@lobehub/chat 1.79.6 → 1.79.8

package/src/libs/oidc-provider/http-adapter.ts

@@ -0,0 +1,279 @@
+import debug from 'debug';
+import { cookies } from 'next/headers';
+import { NextRequest } from 'next/server';
+import { IncomingMessage, ServerResponse } from 'node:http';
+import urlJoin from 'url-join';
+
+import { appEnv } from '@/config/app';
+
+const log = debug('lobe-oidc:http-adapter');
+
+/**
+ * 将 Next.js 请求头转换为标准 Node.js HTTP 头格式
+ */
+export const convertHeadersToNodeHeaders = (nextHeaders: Headers): Record<string, string> => {
+  const headers: Record<string, string> = {};
+  nextHeaders.forEach((value, key) => {
+    headers[key] = value;
+  });
+  return headers;
+};
+
+/**
+ * 创建用于 OIDC Provider 的 Node.js HTTP 请求对象
+ * @param req Next.js 请求对象
+ * @param pathPrefix 路径前缀
+ * @param bodyText 可选的请求体文本，用于 POST 请求
+ */
+export const createNodeRequest = (
+  req: NextRequest,
+  pathPrefix: string = '/oidc',
+  bodyText?: string,
+): IncomingMessage => {
+  // 构建 URL 对象
+  const url = new URL(req.url);
+
+  // 计算相对于前缀的路径
+  let providerPath = url.pathname;
+  if (pathPrefix && url.pathname.startsWith(pathPrefix)) {
+    providerPath = url.pathname.slice(pathPrefix.length);
+  }
+
+  // 确保路径始终以/开头
+  if (!providerPath.startsWith('/')) {
+    providerPath = '/' + providerPath;
+  }
+
+  log('Creating Node.js request from Next.js request');
+  log('Original path: %s, Provider path: %s', url.pathname, providerPath);
+
+  const nodeRequest = {
+    // 基本属性
+    headers: convertHeadersToNodeHeaders(req.headers),
+    method: req.method,
+    // 模拟可读流行为
+    // eslint-disable-next-line @typescript-eslint/ban-types
+    on: (event: string, handler: Function) => {
+      if (event === 'data' && bodyText) {
+        handler(bodyText);
+      }
+      if (event === 'end') {
+        handler();
+      }
+    },
+
+    url: providerPath + url.search,
+
+    // POST 请求所需属性
+    ...(bodyText && {
+      body: bodyText,
+      readable: true,
+    }),
+
+    // 添加 Node.js 服务器所期望的额外属性
+    socket: {
+      remoteAddress: req.headers.get('x-forwarded-for') || '127.0.0.1',
+    },
+  } as unknown as IncomingMessage;
+
+  log('Node.js request created with method %s and path %s', nodeRequest.method, nodeRequest.url);
+  return nodeRequest;
+};
+
+/**
+ * 响应收集器接口，用于捕获 OIDC Provider 的响应
+ */
+export interface ResponseCollector {
+  nodeResponse: ServerResponse;
+  readonly responseBody: string | Buffer;
+  readonly responseHeaders: Record<string, string | string[]>;
+  readonly responseStatus: number;
+}
+
+/**
+ * 创建用于 OIDC Provider 的 Node.js HTTP 响应对象
+ * @param resolvePromise 当响应完成时调用的解析函数
+ */
+export const createNodeResponse = (resolvePromise: () => void): ResponseCollector => {
+  log('Creating Node.js response collector');
+
+  // 存储响应状态的对象
+  const state = {
+    responseBody: '' as string | Buffer,
+    responseHeaders: {} as Record<string, string | string[]>,
+    responseStatus: 200,
+  };
+
+  let promiseResolved = false;
+
+  const nodeResponse: any = {
+    end: (chunk?: string | Buffer) => {
+      log('NodeResponse.end called');
+      if (chunk) {
+        log('NodeResponse.end chunk: %s', typeof chunk === 'string' ? chunk : '(Buffer)');
+        // @ts-ignore
+        state.responseBody += chunk;
+      }
+
+      const locationHeader = state.responseHeaders['location'];
+      if (locationHeader && state.responseStatus === 200) {
+        log('Location header detected with status 200, overriding to 302');
+        state.responseStatus = 302;
+      }
+
+      if (!promiseResolved) {
+        log('Resolving response promise');
+        promiseResolved = true;
+        resolvePromise();
+      }
+    },
+
+    getHeader: (name: string) => {
+      const lowerName = name.toLowerCase();
+      return state.responseHeaders[lowerName];
+    },
+
+    getHeaderNames: () => {
+      return Object.keys(state.responseHeaders);
+    },
+
+    getHeaders: () => {
+      return state.responseHeaders;
+    },
+
+    headersSent: false,
+
+    setHeader: (name: string, value: string | string[]) => {
+      const lowerName = name.toLowerCase();
+      log('Setting header: %s = %s', lowerName, value);
+      state.responseHeaders[lowerName] = value;
+    },
+
+    write: (chunk: string | Buffer) => {
+      log('NodeResponse.write called with chunk');
+      // @ts-ignore
+      state.responseBody += chunk;
+    },
+
+    writeHead: (status: number, headers?: Record<string, string | string[]>) => {
+      log('NodeResponse.writeHead called with status: %d', status);
+      state.responseStatus = status;
+
+      if (headers) {
+        const lowerCaseHeaders = Object.entries(headers).reduce(
+          (acc, [key, value]) => {
+            acc[key.toLowerCase()] = value;
+            return acc;
+          },
+          {} as Record<string, string | string[]>,
+        );
+        state.responseHeaders = { ...state.responseHeaders, ...lowerCaseHeaders };
+      }
+
+      (nodeResponse as any).headersSent = true;
+    },
+  } as unknown as ServerResponse;
+
+  log('Node.js response collector created successfully');
+
+  return {
+    nodeResponse,
+    get responseBody() {
+      return state.responseBody;
+    },
+    get responseHeaders() {
+      return state.responseHeaders;
+    },
+    get responseStatus() {
+      return state.responseStatus;
+    },
+  };
+};
+
+/**
+ * 创建用于调用 provider.interactionDetails 的上下文 (req, res)
+ * @param uid 交互 ID
+ */
+export const createContextForInteractionDetails = async (
+  uid: string,
+): Promise<{ req: IncomingMessage; res: ServerResponse }> => {
+  log('Creating context for interaction details for uid: %s', uid);
+
+  // 使用APP_URL环境变量来构建URL基础部分
+  const baseUrl = appEnv.APP_URL!;
+  log('Using base URL: %s', baseUrl);
+
+  // 从baseUrl提取主机名用于headers
+  const hostName = new URL(baseUrl).host;
+
+  // 1. 获取真实的 Cookies
+  const cookieStore = await cookies();
+  const realCookies: Record<string, string> = {};
+  cookieStore.getAll().forEach((cookie) => {
+    realCookies[cookie.name] = cookie.value;
+  });
+  log('Real cookies found: %o', Object.keys(realCookies));
+
+  // 特别检查交互会话cookie
+  const interactionCookieName = `_interaction_${uid}`;
+  if (realCookies[interactionCookieName]) {
+    log('Found interaction session cookie: %s', interactionCookieName);
+  } else {
+    log('Warning: Interaction session cookie not found: %s', interactionCookieName);
+  }
+
+  // 2. 构建包含真实 Cookie 的 Headers
+  const headers = new Headers({ host: hostName });
+  const cookieString = Object.entries(realCookies)
+    .map(([name, value]) => `${name}=${value}`)
+    .join('; ');
+  if (cookieString) {
+    headers.set('cookie', cookieString);
+    log('Setting cookie header');
+  } else {
+    log('No cookies found to set in header');
+  }
+
+  // 3. 创建模拟的 NextRequest
+  // 注意：这里的 IP, geo, ua 等信息可能是 oidc-provider 某些特性需要的，
+  // 如果遇到相关问题，可能需要从真实请求头中提取 (e.g., 'x-forwarded-for', 'user-agent')
+  const interactionUrl = urlJoin(baseUrl, `/oauth/consent/${uid}`);
+  log('Creating interaction URL: %s', interactionUrl);
+
+  const mockNextRequest = {
+    cookies: {
+      // 模拟 NextRequestCookies 接口
+      get: (name: string) => cookieStore.get(name)?.value,
+      getAll: () => cookieStore.getAll(),
+      has: (name: string) => cookieStore.has(name),
+    },
+    geo: {},
+    headers: headers,
+    ip: '127.0.0.1',
+    method: 'GET',
+    nextUrl: new URL(interactionUrl),
+    page: { name: undefined, params: undefined },
+    ua: undefined,
+    url: new URL(interactionUrl),
+  } as unknown as NextRequest;
+  log('Mock NextRequest created for url: %s', mockNextRequest.url);
+
+  // 4. 使用 createNodeRequest 创建模拟的 Node.js IncomingMessage
+  // pathPrefix 设置为 '/' 因为我们的 URL 已经是 Provider 期望的路径格式 /interaction/:uid
+  const req: IncomingMessage = createNodeRequest(mockNextRequest, '/');
+  // @ts-ignore - 将解析出的 cookies 附加到模拟的 Node.js 请求上
+  req.cookies = realCookies;
+  log('Node.js IncomingMessage created, attached real cookies');
+
+  // 5. 使用 createNodeResponse 创建模拟的 Node.js ServerResponse
+  let resolveFunc: () => void;
+  new Promise<void>((resolve) => {
+    resolveFunc = resolve;
+  });
+
+  const responseCollector: ResponseCollector = createNodeResponse(() => resolveFunc());
+  const res: ServerResponse = responseCollector.nodeResponse;
+  log('Node.js ServerResponse created');
+
+  return { req, res };
+};

package/src/libs/oidc-provider/interaction-policy.ts

@@ -0,0 +1,37 @@
+import debug from 'debug';
+import { interactionPolicy } from 'oidc-provider';
+
+const { base } = interactionPolicy; // Import Check and base
+const log = debug('lobe-oidc:interaction-policy');
+
+/**
+ * 创建自定义交互策略
+ */
+export const createInteractionPolicy = () => {
+  log('Creating custom interaction policy');
+  const policy = base();
+
+  log('Base policy details: %O', {
+    promptNames: Array.from(policy.keys()),
+    size: policy.length,
+  });
+
+  const loginPrompt = policy.get('login');
+  log('Accessing login prompt from policy: %O', !!loginPrompt);
+
+  if (loginPrompt) {
+    log('Login prompt details: %O', {
+      checks: Array.from(loginPrompt.checks.keys()),
+      name: loginPrompt.name,
+      requestable: loginPrompt.requestable,
+    });
+  } else {
+    console.warn(
+      "Could not find 'login' prompt in the base policy. Custom session check not applied.",
+    );
+    log('WARNING: login prompt not found in base policy');
+  }
+
+  log('Custom interaction policy created successfully');
+  return policy;
+};

package/src/libs/oidc-provider/provider.ts

@@ -0,0 +1,260 @@
+import debug from 'debug';
+import Provider, { Configuration, KoaContextWithOIDC } from 'oidc-provider';
+
+import { serverDBEnv } from '@/config/db';
+import { UserModel } from '@/database/models/user';
+import { LobeChatDatabase } from '@/database/type';
+import { oidcEnv } from '@/envs/oidc';
+
+import { DrizzleAdapter } from './adapter';
+import { defaultClaims, defaultClients, defaultScopes } from './config';
+import { createInteractionPolicy } from './interaction-policy';
+
+const logProvider = debug('lobe-oidc:provider'); // <--- 添加 provider 日志实例
+
+/**
+ * 从环境变量中获取 JWKS
+ * 该 JWKS 是一个包含 RS256 私钥的 JSON 对象
+ */
+const getJWKS = (): object => {
+  try {
+    const jwksString = oidcEnv.OIDC_JWKS_KEY;
+
+    if (!jwksString) {
+      throw new Error(
+        'OIDC_JWKS_KEY 环境变量是必需的。请使用 scripts/generate-oidc-jwk.mjs 生成 JWKS。',
+      );
+    }
+
+    // 尝试解析 JWKS JSON 字符串
+    const jwks = JSON.parse(jwksString);
+
+    // 检查 JWKS 格式是否正确
+    if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
+      throw new Error('JWKS 格式无效: 缺少或为空的 keys 数组');
+    }
+
+    // 检查是否有 RS256 算法的密钥
+    const hasRS256Key = jwks.keys.some((key: any) => key.alg === 'RS256' && key.kty === 'RSA');
+    if (!hasRS256Key) {
+      throw new Error('JWKS 中没有找到 RS256 算法的 RSA 密钥');
+    }
+
+    return jwks;
+  } catch (error) {
+    console.error('解析 JWKS 失败:', error);
+    throw new Error(`OIDC_JWKS_KEY 解析错误: ${(error as Error).message}`);
+  }
+};
+
+/**
+ * 获取 Cookie 密钥，使用 KEY_VAULTS_SECRET
+ */
+const getCookieKeys = () => {
+  const key = serverDBEnv.KEY_VAULTS_SECRET;
+  if (!key) {
+    throw new Error('KEY_VAULTS_SECRET is required for OIDC Provider cookie encryption');
+  }
+  return [key];
+};
+
+/**
+ * 创建 OIDC Provider 实例
+ * @param db - 数据库实例
+ * @param baseUrl - 服务部署的基础URL
+ * @returns 配置好的 OIDC Provider 实例
+ */
+export const createOIDCProvider = async (
+  db: LobeChatDatabase,
+  baseUrl: string,
+): Promise<Provider> => {
+  const issuerUrl = `${baseUrl}/oidc`;
+  if (!issuerUrl) {
+    throw new Error('Base URL is required for OIDC Provider');
+  }
+
+  // 获取 JWKS
+  const jwks = getJWKS();
+
+  const cookieKeys = getCookieKeys();
+
+  const configuration: Configuration = {
+    // 11. 数据库适配器
+    adapter: DrizzleAdapter.createAdapterFactory(db),
+
+    // 4. Claims 定义
+    claims: defaultClaims,
+
+    // 1. 客户端配置
+    clients: defaultClients,
+
+    // 7. Cookie 配置
+    cookies: {
+      keys: cookieKeys,
+      long: { signed: true },
+      short: { path: '/', signed: true },
+    },
+
+    // 5. 特性配置
+    features: {
+      backchannelLogout: { enabled: true },
+      clientCredentials: { enabled: false },
+      devInteractions: { enabled: false },
+      deviceFlow: { enabled: false },
+      introspection: { enabled: true },
+      resourceIndicators: { enabled: false },
+      revocation: { enabled: true },
+      rpInitiatedLogout: { enabled: true },
+      userinfo: { enabled: true },
+    },
+
+    // 10. 账户查找
+    async findAccount(ctx: KoaContextWithOIDC, id: string) {
+      logProvider('findAccount called for id: %s', id);
+
+      // 检查是否有预先存储的外部账户 ID
+      // @ts-ignore - 自定义属性
+      const externalAccountId = ctx.externalAccountId;
+      if (externalAccountId) {
+        logProvider('Found externalAccountId in context: %s', externalAccountId);
+      }
+
+      // 确定要查找的账户 ID
+      // 优先级: 1. externalAccountId 2. ctx.oidc.session?.accountId 3. 传入的 id
+      const accountIdToFind = externalAccountId || ctx.oidc?.session?.accountId || id;
+
+      logProvider(
+        'Attempting to find account with ID: %s (source: %s)',
+        accountIdToFind,
+        externalAccountId
+          ? 'externalAccountId'
+          : ctx.oidc?.session?.accountId
+            ? 'oidc_session'
+            : 'parameter_id',
+      );
+
+      // 如果没有可用的 ID，返回 undefined
+      if (!accountIdToFind) {
+        logProvider('findAccount: No account ID available, returning undefined.');
+        return undefined;
+      }
+
+      try {
+        const user = await UserModel.findById(db, accountIdToFind);
+        logProvider(
+          'UserModel.findById result for %s: %O',
+          accountIdToFind,
+          user ? { id: user.id, name: user.username } : null,
+        );
+
+        if (!user) {
+          logProvider('No user found for accountId: %s', accountIdToFind);
+          return undefined;
+        }
+
+        return {
+          accountId: user.id,
+          async claims(use, scope): Promise<{ [key: string]: any; sub: string }> {
+            logProvider('claims function called for user %s with scope: %s', user.id, scope);
+            const claims: { [key: string]: any; sub: string } = {
+              sub: user.id,
+            };
+
+            if (scope.includes('profile')) {
+              claims.name =
+                user.fullName ||
+                user.username ||
+                `${user.firstName || ''} ${user.lastName || ''}`.trim();
+              claims.picture = user.avatar;
+            }
+
+            if (scope.includes('email')) {
+              claims.email = user.email;
+              claims.email_verified = !!user.emailVerifiedAt;
+            }
+
+            logProvider('Returning claims: %O', claims);
+            return claims;
+          },
+        };
+      } catch (error) {
+        logProvider('Error finding account or generating claims: %O', error);
+        console.error('Error finding account:', error);
+        return undefined;
+      }
+    },
+    // 9. 交互策略
+    interactions: {
+      policy: createInteractionPolicy(),
+      url(ctx, interaction) {
+        // ---> 添加日志 <---
+        logProvider('interactions.url function called');
+        logProvider('Interaction details: %O', interaction);
+        const interactionUrl = `/oauth/consent/${interaction.uid}`;
+        logProvider('Generated interaction URL: %s', interactionUrl);
+        // ---> 添加日志结束 <---
+        return interactionUrl;
+      },
+    },
+
+    // 6. 密钥配置 - 使用 RS256 JWKS
+    jwks: jwks as { keys: any[] },
+
+    // 2. PKCE 配置
+    pkce: {
+      required: () => true,
+    },
+
+    // 12. 其他配置
+    renderError: async (ctx, out, error) => {
+      ctx.type = 'html';
+      ctx.body = `
+        <html>
+          <head>
+            <title>LobeHub OIDC Error</title>
+          </head>
+          <body>
+            <h1>LobeHub OIDC Error</h1>
+            <p>${JSON.stringify(error, null, 2)}</p>
+            <p>${JSON.stringify(out, null, 2)}</p>
+          </body>
+        </html>
+      `;
+    },
+
+    // 新增：启用 Refresh Token 轮换
+    rotateRefreshToken: true,
+
+    // 3. Scopes 定义
+    scopes: defaultScopes,
+
+    // 8. 令牌有效期
+    ttl: {
+      AccessToken: 3600, // 1 hour in seconds
+      AuthorizationCode: 600, // 10 minutes
+      DeviceCode: 600, // 10 minutes (if enabled)
+
+      IdToken: 3600, // 1 hour
+      Interaction: 3600, // 1 hour
+
+      RefreshToken: 30 * 24 * 60 * 60, // 30 days
+      Session: 30 * 24 * 60 * 60, // 30 days
+    },
+  };
+
+  // 创建提供者实例
+  const provider = new Provider(issuerUrl, configuration);
+
+  provider.on('server_error', (ctx, err) => {
+    logProvider('OIDC Provider Server Error: %O', err); // Use logProvider
+    console.error('OIDC Provider Error:', err);
+  });
+
+  provider.on('authorization.success', (ctx) => {
+    logProvider('Authorization successful for client: %s', ctx.oidc.client?.clientId); // Use logProvider
+  });
+
+  return provider;
+};
+
+export { type default as OIDCProvider } from 'oidc-provider';

package/src/locales/default/index.ts

@@ -13,6 +13,7 @@ import metadata from './metadata';
 import migration from './migration';
 import modelProvider from './modelProvider';
 import models from './models';
+import oauth from './oauth';
 import plugin from './plugin';
 import portal from './portal';
 import providers from './providers';
@@ -39,6 +40,7 @@ const resources = {
   migration,
   modelProvider,
   models,
+  oauth,
   plugin,
   portal,
   providers,

package/src/locales/default/oauth.ts

@@ -0,0 +1,41 @@
+const oauth = {
+  consent: {
+    buttons: {
+      accept: '授权',
+      deny: '拒绝',
+    },
+    description: '应用 {clientId} 请求访问您的 LobeChat 账户',
+    error: {
+      sessionInvalid: {
+        message: '授权会话已过期或无效，请重新发起授权流程。',
+        title: '授权会话无效',
+      },
+      title: '发生错误',
+      unsupportedInteraction: {
+        message: '不支持的交互类型: {promptName}',
+        title: '不支持的交互类型',
+      },
+    },
+    permissionsTitle: '应用请求以下权限：',
+    scope: {
+      'email': '访问您的电子邮件地址',
+      'offline_access': '在您离线时继续访问您的数据',
+      'openid': '使用您的 LobeChat 账户进行身份验证',
+      'profile': '访问您的基本资料信息（名称、头像等）',
+      'sync:read': '读取您的同步数据',
+      'sync:write': '写入并更新您的同步数据',
+    },
+    title: '授权请求',
+  },
+  failed: {
+    backToHome: '返回首页',
+    subTitle: '您已拒绝授权应用访问您的 LobeChat 账户',
+    title: '授权被拒绝',
+  },
+  success: {
+    subTitle: '您已成功授权应用访问您的 LobeChat 账户，可以关闭该页面了',
+    title: '授权成功',
+  },
+};
+
+export default oauth;