@lobehub/lobehub 2.0.13 → 2.1.1

package/docker-compose/setup.sh

@@ -263,10 +263,10 @@ show_message() {
         tips_allow_ports)
             case $LANGUAGE in
                 zh_CN)
-                    echo "请确保服务器以下端口未被占用且能被访问：3210, 9000, 9001, 8000"
+                    echo "请确保服务器以下端口未被占用且能被访问：3210, 9000, 9001"
                 ;;
                 *)
-                    echo "Please make sure the following ports on the server are not occupied and can be accessed: 3210, 9000, 9001, 8000"
+                    echo "Please make sure the following ports on the server are not occupied and can be accessed: 3210, 9000, 9001"
                 ;;
             esac
         ;;
@@ -315,12 +315,10 @@ show_message() {
         tips_init_database_failed)
             case $LANGUAGE in
                 zh_CN)
-                    echo "无法初始化数据库，为了避免你的数据重复初始化，请在首次成功启动时运行以下指令清空 Casdoor 初始配置文件："
-                    echo "echo '{}' > init_data.json"
+                    echo "无法初始化数据库"
                 ;;
                 *)
-                    echo "Failed to initialize the database. To avoid your data being initialized repeatedly, run the following command to unmount the initial configuration file of Casdoor when you first start successfully:"
-                    echo "echo '{}' > init_data.json"
+                    echo "Failed to initialize the database."
                 ;;
             esac
         ;;
@@ -338,7 +336,7 @@ show_message() {
             case $LANGUAGE in
                 zh_CN)
                     echo "请选择部署模式："
-                    echo "(0) 域名模式（访问时无需指明端口），需要使用反向代理服务 LobeHub, RustFS, Casdoor ，并分别分配一个域名；"
+                    echo "(0) 域名模式（访问时无需指明端口），需要使用反向代理服务 LobeHub, RustFS，并分别分配一个域名；"
                     echo "(1) 端口模式（访问时需要指明端口，如使用IP访问，或域名+端口访问），需要放开指定端口；"
                     echo "(2) 本地模式（仅供本地测试使用）"
                     echo "如果你对这些内容疑惑，可以先选择使用本地模式进行部署，稍后根据文档指引再进行修改。"
@@ -346,7 +344,7 @@ show_message() {
                 ;;
                 *)
                     echo "Please select the deployment mode:"
-                    echo "(0) Domain mode (no need to specify the port when accessing), you need to use the reverse proxy service LobeHub, RustFS, Casdoor, and assign a domain name respectively;"
+                    echo "(0) Domain mode (no need to specify the port when accessing), you need to use the reverse proxy service LobeHub, RustFS, and assign a domain name respectively;"
                     echo "(1) Port mode (need to specify the port when accessing, such as using IP access, or domain name + port access), you need to open the specified port;"
                     echo "(2) Local mode (for local testing only)"
                     echo "If you are confused about these contents, you can choose to deploy in local mode first, and then modify according to the document guide later."
@@ -408,31 +406,33 @@ download_file() {
 }
 
 print_centered() {
-    # Define colors
-    declare -A colors
-    colors=(
-        [black]="\e[30m"
-        [red]="\e[31m"
-        [green]="\e[32m"
-        [yellow]="\e[33m"
-        [blue]="\e[34m"
-        [magenta]="\e[35m"
-        [cyan]="\e[36m"
-        [white]="\e[37m"
-        [reset]="\e[0m"
-    )
     local text="$1"                                   # Get input texts
     local color="${2:-reset}"                         # Get color, default to reset
     local term_width=$(tput cols)                     # Get terminal width
     local text_length=${#text}                        # Get text length
     local padding=$(((term_width - text_length) / 2)) # Get padding
-    # Check if the color is valid
-    if [[ -z "${colors[$color]}" ]]; then
-        echo "Invalid color specified. Available colors: ${!colors[@]}"
-        return 1
-    fi
+
+    # Get color code (compatible with bash 3.x)
+    local color_code=""
+    local reset_code="\e[0m"
+    case "$color" in
+        black)   color_code="\e[30m" ;;
+        red)     color_code="\e[31m" ;;
+        green)   color_code="\e[32m" ;;
+        yellow)  color_code="\e[33m" ;;
+        blue)    color_code="\e[34m" ;;
+        magenta) color_code="\e[35m" ;;
+        cyan)    color_code="\e[36m" ;;
+        white)   color_code="\e[37m" ;;
+        reset)   color_code="\e[0m" ;;
+        *)
+            echo "Invalid color specified. Available colors: black red green yellow blue magenta cyan white reset"
+            return 1
+        ;;
+    esac
+
     # Print the text with padding
-    printf "%*s${colors[$color]}%s${colors[reset]}\n" $padding "" "$text"
+    printf "%*s${color_code}%s${reset_code}\n" $padding "" "$text"
 }
 
 # Usage:
@@ -469,10 +469,9 @@ ask() {
 # == Variables ==
 # ===============
 # File list
-SUB_DIR="docker-compose/local"
+SUB_DIR="docker-compose/deploy"
 FILES=(
     "$SUB_DIR/docker-compose.yml"
-    "$SUB_DIR/init_data.json"
     "$SUB_DIR/searxng-settings.yml"
     "$SUB_DIR/bucket.config.json"
 )
@@ -481,10 +480,7 @@ ENV_EXAMPLES=(
     "$SUB_DIR/.env.example"
 )
 # Default values
-CASDOOR_PASSWORD="pswd123"
-CASDOOR_SECRET="CASDOOR_SECRET"
 RUSTFS_SECRET_KEY="YOUR_RUSTFS_PASSWORD"
-CASDOOR_HOST="localhost:8000"
 RUSTFS_HOST="localhost:9000"
 PROTOCOL="http"
 
@@ -514,9 +510,8 @@ section_download_files(){
     fi
     
     download_file "$SOURCE_URL/${FILES[0]}" "docker-compose.yml"
-    download_file "$SOURCE_URL/${FILES[1]}" "init_data.json"
-    download_file "$SOURCE_URL/${FILES[2]}" "searxng-settings.yml"
-    download_file "$SOURCE_URL/${FILES[3]}" "bucket.config.json"
+    download_file "$SOURCE_URL/${FILES[1]}" "searxng-settings.yml"
+    download_file "$SOURCE_URL/${FILES[2]}" "bucket.config.json"
     # Download .env.example with the specified language
     if [ "$LANGUAGE" = "zh_CN" ]; then
         download_file "$SOURCE_URL/${ENV_EXAMPLES[0]}" ".env"
@@ -576,15 +571,10 @@ section_configurate_host() {
             echo "LobeHub" $(show_message "ask_domain" "example.com")
             ask "(example.com)"
             LOBE_HOST="$ask_result"
-            # If user use domain mode, ask for the domain of RustFS and Casdoor
+            # If user use domain mode, ask for the domain of RustFS
             echo "RustFS S3 API" $(show_message "ask_domain" "s3.example.com")
             ask "(s3.example.com)"
             RUSTFS_HOST="$ask_result"
-            echo "Casdoor API" $(show_message "ask_domain" "auth.example.com")
-            ask "(auth.example.com)"
-            CASDOOR_HOST="$ask_result"
-            # Setup callback url for Casdoor
-            sed "${SED_INPLACE_ARGS[@]}" "s/"example.com"/${LOBE_HOST}/" init_data.json
         ;;
         1)
             DEPLOY_MODE="ip"
@@ -595,21 +585,15 @@ section_configurate_host() {
             # If user use ip mode, append the port to the host
             LOBE_HOST="${HOST}:3210"
             RUSTFS_HOST="${HOST}:9000"
-            CASDOOR_HOST="${HOST}:8000"
-            # Setup callback url for Casdoor
-            sed "${SED_INPLACE_ARGS[@]}" "s/"localhost:3210"/${LOBE_HOST}/" init_data.json
         ;;
         *)
             echo "Invalid deploy mode: $ask_result"
             exit 1
         ;;
     esac
-    
+
     # lobe host
     sed "${SED_INPLACE_ARGS[@]}" "s#^APP_URL=.*#APP_URL=$PROTOCOL://$LOBE_HOST#" .env
-    # auth related
-    sed "${SED_INPLACE_ARGS[@]}" "s#^AUTH_CASDOOR_ISSUER=.*#AUTH_CASDOOR_ISSUER=$PROTOCOL://$CASDOOR_HOST#" .env
-    sed "${SED_INPLACE_ARGS[@]}" "s#^origin=.*#origin=$PROTOCOL://$CASDOOR_HOST#" .env
     # s3 related
     sed "${SED_INPLACE_ARGS[@]}" "s#^S3_PUBLIC_DOMAIN=.*#S3_PUBLIC_DOMAIN=$PROTOCOL://$RUSTFS_HOST#" .env
     sed "${SED_INPLACE_ARGS[@]}" "s#^S3_ENDPOINT=.*#S3_ENDPOINT=$PROTOCOL://$RUSTFS_HOST#" .env
@@ -664,37 +648,7 @@ section_regenerate_secrets() {
         exit 1
     fi
     echo $(show_message "security_secrect_regenerate")
-    
-    # Generate CASDOOR_SECRET
-    CASDOOR_SECRET=$(generate_key 32)
-    if [ $? -ne 0 ]; then
-        echo $(show_message "security_secrect_regenerate_failed") "CASDOOR_SECRET"
-    else
-        # Search and replace the value of CASDOOR_SECRET in .env
-        sed "${SED_INPLACE_ARGS[@]}" "s#^AUTH_CASDOOR_SECRET=.*#AUTH_CASDOOR_SECRET=${CASDOOR_SECRET}#" .env
-        if [ $? -ne 0 ]; then
-            echo $(show_message "security_secrect_regenerate_failed") "AUTH_CASDOOR_SECRET in \`.env\`"
-        fi
-        # replace `clientSecrect` in init_data.json
-        sed "${SED_INPLACE_ARGS[@]}" "s#dbf205949d704de81b0b5b3603174e23fbecc354#${CASDOOR_SECRET}#" init_data.json
-        if [ $? -ne 0 ]; then
-            echo $(show_message "security_secrect_regenerate_failed") "AUTH_CASDOOR_SECRET in \`init_data.json\`"
-        fi
-    fi
-    
-    # Generate Casdoor User
-    CASDOOR_USER="admin"
-    CASDOOR_PASSWORD=$(generate_key 10)
-    if [ $? -ne 0 ]; then
-        echo $(show_message "security_secrect_regenerate_failed") "CASDOOR_PASSWORD"
-        CASDOOR_PASSWORD="pswd123"
-    else
-        # replace `password` in init_data.json
-        sed "${SED_INPLACE_ARGS[@]}" "s/"pswd123"/${CASDOOR_PASSWORD}/" init_data.json
-        if [ $? -ne 0 ]; then
-            echo $(show_message "security_secrect_regenerate_failed") "CASDOOR_PASSWORD in \`init_data.json\`"
-        fi
-    fi
+
     # Generate RUSTFS S3 User Password
     RUSTFS_SECRET_KEY=$(generate_key 8)
     if [ $? -ne 0 ]; then
@@ -735,13 +689,10 @@ section_init_database() {
     fi
 
     docker compose pull
-    docker compose up --detach postgresql casdoor
+    docker compose up --detach postgresql
     # hopefully enough time for even the slower systems
 	sleep 15
 	docker compose stop
-
-    # Init finished, remove init mount
-    echo '{}' > init_data.json
 }
 
 show_message "ask_init_database"
@@ -759,16 +710,14 @@ fi
 section_display_configurated_report() {
     # Display configuration reports
     echo $(show_message "security_secrect_regenerate_report")
-    
-    echo -e "LobeHub: \n  - URL: $PROTOCOL://$LOBE_HOST \n  - Username: user \n  - Password: ${CASDOOR_PASSWORD} "
-    echo -e "Casdoor: \n  - URL: $PROTOCOL://$CASDOOR_HOST \n  - Username: admin \n  - Password: ${CASDOOR_PASSWORD}\n"
+
+    echo -e "LobeHub: \n  - URL: $PROTOCOL://$LOBE_HOST"
     echo -e "RustFS: \n  - URL: $PROTOCOL://$RUSTFS_HOST \n  - Username: admin\n  - Password: ${RUSTFS_SECRET_KEY}\n"
-    
+
     # if user run in domain mode, diplay reverse proxy configuration
     if [[ "$DEPLOY_MODE" == "domain" ]]; then
         echo $(show_message "tips_add_reverse_proxy")
         printf "\n%s\t->\t%s\n" "$LOBE_HOST" "127.0.0.1:3210"
-        printf "%s\t->\t%s\n" "$CASDOOR_HOST" "127.0.0.1:8000"
         printf "%s\t->\t%s\n" "$RUSTFS_HOST" "127.0.0.1:9000"
     fi
 

package/docs/self-hosting/advanced/auth/providers/casdoor.mdx

@@ -81,6 +81,116 @@ tags:
   After successful deployment, users will be able to authenticate with Casdoor and use LobeChat.
 </Callout>
 
+## Docker Compose Deployment with Casdoor
+
+If you're deploying LobeHub using Docker Compose, refer to the following configuration to integrate Casdoor as an authentication service.
+
+### Reverse Proxy Configuration
+
+In domain mode, you need to configure a reverse proxy to ensure Casdoor is accessible:
+
+| Domain             | Proxy Port | Description     |
+| ------------------ | ---------- | --------------- |
+| `auth.example.com` | `8000`     | Casdoor service |
+
+<Callout type="important">
+  If you're using panel software like [aaPanel](https://www.bt.cn/) for reverse proxy configuration,
+  ensure it does not intercept requests to the `.well-known` path to facilitate the proper functioning of Casdoor's OAuth2 configuration.
+  Below is a whitelist configuration for the Nginx server block concerning paths for Casdoor reverse proxy:
+
+  ```nginx
+  location /.well-known/openid-configuration {
+    proxy_pass http://localhost:8000;  # Forward to localhost:8000
+    proxy_set_header Host $host;  # Keep the original host header
+    proxy_set_header X-Real-IP $remote_addr;  # Keep the client's real IP
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # Keep the forwarded IP
+    proxy_set_header X-Forwarded-Proto $scheme;  # Keep the request protocol
+  }
+  ```
+
+  ⚠️ Please do not enable any form of caching in the reverse proxy settings of such panel software to avoid affecting the normal operation of the service.
+  See [https://github.com/lobehub/lobe-chat/discussions/5986](https://github.com/lobehub/lobe-chat/discussions/5986)
+</Callout>
+
+### Required Configuration
+
+1. LobeHub needs to communicate with Casdoor, so you need to configure Casdoor's Issuer:
+
+```env
+AUTH_CASDOOR_ISSUER=https://auth.example.com
+```
+
+This configuration affects LobeHub's login authentication service. Ensure the Casdoor service URL is correct.
+
+2. Allow callback URL in Casdoor to point to LobeHub:
+
+In Casdoor's Web panel under `Authentication -> Applications` -> `<Application ID, default is app-built-in>` -> `Redirect URLs`, add:
+
+```
+https://lobe.example.com/api/auth/callback/casdoor
+```
+
+3. Casdoor needs Origin information in environment variables:
+
+```env
+origin=https://auth.example.com
+```
+
+### Troubleshooting
+
+#### Cannot Login Properly
+
+Check container logs for the following errors:
+
+```sh
+docker logs -f lobehub
+```
+
+**r3: "response" is not a conform Authorization Server Metadata response**
+
+```log
+lobehub      | [auth][error] r3: "response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)
+```
+
+Cause: This issue is typically caused by improper reverse proxy configuration. Ensure your reverse proxy doesn't intercept Casdoor's OAuth2 configuration requests.
+
+Solution:
+
+- Refer to the reverse proxy configuration notes above.
+
+- Direct troubleshooting: Access `https://auth.example.com/.well-known/openid-configuration`:
+  - If non-JSON data is returned, your reverse proxy configuration is incorrect.
+  - If the returned JSON's `"issuer": "URL"` field doesn't match `https://auth.example.com`, your environment variable configuration is incorrect.
+
+**TypeError: fetch failed**
+
+```log
+lobehub      | [auth][error] TypeError: fetch failed
+```
+
+Cause: LobeHub cannot access the authentication service.
+
+Solution:
+
+- Check if your authentication service is running properly and if LobeHub's network can reach it.
+
+- Direct troubleshooting: Use `curl` in the LobeHub container terminal to access `https://auth.example.com/.well-known/openid-configuration`. If JSON data is returned, your authentication service is working correctly.
+
+#### OAuth Token Exchange Failures with Reverse Proxy
+
+If OAuth authentication fails during the token exchange phase when using Docker behind a reverse proxy, this is typically caused by the default `MIDDLEWARE_REWRITE_THROUGH_LOCAL=1` setting.
+
+**Solution**: Set `MIDDLEWARE_REWRITE_THROUGH_LOCAL=0` in your `.env` file and restart Docker containers:
+
+```bash
+docker compose down
+docker compose up -d
+```
+
+### Docker Compose Configuration Files
+
+Casdoor Docker Compose configuration files can be found in the [docker-compose/local/casdoor](https://github.com/lobehub/lobe-chat/tree/main/docker-compose/local/casdoor) directory.
+
 ## Related Resources
 
 - [Casdoor Documentation](https://casdoor.org/docs/overview)

package/docs/self-hosting/advanced/auth/providers/casdoor.zh-CN.mdx

@@ -77,6 +77,171 @@ tags:
 
 <Callout type={'info'}>部署成功后，用户将可以通过 Casdoor 身份认证并使用 LobeChat。</Callout>
 
+## Docker Compose 部署 Casdoor
+
+如果你使用 Docker Compose 部署 LobeHub，可以参考以下配置来集成 Casdoor 作为鉴权服务。
+
+### 反向代理配置
+
+在域名模式中，你需要完成反向代理配置，并确保局域网 / 公网能访问到 Casdoor 服务：
+
+| 域名                 | 反代端口   | 说明         |
+| ------------------ | ------ | ---------- |
+| `auth.example.com` | `8000` | Casdoor 服务 |
+
+<Callout type="important">
+  如果你使用如 [宝塔面板](https://www.bt.cn/) 等面板软件进行反向代理配置，
+  你需要确保其对 `.well-known` 路径的请求不进行拦截，以确保 Casdoor 的 OAuth2 配置能够正常工作。
+  这里提供一份针对 Casdoor 服务的 Nginx server 块的路径白名单配置：
+
+  ```nginx
+  location /.well-known/openid-configuration {
+    proxy_pass http://localhost:8000;  # 转发到 localhost:8000
+    proxy_set_header Host $host;  # 保留原始主机头
+    proxy_set_header X-Real-IP $remote_addr;  # 保留客户端真实IP
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # 保留转发的IP
+    proxy_set_header X-Forwarded-Proto $scheme;  # 保留请求协议
+  }
+  ```
+
+  ⚠️ 请不要在此类面板软件的反向代理设置中开启任何形式的缓存，以免影响服务的正常运行。
+  详情请见 [https://github.com/lobehub/lobe-chat/discussions/5986](https://github.com/lobehub/lobe-chat/discussions/5986)
+</Callout>
+
+### 必要配置
+
+1. LobeHub 需要与 Casdoor 通讯，因此你需要配置 Casdoor 的 Issuer：
+
+```env
+AUTH_CASDOOR_ISSUER=https://auth.example.com
+```
+
+该配置会影响 LobeHub 的登录鉴权服务，你需要确保 Casdoor 服务的地址正确。
+
+2. 在 Casdoor 中允许回调地址为 LobeHub 的地址：
+
+请在 Casdoor 的 Web 面板的 `身份认证 -> 应用` -> `<应用ID，默认为 app-built-in>` -> `重定向URL` 中添加一行：
+
+```
+https://lobe.example.com/api/auth/callback/casdoor
+```
+
+3. Casdoor 需要在环境变量中提供访问的 Origin 信息：
+
+```env
+origin=https://auth.example.com
+```
+
+### 使用 MinIO 存储 Casdoor 头像
+
+允许用户在 Casdoor 中更换头像：
+
+1. 你需要首先在 `buckets` 中创建一个名为 `casdoor` 的桶，选择自定义策略，复制并粘贴如下内容：
+
+   ```json
+   {
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": ["*"]
+         },
+         "Action": ["s3:GetBucketLocation"],
+         "Resource": ["arn:aws:s3:::casdoor"]
+       },
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": ["*"]
+         },
+         "Action": ["s3:ListBucket"],
+         "Resource": ["arn:aws:s3:::casdoor"],
+         "Condition": {
+           "StringEquals": {
+             "s3:prefix": ["files/*"]
+           }
+         }
+       },
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": ["*"]
+         },
+         "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"],
+         "Resource": ["arn:aws:s3:::casdoor/**"]
+       }
+     ],
+     "Version": "2012-10-17"
+   }
+   ```
+
+2. 创建一个新的访问密钥，将生成的 `Access Key` 和 `Secret Key` 存储之
+
+3. 在 Casdoor 的 `身份认证 -> 提供商` 中关联 MinIO S3 服务，以下是一个示例配置：
+
+   ![casdoor](/blog/assets18bb134dbc5792d6a624199cca8bf7d3.webp)
+
+   其中，客户端 ID、客户端密钥为上一步创建的访问密钥中的 `Access Key` 和 `Secret Key`，`192.168.31.251` 应当被替换为 `your_server_ip`。
+
+4. 在 Casdoor 的 `身份认证 -> 应用` 中，对 `app-built-in` 应用添加提供商，选择 `minio`，保存并退出
+
+5. 你可以在 Casdoor 的 `身份认证 -> 资源` 中，尝试上传文件以测试配置是否正确
+
+### 常见问题
+
+#### 无法正常登陆
+
+请根据容器日志检查是否存在以下错误：
+
+```sh
+docker logs -f lobe-chat
+```
+
+**r3: "response" is not a conform Authorization Server Metadata response**
+
+```log
+lobe-chat      | [auth][error] r3: "response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)
+```
+
+成因：该问题一般是由于你的反向代理配置不正确导致的，你需要确保你的反向代理配置不会拦截 Casdoor 的 OAuth2 配置请求。
+
+解决方案：
+
+- 请参考上方的反向代理配置注意事项。
+
+- 一个直接的排查方式，你可以直接访问 `https://auth.example.com/.well-known/openid-configuration`，如果：
+  - 返回了非 JSON 格式的数据，则说明你的反向代理配置错误。
+  - 如果返回的 JSON 格式数据中的 `"issuer": "URL"` 字段不是你配置的 `https://auth.example.com`，则说明你的环境变量配置错误。
+
+**TypeError: fetch failed**
+
+```log
+lobe-chat      | [auth][error] TypeError: fetch failed
+```
+
+成因：LobeHub 无法访问鉴权服务。
+
+解决方案：
+
+- 请检查你的鉴权服务是否正常运行，以及 LobeHub 所在的网络是否能够访问到鉴权服务。
+
+- 一个直接的排查方式，你可以在 LobeHub 容器的终端中，使用 `curl` 命令访问你的鉴权服务 `https://auth.example.com/.well-known/openid-configuration`，如果返回了 JSON 格式的数据，则说明你的鉴权服务正常运行。
+
+#### 反向代理下 OAuth 令牌交换失败
+
+如果在反向代理后使用 Docker 时 OAuth 认证在令牌交换阶段失败，这通常是由默认的 `MIDDLEWARE_REWRITE_THROUGH_LOCAL=1` 设置引起的，该设置会将 URL 重写为 `127.0.0.1:3210`。
+
+**解决方案**: 在 `.env` 文件中设置 `MIDDLEWARE_REWRITE_THROUGH_LOCAL=0` 并重启 Docker 容器：
+
+```bash
+docker compose down
+docker compose up -d
+```
+
+### Docker Compose 配置文件
+
+Casdoor 的 Docker Compose 配置文件可以在 [docker-compose/local/casdoor](https://github.com/lobehub/lobe-chat/tree/main/docker-compose/local/casdoor) 目录中找到。
+
 ## 相关资源
 
 - [Casdoor 文档](https://casdoor.org/docs/overview)