@lobehub/chat 1.16.9 → 1.16.11

package/CHANGELOG.md

@@ -2,6 +2,72 @@
 
 # Changelog
 
+### [Version 1.16.11](https://github.com/lobehub/lobe-chat/compare/v1.16.10...v1.16.11)
+
+<sup>Released on **2024-09-12**</sup>
+
+#### 🐛 Bug Fixes
+
+- **misc**: Support webhooks for logto.
+
+#### 💄 Styles
+
+- **misc**: Default disable mistral provider useless models.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's fixed
+
+- **misc**: Support webhooks for logto, closes [#3774](https://github.com/lobehub/lobe-chat/issues/3774) ([0cfee6b](https://github.com/lobehub/lobe-chat/commit/0cfee6b))
+
+#### Styles
+
+- **misc**: Default disable mistral provider useless models, closes [#3922](https://github.com/lobehub/lobe-chat/issues/3922) ([bdbc647](https://github.com/lobehub/lobe-chat/commit/bdbc647))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
+### [Version 1.16.10](https://github.com/lobehub/lobe-chat/compare/v1.16.9...v1.16.10)
+
+<sup>Released on **2024-09-12**</sup>
+
+#### ♻ Code Refactoring
+
+- **misc**: Support Environment Variable Inference For NextAuth.
+
+#### 🐛 Bug Fixes
+
+- **misc**: Qwen model param error.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### Code refactoring
+
+- **misc**: Support Environment Variable Inference For NextAuth, closes [#3701](https://github.com/lobehub/lobe-chat/issues/3701) ([b956755](https://github.com/lobehub/lobe-chat/commit/b956755))
+
+#### What's fixed
+
+- **misc**: Qwen model param error, closes [#3902](https://github.com/lobehub/lobe-chat/issues/3902) ([c9f00e5](https://github.com/lobehub/lobe-chat/commit/c9f00e5))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
 ### [Version 1.16.9](https://github.com/lobehub/lobe-chat/compare/v1.16.8...v1.16.9)
 
 <sup>Released on **2024-09-12**</sup>

package/docs/self-hosting/server-database/docker-compose.mdx

@@ -186,6 +186,7 @@ And the service port without reverse proxy:
 
 <Callout type="warning">
   Please note that CORS cross-origin is configured internally in MinIO / Logto service, do not configure CORS additionally in your reverse proxy, as this will cause errors.
+  For minio ports other than 443, Host must be $http_host (with port number), otherwise a 403 error will occur: proxy_set_header Host $http_host.
 
 If you need to configure SSL certificates, please configure them uniformly in the outer Nginx reverse proxy, rather than in MinIO.
 

package/docs/self-hosting/server-database/docker-compose.zh-CN.mdx

@@ -185,6 +185,7 @@ docker compose up -d
 
 <Callout type="warning">
   请务必注意，CORS 跨域是在 MinIO / Logto 服务端内部配置的，请勿在你的反向代理中额外配置 CORS，这会导致错误。
+  对于minio非443端口时，Host必须是$http_host（带端口号），否则会403错误：proxy_set_header Host $http_host。
 
 如果你需要配置 SSL 证书，请统一在外层的 Nginx 反向代理中配置，而不是在 MinIO 中配置。
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobehub/chat",
-  "version": "1.16.9",
+  "version": "1.16.11",
   "description": "Lobe Chat - an open-source, high-performance chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.",
   "keywords": [
     "framework",
@@ -102,7 +102,7 @@
     "@ant-design/icons": "^5.4.0",
     "@ant-design/pro-components": "^2.7.10",
     "@anthropic-ai/sdk": "^0.27.0",
-    "@auth/core": "0.28.0",
+    "@auth/core": "^0.34.2",
     "@aws-sdk/client-bedrock-runtime": "^3.637.0",
     "@aws-sdk/client-s3": "^3.637.0",
     "@aws-sdk/s3-request-presigner": "^3.637.0",
@@ -169,7 +169,7 @@
     "modern-screenshot": "^4.4.39",
     "nanoid": "^5.0.7",
     "next": "14.2.8",
-    "next-auth": "5.0.0-beta.15",
+    "next-auth": "beta",
     "next-sitemap": "^4.2.3",
     "numeral": "^2.0.6",
     "nuqs": "^1.17.8",

package/src/app/api/webhooks/logto/__tests__/route.test.ts

@@ -0,0 +1,92 @@
+import { createHmac } from 'node:crypto';
+import { describe, expect, it } from 'vitest';
+
+interface UserDataUpdatedEvent {
+  event: string;
+  createdAt: string;
+  userAgent: string;
+  ip: string;
+  path: string;
+  method: string;
+  status: number;
+  params: {
+    userId: string;
+  };
+  matchedRoute: string;
+  data: {
+    id: string;
+    username: string;
+    primaryEmail: string;
+    primaryPhone: string | null;
+    name: string;
+    avatar: string | null;
+    customData: Record<string, unknown>;
+    identities: Record<string, unknown>;
+    lastSignInAt: number;
+    createdAt: number;
+    updatedAt: number;
+    profile: Record<string, unknown>;
+    applicationId: string;
+    isSuspended: boolean;
+  };
+  hookId: string;
+}
+
+const userDataUpdatedEvent: UserDataUpdatedEvent = {
+  event: 'User.Data.Updated',
+  createdAt: '2024-09-07T08:29:09.381Z',
+  userAgent:
+    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0',
+  ip: '223.104.76.217',
+  path: '/users/rra41h9vmpnd',
+  method: 'PATCH',
+  status: 200,
+  params: {
+    userId: 'rra41h9vmpnd',
+  },
+  matchedRoute: '/users/:userId',
+  data: {
+    id: 'uid',
+    username: 'test',
+    primaryEmail: 'user@example.com',
+    primaryPhone: null,
+    name: 'test',
+    avatar: null,
+    customData: {},
+    identities: {},
+    lastSignInAt: 1725446291545,
+    createdAt: 1725440405556,
+    updatedAt: 1725697749337,
+    profile: {},
+    applicationId: 'appid',
+    isSuspended: false,
+  },
+  hookId: 'hookId',
+};
+
+const LOGTO_WEBHOOK_SIGNING_KEY = 'logto-signing-key';
+
+// Test Logto Webhooks in Local dev, here is some tips:
+// - Replace the var `LOGTO_WEBHOOK_SIGNING_KEY` with the actual value in your `.env` file
+// - Start web request: If you want to run the test, replace `describe.skip` with `describe` below
+
+describe.skip('Test Logto Webhooks in Local dev', () => {
+  // describe('Test Logto Webhooks in Local dev', () => {
+  it('should send a POST request with logto headers', async () => {
+    const url = 'http://localhost:3010/api/webhooks/logto'; // 替换为目标URL
+    const data = userDataUpdatedEvent;
+    //  Generate data signature
+    const hmac = createHmac('sha256', LOGTO_WEBHOOK_SIGNING_KEY!);
+    hmac.update(JSON.stringify(data));
+    const signature = hmac.digest('hex');
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'logto-signature-sha-256': signature,
+      },
+      body: JSON.stringify(data),
+    });
+    expect(response.status).toBe(200); // 检查响应状态
+  });
+});

package/src/app/api/webhooks/logto/route.ts

@@ -0,0 +1,40 @@
+import { NextResponse } from 'next/server';
+
+import { authEnv } from '@/config/auth';
+import { pino } from '@/libs/logger';
+import { NextAuthUserService } from '@/server/services/nextAuthUser';
+
+import { validateRequest } from './validateRequest';
+
+export const POST = async (req: Request): Promise<NextResponse> => {
+  const payload = await validateRequest(req, authEnv.LOGTO_WEBHOOK_SIGNING_KEY!);
+
+  if (!payload) {
+    return NextResponse.json(
+      { error: 'webhook verification failed or payload was malformed' },
+      { status: 400 },
+    );
+  }
+
+  const { event, data } = payload;
+
+  pino.trace(`logto webhook payload: ${{ data, event }}`);
+
+  const nextAuthUserService = new NextAuthUserService();
+  switch (event) {
+    case 'User.Data.Updated': {
+      return nextAuthUserService.safeUpdateUser(data.id, {
+        avatar: data?.avatar,
+        email: data?.primaryEmail,
+        fullName: data?.name,
+      });
+    }
+
+    default: {
+      pino.warn(
+        `${req.url} received event type "${event}", but no handler is defined for this type`,
+      );
+      return NextResponse.json({ error: `unrecognised payload type: ${event}` }, { status: 400 });
+    }
+  }
+};

package/src/app/api/webhooks/logto/validateRequest.ts

@@ -0,0 +1,50 @@
+import { headers } from 'next/headers';
+import { createHmac } from 'node:crypto';
+
+import { authEnv } from '@/config/auth';
+
+export type LogtToUserEntity = {
+  applicationId?: string;
+  avatar?: string;
+  createdAt?: string;
+  customData?: object;
+  id: string;
+  identities?: object;
+  isSuspended?: boolean;
+  lastSignInAt?: string;
+  name?: string;
+  primaryEmail?: string;
+  primaryPhone?: string;
+  username?: string;
+};
+
+interface LogtoWebhookPayload {
+  // Only support user event currently
+  data: LogtToUserEntity;
+  event: string;
+}
+
+export const validateRequest = async (request: Request, signingKey: string) => {
+  const payloadString = await request.text();
+  const headerPayload = headers();
+  const logtoHeaderSignature = headerPayload.get('logto-signature-sha-256')!;
+  try {
+    const hmac = createHmac('sha256', signingKey);
+    hmac.update(payloadString);
+    const signature = hmac.digest('hex');
+    if (signature === logtoHeaderSignature) {
+      return JSON.parse(payloadString) as LogtoWebhookPayload;
+    } else {
+      console.warn(
+        '[logto]: signature verify failed, please check your logto signature in `LOGTO_WEBHOOK_SIGNING_KEY`',
+      );
+      return;
+    }
+  } catch (e) {
+    if (!authEnv.LOGTO_WEBHOOK_SIGNING_KEY) {
+      throw new Error('`LOGTO_WEBHOOK_SIGNING_KEY` environment variable is missing.');
+    }
+    console.error('[logto]: incoming webhook failed in verification.\n', e);
+    return;
+  }
+};

package/src/config/__tests__/auth.test.ts

@@ -0,0 +1,200 @@
+// @vitest-environment node
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+import { getAuthConfig } from '../auth';
+
+// Stub the global process object to safely mock environment variables
+vi.stubGlobal('process', {
+  ...process, // Preserve the original process object
+  env: { ...process.env }, // Clone the environment variables object for modification
+});
+
+const spyConsoleWarn = vi.spyOn(console, 'warn');
+
+describe('getAuthConfig', () => {
+  beforeEach(() => {
+    // Clear all environment variables before each test
+    // @ts-expect-error
+    process.env = {};
+  });
+
+  // TODO(NextAuth ENVs Migration): Remove once nextauth envs migration time end
+  describe('should warn about deprecated environment variables', () => {
+    it('should warn about Auth0 deprecated environment variables', () => {
+      // Set all deprecated environment variables
+      process.env.AUTH0_CLIENT_ID = 'auth0_client_id';
+      process.env.AUTH0_CLIENT_SECRET = 'auth0_client_secret';
+      process.env.AUTH0_ISSUER = 'auth0_issuer';
+      // Call the function
+      getAuthConfig();
+
+      // Check that the spyConsoleWarn function was called for each deprecated environment variable
+      // Example: A warning meassage should incloud: `<Old Env> .* <New Env>`
+      // And the regex should match the warning message: `AUTH0_CLIENT_ID.*AUTH_AUTH0_ID`
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AUTH0_CLIENT_ID.*AUTH_AUTH0_ID/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AUTH0_CLIENT_SECRET.*AUTH_AUTH0_SECRET/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AUTH0_ISSUER.*AUTH_AUTH0_ISSUER/),
+      );
+    });
+    it('should warn about Authentik deprecated environment variables', () => {
+      // Set all deprecated environment variables
+      process.env.AUTHENTIK_CLIENT_ID = 'authentik_client_id';
+      process.env.AUTHENTIK_CLIENT_SECRET = 'authentik_client_secret';
+      process.env.AUTHENTIK_ISSUER = 'authentik_issuer';
+
+      // Call the function
+      getAuthConfig();
+
+      // Check that the spyConsoleWarn function was called for each deprecated environment variable
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AUTHENTIK_CLIENT_ID.*AUTH_AUTHENTIK_ID/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AUTHENTIK_CLIENT_SECRET.*AUTH_AUTHENTIK_SECRET/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AUTHENTIK_ISSUER.*AUTH_AUTHENTIK_ISSUER/),
+      );
+    });
+    it('should warn about Authelia deprecated environment variables', () => {
+      // Set all deprecated environment variables
+      process.env.AUTHELIA_CLIENT_ID = 'authelia_client_id';
+      process.env.AUTHELIA_CLIENT_SECRET = 'authelia_client_secret';
+      process.env.AUTHELIA_ISSUER = 'authelia_issuer';
+
+      // Call the function
+      getAuthConfig();
+
+      // Check that the spyConsoleWarn function was called for each deprecated environment variable
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AUTHELIA_CLIENT_ID.*AUTH_AUTHELIA_ID/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AUTHELIA_CLIENT_SECRET.*AUTH_AUTHELIA_SECRET/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AUTHELIA_ISSUER.*AUTH_AUTHELIA_ISSUER/),
+      );
+    });
+    it('should warn about AzureAD deprecated environment variables', () => {
+      // Set all deprecated environment variables
+      process.env.AZURE_AD_CLIENT_ID = 'azure_ad_client_id';
+      process.env.AZURE_AD_CLIENT_SECRET = 'azure_ad_client_secret';
+      process.env.AZURE_AD_TENANT_ID = 'azure_ad_tenant_id';
+
+      // Call the function
+      getAuthConfig();
+
+      // Check that the spyConsoleWarn function was called for each deprecated environment variable
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AZURE_AD_CLIENT_ID.*AUTH_AZURE_AD_ID/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AZURE_AD_CLIENT_SECRET.*AUTH_AZURE_AD_SECRET/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/AZURE_AD_TENANT_ID.*AUTH_AZURE_AD_TENANT_ID/),
+      );
+    });
+    it('should warn about Cloudflare Zero Trust deprecated environment variables', () => {
+      // Set all deprecated environment variables
+      process.env.CLOUDFLARE_ZERO_TRUST_CLIENT_ID = 'cloudflare_zero_trust_client_id';
+      process.env.CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET = 'cloudflare_zero_trust_client_secret';
+      process.env.CLOUDFLARE_ZERO_TRUST_ISSUER = 'cloudflare_zero_trust_issuer';
+
+      // Call the function
+      getAuthConfig();
+
+      // Check that the spyConsoleWarn function was called for each deprecated environment variable
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/CLOUDFLARE_ZERO_TRUST_CLIENT_ID.*AUTH_CLOUDFLARE_ZERO_TRUST_ID/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(
+          /CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET.*AUTH_CLOUDFLARE_ZERO_TRUST_SECRET/,
+        ),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/CLOUDFLARE_ZERO_TRUST_ISSUER.*AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER/),
+      );
+    });
+    it('should warn about Generic OIDC deprecated environment variables', () => {
+      // Set all deprecated environment variables
+      process.env.GENERIC_OIDC_CLIENT_ID = 'generic_oidc_client_id';
+      process.env.GENERIC_OIDC_CLIENT_SECRET = 'generic_oidc_client_secret';
+      process.env.GENERIC_OIDC_ISSUER = 'generic_oidc_issuer';
+      // Call the function
+      getAuthConfig();
+
+      // Check that the spyConsoleWarn function was called for each deprecated environment variable
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/GENERIC_OIDC_CLIENT_ID.*AUTH_GENERIC_OIDC_ID/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/GENERIC_OIDC_CLIENT_SECRET.*AUTH_GENERIC_OIDC_SECRET/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/GENERIC_OIDC_ISSUER.*AUTH_GENERIC_OIDC_ISSUER/),
+      );
+    });
+    it('should warn about GitHub deprecated environment variables', () => {
+      // Set all deprecated environment variables
+      process.env.GITHUB_CLIENT_ID = 'github_client_id';
+      process.env.GITHUB_CLIENT_SECRET = 'github_client_secret';
+      // Call the function
+      getAuthConfig();
+
+      // Check that the spyConsoleWarn function was called for each deprecated environment variable
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/GITHUB_CLIENT_ID.*AUTH_GITHUB_ID/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/GITHUB_CLIENT_SECRET.*AUTH_GITHUB_SECRET/),
+      );
+    });
+    it('should warn about Logto deprecated environment variables', () => {
+      // Set all deprecated environment variables
+      process.env.LOGTO_CLIENT_ID = 'logto_client_id';
+      process.env.LOGTO_CLIENT_SECRET = 'logto_client_secret';
+      process.env.LOGTO_ISSUER = 'logto_issuer';
+      // Call the function
+      getAuthConfig();
+
+      // Check that the spyConsoleWarn function was called for each deprecated environment variable
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/LOGTO_CLIENT_ID.*AUTH_LOGTO_ID/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/LOGTO_CLIENT_SECRET.*AUTH_LOGTO_SECRET/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/LOGTO_ISSUER.*AUTH_LOGTO_ISSUER/),
+      );
+    });
+    it('should warn about Zitadel deprecated environment variables', () => {
+      // Set all deprecated environment variables
+      process.env.ZITADEL_CLIENT_ID = 'zitadel_client_id';
+      process.env.ZITADEL_CLIENT_SECRET = 'zitadel_client_secret';
+      process.env.ZITADEL_ISSUER = 'zitadel_issuer';
+      // Call the function
+      getAuthConfig();
+
+      // Check that the spyConsoleWarn function was called for each deprecated environment variable
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/ZITADEL_CLIENT_ID.*AUTH_ZITADEL_ID/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/ZITADEL_CLIENT_SECRET.*AUTH_ZITADEL_SECRET/),
+      );
+      expect(spyConsoleWarn).toHaveBeenCalledWith(
+        expect.stringMatching(/ZITADEL_ISSUER.*AUTH_ZITADEL_ISSUER/),
+      );
+    });
+  });
+  // Remove end
+});

package/src/config/auth.ts

@@ -42,7 +42,102 @@ declare global {
   }
 }
 
+// TODO(NextAuth ENVs Migration): Remove once nextauth envs migration time end
+const removeTipsTemplate = (willBeRemoved: string, replaceOne: string) =>
+  `${willBeRemoved} will be removed in the future. Please set ${replaceOne} instead.`;
+// End
+
 export const getAuthConfig = () => {
+  // TODO(NextAuth ENVs Migration): Remove once nextauth envs migration time end
+  if (process.env.AUTH0_CLIENT_ID) {
+    console.warn(removeTipsTemplate('AUTH0_CLIENT_ID', 'AUTH_AUTH0_ID'));
+  }
+  if (process.env.AUTH0_CLIENT_SECRET) {
+    console.warn(removeTipsTemplate('AUTH0_CLIENT_SECRET', 'AUTH_AUTH0_SECRET'));
+  }
+  if (process.env.AUTH0_ISSUER) {
+    console.warn(removeTipsTemplate('AUTH0_ISSUER', 'AUTH_AUTH0_ISSUER'));
+  }
+  if (process.env.AUTHENTIK_CLIENT_ID) {
+    console.warn(removeTipsTemplate('AUTHENTIK_CLIENT_ID', 'AUTH_AUTHENTIK_ID'));
+  }
+  if (process.env.AUTHENTIK_CLIENT_SECRET) {
+    console.warn(removeTipsTemplate('AUTHENTIK_CLIENT_SECRET', 'AUTH_AUTHENTIK_SECRET'));
+  }
+  if (process.env.AUTHENTIK_ISSUER) {
+    console.warn(removeTipsTemplate('AUTHENTIK_ISSUER', 'AUTH_AUTHENTIK_ISSUER'));
+  }
+  if (process.env.AUTHELIA_CLIENT_ID) {
+    console.warn(removeTipsTemplate('AUTHELIA_CLIENT_ID', 'AUTH_AUTHELIA_ID'));
+  }
+  if (process.env.AUTHELIA_CLIENT_SECRET) {
+    console.warn(removeTipsTemplate('AUTHELIA_CLIENT_SECRET', 'AUTH_AUTHELIA_SECRET'));
+  }
+  if (process.env.AUTHELIA_ISSUER) {
+    console.warn(removeTipsTemplate('AUTHELIA_ISSUER', 'AUTH_AUTHELIA_ISSUER'));
+  }
+  if (process.env.AZURE_AD_CLIENT_ID) {
+    console.warn(removeTipsTemplate('AZURE_AD_CLIENT_ID', 'AUTH_AZURE_AD_ID'));
+  }
+  if (process.env.AZURE_AD_CLIENT_SECRET) {
+    console.warn(removeTipsTemplate('AZURE_AD_CLIENT_SECRET', 'AUTH_AZURE_AD_SECRET'));
+  }
+  if (process.env.AZURE_AD_TENANT_ID) {
+    console.warn(removeTipsTemplate('AZURE_AD_TENANT_ID', 'AUTH_AZURE_AD_TENANT_ID'));
+  }
+  if (process.env.CLOUDFLARE_ZERO_TRUST_CLIENT_ID) {
+    console.warn(
+      removeTipsTemplate('CLOUDFLARE_ZERO_TRUST_CLIENT_ID', 'AUTH_CLOUDFLARE_ZERO_TRUST_ID'),
+    );
+  }
+  if (process.env.CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET) {
+    console.warn(
+      removeTipsTemplate(
+        'CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET',
+        'AUTH_CLOUDFLARE_ZERO_TRUST_SECRET',
+      ),
+    );
+  }
+  if (process.env.CLOUDFLARE_ZERO_TRUST_ISSUER) {
+    console.warn(
+      removeTipsTemplate('CLOUDFLARE_ZERO_TRUST_ISSUER', 'AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER'),
+    );
+  }
+  if (process.env.GENERIC_OIDC_CLIENT_ID) {
+    console.warn(removeTipsTemplate('GENERIC_OIDC_CLIENT_ID', 'AUTH_GENERIC_OIDC_ID'));
+  }
+  if (process.env.GENERIC_OIDC_CLIENT_SECRET) {
+    console.warn(removeTipsTemplate('GENERIC_OIDC_CLIENT_SECRET', 'AUTH_GENERIC_OIDC_SECRET'));
+  }
+  if (process.env.GENERIC_OIDC_ISSUER) {
+    console.warn(removeTipsTemplate('GENERIC_OIDC_ISSUER', 'AUTH_GENERIC_OIDC_ISSUER'));
+  }
+  if (process.env.GITHUB_CLIENT_ID) {
+    console.warn(removeTipsTemplate('GITHUB_CLIENT_ID', 'AUTH_GITHUB_ID'));
+  }
+  if (process.env.GITHUB_CLIENT_SECRET) {
+    console.warn(removeTipsTemplate('GITHUB_CLIENT_SECRET', 'AUTH_GITHUB_SECRET'));
+  }
+  if (process.env.LOGTO_CLIENT_ID) {
+    console.warn(removeTipsTemplate('LOGTO_CLIENT_ID', 'AUTH_LOGTO_ID'));
+  }
+  if (process.env.LOGTO_CLIENT_SECRET) {
+    console.warn(removeTipsTemplate('LOGTO_CLIENT_SECRET', 'AUTH_LOGTO_SECRET'));
+  }
+  if (process.env.LOGTO_ISSUER) {
+    console.warn(removeTipsTemplate('LOGTO_ISSUER', 'AUTH_LOGTO_ISSUER'));
+  }
+  if (process.env.ZITADEL_CLIENT_ID) {
+    console.warn(removeTipsTemplate('ZITADEL_CLIENT_ID', 'AUTH_ZITADEL_ID'));
+  }
+  if (process.env.ZITADEL_CLIENT_SECRET) {
+    console.warn(removeTipsTemplate('ZITADEL_CLIENT_SECRET', 'AUTH_ZITADEL_SECRET'));
+  }
+  if (process.env.ZITADEL_ISSUER) {
+    console.warn(removeTipsTemplate('ZITADEL_ISSUER', 'AUTH_ZITADEL_ISSUER'));
+  }
+  // End
+
   return createEnv({
     client: {
       NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: z.string().optional(),
@@ -95,7 +190,7 @@ export const getAuthConfig = () => {
       GENERIC_OIDC_CLIENT_ID: z.string().optional(),
       GENERIC_OIDC_CLIENT_SECRET: z.string().optional(),
       GENERIC_OIDC_ISSUER: z.string().optional(),
-      
+
       // ZITADEL
       ZITADEL_CLIENT_ID: z.string().optional(),
       ZITADEL_CLIENT_SECRET: z.string().optional(),
@@ -105,6 +200,7 @@ export const getAuthConfig = () => {
       LOGTO_CLIENT_ID: z.string().optional(),
       LOGTO_CLIENT_SECRET: z.string().optional(),
       LOGTO_ISSUER: z.string().optional(),
+      LOGTO_WEBHOOK_SIGNING_KEY: z.string().optional(),
     },
 
     runtimeEnv: {
@@ -152,7 +248,7 @@ export const getAuthConfig = () => {
       GENERIC_OIDC_CLIENT_ID: process.env.GENERIC_OIDC_CLIENT_ID,
       GENERIC_OIDC_CLIENT_SECRET: process.env.GENERIC_OIDC_CLIENT_SECRET,
       GENERIC_OIDC_ISSUER: process.env.GENERIC_OIDC_ISSUER,
-      
+
       // ZITADEL
       ZITADEL_CLIENT_ID: process.env.ZITADEL_CLIENT_ID,
       ZITADEL_CLIENT_SECRET: process.env.ZITADEL_CLIENT_SECRET,
@@ -162,6 +258,7 @@ export const getAuthConfig = () => {
       LOGTO_CLIENT_ID: process.env.LOGTO_CLIENT_ID,
       LOGTO_CLIENT_SECRET: process.env.LOGTO_CLIENT_SECRET,
       LOGTO_ISSUER: process.env.LOGTO_ISSUER,
+      LOGTO_WEBHOOK_SIGNING_KEY: process.env.LOGTO_WEBHOOK_SIGNING_KEY,
     },
   });
 };

package/src/config/modelProviders/bedrock.ts

@@ -40,6 +40,20 @@ const Bedrock: ModelProviderCard = {
       tokens: 200_000,
       vision: true,
     },
+    {
+      description:
+        'Claude 3 Haiku 是 Anthropic 最快、最紧凑的模型，提供近乎即时的响应速度。它可以快速回答简单的查询和请求。客户将能够构建模仿人类互动的无缝 AI 体验。Claude 3 Haiku 可以处理图像并返回文本输出，具有 200K 的上下文窗口。',
+      displayName: 'Claude 3 Haiku',
+      enabled: true,
+      functionCall: true,
+      id: 'anthropic.claude-3-haiku-20240307-v1:0',
+      pricing: {
+        input: 0.25,
+        output: 1.25,
+      },
+      tokens: 200_000,
+      vision: true,
+    },
     {
       description:
         'Anthropic 的 Claude 3 Sonnet 在智能和速度之间达到了理想的平衡——特别适合企业工作负载。它以低于竞争对手的价格提供最大的效用，并被设计成为可靠的、高耐用的主力机，适用于规模化的 AI 部署。Claude 3 Sonnet 可以处理图像并返回文本输出，具有 200K 的上下文窗口。',
@@ -68,20 +82,6 @@ const Bedrock: ModelProviderCard = {
       tokens: 200_000,
       vision: true,
     },
-    {
-      description:
-        'Claude 3 Haiku 是 Anthropic 最快、最紧凑的模型，提供近乎即时的响应速度。它可以快速回答简单的查询和请求。客户将能够构建模仿人类互动的无缝 AI 体验。Claude 3 Haiku 可以处理图像并返回文本输出，具有 200K 的上下文窗口。',
-      displayName: 'Claude 3 Haiku',
-      enabled: true,
-      functionCall: true,
-      id: 'anthropic.claude-3-haiku-20240307-v1:0',
-      pricing: {
-        input: 0.25,
-        output: 1.25,
-      },
-      tokens: 200_000,
-      vision: true,
-    },
     {
       description:
         'Claude 2 的更新版，具有双倍的上下文窗口，以及在长文档和 RAG 上下文中的可靠性、幻觉率和基于证据的准确性的改进。',

package/src/config/modelProviders/mistral.ts

@@ -8,7 +8,6 @@ const Mistral: ModelProviderCard = {
       description:
         'Mistral 7B是一款紧凑但高性能的模型，擅长批量处理和简单任务，如分类和文本生成，具有良好的推理能力。',
       displayName: 'Mistral 7B',
-      enabled: true,
       id: 'open-mistral-7b',
       tokens: 32_768,
     },
@@ -16,7 +15,6 @@ const Mistral: ModelProviderCard = {
       description:
         'Mixtral 8x7B是一个稀疏专家模型，利用多个参数提高推理速度，适合处理多语言和代码生成任务。',
       displayName: 'Mixtral 8x7B',
-      enabled: true,
       id: 'open-mixtral-8x7b',
       tokens: 32_768,
     },
@@ -57,7 +55,6 @@ const Mistral: ModelProviderCard = {
       description:
         'Codestral Mamba是专注于代码生成的Mamba 2语言模型，为先进的代码和推理任务提供强力支持。',
       displayName: 'Codestral Mamba',
-      enabled: true,
       id: 'open-codestral-mamba',
       tokens: 256_000,
     },

package/src/libs/agent-runtime/qwen/index.test.ts

@@ -161,13 +161,11 @@ describe('LobeQwenAI', () => {
           vi.spyOn(instance['client'].chat.completions, 'create').mockResolvedValue(
             new ReadableStream() as any,
           );
-
           await instance.chat({
             messages: [{ content: 'Hello', role: 'user' }],
             model: 'qwen-turbo',
             temperature: temp,
           });
-
           expect(instance['client'].chat.completions.create).toHaveBeenCalledWith(
             expect.objectContaining({
               messages: expect.any(Array),
@@ -183,13 +181,11 @@ describe('LobeQwenAI', () => {
         vi.spyOn(instance['client'].chat.completions, 'create').mockResolvedValue(
           new ReadableStream() as any,
         );
-
         await instance.chat({
           messages: [{ content: 'Hello', role: 'user' }],
           model: 'qwen-turbo',
           temperature: 1.5,
         });
-
         expect(instance['client'].chat.completions.create).toHaveBeenCalledWith(
           expect.objectContaining({
             messages: expect.any(Array),
@@ -199,6 +195,26 @@ describe('LobeQwenAI', () => {
           expect.any(Object),
         );
       });
+
+      it('should set temperature to Float', async () => {
+        const createMock = vi.fn().mockResolvedValue(new ReadableStream() as any);
+        vi.spyOn(instance['client'].chat.completions, 'create').mockImplementation(createMock);
+        await instance.chat({
+          messages: [{ content: 'Hello', role: 'user' }],
+          model: 'qwen-turbo',
+          temperature: 1,
+        });
+        expect(instance['client'].chat.completions.create).toHaveBeenCalledWith(
+          expect.objectContaining({
+            messages: expect.any(Array),
+            model: 'qwen-turbo',
+            temperature: expect.any(Number),
+          }),
+          expect.any(Object),
+        );
+        const callArgs = createMock.mock.calls[0][0];
+        expect(Number.isInteger(callArgs.temperature)).toBe(false); // Temperature is always not an integer 
+      });
     });
 
     describe('Error', () => {

package/src/libs/agent-runtime/qwen/index.ts

@@ -111,7 +111,7 @@ export class LobeQwenAI implements LobeRuntimeAI {
       temperature: 
         temperature === 0 || temperature >= 2 
         ? undefined 
-        : temperature,
+        : (temperature === 1 ? 0.999 : temperature), // 'temperature' must be Float
       top_p: top_p && top_p >= 1 ? 0.999 : top_p,
     };
 

package/src/libs/next-auth/auth.config.ts

@@ -1,4 +1,5 @@
 import type { NextAuthConfig } from 'next-auth';
+import urlJoin from 'url-join';
 
 import { authEnv } from '@/config/auth';
 
@@ -40,6 +41,7 @@ export default {
     },
   },
   providers: initSSOProviders(),
+  redirectProxyUrl: process.env.APP_URL ? urlJoin(process.env.APP_URL, '/api/auth') : undefined,
   secret: authEnv.NEXT_AUTH_SECRET,
-  trustHost: true,
+  trustHost: process.env?.AUTH_TRUST_HOST ? process.env.AUTH_TRUST_HOST === 'true' : true,
 } satisfies NextAuthConfig;

package/src/libs/next-auth/sso-providers/auth0.ts

@@ -11,9 +11,11 @@ const provider = {
     // Specify auth scope, at least include 'openid email'
     // all scopes in Auth0 ref: https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes#standard-claims
     authorization: { params: { scope: 'openid email profile' } },
-    clientId: authEnv.AUTH0_CLIENT_ID,
-    clientSecret: authEnv.AUTH0_CLIENT_SECRET,
-    issuer: authEnv.AUTH0_ISSUER,
+    // TODO(NextAuth ENVs Migration): Remove once nextauth envs migration time end
+    clientId: authEnv.AUTH0_CLIENT_ID ?? process.env.AUTH_AUTH0_ID,
+    clientSecret: authEnv.AUTH0_CLIENT_SECRET ?? process.env.AUTH_AUTH0_SECRET,
+    issuer: authEnv.AUTH0_ISSUER ?? process.env.AUTH_AUTH0_ISSUER,
+    // Remove End
     profile(profile) {
       return {
         email: profile.email,

package/src/libs/next-auth/sso-providers/authelia.ts

@@ -6,11 +6,11 @@ import { CommonProviderConfig } from './sso.config';
 
 export type AutheliaProfile = {
   // The users display name
-  email: string; 
+  email: string;
   // The users email
-  groups: string[]; 
+  groups: string[];
   // The username the user used to login with
-  name: string; 
+  name: string;
   preferred_username: string; // The users groups
   sub: string; // The users id
 };
@@ -21,10 +21,10 @@ const provider = {
     ...CommonProviderConfig,
     authorization: { params: { scope: 'openid email profile' } },
     checks: ['state', 'pkce'],
-    clientId: authEnv.AUTHELIA_CLIENT_ID,
-    clientSecret: authEnv.AUTHELIA_CLIENT_SECRET,
+    clientId: authEnv.AUTHELIA_CLIENT_ID ?? process.env.AUTH_AUTHELIA_ID,
+    clientSecret: authEnv.AUTHELIA_CLIENT_SECRET ?? process.env.AUTH_AUTHELIA_SECRET,
     id: 'authelia',
-    issuer: authEnv.AUTHELIA_ISSUER,
+    issuer: authEnv.AUTHELIA_ISSUER ?? process.env.AUTH_AUTHELIA_ISSUER,
     name: 'Authelia',
     profile(profile) {
       return {

package/src/libs/next-auth/sso-providers/authentik.ts

@@ -11,9 +11,11 @@ const provider = {
     // Specify auth scope, at least include 'openid email'
     // all scopes in Authentik ref: https://goauthentik.io/docs/providers/oauth2
     authorization: { params: { scope: 'openid email profile' } },
-    clientId: authEnv.AUTHENTIK_CLIENT_ID,
-    clientSecret: authEnv.AUTHENTIK_CLIENT_SECRET,
-    issuer: authEnv.AUTHENTIK_ISSUER,
+    // TODO(NextAuth ENVs Migration): Remove once nextauth envs migration time end
+    clientId: authEnv.AUTHENTIK_CLIENT_ID ?? process.env.AUTH_AUTHENTIK_ID,
+    clientSecret: authEnv.AUTHENTIK_CLIENT_SECRET ?? process.env.AUTH_AUTHENTIK_SECRET,
+    issuer: authEnv.AUTHENTIK_ISSUER ?? process.env.AUTH_AUTHENTIK_ISSUER,
+    // Remove end
     // TODO(NextAuth): map unique user id to `providerAccountId` field
     //  profile(profile) {
     //   return {

package/src/libs/next-auth/sso-providers/azure-ad.ts

@@ -11,9 +11,11 @@ const provider = {
     // Specify auth scope, at least include 'openid email'
     // all scopes in Azure AD ref: https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#openid-connect-scopes
     authorization: { params: { scope: 'openid email profile' } },
-    clientId: authEnv.AZURE_AD_CLIENT_ID,
-    clientSecret: authEnv.AZURE_AD_CLIENT_SECRET,
-    tenantId: authEnv.AZURE_AD_TENANT_ID,
+    // TODO(NextAuth ENVs Migration): Remove once nextauth envs migration time end
+    clientId: authEnv.AZURE_AD_CLIENT_ID ?? process.env.AUTH_AZURE_AD_ID,
+    clientSecret: authEnv.AZURE_AD_CLIENT_SECRET ?? process.env.AUTH_AZURE_AD_SECRET,
+    tenantId: authEnv.AZURE_AD_TENANT_ID ?? process.env.AUTH_AZURE_AD_TENANT_ID,
+    // Remove end
     // TODO(NextAuth): map unique user id to `providerAccountId` field
     // profile(profile) {
     //   return {

package/src/libs/next-auth/sso-providers/cloudflare-zero-trust.ts

@@ -16,10 +16,11 @@ const provider = {
     ...CommonProviderConfig,
     authorization: { params: { scope: 'openid email profile' } },
     checks: ['state', 'pkce'],
-    clientId: authEnv.CLOUDFLARE_ZERO_TRUST_CLIENT_ID,
-    clientSecret: authEnv.CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET,
+    clientId: authEnv.CLOUDFLARE_ZERO_TRUST_CLIENT_ID ?? process.env.AUTH_CLOUDFLARE_ZERO_TRUST_ID,
+    clientSecret:
+      authEnv.CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET ?? process.env.AUTH_CLOUDFLARE_ZERO_TRUST_SECRET,
     id: 'cloudflare-zero-trust',
-    issuer: authEnv.CLOUDFLARE_ZERO_TRUST_ISSUER,
+    issuer: authEnv.CLOUDFLARE_ZERO_TRUST_ISSUER ?? process.env.AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER,
     name: 'Cloudflare Zero Trust',
     profile(profile) {
       return {

package/src/libs/next-auth/sso-providers/generic-oidc.ts

@@ -19,10 +19,10 @@ const provider = {
     ...CommonProviderConfig,
     authorization: { params: { scope: 'email openid profile' } },
     checks: ['state', 'pkce'],
-    clientId: authEnv.GENERIC_OIDC_CLIENT_ID,
-    clientSecret: authEnv.GENERIC_OIDC_CLIENT_SECRET,
+    clientId: authEnv.GENERIC_OIDC_CLIENT_ID ?? process.env.AUTH_GENERIC_OIDC_ID,
+    clientSecret: authEnv.GENERIC_OIDC_CLIENT_SECRET ?? process.env.AUTH_GENERIC_OIDC_SECRET,
     id: 'generic-oidc',
-    issuer: authEnv.GENERIC_OIDC_ISSUER,
+    issuer: authEnv.GENERIC_OIDC_ISSUER ?? process.env.AUTH_GENERIC_OIDC_ISSUER,
     name: 'Generic OIDC',
     profile(profile) {
       return {

package/src/libs/next-auth/sso-providers/github.ts

@@ -10,8 +10,10 @@ const provider = {
     ...CommonProviderConfig,
     // Specify auth scope, at least include 'openid email'
     authorization: { params: { scope: 'read:user user:email' } },
-    clientId: authEnv.GITHUB_CLIENT_ID,
-    clientSecret: authEnv.GITHUB_CLIENT_SECRET,
+    // TODO(NextAuth ENVs Migration): Remove once nextauth envs migration time end
+    clientId: authEnv.GITHUB_CLIENT_ID ?? process.env.AUTH_GITHUB_ID,
+    clientSecret: authEnv.GITHUB_CLIENT_SECRET ?? process.env.AUTH_GITHUB_SECRET,
+    // Remove end
     profile: (profile) => {
       return {
         email: profile.email,

package/src/libs/next-auth/sso-providers/logto.ts

@@ -41,9 +41,9 @@ const provider = {
     },
     // You can get the issuer value from the Logto Application Details page,
     // in the field "Issuer endpoint"
-    clientId: authEnv.LOGTO_CLIENT_ID,
-    clientSecret: authEnv.LOGTO_CLIENT_SECRET,
-    issuer: authEnv.LOGTO_ISSUER,
+    clientId: authEnv.LOGTO_CLIENT_ID ?? process.env.AUTH_LOGTO_ID,
+    clientSecret: authEnv.LOGTO_CLIENT_SECRET ?? process.env.AUTH_LOGTO_SECRET,
+    issuer: authEnv.LOGTO_ISSUER ?? process.env.AUTH_LOGTO_ISSUER,
   }),
 };
 

package/src/libs/next-auth/sso-providers/zitadel.ts

@@ -7,9 +7,11 @@ const provider = {
   provider: Zitadel({
     // Available scopes in ZITADEL: https://zitadel.com/docs/apis/openidoauth/scopes
     authorization: { params: { scope: 'openid email profile' } },
-    clientId: authEnv.ZITADEL_CLIENT_ID,
-    clientSecret: authEnv.ZITADEL_CLIENT_SECRET,
-    issuer: authEnv.ZITADEL_ISSUER,
+    // TODO(NextAuth ENVs Migration): Remove once nextauth envs migration time end
+    clientId: authEnv.ZITADEL_CLIENT_ID ?? process.env.AUTH_ZITADEL_ID,
+    clientSecret: authEnv.ZITADEL_CLIENT_SECRET ?? process.env.AUTH_ZITADEL_SECRET,
+    issuer: authEnv.ZITADEL_ISSUER ?? process.env.AUTH_ZITADEL_ISSUER,
+    // Remove end
     // TODO(NextAuth): map unique user id to `providerAccountId` field
     // profile(profile) {
     //   return {

package/src/server/services/nextAuthUser/index.ts

@@ -0,0 +1,42 @@
+import { NextResponse } from 'next/server';
+
+import { serverDB } from '@/database/server';
+import { UserModel } from '@/database/server/models/user';
+import { UserItem } from '@/database/server/schemas/lobechat';
+import { pino } from '@/libs/logger';
+import { LobeNextAuthDbAdapter } from '@/libs/next-auth/adapter';
+
+export class NextAuthUserService {
+  userModel;
+  adapter;
+
+  constructor() {
+    this.userModel = new UserModel();
+    this.adapter = LobeNextAuthDbAdapter(serverDB);
+  }
+
+  safeUpdateUser = async (providerAccountId: string, data: Partial<UserItem>) => {
+    pino.info('updating user due to webhook');
+    // 1. Find User by account
+    // @ts-expect-error: Already impl in `LobeNextauthDbAdapter`
+    const user = await this.adapter.getUserByAccount({
+      provider: 'logto',
+      providerAccountId,
+    });
+
+    // 2. If found, Update user data from provider
+    if (user?.id) {
+      // Perform update
+      await this.userModel.updateUser(user.id, {
+        avatar: data?.avatar,
+        email: data?.email,
+        fullName: data?.fullName,
+      });
+    } else {
+      pino.warn(
+        `[logto]: Webhooks handler user update for "${JSON.stringify(data)}", but no user was found by the providerAccountId.`,
+      );
+    }
+    return NextResponse.json({ message: 'user updated', success: true }, { status: 200 });
+  };
+}