@lobehub/chat 1.79.6 → 1.79.8

package/locales/zh-CN/oauth.json

@@ -0,0 +1,39 @@
+{
+  "consent": {
+    "buttons": {
+      "accept": "授权",
+      "deny": "拒绝"
+    },
+    "description": "应用 {clientId} 请求访问您的 LobeChat 账户",
+    "error": {
+      "sessionInvalid": {
+        "message": "授权会话已过期或无效，请重新发起授权流程。",
+        "title": "授权会话无效"
+      },
+      "title": "发生错误",
+      "unsupportedInteraction": {
+        "message": "不支持的交互类型: {promptName}",
+        "title": "不支持的交互类型"
+      }
+    },
+    "permissionsTitle": "应用请求以下权限：",
+    "scope": {
+      "email": "访问您的电子邮件地址",
+      "offline_access": "在您离线时继续访问您的数据",
+      "openid": "使用您的 LobeChat 账户进行身份验证",
+      "profile": "访问您的基本资料信息（名称、头像等）",
+      "sync:read": "读取您的同步数据",
+      "sync:write": "写入并更新您的同步数据"
+    },
+    "title": "授权请求"
+  },
+  "failed": {
+    "backToHome": "返回首页",
+    "subTitle": "您已拒绝授权应用访问您的 LobeChat 账户",
+    "title": "授权被拒绝"
+  },
+  "success": {
+    "subTitle": "您已成功授权应用访问您的 LobeChat 账户，可以关闭该页面了",
+    "title": "授权成功"
+  }
+}

package/locales/zh-TW/models.json

@@ -1109,6 +1109,18 @@
   "grok-2-vision-1212": {
     "description": "該模型在準確性、指令遵循和多語言能力方面有所改進。"
   },
+  "grok-3-beta": {
+    "description": "旗艦級模型，擅長數據提取、程式設計和文本摘要等企業級應用，擁有金融、醫療、法律和科學等領域的深厚知識。"
+  },
+  "grok-3-fast-beta": {
+    "description": "旗艦級模型，擅長數據提取、程式設計和文本摘要等企業級應用，擁有金融、醫療、法律和科學等領域的深厚知識。"
+  },
+  "grok-3-mini-beta": {
+    "description": "輕量級模型，會在對話前先思考。運行快速、智能，適用於不需要深層領域知識的邏輯任務，並能獲取原始的思維軌跡。"
+  },
+  "grok-3-mini-fast-beta": {
+    "description": "輕量級模型，會在對話前先思考。運行快速、智能，適用於不需要深層領域知識的邏輯任務，並能獲取原始的思維軌跡。"
+  },
   "grok-beta": {
     "description": "擁有與 Grok 2 相當的性能，但具備更高的效率、速度和功能。"
   },

package/locales/zh-TW/oauth.json

@@ -0,0 +1,39 @@
+{
+  "consent": {
+    "buttons": {
+      "accept": "授權",
+      "deny": "拒絕"
+    },
+    "description": "應用 {clientId} 請求訪問您的 LobeChat 帳戶",
+    "error": {
+      "sessionInvalid": {
+        "message": "授權會話已過期或無效，請重新發起授權流程。",
+        "title": "授權會話無效"
+      },
+      "title": "發生錯誤",
+      "unsupportedInteraction": {
+        "message": "不支援的互動類型: {promptName}",
+        "title": "不支援的互動類型"
+      }
+    },
+    "permissionsTitle": "應用請求以下權限：",
+    "scope": {
+      "email": "訪問您的電子郵件地址",
+      "offline_access": "在您離線時繼續訪問您的數據",
+      "openid": "使用您的 LobeChat 帳戶進行身份驗證",
+      "profile": "訪問您的基本資料信息（名稱、頭像等）",
+      "sync:read": "讀取您的同步數據",
+      "sync:write": "寫入並更新您的同步數據"
+    },
+    "title": "授權請求"
+  },
+  "failed": {
+    "backToHome": "返回首頁",
+    "subTitle": "您已拒絕授權應用訪問您的 LobeChat 帳戶",
+    "title": "授權被拒絕"
+  },
+  "success": {
+    "subTitle": "您已成功授權應用訪問您的 LobeChat 帳戶，可以關閉該頁面了",
+    "title": "授權成功"
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobehub/chat",
-  "version": "1.79.6",
+  "version": "1.79.8",
   "description": "Lobe Chat - an open-source, high-performance chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.",
   "keywords": [
     "framework",
@@ -33,7 +33,7 @@
     "postbuild": "npm run build-sitemap && npm run build-migrate-db",
     "build-migrate-db": "bun run db:migrate",
     "build-sitemap": "tsx ./scripts/buildSitemapIndex/index.ts",
-    "build:analyze": "ANALYZE=true next build",
+    "build:analyze": "NODE_OPTIONS=--max-old-space-size=6144 ANALYZE=true next build",
     "build:docker": "DOCKER=true next build && npm run build-sitemap",
     "prebuild:electron": "cross-env NEXT_PUBLIC_IS_DESKTOP_APP=1 tsx scripts/prebuild.mts",
     "build:electron": "cross-env NODE_OPTIONS=--max-old-space-size=6144 NEXT_PUBLIC_IS_DESKTOP_APP=1 NEXT_PUBLIC_SERVICE_MODE=server next build",
@@ -188,6 +188,7 @@
     "jose": "^5.10.0",
     "js-sha256": "^0.11.0",
     "jsonl-parse-stringify": "^1.0.3",
+    "keyv": "^4.5.4",
     "langchain": "^0.3.19",
     "langfuse": "^3.37.1",
     "langfuse-core": "^3.37.1",
@@ -204,6 +205,7 @@
     "numeral": "^2.0.6",
     "nuqs": "^2.4.1",
     "officeparser": "^5.1.1",
+    "oidc-provider": "^8.4.0",
     "ollama": "^0.5.14",
     "openai": "^4.91.1",
     "openapi-fetch": "^0.9.8",
@@ -286,6 +288,7 @@
     "@types/lodash-es": "^4.17.12",
     "@types/node": "^22.13.17",
     "@types/numeral": "^2.0.5",
+    "@types/oidc-provider": "^8.8.1",
     "@types/pg": "^8.11.11",
     "@types/react": "^19.1.0",
     "@types/react-dom": "^19.1.1",

package/scripts/generate-oidc-jwk.mjs

@@ -0,0 +1,59 @@
+#!/usr/bin/env node
+/**
+ * OIDC JWKS 密钥生成脚本
+ * 用于生成 OIDC Provider 使用的 RSA 密钥对并转换为 JWKS 格式
+ *
+ * 使用方法:
+ * node scripts/generate-oidc-jwk.mjs
+ *
+ * 将输出的单行 JSON 字符串设置为环境变量 OIDC_JWKS_KEY
+ */
+import crypto from 'node:crypto';
+import { exportJWK, generateKeyPair } from 'jose';
+
+// 生成密钥 ID
+function generateKeyId() {
+  return crypto.randomBytes(8).toString('hex');
+}
+
+async function generateJwks() {
+  try {
+    console.error('正在生成 RSA 密钥对...');
+
+    // 生成 RS256 密钥对
+    const { privateKey } = await generateKeyPair('RS256');
+
+    // 导出为 JWK 格式
+    const jwk = await exportJWK(privateKey);
+
+    // 添加必要的字段
+    jwk.use = 'sig'; // 用途: 签名
+    jwk.kid = generateKeyId(); // 密钥 ID
+    jwk.alg = 'RS256'; // 算法
+
+    // 创建 JWKS (JSON Web Key Set)
+    const jwks = { keys: [jwk] };
+
+    // 转换为JSON字符串
+    const jwksString = JSON.stringify(jwks);
+
+    // 输出 JWKS JSON 单行字符串
+    console.log(jwksString);
+
+    // 控制台提示
+    console.error('\n✅ JWKS 已生成');
+    console.error('请将上面输出的 JSON 字符串直接设置为环境变量 OIDC_JWKS_KEY');
+    console.error('例如在 .env 文件中添加:');
+    console.error('\n> 环境变量配置行 (可直接复制):');
+    console.error(`OIDC_JWKS_KEY='${jwksString}'`);
+    console.error('\n⚠️ 重要: 请妥善保管此密钥，它用于签署所有 OIDC 令牌');
+
+    return jwks;
+  } catch (error) {
+    console.error('❌ 生成 JWKS 时出错:', error);
+    process.exit(1);
+  }
+}
+
+// 执行主函数
+generateJwks();

package/scripts/migrateServerDB/index.ts

@@ -3,7 +3,6 @@ import { migrate as neonMigrate } from 'drizzle-orm/neon-serverless/migrator';
 import { migrate as nodeMigrate } from 'drizzle-orm/node-postgres/migrator';
 import { join } from 'node:path';
 
-import { serverDB } from '../../src/database/server';
 import { DB_FAIL_INIT_HINT, PGVECTOR_HINT } from './errorHint';
 
 // Read the `.env` file if it exists, or a file specified by the
@@ -13,7 +12,10 @@ dotenv.config();
 const migrationsFolder = join(__dirname, '../../src/database/migrations');
 
 const isDesktop = process.env.NEXT_PUBLIC_IS_DESKTOP_APP === '1';
+
 const runMigrations = async () => {
+  const { serverDB } = await import('../../src/database/server');
+
   if (process.env.DATABASE_DRIVER === 'node') {
     await nodeMigrate(serverDB, { migrationsFolder });
   } else {

package/src/app/(backend)/oidc/[...oidc]/route.ts

@@ -0,0 +1,270 @@
+import debug from 'debug';
+import { NextRequest, NextResponse } from 'next/server';
+import { randomUUID } from 'node:crypto';
+import { URL } from 'node:url';
+
+import { getDBInstance } from '@/database/core/web-server';
+import { oidcEnv } from '@/envs/oidc';
+import { DrizzleAdapter } from '@/libs/oidc-provider/adapter';
+import { createNodeRequest, createNodeResponse } from '@/libs/oidc-provider/http-adapter';
+import { getOIDCProvider } from '@/server/services/oidc/oidcProvider';
+
+const log = debug('lobe-oidc:route'); // Create a debug instance with a namespace
+
+// 会话同步标头
+const OIDC_SESSION_HEADER = 'x-oidc-session-sync';
+
+/**
+ * 处理会话同步
+ * 如果请求中包含 x-oidc-session-sync 头，预先创建一个 OIDC 会话
+ */
+const syncOIDCSession = async (req: NextRequest): Promise<void> => {
+  const externalUserId = req.headers.get(OIDC_SESSION_HEADER);
+
+  if (!externalUserId) {
+    log('没有找到 x-oidc-session-sync 头，跳过会话同步');
+    return;
+  }
+
+  log('找到会话同步请求，外部用户 ID: %s', externalUserId);
+
+  try {
+    const db = getDBInstance();
+    const sessionAdapter = new DrizzleAdapter('Session', db);
+
+    // 查找是否已有对应的 OIDC 会话
+    // 使用新方法按用户 ID 查找会话
+    const existingSession = await sessionAdapter.findSessionByUserId(externalUserId);
+
+    if (existingSession) {
+      log(
+        '已找到与用户 %s 关联的现有 OIDC 会话，ID: %s',
+        externalUserId,
+        existingSession.uid || existingSession.jti,
+      );
+      return;
+    }
+
+    // 创建新的会话
+    const sessionId = randomUUID();
+    const now = Math.floor(Date.now() / 1000);
+    const expiresIn = 30 * 24 * 60 * 60; // 30 天，与 provider.ts 中的 TTL 配置一致
+
+    // 创建基本会话数据
+    const sessionData = {
+      accountId: externalUserId,
+
+      // 添加额外会话信息
+      authTime: now,
+
+      // 添加所有必要的 OIDC 会话字段
+      cookie: `oidc.session.${sessionId}`,
+
+      exp: now + expiresIn,
+
+      iat: now,
+
+      jti: sessionId,
+
+      // 为 findAccount 添加必要的字段
+      login: {
+        accountId: externalUserId,
+        remember: true,
+      },
+
+      uid: sessionId,
+      username: externalUserId,
+    };
+
+    // 使用适配器创建会话
+    await sessionAdapter.upsert(sessionId, sessionData, expiresIn);
+    log('成功为外部用户 %s 创建 OIDC 会话 %s', externalUserId, sessionId);
+  } catch (error) {
+    log('同步 OIDC 会话时出错: %O', error);
+    console.error('同步 OIDC 会话错误:', error);
+    // 不抛出错误，让请求继续处理
+  }
+};
+
+/**
+ * 处理 catch-all 路由下的所有 OIDC 请求
+ * 这个处理器会捕获所有 /oauth/[...oidc] 的请求
+ * 例如: /oauth/auth, /oauth/token, /oauth/userinfo 等
+ */
+export async function GET(req: NextRequest) {
+  const requestUrl = new URL(req.url);
+  log('Received GET request: %s %s', req.method, req.url);
+  log('Path: %s, Pathname: %s', requestUrl.pathname, requestUrl.pathname);
+  log('Headers: %O', Object.fromEntries(req.headers.entries())); // Log headers object
+
+  // 声明响应收集器
+  let responseCollector;
+
+  try {
+    if (!oidcEnv.ENABLE_OIDC) {
+      log('OIDC is not enabled');
+      return new NextResponse('OIDC is not enabled', { status: 404 });
+    }
+
+    // 在获取 OIDC 提供者实例前同步会话
+    await syncOIDCSession(req);
+
+    // 获取 OIDC Provider 实例
+    const provider = await getOIDCProvider();
+
+    log('Calling provider.callback() for GET');
+    await new Promise<void>((resolve, reject) => {
+      let middleware: any;
+      try {
+        log('Attempting to get middleware from provider.callback()');
+        middleware = provider.callback();
+        log('Successfully obtained middleware function.');
+      } catch (syncError) {
+        log('SYNC ERROR during provider.callback() call itself: %O', syncError);
+        reject(syncError);
+        return;
+      }
+
+      // 使用辅助方法创建响应收集器
+      responseCollector = createNodeResponse(resolve);
+      const nodeResponse = responseCollector.nodeResponse;
+
+      // 使用辅助方法创建 Node.js 请求对象
+      const nodeRequest = createNodeRequest(req);
+
+      log('Calling the obtained middleware...');
+      middleware(nodeRequest, nodeResponse, (error?: Error) => {
+        log('Middleware callback function HAS BEEN EXECUTED.');
+        if (error) {
+          log('Middleware error reported via callback: %O', error);
+          reject(error); // Reject if callback reports error
+        } else {
+          log(
+            'Middleware completed successfully via callback (may be redundant if .end() was called).',
+          );
+          // Ensure promise resolves even if end() wasn't called but callback was
+          resolve();
+        }
+      });
+      log('Middleware call initiated, waiting for its callback OR nodeResponse.end()...');
+    });
+
+    log('Promise surrounding middleware call resolved.');
+
+    if (!responseCollector) {
+      throw new Error('ResponseCollector was not initialized.');
+    }
+
+    const {
+      responseStatus: finalStatus,
+      responseBody: finalBody,
+      responseHeaders: finalHeaders,
+    } = responseCollector;
+
+    log('Final Response Status: %d', finalStatus);
+    log('Final Response Headers: %O', finalHeaders);
+
+    return new NextResponse(finalBody, {
+      // eslint-disable-next-line no-undef
+      headers: finalHeaders as HeadersInit,
+      status: finalStatus,
+    });
+  } catch (error) {
+    log('Error handling OIDC GET request: %O', error); // Log the full error object
+    // Ensure responseCollector is checked even in catch block if needed, though error likely occurred before/during promise
+    return new NextResponse(`Internal Server Error: ${(error as Error).message}`, { status: 500 });
+  }
+}
+
+/**
+ * 处理 POST 请求 (用于令牌端点等)
+ */
+export async function POST(req: NextRequest) {
+  log('Received POST request: %s %s', req.method, req.url);
+  const bodyText = await req.text(); // Read body first
+  log('Body: %s', bodyText); // Log body as string
+
+  // 声明响应收集器
+  let responseCollector;
+
+  try {
+    if (!oidcEnv.ENABLE_OIDC) {
+      log('OIDC is not enabled');
+      return new NextResponse('OIDC is not enabled', { status: 404 });
+    }
+
+    // 在获取 OIDC 提供者实例前同步会话
+    await syncOIDCSession(req);
+
+    // 获取 OIDC Provider 实例
+    const provider = await getOIDCProvider();
+
+    log('Calling provider.callback() for POST');
+    await new Promise<void>((resolve, reject) => {
+      let middleware: any;
+      try {
+        log('Attempting to get middleware from provider.callback()');
+        middleware = provider.callback();
+        log('Successfully obtained middleware function.');
+      } catch (syncError) {
+        log('SYNC ERROR during provider.callback() call itself: %O', syncError);
+        reject(syncError);
+        return;
+      }
+
+      // 使用辅助方法创建响应收集器
+      responseCollector = createNodeResponse(resolve);
+      const nodeResponse = responseCollector.nodeResponse;
+
+      // 使用辅助方法创建 Node.js 请求对象，包含 POST 请求体
+      const nodeRequest = createNodeRequest(req, '/oauth', bodyText);
+
+      log('Calling the obtained middleware...');
+      middleware(nodeRequest, nodeResponse, (error?: Error) => {
+        log('Middleware callback function HAS BEEN EXECUTED.');
+        if (error) {
+          log('Middleware error reported via callback: %O', error);
+          reject(error);
+        } else {
+          log(
+            'Middleware completed successfully via callback (may be redundant if .end() was called).',
+          );
+          resolve();
+        }
+      });
+      log('Middleware call initiated, waiting for its callback OR nodeResponse.end()...');
+    });
+
+    log('Promise surrounding middleware call resolved.');
+
+    // 访问最终的响应状态
+    if (!responseCollector) {
+      throw new Error('ResponseCollector was not initialized.');
+    }
+
+    const {
+      responseStatus: finalStatus,
+      responseBody: finalBody,
+      responseHeaders: finalHeaders,
+    } = responseCollector;
+
+    log('Final Response Status: %d', finalStatus);
+    log('Final Response Headers: %O', finalHeaders);
+
+    return new NextResponse(finalBody, {
+      // eslint-disable-next-line no-undef
+      headers: finalHeaders as HeadersInit,
+      status: finalStatus,
+    });
+  } catch (error) {
+    log('Error handling OIDC POST request: %O', error); // Log the full error object
+    return new NextResponse(`Internal Server Error: ${(error as Error).message}`, { status: 500 });
+  }
+}
+
+/**
+ * 同样处理其他 HTTP 方法
+ */
+export const PUT = POST;
+export const DELETE = POST;
+export const PATCH = POST;

package/src/app/(backend)/oidc/consent/route.ts

@@ -0,0 +1,97 @@
+import debug from 'debug';
+import { NextRequest, NextResponse } from 'next/server';
+import urlJoin from 'url-join';
+
+import { appEnv } from '@/config/app';
+import { OIDCService } from '@/server/services/oidc';
+
+const log = debug('lobe-oidc:consent');
+
+export async function POST(request: NextRequest) {
+  try {
+    const formData = await request.formData();
+    const consent = formData.get('consent') as string;
+    const uid = formData.get('uid') as string;
+
+    log('POST /oauth/consent - uid=%s, choice=%s', uid, consent);
+
+    const oidcService = await OIDCService.initialize();
+
+    let details;
+    try {
+      details = await oidcService.getInteractionDetails(uid);
+      log(
+        'Interaction details found - prompt=%s, client=%s',
+        details.prompt.name,
+        details.params.client_id,
+      );
+    } catch (error) {
+      log(
+        'Error: Interaction details not found - %s',
+        error instanceof Error ? error.message : 'unknown error',
+      );
+      if (error instanceof Error && error.message.includes('interaction session not found')) {
+        return NextResponse.json(
+          {
+            error: 'invalid_request',
+            error_description:
+              'Authorization session expired or invalid, please restart the authorization flow',
+          },
+          { status: 400 },
+        );
+      }
+      throw error;
+    }
+
+    let result;
+    if (consent === 'accept') {
+      if (details.prompt.name === 'login') {
+        result = {
+          login: { accountId: details.session?.accountId, remember: true },
+        };
+      } else {
+        result = {
+          consent: {
+            rejectedClaims: [],
+            rejectedScopes: [],
+          },
+        };
+      }
+      log('User %s the authorization', consent);
+    } else {
+      result = {
+        error: 'access_denied',
+        error_description: 'User denied the authorization request',
+      };
+      log('User %s the authorization', consent);
+    }
+
+    // 获取OIDC提供商的默认重定向URL，但不会直接使用它
+    const redirectUrl = await oidcService.getInteractionResult(uid, result);
+    log('Default redirectUrl: %s', redirectUrl);
+
+    // 根据用户选择定制重定向地址
+
+    if (consent === 'accept') {
+      // 用户同意授权，跳转到success页面
+      const successUrl = urlJoin(appEnv.APP_URL!, `/oauth/consent/${uid}/success`);
+      log('Redirecting to success page: %s', successUrl);
+      return NextResponse.redirect(successUrl);
+    } else {
+      // 用户拒绝授权，跳转到failed页面
+      const failedUrl = urlJoin(appEnv.APP_URL!, `/oauth/consent/${uid}/failed`);
+      log('Redirecting to failed page: %s', failedUrl);
+      return NextResponse.redirect(failedUrl);
+    }
+  } catch (error) {
+    log('Error processing consent: %s', error instanceof Error ? error.message : 'unknown error');
+    console.error('Error processing consent:', error);
+    return NextResponse.json(
+      {
+        error: 'server_error',
+        error_description: 'Error processing consent',
+      },
+      { status: 500 },
+    );
+  }
+}

package/src/app/[variants]/oauth/consent/[uid]/Client.tsx

@@ -0,0 +1,97 @@
+'use client';
+
+import { Button, Card, Typography } from 'antd';
+import { createStyles } from 'antd-style';
+import React, { memo } from 'react';
+import { useTranslation } from 'react-i18next';
+import { Center, Flexbox } from 'react-layout-kit';
+
+type ClientProps = {
+  clientId: string;
+  error?: {
+    message: string;
+    title: string;
+  };
+  scopes: string[];
+  uid: string;
+};
+
+const { Title, Text, Paragraph } = Typography;
+
+const useStyles = createStyles(({ css, token }) => ({
+  error: css`
+    text-align: center;
+  `,
+  scope: css`
+    margin-block: 8px;
+    padding: 12px;
+    border-radius: 4px;
+    background: ${token.colorFillTertiary};
+  `,
+  scopes: css`
+    width: 100%;
+    margin-block: 16px;
+  `,
+}));
+
+/**
+ * 获取 Scope 的描述
+ */
+function getScopeDescription(scope: string, t: any): string {
+  return t(`consent.scope.${scope}`, scope);
+}
+
+const ConsentClient = memo(({ uid, clientId, scopes, error }: ClientProps) => {
+  const { styles } = useStyles();
+  const { t } = useTranslation('oauth');
+
+  // 如果有错误，显示错误信息
+  if (error) {
+    return (
+      <Center height="100vh">
+        <div className={styles.error}>
+          <Title level={2}>{error.title}</Title>
+          <Paragraph>{error.message}</Paragraph>
+        </div>
+      </Center>
+    );
+  }
+
+  return (
+    <Center height="100vh">
+      <Card style={{ maxWidth: 500, width: '100%' }}>
+        <Flexbox gap={24}>
+          <Title level={3} style={{ margin: 0 }}>
+            {t('consent.title')}
+          </Title>
+          <Paragraph>{t('consent.description', { clientId })}</Paragraph>
+
+          <div className={styles.scopes}>
+            <Paragraph>{t('consent.permissionsTitle')}</Paragraph>
+            {scopes.map((scope) => (
+              <div className={styles.scope} key={scope}>
+                <Text>{getScopeDescription(scope, t)}</Text>
+              </div>
+            ))}
+          </div>
+
+          <form action="/oidc/consent" method="post">
+            <input name="uid" type="hidden" value={uid} />
+            <Flexbox gap={12} horizontal justify="flex-end">
+              <Button htmlType="submit" name="consent" value="deny">
+                {t('consent.buttons.deny')}
+              </Button>
+              <Button htmlType="submit" name="consent" type="primary" value="accept">
+                {t('consent.buttons.accept')}
+              </Button>
+            </Flexbox>
+          </form>
+        </Flexbox>
+      </Card>
+    </Center>
+  );
+});
+
+ConsentClient.displayName = 'ConsentClient';
+
+export { ConsentClient };