quiet nginx; then
log_success "Nginx 运行正常"
else
log_error "Nginx 未运行"
exit 1
fi
# 检查证书
if [ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then
log_success "SSL 证书已就绪"
else
log_error "SSL 证书未找到"
exit 1
fi
# 检查配置语法
if nginx -t 2>/dev/null; then
log_success "Nginx 配置语法正确"
else
log_error "Nginx 配置语法错误"
exit 1
fi
log_success "验证完成"
}
# 显示完成信息
show_completion() {
echo ""
echo -e "${GREEN}========================================${NC}"
echo -e "${GREEN} MPC gRPC 代理安装完成!${NC}"
echo -e "${GREEN}========================================${NC}"
echo ""
echo -e "gRPC 端点: ${BLUE}mpc-grpc.szaiai.com:443${NC}"
echo ""
echo "架构:"
echo " Service Party App → Nginx (SSL/gRPC) → Message Router"
echo " ↓"
echo " $DOMAIN:443"
echo " ↓"
echo " $BACKEND_HOST:$BACKEND_PORT"
echo ""
echo "Service Party App 连接配置:"
echo " gRPC 地址: mpc-grpc.szaiai.com:443"
echo " TLS: 启用"
echo ""
echo "常用命令:"
echo " 查看 Nginx 状态: systemctl status nginx"
echo " 重载 Nginx: systemctl reload nginx"
echo " 查看证书: certbot certificates"
echo " 查看日志: tail -f /var/log/nginx/$DOMAIN.access.log"
echo ""
echo -e "${YELLOW}注意: 确保后端 Message Router ($BACKEND_HOST:$BACKEND_PORT) 正在运行${NC}"
echo ""
}
# 显示使用帮助
show_help() {
echo "用法: $0 [选项]"
echo ""
echo "选项:"
echo " --help, -h 显示帮助信息"
echo " --verify 仅验证现有配置"
echo " --uninstall 卸载配置"
echo ""
}
# 卸载配置
uninstall() {
log_info "卸载 MPC gRPC 代理配置..."
# 移除站点配置
rm -f /etc/nginx/sites-enabled/$DOMAIN
rm -f /etc/nginx/sites-available/$DOMAIN
# 重载 Nginx
nginx -t && systemctl reload nginx
log_success "配置已卸载"
log_info "注意: SSL 证书未删除,如需删除请运行: certbot delete --cert-name $DOMAIN"
}
# 主函数
main() {
case "${1:-}" in
--help|-h)
show_help
exit 0
;;
--verify)
check_prerequisites
verify_setup
exit 0
;;
--uninstall)
check_root
uninstall
exit 0
;;
esac
echo ""
echo "============================================"
echo " MPC gRPC 代理 - Nginx 安装脚本"
echo " 域名: $DOMAIN"
echo " 后端: $BACKEND_HOST:$BACKEND_PORT"
echo "============================================"
echo ""
check_root
check_prerequisites
echo ""
log_warn "请确保以下条件已满足:"
echo " 1. 域名 $DOMAIN 的 DNS A 记录已指向本服务器 IP"
echo " 2. Message Router 已在 $BACKEND_HOST:$BACKEND_PORT 运行"
echo ""
read -p "是否继续安装? (y/n): " confirm
if [ "$confirm" != "y" ] && [ "$confirm" != "Y" ]; then
log_info "安装已取消"
exit 0
fi
configure_http
obtain_certificate
configure_grpc
verify_setup
show_completion
}
main "$@"

95
backend/api-gateway/nginx/mpc-grpc.szaiai.com.conf Normal file
View File

@ -0,0 +1,95 @@
# =============================================================================
# MPC Message Router gRPC 代理配置
# =============================================================================
# 域名: mpc-grpc.szaiai.com
# 用途: 为 Service Party App 提供 gRPC 连接到 Message Router
# 后端: Message Router gRPC 服务 (端口 50051)
#
# 部署步骤:
# 1. 放置到: /etc/nginx/sites-available/mpc-grpc.szaiai.com
# 2. 启用: ln -s /etc/nginx/sites-available/mpc-grpc.szaiai.com /etc/nginx/sites-enabled/
# 3. 申请证书: certbot certonly --nginx -d mpc-grpc.szaiai.com
# 4. 重载: nginx -t && systemctl reload nginx
#
# 注意: 此配置完全独立,不影响现有服务
# =============================================================================
# HTTP 重定向到 HTTPS (gRPC 必须使用 HTTPS)
server {
listen 80;
listen [::]:80;
server_name mpc-grpc.szaiai.com;
# Let's Encrypt 验证目录
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# 重定向到 HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS + gRPC 配置
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mpc-grpc.szaiai.com;
# SSL 证书 (Let's Encrypt)
# 首次部署前需要先申请证书:
# certbot certonly --nginx -d mpc-grpc.szaiai.com
ssl_certificate /etc/letsencrypt/live/mpc-grpc.szaiai.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mpc-grpc.szaiai.com/privkey.pem;
# SSL 配置优化
ssl_session_timeout 1d;
ssl_session_cache shared:MPC_SSL:10m;
ssl_session_tickets off;
# 现代加密套件
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
# 日志
access_log /var/log/nginx/mpc-grpc.szaiai.com.access.log;
error_log /var/log/nginx/mpc-grpc.szaiai.com.error.log;
# gRPC 代理到 Message Router
# 后端服务器: 192.168.1.111 (与其他服务相同)
# Message Router gRPC 端口: 50051
location / {
# gRPC 代理
grpc_pass grpc://192.168.1.111:50051;
# gRPC 超时设置
# 会话等待时间较长 (24小时倒计时),需要较长超时
grpc_read_timeout 300s;
grpc_send_timeout 300s;
grpc_connect_timeout 60s;
# 错误处理
error_page 502 = /error502grpc;
}
# gRPC 错误处理
location = /error502grpc {
internal;
default_type application/grpc;
add_header grpc-status 14;
add_header grpc-message "Message Router unavailable";
return 204;
}
# HTTP 健康检查端点 (用于监控)
location = /health {
access_log off;
return 200 '{"status":"ok","service":"mpc-grpc-proxy"}';
add_header Content-Type application/json;
}
}

302
backend/mpc-system/services/account/adapters/input/http/co_managed_handler.go Normal file
View File

@ -0,0 +1,302 @@
package http
import (
"context"
"crypto/rand"
"encoding/hex"
"fmt"
"net/http"
"time"
"github.com/gin-gonic/gin"
"github.com/google/uuid"
grpcclient "github.com/rwadurian/mpc-system/services/account/adapters/output/grpc"
"github.com/rwadurian/mpc-system/pkg/logger"
"go.uber.org/zap"
)
// CoManagedHTTPHandler handles HTTP requests for co-managed wallets
// This is a completely independent handler that does not affect existing functionality
type CoManagedHTTPHandler struct {
sessionCoordinatorClient *grpcclient.SessionCoordinatorClient
}
// NewCoManagedHTTPHandler creates a new CoManagedHTTPHandler
func NewCoManagedHTTPHandler(
sessionCoordinatorClient *grpcclient.SessionCoordinatorClient,
) *CoManagedHTTPHandler {
return &CoManagedHTTPHandler{
sessionCoordinatorClient: sessionCoordinatorClient,
}
}
// RegisterRoutes registers HTTP routes for co-managed wallets
func (h *CoManagedHTTPHandler) RegisterRoutes(router *gin.RouterGroup) {
coManaged := router.Group("/co-managed")
{
coManaged.POST("/sessions", h.CreateSession)
coManaged.POST("/sessions/:sessionId/join", h.JoinSession)
coManaged.GET("/sessions/:sessionId", h.GetSessionStatus)
}
}
// generateInviteCode generates a random invite code in format XXXX-XXXX-XXXX
func generateInviteCode() string {
bytes := make([]byte, 6)
rand.Read(bytes)
code := fmt.Sprintf("%X", bytes)
return fmt.Sprintf("%s-%s-%s", code[0:4], code[4:8], code[8:12])
}
// ============================================
// Create Co-Managed Wallet Session
// ============================================
// CreateCoManagedSessionRequest represents the request for creating a co-managed wallet session
type CreateCoManagedSessionRequest struct {
WalletName string `json:"wallet_name" binding:"required"` // Wallet name
ThresholdT int `json:"threshold_t" binding:"required,min=1"` // Signing threshold (actual signers needed = t+1)
ThresholdN int `json:"threshold_n" binding:"required,min=2"` // Total parties
InitiatorPartyID string `json:"initiator_party_id" binding:"required"` // Initiator's party ID
InitiatorName string `json:"initiator_name"` // Initiator's display name
PersistentCount int `json:"persistent_count"` // Number of server parties (default 2)
}
// CreateSession handles creating a new co-managed wallet session
func (h *CoManagedHTTPHandler) CreateSession(c *gin.Context) {
var req CreateCoManagedSessionRequest
if err := c.ShouldBindJSON(&req); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// Validate threshold
if req.ThresholdT >= req.ThresholdN {
c.JSON(http.StatusBadRequest, gin.H{"error": "threshold_t must be less than threshold_n"})
return
}
// Default persistent count is 2 (platform backup parties)
persistentCount := req.PersistentCount
if persistentCount <= 0 {
persistentCount = 2
}
// Calculate external party count
externalCount := req.ThresholdN - persistentCount
if externalCount < 1 {
c.JSON(http.StatusBadRequest, gin.H{
"error": "threshold_n must be greater than persistent_count to allow external participants",
})
return
}
// Generate invite code
inviteCode := generateInviteCode()
// Call session coordinator via gRPC
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
logger.Info("Creating co-managed keygen session",
zap.String("wallet_name", req.WalletName),
zap.Int("threshold_n", req.ThresholdN),
zap.Int("threshold_t", req.ThresholdT),
zap.Int("persistent_count", persistentCount),
zap.Int("external_count", externalCount),
zap.String("initiator_party_id", req.InitiatorPartyID))
resp, err := h.sessionCoordinatorClient.CreateCoManagedKeygenSession(
ctx,
req.WalletName,
inviteCode,
int32(req.ThresholdN),
int32(req.ThresholdT),
int32(persistentCount),
int32(externalCount),
3600, // 1 hour expiry for session creation phase
)
if err != nil {
logger.Error("Failed to create co-managed keygen session", zap.Error(err))
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
// Get wildcard join token for external participants
wildcardToken := ""
if token, ok := resp.JoinTokens["*"]; ok {
wildcardToken = token
}
logger.Info("Co-managed keygen session created successfully",
zap.String("session_id", resp.SessionID),
zap.String("invite_code", inviteCode),
zap.Int("num_server_parties", len(resp.SelectedServerParties)))
c.JSON(http.StatusCreated, gin.H{
"session_id": resp.SessionID,
"wallet_name": req.WalletName,
"invite_code": inviteCode,
"join_token": wildcardToken, // Token for external participants
"threshold_n": req.ThresholdN,
"threshold_t": req.ThresholdT,
"selected_server_parties": resp.SelectedServerParties,
"status": "waiting_for_participants",
"current_participants": len(resp.SelectedServerParties), // Server parties auto-joined
"required_participants": req.ThresholdN,
"expires_at": resp.ExpiresAt,
})
}
// ============================================
// Join Co-Managed Wallet Session
// ============================================
// JoinSessionRequest represents the request for joining a session
type JoinSessionRequest struct {
PartyID string `json:"party_id" binding:"required"` // Participant's party ID
JoinToken string `json:"join_token" binding:"required"` // Join token (from invite)
ParticipantName string `json:"participant_name"` // Display name
DeviceType string `json:"device_type"` // Device type (pc, android, ios)
DeviceID string `json:"device_id"` // Device ID
}
// JoinSession handles joining an existing co-managed session
func (h *CoManagedHTTPHandler) JoinSession(c *gin.Context) {
sessionID := c.Param("sessionId")
if sessionID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "session_id is required"})
return
}
// Validate session ID format
if _, err := uuid.Parse(sessionID); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid session_id format"})
return
}
var req JoinSessionRequest
if err := c.ShouldBindJSON(&req); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// Default device type
deviceType := req.DeviceType
if deviceType == "" {
deviceType = "pc"
}
deviceID := req.DeviceID
if deviceID == "" {
deviceID = req.PartyID // Use party ID as device ID if not provided
}
// Call session coordinator via gRPC
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
logger.Info("Joining co-managed session",
zap.String("session_id", sessionID),
zap.String("party_id", req.PartyID),
zap.String("participant_name", req.ParticipantName))
resp, err := h.sessionCoordinatorClient.JoinSession(
ctx,
sessionID,
req.PartyID,
req.JoinToken,
deviceType,
deviceID,
)
if err != nil {
logger.Error("Failed to join session", zap.Error(err))
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
if !resp.Success {
c.JSON(http.StatusBadRequest, gin.H{"error": "failed to join session"})
return
}
// Build other parties list
otherParties := make([]gin.H, 0, len(resp.OtherParties))
for _, p := range resp.OtherParties {
otherParties = append(otherParties, gin.H{
"party_id": p.PartyID,
"party_index": p.PartyIndex,
})
}
result := gin.H{
"success": true,
"party_index": resp.PartyIndex,
"other_parties": otherParties,
}
if resp.SessionInfo != nil {
result["session_info"] = gin.H{
"session_id": resp.SessionInfo.SessionID,
"session_type": resp.SessionInfo.SessionType,
"threshold_n": resp.SessionInfo.ThresholdN,
"threshold_t": resp.SessionInfo.ThresholdT,
"status": resp.SessionInfo.Status,
"wallet_name": resp.SessionInfo.WalletName,
}
}
logger.Info("Joined co-managed session successfully",
zap.String("session_id", sessionID),
zap.String("party_id", req.PartyID),
zap.Int32("party_index", resp.PartyIndex))
c.JSON(http.StatusOK, result)
}
// ============================================
// Get Session Status
// ============================================
// GetSessionStatus handles getting the status of a co-managed session
func (h *CoManagedHTTPHandler) GetSessionStatus(c *gin.Context) {
sessionID := c.Param("sessionId")
if sessionID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "session_id is required"})
return
}
// Validate session ID format
if _, err := uuid.Parse(sessionID); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid session_id format"})
return
}
// Call session coordinator via gRPC
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
resp, err := h.sessionCoordinatorClient.GetSessionStatus(ctx, sessionID)
if err != nil {
logger.Error("Failed to get session status", zap.Error(err))
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
result := gin.H{
"session_id": sessionID,
"status": resp.Status,
"session_type": resp.SessionType,
"completed_parties": resp.CompletedParties,
"total_parties": resp.TotalParties,
}
// Add public key if keygen completed
if resp.SessionType == "co_managed_keygen" && len(resp.PublicKey) > 0 {
result["public_key"] = hex.EncodeToString(resp.PublicKey)
}
c.JSON(http.StatusOK, result)
}

164
backend/mpc-system/services/account/adapters/output/grpc/session_coordinator_client.go
View File

@ -298,3 +298,167 @@ type DelegateShareInfo struct {
PartyIndex int32
PartyID string
}
// CreateCoManagedSessionResponse contains the created co-managed session info
type CreateCoManagedSessionResponse struct {
SessionID string
InviteCode string
WalletName string
SelectedServerParties []string // Auto-selected server parties
JoinTokens map[string]string // Includes wildcard token for external parties
ExpiresAt int64
ThresholdN int32
ThresholdT int32
}
// CreateCoManagedKeygenSession creates a new co-managed keygen session
// This session waits for external participants to join via invite code
func (c *SessionCoordinatorClient) CreateCoManagedKeygenSession(
ctx context.Context,
walletName string,
inviteCode string,
thresholdN int32,
thresholdT int32,
persistentCount int32, // Number of server parties to auto-select
externalCount int32, // Number of external parties (Service Party Apps)
expiresInSeconds int64,
) (*CreateCoManagedSessionResponse, error) {
req := &coordinatorpb.CreateSessionRequest{
SessionType: "co_managed_keygen",
ThresholdN: thresholdN,
ThresholdT: thresholdT,
Participants: nil, // External participants will join later
ExpiresInSeconds: expiresInSeconds,
PartyComposition: &coordinatorpb.PartyComposition{
PersistentCount: persistentCount,
DelegateCount: 0,
TemporaryCount: externalCount, // External parties treated as temporary
},
WalletName: walletName,
InviteCode: inviteCode,
}
logger.Info("Sending CreateCoManagedKeygenSession gRPC request",
zap.String("session_type", "co_managed_keygen"),
zap.String("wallet_name", walletName),
zap.Int32("threshold_n", thresholdN),
zap.Int32("threshold_t", thresholdT),
zap.Int32("persistent_count", persistentCount),
zap.Int32("external_count", externalCount))
resp, err := c.client.CreateSession(ctx, req)
if err != nil {
logger.Error("CreateCoManagedKeygenSession gRPC call failed", zap.Error(err))
return nil, fmt.Errorf("failed to create co-managed keygen session: %w", err)
}
// Extract selected server parties
var serverParties []string
for partyID := range resp.JoinTokens {
if partyID != "*" { // Exclude wildcard token
serverParties = append(serverParties, partyID)
}
}
logger.Info("CreateCoManagedKeygenSession gRPC call succeeded",
zap.String("session_id", resp.SessionId),
zap.Int("num_server_parties", len(serverParties)))
return &CreateCoManagedSessionResponse{
SessionID: resp.SessionId,
InviteCode: inviteCode,
WalletName: walletName,
SelectedServerParties: serverParties,
JoinTokens: resp.JoinTokens,
ExpiresAt: resp.ExpiresAt,
ThresholdN: thresholdN,
ThresholdT: thresholdT,
}, nil
}
// JoinSessionResponse contains join session result
type JoinSessionResponse struct {
Success bool
PartyIndex int32
SessionInfo *SessionInfoResponse
OtherParties []PartyInfoResponse
}
// SessionInfoResponse contains session info from join response
type SessionInfoResponse struct {
SessionID string
SessionType string
ThresholdN int32
ThresholdT int32
Status string
WalletName string
InviteCode string
KeygenSessionID string
}
// PartyInfoResponse contains party info
type PartyInfoResponse struct {
PartyID string
PartyIndex int32
}
// JoinSession joins an existing session
func (c *SessionCoordinatorClient) JoinSession(
ctx context.Context,
sessionID string,
partyID string,
joinToken string,
deviceType string,
deviceID string,
) (*JoinSessionResponse, error) {
req := &coordinatorpb.JoinSessionRequest{
SessionId: sessionID,
PartyId: partyID,
JoinToken: joinToken,
DeviceInfo: &coordinatorpb.DeviceInfo{
DeviceType: deviceType,
DeviceId: deviceID,
},
}
logger.Info("Sending JoinSession gRPC request",
zap.String("session_id", sessionID),
zap.String("party_id", partyID))
resp, err := c.client.JoinSession(ctx, req)
if err != nil {
logger.Error("JoinSession gRPC call failed", zap.Error(err))
return nil, fmt.Errorf("failed to join session: %w", err)
}
result := &JoinSessionResponse{
Success: resp.Success,
PartyIndex: resp.PartyIndex,
}
if resp.SessionInfo != nil {
result.SessionInfo = &SessionInfoResponse{
SessionID: resp.SessionInfo.SessionId,
SessionType: resp.SessionInfo.SessionType,
ThresholdN: resp.SessionInfo.ThresholdN,
ThresholdT: resp.SessionInfo.ThresholdT,
Status: resp.SessionInfo.Status,
WalletName: resp.SessionInfo.WalletName,
InviteCode: resp.SessionInfo.InviteCode,
KeygenSessionID: resp.SessionInfo.KeygenSessionId,
}
}
for _, p := range resp.OtherParties {
result.OtherParties = append(result.OtherParties, PartyInfoResponse{
PartyID: p.PartyId,
PartyIndex: p.PartyIndex,
})
}
logger.Info("JoinSession gRPC call succeeded",
zap.Bool("success", resp.Success),
zap.Int32("party_index", resp.PartyIndex))
return result, nil
}

9
backend/mpc-system/services/account/cmd/server/main.go
View File

@ -300,14 +300,18 @@ func startHTTPServer(
})
})
// Create co-managed wallet handler (independent from existing functionality)
coManagedHandler := httphandler.NewCoManagedHTTPHandler(sessionCoordinatorClient)
// Configure authentication middleware
// Skip paths that don't require authentication
authConfig := middleware.AuthConfig{
JWTService: jwtService,
SkipPaths: []string{
"/health",
"/api/v1/auth/*", // Auth endpoints (login, refresh, challenge)
"/api/v1/auth/*", // Auth endpoints (login, refresh, challenge)
"/api/v1/accounts/from-keygen", // Internal API from coordinator
"/api/v1/co-managed/*", // Co-managed wallet API (public for Service Party App)
},
AllowAnonymous: false,
}
@ -317,6 +321,9 @@ func startHTTPServer(
api.Use(middleware.BearerAuth(authConfig))
httpHandler.RegisterRoutes(api)
// Register co-managed wallet routes (public API)
coManagedHandler.RegisterRoutes(api)
logger.Info("Starting HTTP server",
zap.Int("port", cfg.Server.HTTPPort),
zap.String("environment", cfg.Server.Environment),

29
backend/mpc-system/services/service-party-app/electron/modules/grpc-client.ts
View File

@ -80,6 +80,10 @@ interface SessionEvent {
/**
* gRPC - Message Router
*
* :
* - 开发环境: localhost:50051 ()
* - 生产环境: mpc-grpc.szaiai.com:443 (TLS )
*/
export class GrpcClient extends EventEmitter {
private client: grpc.Client | null = null;
@ -95,8 +99,10 @@ export class GrpcClient extends EventEmitter {
/**
* Message Router
* @param address 格式: host:port ( mpc-grpc.szaiai.com:443 localhost:50051)
* @param useTLS 使 TLS (默认: 自动检测 443 使 TLS)
*/
async connect(host: string, port: number): Promise<void> {
async connect(address: string, useTLS?: boolean): Promise<void> {
return new Promise((resolve, reject) => {
const proto = grpc.loadPackageDefinition(packageDefinition) as ProtoPackage;
const MessageRouter = proto.mpc?.router?.v1?.MessageRouter;
@ -106,9 +112,26 @@ export class GrpcClient extends EventEmitter {
return;
}
// 解析地址,如果没有端口则默认使用 443
let targetAddress = address;
if (!address.includes(':')) {
targetAddress = `${address}:443`;
}
// 自动检测是否使用 TLS: 端口 443 或显式指定
const port = parseInt(targetAddress.split(':')[1], 10);
const shouldUseTLS = useTLS !== undefined ? useTLS : (port === 443);
// 创建凭证
const credentials = shouldUseTLS
? grpc.credentials.createSsl() // TLS 加密 (生产环境)
: grpc.credentials.createInsecure(); // 不加密 (开发环境)
console.log(`Connecting to Message Router: ${targetAddress} (TLS: ${shouldUseTLS})`);
this.client = new MessageRouter(
`${host}:${port}`,
grpc.credentials.createInsecure()
targetAddress,
credentials
) as grpc.Client;
// 等待连接就绪

38
backend/mpc-system/services/service-party-app/src/pages/Create.module.css
View File

@ -35,6 +35,44 @@
gap: var(--spacing-lg);
}
/* Info Box */
.infoBox {
display: flex;
gap: var(--spacing-md);
padding: var(--spacing-md);
background-color: rgba(0, 90, 156, 0.08);
border: 1px solid rgba(0, 90, 156, 0.2);
border-radius: var(--radius-md);
}
.infoIcon {
font-size: 20px;
flex-shrink: 0;
}
.infoContent {
font-size: 13px;
color: var(--text-primary);
line-height: 1.5;
}
.infoContent strong {
color: var(--primary-color);
}
.infoList {
margin: var(--spacing-sm) 0 0;
padding-left: var(--spacing-md);
}
.infoList li {
margin-bottom: 4px;
}
.infoList li:last-child {
margin-bottom: 0;
}
.inputGroup {
display: flex;
flex-direction: column;

18
backend/mpc-system/services/service-party-app/src/pages/Create.tsx
View File

@ -91,10 +91,24 @@ export default function Create() {
<div className={styles.container}>
<div className={styles.card}>
<h1 className={styles.title}></h1>
<p className={styles.subtitle}></p>
<p className={styles.subtitle}>3-of-5 - </p>
{step === 'config' && (
<div className={styles.form}>
{/* 混合托管说明 */}
<div className={styles.infoBox}>
<div className={styles.infoIcon}></div>
<div className={styles.infoContent}>
<strong></strong>
<ul className={styles.infoList}>
<li><strong>5 </strong>: 2 + 3 </li>
<li><strong></strong>: 3 </li>
<li><strong></strong>: 2 使</li>
<li><strong></strong>: </li>
</ul>
</div>
</div>
<div className={styles.inputGroup}>
<label className={styles.label}></label>
<input
@ -157,7 +171,7 @@ export default function Create() {
</div>
</div>
<p className={styles.hint}>
{thresholdT}
{thresholdT} ( 2 )
</p>
</div>

160
backend/mpc-system/services/service-party-app/src/pages/Home.module.css
View File

@ -213,3 +213,163 @@
border-color: var(--primary-color);
background-color: rgba(0, 90, 156, 0.05);
}
.dangerButton {
color: #dc3545;
margin-left: var(--spacing-sm);
}
.dangerButton:hover {
border-color: #dc3545;
background-color: rgba(220, 53, 69, 0.05);
}
/* Address Section */
.addressSection {
display: flex;
align-items: center;
gap: var(--spacing-md);
padding: var(--spacing-md);
margin-bottom: var(--spacing-md);
background-color: var(--background-color);
border-radius: var(--radius-md);
cursor: pointer;
transition: background-color 0.2s;
}
.addressSection:hover {
background-color: rgba(0, 90, 156, 0.05);
}
.qrPreview {
flex-shrink: 0;
padding: var(--spacing-xs);
background: white;
border-radius: var(--radius-sm);
}
.addressInfo {
display: flex;
flex-direction: column;
gap: 4px;
overflow: hidden;
}
.addressLabel {
font-size: 11px;
color: var(--text-secondary);
text-transform: uppercase;
letter-spacing: 0.5px;
}
.addressValue {
font-size: 13px;
color: var(--text-primary);
font-family: monospace;
}
.addressHint {
font-size: 11px;
color: var(--primary-color);
}
/* Modal */
.modalOverlay {
position: fixed;
top: 0;
left: 0;
right: 0;
bottom: 0;
background-color: rgba(0, 0, 0, 0.5);
display: flex;
align-items: center;
justify-content: center;
z-index: 1000;
}
.modal {
background-color: var(--surface-color);
border-radius: var(--radius-lg);
box-shadow: var(--shadow-lg);
max-width: 400px;
width: 90%;
overflow: hidden;
}
.modalHeader {
display: flex;
align-items: center;
justify-content: space-between;
padding: var(--spacing-md) var(--spacing-lg);
border-bottom: 1px solid var(--border-color);
}
.modalTitle {
font-size: 18px;
font-weight: 600;
color: var(--text-primary);
}
.modalClose {
background: none;
border: none;
font-size: 24px;
color: var(--text-secondary);
cursor: pointer;
padding: 0;
line-height: 1;
}
.modalClose:hover {
color: var(--text-primary);
}
.modalBody {
padding: var(--spacing-lg);
display: flex;
flex-direction: column;
align-items: center;
}
.qrContainer {
padding: var(--spacing-md);
background: white;
border-radius: var(--radius-md);
margin-bottom: var(--spacing-lg);
}
.fullAddress {
text-align: center;
margin-bottom: var(--spacing-lg);
}
.addressLabelLarge {
display: block;
font-size: 12px;
color: var(--text-secondary);
margin-bottom: var(--spacing-sm);
}
.addressValueLarge {
display: block;
font-size: 14px;
color: var(--text-primary);
font-family: monospace;
word-break: break-all;
background-color: var(--background-color);
padding: var(--spacing-sm) var(--spacing-md);
border-radius: var(--radius-sm);
}
.modalActions {
display: flex;
gap: var(--spacing-md);
width: 100%;
}
.modalActions .primaryButton,
.modalActions .secondaryButton {
flex: 1;
text-align: center;
text-decoration: none;
}

173
backend/mpc-system/services/service-party-app/src/pages/Home.tsx
View File

@ -1,6 +1,8 @@
import { useState, useEffect } from 'react';
import { useState, useEffect, useCallback } from 'react';
import { useNavigate } from 'react-router-dom';
import { QRCodeSVG } from 'qrcode.react';
import styles from './Home.module.css';
import { deriveEvmAddress, formatAddress, getKavaExplorerUrl } from '../utils/address';
interface ShareItem {
id: string;
@ -14,10 +16,30 @@ interface ShareItem {
};
}
interface ShareWithAddress extends ShareItem {
evmAddress?: string;
}
export default function Home() {
const navigate = useNavigate();
const [shares, setShares] = useState<ShareItem[]>([]);
const [shares, setShares] = useState<ShareWithAddress[]>([]);
const [loading, setLoading] = useState(true);
const [selectedShare, setSelectedShare] = useState<ShareWithAddress | null>(null);
const [showQrModal, setShowQrModal] = useState(false);
const deriveAddresses = useCallback(async (shareList: ShareItem[]): Promise<ShareWithAddress[]> => {
const sharesWithAddresses: ShareWithAddress[] = [];
for (const share of shareList) {
try {
const evmAddress = await deriveEvmAddress(share.publicKey);
sharesWithAddresses.push({ ...share, evmAddress });
} catch (error) {
console.warn(`Failed to derive address for share ${share.id}:`, error);
sharesWithAddresses.push({ ...share });
}
}
return sharesWithAddresses;
}, []);
useEffect(() => {
loadShares();
@ -25,19 +47,25 @@ export default function Home() {
const loadShares = async () => {
try {
let shareList: ShareItem[] = [];
// 检测是否在 Electron 环境中
if (window.electronAPI) {
const result = await window.electronAPI.storage.listShares();
if (result.success) {
setShares(result.data as ShareItem[]);
if (result.success && result.data) {
shareList = result.data as ShareItem[];
}
} else {
// 浏览器环境,使用 localStorage 或 API
const stored = localStorage.getItem('shares');
if (stored) {
setShares(JSON.parse(stored));
shareList = JSON.parse(stored);
}
}
// 为每个 share 派生 EVM 地址
const sharesWithAddresses = await deriveAddresses(shareList);
setShares(sharesWithAddresses);
} catch (error) {
console.error('Failed to load shares:', error);
} finally {
@ -51,9 +79,17 @@ export default function Home() {
try {
if (window.electronAPI) {
// 先让用户选择保存位置
const savePath = await window.electronAPI.dialog.saveFile(
`share-backup-${id.slice(0, 8)}.dat`,
[{ name: 'Share Backup', extensions: ['dat'] }]
);
if (!savePath) return;
const result = await window.electronAPI.storage.exportShare(id, password);
if (result.success && result.data) {
// 触发下载
// 通过 IPC 写入文件
const blob = new Blob([result.data], { type: 'application/octet-stream' });
const url = URL.createObjectURL(blob);
const a = document.createElement('a');
@ -61,6 +97,9 @@ export default function Home() {
a.download = `share-backup-${id.slice(0, 8)}.dat`;
a.click();
URL.revokeObjectURL(url);
alert('备份文件导出成功!');
} else {
alert('导出失败: ' + (result.error || '未知错误'));
}
}
} catch (error) {
@ -68,6 +107,34 @@ export default function Home() {
}
};
const handleDelete = async (id: string) => {
const confirmed = window.confirm('确定要删除这个钱包吗?删除后无法恢复,请确保已备份。');
if (!confirmed) return;
try {
if (window.electronAPI) {
const result = await window.electronAPI.storage.deleteShare(id);
if (result.success) {
setShares(shares.filter((s) => s.id !== id));
} else {
alert('删除失败: ' + (result.error || '未知错误'));
}
}
} catch (error) {
alert('删除失败: ' + (error as Error).message);
}
};
const handleShowQr = (share: ShareWithAddress) => {
setSelectedShare(share);
setShowQrModal(true);
};
const handleCopyAddress = (address: string) => {
navigator.clipboard.writeText(address);
alert('地址已复制到剪贴板');
};
const formatDate = (dateStr: string) => {
return new Date(dateStr).toLocaleDateString('zh-CN', {
year: 'numeric',
@ -78,13 +145,6 @@ export default function Home() {
});
};
const truncateKey = (key: string) => {
if (key.length > 16) {
return `${key.slice(0, 8)}...${key.slice(-8)}`;
}
return key;
};
if (loading) {
return (
<div className={styles.loading}>
@ -98,7 +158,7 @@ export default function Home() {
<div className={styles.container}>
<header className={styles.header}>
<h1 className={styles.title}></h1>
<p className={styles.subtitle}></p>
<p className={styles.subtitle}> (3-of-5 )</p>
</header>
{shares.length === 0 ? (
@ -134,12 +194,30 @@ export default function Home() {
</span>
</div>
<div className={styles.cardBody}>
<div className={styles.infoRow}>
<span className={styles.infoLabel}></span>
<code className={styles.infoValue}>
{truncateKey(share.publicKey)}
</code>
</div>
{/* 地址区域 - 可点击显示二维码 */}
{share.evmAddress && (
<div
className={styles.addressSection}
onClick={() => handleShowQr(share)}
>
<div className={styles.qrPreview}>
<QRCodeSVG
value={share.evmAddress}
size={80}
level="M"
includeMargin={false}
/>
</div>
<div className={styles.addressInfo}>
<span className={styles.addressLabel}>Kava EVM </span>
<code className={styles.addressValue}>
{formatAddress(share.evmAddress)}
</code>
<span className={styles.addressHint}></span>
</div>
</div>
)}
<div className={styles.infoRow}>
<span className={styles.infoLabel}></span>
<span className={styles.infoValue}>
@ -168,11 +246,66 @@ export default function Home() {
>
</button>
<button
className={`${styles.actionButton} ${styles.dangerButton}`}
onClick={() => handleDelete(share.id)}
>
</button>
</div>
</div>
))}
</div>
)}
{/* 二维码弹窗 */}
{showQrModal && selectedShare && (
<div className={styles.modalOverlay} onClick={() => setShowQrModal(false)}>
<div className={styles.modal} onClick={(e) => e.stopPropagation()}>
<div className={styles.modalHeader}>
<h2 className={styles.modalTitle}>{selectedShare.walletName}</h2>
<button
className={styles.modalClose}
onClick={() => setShowQrModal(false)}
>
×
</button>
</div>
<div className={styles.modalBody}>
<div className={styles.qrContainer}>
<QRCodeSVG
value={selectedShare.evmAddress || ''}
size={240}
level="H"
includeMargin={true}
/>
</div>
<div className={styles.fullAddress}>
<span className={styles.addressLabelLarge}>Kava EVM </span>
<code className={styles.addressValueLarge}>
{selectedShare.evmAddress}
</code>
</div>
<div className={styles.modalActions}>
<button
className={styles.primaryButton}
onClick={() => handleCopyAddress(selectedShare.evmAddress || '')}
>
</button>
<a
href={getKavaExplorerUrl(selectedShare.evmAddress || '', true)}
target="_blank"
rel="noopener noreferrer"
className={styles.secondaryButton}
>
</a>
</div>
</div>
</div>
</div>
)}
</div>
);
}

6
backend/mpc-system/services/service-party-app/src/pages/Settings.tsx
View File

@ -12,7 +12,7 @@ export default function Settings() {
const navigate = useNavigate();
const [settings, setSettings] = useState<Settings>({
messageRouterUrl: 'localhost:50051',
messageRouterUrl: 'mpc-grpc.szaiai.com:443', // 生产环境默认地址
autoBackup: false,
backupPath: '',
});
@ -106,7 +106,7 @@ export default function Settings() {
type="text"
value={settings.messageRouterUrl}
onChange={(e) => setSettings(prev => ({ ...prev, messageRouterUrl: e.target.value }))}
placeholder="localhost:50051"
placeholder="mpc-grpc.szaiai.com:443"
className={styles.input}
/>
<button
@ -117,7 +117,7 @@ export default function Settings() {
</button>
</div>
<p className={styles.hint}>
Message Router gRPC
Message Router gRPC (生产环境: mpc-grpc.szaiai.com:443)
</p>
</div>
</div>