@lobehub/chat 1.105.1 → 1.105.2

package/src/utils/server/xor.test.ts

@@ -0,0 +1,123 @@
+import { describe, expect, it } from 'vitest';
+
+import { obfuscatePayloadWithXOR } from '@/utils/client/xor-obfuscation';
+
+import { getXorPayload } from './xor';
+
+describe('getXorPayload', () => {
+  it('should correctly decode XOR obfuscated payload with user data', () => {
+    const originalPayload = {
+      userId: '001362c3-48c5-4635-bd3b-837bfff58fc0',
+      accessCode: 'test-access-code',
+      apiKey: 'test-api-key',
+      baseURL: 'https://api.example.com',
+    };
+
+    // 使用客户端的混淆函数生成token
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+
+    // 使用服务端的解码函数解码
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should correctly decode XOR obfuscated payload with minimal data', () => {
+    const originalPayload = {
+      userId: '12345',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should correctly decode XOR obfuscated payload with AWS credentials', () => {
+    const originalPayload = {
+      userId: 'aws-user-123',
+      awsAccessKeyId: 'AKIAIOSFODNN7EXAMPLE',
+      awsSecretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+      awsRegion: 'us-east-1',
+      awsSessionToken: 'session-token-example',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should correctly decode XOR obfuscated payload with Azure data', () => {
+    const originalPayload = {
+      userId: 'azure-user-456',
+      apiKey: 'azure-api-key',
+      baseURL: 'https://your-resource.openai.azure.com',
+      azureApiVersion: '2024-02-15-preview',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should correctly decode XOR obfuscated payload with Cloudflare data', () => {
+    const originalPayload = {
+      userId: 'cf-user-789',
+      apiKey: 'cloudflare-api-key',
+      cloudflareBaseURLOrAccountID: 'account-id-example',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should handle empty payload correctly', () => {
+    const originalPayload = {};
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should handle payload with undefined values', () => {
+    const originalPayload = {
+      userId: 'test-user',
+      accessCode: undefined,
+      apiKey: 'test-key',
+    };
+
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const decodedPayload = getXorPayload(obfuscatedToken);
+
+    expect(decodedPayload).toEqual(originalPayload);
+  });
+
+  it('should throw error for invalid base64 token', () => {
+    const invalidToken = 'invalid-base64-token!@#';
+
+    expect(() => getXorPayload(invalidToken)).toThrow(SyntaxError);
+  });
+
+  it('should throw error for token that cannot be parsed as JSON', () => {
+    // 创建一个能正确base64解码但不是有效JSON的token
+    const invalidJsonString = 'this is not json';
+    const invalidJsonBytes = new TextEncoder().encode(invalidJsonString);
+    const keyBytes = new TextEncoder().encode('LobeHub · LobeHub');
+
+    // 进行XOR处理
+    const result = new Uint8Array(invalidJsonBytes.length);
+    for (const [i, datum] of invalidJsonBytes.entries()) {
+      result[i] = datum ^ keyBytes[i % keyBytes.length];
+    }
+
+    // 转换为base64
+    const invalidToken = Buffer.from(result).toString('base64');
+
+    expect(() => getXorPayload(invalidToken)).toThrow(SyntaxError);
+  });
+});

package/src/utils/server/xor.ts

@@ -0,0 +1,42 @@
+import { ClientSecretPayload, SECRET_XOR_KEY } from '@/const/auth';
+
+/**
+ * 将 Base64 字符串转换为 Uint8Array
+ */
+const base64ToUint8Array = (base64: string): Uint8Array => {
+  // Node.js 环境下直接使用 Buffer
+  return Buffer.from(base64, 'base64');
+};
+
+/**
+ * 对 Uint8Array 进行 XOR 运算 (与客户端的 xorProcess 函数相同)
+ */
+const xorProcess = (data: Uint8Array, key: Uint8Array): Uint8Array => {
+  const result = new Uint8Array(data.length);
+  for (const [i, datum] of data.entries()) {
+    result[i] = datum ^ key[i % key.length];
+  }
+  return result;
+};
+
+/**
+ * 将 Uint8Array 转换为字符串 (UTF-8 解码)
+ */
+const uint8ArrayToString = (arr: Uint8Array): string => {
+  return new TextDecoder().decode(arr);
+};
+
+export const getXorPayload = (token: string): ClientSecretPayload => {
+  const keyBytes = new TextEncoder().encode(SECRET_XOR_KEY);
+
+  // 1. Base64 解码
+  const base64DecodedBytes = base64ToUint8Array(token);
+
+  // 2. XOR 解混淆
+  const xorDecryptedBytes = xorProcess(base64DecodedBytes, keyBytes);
+
+  // 3. 转换为字符串并解析 JSON
+  const decodedJsonString = uint8ArrayToString(xorDecryptedBytes);
+
+  return JSON.parse(decodedJsonString) as ClientSecretPayload;
+};

package/src/utils/jwt.test.ts

@@ -1,27 +0,0 @@
-// @vitest-environment node
-import { describe, expect, it } from 'vitest';
-
-import { NON_HTTP_PREFIX } from '@/const/auth';
-
-import { createJWT } from './jwt';
-
-describe('createJWT', () => {
-  it('should create a JWT token', async () => {
-    const payload = { test: 'test' };
-    const token = await createJWT(payload);
-    expect(token).toBeTruthy();
-  });
-  it('should return a token with NON_HTTP_PREFIX when crypto.subtle does not exist', async () => {
-    const originalCryptoSubtle = crypto.subtle;
-    // @ts-ignore
-    crypto['subtle'] = undefined;
-
-    const payload = { test: 'test' };
-    const token = await createJWT(payload);
-
-    expect(token.startsWith(NON_HTTP_PREFIX)).toBeTruthy();
-
-    // @ts-ignore
-    crypto['subtle'] = originalCryptoSubtle;
-  });
-});

package/src/utils/jwt.ts

@@ -1,37 +0,0 @@
-import { SignJWT, importJWK } from 'jose';
-
-import { JWT_SECRET_KEY, NON_HTTP_PREFIX } from '@/const/auth';
-
-export const createJWT = async <T>(payload: T) => {
-  const now = Math.floor(Date.now() / 1000);
-  const duration = 100; // 100s
-
-  const encoder = new TextEncoder();
-
-  // fix the issue that crypto.subtle is not available in non-HTTPS environment
-  // refs: https://github.com/lobehub/lobe-chat/pull/1238
-  if (!crypto.subtle) {
-    const buffer = encoder.encode(JSON.stringify(payload));
-
-    return `${NON_HTTP_PREFIX}.${Buffer.from(buffer).toString('base64')}`;
-  }
-
-  // create a secret key
-  const secretKey = await crypto.subtle.digest('SHA-256', encoder.encode(JWT_SECRET_KEY));
-
-  // get the JWK from the secret key
-  const jwkSecretKey = await importJWK(
-    {
-      k: Buffer.from(secretKey).toString('base64'),
-      kty: 'oct',
-    },
-    'HS256',
-  );
-
-  // 创建JWT
-  return new SignJWT(payload as Record<string, any>)
-    .setProtectedHeader({ alg: 'HS256' })
-    .setIssuedAt(now) // 设置JWT的iat（签发时间）声明
-    .setExpirationTime(now + duration) // 设置 JWT 的 exp（过期时间）为 100 s
-    .sign(jwkSecretKey);
-};

package/src/utils/server/jwt.test.ts

@@ -1,62 +0,0 @@
-import { describe, expect, it, vi } from 'vitest';
-
-import { NON_HTTP_PREFIX } from '@/const/auth';
-
-import { getJWTPayload } from './jwt';
-
-let enableClerkMock = false;
-let enableNextAuthMock = false;
-
-vi.mock('@/const/auth', async (importOriginal) => {
-  const data = await importOriginal();
-
-  return {
-    ...(data as any),
-    get enableClerk() {
-      return enableClerkMock;
-    },
-    get enableNextAuth() {
-      return enableNextAuthMock;
-    },
-  };
-});
-
-vi.mock('@/envs/app', () => ({
-  getAppConfig: vi.fn(),
-}));
-
-describe('getJWTPayload', () => {
-  it('should parse JWT payload for non-HTTPS token', async () => {
-    const token = `${NON_HTTP_PREFIX}.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ`;
-    const payload = await getJWTPayload(token);
-    expect(payload).toEqual({
-      sub: '1234567890',
-      name: 'John Doe',
-      iat: 1516239022,
-    });
-  });
-
-  it('should verify and parse JWT payload for HTTPS token', async () => {
-    const token =
-      'eyJhbGciOiJIUzI1NiJ9.eyJhY2Nlc3NDb2RlIjoiIiwidXNlcklkIjoiMDAxMzYyYzMtNDhjNS00NjM1LWJkM2ItODM3YmZmZjU4ZmMwIiwiYXBpS2V5IjoiYWJjIiwiZW5kcG9pbnQiOiJhYmMiLCJpYXQiOjE3MTY4MDIyMjUsImV4cCI6MTAwMDAwMDAwMDE3MTY4MDIwMDB9.FF0FxsE8Cajs-_hv5GD0TNUDwvekAkI9l_LL_IOPdGQ';
-    const payload = await getJWTPayload(token);
-    expect(payload).toEqual({
-      accessCode: '',
-      apiKey: 'abc',
-      endpoint: 'abc',
-      exp: 10000000001716802000,
-      iat: 1716802225,
-      userId: '001362c3-48c5-4635-bd3b-837bfff58fc0',
-    });
-  });
-
-  it('should not verify success and parse JWT payload for dated token', async () => {
-    const token =
-      'eyJhbGciOiJIUzI1NiJ9.eyJhY2Nlc3NDb2RlIjoiIiwidXNlcklkIjoiYWY3M2JhODktZjFhMy00YjliLWEwM2QtZGViZmZlMzE4NmQxIiwiYXBpS2V5IjoiYWJjIiwiZW5kcG9pbnQiOiJhYmMiLCJpYXQiOjE3MTY3OTk5ODAsImV4cCI6MTcxNjgwMDA4MH0.8AGFsLcwyrQG82kVUYOGFXHIwihm2n16ctyArKW9100';
-    try {
-      await getJWTPayload(token);
-    } catch (e) {
-      expect((e as Error).message).toEqual('"exp" claim timestamp check failed');
-    }
-  });
-});

package/src/utils/server/jwt.ts

@@ -1,28 +0,0 @@
-import { importJWK, jwtVerify } from 'jose';
-
-import { JWTPayload, JWT_SECRET_KEY, NON_HTTP_PREFIX } from '@/const/auth';
-
-export const getJWTPayload = async (token: string): Promise<JWTPayload> => {
-  //如果是 HTTP 协议发起的请求，直接解析 token
-  // 这是一个非常 hack 的解决方案，未来要找更好的解决方案来处理这个问题
-  // refs: https://github.com/lobehub/lobe-chat/pull/1238
-  if (token.startsWith(NON_HTTP_PREFIX)) {
-    const jwtParts = token.split('.');
-
-    const payload = jwtParts[1];
-
-    return JSON.parse(atob(payload));
-  }
-
-  const encoder = new TextEncoder();
-  const secretKey = await crypto.subtle.digest('SHA-256', encoder.encode(JWT_SECRET_KEY));
-
-  const jwkSecretKey = await importJWK(
-    { k: Buffer.from(secretKey).toString('base64'), kty: 'oct' },
-    'HS256',
-  );
-
-  const { payload } = await jwtVerify(token, jwkSecretKey);
-
-  return payload as JWTPayload;
-};