@lobehub/chat 1.19.11 → 1.19.13

package/CHANGELOG.md

@@ -2,6 +2,56 @@
 
 # Changelog
 
+### [Version 1.19.13](https://github.com/lobehub/lobe-chat/compare/v1.19.12...v1.19.13)
+
+<sup>Released on **2024-09-20**</sup>
+
+#### 🐛 Bug Fixes
+
+- **misc**: Try to implement better ssrf-protect.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's fixed
+
+- **misc**: Try to implement better ssrf-protect, closes [#4044](https://github.com/lobehub/lobe-chat/issues/4044) ([e960a23](https://github.com/lobehub/lobe-chat/commit/e960a23))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
+### [Version 1.19.12](https://github.com/lobehub/lobe-chat/compare/v1.19.11...v1.19.12)
+
+<sup>Released on **2024-09-20**</sup>
+
+#### 💄 Styles
+
+- **misc**: Support webhooks for casdoor.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### Styles
+
+- **misc**: Support webhooks for casdoor, closes [#3942](https://github.com/lobehub/lobe-chat/issues/3942) ([1f2f6a5](https://github.com/lobehub/lobe-chat/commit/1f2f6a5))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
 ### [Version 1.19.11](https://github.com/lobehub/lobe-chat/compare/v1.19.10...v1.19.11)
 
 <sup>Released on **2024-09-20**</sup>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobehub/chat",
-  "version": "1.19.11",
+  "version": "1.19.13",
   "description": "Lobe Chat - an open-source, high-performance chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.",
   "keywords": [
     "framework",
@@ -203,6 +203,7 @@
     "remark": "^14.0.3",
     "remark-gfm": "^3.0.1",
     "remark-html": "^15.0.2",
+    "request-filtering-agent": "^2.0.1",
     "resolve-accept-language": "^3.1.5",
     "rtl-detect": "^1.1.2",
     "semver": "^7.6.3",

package/src/app/api/webhooks/casdoor/__tests__/route.test.ts

@@ -0,0 +1,60 @@
+import { describe, expect, it } from 'vitest';
+
+interface User {
+  name: string;
+  id: string;
+  type: 'normal-user' | 'admin' | 'super-admin';
+  displayName: string;
+  firstName: string;
+  lastName: string;
+  avatar: string;
+  email: string;
+  emailVerified: boolean;
+}
+
+interface UserDataUpdatedEvent {
+  user: string; // 用户名
+  action: 'update-user';
+  extendedUser: User; // 扩展用户信息
+}
+
+const userDataUpdatedEvent: UserDataUpdatedEvent = {
+  user: 'admin',
+  action: 'update-user',
+  extendedUser: {
+    name: 'admin',
+    id: '35edace3-00c6-41e1-895e-97c519b1d8cc',
+    type: 'normal-user',
+    displayName: 'Admin',
+    firstName: '',
+    lastName: '',
+    avatar: 'https://cdn.casbin.org/img/casbin.svg',
+    email: 'admin@example.cn',
+    emailVerified: false,
+  },
+};
+
+const AUTH_CASDOOR_WEBHOOK_SECRET = 'casdoor-secret';
+
+// Test Casdoor Webhooks in Local dev, here is some tips:
+// - Replace the var `AUTH_CASDOOR_WETHOOK_SECRET` with the actual value in your `.env` file
+// - Start web request: If you want to run the test, replace `describe.skip` with `describe` below
+// - Run this test with command:
+// pnpm vitest --run --testNamePattern='^ ?Test Casdoor Webhooks in Local dev'  src/app/api/webhooks/casdoor/__tests__/route.test.ts
+
+describe.skip('Test Casdoor Webhooks in Local dev', () => {
+  // describe('Test Casdoor Webhooks in Local dev', () => {
+  it('should send a POST request with casdoor headers', async () => {
+    const url = 'http://localhost:3010/api/webhooks/casdoor'; // 替换为目标URL
+    const data = userDataUpdatedEvent;
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'casdoor-secret': AUTH_CASDOOR_WEBHOOK_SECRET,
+      },
+      body: JSON.stringify(data),
+    });
+    expect(response.status).toBe(200); // 检查响应状态
+  });
+});

package/src/app/api/webhooks/casdoor/route.ts

@@ -0,0 +1,40 @@
+import { NextResponse } from 'next/server';
+
+import { authEnv } from '@/config/auth';
+import { pino } from '@/libs/logger';
+import { NextAuthUserService } from '@/server/services/nextAuthUser';
+
+import { validateRequest } from './validateRequest';
+
+export const POST = async (req: Request): Promise<NextResponse> => {
+  const payload = await validateRequest(req, authEnv.CASDOOR_WEBHOOK_SECRET);
+
+  if (!payload) {
+    return NextResponse.json(
+      { error: 'webhook verification failed or payload was malformed' },
+      { status: 400 },
+    );
+  }
+
+  const { action, extendedUser } = payload;
+
+  pino.trace(`casdoor webhook payload: ${{ action, extendedUser }}`);
+
+  const nextAuthUserService = new NextAuthUserService();
+  switch (action) {
+    case 'update-user': {
+      return nextAuthUserService.safeUpdateUser(extendedUser.id, {
+        avatar: extendedUser?.avatar,
+        email: extendedUser?.email,
+        fullName: extendedUser.displayName,
+      });
+    }
+
+    default: {
+      pino.warn(
+        `${req.url} received event type "${action}", but no handler is defined for this type`,
+      );
+      return NextResponse.json({ error: `unrecognised payload type: ${action}` }, { status: 400 });
+    }
+  }
+};

package/src/app/api/webhooks/casdoor/validateRequest.ts

@@ -0,0 +1,38 @@
+import { headers } from 'next/headers';
+
+import { authEnv } from '@/config/auth';
+
+export type CasdoorUserEntity = {
+  avatar?: string;
+  displayName: string;
+  email?: string;
+  id: string;
+};
+
+interface CasdoorWebhookPayload {
+  action: string;
+  // Only support user event currently
+  extendedUser: CasdoorUserEntity;
+}
+
+export const validateRequest = async (request: Request, secret?: string) => {
+  const payloadString = await request.text();
+  const headerPayload = headers();
+  const casdoorSecret = headerPayload.get('casdoor-secret')!;
+  try {
+    if (casdoorSecret === secret) {
+      return JSON.parse(payloadString) as CasdoorWebhookPayload;
+    } else {
+      console.warn(
+        '[Casdoor]: secret verify failed, please check your secret in `CASDOOR_WEBHOOK_SECRET`',
+      );
+      return;
+    }
+  } catch (e) {
+    if (!authEnv.CASDOOR_WEBHOOK_SECRET) {
+      throw new Error('`CASDOOR_WEBHOOK_SECRET` environment variable is missing.');
+    }
+    console.error('[Casdoor]: incoming webhook failed in verification.\n', e);
+    return;
+  }
+};

package/src/app/webapi/proxy/route.ts

@@ -0,0 +1,19 @@
+import { NextResponse } from 'next/server';
+import fetch from 'node-fetch';
+import { useAgent as ssrfAgent } from 'request-filtering-agent';
+
+/**
+ * just for a proxy
+ */
+export const POST = async (req: Request) => {
+  const url = await req.text();
+
+  try {
+    const res = await fetch(url, { agent: ssrfAgent(url) });
+
+    return new Response(await res.arrayBuffer(), { headers: { ...res.headers } });
+  } catch (err) {
+    console.error(err); // DNS lookup 127.0.0.1(family:4, host:127.0.0.1.nip.io) is not allowed. Because, It is private IP address.
+    return NextResponse.json({ error: 'Not support internal host proxy' }, { status: 400 });
+  }
+};

package/src/config/auth.ts

@@ -201,6 +201,9 @@ export const getAuthConfig = () => {
       LOGTO_CLIENT_SECRET: z.string().optional(),
       LOGTO_ISSUER: z.string().optional(),
       LOGTO_WEBHOOK_SIGNING_KEY: z.string().optional(),
+
+      // Casdoor
+      CASDOOR_WEBHOOK_SECRET: z.string().optional(),
     },
 
     runtimeEnv: {
@@ -259,6 +262,9 @@ export const getAuthConfig = () => {
       LOGTO_CLIENT_SECRET: process.env.LOGTO_CLIENT_SECRET,
       LOGTO_ISSUER: process.env.LOGTO_ISSUER,
       LOGTO_WEBHOOK_SIGNING_KEY: process.env.LOGTO_WEBHOOK_SIGNING_KEY,
+
+      // Casdoor
+      CASDOOR_WEBHOOK_SECRET: process.env.CASDOOR_WEBHOOK_SECRET,
     },
   });
 };

package/src/libs/next-auth/sso-providers/casdoor.ts

@@ -0,0 +1,49 @@
+import { OIDCConfig, OIDCUserConfig } from '@auth/core/providers';
+
+import { CommonProviderConfig } from './sso.config';
+
+interface CasdoorProfile extends Record<string, any> {
+  avatar: string;
+  displayName: string;
+  email: string;
+  emailVerified: boolean;
+  firstName: string;
+  id: string;
+  lastName: string;
+  name: string;
+  owner: string;
+  permanentAvatar: string;
+}
+
+function LobeCasdoorProvider(config: OIDCUserConfig<CasdoorProfile>): OIDCConfig<CasdoorProfile> {
+  return {
+    ...CommonProviderConfig,
+    ...config,
+    id: 'casdoor',
+    name: 'Casdoor',
+    profile(profile) {
+      return {
+        email: profile.email,
+        emailVerified: profile.emailVerified ? new Date() : null,
+        image: profile.avatar,
+        name: profile.displayName ?? profile.firstName ?? profile.lastName,
+        providerAccountId: profile.id,
+      };
+    },
+    type: 'oidc',
+  };
+}
+
+const provider = {
+  id: 'casdoor',
+  provider: LobeCasdoorProvider({
+    authorization: {
+      params: { scope: 'openid profile email' },
+    },
+    clientId: process.env.AUTH_CASDOOR_ID,
+    clientSecret: process.env.AUTH_CASDOOR_SECRET,
+    issuer: process.env.AUTH_CASDOOR_ISSUER,
+  }),
+};
+
+export default provider;

package/src/libs/next-auth/sso-providers/index.ts

@@ -2,10 +2,22 @@ import Auth0 from './auth0';
 import Authelia from './authelia';
 import Authentik from './authentik';
 import AzureAD from './azure-ad';
+import Casdoor from './casdoor';
 import CloudflareZeroTrust from './cloudflare-zero-trust';
 import GenericOIDC from './generic-oidc';
 import Github from './github';
 import Logto from './logto';
 import Zitadel from './zitadel';
 
-export const ssoProviders = [Auth0, Authentik, AzureAD, GenericOIDC, Github, Zitadel, Authelia, Logto, CloudflareZeroTrust];
+export const ssoProviders = [
+  Auth0,
+  Authentik,
+  AzureAD,
+  GenericOIDC,
+  Github,
+  Zitadel,
+  Authelia,
+  Logto,
+  CloudflareZeroTrust,
+  Casdoor,
+];

package/src/server/routers/lambda/user.ts

@@ -63,7 +63,7 @@ export const userRouter = router({
     const sessionCount = await sessionModel.count();
 
     return {
-      canEnablePWAGuide: messageCount >= 2,
+      canEnablePWAGuide: messageCount >= 4,
       canEnableTrace: messageCount >= 4,
       // 有消息，或者创建过助手，则认为有 conversation
       hasConversation: messageCount > 0 || sessionCount > 1,

package/src/services/_url.ts

@@ -1,4 +1,4 @@
-// TODO: 未来路由需要迁移到 trpc or /webapi
+// TODO: 未来所有核心路由需要迁移到 trpc，部分不需要迁移的则走 webapi
 
 /* eslint-disable sort-keys-fix/sort-keys-fix */
 import { transform } from 'lodash-es';
@@ -17,7 +17,7 @@ const mapWithBasePath = <T extends object>(apis: T): T => {
 };
 
 export const API_ENDPOINTS = mapWithBasePath({
-  proxy: '/api/proxy',
+  proxy: '/webapi/proxy',
   oauth: '/api/auth',
 
   // agent markets

package/src/services/user/client.ts

@@ -23,7 +23,7 @@ export class ClientService implements IUserService {
 
     return {
       avatar: user.avatar,
-      canEnablePWAGuide: messageCount >= 2,
+      canEnablePWAGuide: messageCount >= 4,
       canEnableTrace: messageCount >= 4,
       hasConversation: messageCount > 0 || sessionCount > 0,
       isOnboard: true,

package/src/app/api/proxy/route.ts

@@ -1,34 +0,0 @@
-import { isPrivate } from 'ip';
-import { NextResponse } from 'next/server';
-import dns from 'node:dns';
-import { promisify } from 'node:util';
-
-const lookupAsync = promisify(dns.lookup);
-
-export const runtime = 'nodejs';
-
-/**
- * just for a proxy
- */
-export const POST = async (req: Request) => {
-  const url = new URL(await req.text());
-  let address;
-
-  try {
-    const lookupResult = await lookupAsync(url.hostname);
-    address = lookupResult.address;
-  } catch (err) {
-    console.error(`${url.hostname} DNS parser error:`, err);
-
-    return NextResponse.json({ error: 'DNS parser error' }, { status: 504 });
-  }
-
-  const isInternalHost = isPrivate(address);
-
-  if (isInternalHost)
-    return NextResponse.json({ error: 'Not support internal host proxy' }, { status: 400 });
-
-  const res = await fetch(url.toString());
-
-  return new Response(res.body, { headers: res.headers });
-};