@lobehub/chat 1.105.0 → 1.105.2

package/src/utils/client/xor-obfuscation.test.ts

@@ -0,0 +1,370 @@
+import { describe, expect, it } from 'vitest';
+
+import { SECRET_XOR_KEY } from '@/const/auth';
+
+import { obfuscatePayloadWithXOR } from './xor-obfuscation';
+
+describe('xor-obfuscation', () => {
+  describe('obfuscatePayloadWithXOR', () => {
+    it('应该对简单字符串进行混淆并返回Base64字符串', () => {
+      const payload = 'hello world';
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+
+      // 验证结果长度大于0
+      expect(result.length).toBeGreaterThan(0);
+    });
+
+    it('应该对JSON对象进行混淆', () => {
+      const payload = { name: 'test', value: 123, active: true };
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该对数组进行混淆', () => {
+      const payload = [1, 2, 3, 'test', { nested: true }];
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该对复杂嵌套对象进行混淆', () => {
+      const payload = {
+        user: {
+          id: 123,
+          profile: {
+            name: 'John Doe',
+            settings: {
+              theme: 'dark',
+              notifications: true,
+              preferences: ['email', 'sms'],
+            },
+          },
+        },
+        tokens: ['abc123', 'def456'],
+        metadata: null,
+      };
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('相同的输入应该产生相同的输出', () => {
+      const payload = { test: 'consistent' };
+      const result1 = obfuscatePayloadWithXOR(payload);
+      const result2 = obfuscatePayloadWithXOR(payload);
+
+      expect(result1).toBe(result2);
+    });
+
+    it('不同的输入应该产生不同的输出', () => {
+      const payload1 = { test: 'value1' };
+      const payload2 = { test: 'value2' };
+
+      const result1 = obfuscatePayloadWithXOR(payload1);
+      const result2 = obfuscatePayloadWithXOR(payload2);
+
+      expect(result1).not.toBe(result2);
+    });
+
+    it('应该处理包含特殊字符的字符串', () => {
+      const payload = 'Hello! @#$%^&*()_+-=[]{}|;:,.<>?/~`"\'\\';
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该处理包含Unicode字符的字符串', () => {
+      const payload = '你好世界 🌍 émojis 日本語 한국어';
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该处理空字符串', () => {
+      const payload = '';
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该处理空对象', () => {
+      const payload = {};
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该处理空数组', () => {
+      const result = obfuscatePayloadWithXOR([]);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该处理null值', () => {
+      const payload = null;
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该处理数字', () => {
+      const payload = 42;
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该处理布尔值', () => {
+      const payloadTrue = true;
+      const payloadFalse = false;
+
+      const resultTrue = obfuscatePayloadWithXOR(payloadTrue);
+      const resultFalse = obfuscatePayloadWithXOR(payloadFalse);
+
+      // 验证返回值是字符串
+      expect(typeof resultTrue).toBe('string');
+      expect(typeof resultFalse).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(resultTrue)).not.toThrow();
+      expect(() => atob(resultFalse)).not.toThrow();
+
+      // 验证不同布尔值产生不同结果
+      expect(resultTrue).not.toBe(resultFalse);
+    });
+
+    it('应该处理包含特殊JSON字符的对象', () => {
+      const payload = {
+        quotes: '"double quotes"',
+        singleQuotes: "'single quotes'",
+        backslash: 'back\\slash',
+        newline: 'line1\nline2',
+        tab: 'col1\tcol2',
+        unicode: '\u0041\u0042\u0043',
+      };
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该处理很长的字符串', () => {
+      const payload = 'a'.repeat(10000);
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+
+      // 验证结果长度合理（Base64编码后长度应该大约是原始长度的4/3）
+      expect(result.length).toBeGreaterThan(0);
+    });
+
+    it('应该产生不同长度输入的不同输出长度', () => {
+      const shortPayload = 'short';
+      const longPayload = 'this is a much longer string that should produce different output';
+
+      const shortResult = obfuscatePayloadWithXOR(shortPayload);
+      const longResult = obfuscatePayloadWithXOR(longPayload);
+
+      // 较长的输入应该产生较长的输出
+      expect(longResult.length).toBeGreaterThan(shortResult.length);
+    });
+
+    it('应该验证输出是有效的Base64格式', () => {
+      const payload = { test: 'base64 validation' };
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证Base64格式的正则表达式
+      const base64Regex = /^[A-Za-z0-9+/]*={0,2}$/;
+      expect(base64Regex.test(result)).toBe(true);
+    });
+
+    it('应该处理包含循环引用的对象（通过JSON.stringify处理）', () => {
+      // JSON.stringify 会抛出错误处理循环引用，但我们测试正常情况
+      const payload = {
+        id: 1,
+        name: 'test',
+        nested: {
+          back: 'reference',
+        },
+      };
+
+      const result = obfuscatePayloadWithXOR(payload);
+      expect(typeof result).toBe('string');
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该对undefined值进行处理', () => {
+      const payload = undefined;
+      const result = obfuscatePayloadWithXOR(payload);
+
+      // 验证返回值是字符串
+      expect(typeof result).toBe('string');
+
+      // 验证返回值是有效的Base64字符串
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该对包含函数的对象进行处理（函数会被JSON.stringify忽略）', () => {
+      const payload = {
+        name: 'test',
+        fn: function () {
+          return 'test';
+        },
+        arrow: () => 'arrow',
+        value: 123,
+      };
+
+      const result = obfuscatePayloadWithXOR(payload);
+      expect(typeof result).toBe('string');
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该确保XOR操作的确定性', () => {
+      const payload = 'deterministic test';
+      const results: any[] = [];
+
+      // 多次运行相同输入
+      for (let i = 0; i < 10; i++) {
+        results.push(obfuscatePayloadWithXOR(payload));
+      }
+
+      // 所有结果应该相同
+      expect(results.every((result) => result === results[0])).toBe(true);
+    });
+
+    it('应该处理包含日期对象的数据', () => {
+      const payload = {
+        timestamp: new Date('2024-01-01T00:00:00Z'),
+        created: new Date(),
+        name: 'date test',
+      };
+
+      const result = obfuscatePayloadWithXOR(payload);
+      expect(typeof result).toBe('string');
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该处理包含Symbol的对象（Symbol会被JSON.stringify忽略）', () => {
+      const sym = Symbol('test');
+      const payload = {
+        name: 'symbol test',
+        [sym]: 'symbol value',
+        normalKey: 'normal value',
+      };
+
+      const result = obfuscatePayloadWithXOR(payload);
+      expect(typeof result).toBe('string');
+      expect(() => atob(result)).not.toThrow();
+    });
+
+    it('应该验证混淆后的数据长度合理性', () => {
+      const originalPayload = { test: 'length check' };
+      const originalJSON = JSON.stringify(originalPayload);
+      const result = obfuscatePayloadWithXOR(originalPayload);
+
+      // Base64 编码后的长度通常是原始长度的 4/3 倍（向上取整到4的倍数）
+      const expectedMinLength = Math.ceil((originalJSON.length * 4) / 3 / 4) * 4;
+      expect(result.length).toBeGreaterThanOrEqual(expectedMinLength - 4); // 允许一些误差
+    });
+
+    it('应该验证XOR操作的正确性（通过逆向操作）', () => {
+      const originalPayload = { message: 'XOR test', value: 42 };
+      const obfuscatedResult = obfuscatePayloadWithXOR(originalPayload);
+
+      // 手动实现逆向操作来验证 XOR 操作的正确性
+      const base64Decoded = atob(obfuscatedResult);
+      const xoredBytes = new Uint8Array(base64Decoded.length);
+      for (let i = 0; i < base64Decoded.length; i++) {
+        xoredBytes[i] = base64Decoded.charCodeAt(i);
+      }
+
+      // 使用相同的密钥进行逆向 XOR 操作
+      const keyBytes = new TextEncoder().encode(SECRET_XOR_KEY);
+      const decodedBytes = new Uint8Array(xoredBytes.length);
+      for (let i = 0; i < xoredBytes.length; i++) {
+        decodedBytes[i] = xoredBytes[i] ^ keyBytes[i % keyBytes.length];
+      }
+
+      // 将结果转换回字符串
+      const decodedString = new TextDecoder().decode(decodedBytes);
+      const decodedPayload = JSON.parse(decodedString);
+
+      // 验证解码后的数据与原始数据相同
+      expect(decodedPayload).toEqual(originalPayload);
+    });
+
+    it('应该验证不同输入产生不同的Base64输出', () => {
+      const payloads = [
+        'test1',
+        'test2',
+        { key: 'value1' },
+        { key: 'value2' },
+        [1, 2, 3],
+        [4, 5, 6],
+      ];
+
+      const results = payloads.map((payload) => obfuscatePayloadWithXOR(payload));
+
+      // 验证所有结果都不相同
+      for (let i = 0; i < results.length; i++) {
+        for (let j = i + 1; j < results.length; j++) {
+          expect(results[i]).not.toBe(results[j]);
+        }
+      }
+    });
+  });
+});

package/src/utils/client/xor-obfuscation.ts

@@ -0,0 +1,39 @@
+import { SECRET_XOR_KEY } from '@/const/auth';
+
+/**
+ * 将字符串转换为 Uint8Array (UTF-8 编码)
+ */
+const stringToUint8Array = (str: string): Uint8Array => {
+  return new TextEncoder().encode(str);
+};
+
+/**
+ * 对 Uint8Array 进行 XOR 运算
+ * @param data 要处理的 Uint8Array
+ * @param key 用于 XOR 的密钥 (Uint8Array)
+ * @returns 经过 XOR 运算的 Uint8Array
+ */
+const xorProcess = (data: Uint8Array, key: Uint8Array): Uint8Array => {
+  const result = new Uint8Array(data.length);
+  for (const [i, datum] of data.entries()) {
+    result[i] = datum ^ key[i % key.length]; // 密钥循环使用
+  }
+  return result;
+};
+
+/**
+ * 对 payload 进行 XOR 混淆并 Base64 编码
+ * @param payload 要混淆的 JSON 对象
+ * @returns Base64 编码后的混淆字符串
+ */
+export const obfuscatePayloadWithXOR = <T>(payload: T): string => {
+  const jsonString = JSON.stringify(payload);
+  const dataBytes = stringToUint8Array(jsonString);
+  const keyBytes = stringToUint8Array(SECRET_XOR_KEY);
+
+  const xoredBytes = xorProcess(dataBytes, keyBytes);
+
+  // 将 Uint8Array 转换为 Base64 字符串
+  // 浏览器环境 btoa 只能处理 Latin-1 字符，所以需要先转换为适合 btoa 的字符串
+  return btoa(String.fromCharCode(...xoredBytes));
+};

package/src/utils/server/xor.test.ts

@@ -0,0 +1,123 @@
+import { describe, expect, it } from 'vitest';
+
+import { obfuscatePayloadWithXOR } from '@/utils/client/xor-obfuscation';
+
+import { getXorPayload } from './xor';
+
+describe('getXorPayload', () => {
+  it('should correctly decode XOR obfuscated payload with user data', () => {
+    const originalPayload = {
+      userId: '001362c3-48c5-4635-bd3b-837bfff58fc0',
+      accessCode: 'test-access-code',
+      apiKey: 'test-api-key',
+      baseURL: 'https://api.example.com',
+    };
+
+    // 使用客户端的混淆函数生成token
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+
+    // 使用服务端的解码函数解码
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should correctly decode XOR obfuscated payload with minimal data', () => {
+    const originalPayload = {
+      userId: '12345',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should correctly decode XOR obfuscated payload with AWS credentials', () => {
+    const originalPayload = {
+      userId: 'aws-user-123',
+      awsAccessKeyId: 'AKIAIOSFODNN7EXAMPLE',
+      awsSecretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+      awsRegion: 'us-east-1',
+      awsSessionToken: 'session-token-example',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should correctly decode XOR obfuscated payload with Azure data', () => {
+    const originalPayload = {
+      userId: 'azure-user-456',
+      apiKey: 'azure-api-key',
+      baseURL: 'https://your-resource.openai.azure.com',
+      azureApiVersion: '2024-02-15-preview',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should correctly decode XOR obfuscated payload with Cloudflare data', () => {
+    const originalPayload = {
+      userId: 'cf-user-789',
+      apiKey: 'cloudflare-api-key',
+      cloudflareBaseURLOrAccountID: 'account-id-example',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should handle empty payload correctly', () => {
+    const originalPayload = {};
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should handle payload with undefined values', () => {
+    const originalPayload = {
+      userId: 'test-user',
+      accessCode: undefined,
+      apiKey: 'test-key',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should throw error for invalid base64 token', () => {
+    const invalidToken = 'invalid-base64-token!@#';
+
+    expect(() => getXorPayload(invalidToken)).toThrow(SyntaxError);
+  });
+
+  it('should throw error for token that cannot be parsed as JSON', () => {
+    // 创建一个能正确base64解码但不是有效JSON的token
+    const invalidJsonString = 'this is not json';
+    const invalidJsonBytes = new TextEncoder().encode(invalidJsonString);
+    const keyBytes = new TextEncoder().encode('LobeHub · LobeHub');
+
+    // 进行XOR处理
+    const result = new Uint8Array(invalidJsonBytes.length);
+    for (const [i, datum] of invalidJsonBytes.entries()) {
+      result[i] = datum ^ keyBytes[i % keyBytes.length];
+    }
+
+    // 转换为base64
+    const invalidToken = Buffer.from(result).toString('base64');
+
+    expect(() => getXorPayload(invalidToken)).toThrow(SyntaxError);
+  });
+});

package/src/utils/server/xor.ts

@@ -0,0 +1,42 @@
+import { ClientSecretPayload, SECRET_XOR_KEY } from '@/const/auth';
+
+/**
+ * 将 Base64 字符串转换为 Uint8Array
+ */
+const base64ToUint8Array = (base64: string): Uint8Array => {
+  // Node.js 环境下直接使用 Buffer
+  return Buffer.from(base64, 'base64');
+};
+
+/**
+ * 对 Uint8Array 进行 XOR 运算 (与客户端的 xorProcess 函数相同)
+ */
+const xorProcess = (data: Uint8Array, key: Uint8Array): Uint8Array => {
+  const result = new Uint8Array(data.length);
+  for (const [i, datum] of data.entries()) {
+    result[i] = datum ^ key[i % key.length];
+  }
+  return result;
+};
+
+/**
+ * 将 Uint8Array 转换为字符串 (UTF-8 解码)
+ */
+const uint8ArrayToString = (arr: Uint8Array): string => {
+  return new TextDecoder().decode(arr);
+};
+
+export const getXorPayload = (token: string): ClientSecretPayload => {
+  const keyBytes = new TextEncoder().encode(SECRET_XOR_KEY);
+
+  // 1. Base64 解码
+  const base64DecodedBytes = base64ToUint8Array(token);
+
+  // 2. XOR 解混淆
+  const xorDecryptedBytes = xorProcess(base64DecodedBytes, keyBytes);
+
+  // 3. 转换为字符串并解析 JSON
+  const decodedJsonString = uint8ArrayToString(xorDecryptedBytes);
+
+  return JSON.parse(decodedJsonString) as ClientSecretPayload;
+};

package/src/utils/jwt.test.ts

@@ -1,27 +0,0 @@
-// @vitest-environment node
-import { describe, expect, it } from 'vitest';
-
-import { NON_HTTP_PREFIX } from '@/const/auth';
-
-import { createJWT } from './jwt';
-
-describe('createJWT', () => {
-  it('should create a JWT token', async () => {
-    const payload = { test: 'test' };
-    const token = await createJWT(payload);
-    expect(token).toBeTruthy();
-  });
-  it('should return a token with NON_HTTP_PREFIX when crypto.subtle does not exist', async () => {
-    const originalCryptoSubtle = crypto.subtle;
-    // @ts-ignore
-    crypto['subtle'] = undefined;
-
-    const payload = { test: 'test' };
-    const token = await createJWT(payload);
-
-    expect(token.startsWith(NON_HTTP_PREFIX)).toBeTruthy();
-
-    // @ts-ignore
-    crypto['subtle'] = originalCryptoSubtle;
-  });
-});

package/src/utils/jwt.ts

@@ -1,37 +0,0 @@
-import { SignJWT, importJWK } from 'jose';
-
-import { JWT_SECRET_KEY, NON_HTTP_PREFIX } from '@/const/auth';
-
-export const createJWT = async <T>(payload: T) => {
-  const now = Math.floor(Date.now() / 1000);
-  const duration = 100; // 100s
-
-  const encoder = new TextEncoder();
-
-  // fix the issue that crypto.subtle is not available in non-HTTPS environment
-  // refs: https://github.com/lobehub/lobe-chat/pull/1238
-  if (!crypto.subtle) {
-    const buffer = encoder.encode(JSON.stringify(payload));
-
-    return `${NON_HTTP_PREFIX}.${Buffer.from(buffer).toString('base64')}`;
-  }
-
-  // create a secret key
-  const secretKey = await crypto.subtle.digest('SHA-256', encoder.encode(JWT_SECRET_KEY));
-
-  // get the JWK from the secret key
-  const jwkSecretKey = await importJWK(
-    {
-      k: Buffer.from(secretKey).toString('base64'),
-      kty: 'oct',
-    },
-    'HS256',
-  );
-
-  // 创建JWT
-  return new SignJWT(payload as Record<string, any>)
-    .setProtectedHeader({ alg: 'HS256' })
-    .setIssuedAt(now) // 设置JWT的iat（签发时间）声明
-    .setExpirationTime(now + duration) // 设置 JWT 的 exp（过期时间）为 100 s
-    .sign(jwkSecretKey);
-};