@lobehub/lobehub 2.0.0-next.123 → 2.0.0-next.125

package/src/libs/better-auth/sso/providers/wechat.ts

@@ -0,0 +1,140 @@
+import { authEnv } from '@/envs/auth';
+
+import type { GenericProviderDefinition } from '../types';
+
+const WECHAT_AUTHORIZATION_URL = 'https://open.weixin.qq.com/connect/qrconnect';
+const WECHAT_TOKEN_URL = 'https://api.weixin.qq.com/sns/oauth2/access_token';
+const WECHAT_USERINFO_URL = 'https://api.weixin.qq.com/sns/userinfo';
+
+type WeChatTokenResponse = {
+  access_token?: string;
+  errcode?: number;
+  errmsg?: string;
+  expires_in?: number;
+  openid?: string;
+  refresh_token?: string;
+  scope?: string;
+  token_type?: string;
+  unionid?: string;
+};
+
+const parseWechatScopes = (scope: string | undefined) =>
+  scope ? scope.split(' ').filter(Boolean) : [];
+
+const provider: GenericProviderDefinition<{
+  AUTH_WECHAT_ID: string;
+  AUTH_WECHAT_SECRET: string;
+}> = {
+  build: (env) => {
+    const clientId = env.AUTH_WECHAT_ID;
+    const clientSecret = env.AUTH_WECHAT_SECRET;
+
+    return {
+      authorizationUrl: WECHAT_AUTHORIZATION_URL,
+      authorizationUrlParams: {
+        appid: clientId,
+        response_type: 'code',
+        scope: 'snsapi_login',
+      },
+      clientId,
+      clientSecret,
+      /**
+       * WeChat uses a non-standard token endpoint (GET with appid/secret/code)
+       * and returns openid/unionid alongside tokens, so we exchange the code
+       * manually instead of proxying through a custom API route.
+       */
+      getToken: async ({ code }) => {
+        const tokenUrl = new URL(WECHAT_TOKEN_URL);
+        tokenUrl.searchParams.set('appid', clientId);
+        tokenUrl.searchParams.set('secret', clientSecret);
+        tokenUrl.searchParams.set('code', code);
+        tokenUrl.searchParams.set('grant_type', 'authorization_code');
+
+        const response = await fetch(tokenUrl, { cache: 'no-store' });
+        const data = (await response.json()) as WeChatTokenResponse;
+
+        if (!response.ok || data.errcode) {
+          throw new Error(data.errmsg ?? 'Failed to fetch WeChat OAuth token');
+        }
+
+        if (!data.access_token || !data.openid) {
+          throw new Error('WeChat token response is missing required fields');
+        }
+
+        return {
+          accessToken: data.access_token,
+          accessTokenExpiresAt: data.expires_in
+            ? new Date(Date.now() + data.expires_in * 1000)
+            : undefined,
+          expiresIn: data.expires_in,
+          raw: data,
+          refreshToken: data.refresh_token,
+          refreshTokenExpiresAt: undefined,
+          scopes: parseWechatScopes(data.scope),
+          tokenType: data.token_type ?? 'Bearer',
+        };
+      },
+      /**
+       * Use openid/unionid returned in the token response; no custom scope encoding needed.
+       */
+      getUserInfo: async (tokens) => {
+        const accessToken = tokens.accessToken;
+        const openId = (tokens as { raw?: WeChatTokenResponse }).raw?.openid;
+        const unionId = (tokens as { raw?: WeChatTokenResponse }).raw?.unionid;
+
+        if (!accessToken || !openId) {
+          return null;
+        }
+
+        const url = new URL(WECHAT_USERINFO_URL);
+        url.searchParams.set('access_token', accessToken);
+        url.searchParams.set('openid', openId);
+        url.searchParams.set('lang', 'zh_CN');
+
+        const response = await fetch(url, { cache: 'no-store' });
+        if (!response.ok) {
+          return null;
+        }
+
+        const profile = (await response.json()) as {
+          headimgurl?: string;
+          nickname?: string;
+          unionid?: string;
+        };
+
+        const finalUnionId = unionId ?? profile.unionid ?? openId;
+        const syntheticEmail = `${finalUnionId}@wechat.lobehub`;
+
+        return {
+          email: syntheticEmail,
+          emailVerified: false,
+          id: finalUnionId,
+          image: profile.headimgurl,
+          name: profile.nickname ?? finalUnionId,
+          ...profile,
+        };
+      },
+
+      pkce: false,
+
+      providerId: 'wechat',
+
+      responseMode: 'query',
+
+      scopes: ['snsapi_login'],
+    };
+  },
+
+  checkEnvs: () => {
+    return !!(authEnv.AUTH_WECHAT_ID && authEnv.AUTH_WECHAT_SECRET)
+      ? {
+          AUTH_WECHAT_ID: authEnv.AUTH_WECHAT_ID,
+          AUTH_WECHAT_SECRET: authEnv.AUTH_WECHAT_SECRET,
+        }
+      : false;
+  },
+  id: 'wechat',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/zitadel.ts

@@ -0,0 +1,54 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig, pickEnv } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+type ZitadelEnv = {
+  AUTH_ZITADEL_ID?: string;
+  AUTH_ZITADEL_ISSUER?: string;
+  AUTH_ZITADEL_SECRET?: string;
+  ZITADEL_CLIENT_ID?: string;
+  ZITADEL_CLIENT_SECRET?: string;
+  ZITADEL_ISSUER?: string;
+};
+
+const getClientId = (env: ZitadelEnv) => {
+  return pickEnv(env.ZITADEL_CLIENT_ID, env.AUTH_ZITADEL_ID);
+};
+
+const getClientSecret = (env: ZitadelEnv) => {
+  return pickEnv(env.ZITADEL_CLIENT_SECRET, env.AUTH_ZITADEL_SECRET);
+};
+
+const getIssuer = (env: ZitadelEnv) => {
+  return pickEnv(env.ZITADEL_ISSUER, env.AUTH_ZITADEL_ISSUER);
+};
+
+const provider: GenericProviderDefinition<ZitadelEnv> = {
+  build: (env) =>
+    buildOidcConfig({
+      clientId: getClientId(env)!,
+      clientSecret: getClientSecret(env)!,
+      issuer: getIssuer(env)!,
+      providerId: 'zitadel',
+    }),
+  checkEnvs: () => {
+    const clientId = getClientId(authEnv);
+    const clientSecret = getClientSecret(authEnv);
+    const issuer = getIssuer(authEnv);
+    return !!(clientId && clientSecret && issuer)
+      ? {
+          AUTH_ZITADEL_ID: authEnv.AUTH_ZITADEL_ID,
+          AUTH_ZITADEL_ISSUER: authEnv.AUTH_ZITADEL_ISSUER,
+          AUTH_ZITADEL_SECRET: authEnv.AUTH_ZITADEL_SECRET,
+          ZITADEL_CLIENT_ID: authEnv.ZITADEL_CLIENT_ID,
+          ZITADEL_CLIENT_SECRET: authEnv.ZITADEL_CLIENT_SECRET,
+          ZITADEL_ISSUER: authEnv.ZITADEL_ISSUER,
+        }
+      : false;
+  },
+  id: 'zitadel',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/types.ts

@@ -0,0 +1,25 @@
+import type { GenericOAuthConfig } from 'better-auth/plugins';
+import type { SocialProviders } from 'better-auth/social-providers';
+
+export type BuiltinProviderDefinition<
+  E extends Record<string, string | undefined>,
+  Id extends keyof SocialProviders = keyof SocialProviders,
+> = {
+  aliases?: string[];
+  build: (env: E) => SocialProviders[Id];
+  checkEnvs: () => E | false;
+  id: Id;
+  type: 'builtin';
+};
+
+export type GenericProviderDefinition<E extends Record<string, string | undefined>> = {
+  aliases?: string[];
+  build: (env: E) => GenericOAuthConfig;
+  checkEnvs: () => E | false;
+  id: string;
+  type: 'generic';
+};
+
+export type BetterAuthProviderDefinition =
+  | BuiltinProviderDefinition<Record<string, string | undefined>>
+  | GenericProviderDefinition<Record<string, string | undefined>>;

package/src/libs/better-auth/utils/client.ts

@@ -0,0 +1 @@
+export { isBuiltinProvider, normalizeProviderId } from './common';

package/src/libs/better-auth/utils/common.ts

@@ -0,0 +1,20 @@
+import { BUILTIN_BETTER_AUTH_PROVIDERS, PROVIDER_ALIAS_MAP } from '@/libs/better-auth/constants';
+
+/**
+ * Normalize provider id using configured alias map (e.g. microsoft-entra-id -> microsoft).
+ */
+export const normalizeProviderId = (provider: string) => {
+  return PROVIDER_ALIAS_MAP[provider] || provider;
+};
+
+/**
+ * Check whether a provider is handled by Better-Auth's built-in social providers.
+ * Uses alias normalization so callers can pass either canonical ids or aliases.
+ */
+export const isBuiltinProvider = (provider: string) => {
+  const normalized = normalizeProviderId(provider);
+
+  return BUILTIN_BETTER_AUTH_PROVIDERS.includes(
+    normalized as (typeof BUILTIN_BETTER_AUTH_PROVIDERS)[number],
+  );
+};

package/src/libs/better-auth/utils/server.test.ts

@@ -0,0 +1,61 @@
+import { describe, expect, it } from 'vitest';
+
+import { parseSSOProviders } from './server';
+
+describe('parseSSOProviders', () => {
+  it('should return empty array when input is undefined', () => {
+    expect(parseSSOProviders(undefined)).toEqual([]);
+  });
+
+  it('should return empty array when input is empty string', () => {
+    expect(parseSSOProviders('')).toEqual([]);
+  });
+
+  it('should return empty array when input contains only whitespace', () => {
+    expect(parseSSOProviders('   ')).toEqual([]);
+  });
+
+  it('should parse single provider', () => {
+    expect(parseSSOProviders('google')).toEqual(['google']);
+  });
+
+  it('should parse multiple providers separated by English comma', () => {
+    expect(parseSSOProviders('google,github,microsoft')).toEqual(['google', 'github', 'microsoft']);
+  });
+
+  it('should parse multiple providers separated by Chinese comma', () => {
+    expect(parseSSOProviders('google，github，microsoft')).toEqual([
+      'google',
+      'github',
+      'microsoft',
+    ]);
+  });
+
+  it('should parse providers with mixed comma separators', () => {
+    expect(parseSSOProviders('google,github，microsoft')).toEqual([
+      'google',
+      'github',
+      'microsoft',
+    ]);
+  });
+
+  it('should trim whitespace from providers', () => {
+    expect(parseSSOProviders(' google , github , microsoft ')).toEqual([
+      'google',
+      'github',
+      'microsoft',
+    ]);
+  });
+
+  it('should filter out empty entries', () => {
+    expect(parseSSOProviders('google,,github,，,microsoft')).toEqual([
+      'google',
+      'github',
+      'microsoft',
+    ]);
+  });
+
+  it('should trim leading and trailing whitespace from input', () => {
+    expect(parseSSOProviders('  google,github  ')).toEqual(['google', 'github']);
+  });
+});

package/src/libs/better-auth/utils/server.ts

@@ -0,0 +1,18 @@
+/**
+ * Parse Better-Auth SSO providers from environment variable
+ * Supports comma-separated list (both English and Chinese commas)
+ * @param providersEnv - Raw environment variable value (e.g., "google,github")
+ * @returns Array of enabled provider names
+ */
+export const parseSSOProviders = (providersEnv?: string): string[] => {
+  const providers = providersEnv?.trim();
+
+  if (!providers) {
+    return [];
+  }
+
+  return providers
+    .split(/[,，]/)
+    .map((p) => p.trim())
+    .filter(Boolean);
+};

package/src/libs/trpc/lambda/context.test.ts

@@ -0,0 +1,116 @@
+import { describe, expect, it } from 'vitest';
+
+import { createContextInner } from './context';
+
+describe('createContextInner', () => {
+  it('should create context with default values when no params provided', async () => {
+    const context = await createContextInner();
+
+    expect(context).toMatchObject({
+      authorizationHeader: undefined,
+      clerkAuth: undefined,
+      marketAccessToken: undefined,
+      nextAuth: undefined,
+      oidcAuth: undefined,
+      userAgent: undefined,
+      userId: undefined,
+    });
+    expect(context.resHeaders).toBeInstanceOf(Headers);
+  });
+
+  it('should create context with userId', async () => {
+    const context = await createContextInner({ userId: 'user-123' });
+
+    expect(context.userId).toBe('user-123');
+  });
+
+  it('should create context with authorization header', async () => {
+    const context = await createContextInner({
+      authorizationHeader: 'Bearer token-abc',
+    });
+
+    expect(context.authorizationHeader).toBe('Bearer token-abc');
+  });
+
+  it('should create context with user agent', async () => {
+    const context = await createContextInner({
+      userAgent: 'Mozilla/5.0',
+    });
+
+    expect(context.userAgent).toBe('Mozilla/5.0');
+  });
+
+  it('should create context with market access token', async () => {
+    const context = await createContextInner({
+      marketAccessToken: 'mp-token-xyz',
+    });
+
+    expect(context.marketAccessToken).toBe('mp-token-xyz');
+  });
+
+  it('should create context with OIDC auth data', async () => {
+    const oidcAuth = {
+      sub: 'oidc-user-123',
+      payload: { iss: 'https://issuer.com', aud: 'client-id' },
+    };
+
+    const context = await createContextInner({ oidcAuth });
+
+    expect(context.oidcAuth).toEqual(oidcAuth);
+  });
+
+  it('should create context with Clerk auth data', async () => {
+    const clerkAuth = {
+      userId: 'clerk-user-id',
+      sessionId: 'session-id',
+      getToken: async () => 'clerk-token',
+    } as any;
+
+    const context = await createContextInner({ clerkAuth });
+
+    expect(context.clerkAuth).toBe(clerkAuth);
+  });
+
+  it('should create context with NextAuth user data', async () => {
+    const nextAuth = {
+      id: 'next-auth-user-id',
+      name: 'Test User',
+      email: 'test@example.com',
+    };
+
+    const context = await createContextInner({ nextAuth });
+
+    expect(context.nextAuth).toEqual(nextAuth);
+  });
+
+  it('should create context with all parameters combined', async () => {
+    const params = {
+      authorizationHeader: 'Bearer token',
+      userId: 'user-123',
+      userAgent: 'Test Agent',
+      marketAccessToken: 'mp-token',
+      oidcAuth: {
+        sub: 'oidc-sub',
+        payload: { data: 'test' },
+      },
+    };
+
+    const context = await createContextInner(params);
+
+    expect(context).toMatchObject({
+      authorizationHeader: 'Bearer token',
+      userId: 'user-123',
+      userAgent: 'Test Agent',
+      marketAccessToken: 'mp-token',
+      oidcAuth: { sub: 'oidc-sub', payload: { data: 'test' } },
+    });
+  });
+
+  it('should always include response headers', async () => {
+    const context1 = await createContextInner();
+    const context2 = await createContextInner({ userId: 'test' });
+
+    expect(context1.resHeaders).toBeInstanceOf(Headers);
+    expect(context2.resHeaders).toBeInstanceOf(Headers);
+  });
+});

package/src/libs/trpc/lambda/context.ts

@@ -7,6 +7,7 @@ import { NextRequest } from 'next/server';
 import {
   LOBE_CHAT_AUTH_HEADER,
   LOBE_CHAT_OIDC_AUTH_HEADER,
+  enableBetterAuth,
   enableClerk,
   enableNextAuth,
 } from '@/const/auth';
@@ -163,6 +164,32 @@ export const createLambdaContext = async (request: NextRequest): Promise<LambdaC
     });
   }
 
+  if (enableBetterAuth) {
+    log('Attempting Better Auth authentication');
+    try {
+      const { auth: betterAuth } = await import('@/auth');
+
+      const session = await betterAuth.api.getSession({
+        headers: request.headers,
+      });
+
+      if (session && session?.user?.id) {
+        userId = session.user.id;
+        log('Better Auth authentication successful, userId: %s', userId);
+      } else {
+        log('Better Auth authentication failed, no valid session');
+      }
+
+      return createContextInner({
+        ...commonContext,
+        userId,
+      });
+    } catch (e) {
+      log('Better Auth authentication error: %O', e);
+      console.error('better auth err', e);
+    }
+  }
+
   if (enableNextAuth) {
     log('Attempting NextAuth authentication');
     try {

package/src/libs/trpc/middleware/userAuth.ts

@@ -1,6 +1,6 @@
 import { TRPCError } from '@trpc/server';
 
-import { enableClerk } from '@/const/auth';
+import { enableBetterAuth, enableClerk, enableNextAuth } from '@/const/auth';
 import { DESKTOP_USER_ID } from '@/const/desktop';
 import { isDesktop } from '@/const/version';
 
@@ -19,7 +19,9 @@ export const userAuth = trpc.middleware(async (opts) => {
   if (!ctx.userId) {
     if (enableClerk) {
       console.log('clerk auth:', ctx.clerkAuth);
-    } else {
+    } else if (enableBetterAuth) {
+      console.log('better auth: no session found in context');
+    } else if (enableNextAuth) {
       console.log('next auth:', ctx.nextAuth);
     }
     throw new TRPCError({ code: 'UNAUTHORIZED' });

package/src/locales/default/auth.ts

@@ -52,6 +52,104 @@ export default {
       required: '内容不得为空',
     },
   },
+  betterAuth: {
+    errors: {
+      emailInvalid: '请输入有效的邮箱地址',
+      emailNotRegistered: '该邮箱尚未注册',
+      emailNotVerified: '邮箱尚未验证，请先验证邮箱',
+      emailRequired: '请输入邮箱地址',
+      firstNameRequired: '请输入名字',
+      lastNameRequired: '请输入姓氏',
+      loginFailed: '登录失败，请检查邮箱和密码',
+      passwordFormat: '密码必须同时包含字母和数字',
+      passwordMaxLength: '密码最多不超过 64 个字符',
+      passwordMinLength: '密码至少需要 8 个字符',
+      passwordRequired: '请输入密码',
+      usernameRequired: '请输入用户名',
+    },
+    resetPassword: {
+      backToSignIn: '返回登录',
+      confirmPasswordPlaceholder: '确认新密码',
+      confirmPasswordRequired: '请确认新密码',
+      description: '请输入您的新密码',
+      error: '重置密码失败，请重试',
+      invalidToken: '无效或已过期的重置链接',
+      newPasswordPlaceholder: '输入新密码',
+      passwordMismatch: '两次输入的密码不一致',
+      submit: '重置密码',
+      success: '密码重置成功，请使用新密码登录',
+      title: '重置密码',
+    },
+    signin: {
+      backToEmail: '返回修改邮箱',
+      continueWithAuth0: '使用 Auth0 登录',
+      continueWithAuthelia: '使用 Authelia 登录',
+      continueWithAuthentik: '使用 Authentik 登录',
+      continueWithCasdoor: '使用 Casdoor 登录',
+      continueWithCloudflareZeroTrust: '使用 Cloudflare Zero Trust 登录',
+      continueWithCognito: '使用 AWS Cognito 登录',
+      continueWithFeishu: '使用飞书登录',
+      continueWithGithub: '使用 GitHub 登录',
+      continueWithGoogle: '使用 Google 登录',
+      continueWithKeycloak: '使用 Keycloak 登录',
+      continueWithLogto: '使用 Logto 登录',
+      continueWithMicrosoft: '使用 Microsoft 登录',
+      continueWithOIDC: '使用 OIDC 登录',
+      continueWithOkta: '使用 Okta 登录',
+      continueWithWechat: '使用微信登录',
+      continueWithZitadel: '使用 Zitadel 登录',
+      emailPlaceholder: '请输入邮箱地址',
+      emailStep: {
+        subtitle: '请输入您的邮箱地址以继续',
+        title: '登录',
+      },
+      error: '登录失败，请检查邮箱和密码',
+      forgotPassword: '忘记密码？',
+      forgotPasswordError: '发送重置密码链接失败',
+      forgotPasswordSent: '重置密码链接已发送，请检查邮箱',
+      magicLinkButton: '发送登录链接',
+      magicLinkError: '发送登录链接失败，请稍后再试',
+      magicLinkSent: '登录链接已发送，请检查邮箱',
+      nextStep: '下一步',
+      noAccount: '还没有账号？',
+      orContinueWith: '或',
+      passwordPlaceholder: '请输入密码',
+      passwordStep: {
+        subtitle: '请输入密码以继续',
+      },
+      signupLink: '立即注册',
+      socialError: '社交登录失败，请重试',
+      socialOnlyHint: '该邮箱使用社交账号注册，请使用社交账号登录',
+      submit: '登录',
+    },
+    signup: {
+      emailPlaceholder: '请输入邮箱地址',
+      error: '注册失败，请重试',
+      firstNamePlaceholder: '名字',
+      hasAccount: '已有账号？',
+      lastNamePlaceholder: '姓氏',
+      passwordPlaceholder: '请输入密码',
+      signinLink: '立即登录',
+      submit: '注册',
+      subtitle: '加入 LobeChat 社区',
+      success: '注册成功！请检查您的邮箱验证邮件',
+      title: '创建账号',
+      usernamePlaceholder: '请输入用户名',
+    },
+    verifyEmail: {
+      backToSignIn: '返回登录',
+      checkSpam: '如果没有收到邮件，请检查垃圾邮件文件夹',
+      descriptionPrefix: '我们已向',
+      descriptionSuffix: '发送了验证邮件',
+      resend: {
+        button: '重新发送验证邮件',
+        error: '发送失败，请稍后重试',
+        noEmail: '邮箱地址缺失',
+        success: '验证邮件已重新发送，请检查您的邮箱',
+      },
+      title: '验证您的邮箱',
+    },
+  },
   date: {
     prevMonth: '上个月',
     recent30Days: '最近30天',
@@ -86,17 +184,32 @@ export default {
   loginOrSignup: '登录 / 注册',
   profile: {
     avatar: '头像',
+    cancel: '取消',
+    changePassword: '重置密码',
     email: '电子邮件地址',
+    fullName: '全名',
+    fullNameInputHint: '请输入新的全名',
+    password: '密码',
+    resetPasswordError: '发送密码重置链接失败',
+    resetPasswordSent: '密码重置链接已发送，请检查邮箱',
+    save: '保存',
     sso: {
+      link: {
+        button: '连接帐户',
+        success: '账户关联成功',
+      },
       loading: '正在加载已绑定的第三方账户',
       providers: '连接的帐户',
       unlink: {
         description:
-          '解绑后，您将无法使用 {{provider}} 账户“{{providerAccountId}}”登录。如果您需要重新绑定 {{provider}} 账户到当前账户，请确保 {{provider}} 账户的邮件地址为 {{email}} ，我们会在登陆时为你自动绑定到当前登录账户。',
+          '解绑后，您将无法使用 {{provider}} 账户"{{providerAccountId}}"登录。如果您需要重新绑定 {{provider}} 账户到当前账户，请确保 {{provider}} 账户的邮件地址为 {{email}} ，我们会在登陆时为你自动绑定到当前登录账户。',
         forbidden: '您至少需要保留一个第三方账户绑定。',
         title: '是否解绑该第三方账户 {{provider}} ？',
       },
     },
+    title: '个人资料详情',
+    updateAvatar: '更新头像',
+    updateFullName: '更新全名',
     username: '用户名',
   },
   signout: '退出登录',