@lobehub/chat 1.79.7 → 1.79.9

package/src/libs/oidc-provider/http-adapter.ts

@@ -0,0 +1,311 @@
+import debug from 'debug';
+import { cookies } from 'next/headers';
+import { NextRequest } from 'next/server';
+import { IncomingMessage, ServerResponse } from 'node:http';
+import urlJoin from 'url-join';
+
+import { appEnv } from '@/config/app';
+
+const log = debug('lobe-oidc:http-adapter');
+
+/**
+ * 将 Next.js 请求头转换为标准 Node.js HTTP 头格式
+ */
+export const convertHeadersToNodeHeaders = (nextHeaders: Headers): Record<string, string> => {
+  const headers: Record<string, string> = {};
+  nextHeaders.forEach((value, key) => {
+    headers[key] = value;
+  });
+  return headers;
+};
+
+/**
+ * 创建用于 OIDC Provider 的 Node.js HTTP 请求对象
+ * @param req Next.js 请求对象
+ */
+export const createNodeRequest = async (req: NextRequest): Promise<IncomingMessage> => {
+  // 构建 URL 对象
+  const url = new URL(req.url);
+
+  // 计算相对于前缀的路径
+  let providerPath = url.pathname;
+
+  // 确保路径始终以/开头
+  if (!providerPath.startsWith('/')) {
+    providerPath = '/' + providerPath;
+  }
+
+  log('Creating Node.js request from Next.js request');
+  log('Original path: %s, Provider path: %s', url.pathname, providerPath);
+
+  // Attempt to parse and attach body for relevant methods
+  let parsedBody: any = undefined;
+  const methodsWithBody = ['POST', 'PUT', 'PATCH', 'DELETE'];
+  if (methodsWithBody.includes(req.method)) {
+    const contentType = req.headers.get('content-type')?.split(';')[0]; // Get content type without charset etc.
+    log(`Attempting to parse body for ${req.method} with Content-Type: ${contentType}`);
+    try {
+      // Check if body exists and has size before attempting to parse
+      if (req.body && req.headers.get('content-length') !== '0') {
+        if (contentType === 'application/x-www-form-urlencoded') {
+          const formData = await req.formData();
+          parsedBody = {};
+          formData.forEach((value, key) => {
+            // If a key appears multiple times, keep the last one (standard form behavior)
+            // Or convert to array if oidc-provider expects it:
+            // if (parsedBody[key]) {
+            //   if (!Array.isArray(parsedBody[key])) parsedBody[key] = [parsedBody[key]];
+            //   parsedBody[key].push(value);
+            // } else {
+            //   parsedBody[key] = value;
+            // }
+            parsedBody[key] = value;
+          });
+          log('Parsed form data body: %O', parsedBody);
+        } else if (contentType === 'application/json') {
+          parsedBody = await req.json();
+          log('Parsed JSON body: %O', parsedBody);
+        } else {
+          log(`Body parsing skipped for Content-Type: ${contentType}. Trying text() as fallback.`);
+          // Fallback: try reading as text if content type is unknown but body exists
+          parsedBody = await req.text();
+          log('Parsed body as text fallback.');
+        }
+      } else {
+        log('Request has no body or content-length is 0, skipping parsing.');
+      }
+    } catch (error) {
+      log('Error parsing request body: %O', error);
+      // Keep parsedBody as undefined, let oidc-provider handle the potential issue
+    }
+  }
+  const nodeRequest = {
+    // 基本属性
+    headers: convertHeadersToNodeHeaders(req.headers),
+
+    method: req.method,
+    // 模拟可读流行为 (oidc-provider might not rely on this if body is pre-parsed)
+    // eslint-disable-next-line @typescript-eslint/ban-types
+    on: (event: string, handler: Function) => {
+      if (event === 'end') {
+        // Simulate end immediately as body is already processed or will be attached
+        handler();
+      }
+    },
+    // 添加 Node.js 服务器所期望的额外属性
+    socket: {
+      remoteAddress: req.headers.get('x-forwarded-for') || '127.0.0.1',
+    },
+    url: providerPath + url.search,
+    ...(parsedBody !== undefined && { body: parsedBody }), // Attach body if it exists
+  };
+
+  log('Node.js request created with method %s and path %s', nodeRequest.method, nodeRequest.url);
+  if (nodeRequest.body) {
+    log('Attached parsed body to Node.js request.');
+  }
+  // Cast back to IncomingMessage for the function's return signature
+  return nodeRequest as unknown as IncomingMessage;
+};
+
+/**
+ * 响应收集器接口，用于捕获 OIDC Provider 的响应
+ */
+export interface ResponseCollector {
+  nodeResponse: ServerResponse;
+  readonly responseBody: string | Buffer;
+  readonly responseHeaders: Record<string, string | string[]>;
+  readonly responseStatus: number;
+}
+
+/**
+ * 创建用于 OIDC Provider 的 Node.js HTTP 响应对象
+ * @param resolvePromise 当响应完成时调用的解析函数
+ */
+export const createNodeResponse = (resolvePromise: () => void): ResponseCollector => {
+  log('Creating Node.js response collector');
+
+  // 存储响应状态的对象
+  const state = {
+    responseBody: '' as string | Buffer,
+    responseHeaders: {} as Record<string, string | string[]>,
+    responseStatus: 200,
+  };
+
+  let promiseResolved = false;
+
+  const nodeResponse: any = {
+    end: (chunk?: string | Buffer) => {
+      log('NodeResponse.end called');
+      if (chunk) {
+        log('NodeResponse.end chunk: %s', typeof chunk === 'string' ? chunk : '(Buffer)');
+        // @ts-ignore
+        state.responseBody += chunk;
+      }
+
+      const locationHeader = state.responseHeaders['location'];
+      if (locationHeader && state.responseStatus === 200) {
+        log('Location header detected with status 200, overriding to 302');
+        state.responseStatus = 302;
+      }
+
+      if (!promiseResolved) {
+        log('Resolving response promise');
+        promiseResolved = true;
+        resolvePromise();
+      }
+    },
+
+    getHeader: (name: string) => {
+      const lowerName = name.toLowerCase();
+      return state.responseHeaders[lowerName];
+    },
+
+    getHeaderNames: () => {
+      return Object.keys(state.responseHeaders);
+    },
+
+    getHeaders: () => {
+      return state.responseHeaders;
+    },
+
+    headersSent: false,
+
+    removeHeader: (name: string) => {
+      const lowerName = name.toLowerCase();
+      log('Removing header: %s', lowerName);
+      delete state.responseHeaders[lowerName];
+    },
+
+    setHeader: (name: string, value: string | string[]) => {
+      const lowerName = name.toLowerCase();
+      log('Setting header: %s = %s', lowerName, value);
+      state.responseHeaders[lowerName] = value;
+    },
+
+    write: (chunk: string | Buffer) => {
+      log('NodeResponse.write called with chunk');
+      // @ts-ignore
+      state.responseBody += chunk;
+    },
+
+    writeHead: (status: number, headers?: Record<string, string | string[]>) => {
+      log('NodeResponse.writeHead called with status: %d', status);
+      state.responseStatus = status;
+
+      if (headers) {
+        const lowerCaseHeaders = Object.entries(headers).reduce(
+          (acc, [key, value]) => {
+            acc[key.toLowerCase()] = value;
+            return acc;
+          },
+          {} as Record<string, string | string[]>,
+        );
+        state.responseHeaders = { ...state.responseHeaders, ...lowerCaseHeaders };
+      }
+
+      (nodeResponse as any).headersSent = true;
+    },
+  } as unknown as ServerResponse;
+
+  log('Node.js response collector created successfully');
+
+  return {
+    nodeResponse,
+    get responseBody() {
+      return state.responseBody;
+    },
+    get responseHeaders() {
+      return state.responseHeaders;
+    },
+    get responseStatus() {
+      return state.responseStatus;
+    },
+  };
+};
+
+/**
+ * 创建用于调用 provider.interactionDetails 的上下文 (req, res)
+ * @param uid 交互 ID
+ */
+export const createContextForInteractionDetails = async (
+  uid: string,
+): Promise<{ req: IncomingMessage; res: ServerResponse }> => {
+  log('Creating context for interaction details for uid: %s', uid);
+  const baseUrl = appEnv.APP_URL!;
+  log('Using base URL: %s', baseUrl);
+
+  // 从baseUrl提取主机名用于headers
+  const hostName = new URL(baseUrl).host;
+
+  // 1. 获取真实的 Cookies
+  const cookieStore = await cookies();
+  const realCookies: Record<string, string> = {};
+  cookieStore.getAll().forEach((cookie) => {
+    realCookies[cookie.name] = cookie.value;
+  });
+  log('Real cookies found: %o', Object.keys(realCookies));
+
+  // 特别检查交互会话cookie
+  const interactionCookieName = `_interaction_${uid}`;
+  if (realCookies[interactionCookieName]) {
+    log('Found interaction session cookie: %s', interactionCookieName);
+  } else {
+    log('Warning: Interaction session cookie not found: %s', interactionCookieName);
+  }
+
+  // 2. 构建包含真实 Cookie 的 Headers
+  const headers = new Headers({ host: hostName });
+  const cookieString = Object.entries(realCookies)
+    .map(([name, value]) => `${name}=${value}`)
+    .join('; ');
+  if (cookieString) {
+    headers.set('cookie', cookieString);
+    log('Setting cookie header');
+  } else {
+    log('No cookies found to set in header');
+  }
+
+  // 3. 创建模拟的 NextRequest
+  // 注意：这里的 IP, geo, ua 等信息可能是 oidc-provider 某些特性需要的，
+  // 如果遇到相关问题，可能需要从真实请求头中提取 (e.g., 'x-forwarded-for', 'user-agent')
+  const interactionUrl = urlJoin(baseUrl, `/oauth/consent/${uid}`);
+  log('Creating interaction URL: %s', interactionUrl);
+
+  const mockNextRequest = {
+    cookies: {
+      // 模拟 NextRequestCookies 接口
+      get: (name: string) => cookieStore.get(name)?.value,
+      getAll: () => cookieStore.getAll(),
+      has: (name: string) => cookieStore.has(name),
+    },
+    geo: {},
+    headers: headers,
+    ip: '127.0.0.1',
+    method: 'GET',
+    nextUrl: new URL(interactionUrl),
+    page: { name: undefined, params: undefined },
+    ua: undefined,
+    url: new URL(interactionUrl),
+  } as unknown as NextRequest;
+  log('Mock NextRequest created for url: %s', mockNextRequest.url);
+
+  // 4. 使用 createNodeRequest 创建模拟的 Node.js IncomingMessage
+  // pathPrefix 设置为 '/' 因为我们的 URL 已经是 Provider 期望的路径格式 /interaction/:uid
+  const req: IncomingMessage = await createNodeRequest(mockNextRequest);
+  // @ts-ignore - 将解析出的 cookies 附加到模拟的 Node.js 请求上
+  req.cookies = realCookies;
+  log('Node.js IncomingMessage created, attached real cookies');
+
+  // 5. 使用 createNodeResponse 创建模拟的 Node.js ServerResponse
+  let resolveFunc: () => void;
+  new Promise<void>((resolve) => {
+    resolveFunc = resolve;
+  });
+
+  const responseCollector: ResponseCollector = createNodeResponse(() => resolveFunc());
+  const res: ServerResponse = responseCollector.nodeResponse;
+  log('Node.js ServerResponse created');
+
+  return { req, res };
+};

package/src/libs/oidc-provider/interaction-policy.ts

@@ -0,0 +1,37 @@
+import debug from 'debug';
+import { interactionPolicy } from 'oidc-provider';
+
+const { base } = interactionPolicy; // Import Check and base
+const log = debug('lobe-oidc:interaction-policy');
+
+/**
+ * 创建自定义交互策略
+ */
+export const createInteractionPolicy = () => {
+  log('Creating custom interaction policy');
+  const policy = base();
+
+  log('Base policy details: %O', {
+    promptNames: Array.from(policy.keys()),
+    size: policy.length,
+  });
+
+  const loginPrompt = policy.get('login');
+  log('Accessing login prompt from policy: %O', !!loginPrompt);
+
+  if (loginPrompt) {
+    log('Login prompt details: %O', {
+      checks: Array.from(loginPrompt.checks.keys()),
+      name: loginPrompt.name,
+      requestable: loginPrompt.requestable,
+    });
+  } else {
+    console.warn(
+      "Could not find 'login' prompt in the base policy. Custom session check not applied.",
+    );
+    log('WARNING: login prompt not found in base policy');
+  }
+
+  log('Custom interaction policy created successfully');
+  return policy;
+};

package/src/libs/oidc-provider/provider.ts

@@ -0,0 +1,288 @@
+import debug from 'debug';
+import Provider, { Configuration, KoaContextWithOIDC } from 'oidc-provider';
+import urlJoin from 'url-join';
+
+import { appEnv } from '@/config/app';
+import { serverDBEnv } from '@/config/db';
+import { UserModel } from '@/database/models/user';
+import { LobeChatDatabase } from '@/database/type';
+import { oidcEnv } from '@/envs/oidc';
+
+import { DrizzleAdapter } from './adapter';
+import { defaultClaims, defaultClients, defaultScopes } from './config';
+import { createInteractionPolicy } from './interaction-policy';
+
+const logProvider = debug('lobe-oidc:provider'); // <--- 添加 provider 日志实例
+
+/**
+ * 从环境变量中获取 JWKS
+ * 该 JWKS 是一个包含 RS256 私钥的 JSON 对象
+ */
+const getJWKS = (): object => {
+  try {
+    const jwksString = oidcEnv.OIDC_JWKS_KEY;
+
+    if (!jwksString) {
+      throw new Error(
+        'OIDC_JWKS_KEY 环境变量是必需的。请使用 scripts/generate-oidc-jwk.mjs 生成 JWKS。',
+      );
+    }
+
+    // 尝试解析 JWKS JSON 字符串
+    const jwks = JSON.parse(jwksString);
+
+    // 检查 JWKS 格式是否正确
+    if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
+      throw new Error('JWKS 格式无效: 缺少或为空的 keys 数组');
+    }
+
+    // 检查是否有 RS256 算法的密钥
+    const hasRS256Key = jwks.keys.some((key: any) => key.alg === 'RS256' && key.kty === 'RSA');
+    if (!hasRS256Key) {
+      throw new Error('JWKS 中没有找到 RS256 算法的 RSA 密钥');
+    }
+
+    return jwks;
+  } catch (error) {
+    console.error('解析 JWKS 失败:', error);
+    throw new Error(`OIDC_JWKS_KEY 解析错误: ${(error as Error).message}`);
+  }
+};
+
+/**
+ * 获取 Cookie 密钥，使用 KEY_VAULTS_SECRET
+ */
+const getCookieKeys = () => {
+  const key = serverDBEnv.KEY_VAULTS_SECRET;
+  if (!key) {
+    throw new Error('KEY_VAULTS_SECRET is required for OIDC Provider cookie encryption');
+  }
+  return [key];
+};
+
+/**
+ * 创建 OIDC Provider 实例
+ * @param db - 数据库实例
+ * @returns 配置好的 OIDC Provider 实例
+ */
+export const createOIDCProvider = async (db: LobeChatDatabase): Promise<Provider> => {
+  // 获取 JWKS
+  const jwks = getJWKS();
+
+  const cookieKeys = getCookieKeys();
+
+  const configuration: Configuration = {
+    // 11. 数据库适配器
+    adapter: DrizzleAdapter.createAdapterFactory(db),
+
+    // 4. Claims 定义
+    claims: defaultClaims,
+
+    // 新增：客户端 CORS 控制逻辑
+    clientBasedCORS(ctx, origin, client) {
+      // 检查客户端是否允许此来源
+      // 一个常见的策略是允许所有已注册的 redirect_uris 的来源
+      if (!client || !client.redirectUris) {
+        logProvider('clientBasedCORS: No client or redirectUris found, denying origin: %s', origin);
+        return false; // 如果没有客户端或重定向URI，则拒绝
+      }
+
+      const allowed = client.redirectUris.some((uri) => {
+        try {
+          // 比较来源 (scheme, hostname, port)
+          return new URL(uri).origin === origin;
+        } catch {
+          // 如果 redirect_uri 不是有效的 URL (例如自定义协议)，则跳过
+          return false;
+        }
+      });
+
+      logProvider(
+        'clientBasedCORS check for origin [%s] and client [%s]: %s',
+        origin,
+        client.clientId,
+        allowed ? 'Allowed' : 'Denied',
+      );
+      return allowed;
+    },
+
+    // 1. 客户端配置
+    clients: defaultClients,
+
+    // 7. Cookie 配置
+    cookies: {
+      keys: cookieKeys,
+      long: { path: '/', signed: true },
+      short: { path: '/', signed: true },
+    },
+
+    // 5. 特性配置
+    features: {
+      backchannelLogout: { enabled: true },
+      clientCredentials: { enabled: false },
+      devInteractions: { enabled: false },
+      deviceFlow: { enabled: false },
+      introspection: { enabled: true },
+      resourceIndicators: { enabled: false },
+      revocation: { enabled: true },
+      rpInitiatedLogout: { enabled: true },
+      userinfo: { enabled: true },
+    },
+    // 10. 账户查找
+    async findAccount(ctx: KoaContextWithOIDC, id: string) {
+      logProvider('findAccount called for id: %s', id);
+
+      // 检查是否有预先存储的外部账户 ID
+      // @ts-ignore - 自定义属性
+      const externalAccountId = ctx.externalAccountId;
+      if (externalAccountId) {
+        logProvider('Found externalAccountId in context: %s', externalAccountId);
+      }
+
+      // 确定要查找的账户 ID
+      // 优先级: 1. externalAccountId 2. ctx.oidc.session?.accountId 3. 传入的 id
+      const accountIdToFind = externalAccountId || ctx.oidc?.session?.accountId || id;
+
+      logProvider(
+        'Attempting to find account with ID: %s (source: %s)',
+        accountIdToFind,
+        externalAccountId
+          ? 'externalAccountId'
+          : ctx.oidc?.session?.accountId
+            ? 'oidc_session'
+            : 'parameter_id',
+      );
+
+      // 如果没有可用的 ID，返回 undefined
+      if (!accountIdToFind) {
+        logProvider('findAccount: No account ID available, returning undefined.');
+        return undefined;
+      }
+
+      try {
+        const user = await UserModel.findById(db, accountIdToFind);
+        logProvider(
+          'UserModel.findById result for %s: %O',
+          accountIdToFind,
+          user ? { id: user.id, name: user.username } : null,
+        );
+
+        if (!user) {
+          logProvider('No user found for accountId: %s', accountIdToFind);
+          return undefined;
+        }
+
+        return {
+          accountId: user.id,
+          async claims(use, scope): Promise<{ [key: string]: any; sub: string }> {
+            logProvider('claims function called for user %s with scope: %s', user.id, scope);
+            const claims: { [key: string]: any; sub: string } = {
+              sub: user.id,
+            };
+
+            if (scope.includes('profile')) {
+              claims.name =
+                user.fullName ||
+                user.username ||
+                `${user.firstName || ''} ${user.lastName || ''}`.trim();
+              claims.picture = user.avatar;
+            }
+
+            if (scope.includes('email')) {
+              claims.email = user.email;
+              claims.email_verified = !!user.emailVerifiedAt;
+            }
+
+            logProvider('Returning claims: %O', claims);
+            return claims;
+          },
+        };
+      } catch (error) {
+        logProvider('Error finding account or generating claims: %O', error);
+        console.error('Error finding account:', error);
+        return undefined;
+      }
+    },
+
+    // 9. 交互策略
+    interactions: {
+      policy: createInteractionPolicy(),
+      url(ctx, interaction) {
+        // ---> 添加日志 <---
+        logProvider('interactions.url function called');
+        logProvider('Interaction details: %O', interaction);
+        const interactionUrl = `/oauth/consent/${interaction.uid}`;
+        logProvider('Generated interaction URL: %s', interactionUrl);
+        // ---> 添加日志结束 <---
+        return interactionUrl;
+      },
+    },
+
+    // 6. 密钥配置 - 使用 RS256 JWKS
+    jwks: jwks as { keys: any[] },
+
+    // 2. PKCE 配置
+    pkce: {
+      required: () => true,
+    },
+
+    // 12. 其他配置
+    renderError: async (ctx, out, error) => {
+      ctx.type = 'html';
+      ctx.body = `
+        <html>
+          <head>
+            <title>LobeHub OIDC Error</title>
+          </head>
+          <body>
+            <h1>LobeHub OIDC Error</h1>
+            <p>${JSON.stringify(error, null, 2)}</p>
+            <p>${JSON.stringify(out, null, 2)}</p>
+          </body>
+        </html>
+      `;
+    },
+
+    // 新增：启用 Refresh Token 轮换
+    rotateRefreshToken: true,
+
+    routes: {
+      authorization: '/oidc/auth',
+      end_session: '/oidc/session/end',
+      token: '/oidc/token',
+    },
+    // 3. Scopes 定义
+    scopes: defaultScopes,
+
+    // 8. 令牌有效期
+    ttl: {
+      AccessToken: 3600, // 1 hour in seconds
+      AuthorizationCode: 600, // 10 minutes
+      DeviceCode: 600, // 10 minutes (if enabled)
+
+      IdToken: 3600, // 1 hour
+      Interaction: 3600, // 1 hour
+
+      RefreshToken: 30 * 24 * 60 * 60, // 30 days
+      Session: 30 * 24 * 60 * 60, // 30 days
+    },
+  };
+
+  // 创建提供者实例
+  const baseUrl = urlJoin(appEnv.APP_URL!, '/oidc');
+
+  const provider = new Provider(baseUrl, configuration);
+
+  provider.on('server_error', (ctx, err) => {
+    logProvider('OIDC Provider Server Error: %O', err); // Use logProvider
+    console.error('OIDC Provider Error:', err);
+  });
+
+  provider.on('authorization.success', (ctx) => {
+    logProvider('Authorization successful for client: %s', ctx.oidc.client?.clientId); // Use logProvider
+  });
+
+  return provider;
+};
+
+export { type default as OIDCProvider } from 'oidc-provider';

package/src/libs/trpc/async/init.ts

@@ -1,7 +1,7 @@
 import { initTRPC } from '@trpc/server';
 import superjson from 'superjson';
 
-import { AsyncContext } from '@/server/asyncContext';
+import { AsyncContext } from './context';
 
 export const asyncTrpc = initTRPC.context<AsyncContext>().create({
   errorFormatter({ shape }) {

package/src/{server → libs/trpc/edge}/context.ts

@@ -28,13 +28,13 @@ export const createContextInner = async (params?: {
   userId: params?.userId,
 });
 
-export type Context = Awaited<ReturnType<typeof createContextInner>>;
+export type EdgeContext = Awaited<ReturnType<typeof createContextInner>>;
 
 /**
  * Creates context for an incoming request
  * @link https://trpc.io/docs/v11/context
  */
-export const createContext = async (request: NextRequest): Promise<Context> => {
+export const createEdgeContext = async (request: NextRequest): Promise<EdgeContext> => {
   // for API-response caching see https://trpc.io/docs/v11/caching
 
   const authorization = request.headers.get(LOBE_CHAT_AUTH_HEADER);