@lobehub/lobehub 2.0.0-next.221 → 2.0.0-next.223

package/packages/utils/src/server/correctOIDCUrl.ts

@@ -5,29 +5,69 @@ import { validateRedirectHost } from './validateRedirectHost';
 
 const log = debug('lobe-oidc:correctOIDCUrl');
 
+// Allowed protocols for security
+const ALLOWED_PROTOCOLS = ['http', 'https'] as const;
+
 /**
  * Fix OIDC redirect URL issues in proxy environments
+ *
+ * This function:
+ * 1. Validates protocol against whitelist (http, https only)
+ * 2. Handles X-Forwarded-Host with multiple values (RFC 7239)
+ * 3. Validates X-Forwarded-Host against APP_URL to prevent open redirect attacks
+ * 4. Provides fallback logic for invalid forwarded values
+ *
+ * Note: Only X-Forwarded-Host is validated, not the Host header. This is because:
+ * - X-Forwarded-Host can be injected by attackers
+ * - Host header comes from the reverse proxy or direct access, which is trusted
+ *
  * @param req - Next.js request object
  * @param url - URL object to fix
  * @returns Fixed URL object
  */
 export const correctOIDCUrl = (req: NextRequest, url: URL): URL => {
+  log('Input URL: %s', url.toString());
+
+  // Get request headers for origin determination
   const requestHost = req.headers.get('host');
   const forwardedHost = req.headers.get('x-forwarded-host');
   const forwardedProto =
     req.headers.get('x-forwarded-proto') || req.headers.get('x-forwarded-protocol');
 
-  log('Input URL: %s', url.toString());
   log(
-    'Request headers - host: %s, x-forwarded-host: %s, x-forwarded-proto: %s',
+    'Getting safe origin - requestHost: %s, forwardedHost: %s, forwardedProto: %s',
     requestHost,
     forwardedHost,
     forwardedProto,
   );
 
-  // Determine actual hostname and protocol with fallback values
-  const actualHost = forwardedHost || requestHost;
-  const actualProto = forwardedProto || (url.protocol === 'https:' ? 'https' : 'http');
+  // Determine actual hostname with fallback values
+  // Handle multiple hosts in X-Forwarded-Host (RFC 7239: comma-separated)
+  let actualHost = forwardedHost || requestHost;
+  if (forwardedHost && forwardedHost.includes(',')) {
+    // Take the first (leftmost) host as the original client's request
+    actualHost = forwardedHost.split(',')[0]!.trim();
+    log('Multiple hosts in X-Forwarded-Host, using first: %s', actualHost);
+  }
+
+  // Determine actual protocol with validation
+  // Use URL's protocol as fallback to preserve original behavior
+  let actualProto: string | null | undefined = forwardedProto;
+  if (actualProto) {
+    // Validate protocol is http or https
+    const protoLower = actualProto.toLowerCase();
+    if (!ALLOWED_PROTOCOLS.includes(protoLower as any)) {
+      log('Warning: Invalid protocol %s, ignoring', actualProto);
+      actualProto = null;
+    } else {
+      actualProto = protoLower;
+    }
+  }
+
+  // Fallback protocol priority: URL protocol > request.nextUrl.protocol > 'https'
+  if (!actualProto) {
+    actualProto = url.protocol === 'https:' ? 'https' : 'http';
+  }
 
   // If unable to determine valid hostname, return original URL
   if (!actualHost || actualHost === 'null') {
@@ -35,9 +75,30 @@ export const correctOIDCUrl = (req: NextRequest, url: URL): URL => {
     return url;
   }
 
-  // Validate target host for security, prevent Open Redirect attacks
-  if (!validateRedirectHost(actualHost)) {
-    log('Warning: Target host %s failed validation, returning original URL', actualHost);
+  // Validate only X-Forwarded-Host for security, prevent Open Redirect attacks
+  // Host header is trusted (comes from reverse proxy or direct access)
+  if (forwardedHost && !validateRedirectHost(actualHost)) {
+    log('Warning: X-Forwarded-Host %s failed validation, falling back to request host', actualHost);
+    // Try to fall back to request host if forwarded host is invalid
+    if (requestHost) {
+      actualHost = requestHost;
+    } else {
+      // No valid host available
+      log('Error: No valid host available after validation, returning original URL');
+      return url;
+    }
+  }
+
+  // Build safe origin
+  const safeOrigin = `${actualProto}://${actualHost}`;
+  log('Safe origin: %s', safeOrigin);
+
+  // Parse safe origin to get hostname and protocol
+  let safeOriginUrl: URL;
+  try {
+    safeOriginUrl = new URL(safeOrigin);
+  } catch (error) {
+    log('Error parsing safe origin: %O', error);
     return url;
   }
 
@@ -46,24 +107,28 @@ export const correctOIDCUrl = (req: NextRequest, url: URL): URL => {
     url.hostname === 'localhost' ||
     url.hostname === '127.0.0.1' ||
     url.hostname === '0.0.0.0' ||
-    url.hostname !== actualHost;
+    url.hostname !== safeOriginUrl.hostname;
+
+  if (!needsCorrection) {
+    log('URL does not need correction, returning original: %s', url.toString());
+    return url;
+  }
 
-  if (needsCorrection) {
-    log('URL needs correction. Original hostname: %s, correcting to: %s', url.hostname, actualHost);
+  log(
+    'URL needs correction. Original hostname: %s, correcting to: %s',
+    url.hostname,
+    safeOriginUrl.hostname,
+  );
 
-    try {
-      const correctedUrl = new URL(url.toString());
-      correctedUrl.protocol = actualProto + ':';
-      correctedUrl.host = actualHost;
+  try {
+    const correctedUrl = new URL(url.toString());
+    correctedUrl.protocol = safeOriginUrl.protocol;
+    correctedUrl.host = safeOriginUrl.host;
 
-      log('Corrected URL: %s', correctedUrl.toString());
-      return correctedUrl;
-    } catch (error) {
-      log('Error creating corrected URL, returning original: %O', error);
-      return url;
-    }
+    log('Corrected URL: %s', correctedUrl.toString());
+    return correctedUrl;
+  } catch (error) {
+    log('Error creating corrected URL, returning original: %O', error);
+    return url;
   }
-
-  log('URL does not need correction, returning original: %s', url.toString());
-  return url;
 };

package/packages/utils/src/server/index.ts

@@ -3,4 +3,5 @@ export * from './correctOIDCUrl';
 export * from './response';
 export * from './responsive';
 export * from './sse';
+export * from './validateRedirectHost';
 export * from './xor';

package/packages/utils/src/server/xor.test.ts

@@ -1,5 +1,7 @@
 import { describe, expect, it } from 'vitest';
 
+import { SECRET_XOR_KEY } from '@/envs/auth';
+
 import { obfuscatePayloadWithXOR } from '../client/xor-obfuscation';
 import { getXorPayload } from './xor';
 
@@ -12,7 +14,7 @@ describe('getXorPayload', () => {
     };
 
     // 使用客户端的混淆函数生成token
-    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload, SECRET_XOR_KEY);
 
     // 使用服务端的解码函数解码
     const decodedPayload = getXorPayload(obfuscatedToken);
@@ -25,7 +27,7 @@ describe('getXorPayload', () => {
       userId: '12345',
     };
 
-    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload, SECRET_XOR_KEY);
     const decodedPayload = getXorPayload(obfuscatedToken);
 
     expect(decodedPayload).toEqual(originalPayload);
@@ -40,7 +42,7 @@ describe('getXorPayload', () => {
       awsSessionToken: 'session-token-example',
     };
 
-    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload, SECRET_XOR_KEY);
     const decodedPayload = getXorPayload(obfuscatedToken);
 
     expect(decodedPayload).toEqual(originalPayload);
@@ -54,7 +56,7 @@ describe('getXorPayload', () => {
       azureApiVersion: '2024-02-15-preview',
     };
 
-    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload, SECRET_XOR_KEY);
     const decodedPayload = getXorPayload(obfuscatedToken);
 
     expect(decodedPayload).toEqual(originalPayload);
@@ -67,7 +69,7 @@ describe('getXorPayload', () => {
       cloudflareBaseURLOrAccountID: 'account-id-example',
     };
 
-    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload, SECRET_XOR_KEY);
     const decodedPayload = getXorPayload(obfuscatedToken);
 
     expect(decodedPayload).toEqual(originalPayload);
@@ -76,7 +78,7 @@ describe('getXorPayload', () => {
   it('should handle empty payload correctly', () => {
     const originalPayload = {};
 
-    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload, SECRET_XOR_KEY);
     const decodedPayload = getXorPayload(obfuscatedToken);
 
     expect(decodedPayload).toEqual(originalPayload);
@@ -89,7 +91,7 @@ describe('getXorPayload', () => {
       apiKey: 'test-key',
     };
 
-    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload);
+    const obfuscatedToken = obfuscatePayloadWithXOR(originalPayload, SECRET_XOR_KEY);
     const decodedPayload = getXorPayload(obfuscatedToken);
 
     expect(decodedPayload).toEqual(originalPayload);

package/packages/utils/src/server/xor.ts

@@ -1,6 +1,6 @@
 import { ClientSecretPayload } from '@lobechat/types';
 
-import { SECRET_XOR_KEY } from '@/const/auth';
+import { SECRET_XOR_KEY } from '@/envs/auth';
 
 /**
  * Convert Base64 string to Uint8Array

package/packages/web-crawler/package.json

@@ -13,7 +13,7 @@
     "happy-dom": "^20.0.11",
     "node-html-markdown": "^1.3.0",
     "query-string": "^9.3.1",
-    "ssrf-safe-fetch": "workspace:*",
+    "@lobechat/ssrf-safe-fetch": "workspace:*",
     "url-join": "^5"
   }
 }

package/packages/web-crawler/src/crawImpl/__tests__/naive.test.ts

@@ -13,7 +13,7 @@ vi.mock('../../utils/withTimeout', () => ({
   withTimeout: vi.fn(),
 }));
 
-vi.mock('ssrf-safe-fetch', () => ({
+vi.mock('@lobechat/ssrf-safe-fetch', () => ({
   ssrfSafeFetch: vi.fn(),
 }));
 

package/packages/web-crawler/src/crawImpl/naive.ts

@@ -1,4 +1,4 @@
-import { ssrfSafeFetch } from 'ssrf-safe-fetch';
+import { ssrfSafeFetch } from '@lobechat/ssrf-safe-fetch';
 
 import { CrawlImpl, CrawlSuccessResult } from '../type';
 import { NetworkConnectionError, PageNotFoundError, TimeoutError } from '../utils/errorType';

package/scripts/prebuild.mts

@@ -1,3 +1,4 @@
+import { execSync } from 'node:child_process';
 import * as dotenv from 'dotenv';
 import dotenvExpand from 'dotenv-expand';
 import { existsSync } from 'node:fs';
@@ -14,6 +15,61 @@ if (isDesktop) {
 } else {
   dotenvExpand.expand(dotenv.config());
 }
+
+// Auth flags - use process.env directly for build-time dead code elimination
+const enableClerk =
+  process.env.NEXT_PUBLIC_ENABLE_CLERK_AUTH === '1'
+    ? true
+    : !!process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY;
+const enableBetterAuth = process.env.NEXT_PUBLIC_ENABLE_BETTER_AUTH === '1';
+const enableNextAuth = process.env.NEXT_PUBLIC_ENABLE_NEXT_AUTH === '1';
+const enableAuth = enableClerk || enableBetterAuth || enableNextAuth || false;
+
+const getCommandVersion = (command: string): string | null => {
+  try {
+    return execSync(`${command} --version`, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] })
+      .trim()
+      .split('\n')[0];
+  } catch {
+    return null;
+  }
+};
+
+const printEnvInfo = () => {
+  console.log('\n📋 Build Environment Info:');
+  console.log('─'.repeat(50));
+
+  // Runtime versions
+  console.log(`  Node.js: ${process.version}`);
+  console.log(`  npm: ${getCommandVersion('npm') ?? 'not installed'}`);
+
+  const bunVersion = getCommandVersion('bun');
+  if (bunVersion) console.log(`  bun: ${bunVersion}`);
+
+  const pnpmVersion = getCommandVersion('pnpm');
+  if (pnpmVersion) console.log(`  pnpm: ${pnpmVersion}`);
+
+  // Auth-related env vars
+  console.log('\n  Auth Environment Variables:');
+  console.log(`    NEXT_PUBLIC_AUTH_URL: ${process.env.NEXT_PUBLIC_AUTH_URL ?? '(not set)'}`);
+  console.log(`    NEXTAUTH_URL: ${process.env.NEXTAUTH_URL ?? '(not set)'}`);
+  console.log(`    APP_URL: ${process.env.APP_URL ?? '(not set)'}`);
+  console.log(`    VERCEL_URL: ${process.env.VERCEL_URL ?? '(not set)'}`);
+  console.log(`    AUTH_EMAIL_VERIFICATION: ${process.env.AUTH_EMAIL_VERIFICATION ?? '(not set)'}`);
+  console.log(`    ENABLE_MAGIC_LINK: ${process.env.ENABLE_MAGIC_LINK ?? '(not set)'}`);
+  console.log(`    AUTH_SECRET: ${process.env.AUTH_SECRET ? '✓ set' : '✗ not set'}`);
+  console.log(`    KEY_VAULTS_SECRET: ${process.env.KEY_VAULTS_SECRET ? '✓ set' : '✗ not set'}`);
+
+  // Auth flags
+  console.log('\n  Auth Flags:');
+  console.log(`    enableClerk: ${enableClerk}`);
+  console.log(`    enableBetterAuth: ${enableBetterAuth}`);
+  console.log(`    enableNextAuth: ${enableNextAuth}`);
+  console.log(`    enableAuth: ${enableAuth}`);
+
+  console.log('─'.repeat(50));
+};
+
 // 创建需要排除的特性映射
 /* eslint-disable sort-keys-fix/sort-keys-fix */
 const partialBuildPages = [
@@ -105,8 +161,9 @@ export const runPrebuild = async (targetDir: string = 'src') => {
 const isMainModule = process.argv[1] === fileURLToPath(import.meta.url);
 
 if (isMainModule) {
+  printEnvInfo();
   // 执行删除操作
-  console.log('Starting prebuild cleanup...');
+  console.log('\nStarting prebuild cleanup...');
   await runPrebuild();
   console.log('Prebuild cleanup completed.');
 }

package/src/app/(backend)/api/auth/[...all]/route.ts

@@ -1,6 +1,7 @@
-import { enableBetterAuth, enableNextAuth } from '@lobechat/const';
 import type { NextRequest } from 'next/server';
 
+import { enableBetterAuth, enableNextAuth } from '@/envs/auth';
+
 const createHandler = async () => {
   if (enableBetterAuth) {
     const [{ toNextJsHandler }, { auth }] = await Promise.all([

package/src/app/(backend)/middleware/auth/index.ts

@@ -8,15 +8,15 @@ import { ChatErrorType, type ClientSecretPayload } from '@lobechat/types';
 import { getXorPayload } from '@lobechat/utils/server';
 import { type NextRequest } from 'next/server';
 
+import { getServerDB } from '@/database/core/db-adaptor';
+import { type LobeChatDatabase } from '@/database/type';
 import {
   LOBE_CHAT_AUTH_HEADER,
   LOBE_CHAT_OIDC_AUTH_HEADER,
   OAUTH_AUTHORIZED,
   enableBetterAuth,
   enableClerk,
-} from '@/const/auth';
-import { getServerDB } from '@/database/core/db-adaptor';
-import { type LobeChatDatabase } from '@/database/type';
+} from '@/envs/auth';
 import { ClerkAuth } from '@/libs/clerk-auth';
 import { validateOIDCJWT } from '@/libs/oidc-provider/jwt';
 import { createErrorResponse } from '@/utils/errorResponse';

package/src/app/(backend)/middleware/auth/utils.test.ts

@@ -7,7 +7,7 @@ let enableClerkMock = false;
 let enableNextAuthMock = false;
 let enableBetterAuthMock = false;
 
-vi.mock('@/const/auth', async (importOriginal) => {
+vi.mock('@/envs/auth', async (importOriginal) => {
   const data = await importOriginal();
 
   return {

package/src/app/(backend)/middleware/auth/utils.ts

@@ -2,7 +2,7 @@ import { type AuthObject } from '@clerk/backend';
 import { AgentRuntimeError } from '@lobechat/model-runtime';
 import { ChatErrorType } from '@lobechat/types';
 
-import { enableBetterAuth, enableClerk, enableNextAuth } from '@/const/auth';
+import { enableBetterAuth, enableClerk, enableNextAuth } from '@/envs/auth';
 
 interface CheckAuthParams {
   apiKey?: string;

package/src/app/(backend)/oidc/callback/desktop/route.ts

@@ -10,41 +10,15 @@ const log = debug('lobe-oidc:callback:desktop');
 const errorPathname = '/oauth/callback/error';
 
 /**
- * 安全地构建重定向URL
+ * 安全地构建重定向URL，使用经过验证的 correctOIDCUrl 防止开放重定向攻击
  */
 const buildRedirectUrl = (req: NextRequest, pathname: string): URL => {
-  const forwardedHost = req.headers.get('x-forwarded-host');
-  const requestHost = req.headers.get('host');
-  const forwardedProto =
-    req.headers.get('x-forwarded-proto') || req.headers.get('x-forwarded-protocol');
-
-  // 确定实际的主机名，提供后备值
-  const actualHost = forwardedHost || requestHost;
-  const actualProto = forwardedProto || 'https';
-
-  log(
-    'Building redirect URL - host: %s, proto: %s, pathname: %s',
-    actualHost,
-    actualProto,
-    pathname,
-  );
-
-  // 如果主机名仍然无效，使用req.nextUrl作为后备
-  if (!actualHost) {
-    log('Warning: Invalid host detected, using req.nextUrl as fallback');
-    const fallbackUrl = req.nextUrl.clone();
-    fallbackUrl.pathname = pathname;
-    return fallbackUrl;
-  }
+  // 使用 req.nextUrl 作为基础URL，然后通过 correctOIDCUrl 进行验证和修正
+  const baseUrl = req.nextUrl.clone();
+  baseUrl.pathname = pathname;
 
-  try {
-    return new URL(`${actualProto}://${actualHost}${pathname}`);
-  } catch (error) {
-    log('Error constructing URL, using req.nextUrl as fallback: %O', error);
-    const fallbackUrl = req.nextUrl.clone();
-    fallbackUrl.pathname = pathname;
-    return fallbackUrl;
-  }
+  // correctOIDCUrl 会验证 X-Forwarded-* 头部并防止开放重定向攻击
+  return correctOIDCUrl(req, baseUrl);
 };
 
 export const GET = async (req: NextRequest) => {
@@ -82,9 +56,6 @@ export const GET = async (req: NextRequest) => {
     log('Request x-forwarded-proto: %s', req.headers.get('x-forwarded-proto'));
     log('Constructed success URL: %s', successUrl.toString());
 
-    const correctedUrl = correctOIDCUrl(req, successUrl);
-    log('Final redirect URL: %s', correctedUrl.toString());
-
     // cleanup expired
     after(async () => {
       const cleanedCount = await authHandoffModel.cleanupExpired();
@@ -92,7 +63,7 @@ export const GET = async (req: NextRequest) => {
       log('Cleaned up %d expired handoff records', cleanedCount);
     });
 
-    return NextResponse.redirect(correctedUrl);
+    return NextResponse.redirect(successUrl);
   } catch (error) {
     log('Error in OIDC callback: %O', error);
 

package/src/app/(backend)/webapi/chat/[provider]/route.test.ts

@@ -6,7 +6,7 @@ import { getXorPayload } from '@lobechat/utils/server';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
 import { checkAuthMethod } from '@/app/(backend)/middleware/auth/utils';
-import { LOBE_CHAT_AUTH_HEADER, OAUTH_AUTHORIZED } from '@/const/auth';
+import { LOBE_CHAT_AUTH_HEADER, OAUTH_AUTHORIZED } from '@/envs/auth';
 import { initModelRuntimeFromDB } from '@/server/modules/ModelRuntime';
 
 import { POST } from './route';
@@ -32,7 +32,7 @@ vi.mock('@/server/modules/ModelRuntime', () => ({
 const mockState = vi.hoisted(() => ({ enableClerk: false }));
 
 // 模拟 @/const/auth 模块
-vi.mock('@/const/auth', async (importOriginal) => {
+vi.mock('@/envs/auth', async (importOriginal) => {
   const modules = await importOriginal();
   return {
     ...(modules as any),

package/src/app/(backend)/webapi/models/[provider]/route.test.ts

@@ -4,7 +4,7 @@ import { ChatErrorType } from '@lobechat/types';
 import { getXorPayload } from '@lobechat/utils/server';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
-import { LOBE_CHAT_AUTH_HEADER } from '@/const/auth';
+import { LOBE_CHAT_AUTH_HEADER } from '@/envs/auth';
 import { initModelRuntimeFromDB } from '@/server/modules/ModelRuntime';
 
 import { GET } from './route';

package/src/app/(backend)/webapi/plugin/gateway/route.ts

@@ -3,9 +3,9 @@ import { ChatErrorType, TraceNameMap } from '@lobechat/types';
 import type { PluginRequestPayload } from '@lobehub/chat-plugin-sdk';
 import { createGatewayOnEdgeRuntime } from '@lobehub/chat-plugins-gateway';
 
-import { LOBE_CHAT_AUTH_HEADER } from '@/const/auth';
 import { LOBE_CHAT_TRACE_ID } from '@/const/trace';
 import { getAppConfig } from '@/envs/app';
+import { LOBE_CHAT_AUTH_HEADER } from '@/envs/auth';
 import { TraceClient } from '@/libs/traces';
 import { parserPluginSettings } from '@/server/services/pluginGateway/settings';
 import { getTracePayload } from '@/utils/trace';

package/src/app/(backend)/webapi/proxy/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server';
-import { ssrfSafeFetch } from 'ssrf-safe-fetch';
+import { ssrfSafeFetch } from '@lobechat/ssrf-safe-fetch';
 
 /**
  * just for a proxy

package/src/app/[variants]/(auth)/login/[[...login]]/page.tsx

@@ -2,7 +2,7 @@ import { SignIn } from '@clerk/nextjs';
 import { BRANDING_NAME } from '@lobechat/business-const';
 import { notFound } from 'next/navigation';
 
-import { enableClerk } from '@/const/auth';
+import { enableClerk } from '@/envs/auth';
 import { metadataModule } from '@/server/metadata';
 import { translation } from '@/server/translation';
 import { type DynamicLayoutProps } from '@/types/next';

package/src/app/[variants]/(auth)/reset-password/layout.tsx

@@ -1,7 +1,7 @@
 import { notFound } from 'next/navigation';
 import { type PropsWithChildren } from 'react';
 
-import { enableBetterAuth } from '@/const/auth';
+import { enableBetterAuth } from '@/envs/auth';
 
 const Layout = ({ children }: PropsWithChildren) => {
   if (!enableBetterAuth) return notFound();

package/src/app/[variants]/(auth)/signin/layout.tsx

@@ -1,7 +1,7 @@
 import { notFound } from 'next/navigation';
 import { type PropsWithChildren } from 'react';
 
-import { enableBetterAuth } from '@/const/auth';
+import { enableBetterAuth } from '@/envs/auth';
 
 const Layout = ({ children }: PropsWithChildren) => {
   if (!enableBetterAuth) return notFound();

package/src/app/[variants]/(auth)/signin/useSignIn.ts

@@ -8,10 +8,10 @@ import type { CheckUserResponseData } from '@/app/(backend)/api/auth/check-user/
 import type { ResolveUsernameResponseData } from '@/app/(backend)/api/auth/resolve-username/route';
 import { useBusinessSignin } from '@/business/client/hooks/useBusinessSignin';
 import { message } from '@/components/AntdStaticMethods';
-import { getAuthConfig } from '@/envs/auth';
 import { requestPasswordReset, signIn } from '@/libs/better-auth/auth-client';
 import { isBuiltinProvider, normalizeProviderId } from '@/libs/better-auth/utils/client';
 import { useServerConfigStore } from '@/store/serverConfig';
+import { serverConfigSelectors } from '@/store/serverConfig/selectors';
 
 import { EMAIL_REGEX, USERNAME_REGEX } from './SignInEmailStep';
 
@@ -31,7 +31,7 @@ export const useSignIn = () => {
   const { t } = useTranslation('auth');
   const router = useRouter();
   const searchParams = useSearchParams();
-  const { NEXT_PUBLIC_ENABLE_MAGIC_LINK: enableMagicLink } = getAuthConfig();
+  const enableMagicLink = useServerConfigStore(serverConfigSelectors.enableMagicLink);
   const [form] = Form.useForm<SignInFormValues>();
   const [loading, setLoading] = useState(false);
   const [socialLoading, setSocialLoading] = useState<string | null>(null);

package/src/app/[variants]/(auth)/signup/[[...signup]]/page.tsx

@@ -1,7 +1,7 @@
 import { SignUp } from '@clerk/nextjs';
 import { notFound } from 'next/navigation';
 
-import { enableBetterAuth, enableClerk } from '@/const/auth';
+import { enableBetterAuth, enableClerk } from '@/envs/auth';
 import { metadataModule } from '@/server/metadata';
 import { translation } from '@/server/translation';
 import { type DynamicLayoutProps } from '@/types/next';

package/src/app/[variants]/(auth)/signup/[[...signup]]/useSignUp.tsx

@@ -2,24 +2,30 @@ import { ENABLE_BUSINESS_FEATURES } from '@lobechat/business-const';
 import { form } from 'motion/react-m';
 import { useRouter, useSearchParams } from 'next/navigation';
 import { useState } from 'react';
+import { useTranslation } from 'react-i18next';
 
 import {
   BusinessSignupFomData,
   useBusinessSignup,
 } from '@/business/client/hooks/useBusinessSignup';
 import { message } from '@/components/AntdStaticMethods';
-import { authEnv } from '@/envs/auth';
 import { signUp } from '@/libs/better-auth/auth-client';
+import { useServerConfigStore } from '@/store/serverConfig';
+import { serverConfigSelectors } from '@/store/serverConfig/selectors';
 
 import { BaseSignUpFormValues } from './types';
 
 export type SignUpFormValues = BaseSignUpFormValues & BusinessSignupFomData;
 
 export const useSignUp = () => {
+  const { t } = useTranslation('auth');
   const router = useRouter();
   const searchParams = useSearchParams();
   const [loading, setLoading] = useState(false);
   const { getFetchOptions, preSocialSignupCheck, businessElement } = useBusinessSignup(form);
+  const enableEmailVerification = useServerConfigStore(
+    serverConfigSelectors.enableEmailVerification,
+  );
 
   const handleSignUp = async (values: SignUpFormValues) => {
     setLoading(true);
@@ -46,20 +52,20 @@ export const useSignUp = () => {
           (error as any)?.details?.cause?.code === '23505';
 
         if (isEmailDuplicate) {
-          message.error('betterAuth.errors.emailExists');
+          message.error(t('betterAuth.errors.emailExists'));
           return;
         }
 
         if (error.code === 'INVALID_EMAIL') {
-          message.error('betterAuth.errors.emailInvalid');
+          message.error(t('betterAuth.errors.emailInvalid'));
           return;
         }
 
-        message.error(error.message || 'betterAuth.signup.error');
+        message.error(error.message || t('betterAuth.signup.error'));
         return;
       }
 
-      if (authEnv.NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION) {
+      if (enableEmailVerification) {
         router.push(
           `/verify-email?email=${encodeURIComponent(values.email)}&callbackUrl=${encodeURIComponent(callbackUrl)}`,
         );
@@ -67,7 +73,7 @@ export const useSignUp = () => {
         router.push(callbackUrl);
       }
     } catch {
-      message.error('betterAuth.signup.error');
+      message.error(t('betterAuth.signup.error'));
     } finally {
       setLoading(false);
     }

package/src/app/[variants]/(auth)/verify-email/layout.tsx

@@ -1,7 +1,7 @@
 import { notFound } from 'next/navigation';
 import { type PropsWithChildren } from 'react';
 
-import { enableBetterAuth } from '@/const/auth';
+import { enableBetterAuth } from '@/envs/auth';
 
 const Layout = ({ children }: PropsWithChildren) => {
   if (!enableBetterAuth) return notFound();