@lobehub/chat 1.122.4 → 1.122.5

package/src/libs/next-auth/auth.config.ts

@@ -1,23 +1,32 @@
 import type { NextAuthConfig } from 'next-auth';
 
-import { authEnv } from '@/config/auth';
-
 import { ssoProviders } from './sso-providers';
+import { LobeNextAuthDbAdapter } from './adapter';
+import { getAuthConfig } from '@/config/auth';
+
+const {
+  NEXT_AUTH_DEBUG,
+  NEXT_AUTH_SECRET,
+  NEXT_AUTH_SSO_SESSION_STRATEGY,
+  NEXT_AUTH_SSO_PROVIDERS,
+  NEXT_PUBLIC_ENABLE_NEXT_AUTH
+} = getAuthConfig();
 
 export const initSSOProviders = () => {
-  return authEnv.NEXT_PUBLIC_ENABLE_NEXT_AUTH
-    ? authEnv.NEXT_AUTH_SSO_PROVIDERS.split(/[,，]/).map((provider) => {
-        const validProvider = ssoProviders.find((item) => item.id === provider.trim());
+  return NEXT_PUBLIC_ENABLE_NEXT_AUTH
+    ? NEXT_AUTH_SSO_PROVIDERS.split(/[,，]/).map((provider) => {
+      const validProvider = ssoProviders.find((item) => item.id === provider.trim());
 
-        if (validProvider) return validProvider.provider;
+      if (validProvider) return validProvider.provider;
 
-        throw new Error(`[NextAuth] provider ${provider} is not supported`);
-      })
+      throw new Error(`[NextAuth] provider ${provider} is not supported`);
+    })
     : [];
 };
 
 // Notice this is only an object, not a full Auth.js instance
 export default {
+  adapter: LobeNextAuthDbAdapter(),
   callbacks: {
     // Note: Data processing order of callback: authorize --> jwt --> session
     async jwt({ token, user }) {
@@ -39,12 +48,15 @@ export default {
       return session;
     },
   },
-  debug: authEnv.NEXT_AUTH_DEBUG,
+  debug: NEXT_AUTH_DEBUG,
   pages: {
     error: '/next-auth/error',
     signIn: '/next-auth/signin',
   },
   providers: initSSOProviders(),
-  secret: authEnv.NEXT_AUTH_SECRET,
+  secret: NEXT_AUTH_SECRET,
+  session: {
+    strategy: NEXT_AUTH_SSO_SESSION_STRATEGY,
+  },
   trustHost: process.env?.AUTH_TRUST_HOST ? process.env.AUTH_TRUST_HOST === 'true' : true,
 } satisfies NextAuthConfig;

package/src/libs/next-auth/index.ts

@@ -1,33 +1,20 @@
 import NextAuth from 'next-auth';
 
-import { getServerDBConfig } from '@/config/db';
-import { serverDB } from '@/database/server';
-
-import { LobeNextAuthDbAdapter } from './adapter';
-import config from './auth.config';
-
-const { NEXT_PUBLIC_ENABLED_SERVER_SERVICE } = getServerDBConfig();
+import authConfig from './auth.config';
 
 /**
- * NextAuth initialization with Database adapter
+ * NextAuth initialization without Database adapter
+ *
+ * @note
+ * We currently use `jwt` strategy for session management.
+ * So you don't need to import `signIn` or `signOut` from
+ * this module, just import from `next-auth` directly.
  *
+ * Inside react component
  * @example
  * ```ts
- * import NextAuthNode from '@/libs/next-auth';
- * const { handlers } = NextAuthNode;
+ * import { signOut } from 'next-auth/react';
+ * signOut();
  * ```
- *
- * @note
- * If you meet the edge runtime compatible problem,
- * you can import from `@/libs/next-auth/edge` which is not initial with the database adapter.
- *
- * The difference and usage of the two different NextAuth modules is can be
- * ref to: https://github.com/lobehub/lobe-chat/pull/2935
  */
-export default NextAuth({
-  ...config,
-  adapter: NEXT_PUBLIC_ENABLED_SERVER_SERVICE ? LobeNextAuthDbAdapter(serverDB) : undefined,
-  session: {
-    strategy: 'jwt',
-  },
-});
+export default NextAuth(authConfig);

package/src/libs/trpc/edge/context.ts

@@ -54,9 +54,9 @@ export const createEdgeContext = async (request: NextRequest): Promise<EdgeConte
 
   if (enableNextAuth) {
     try {
-      const { default: NextAuthEdge } = await import('@/libs/next-auth/edge');
+      const { default: NextAuth } = await import('@/libs/next-auth');
 
-      const session = await NextAuthEdge.auth();
+      const session = await NextAuth.auth();
       if (session && session?.user?.id) {
         auth = session.user;
         userId = session.user.id;

package/src/libs/trpc/lambda/context.ts

@@ -161,9 +161,9 @@ export const createLambdaContext = async (request: NextRequest): Promise<LambdaC
   if (enableNextAuth) {
     log('Attempting NextAuth authentication');
     try {
-      const { default: NextAuthEdge } = await import('@/libs/next-auth/edge');
+      const { default: NextAuth } = await import('@/libs/next-auth');
 
-      const session = await NextAuthEdge.auth();
+      const session = await NextAuth.auth();
       if (session && session?.user?.id) {
         auth = session.user;
         userId = session.user.id;

package/src/middleware.ts

@@ -10,7 +10,7 @@ import { OAUTH_AUTHORIZED } from '@/const/auth';
 import { LOBE_LOCALE_COOKIE } from '@/const/locale';
 import { LOBE_THEME_APPEARANCE } from '@/const/theme';
 import { appEnv } from '@/envs/app';
-import NextAuthEdge from '@/libs/next-auth/edge';
+import NextAuth from '@/libs/next-auth';
 import { Locales } from '@/locales/resources';
 
 import { oidcEnv } from './envs/oidc';
@@ -170,7 +170,7 @@ const isProtectedRoute = createRouteMatcher([
 ]);
 
 // Initialize an Edge compatible NextAuth middleware
-const nextAuthMiddleware = NextAuthEdge.auth(async (req) => {
+const nextAuthMiddleware = NextAuth.auth((req) => {
   logNextAuth('NextAuth middleware processing request: %s %s', req.method, req.url);
 
   const response = defaultMiddleware(req);

package/src/server/routers/lambda/user.test.ts

@@ -6,8 +6,8 @@ import { MessageModel } from '@/database/models/message';
 import { SessionModel } from '@/database/models/session';
 import { UserModel, UserNotFoundError } from '@/database/models/user';
 import { serverDB } from '@/database/server';
-import { LobeNextAuthDbAdapter } from '@/libs/next-auth/adapter';
 import { KeyVaultsGateKeeper } from '@/server/modules/KeyVaultsEncrypt';
+import { NextAuthUserService } from '@/server/services/nextAuthUser';
 import { UserService } from '@/server/services/user';
 
 import { userRouter } from './user';
@@ -24,10 +24,10 @@ vi.mock('@/database/server', () => ({
 vi.mock('@/database/models/message');
 vi.mock('@/database/models/session');
 vi.mock('@/database/models/user');
-vi.mock('@/libs/next-auth/adapter');
 vi.mock('@/server/modules/KeyVaultsEncrypt');
 vi.mock('@/server/modules/S3');
 vi.mock('@/server/services/user');
+vi.mock('@/server/services/nextAuthUser');
 vi.mock('@/const/auth', () => ({
   enableClerk: true,
 }));
@@ -221,7 +221,7 @@ describe('userRouter', () => {
         type: 'oauth',
       };
 
-      vi.mocked(LobeNextAuthDbAdapter).mockReturnValue({
+      vi.mocked(NextAuthUserService).mockReturnValue({
         getAccount: vi.fn().mockResolvedValue(mockAccount),
         unlinkAccount: vi.fn().mockResolvedValue(undefined),
       } as any);
@@ -237,7 +237,7 @@ describe('userRouter', () => {
         providerAccountId: '123',
       };
 
-      vi.mocked(LobeNextAuthDbAdapter).mockReturnValue({
+      vi.mocked(NextAuthUserService).mockReturnValue({
         getAccount: vi.fn().mockResolvedValue(null),
         unlinkAccount: vi.fn(),
       } as any);
@@ -246,19 +246,6 @@ describe('userRouter', () => {
         userRouter.createCaller({ ...mockCtx }).unlinkSSOProvider(mockInput),
       ).rejects.toThrow('The account does not exist');
     });
-
-    it('should throw error if adapter methods are not implemented', async () => {
-      const mockInput = {
-        provider: 'google',
-        providerAccountId: '123',
-      };
-
-      vi.mocked(LobeNextAuthDbAdapter).mockReturnValue({} as any);
-
-      await expect(
-        userRouter.createCaller({ ...mockCtx }).unlinkSSOProvider(mockInput),
-      ).rejects.toThrow('The method in LobeNextAuthDbAdapter `unlinkAccount` is not implemented');
-    });
   });
 
   describe('updateSettings', () => {

package/src/server/routers/lambda/user.ts

@@ -9,12 +9,12 @@ import { SessionModel } from '@/database/models/session';
 import { UserModel, UserNotFoundError } from '@/database/models/user';
 import { ClerkAuth } from '@/libs/clerk-auth';
 import { pino } from '@/libs/logger';
-import { LobeNextAuthDbAdapter } from '@/libs/next-auth/adapter';
 import { authedProcedure, router } from '@/libs/trpc/lambda';
 import { serverDatabase } from '@/libs/trpc/lambda/middleware';
 import { KeyVaultsGateKeeper } from '@/server/modules/KeyVaultsEncrypt';
 import { S3 } from '@/server/modules/S3';
 import { FileService } from '@/server/services/file';
+import { NextAuthUserService } from '@/server/services/nextAuthUser';
 import { UserService } from '@/server/services/user';
 import {
   NextAuthAccountSchame,
@@ -29,7 +29,7 @@ const userProcedure = authedProcedure.use(serverDatabase).use(async ({ ctx, next
     ctx: {
       clerkAuth: new ClerkAuth(),
       fileService: new FileService(ctx.serverDB, ctx.userId),
-      nextAuthDbAdapter: LobeNextAuthDbAdapter(ctx.serverDB),
+      nextAuthUserService: new NextAuthUserService(ctx.serverDB),
       userModel: new UserModel(ctx.serverDB, ctx.userId),
     },
   });
@@ -134,19 +134,10 @@ export const userRouter = router({
 
   unlinkSSOProvider: userProcedure.input(NextAuthAccountSchame).mutation(async ({ ctx, input }) => {
     const { provider, providerAccountId } = input;
-    if (
-      ctx.nextAuthDbAdapter?.unlinkAccount &&
-      typeof ctx.nextAuthDbAdapter.unlinkAccount === 'function' &&
-      ctx.nextAuthDbAdapter?.getAccount &&
-      typeof ctx.nextAuthDbAdapter.getAccount === 'function'
-    ) {
-      const account = await ctx.nextAuthDbAdapter.getAccount(providerAccountId, provider);
-      // The userId can either get from ctx.nextAuth?.id or ctx.userId
-      if (!account || account.userId !== ctx.userId) throw new Error('The account does not exist');
-      await ctx.nextAuthDbAdapter.unlinkAccount({ provider, providerAccountId });
-    } else {
-      throw new Error('The method in LobeNextAuthDbAdapter `unlinkAccount` is not implemented');
-    }
+    const account = await ctx.nextAuthUserService.getAccount(providerAccountId, provider);
+    // The userId can either get from ctx.nextAuth?.id or ctx.userId
+    if (!account || account.userId !== ctx.userId) throw new Error('The account does not exist');
+    await ctx.nextAuthUserService.unlinkAccount({ provider, providerAccountId });
   }),
 
   // 服务端上传头像

package/src/server/services/nextAuthUser/index.ts

@@ -1,18 +1,33 @@
+import { and, eq } from 'drizzle-orm';
+import { Adapter, AdapterAccount } from 'next-auth/adapters';
 import { NextResponse } from 'next/server';
 
 import { UserModel } from '@/database/models/user';
-import { UserItem } from '@/database/schemas';
+import {
+  UserItem,
+  nextauthAccounts,
+  nextauthAuthenticators,
+  nextauthSessions,
+  nextauthVerificationTokens,
+  users,
+} from '@/database/schemas';
 import { LobeChatDatabase } from '@/database/type';
 import { pino } from '@/libs/logger';
-import { LobeNextAuthDbAdapter } from '@/libs/next-auth/adapter';
+import { merge } from '@/utils/merge';
+
+import { AgentService } from '../agent';
+import {
+  mapAdapterUserToLobeUser,
+  mapAuthenticatorQueryResutlToAdapterAuthenticator,
+  mapLobeUserToAdapterUser,
+  partialMapAdapterUserToLobeUser,
+} from './utils';
 
 export class NextAuthUserService {
-  adapter;
   private db: LobeChatDatabase;
 
   constructor(db: LobeChatDatabase) {
     this.db = db;
-    this.adapter = LobeNextAuthDbAdapter(db);
   }
 
   safeUpdateUser = async (
@@ -21,8 +36,7 @@ export class NextAuthUserService {
   ) => {
     pino.info(`updating user "${JSON.stringify({ provider, providerAccountId })}" due to webhook`);
     // 1. Find User by account
-    // @ts-expect-error: Already impl in `LobeNextauthDbAdapter`
-    const user = await this.adapter.getUserByAccount({
+    const user = await this.getUserByAccount({
       provider,
       providerAccountId,
     });
@@ -44,4 +58,266 @@ export class NextAuthUserService {
     }
     return NextResponse.json({ message: 'user updated', success: true }, { status: 200 });
   };
+
+  safeSignOutUser = async ({
+    providerAccountId,
+    provider,
+  }: {
+    provider: string;
+    providerAccountId: string;
+  }) => {
+    pino.info(`Signing out user "${JSON.stringify({ provider, providerAccountId })}"`);
+    const user = await this.getUserByAccount({
+      provider,
+      providerAccountId,
+    });
+
+    // 2. If found, Update user data from provider
+    if (user?.id) {
+      // Perform update
+      await this.db.delete(nextauthSessions).where(eq(nextauthSessions.userId, user.id));
+    } else {
+      pino.warn(
+        `[${provider}]: Webhooks handler user "${JSON.stringify({ provider, providerAccountId })}" to signout", but no user was found by the providerAccountId.`,
+      );
+    }
+    return NextResponse.json({ message: 'user signed out', success: true }, { status: 200 });
+  };
+
+  createAuthenticator: NonNullable<Adapter['createAuthenticator']> = async (authenticator) => {
+    return await this.db
+      .insert(nextauthAuthenticators)
+      .values(authenticator)
+      .returning()
+      .then((res: any) => res[0] ?? undefined);
+  };
+
+  createSession: NonNullable<Adapter['createSession']> = async (data) => {
+    return await this.db
+      .insert(nextauthSessions)
+      .values(data)
+      .returning()
+      .then((res: any) => res[0]);
+  };
+
+  createUser: NonNullable<Adapter['createUser']> = async (user) => {
+    const { id, name, email, emailVerified, image, providerAccountId } = user;
+    // return the user if it already exists
+    let existingUser =
+      email && typeof email === 'string' && email.trim()
+        ? await UserModel.findByEmail(this.db, email)
+        : undefined;
+    // If the user is not found by email, try to find by providerAccountId
+    if (!existingUser && providerAccountId) {
+      existingUser = await UserModel.findById(this.db, providerAccountId);
+    }
+    if (existingUser) {
+      const adapterUser = mapLobeUserToAdapterUser(existingUser);
+      return adapterUser;
+    }
+
+    // create a new user if it does not exist
+    // Use id from provider if it exists, otherwise use id assigned by next-auth
+    // ref: https://github.com/lobehub/lobe-chat/pull/2935
+    const uid = providerAccountId ?? id;
+    await UserModel.createUser(
+      this.db,
+      mapAdapterUserToLobeUser({
+        email,
+        emailVerified,
+        // Use providerAccountId as userid to identify if the user exists in a SSO provider
+        id: uid,
+        image,
+        name,
+      }),
+    );
+
+    // 3. Create an inbox session for the user
+    const agentService = new AgentService(this.db, uid);
+    await agentService.createInbox();
+
+    return { ...user, id: uid };
+  };
+
+  createVerificationToken: NonNullable<Adapter['createVerificationToken']> = async (data) => {
+    return await this.db
+      .insert(nextauthVerificationTokens)
+      .values(data)
+      .returning()
+      .then((res: any) => res[0]);
+  };
+
+  deleteSession: NonNullable<Adapter['deleteSession']> = async (sessionToken) => {
+    await this.db.delete(nextauthSessions).where(eq(nextauthSessions.sessionToken, sessionToken));
+  };
+
+  deleteUser: NonNullable<Adapter['deleteUser']> = async (id) => {
+    const user = await UserModel.findById(this.db, id);
+    if (!user) throw new Error('NextAuth: Delete User not found');
+    await UserModel.deleteUser(this.db, id);
+  };
+
+  getAccount: NonNullable<Adapter['getAccount']> = async (providerAccountId, provider) => {
+    return (await this.db
+      .select()
+      .from(nextauthAccounts)
+      .where(
+        and(
+          eq(nextauthAccounts.provider, provider),
+          eq(nextauthAccounts.providerAccountId, providerAccountId),
+        ),
+      )
+      .then((res: any) => res[0] ?? null)) as Promise<AdapterAccount | null>;
+  };
+
+  getAuthenticator: NonNullable<Adapter['getAuthenticator']> = async (credentialID) => {
+    const result = await this.db
+      .select()
+      .from(nextauthAuthenticators)
+      .where(eq(nextauthAuthenticators.credentialID, credentialID))
+      .then((res) => res[0] ?? null);
+    if (!result) throw new Error('NextAuthUserService: Failed to get authenticator');
+    return mapAuthenticatorQueryResutlToAdapterAuthenticator(result);
+  };
+
+  getSessionAndUser: NonNullable<Adapter['getSessionAndUser']> = async (sessionToken) => {
+    const result = await this.db
+      .select({
+        session: nextauthSessions,
+        user: users,
+      })
+      .from(nextauthSessions)
+      .where(eq(nextauthSessions.sessionToken, sessionToken))
+      .innerJoin(users, eq(users.id, nextauthSessions.userId))
+      .then((res: any) => (res.length > 0 ? res[0] : null));
+
+    if (!result) return null;
+    const adapterUser = mapLobeUserToAdapterUser(result.user);
+    if (!adapterUser) return null;
+    return {
+      session: result.session,
+      user: adapterUser,
+    };
+  };
+
+  getUser: NonNullable<Adapter['getUser']> = async (id) => {
+    const lobeUser = await UserModel.findById(this.db, id);
+    if (!lobeUser) return null;
+    return mapLobeUserToAdapterUser(lobeUser);
+  };
+
+  getUserByAccount: NonNullable<Adapter['getUserByAccount']> = async (account) => {
+    const result = await this.db
+      .select({
+        account: nextauthAccounts,
+        users,
+      })
+      .from(nextauthAccounts)
+      .innerJoin(users, eq(nextauthAccounts.userId, users.id))
+      .where(
+        and(
+          eq(nextauthAccounts.provider, account.provider),
+          eq(nextauthAccounts.providerAccountId, account.providerAccountId),
+        ),
+      )
+      .then((res: any) => res[0]);
+
+    return result?.users ? mapLobeUserToAdapterUser(result.users) : null;
+  };
+
+  getUserByEmail: NonNullable<Adapter['getUserByEmail']> = async (email) => {
+    const lobeUser =
+      email && typeof email === 'string' && email.trim()
+        ? await UserModel.findByEmail(this.db, email)
+        : undefined;
+    return lobeUser ? mapLobeUserToAdapterUser(lobeUser) : null;
+  };
+
+  linkAccount: NonNullable<Adapter['linkAccount']> = async (data) => {
+    const [account] = await this.db
+      .insert(nextauthAccounts)
+      .values(data as any)
+      .returning();
+    if (!account) throw new Error('NextAuthAccountModel: Failed to create account');
+    // TODO Update type annotation
+    return account as any;
+  };
+
+  listAuthenticatorsByUserId: NonNullable<Adapter['listAuthenticatorsByUserId']> = async (
+    userId,
+  ) => {
+    const result = await this.db
+      .select()
+      .from(nextauthAuthenticators)
+      .where(eq(nextauthAuthenticators.userId, userId))
+      .then((res: any) => res);
+    if (result.length === 0)
+      throw new Error('NextAuthUserService: Failed to get authenticator list');
+    return result.map((r: any) => mapAuthenticatorQueryResutlToAdapterAuthenticator(r));
+  };
+
+  unlinkAccount: NonNullable<Adapter['unlinkAccount']> = async (account) => {
+    await this.db
+      .delete(nextauthAccounts)
+      .where(
+        and(
+          eq(nextauthAccounts.provider, account.provider),
+          eq(nextauthAccounts.providerAccountId, account.providerAccountId),
+        ),
+      );
+  };
+
+  updateAuthenticatorCounter: NonNullable<Adapter['updateAuthenticatorCounter']> = async (
+    credentialID,
+    counter,
+  ) => {
+    const result = await this.db
+      .update(nextauthAuthenticators)
+      .set({ counter })
+      .where(eq(nextauthAuthenticators.credentialID, credentialID))
+      .returning()
+      .then((res: any) => res[0]);
+    if (!result) throw new Error('NextAuthUserService: Failed to update authenticator counter');
+    return mapAuthenticatorQueryResutlToAdapterAuthenticator(result);
+  };
+
+  updateSession: NonNullable<Adapter['updateSession']> = async (data) => {
+    const res = await this.db
+      .update(nextauthSessions)
+      .set(data)
+      .where(eq(nextauthSessions.sessionToken, data.sessionToken))
+      .returning();
+    return res[0];
+  };
+
+  updateUser: NonNullable<Adapter['updateUser']> = async (user) => {
+    const lobeUser = await UserModel.findById(this.db, user?.id);
+    if (!lobeUser) throw new Error('NextAuth: User not found');
+    const userModel = new UserModel(this.db, user.id);
+
+    const updatedUser = await userModel.updateUser({
+      ...partialMapAdapterUserToLobeUser(user),
+    });
+    if (!updatedUser) throw new Error('NextAuth: Failed to update user');
+
+    // merge new user data with old user data
+    const newAdapterUser = mapLobeUserToAdapterUser(lobeUser);
+    if (!newAdapterUser) {
+      throw new Error('NextAuth: Failed to map user data to adapter user');
+    }
+    return merge(newAdapterUser, user);
+  };
+
+  useVerificationToken: NonNullable<Adapter['useVerificationToken']> = async (identifier_token) => {
+    return await this.db
+      .delete(nextauthVerificationTokens)
+      .where(
+        and(
+          eq(nextauthVerificationTokens.identifier, identifier_token.identifier),
+          eq(nextauthVerificationTokens.token, identifier_token.token),
+        ),
+      )
+      .returning()
+      .then((res: any) => (res.length > 0 ? res[0] : null));
+  };
 }