@lobehub/lobehub 2.0.0-next.124 → 2.0.0-next.126

package/src/libs/better-auth/sso/providers/zitadel.ts

@@ -0,0 +1,54 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig, pickEnv } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+type ZitadelEnv = {
+  AUTH_ZITADEL_ID?: string;
+  AUTH_ZITADEL_ISSUER?: string;
+  AUTH_ZITADEL_SECRET?: string;
+  ZITADEL_CLIENT_ID?: string;
+  ZITADEL_CLIENT_SECRET?: string;
+  ZITADEL_ISSUER?: string;
+};
+
+const getClientId = (env: ZitadelEnv) => {
+  return pickEnv(env.ZITADEL_CLIENT_ID, env.AUTH_ZITADEL_ID);
+};
+
+const getClientSecret = (env: ZitadelEnv) => {
+  return pickEnv(env.ZITADEL_CLIENT_SECRET, env.AUTH_ZITADEL_SECRET);
+};
+
+const getIssuer = (env: ZitadelEnv) => {
+  return pickEnv(env.ZITADEL_ISSUER, env.AUTH_ZITADEL_ISSUER);
+};
+
+const provider: GenericProviderDefinition<ZitadelEnv> = {
+  build: (env) =>
+    buildOidcConfig({
+      clientId: getClientId(env)!,
+      clientSecret: getClientSecret(env)!,
+      issuer: getIssuer(env)!,
+      providerId: 'zitadel',
+    }),
+  checkEnvs: () => {
+    const clientId = getClientId(authEnv);
+    const clientSecret = getClientSecret(authEnv);
+    const issuer = getIssuer(authEnv);
+    return !!(clientId && clientSecret && issuer)
+      ? {
+          AUTH_ZITADEL_ID: authEnv.AUTH_ZITADEL_ID,
+          AUTH_ZITADEL_ISSUER: authEnv.AUTH_ZITADEL_ISSUER,
+          AUTH_ZITADEL_SECRET: authEnv.AUTH_ZITADEL_SECRET,
+          ZITADEL_CLIENT_ID: authEnv.ZITADEL_CLIENT_ID,
+          ZITADEL_CLIENT_SECRET: authEnv.ZITADEL_CLIENT_SECRET,
+          ZITADEL_ISSUER: authEnv.ZITADEL_ISSUER,
+        }
+      : false;
+  },
+  id: 'zitadel',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/types.ts

@@ -0,0 +1,25 @@
+import type { GenericOAuthConfig } from 'better-auth/plugins';
+import type { SocialProviders } from 'better-auth/social-providers';
+
+export type BuiltinProviderDefinition<
+  E extends Record<string, string | undefined>,
+  Id extends keyof SocialProviders = keyof SocialProviders,
+> = {
+  aliases?: string[];
+  build: (env: E) => SocialProviders[Id];
+  checkEnvs: () => E | false;
+  id: Id;
+  type: 'builtin';
+};
+
+export type GenericProviderDefinition<E extends Record<string, string | undefined>> = {
+  aliases?: string[];
+  build: (env: E) => GenericOAuthConfig;
+  checkEnvs: () => E | false;
+  id: string;
+  type: 'generic';
+};
+
+export type BetterAuthProviderDefinition =
+  | BuiltinProviderDefinition<Record<string, string | undefined>>
+  | GenericProviderDefinition<Record<string, string | undefined>>;

package/src/libs/better-auth/utils/client.ts

@@ -0,0 +1 @@
+export { isBuiltinProvider, normalizeProviderId } from './common';

package/src/libs/better-auth/utils/common.ts

@@ -0,0 +1,20 @@
+import { BUILTIN_BETTER_AUTH_PROVIDERS, PROVIDER_ALIAS_MAP } from '@/libs/better-auth/constants';
+
+/**
+ * Normalize provider id using configured alias map (e.g. microsoft-entra-id -> microsoft).
+ */
+export const normalizeProviderId = (provider: string) => {
+  return PROVIDER_ALIAS_MAP[provider] || provider;
+};
+
+/**
+ * Check whether a provider is handled by Better-Auth's built-in social providers.
+ * Uses alias normalization so callers can pass either canonical ids or aliases.
+ */
+export const isBuiltinProvider = (provider: string) => {
+  const normalized = normalizeProviderId(provider);
+
+  return BUILTIN_BETTER_AUTH_PROVIDERS.includes(
+    normalized as (typeof BUILTIN_BETTER_AUTH_PROVIDERS)[number],
+  );
+};

package/src/libs/better-auth/utils/server.test.ts

@@ -0,0 +1,61 @@
+import { describe, expect, it } from 'vitest';
+
+import { parseSSOProviders } from './server';
+
+describe('parseSSOProviders', () => {
+  it('should return empty array when input is undefined', () => {
+    expect(parseSSOProviders(undefined)).toEqual([]);
+  });
+
+  it('should return empty array when input is empty string', () => {
+    expect(parseSSOProviders('')).toEqual([]);
+  });
+
+  it('should return empty array when input contains only whitespace', () => {
+    expect(parseSSOProviders('   ')).toEqual([]);
+  });
+
+  it('should parse single provider', () => {
+    expect(parseSSOProviders('google')).toEqual(['google']);
+  });
+
+  it('should parse multiple providers separated by English comma', () => {
+    expect(parseSSOProviders('google,github,microsoft')).toEqual(['google', 'github', 'microsoft']);
+  });
+
+  it('should parse multiple providers separated by Chinese comma', () => {
+    expect(parseSSOProviders('google，github，microsoft')).toEqual([
+      'google',
+      'github',
+      'microsoft',
+    ]);
+  });
+
+  it('should parse providers with mixed comma separators', () => {
+    expect(parseSSOProviders('google,github，microsoft')).toEqual([
+      'google',
+      'github',
+      'microsoft',
+    ]);
+  });
+
+  it('should trim whitespace from providers', () => {
+    expect(parseSSOProviders(' google , github , microsoft ')).toEqual([
+      'google',
+      'github',
+      'microsoft',
+    ]);
+  });
+
+  it('should filter out empty entries', () => {
+    expect(parseSSOProviders('google,,github,，,microsoft')).toEqual([
+      'google',
+      'github',
+      'microsoft',
+    ]);
+  });
+
+  it('should trim leading and trailing whitespace from input', () => {
+    expect(parseSSOProviders('  google,github  ')).toEqual(['google', 'github']);
+  });
+});

package/src/libs/better-auth/utils/server.ts

@@ -0,0 +1,18 @@
+/**
+ * Parse Better-Auth SSO providers from environment variable
+ * Supports comma-separated list (both English and Chinese commas)
+ * @param providersEnv - Raw environment variable value (e.g., "google,github")
+ * @returns Array of enabled provider names
+ */
+export const parseSSOProviders = (providersEnv?: string): string[] => {
+  const providers = providersEnv?.trim();
+
+  if (!providers) {
+    return [];
+  }
+
+  return providers
+    .split(/[,，]/)
+    .map((p) => p.trim())
+    .filter(Boolean);
+};

package/src/libs/trpc/lambda/context.test.ts

@@ -0,0 +1,116 @@
+import { describe, expect, it } from 'vitest';
+
+import { createContextInner } from './context';
+
+describe('createContextInner', () => {
+  it('should create context with default values when no params provided', async () => {
+    const context = await createContextInner();
+
+    expect(context).toMatchObject({
+      authorizationHeader: undefined,
+      clerkAuth: undefined,
+      marketAccessToken: undefined,
+      nextAuth: undefined,
+      oidcAuth: undefined,
+      userAgent: undefined,
+      userId: undefined,
+    });
+    expect(context.resHeaders).toBeInstanceOf(Headers);
+  });
+
+  it('should create context with userId', async () => {
+    const context = await createContextInner({ userId: 'user-123' });
+
+    expect(context.userId).toBe('user-123');
+  });
+
+  it('should create context with authorization header', async () => {
+    const context = await createContextInner({
+      authorizationHeader: 'Bearer token-abc',
+    });
+
+    expect(context.authorizationHeader).toBe('Bearer token-abc');
+  });
+
+  it('should create context with user agent', async () => {
+    const context = await createContextInner({
+      userAgent: 'Mozilla/5.0',
+    });
+
+    expect(context.userAgent).toBe('Mozilla/5.0');
+  });
+
+  it('should create context with market access token', async () => {
+    const context = await createContextInner({
+      marketAccessToken: 'mp-token-xyz',
+    });
+
+    expect(context.marketAccessToken).toBe('mp-token-xyz');
+  });
+
+  it('should create context with OIDC auth data', async () => {
+    const oidcAuth = {
+      sub: 'oidc-user-123',
+      payload: { iss: 'https://issuer.com', aud: 'client-id' },
+    };
+
+    const context = await createContextInner({ oidcAuth });
+
+    expect(context.oidcAuth).toEqual(oidcAuth);
+  });
+
+  it('should create context with Clerk auth data', async () => {
+    const clerkAuth = {
+      userId: 'clerk-user-id',
+      sessionId: 'session-id',
+      getToken: async () => 'clerk-token',
+    } as any;
+
+    const context = await createContextInner({ clerkAuth });
+
+    expect(context.clerkAuth).toBe(clerkAuth);
+  });
+
+  it('should create context with NextAuth user data', async () => {
+    const nextAuth = {
+      id: 'next-auth-user-id',
+      name: 'Test User',
+      email: 'test@example.com',
+    };
+
+    const context = await createContextInner({ nextAuth });
+
+    expect(context.nextAuth).toEqual(nextAuth);
+  });
+
+  it('should create context with all parameters combined', async () => {
+    const params = {
+      authorizationHeader: 'Bearer token',
+      userId: 'user-123',
+      userAgent: 'Test Agent',
+      marketAccessToken: 'mp-token',
+      oidcAuth: {
+        sub: 'oidc-sub',
+        payload: { data: 'test' },
+      },
+    };
+
+    const context = await createContextInner(params);
+
+    expect(context).toMatchObject({
+      authorizationHeader: 'Bearer token',
+      userId: 'user-123',
+      userAgent: 'Test Agent',
+      marketAccessToken: 'mp-token',
+      oidcAuth: { sub: 'oidc-sub', payload: { data: 'test' } },
+    });
+  });
+
+  it('should always include response headers', async () => {
+    const context1 = await createContextInner();
+    const context2 = await createContextInner({ userId: 'test' });
+
+    expect(context1.resHeaders).toBeInstanceOf(Headers);
+    expect(context2.resHeaders).toBeInstanceOf(Headers);
+  });
+});

package/src/libs/trpc/lambda/context.ts

@@ -7,6 +7,7 @@ import { NextRequest } from 'next/server';
 import {
   LOBE_CHAT_AUTH_HEADER,
   LOBE_CHAT_OIDC_AUTH_HEADER,
+  enableBetterAuth,
   enableClerk,
   enableNextAuth,
 } from '@/const/auth';
@@ -163,6 +164,32 @@ export const createLambdaContext = async (request: NextRequest): Promise<LambdaC
     });
   }
 
+  if (enableBetterAuth) {
+    log('Attempting Better Auth authentication');
+    try {
+      const { auth: betterAuth } = await import('@/auth');
+
+      const session = await betterAuth.api.getSession({
+        headers: request.headers,
+      });
+
+      if (session && session?.user?.id) {
+        userId = session.user.id;
+        log('Better Auth authentication successful, userId: %s', userId);
+      } else {
+        log('Better Auth authentication failed, no valid session');
+      }
+
+      return createContextInner({
+        ...commonContext,
+        userId,
+      });
+    } catch (e) {
+      log('Better Auth authentication error: %O', e);
+      console.error('better auth err', e);
+    }
+  }
+
   if (enableNextAuth) {
     log('Attempting NextAuth authentication');
     try {

package/src/libs/trpc/middleware/userAuth.ts

@@ -1,6 +1,6 @@
 import { TRPCError } from '@trpc/server';
 
-import { enableClerk } from '@/const/auth';
+import { enableBetterAuth, enableClerk, enableNextAuth } from '@/const/auth';
 import { DESKTOP_USER_ID } from '@/const/desktop';
 import { isDesktop } from '@/const/version';
 
@@ -19,7 +19,9 @@ export const userAuth = trpc.middleware(async (opts) => {
   if (!ctx.userId) {
     if (enableClerk) {
       console.log('clerk auth:', ctx.clerkAuth);
-    } else {
+    } else if (enableBetterAuth) {
+      console.log('better auth: no session found in context');
+    } else if (enableNextAuth) {
       console.log('next auth:', ctx.nextAuth);
     }
     throw new TRPCError({ code: 'UNAUTHORIZED' });

package/src/locales/default/auth.ts

@@ -52,6 +52,104 @@ export default {
       required: '内容不得为空',
     },
   },
+  betterAuth: {
+    errors: {
+      emailInvalid: '请输入有效的邮箱地址',
+      emailNotRegistered: '该邮箱尚未注册',
+      emailNotVerified: '邮箱尚未验证，请先验证邮箱',
+      emailRequired: '请输入邮箱地址',
+      firstNameRequired: '请输入名字',
+      lastNameRequired: '请输入姓氏',
+      loginFailed: '登录失败，请检查邮箱和密码',
+      passwordFormat: '密码必须同时包含字母和数字',
+      passwordMaxLength: '密码最多不超过 64 个字符',
+      passwordMinLength: '密码至少需要 8 个字符',
+      passwordRequired: '请输入密码',
+      usernameRequired: '请输入用户名',
+    },
+    resetPassword: {
+      backToSignIn: '返回登录',
+      confirmPasswordPlaceholder: '确认新密码',
+      confirmPasswordRequired: '请确认新密码',
+      description: '请输入您的新密码',
+      error: '重置密码失败，请重试',
+      invalidToken: '无效或已过期的重置链接',
+      newPasswordPlaceholder: '输入新密码',
+      passwordMismatch: '两次输入的密码不一致',
+      submit: '重置密码',
+      success: '密码重置成功，请使用新密码登录',
+      title: '重置密码',
+    },
+    signin: {
+      backToEmail: '返回修改邮箱',
+      continueWithAuth0: '使用 Auth0 登录',
+      continueWithAuthelia: '使用 Authelia 登录',
+      continueWithAuthentik: '使用 Authentik 登录',
+      continueWithCasdoor: '使用 Casdoor 登录',
+      continueWithCloudflareZeroTrust: '使用 Cloudflare Zero Trust 登录',
+      continueWithCognito: '使用 AWS Cognito 登录',
+      continueWithFeishu: '使用飞书登录',
+      continueWithGithub: '使用 GitHub 登录',
+      continueWithGoogle: '使用 Google 登录',
+      continueWithKeycloak: '使用 Keycloak 登录',
+      continueWithLogto: '使用 Logto 登录',
+      continueWithMicrosoft: '使用 Microsoft 登录',
+      continueWithOIDC: '使用 OIDC 登录',
+      continueWithOkta: '使用 Okta 登录',
+      continueWithWechat: '使用微信登录',
+      continueWithZitadel: '使用 Zitadel 登录',
+      emailPlaceholder: '请输入邮箱地址',
+      emailStep: {
+        subtitle: '请输入您的邮箱地址以继续',
+        title: '登录',
+      },
+      error: '登录失败，请检查邮箱和密码',
+      forgotPassword: '忘记密码？',
+      forgotPasswordError: '发送重置密码链接失败',
+      forgotPasswordSent: '重置密码链接已发送，请检查邮箱',
+      magicLinkButton: '发送登录链接',
+      magicLinkError: '发送登录链接失败，请稍后再试',
+      magicLinkSent: '登录链接已发送，请检查邮箱',
+      nextStep: '下一步',
+      noAccount: '还没有账号？',
+      orContinueWith: '或',
+      passwordPlaceholder: '请输入密码',
+      passwordStep: {
+        subtitle: '请输入密码以继续',
+      },
+      signupLink: '立即注册',
+      socialError: '社交登录失败，请重试',
+      socialOnlyHint: '该邮箱使用社交账号注册，请使用社交账号登录',
+      submit: '登录',
+    },
+    signup: {
+      emailPlaceholder: '请输入邮箱地址',
+      error: '注册失败，请重试',
+      firstNamePlaceholder: '名字',
+      hasAccount: '已有账号？',
+      lastNamePlaceholder: '姓氏',
+      passwordPlaceholder: '请输入密码',
+      signinLink: '立即登录',
+      submit: '注册',
+      subtitle: '加入 LobeChat 社区',
+      success: '注册成功！请检查您的邮箱验证邮件',
+      title: '创建账号',
+      usernamePlaceholder: '请输入用户名',
+    },
+    verifyEmail: {
+      backToSignIn: '返回登录',
+      checkSpam: '如果没有收到邮件，请检查垃圾邮件文件夹',
+      descriptionPrefix: '我们已向',
+      descriptionSuffix: '发送了验证邮件',
+      resend: {
+        button: '重新发送验证邮件',
+        error: '发送失败，请稍后重试',
+        noEmail: '邮箱地址缺失',
+        success: '验证邮件已重新发送，请检查您的邮箱',
+      },
+      title: '验证您的邮箱',
+    },
+  },
   date: {
     prevMonth: '上个月',
     recent30Days: '最近30天',
@@ -86,17 +184,32 @@ export default {
   loginOrSignup: '登录 / 注册',
   profile: {
     avatar: '头像',
+    cancel: '取消',
+    changePassword: '重置密码',
     email: '电子邮件地址',
+    fullName: '全名',
+    fullNameInputHint: '请输入新的全名',
+    password: '密码',
+    resetPasswordError: '发送密码重置链接失败',
+    resetPasswordSent: '密码重置链接已发送，请检查邮箱',
+    save: '保存',
     sso: {
+      link: {
+        button: '连接帐户',
+        success: '账户关联成功',
+      },
       loading: '正在加载已绑定的第三方账户',
       providers: '连接的帐户',
       unlink: {
         description:
-          '解绑后，您将无法使用 {{provider}} 账户“{{providerAccountId}}”登录。如果您需要重新绑定 {{provider}} 账户到当前账户，请确保 {{provider}} 账户的邮件地址为 {{email}} ，我们会在登陆时为你自动绑定到当前登录账户。',
+          '解绑后，您将无法使用 {{provider}} 账户"{{providerAccountId}}"登录。如果您需要重新绑定 {{provider}} 账户到当前账户，请确保 {{provider}} 账户的邮件地址为 {{email}} ，我们会在登陆时为你自动绑定到当前登录账户。',
         forbidden: '您至少需要保留一个第三方账户绑定。',
         title: '是否解绑该第三方账户 {{provider}} ？',
       },
     },
+    title: '个人资料详情',
+    updateAvatar: '更新头像',
+    updateFullName: '更新全名',
     username: '用户名',
   },
   signout: '退出登录',

package/src/proxy.ts

@@ -5,6 +5,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { UAParser } from 'ua-parser-js';
 import urlJoin from 'url-join';
 
+import { auth } from '@/auth';
 import { OAUTH_AUTHORIZED } from '@/const/auth';
 import { LOBE_LOCALE_COOKIE } from '@/const/locale';
 import { LOBE_THEME_APPEARANCE } from '@/const/theme';
@@ -21,6 +22,7 @@ import { RouteVariants } from './utils/server/routeVariants';
 const logDefault = debug('middleware:default');
 const logNextAuth = debug('middleware:next-auth');
 const logClerk = debug('middleware:clerk');
+const logBetterAuth = debug('middleware:better-auth');
 
 // OIDC session pre-sync constant
 const OIDC_SESSION_HEADER = 'x-oidc-session-sync';
@@ -47,10 +49,12 @@ export const config = {
 
     '/login(.*)',
     '/signup(.*)',
+    '/signin(.*)',
+    '/verify-email(.*)',
+    '/reset-password(.*)',
     '/next-auth/(.*)',
     '/oauth(.*)',
     '/oidc(.*)',
-    // ↓ cloud ↓
   ],
 };
 
@@ -129,8 +133,18 @@ const defaultMiddleware = (request: NextRequest) => {
   // / -> /zh-CN__0__dark
   // /discover -> /zh-CN__0__dark/discover
   // All SPA routes that use react-router-dom should be rewritten to just /${route}
-  const spaRoutes = ['/chat', '/discover', '/knowledge', '/settings', '/image', '/labs', '/changelog', '/profile', '/me'];
-  const isSpaRoute = spaRoutes.some(route => url.pathname.startsWith(route));
+  const spaRoutes = [
+    '/chat',
+    '/discover',
+    '/knowledge',
+    '/settings',
+    '/image',
+    '/labs',
+    '/changelog',
+    '/profile',
+    '/me',
+  ];
+  const isSpaRoute = spaRoutes.some((route) => url.pathname.startsWith(route));
 
   let nextPathname: string;
   if (isSpaRoute) {
@@ -142,7 +156,6 @@ const defaultMiddleware = (request: NextRequest) => {
     ? urlJoin(url.origin, nextPathname)
     : nextPathname;
 
-
   console.log('nextURL', nextURL);
 
   logDefault('URL rewrite: %O', {
@@ -194,6 +207,10 @@ const isPublicRoute = createRouteMatcher([
   // clerk
   '/login',
   '/signup',
+  // better auth
+  '/signin',
+  '/verify-email',
+  '/reset-password',
   // oauth
   // Make only the consent view public (GET page), not other oauth paths
   '/oauth/consent/(.*)',
@@ -304,8 +321,53 @@ const clerkAuthMiddleware = clerkMiddleware(
   },
 );
 
+const betterAuthMiddleware = async (req: NextRequest) => {
+  logBetterAuth('BetterAuth middleware processing request: %s %s', req.method, req.url);
+
+  const response = defaultMiddleware(req);
+
+  // when enable auth protection, only public route is not protected, others are all protected
+  const isProtected = appEnv.ENABLE_AUTH_PROTECTION ? !isPublicRoute(req) : isProtectedRoute(req);
+
+  logBetterAuth('Route protection status: %s, %s', req.url, isProtected ? 'protected' : 'public');
+
+  // Skip session lookup for public routes to reduce latency
+  if (!isProtected) return response;
+
+  // Get full session with user data (Next.js 15.2.0+ feature)
+  const session = await auth.api.getSession({
+    headers: req.headers,
+  });
+
+  const isLoggedIn = !!session?.user;
+
+  logBetterAuth('BetterAuth session status: %O', {
+    isLoggedIn,
+    userId: session?.user?.id,
+  });
+
+  if (!isLoggedIn) {
+    // If request a protected route, redirect to sign-in page
+    if (isProtected) {
+      logBetterAuth('Request a protected route, redirecting to sign-in page');
+      const signInUrl = new URL('/signin', req.nextUrl.origin);
+      signInUrl.searchParams.set('callbackUrl', req.nextUrl.href);
+      const hl = req.nextUrl.searchParams.get('hl');
+      if (hl) {
+        signInUrl.searchParams.set('hl', hl);
+        logBetterAuth('Preserving locale to sign-in: hl=%s', hl);
+      }
+      return Response.redirect(signInUrl);
+    }
+    logBetterAuth('Request a free route but not login, allow visit without auth header');
+  }
+
+  return response;
+};
+
 logDefault('Middleware configuration: %O', {
   enableAuthProtection: appEnv.ENABLE_AUTH_PROTECTION,
+  enableBetterAuth: authEnv.NEXT_PUBLIC_ENABLE_BETTER_AUTH,
   enableClerk: authEnv.NEXT_PUBLIC_ENABLE_CLERK_AUTH,
   enableNextAuth: authEnv.NEXT_PUBLIC_ENABLE_NEXT_AUTH,
   enableOIDC: oidcEnv.ENABLE_OIDC,
@@ -313,6 +375,8 @@ logDefault('Middleware configuration: %O', {
 
 export default authEnv.NEXT_PUBLIC_ENABLE_CLERK_AUTH
   ? clerkAuthMiddleware
-  : authEnv.NEXT_PUBLIC_ENABLE_NEXT_AUTH
-    ? nextAuthMiddleware
-    : defaultMiddleware;
+  : authEnv.NEXT_PUBLIC_ENABLE_BETTER_AUTH
+    ? betterAuthMiddleware
+    : authEnv.NEXT_PUBLIC_ENABLE_NEXT_AUTH
+      ? nextAuthMiddleware
+      : defaultMiddleware;

package/src/server/globalConfig/index.ts

@@ -5,6 +5,7 @@ import { fileEnv } from '@/envs/file';
 import { imageEnv } from '@/envs/image';
 import { knowledgeEnv } from '@/envs/knowledge';
 import { langfuseEnv } from '@/envs/langfuse';
+import { parseSSOProviders } from '@/libs/better-auth/utils/server';
 import { parseSystemAgent } from '@/server/globalConfig/parseSystemAgent';
 import { GlobalServerConfig } from '@/types/serverConfig';
 import { cleanObject } from '@/utils/object';
@@ -13,6 +14,14 @@ import { genServerAiProvidersConfig } from './genServerAiProviderConfig';
 import { parseAgentConfig } from './parseDefaultAgent';
 import { parseFilesConfig } from './parseFilesConfig';
 
+/**
+ * Get Better-Auth SSO providers list
+ * Parses AUTH_SSO_PROVIDERS and returns enabled providers
+ */
+const getBetterAuthSSOProviders = () => {
+  return parseSSOProviders(authEnv.AUTH_SSO_PROVIDERS);
+};
+
 export const getServerGlobalConfig = async () => {
   const { ACCESS_CODES, DEFAULT_AGENT_CONFIG } = getAppConfig();
 
@@ -63,7 +72,9 @@ export const getServerGlobalConfig = async () => {
     image: cleanObject({
       defaultImageNum: imageEnv.AI_IMAGE_DEFAULT_IMAGE_NUM,
     }),
-    oAuthSSOProviders: authEnv.NEXT_AUTH_SSO_PROVIDERS.trim().split(/[,，]/),
+    oAuthSSOProviders: authEnv.NEXT_PUBLIC_ENABLE_BETTER_AUTH
+      ? getBetterAuthSSOProviders()
+      : authEnv.NEXT_AUTH_SSO_PROVIDERS.trim().split(/[,，]/),
     systemAgent: parseSystemAgent(appEnv.SYSTEM_AGENT),
     telemetry: {
       langfuse: langfuseEnv.ENABLE_LANGFUSE,

package/src/server/routers/lambda/user.ts

@@ -198,6 +198,10 @@ export const userRouter = router({
     return ctx.userModel.updateUser({ avatar: input });
   }),
 
+  updateFullName: userProcedure.input(z.string()).mutation(async ({ ctx, input }) => {
+    return ctx.userModel.updateUser({ fullName: input });
+  }),
+
   updateGuide: userProcedure.input(UserGuideSchema).mutation(async ({ ctx, input }) => {
     return ctx.userModel.updateGuide(input);
   }),