@lobehub/lobehub 2.0.0-next.355 → 2.0.0-next.356

package/src/libs/better-auth/plugins/email-whitelist.test.ts

@@ -0,0 +1,120 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+// Get mocked module
+import { authEnv } from '@/envs/auth';
+
+import { isEmailAllowed } from './email-whitelist';
+
+// Mock authEnv
+vi.mock('@/envs/auth', () => ({
+  authEnv: {
+    AUTH_ALLOWED_EMAILS: undefined as string | undefined,
+  },
+}));
+
+describe('isEmailAllowed', () => {
+  beforeEach(() => {
+    // Reset to undefined before each test
+    (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS = undefined;
+  });
+
+  describe('when whitelist is empty', () => {
+    it('should allow all emails when AUTH_ALLOWED_EMAILS is undefined', () => {
+      expect(isEmailAllowed('anyone@example.com')).toBe(true);
+    });
+
+    it('should allow all emails when AUTH_ALLOWED_EMAILS is empty string', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS = '';
+      expect(isEmailAllowed('anyone@example.com')).toBe(true);
+    });
+  });
+
+  describe('domain matching', () => {
+    beforeEach(() => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        'example.com,company.org';
+    });
+
+    it('should allow email from whitelisted domain', () => {
+      expect(isEmailAllowed('user@example.com')).toBe(true);
+      expect(isEmailAllowed('admin@company.org')).toBe(true);
+    });
+
+    it('should reject email from non-whitelisted domain', () => {
+      expect(isEmailAllowed('user@other.com')).toBe(false);
+    });
+
+    it('should be case-sensitive for domain', () => {
+      expect(isEmailAllowed('user@Example.com')).toBe(false);
+      expect(isEmailAllowed('user@EXAMPLE.COM')).toBe(false);
+    });
+  });
+
+  describe('exact email matching', () => {
+    beforeEach(() => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        'admin@special.com,vip@other.com';
+    });
+
+    it('should allow exact email match', () => {
+      expect(isEmailAllowed('admin@special.com')).toBe(true);
+      expect(isEmailAllowed('vip@other.com')).toBe(true);
+    });
+
+    it('should reject different email at same domain', () => {
+      expect(isEmailAllowed('user@special.com')).toBe(false);
+    });
+
+    it('should be case-sensitive for email', () => {
+      expect(isEmailAllowed('Admin@special.com')).toBe(false);
+    });
+  });
+
+  describe('mixed domain and email matching', () => {
+    beforeEach(() => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        'example.com,admin@other.com';
+    });
+
+    it('should allow any email from whitelisted domain', () => {
+      expect(isEmailAllowed('anyone@example.com')).toBe(true);
+    });
+
+    it('should allow specific whitelisted email', () => {
+      expect(isEmailAllowed('admin@other.com')).toBe(true);
+    });
+
+    it('should reject non-whitelisted email from non-whitelisted domain', () => {
+      expect(isEmailAllowed('user@other.com')).toBe(false);
+    });
+  });
+
+  describe('whitespace handling', () => {
+    it('should trim whitespace from whitelist entries', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        ' example.com , admin@other.com ';
+      expect(isEmailAllowed('user@example.com')).toBe(true);
+      expect(isEmailAllowed('admin@other.com')).toBe(true);
+    });
+
+    it('should filter empty entries', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        'example.com,,other.com';
+      expect(isEmailAllowed('user@example.com')).toBe(true);
+      expect(isEmailAllowed('user@other.com')).toBe(true);
+    });
+  });
+
+  describe('edge cases', () => {
+    it('should reject malformed email without @', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS = 'example.com';
+      expect(isEmailAllowed('invalid-email')).toBe(false);
+    });
+
+    it('should handle email with multiple @ symbols', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS = 'example.com';
+      // split('@')[1] returns 'middle@example.com', which won't match 'example.com'
+      expect(isEmailAllowed('user@middle@example.com')).toBe(false);
+    });
+  });
+});

package/src/libs/better-auth/plugins/email-whitelist.ts

@@ -0,0 +1,62 @@
+import { APIError } from 'better-auth/api';
+import { type BetterAuthPlugin } from 'better-auth/types';
+
+import { authEnv } from '@/envs/auth';
+
+/**
+ * Parse comma-separated email whitelist string into array.
+ */
+function parseAllowedEmails(value: string | undefined): string[] {
+  if (!value) return [];
+  return value
+    .split(',')
+    .map((s) => s.trim())
+    .filter(Boolean);
+}
+
+/**
+ * Check if email is allowed based on whitelist.
+ * Supports full email (user@example.com) or domain (example.com).
+ */
+export function isEmailAllowed(email: string): boolean {
+  const allowedList = parseAllowedEmails(authEnv.AUTH_ALLOWED_EMAILS);
+  if (allowedList.length === 0) return true;
+
+  const domain = email.split('@')[1];
+
+  return allowedList.some((item) => {
+    // Full email match
+    if (item.includes('@')) return item === email;
+    // Domain match
+    return item === domain;
+  });
+}
+
+/**
+ * Better Auth plugin to restrict registration to whitelisted emails/domains.
+ * Intercepts user creation (both email signup and SSO) via databaseHooks.
+ */
+export const emailWhitelist = (): BetterAuthPlugin => ({
+  id: 'email-whitelist',
+  init() {
+    return {
+      options: {
+        databaseHooks: {
+          user: {
+            create: {
+              before: async (user) => {
+                if (!user.email) return { data: user };
+
+                if (!isEmailAllowed(user.email)) {
+                  throw new APIError('FORBIDDEN', { message: 'Email not allowed for registration' });
+                }
+
+                return { data: user };
+              },
+            },
+          },
+        },
+      },
+    };
+  },
+});

package/src/libs/next/config/define-config.ts

@@ -31,10 +31,22 @@ export function defineConfig(config: CustomNextConfig) {
     outputFileTracingIncludes: { '*': ['public/**/*', '.next/static/**/*'] },
   };
 
+  // Vercel serverless optimization: exclude musl binaries
+  // Vercel uses Amazon Linux (glibc), not Alpine Linux (musl)
+  // This saves ~45MB (29MB canvas-musl + 16MB sharp-musl)
+  const vercelConfig: NextConfig = {
+    outputFileTracingExcludes: {
+      '*': [
+        'node_modules/.pnpm/@napi-rs+canvas-*-musl*',
+        'node_modules/.pnpm/@img+sharp-libvips-*musl*',
+      ],
+    },
+  };
+
   const assetPrefix = process.env.NEXT_PUBLIC_ASSET_PREFIX;
 
   const nextConfig: NextConfig = {
-    ...(isStandaloneMode ? standaloneConfig : {}),
+    ...(isStandaloneMode ? standaloneConfig : vercelConfig),
     assetPrefix,
 
     compiler: {

package/src/libs/next/proxy/define-config.ts

@@ -7,8 +7,7 @@ import { auth } from '@/auth';
 import { LOBE_LOCALE_COOKIE } from '@/const/locale';
 import { isDesktop } from '@/const/version';
 import { appEnv } from '@/envs/app';
-import { OAUTH_AUTHORIZED, authEnv } from '@/envs/auth';
-import NextAuth from '@/libs/next-auth';
+import { authEnv } from '@/envs/auth';
 import { type Locales } from '@/locales/resources';
 import { parseBrowserLanguage } from '@/utils/locale';
 import { RouteVariants } from '@/utils/server/routeVariants';
@@ -17,12 +16,8 @@ import { createRouteMatcher } from './createRouteMatcher';
 
 // Create debug logger instances
 const logDefault = debug('middleware:default');
-const logNextAuth = debug('middleware:next-auth');
 const logBetterAuth = debug('middleware:better-auth');
 
-// OIDC session pre-sync constant
-const OIDC_SESSION_HEADER = 'x-oidc-session-sync';
-
 export function defineConfig() {
   const backendApiEndpoints = ['/api', '/trpc', '/webapi', '/oidc'];
 
@@ -169,8 +164,6 @@ export function defineConfig() {
     '/api/agent(.*)',
     '/webapi(.*)',
     '/trpc(.*)',
-    // next auth
-    '/next-auth/(.*)',
     // better auth
     '/signin',
     '/signup',
@@ -187,70 +180,6 @@ export function defineConfig() {
     '/share(.*)',
   ]);
 
-  const isProtectedRoute = createRouteMatcher([
-    '/settings(.*)',
-    '/knowledge(.*)',
-    '/onboard(.*)',
-    '/oauth(.*)',
-    // ↓ cloud ↓
-  ]);
-
-  // Initialize an Edge compatible NextAuth middleware
-  const nextAuthMiddleware = NextAuth.auth((req) => {
-    logNextAuth('NextAuth middleware processing request: %s %s', req.method, req.url);
-
-    const response = defaultMiddleware(req);
-
-    // when enable auth protection, only public route is not protected, others are all protected
-    const isProtected = appEnv.ENABLE_AUTH_PROTECTION ? !isPublicRoute(req) : isProtectedRoute(req);
-
-    logNextAuth('Route protection status: %s, %s', req.url, isProtected ? 'protected' : 'public');
-
-    // Just check if session exists
-    const session = req.auth;
-
-    // Check if next-auth throws errors
-    // refs: https://github.com/lobehub/lobe-chat/pull/1323
-    const isLoggedIn = !!session?.expires;
-
-    logNextAuth('NextAuth session status: %O', {
-      expires: session?.expires,
-      isLoggedIn,
-      userId: session?.user?.id,
-    });
-
-    // Remove & amend OAuth authorized header
-    response.headers.delete(OAUTH_AUTHORIZED);
-    if (isLoggedIn) {
-      logNextAuth('Setting auth header: %s = %s', OAUTH_AUTHORIZED, 'true');
-      response.headers.set(OAUTH_AUTHORIZED, 'true');
-
-      // If OIDC is enabled and user is logged in, add OIDC session pre-sync header
-      if (authEnv.ENABLE_OIDC && session?.user?.id) {
-        logNextAuth('OIDC session pre-sync: Setting %s = %s', OIDC_SESSION_HEADER, session.user.id);
-        response.headers.set(OIDC_SESSION_HEADER, session.user.id);
-      }
-    } else {
-      // If request a protected route, redirect to sign-in page
-      // ref: https://authjs.dev/getting-started/session-management/protecting
-      if (isProtected) {
-        logNextAuth('Request a protected route, redirecting to sign-in page');
-        const callbackUrl = `${appEnv.APP_URL}${req.nextUrl.pathname}${req.nextUrl.search}`;
-        const nextLoginUrl = new URL('/next-auth/signin', appEnv.APP_URL);
-        nextLoginUrl.searchParams.set('callbackUrl', callbackUrl);
-        const hl = req.nextUrl.searchParams.get('hl');
-        if (hl) {
-          nextLoginUrl.searchParams.set('hl', hl);
-          logNextAuth('Preserving locale to sign-in: hl=%s', hl);
-        }
-        return Response.redirect(nextLoginUrl);
-      }
-      logNextAuth('Request a free route but not login, allow visit without auth header');
-    }
-
-    return response;
-  });
-
   const betterAuthMiddleware = async (req: NextRequest) => {
     logBetterAuth('BetterAuth middleware processing request: %s %s', req.method, req.url);
 
@@ -298,12 +227,10 @@ export function defineConfig() {
 
   logDefault('Middleware configuration: %O', {
     enableAuthProtection: appEnv.ENABLE_AUTH_PROTECTION,
-    enableBetterAuth: authEnv.NEXT_PUBLIC_ENABLE_BETTER_AUTH,
-    enableNextAuth: authEnv.NEXT_PUBLIC_ENABLE_NEXT_AUTH,
     enableOIDC: authEnv.ENABLE_OIDC,
   });
 
   return {
-    middleware: authEnv.NEXT_PUBLIC_ENABLE_NEXT_AUTH ? nextAuthMiddleware : betterAuthMiddleware,
+    middleware: betterAuthMiddleware,
   };
 }

package/src/libs/oidc-provider/provider.test.ts

@@ -4,10 +4,6 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
 // Mock dependencies
-vi.mock('@/envs/auth', () => ({
-  enableBetterAuth: false,
-  enableNextAuth: false,
-}));
 
 vi.mock('@/envs/app', () => ({
   appEnv: {

package/src/libs/redis/index.ts

@@ -2,5 +2,4 @@ export * from './keys';
 export * from './manager';
 export * from './redis';
 export * from './types';
-export * from './upstash';
 export * from './utils';

package/src/libs/redis/manager.test.ts

@@ -1,23 +1,15 @@
 import { afterEach, describe, expect, it, vi } from 'vitest';
 
 import { RedisManager, initializeRedis, resetRedisClient } from './manager';
-import { DisabledRedisConfig } from './types';
+import { RedisConfig } from './types';
 
-const {
-  mockIoRedisInitialize,
-  mockIoRedisDisconnect,
-  mockUpstashInitialize,
-  mockUpstashDisconnect,
-} = vi.hoisted(() => ({
+const { mockIoRedisInitialize, mockIoRedisDisconnect } = vi.hoisted(() => ({
   mockIoRedisInitialize: vi.fn().mockResolvedValue(undefined),
   mockIoRedisDisconnect: vi.fn().mockResolvedValue(undefined),
-  mockUpstashInitialize: vi.fn().mockResolvedValue(undefined),
-  mockUpstashDisconnect: vi.fn().mockResolvedValue(undefined),
 }));
 
 vi.mock('./redis', () => {
   const IoRedisRedisProvider = vi.fn().mockImplementation((config) => ({
-    provider: 'redis' as const,
     config,
     initialize: mockIoRedisInitialize,
     disconnect: mockIoRedisDisconnect,
@@ -26,20 +18,9 @@ vi.mock('./redis', () => {
   return { IoRedisRedisProvider };
 });
 
-vi.mock('./upstash', () => {
-  const UpstashRedisProvider = vi.fn().mockImplementation((config) => ({
-    provider: 'upstash' as const,
-    config,
-    initialize: mockUpstashInitialize,
-    disconnect: mockUpstashDisconnect,
-  }));
-
-  return { UpstashRedisProvider };
-});
-
 afterEach(async () => {
-  vi.clearAllMocks();
   await RedisManager.reset();
+  vi.clearAllMocks();
 });
 
 describe('RedisManager', () => {
@@ -47,14 +28,14 @@ describe('RedisManager', () => {
     const config = {
       enabled: false,
       prefix: 'test',
-      provider: false,
-    } satisfies DisabledRedisConfig;
+      tls: false,
+      url: '',
+    } satisfies RedisConfig;
 
     const instance = await initializeRedis(config);
 
     expect(instance).toBeNull();
     expect(mockIoRedisInitialize).not.toHaveBeenCalled();
-    expect(mockUpstashInitialize).not.toHaveBeenCalled();
   });
 
   it('initializes ioredis provider once and memoizes the instance', async () => {
@@ -63,41 +44,24 @@ describe('RedisManager', () => {
       enabled: true,
       password: 'pwd',
       prefix: 'test',
-      provider: 'redis' as const,
       tls: false,
       url: 'redis://localhost:6379',
       username: 'user',
-    };
+    } satisfies RedisConfig;
+
     const [first, second] = await Promise.all([initializeRedis(config), initializeRedis(config)]);
 
     expect(first).toBe(second);
     expect(mockIoRedisInitialize).toHaveBeenCalledTimes(1);
-    expect(mockUpstashInitialize).not.toHaveBeenCalled();
-  });
-
-  it('initializes upstash provider when configured', async () => {
-    const config = {
-      enabled: true,
-      prefix: 'test',
-      provider: 'upstash' as const,
-      token: 'token',
-      url: 'https://example.upstash.io',
-    };
-    const instance = await initializeRedis(config);
-
-    expect(instance?.provider).toBe('upstash');
-    expect(mockUpstashInitialize).toHaveBeenCalledTimes(1);
-    expect(mockIoRedisInitialize).not.toHaveBeenCalled();
   });
 
   it('disconnects existing provider on reset', async () => {
     const config = {
       enabled: true,
       prefix: 'test',
-      provider: 'redis' as const,
       tls: false,
       url: 'redis://localhost:6379',
-    };
+    } satisfies RedisConfig;
 
     await initializeRedis(config);
     await resetRedisClient();

package/src/libs/redis/manager.ts

@@ -1,32 +1,18 @@
 import { IoRedisRedisProvider } from './redis';
 import { type BaseRedisProvider, type RedisConfig } from './types';
-import { UpstashRedisProvider } from './upstash';
 
 /**
  * Create a Redis provider instance based on config
  *
  * @param config - Redis config
  * @param prefix - Optional custom prefix to override config.prefix
- * @returns Provider instance or null if disabled/unsupported
+ * @returns Provider instance or null if disabled
  */
 const createProvider = (config: RedisConfig, prefix?: string): BaseRedisProvider | null => {
   if (!config.enabled) return null;
 
   const actualPrefix = prefix ?? config.prefix;
-
-  if (config.provider === 'redis') {
-    return new IoRedisRedisProvider({ ...config, prefix: actualPrefix });
-  }
-
-  if (config.provider === 'upstash') {
-    return new UpstashRedisProvider({
-      prefix: actualPrefix,
-      token: config.token,
-      url: config.url,
-    });
-  }
-
-  return null;
+  return new IoRedisRedisProvider({ ...config, prefix: actualPrefix });
 };
 
 class RedisManager {

package/src/libs/redis/redis.test.ts

@@ -1,8 +1,8 @@
 import { afterEach, describe, expect, it, vi } from 'vitest';
 
-import { IoRedisConfig } from './types';
+import { RedisConfig } from './types';
 
-const buildRedisConfig = (): IoRedisConfig | null => {
+const buildRedisConfig = (): RedisConfig | null => {
   const url = process.env.REDIS_URL;
 
   if (!url) return null;
@@ -14,7 +14,6 @@ const buildRedisConfig = (): IoRedisConfig | null => {
     enabled: true,
     password: process.env.REDIS_PASSWORD,
     prefix: process.env.REDIS_PREFIX ?? 'lobe-chat-test',
-    provider: 'redis',
     tls: process.env.REDIS_TLS === 'true',
     url,
     username: process.env.REDIS_USERNAME,
@@ -79,7 +78,6 @@ const createMockedProvider = async () => {
   const provider = new IoRedisRedisProvider({
     enabled: true,
     prefix: 'mock',
-    provider: 'redis',
     tls: false,
     url: 'redis://localhost:6379',
   });

package/src/libs/redis/redis.ts

@@ -3,10 +3,9 @@ import type { Redis } from 'ioredis';
 
 import {
   type BaseRedisProvider,
-  type IoRedisConfig,
+  type RedisConfig,
   type RedisKey,
   type RedisMSetArgument,
-  type RedisProviderName,
   type RedisSetResult,
   type RedisValue,
   type SetOptions,
@@ -16,10 +15,9 @@ import { buildIORedisSetArgs, normalizeMsetValues } from './utils';
 const log = debug('lobe:redis');
 
 export class IoRedisRedisProvider implements BaseRedisProvider {
-  provider: RedisProviderName = 'redis';
   private client: Redis | null = null;
 
-  constructor(private config: IoRedisConfig) {}
+  constructor(private config: RedisConfig) {}
 
   async initialize() {
     const IORedis = await import('ioredis');

package/src/libs/redis/types.ts

@@ -1,35 +1,16 @@
 export type RedisKey = string | Buffer;
 export type RedisValue = string | Buffer | number;
-export type RedisProvider = false | 'redis' | 'upstash';
-export type RedisProviderName = Exclude<RedisProvider, false>;
 
-export type IoRedisConfig = {
+export type RedisConfig = {
   database?: number;
   enabled: boolean;
   password?: string;
   prefix: string;
-  provider: 'redis';
   tls: boolean;
   url: string;
   username?: string;
 };
 
-export type UpstashConfig = {
-  enabled: boolean;
-  prefix: string;
-  provider: 'upstash';
-  token: string;
-  url: string;
-};
-
-export type DisabledRedisConfig = {
-  enabled: false;
-  prefix: string;
-  provider: false;
-};
-
-export type RedisConfig = IoRedisConfig | UpstashConfig | DisabledRedisConfig;
-
 export interface SetOptions {
   ex?: number;
   exat?: number;
@@ -41,8 +22,7 @@ export interface SetOptions {
   xx?: boolean;
 }
 
-// NOTICE: number comes from upstash
-export type RedisSetResult = 'OK' | null | string | number;
+export type RedisSetResult = 'OK' | null | string;
 export type RedisMSetArgument = Record<string, RedisValue> | Map<RedisKey, RedisValue>;
 
 export interface RedisClient {
@@ -65,7 +45,5 @@ export interface RedisClient {
 
 export interface BaseRedisProvider extends RedisClient {
   disconnect(): Promise<void>;
-
   initialize(): Promise<void>;
-  provider: RedisProviderName;
 }

package/src/libs/redis/utils.test.ts

@@ -2,7 +2,6 @@ import { describe, expect, it } from 'vitest';
 
 import {
   buildIORedisSetArgs,
-  buildUpstashSetOptions,
   normalizeMsetValues,
   normalizeRedisKey,
   normalizeRedisKeys,
@@ -34,13 +33,4 @@ describe('redis utils', () => {
 
     expect(args).toEqual(['EX', 1, 'NX', 'GET']);
   });
-
-  it('builds upstash set options', () => {
-    expect(buildUpstashSetOptions()).toBeUndefined();
-    expect(buildUpstashSetOptions({ ex: 10, nx: true, get: true })).toEqual({
-      ex: 10,
-      nx: true,
-      get: true,
-    });
-  });
 });

package/src/libs/redis/utils.ts

@@ -1,5 +1,3 @@
-import type { SetCommandOptions } from '@upstash/redis';
-
 import { type RedisKey, type RedisMSetArgument, type RedisValue, type SetOptions } from './types';
 
 export const normalizeRedisKey = (key: RedisKey) =>
@@ -34,20 +32,3 @@ export const buildIORedisSetArgs = (options?: SetOptions): Array<string | number
 
   return args;
 };
-
-export const buildUpstashSetOptions = (options?: SetOptions): SetCommandOptions | undefined => {
-  if (!options) return undefined;
-
-  const mapped: Partial<SetCommandOptions> = {};
-
-  if (options.ex !== undefined) mapped.ex = options.ex;
-  if (options.px !== undefined) mapped.px = options.px;
-  if (options.exat !== undefined) mapped.exat = options.exat;
-  if (options.pxat !== undefined) mapped.pxat = options.pxat;
-  if (options.keepTtl) mapped.keepTtl = true;
-  if (options.nx) mapped.nx = true;
-  if (options.xx) mapped.xx = true;
-  if (options.get) mapped.get = true;
-
-  return Object.keys(mapped).length ? (mapped as SetCommandOptions) : undefined;
-};

package/src/libs/trpc/lambda/context.test.ts

@@ -9,7 +9,6 @@ describe('createContextInner', () => {
     expect(context).toMatchObject({
       authorizationHeader: undefined,
       marketAccessToken: undefined,
-      nextAuth: undefined,
       oidcAuth: undefined,
       userAgent: undefined,
       userId: undefined,
@@ -58,18 +57,6 @@ describe('createContextInner', () => {
     expect(context.oidcAuth).toEqual(oidcAuth);
   });
 
-  it('should create context with NextAuth user data', async () => {
-    const nextAuth = {
-      id: 'next-auth-user-id',
-      name: 'Test User',
-      email: 'test@example.com',
-    };
-
-    const context = await createContextInner({ nextAuth });
-
-    expect(context.nextAuth).toEqual(nextAuth);
-  });
-
   it('should create context with all parameters combined', async () => {
     const params = {
       authorizationHeader: 'Bearer token',