@lobehub/chat 1.99.6 → 1.100.0

package/src/libs/oidc-provider/jwt.ts

@@ -0,0 +1,135 @@
+import { TRPCError } from '@trpc/server';
+import debug from 'debug';
+import { importJWK, jwtVerify } from 'jose';
+
+import { oidcEnv } from '@/envs/oidc';
+
+const log = debug('oidc-jwt');
+
+/**
+ * 从环境变量中获取 JWKS
+ * 该 JWKS 是一个包含 RS256 私钥的 JSON 对象
+ */
+export const getJWKS = (): object => {
+  try {
+    const jwksString = oidcEnv.OIDC_JWKS_KEY;
+
+    if (!jwksString) {
+      throw new Error(
+        'OIDC_JWKS_KEY 环境变量是必需的。请使用 scripts/generate-oidc-jwk.mjs 生成 JWKS。',
+      );
+    }
+
+    // 尝试解析 JWKS JSON 字符串
+    const jwks = JSON.parse(jwksString);
+
+    // 检查 JWKS 格式是否正确
+    if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
+      throw new Error('JWKS 格式无效: 缺少或为空的 keys 数组');
+    }
+
+    // 检查是否有 RS256 算法的密钥
+    const hasRS256Key = jwks.keys.some((key: any) => key.alg === 'RS256' && key.kty === 'RSA');
+    if (!hasRS256Key) {
+      throw new Error('JWKS 中没有找到 RS256 算法的 RSA 密钥');
+    }
+
+    return jwks;
+  } catch (error) {
+    console.error('解析 JWKS 失败:', error);
+    throw new Error(`OIDC_JWKS_KEY 解析错误: ${(error as Error).message}`);
+  }
+};
+
+/**
+ * 从环境变量中获取 JWKS 并提取第一个 RSA 密钥
+ */
+const getJWKSPublicKey = async () => {
+  try {
+    const jwksString = oidcEnv.OIDC_JWKS_KEY;
+
+    if (!jwksString) {
+      throw new Error('OIDC_JWKS_KEY 环境变量未设置');
+    }
+
+    const jwks = JSON.parse(jwksString);
+
+    if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
+      throw new Error('JWKS 格式无效: 缺少或为空的 keys 数组');
+    }
+
+    // 查找 RS256 算法的 RSA 密钥
+    const rsaKey = jwks.keys.find((key: any) => key.alg === 'RS256' && key.kty === 'RSA');
+
+    if (!rsaKey) {
+      throw new Error('JWKS 中没有找到 RS256 算法的 RSA 密钥');
+    }
+
+    // 导入 JWK 为公钥
+    const publicKey = await importJWK(rsaKey, 'RS256');
+
+    return publicKey;
+  } catch (error) {
+    log('获取 JWKS 公钥失败: %O', error);
+    throw new Error(`JWKS 公钥获取失败: ${(error as Error).message}`);
+  }
+};
+
+/**
+ * 验证 OIDC JWT Access Token
+ * @param token - JWT access token
+ * @returns 解析后的 token payload 和用户信息
+ */
+export const validateOIDCJWT = async (token: string) => {
+  try {
+    log('开始验证 OIDC JWT token');
+
+    // 获取公钥
+    const publicKey = await getJWKSPublicKey();
+
+    // 验证 JWT
+    const { payload } = await jwtVerify(token, publicKey, {
+      algorithms: ['RS256'],
+      // 可以添加其他验证选项，如 issuer、audience 等
+    });
+
+    log('JWT 验证成功，payload: %O', payload);
+
+    // 提取用户信息
+    const userId = payload.sub;
+    const clientId = payload.aud;
+
+    if (!userId) {
+      throw new TRPCError({
+        code: 'UNAUTHORIZED',
+        message: 'JWT token 中缺少用户 ID (sub)',
+      });
+    }
+
+    return {
+      clientId,
+      payload,
+      tokenData: {
+        aud: clientId,
+        client_id: clientId,
+        exp: payload.exp,
+        iat: payload.iat,
+        jti: payload.jti,
+        scope: payload.scope,
+        sub: userId,
+      },
+      userId,
+    };
+  } catch (error) {
+    if (error instanceof TRPCError) {
+      throw error;
+    }
+
+    log('JWT 验证失败: %O', error);
+
+    throw new TRPCError({
+      code: 'UNAUTHORIZED',
+      message: `JWT token 验证失败: ${(error as Error).message}`,
+    });
+  }
+};

package/src/libs/oidc-provider/provider.ts

@@ -1,12 +1,12 @@
 import debug from 'debug';
-import Provider, { Configuration, KoaContextWithOIDC } from 'oidc-provider';
+import Provider, { Configuration, KoaContextWithOIDC, errors } from 'oidc-provider';
 import urlJoin from 'url-join';
 
 import { serverDBEnv } from '@/config/db';
 import { UserModel } from '@/database/models/user';
 import { LobeChatDatabase } from '@/database/type';
 import { appEnv } from '@/envs/app';
-import { oidcEnv } from '@/envs/oidc';
+import { getJWKS } from '@/libs/oidc-provider/jwt';
 
 import { DrizzleAdapter } from './adapter';
 import { defaultClaims, defaultClients, defaultScopes } from './config';
@@ -14,40 +14,7 @@ import { createInteractionPolicy } from './interaction-policy';
 
 const logProvider = debug('lobe-oidc:provider'); // <--- 添加 provider 日志实例
 
-/**
- * 从环境变量中获取 JWKS
- * 该 JWKS 是一个包含 RS256 私钥的 JSON 对象
- */
-const getJWKS = (): object => {
-  try {
-    const jwksString = oidcEnv.OIDC_JWKS_KEY;
-
-    if (!jwksString) {
-      throw new Error(
-        'OIDC_JWKS_KEY 环境变量是必需的。请使用 scripts/generate-oidc-jwk.mjs 生成 JWKS。',
-      );
-    }
-
-    // 尝试解析 JWKS JSON 字符串
-    const jwks = JSON.parse(jwksString);
-
-    // 检查 JWKS 格式是否正确
-    if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
-      throw new Error('JWKS 格式无效: 缺少或为空的 keys 数组');
-    }
-
-    // 检查是否有 RS256 算法的密钥
-    const hasRS256Key = jwks.keys.some((key: any) => key.alg === 'RS256' && key.kty === 'RSA');
-    if (!hasRS256Key) {
-      throw new Error('JWKS 中没有找到 RS256 算法的 RSA 密钥');
-    }
-
-    return jwks;
-  } catch (error) {
-    console.error('解析 JWKS 失败:', error);
-    throw new Error(`OIDC_JWKS_KEY 解析错误: ${(error as Error).message}`);
-  }
-};
+export const API_AUDIENCE = 'urn:lobehub:chat'; // <-- 把这里换成你自己的 API 标识符
 
 /**
  * 获取 Cookie 密钥，使用 KEY_VAULTS_SECRET
@@ -123,7 +90,24 @@ export const createOIDCProvider = async (db: LobeChatDatabase): Promise<Provider
       devInteractions: { enabled: false },
       deviceFlow: { enabled: false },
       introspection: { enabled: true },
-      resourceIndicators: { enabled: false },
+      resourceIndicators: {
+        defaultResource: () => API_AUDIENCE,
+        enabled: true,
+        getResourceServerInfo: (ctx, resourceIndicator) => {
+          logProvider('getResourceServerInfo called with indicator: %s', resourceIndicator); // <-- 添加这行日志
+          if (resourceIndicator === API_AUDIENCE) {
+            logProvider('Indicator matches API_AUDIENCE, returning JWT config.'); // <-- 添加这行日志
+            return {
+              accessTokenFormat: 'jwt',
+              audience: API_AUDIENCE,
+              scope: ctx.oidc.client?.scope || 'read',
+            };
+          }
+
+          logProvider('Indicator does not match API_AUDIENCE, throwing InvalidTarget.'); // <-- 添加这行日志
+          throw new errors.InvalidTarget();
+        },
+      },
       revocation: { enabled: true },
       rpInitiatedLogout: { enabled: true },
       userinfo: { enabled: true },
@@ -256,7 +240,7 @@ export const createOIDCProvider = async (db: LobeChatDatabase): Promise<Provider
 
     // 8. 令牌有效期
     ttl: {
-      AccessToken: 7 * 24 * 60 * 60, // 1 week temporarily,need to revert 1 hour with better implement
+      AccessToken: 25 * 3600, // 25 hour
       AuthorizationCode: 600, // 10 minutes
       DeviceCode: 600, // 10 minutes (if enabled)
 

package/src/libs/trpc/client/async.ts

@@ -3,8 +3,7 @@ import superjson from 'superjson';
 
 import { isDesktop } from '@/const/version';
 import { AsyncRouter } from '@/server/routers/async';
-
-import { fetchWithDesktopRemoteRPC } from './helpers/desktopRemoteRPCFetch';
+import { fetchWithDesktopRemoteRPC } from '@/utils/electron/desktopRemoteRPCFetch';
 
 export const asyncClient = createTRPCClient<AsyncRouter>({
   links: [

package/src/libs/trpc/client/edge.ts

@@ -4,8 +4,7 @@ import superjson from 'superjson';
 import { isDesktop } from '@/const/version';
 import type { EdgeRouter } from '@/server/routers/edge';
 import { withBasePath } from '@/utils/basePath';
-
-import { fetchWithDesktopRemoteRPC } from './helpers/desktopRemoteRPCFetch';
+import { fetchWithDesktopRemoteRPC } from '@/utils/electron/desktopRemoteRPCFetch';
 
 export const edgeClient = createTRPCClient<EdgeRouter>({
   links: [

package/src/libs/trpc/client/lambda.ts

@@ -15,7 +15,7 @@ const links = [
   httpBatchLink({
     fetch: async (input, init) => {
       if (isDesktop) {
-        const { desktopRemoteRPCFetch } = await import('./helpers/desktopRemoteRPCFetch');
+        const { desktopRemoteRPCFetch } = await import('@/utils/electron/desktopRemoteRPCFetch');
 
         const res = await desktopRemoteRPCFetch(input as string, init);
 

package/src/libs/trpc/client/tools.ts

@@ -3,8 +3,7 @@ import superjson from 'superjson';
 
 import { isDesktop } from '@/const/version';
 import type { ToolsRouter } from '@/server/routers/tools';
-
-import { fetchWithDesktopRemoteRPC } from './helpers/desktopRemoteRPCFetch';
+import { fetchWithDesktopRemoteRPC } from '@/utils/electron/desktopRemoteRPCFetch';
 
 export const toolsClient = createTRPCClient<ToolsRouter>({
   links: [

package/src/libs/trpc/lambda/context.ts

@@ -6,7 +6,7 @@ import { NextRequest } from 'next/server';
 import { JWTPayload, LOBE_CHAT_AUTH_HEADER, enableClerk, enableNextAuth } from '@/const/auth';
 import { oidcEnv } from '@/envs/oidc';
 import { ClerkAuth, IClerkAuth } from '@/libs/clerk-auth';
-import { extractBearerToken } from '@/utils/server/auth';
+import { validateOIDCJWT } from '@/libs/oidc-provider/jwt';
 
 // Create context logger namespace
 const log = debug('lobe-trpc:lambda:context');
@@ -98,26 +98,19 @@ export const createLambdaContext = async (request: NextRequest): Promise<LambdaC
   let auth;
   let oidcAuth = null;
 
-  // Prioritize checking the standard Authorization header for OIDC Bearer Token validation
+  // Prioritize checking for OIDC authentication (both standard Authorization and custom Oidc-Auth headers)
   if (oidcEnv.ENABLE_OIDC) {
     log('OIDC enabled, attempting OIDC authentication');
     const standardAuthorization = request.headers.get('Authorization');
+    const oidcAuthToken = request.headers.get('Oidc-Auth');
     log('Standard Authorization header: %s', standardAuthorization ? 'exists' : 'not found');
+    log('Oidc-Auth header: %s', oidcAuthToken ? 'exists' : 'not found');
 
     try {
-      // Use extractBearerToken from utils
-      const bearerToken = extractBearerToken(standardAuthorization);
-
-      log('Extracted Bearer Token: %s', bearerToken ? 'valid' : 'invalid');
-      if (bearerToken) {
-        const { OIDCService } = await import('@/server/services/oidc');
-
-        // Initialize OIDC service
-        log('Initializing OIDC service');
-        const oidcService = await OIDCService.initialize();
-        // Validate token using OIDCService
-        log('Validating OIDC token');
-        const tokenInfo = await oidcService.validateToken(bearerToken);
+      if (oidcAuthToken) {
+        // Use direct JWT validation instead of database lookup
+        const tokenInfo = await validateOIDCJWT(oidcAuthToken);
+
         oidcAuth = {
           payload: tokenInfo.tokenData,
           ...tokenInfo.tokenData, // Spread payload into oidcAuth
@@ -136,7 +129,7 @@ export const createLambdaContext = async (request: NextRequest): Promise<LambdaC
       }
     } catch (error) {
       // If OIDC authentication fails, log error and continue with other authentication methods
-      if (standardAuthorization?.startsWith('Bearer ')) {
+      if (oidcAuthToken) {
         log('OIDC authentication failed, error: %O', error);
         console.error('OIDC authentication failed, trying other methods:', error);
       }

package/src/locales/default/electron.ts

@@ -101,7 +101,10 @@ const electron = {
   waitingOAuth: {
     cancel: '取消',
     description: '浏览器已打开授权页面，请在浏览器中完成授权',
+    error: '授权失败: {{error}}',
+    errorTitle: '授权连接失败',
     helpText: '如果浏览器没有自动打开，请点击取消后重新尝试',
+    retry: '重试',
     title: '等待授权连接',
   },
 };

package/src/locales/default/oauth.ts

@@ -29,10 +29,14 @@ const oauth = {
     },
     title: '授权 {{clientName}}',
   },
-  failed: {
+  error: {
     backToHome: '返回首页',
-    subTitle: '您已拒绝授权应用访问您的 LobeChat 账户',
-    title: '授权被拒绝',
+    desc: 'OAuth 授权失败，失败原因：{{reason}}',
+    reason: {
+      internal_error: '服务端错误',
+      invalid_request: '无效的请求参数',
+    },
+    title: '授权失败',
   },
   handoff: {
     desc: {
@@ -51,7 +55,7 @@ const oauth = {
     userWelcome: '欢迎回来，',
   },
   success: {
-    subTitle: '您已成功授权应用访问您的 LobeChat 账户，可以关闭该页面了',
+    subTitle: '您已成功授权应用访问您的账户，可以关闭该页面了',
     title: '授权成功',
   },
 };

package/src/middleware.ts

@@ -18,9 +18,9 @@ import { OAUTH_AUTHORIZED } from './const/auth';
 import { oidcEnv } from './envs/oidc';
 
 // Create debug logger instances
-const logDefault = debug('lobe-middleware:default');
-const logNextAuth = debug('lobe-middleware:next-auth');
-const logClerk = debug('lobe-middleware:clerk');
+const logDefault = debug('middleware:default');
+const logNextAuth = debug('middleware:next-auth');
+const logClerk = debug('middleware:clerk');
 
 // OIDC session pre-sync constant
 const OIDC_SESSION_HEADER = 'x-oidc-session-sync';
@@ -146,13 +146,19 @@ const defaultMiddleware = (request: NextRequest) => {
 };
 
 const isPublicRoute = createRouteMatcher([
+  // backend api
   '/api/auth(.*)',
+  '/api/webhooks(.*)',
+  '/webapi(.*)',
   '/trpc(.*)',
   // next auth
   '/next-auth/(.*)',
   // clerk
   '/login',
   '/signup',
+  // oauth
+  '/oidc/handoff',
+  '/oidc/token',
 ]);
 
 const isProtectedRoute = createRouteMatcher([
@@ -164,7 +170,7 @@ const isProtectedRoute = createRouteMatcher([
 ]);
 
 // Initialize an Edge compatible NextAuth middleware
-const nextAuthMiddleware = NextAuthEdge.auth((req) => {
+const nextAuthMiddleware = NextAuthEdge.auth(async (req) => {
   logNextAuth('NextAuth middleware processing request: %s %s', req.method, req.url);
 
   const response = defaultMiddleware(req);

package/src/server/services/oidc/index.ts

@@ -1,4 +1,3 @@
-import { TRPCError } from '@trpc/server';
 import debug from 'debug';
 
 import { createContextForInteractionDetails } from '@/libs/oidc-provider/http-adapter';
@@ -20,76 +19,6 @@ export class OIDCService {
     return new OIDCService(provider);
   }
 
-  /**
-   * 验证 OIDC Bearer Token 并返回用户信息
-   * 使用 oidc-provider 实例的 AccessToken.find 方法验证 token
-   *
-   * @param token - Bearer Token
-   * @returns 包含用户ID和Token数据的对象
-   * @throws 如果token无效或OIDC未启用则抛出 TRPCError
-   */
-  async validateToken(token: string) {
-    try {
-      log('Validating access token using AccessToken.find');
-
-      // 使用 oidc-provider 的 AccessToken 查找和验证方法
-      const accessToken = await this.provider.AccessToken.find(token);
-
-      if (!accessToken) {
-        log('Access token not found, expired, or consumed');
-        throw new TRPCError({
-          code: 'UNAUTHORIZED',
-          message: 'Access token 无效、已过期或已被使用',
-        });
-      }
-
-      // 从 accessToken 实例中获取必要的数据
-      // 注意：accessToken 没有 payload() 方法，而是直接访问其属性
-      const userId = accessToken.accountId; // 用户 ID 通常存储在 accountId 属性中
-      const clientId = accessToken.clientId;
-
-      // 如果需要更多的声明信息，可以从 accessToken 的其他属性中获取
-      // 例如，scopes、claims、exp 等
-      const tokenData = {
-        client_id: clientId,
-        exp: accessToken.exp,
-        iat: accessToken.iat,
-        jti: accessToken.jti,
-        scope: accessToken.scope,
-        // OIDC 标准中，sub 字段表示用户 ID
-        sub: userId,
-      };
-
-      if (!userId) {
-        log('Access token does not contain user ID (accountId)');
-        throw new TRPCError({
-          code: 'UNAUTHORIZED',
-          message: 'Access token 中未包含用户 ID',
-        });
-      }
-
-      log('Access token validated successfully for user: %s', userId);
-      return {
-        // 包含 token 原始数据，可用于获取更多信息
-        accessToken,
-        // 构建的 token 数据对象
-        tokenData,
-        // 用户 ID
-        userId,
-      };
-    } catch (error) {
-      if (error instanceof TRPCError) throw error;
-
-      // AccessToken.find 可能抛出特定错误
-      log('Error validating access token with AccessToken.find: %O', error);
-      console.error('OIDC 令牌验证错误:', error);
-      throw new TRPCError({
-        code: 'UNAUTHORIZED',
-        message: `OIDC 认证失败: ${(error as Error).message}`,
-      });
-    }
-  }
-
   async getInteractionDetails(uid: string) {
     const { req, res } = await createContextForInteractionDetails(uid);
     return this.provider.interactionDetails(req, res);

package/src/services/chat.ts

@@ -40,6 +40,7 @@ import { ChatImageItem, ChatMessage, MessageToolCall } from '@/types/message';
 import type { ChatStreamPayload, OpenAIChatMessage } from '@/types/openai/chat';
 import { UserMessageContentPart } from '@/types/openai/chat';
 import { parsePlaceholderVariablesMessages } from '@/utils/client/parserPlaceholder';
+import { fetchWithInvokeStream } from '@/utils/electron/desktopRemoteRPCFetch';
 import { createErrorResponse } from '@/utils/errorResponse';
 import {
   FetchSSEOptions,
@@ -361,7 +362,10 @@ class ChatService {
 
     let fetcher: typeof fetch | undefined = undefined;
 
-    if (enableFetchOnClient) {
+    // Add desktop remote RPC fetch support
+    if (isDesktop) {
+      fetcher = fetchWithInvokeStream;
+    } else if (enableFetchOnClient) {
       /**
        * Notes:
        * 1. Browser agent runtime will skip auth check if a key and endpoint provided by

package/src/services/electron/remoteServer.ts

@@ -28,13 +28,6 @@ class RemoteServerService {
   requestAuthorization = async (config: DataSyncConfig) => {
     return dispatch('requestAuthorization', config);
   };
-
-  /**
-   * 刷新访问令牌
-   */
-  refreshAccessToken = async () => {
-    return dispatch('refreshAccessToken');
-  };
 }
 
 export const remoteServerService = new RemoteServerService();

package/src/{libs/trpc/client/helpers → utils/electron}/desktopRemoteRPCFetch.ts

@@ -1,4 +1,4 @@
-import { ProxyTRPCRequestParams, dispatch } from '@lobechat/electron-client-ipc';
+import { ProxyTRPCRequestParams, dispatch, streamInvoke } from '@lobechat/electron-client-ipc';
 import debug from 'debug';
 
 import { isDesktop } from '@/const/version';
@@ -6,7 +6,7 @@ import { getElectronStoreState } from '@/store/electron';
 import { electronSyncSelectors } from '@/store/electron/selectors';
 import { getRequestBody, headersToRecord } from '@/utils/fetch';
 
-const log = debug('lobe-lambda:desktopRemoteRPCFetch');
+const log = debug('utils:desktopRemoteRPCFetch');
 
 // eslint-disable-next-line no-undef
 export const desktopRemoteRPCFetch = async (input: string, init?: RequestInit) => {
@@ -15,8 +15,8 @@ export const desktopRemoteRPCFetch = async (input: string, init?: RequestInit) =
 
   if (isSyncActive) {
     log('Using IPC proxy for tRPC request');
+    const url = input as string;
     try {
-      const url = input as string;
       const parsedUrl = new URL(url, window.location.origin);
       const urlPath = parsedUrl.pathname + parsedUrl.search;
       const method = init?.method?.toUpperCase() || 'GET';
@@ -32,7 +32,7 @@ export const desktopRemoteRPCFetch = async (input: string, init?: RequestInit) =
 
       const ipcResult = await dispatch('proxyTRPCRequest', params);
 
-      log('Received IPC proxy response:', { status: ipcResult.status });
+      log(`Received ${url} IPC proxy response:`, { status: ipcResult.status });
       const response = new Response(ipcResult.body, {
         headers: ipcResult.headers,
         status: ipcResult.status,
@@ -41,7 +41,7 @@ export const desktopRemoteRPCFetch = async (input: string, init?: RequestInit) =
 
       if (!response.ok) {
         console.warn(
-          '[lambda] IPC proxy response indicates an error:',
+          `[lambda] ${url} IPC proxy response indicates an error:`,
           response.status,
           response.statusText,
         );
@@ -49,7 +49,7 @@ export const desktopRemoteRPCFetch = async (input: string, init?: RequestInit) =
 
       return response;
     } catch (error) {
-      console.error('[lambda] Error during IPC proxy call:', error);
+      console.error(`[lambda] Error during ${url} IPC proxy call:`, error);
       return new Response(
         `IPC Proxy Error: ${error instanceof Error ? error.message : 'Unknown error'}`,
         {
@@ -62,11 +62,26 @@ export const desktopRemoteRPCFetch = async (input: string, init?: RequestInit) =
 };
 
 // eslint-disable-next-line no-undef
-export const fetchWithDesktopRemoteRPC = async (input: string, init?: RequestInit) => {
+export const fetchWithDesktopRemoteRPC = (async (input: RequestInfo | URL, init?: RequestInit) => {
   if (isDesktop) {
     const res = await desktopRemoteRPCFetch(input as string, init);
     if (res) return res;
   }
 
+  return fetch(input, init);
+}) as typeof fetch;
+
+// eslint-disable-next-line no-undef
+export const fetchWithInvokeStream = async (input: RequestInfo | URL, init?: RequestInit) => {
+  if (isDesktop) {
+    const isSyncActive = electronSyncSelectors.isSyncActive(getElectronStoreState());
+    log('isSyncActive:', isSyncActive);
+    if (isSyncActive) {
+      log('Using IPC stream proxy for request to:', input);
+
+      return streamInvoke(input, init);
+    }
+  }
+
   return fetch(input, init);
 };

package/src/utils/server/auth.ts

@@ -49,3 +49,25 @@ export const extractBearerToken = (authHeader?: string | null): string | null =>
   // Return the token only if it's not an empty string after trimming
   return token || null;
 };
+
+/**
+ * 从 Oidc-Auth header 中提取 JWT token
+ * @param authHeader - Oidc-Auth header 值 (例如 "Oidc-Auth xxx")
+ * @returns JWT token 或 null（如果授权头无效或不存在）
+ */
+export const extractOidcAuthToken = (authHeader?: string | null): string | null => {
+  if (!authHeader) return null;
+
+  const trimmedHeader = authHeader.trim(); // Trim leading/trailing spaces
+
+  // Check if it starts with 'Oidc-Auth ' (case-insensitive check)
+  if (!trimmedHeader.toLowerCase().startsWith('oidc-auth ')) {
+    return null;
+  }
+
+  // Extract the token part after "Oidc-Auth " and trim potential spaces around the token itself
+  const token = trimmedHeader.slice(10).trim(); // 'Oidc-Auth ' length is 10
+
+  // Return the token only if it's not an empty string after trimming
+  return token || null;
+};

package/src/app/[variants]/oauth/consent/[uid]/failed/page.tsx

@@ -1,36 +0,0 @@
-'use client';
-
-import { Button, Icon } from '@lobehub/ui';
-import { Card, Result } from 'antd';
-import { XCircle } from 'lucide-react';
-import Link from 'next/link';
-import React, { memo } from 'react';
-import { useTranslation } from 'react-i18next';
-import { Center } from 'react-layout-kit';
-
-const FailedPage = memo(() => {
-  const { t } = useTranslation('oauth');
-
-  return (
-    <Center height="100vh">
-      <Card style={{ maxWidth: 500, width: '100%' }}>
-        <Result
-          extra={
-            <Link href="/">
-              <Button type="primary">{t('failed.backToHome')}</Button>
-            </Link>
-          }
-          icon={<Icon icon={XCircle} />}
-          status="error"
-          style={{ padding: 0 }}
-          subTitle={t('failed.subTitle')}
-          title={t('failed.title')}
-        />
-      </Card>
-    </Center>
-  );
-});
-
-FailedPage.displayName = 'FailedPage';
-
-export default FailedPage;