@lobehub/chat 1.99.6 → 1.100.1

package/src/libs/oidc-provider/jwt.ts

@@ -0,0 +1,135 @@
+import { TRPCError } from '@trpc/server';
+import debug from 'debug';
+import { importJWK, jwtVerify } from 'jose';
+
+import { oidcEnv } from '@/envs/oidc';
+
+const log = debug('oidc-jwt');
+
+/**
+ * 从环境变量中获取 JWKS
+ * 该 JWKS 是一个包含 RS256 私钥的 JSON 对象
+ */
+export const getJWKS = (): object => {
+  try {
+    const jwksString = oidcEnv.OIDC_JWKS_KEY;
+
+    if (!jwksString) {
+      throw new Error(
+        'OIDC_JWKS_KEY 环境变量是必需的。请使用 scripts/generate-oidc-jwk.mjs 生成 JWKS。',
+      );
+    }
+
+    // 尝试解析 JWKS JSON 字符串
+    const jwks = JSON.parse(jwksString);
+
+    // 检查 JWKS 格式是否正确
+    if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
+      throw new Error('JWKS 格式无效: 缺少或为空的 keys 数组');
+    }
+
+    // 检查是否有 RS256 算法的密钥
+    const hasRS256Key = jwks.keys.some((key: any) => key.alg === 'RS256' && key.kty === 'RSA');
+    if (!hasRS256Key) {
+      throw new Error('JWKS 中没有找到 RS256 算法的 RSA 密钥');
+    }
+
+    return jwks;
+  } catch (error) {
+    console.error('解析 JWKS 失败:', error);
+    throw new Error(`OIDC_JWKS_KEY 解析错误: ${(error as Error).message}`);
+  }
+};
+
+/**
+ * 从环境变量中获取 JWKS 并提取第一个 RSA 密钥
+ */
+const getJWKSPublicKey = async () => {
+  try {
+    const jwksString = oidcEnv.OIDC_JWKS_KEY;
+
+    if (!jwksString) {
+      throw new Error('OIDC_JWKS_KEY 环境变量未设置');
+    }
+
+    const jwks = JSON.parse(jwksString);
+
+    if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
+      throw new Error('JWKS 格式无效: 缺少或为空的 keys 数组');
+    }
+
+    // 查找 RS256 算法的 RSA 密钥
+    const rsaKey = jwks.keys.find((key: any) => key.alg === 'RS256' && key.kty === 'RSA');
+
+    if (!rsaKey) {
+      throw new Error('JWKS 中没有找到 RS256 算法的 RSA 密钥');
+    }
+
+    // 导入 JWK 为公钥
+    const publicKey = await importJWK(rsaKey, 'RS256');
+
+    return publicKey;
+  } catch (error) {
+    log('获取 JWKS 公钥失败: %O', error);
+    throw new Error(`JWKS 公钥获取失败: ${(error as Error).message}`);
+  }
+};
+
+/**
+ * 验证 OIDC JWT Access Token
+ * @param token - JWT access token
+ * @returns 解析后的 token payload 和用户信息
+ */
+export const validateOIDCJWT = async (token: string) => {
+  try {
+    log('开始验证 OIDC JWT token');
+
+    // 获取公钥
+    const publicKey = await getJWKSPublicKey();
+
+    // 验证 JWT
+    const { payload } = await jwtVerify(token, publicKey, {
+      algorithms: ['RS256'],
+      // 可以添加其他验证选项，如 issuer、audience 等
+    });
+
+    log('JWT 验证成功，payload: %O', payload);
+
+    // 提取用户信息
+    const userId = payload.sub;
+    const clientId = payload.aud;
+
+    if (!userId) {
+      throw new TRPCError({
+        code: 'UNAUTHORIZED',
+        message: 'JWT token 中缺少用户 ID (sub)',
+      });
+    }
+
+    return {
+      clientId,
+      payload,
+      tokenData: {
+        aud: clientId,
+        client_id: clientId,
+        exp: payload.exp,
+        iat: payload.iat,
+        jti: payload.jti,
+        scope: payload.scope,
+        sub: userId,
+      },
+      userId,
+    };
+  } catch (error) {
+    if (error instanceof TRPCError) {
+      throw error;
+    }
+
+    log('JWT 验证失败: %O', error);
+
+    throw new TRPCError({
+      code: 'UNAUTHORIZED',
+      message: `JWT token 验证失败: ${(error as Error).message}`,
+    });
+  }
+};

package/src/libs/oidc-provider/provider.ts

@@ -1,12 +1,12 @@
 import debug from 'debug';
-import Provider, { Configuration, KoaContextWithOIDC } from 'oidc-provider';
+import Provider, { Configuration, KoaContextWithOIDC, errors } from 'oidc-provider';
 import urlJoin from 'url-join';
 
 import { serverDBEnv } from '@/config/db';
 import { UserModel } from '@/database/models/user';
 import { LobeChatDatabase } from '@/database/type';
 import { appEnv } from '@/envs/app';
-import { oidcEnv } from '@/envs/oidc';
+import { getJWKS } from '@/libs/oidc-provider/jwt';
 
 import { DrizzleAdapter } from './adapter';
 import { defaultClaims, defaultClients, defaultScopes } from './config';
@@ -14,40 +14,7 @@ import { createInteractionPolicy } from './interaction-policy';
 
 const logProvider = debug('lobe-oidc:provider'); // <--- 添加 provider 日志实例
 
-/**
- * 从环境变量中获取 JWKS
- * 该 JWKS 是一个包含 RS256 私钥的 JSON 对象
- */
-const getJWKS = (): object => {
-  try {
-    const jwksString = oidcEnv.OIDC_JWKS_KEY;
-
-    if (!jwksString) {
-      throw new Error(
-        'OIDC_JWKS_KEY 环境变量是必需的。请使用 scripts/generate-oidc-jwk.mjs 生成 JWKS。',
-      );
-    }
-
-    // 尝试解析 JWKS JSON 字符串
-    const jwks = JSON.parse(jwksString);
-
-    // 检查 JWKS 格式是否正确
-    if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
-      throw new Error('JWKS 格式无效: 缺少或为空的 keys 数组');
-    }
-
-    // 检查是否有 RS256 算法的密钥
-    const hasRS256Key = jwks.keys.some((key: any) => key.alg === 'RS256' && key.kty === 'RSA');
-    if (!hasRS256Key) {
-      throw new Error('JWKS 中没有找到 RS256 算法的 RSA 密钥');
-    }
-
-    return jwks;
-  } catch (error) {
-    console.error('解析 JWKS 失败:', error);
-    throw new Error(`OIDC_JWKS_KEY 解析错误: ${(error as Error).message}`);
-  }
-};
+export const API_AUDIENCE = 'urn:lobehub:chat'; // <-- 把这里换成你自己的 API 标识符
 
 /**
  * 获取 Cookie 密钥，使用 KEY_VAULTS_SECRET
@@ -123,7 +90,24 @@ export const createOIDCProvider = async (db: LobeChatDatabase): Promise<Provider
       devInteractions: { enabled: false },
       deviceFlow: { enabled: false },
       introspection: { enabled: true },
-      resourceIndicators: { enabled: false },
+      resourceIndicators: {
+        defaultResource: () => API_AUDIENCE,
+        enabled: true,
+        getResourceServerInfo: (ctx, resourceIndicator) => {
+          logProvider('getResourceServerInfo called with indicator: %s', resourceIndicator); // <-- 添加这行日志
+          if (resourceIndicator === API_AUDIENCE) {
+            logProvider('Indicator matches API_AUDIENCE, returning JWT config.'); // <-- 添加这行日志
+            return {
+              accessTokenFormat: 'jwt',
+              audience: API_AUDIENCE,
+              scope: ctx.oidc.client?.scope || 'read',
+            };
+          }
+
+          logProvider('Indicator does not match API_AUDIENCE, throwing InvalidTarget.'); // <-- 添加这行日志
+          throw new errors.InvalidTarget();
+        },
+      },
       revocation: { enabled: true },
       rpInitiatedLogout: { enabled: true },
       userinfo: { enabled: true },
@@ -256,7 +240,7 @@ export const createOIDCProvider = async (db: LobeChatDatabase): Promise<Provider
 
     // 8. 令牌有效期
     ttl: {
-      AccessToken: 7 * 24 * 60 * 60, // 1 week temporarily,need to revert 1 hour with better implement
+      AccessToken: 25 * 3600, // 25 hour
       AuthorizationCode: 600, // 10 minutes
       DeviceCode: 600, // 10 minutes (if enabled)
 

package/src/libs/trpc/client/async.ts

@@ -3,8 +3,7 @@ import superjson from 'superjson';
 
 import { isDesktop } from '@/const/version';
 import { AsyncRouter } from '@/server/routers/async';
-
-import { fetchWithDesktopRemoteRPC } from './helpers/desktopRemoteRPCFetch';
+import { fetchWithDesktopRemoteRPC } from '@/utils/electron/desktopRemoteRPCFetch';
 
 export const asyncClient = createTRPCClient<AsyncRouter>({
   links: [

package/src/libs/trpc/client/edge.ts

@@ -4,8 +4,7 @@ import superjson from 'superjson';
 import { isDesktop } from '@/const/version';
 import type { EdgeRouter } from '@/server/routers/edge';
 import { withBasePath } from '@/utils/basePath';
-
-import { fetchWithDesktopRemoteRPC } from './helpers/desktopRemoteRPCFetch';
+import { fetchWithDesktopRemoteRPC } from '@/utils/electron/desktopRemoteRPCFetch';
 
 export const edgeClient = createTRPCClient<EdgeRouter>({
   links: [

package/src/libs/trpc/client/lambda.ts

@@ -15,7 +15,7 @@ const links = [
   httpBatchLink({
     fetch: async (input, init) => {
       if (isDesktop) {
-        const { desktopRemoteRPCFetch } = await import('./helpers/desktopRemoteRPCFetch');
+        const { desktopRemoteRPCFetch } = await import('@/utils/electron/desktopRemoteRPCFetch');
 
         const res = await desktopRemoteRPCFetch(input as string, init);
 

package/src/libs/trpc/client/tools.ts

@@ -3,8 +3,7 @@ import superjson from 'superjson';
 
 import { isDesktop } from '@/const/version';
 import type { ToolsRouter } from '@/server/routers/tools';
-
-import { fetchWithDesktopRemoteRPC } from './helpers/desktopRemoteRPCFetch';
+import { fetchWithDesktopRemoteRPC } from '@/utils/electron/desktopRemoteRPCFetch';
 
 export const toolsClient = createTRPCClient<ToolsRouter>({
   links: [

package/src/libs/trpc/lambda/context.ts

@@ -6,7 +6,7 @@ import { NextRequest } from 'next/server';
 import { JWTPayload, LOBE_CHAT_AUTH_HEADER, enableClerk, enableNextAuth } from '@/const/auth';
 import { oidcEnv } from '@/envs/oidc';
 import { ClerkAuth, IClerkAuth } from '@/libs/clerk-auth';
-import { extractBearerToken } from '@/utils/server/auth';
+import { validateOIDCJWT } from '@/libs/oidc-provider/jwt';
 
 // Create context logger namespace
 const log = debug('lobe-trpc:lambda:context');
@@ -98,26 +98,19 @@ export const createLambdaContext = async (request: NextRequest): Promise<LambdaC
   let auth;
   let oidcAuth = null;
 
-  // Prioritize checking the standard Authorization header for OIDC Bearer Token validation
+  // Prioritize checking for OIDC authentication (both standard Authorization and custom Oidc-Auth headers)
   if (oidcEnv.ENABLE_OIDC) {
     log('OIDC enabled, attempting OIDC authentication');
     const standardAuthorization = request.headers.get('Authorization');
+    const oidcAuthToken = request.headers.get('Oidc-Auth');
     log('Standard Authorization header: %s', standardAuthorization ? 'exists' : 'not found');
+    log('Oidc-Auth header: %s', oidcAuthToken ? 'exists' : 'not found');
 
     try {
-      // Use extractBearerToken from utils
-      const bearerToken = extractBearerToken(standardAuthorization);
-
-      log('Extracted Bearer Token: %s', bearerToken ? 'valid' : 'invalid');
-      if (bearerToken) {
-        const { OIDCService } = await import('@/server/services/oidc');
-
-        // Initialize OIDC service
-        log('Initializing OIDC service');
-        const oidcService = await OIDCService.initialize();
-        // Validate token using OIDCService
-        log('Validating OIDC token');
-        const tokenInfo = await oidcService.validateToken(bearerToken);
+      if (oidcAuthToken) {
+        // Use direct JWT validation instead of database lookup
+        const tokenInfo = await validateOIDCJWT(oidcAuthToken);
+
         oidcAuth = {
           payload: tokenInfo.tokenData,
           ...tokenInfo.tokenData, // Spread payload into oidcAuth
@@ -136,7 +129,7 @@ export const createLambdaContext = async (request: NextRequest): Promise<LambdaC
       }
     } catch (error) {
       // If OIDC authentication fails, log error and continue with other authentication methods
-      if (standardAuthorization?.startsWith('Bearer ')) {
+      if (oidcAuthToken) {
         log('OIDC authentication failed, error: %O', error);
         console.error('OIDC authentication failed, trying other methods:', error);
       }

package/src/locales/default/electron.ts

@@ -101,7 +101,10 @@ const electron = {
   waitingOAuth: {
     cancel: '取消',
     description: '浏览器已打开授权页面，请在浏览器中完成授权',
+    error: '授权失败: {{error}}',
+    errorTitle: '授权连接失败',
     helpText: '如果浏览器没有自动打开，请点击取消后重新尝试',
+    retry: '重试',
     title: '等待授权连接',
   },
 };

package/src/locales/default/oauth.ts

@@ -29,10 +29,14 @@ const oauth = {
     },
     title: '授权 {{clientName}}',
   },
-  failed: {
+  error: {
     backToHome: '返回首页',
-    subTitle: '您已拒绝授权应用访问您的 LobeChat 账户',
-    title: '授权被拒绝',
+    desc: 'OAuth 授权失败，失败原因：{{reason}}',
+    reason: {
+      internal_error: '服务端错误',
+      invalid_request: '无效的请求参数',
+    },
+    title: '授权失败',
   },
   handoff: {
     desc: {
@@ -51,7 +55,7 @@ const oauth = {
     userWelcome: '欢迎回来，',
   },
   success: {
-    subTitle: '您已成功授权应用访问您的 LobeChat 账户，可以关闭该页面了',
+    subTitle: '您已成功授权应用访问您的账户，可以关闭该页面了',
     title: '授权成功',
   },
 };

package/src/middleware.ts

@@ -18,9 +18,9 @@ import { OAUTH_AUTHORIZED } from './const/auth';
 import { oidcEnv } from './envs/oidc';
 
 // Create debug logger instances
-const logDefault = debug('lobe-middleware:default');
-const logNextAuth = debug('lobe-middleware:next-auth');
-const logClerk = debug('lobe-middleware:clerk');
+const logDefault = debug('middleware:default');
+const logNextAuth = debug('middleware:next-auth');
+const logClerk = debug('middleware:clerk');
 
 // OIDC session pre-sync constant
 const OIDC_SESSION_HEADER = 'x-oidc-session-sync';
@@ -146,13 +146,19 @@ const defaultMiddleware = (request: NextRequest) => {
 };
 
 const isPublicRoute = createRouteMatcher([
+  // backend api
   '/api/auth(.*)',
+  '/api/webhooks(.*)',
+  '/webapi(.*)',
   '/trpc(.*)',
   // next auth
   '/next-auth/(.*)',
   // clerk
   '/login',
   '/signup',
+  // oauth
+  '/oidc/handoff',
+  '/oidc/token',
 ]);
 
 const isProtectedRoute = createRouteMatcher([
@@ -164,7 +170,7 @@ const isProtectedRoute = createRouteMatcher([
 ]);
 
 // Initialize an Edge compatible NextAuth middleware
-const nextAuthMiddleware = NextAuthEdge.auth((req) => {
+const nextAuthMiddleware = NextAuthEdge.auth(async (req) => {
   logNextAuth('NextAuth middleware processing request: %s %s', req.method, req.url);
 
   const response = defaultMiddleware(req);

package/src/server/globalConfig/genServerAiProviderConfig.test.ts

@@ -0,0 +1,235 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+import { ModelProvider } from '@/libs/model-runtime';
+import { AiFullModelCard } from '@/types/aiModel';
+
+import { genServerAiProvidersConfig } from './genServerAiProviderConfig';
+
+// Mock dependencies using importOriginal to preserve real provider data
+vi.mock('@/config/aiModels', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('@/config/aiModels')>();
+  return {
+    ...actual,
+    // Keep the original exports but we can override specific ones if needed
+  };
+});
+
+vi.mock('@/config/llm', () => ({
+  getLLMConfig: vi.fn(() => ({
+    ENABLED_OPENAI: true,
+    ENABLED_ANTHROPIC: false,
+    ENABLED_AI21: false,
+  })),
+}));
+
+vi.mock('@/utils/parseModels', () => ({
+  extractEnabledModels: vi.fn((providerId: string, modelString?: string) => {
+    if (!modelString) return undefined;
+    return [`${providerId}-model-1`, `${providerId}-model-2`];
+  }),
+  transformToAiModelList: vi.fn((params) => {
+    return params.defaultModels;
+  }),
+}));
+
+describe('genServerAiProvidersConfig', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Clear environment variables
+    Object.keys(process.env).forEach((key) => {
+      if (key.includes('MODEL_LIST')) {
+        delete process.env[key];
+      }
+    });
+  });
+
+  it('should generate basic provider config with default settings', () => {
+    const result = genServerAiProvidersConfig({});
+
+    expect(result).toHaveProperty('openai');
+    expect(result).toHaveProperty('anthropic');
+
+    expect(result.openai).toEqual({
+      enabled: true,
+      enabledModels: undefined,
+      serverModelLists: expect.any(Array),
+    });
+
+    expect(result.anthropic).toEqual({
+      enabled: false,
+      enabledModels: undefined,
+      serverModelLists: expect.any(Array),
+    });
+  });
+
+  it('should use custom enabled settings from specificConfig', () => {
+    const specificConfig = {
+      openai: {
+        enabled: false,
+      },
+      anthropic: {
+        enabled: true,
+      },
+    };
+
+    const result = genServerAiProvidersConfig(specificConfig);
+
+    expect(result.openai.enabled).toBe(false);
+    expect(result.anthropic.enabled).toBe(true);
+  });
+
+  it('should use custom enabledKey from specificConfig', async () => {
+    const specificConfig = {
+      openai: {
+        enabledKey: 'CUSTOM_OPENAI_ENABLED',
+      },
+    };
+
+    // Mock the LLM config to include our custom key
+    const { getLLMConfig } = vi.mocked(await import('@/config/llm'));
+    getLLMConfig.mockReturnValue({
+      ENABLED_OPENAI: true,
+      ENABLED_ANTHROPIC: false,
+      CUSTOM_OPENAI_ENABLED: true,
+    } as any);
+
+    const result = genServerAiProvidersConfig(specificConfig);
+
+    expect(result.openai.enabled).toBe(true);
+  });
+
+  it('should use environment variables for model lists', async () => {
+    process.env.OPENAI_MODEL_LIST = '+gpt-4,+gpt-3.5-turbo';
+
+    const { extractEnabledModels } = vi.mocked(await import('@/utils/parseModels'));
+    extractEnabledModels.mockReturnValue(['gpt-4', 'gpt-3.5-turbo']);
+
+    const result = genServerAiProvidersConfig({});
+
+    expect(extractEnabledModels).toHaveBeenCalledWith('openai', '+gpt-4,+gpt-3.5-turbo', false);
+    expect(result.openai.enabledModels).toEqual(['gpt-4', 'gpt-3.5-turbo']);
+  });
+
+  it('should use custom modelListKey from specificConfig', async () => {
+    const specificConfig = {
+      openai: {
+        modelListKey: 'CUSTOM_OPENAI_MODELS',
+      },
+    };
+
+    process.env.CUSTOM_OPENAI_MODELS = '+custom-model';
+
+    const { extractEnabledModels } = vi.mocked(await import('@/utils/parseModels'));
+
+    genServerAiProvidersConfig(specificConfig);
+
+    expect(extractEnabledModels).toHaveBeenCalledWith('openai', '+custom-model', false);
+  });
+
+  it('should handle withDeploymentName option', async () => {
+    const specificConfig = {
+      openai: {
+        withDeploymentName: true,
+      },
+    };
+
+    process.env.OPENAI_MODEL_LIST = '+gpt-4->deployment1';
+
+    const { extractEnabledModels, transformToAiModelList } = vi.mocked(
+      await import('@/utils/parseModels'),
+    );
+
+    genServerAiProvidersConfig(specificConfig);
+
+    expect(extractEnabledModels).toHaveBeenCalledWith('openai', '+gpt-4->deployment1', true);
+    expect(transformToAiModelList).toHaveBeenCalledWith({
+      defaultModels: expect.any(Array),
+      modelString: '+gpt-4->deployment1',
+      providerId: 'openai',
+      withDeploymentName: true,
+    });
+  });
+
+  it('should include fetchOnClient when specified in config', () => {
+    const specificConfig = {
+      openai: {
+        fetchOnClient: true,
+      },
+    };
+
+    const result = genServerAiProvidersConfig(specificConfig);
+
+    expect(result.openai).toHaveProperty('fetchOnClient', true);
+  });
+
+  it('should not include fetchOnClient when not specified in config', () => {
+    const result = genServerAiProvidersConfig({});
+
+    expect(result.openai).not.toHaveProperty('fetchOnClient');
+  });
+
+  it('should handle all available providers', () => {
+    const result = genServerAiProvidersConfig({});
+
+    // Check that result includes some key providers
+    expect(result).toHaveProperty('openai');
+    expect(result).toHaveProperty('anthropic');
+
+    // Check structure for each provider
+    Object.keys(result).forEach((provider) => {
+      expect(result[provider]).toHaveProperty('enabled');
+      expect(result[provider]).toHaveProperty('serverModelLists');
+      // enabled can be boolean or undefined (when no config is provided)
+      expect(['boolean', 'undefined']).toContain(typeof result[provider].enabled);
+      expect(Array.isArray(result[provider].serverModelLists)).toBe(true);
+    });
+  });
+});
+
+describe('genServerAiProvidersConfig Error Handling', () => {
+  it('should throw error when a provider is not found in aiModels', async () => {
+    // Reset all mocks to create a clean test environment
+    vi.resetModules();
+
+    // Mock dependencies with a missing provider scenario
+    vi.doMock('@/config/aiModels', () => ({
+      // Explicitly set openai to undefined to simulate missing provider
+      openai: undefined,
+      anthropic: [
+        {
+          id: 'claude-3',
+          displayName: 'Claude 3',
+          type: 'chat',
+          enabled: true,
+        },
+      ],
+    }));
+
+    vi.doMock('@/config/llm', () => ({
+      getLLMConfig: vi.fn(() => ({})),
+    }));
+
+    vi.doMock('@/utils/parseModels', () => ({
+      extractEnabledModels: vi.fn(() => undefined),
+      transformToAiModelList: vi.fn(() => []),
+    }));
+
+    // Mock ModelProvider to include the missing provider
+    vi.doMock('@/libs/model-runtime', () => ({
+      ModelProvider: {
+        openai: 'openai', // This exists in enum
+        anthropic: 'anthropic', // This exists in both enum and aiModels
+      },
+    }));
+
+    // Import the function with the new mocks
+    const { genServerAiProvidersConfig } = await import(
+      './genServerAiProviderConfig?v=' + Date.now()
+    );
+
+    // This should throw because 'openai' is in ModelProvider but not in aiModels
+    expect(() => {
+      genServerAiProvidersConfig({});
+    }).toThrow();
+  });
+});