@nocobase/plugin-auth 1.7.0-beta.9 → 1.8.0-alpha.1

package/dist/locale/nl-NL.json

@@ -1,33 +1,67 @@
 {
-    "Auth Type": "Authenticatietype",
-    "Authenticators": "Authenticators",
-    "Authentication": "Authenticatie",
-    "Sign in via email": "Inloggen via e-mail",
-    "Sign in via password": "Inloggen via wachtwoord",
-    "Not allowed to sign up": "Aanmelden is niet toegestaan",
-    "Allow to sign up": "Toestaan om je aan te melden",
-    "The username or email is incorrect, please re-enter": "De gebruikersnaam of e-mail is incorrect, probeer het opnieuw",
-    "The password is incorrect, please re-enter": "Het wachtwoord is incorrect, probeer het opnieuw",
-    "Not a valid cellphone number, please re-enter": "Geen geldig telefoonnummer, probeer opnieuw in te voeren",
-    "The phone number has been registered, please login directly": "Het telefoonnummer is al geregistreerd, log direct in",
-    "The phone number is not registered, please register first": "Het telefoonnummer is niet geregistreerd, registreer eerst",
-    "Please keep and enable at least one authenticator": "Houd minstens één authenticator ingeschakeld",
-    "Allow to sign in with": "Toestaan om in te loggen met",
-    "Please enter a valid username": "Voer een geldige gebruikersnaam in",
-    "Please enter a valid email": "Voer een geldig e-mailadres in",
-    "Please enter your username or email": "Voer je gebruikersnaam of e-mailadres in",
-    "Please enter a password": "Voer een wachtwoord in",
-    "Username/Email": "Gebruikersnaam/E-mail",
-    "Auth UID": "Auth UID",
-    "The authentication allows users to sign in via username or email.": "De authenticatie staat gebruikers toe in te loggen via gebruikersnaam of e-mail.",
-    "No authentication methods available.": "Geen authenticatiemethoden beschikbaar.",
-    "The password is inconsistent, please re-enter": "Het wachtwoord is inconsistent, probeer het opnieuw",
-    "Sign-in": "Inloggen",
-    "Password": "Wachtwoord",
-    "The username/email or password is incorrect, please re-enter": "De gebruikersnaam/e-mail of het wachtwoord is incorrect, probeer het opnieuw",
-    "Show": "Toon",
-    "Sign up settings": "Aanmeldinstellingen",
-    "Sign up form": "Aanmeldformulier",
-    "At least one of the username or email fields is required": "Ten minste één van de velden voor gebruikersnaam of e-mail is verplicht",
-    "Password is not allowed to be changed": "Wachtwoord mag niet worden gewijzigd"
+  "Auth Type": "Authenticatietype",
+  "Authenticators": "Authenticators",
+  "Authentication": "Authenticatie",
+  "Sign in via email": "Inloggen via e-mail",
+  "Sign in via password": "Inloggen via wachtwoord",
+  "Not allowed to sign up": "Aanmelden is niet toegestaan",
+  "Allow to sign up": "Toestaan om je aan te melden",
+  "The username or email is incorrect, please re-enter": "De gebruikersnaam of e-mail is incorrect, probeer het opnieuw",
+  "The password is incorrect, please re-enter": "Het wachtwoord is incorrect, probeer het opnieuw",
+  "Not a valid cellphone number, please re-enter": "Geen geldig telefoonnummer, probeer opnieuw in te voeren",
+  "The phone number has been registered, please login directly": "Het telefoonnummer is al geregistreerd, log direct in",
+  "The phone number is not registered, please register first": "Het telefoonnummer is niet geregistreerd, registreer eerst",
+  "Please keep and enable at least one authenticator": "Houd minstens één authenticator ingeschakeld",
+  "Allow to sign in with": "Toestaan om in te loggen met",
+  "Please enter a valid username": "Voer een geldige gebruikersnaam in",
+  "Please enter a valid email": "Voer een geldig e-mailadres in",
+  "Please enter your username or email": "Voer je gebruikersnaam of e-mailadres in",
+  "Please enter a password": "Voer een wachtwoord in",
+  "Username/Email": "Gebruikersnaam/E-mail",
+  "Auth UID": "Auth UID",
+  "The authentication allows users to sign in via username or email.": "De authenticatie staat gebruikers toe in te loggen via gebruikersnaam of e-mail.",
+  "No authentication methods available.": "Geen authenticatiemethoden beschikbaar.",
+  "The password is inconsistent, please re-enter": "Het wachtwoord is inconsistent, probeer het opnieuw",
+  "Sign-in": "Inloggen",
+  "Password": "Wachtwoord",
+  "The username/email or password is incorrect, please re-enter": "De gebruikersnaam/e-mail of het wachtwoord is incorrect, probeer het opnieuw",
+  "Show": "Toon",
+  "Sign up settings": "Aanmeldinstellingen",
+  "Sign up form": "Aanmeldformulier",
+  "At least one of the username or email fields is required": "Ten minste één van de velden voor gebruikersnaam of e-mail is verplicht",
+  "Password is not allowed to be changed": "Wachtwoord mag niet worden gewijzigd",
+  "Email channel not found": "E-mailkanaal niet gevonden",
+  "Notification manager plugin not found": "Notificatiebeheer-plugin niet gevonden",
+  "Not allowed to reset password": "Wachtwoord resetten niet toegestaan",
+  "Token expired": "Token verlopen",
+  "User not found": "Gebruiker niet gevonden",
+  "Forgot password": "Wachtwoord vergeten",
+  "Please enter your email": "Voer je e-mailadres",
+  "Reset password": "Wachtwoord opnieuw instellen",
+  "Back to login": "Terug naar inloggen",
+  "Send reset email": "Stuur reset e-mail",
+  "Reset link has expired": "Resetlink is verlopen",
+  "Go to login": "Ga naar inloggen",
+  "Please enter new password": "Voer een nieuw wachtwoord in",
+  "Please enter the same password again": "Voer hetzelfde wachtwoord opnieuw in",
+  "The passwords entered twice are inconsistent": "De twee ingevoerde wachtwoorden zijn inconsistent",
+  "Password reset successful": "Wachtwoord opnieuw instellen succesvol",
+  "Enable forget password": "Vergeet wachtwoord functie inschakelen",
+  "Notification channel (Email)": "Notificatiekanaal (E-mail)",
+  "Subject": "Onderwerp",
+  "Content type": "Contenttype",
+  "Plain text": "Gewone tekst",
+  "defaultResetPasswordEmailSubject": "Stel uw wachtwoord opnieuw in voor {{$systemSettings.title}}",
+  "defaultResetPasswordEmailContentHTML": "<p>Hallo {{$user.username}},</p>\n\n<p>We hebben een verzoek ontvangen om het wachtwoord voor uw {{$systemSettings.title}}-account opnieuw in te stellen.</p>\n\n<p>Klik op de onderstaande link om uw nieuwe wachtwoord in te stellen:</p>\n\n<p>\n  <a href=\"{{$resetLink}}\">Stel uw wachtwoord opnieuw in</a>\n</p>\n\n<p>\n  Als u geen wachtwoordreset heeft aangevraagd, negeer dan deze e-mail. Uw wachtwoord blijft ongewijzigd.\n</p>\n\n<p>\n  Let op: Voor uw veiligheid verloopt deze wachtwoordresetlink over <strong>{{$resetLinkExpiration}} minuten</strong>.\n</p>\n\n<p>Als u problemen ondervindt bij het opnieuw instellen van uw wachtwoord, neem dan contact op met ons ondersteuningsteam.</p>\n\n<p>\n  Bedankt,<br>\n  Het {{$systemSettings.title}} Team\n</p>",
+  "defaultResetPasswordEmailContentText": "Hallo {{$user.username}},\n\nWe hebben een verzoek ontvangen om het wachtwoord voor uw {{$systemSettings.title}}-account opnieuw in te stellen.\n\nKlik op de onderstaande link om uw nieuwe wachtwoord in te stellen:\n\n{{$resetLink}}\n\nAls u geen wachtwoordreset heeft aangevraagd, negeer dan deze e-mail. Uw wachtwoord blijft ongewijzigd.\n\nLet op: Voor uw veiligheid verloopt deze wachtwoordresetlink over {{$resetLinkExpiration}} minuten.\n\nAls u problemen ondervindt bij het opnieuw instellen van uw wachtwoord, neem dan contact op met ons ondersteuningsteam.\n\nBedankt, Het {{$systemSettings.title}} Team",
+  "No notification channels found. Please ": "Geen meldingskanalen gevonden. Gelieve ",
+  "add one first": "een toe te voegen",
+  "Reset password email": "Wachtwoord opnieuw instellen e-mail",
+  "1. Select notification channel": "1. Selecteer meldingskanaal",
+  "2. Configure reset email": "2. Configureer reset e-mail",
+  "The notification channel used to send the reset password email, only support email channel": "Het notificatiekanaal dat wordt gebruikt om de e-mail voor het opnieuw instellen van het wachtwoord te verzenden, ondersteunt alleen het e-mailkanaal",
+  "Reset link expiration (minutes)": "Verloop van de resetlink (minuten)",
+  "Reset password link": "Wachtwoord opnieuw instellen link",
+  "Missing X-Authenticator in request header": "Ontbrekende X-Authenticator in de aanvraagheader",
+  "Reset email sent successfully": "Reset e-mail succesvol verzonden"
 }

package/dist/locale/zh-CN.json

@@ -45,5 +45,39 @@
   "The maximum time limit allowed for refreshing a Token after it expires. After this time limit, the token cannot be automatically renewed, and the user needs to log in again.": "Token 过期后允许刷新的最大时限，超过此时限后，Token 无法自动更新，用户需重新登录。",
   "Your session has expired. Please sign in again.": "您的会话已过期，请重新登录。",
   "Unauthenticated. Please sign in to continue.": "未认证。请登录以继续。",
-  "User not found. Please sign in again to continue.": "用户不存在。请重新登录以继续。"
+  "User not found. Please sign in again to continue.": "用户不存在。请重新登录以继续。",
+  "Email channel not found": "未找到邮件通道",
+  "Notification manager plugin not found": "未找到通知管理插件",
+  "Not allowed to reset password": "不允许重置密码",
+  "Token expired": "令牌已过期",
+  "User not found": "未找到用户",
+  "Forgot password": "忘记密码",
+  "Please enter your email": "请输入您的邮箱",
+  "Reset password": "重置密码",
+  "Back to login": "返回登录",
+  "Send reset email": "发送重置邮件",
+  "Reset link has expired": "重置链接已过期",
+  "Go to login": "前往登录",
+  "Please enter new password": "请输入新密码",
+  "Please enter the same password again": "请再次输入相同的密码",
+  "The passwords entered twice are inconsistent": "两次输入的密码不一致",
+  "Password reset successful": "密码重置成功",
+  "Enable forget password": "启用忘记密码功能",
+  "Notification channel (Email)": "通知渠道（电子邮件）",
+  "Subject": "主题",
+  "Content type": "内容类型",
+  "Plain text": "普通文本",
+  "defaultResetPasswordEmailSubject": "重置您的 {{$systemSettings.title}} 密码",
+  "defaultResetPasswordEmailContentHTML": "<p>您好 {{$user.username}}，</p>\n\n<p>我们收到了重置您 {{$systemSettings.title}} 账户密码的请求。</p>\n\n<p>请点击下面的链接设置您的新密码：</p>\n\n<p>\n  <a href=\"{{$resetLink}}\">重置您的密码</a>\n</p>\n\n<p>\n  如果您没有请求重置密码，请忽略此邮件。您的密码将保持不变。\n</p>\n\n<p>\n  请注意：为了您的安全，此密码重置链接将在 <strong>{{$resetLinkExpiration}} 分钟</strong>后过期。\n</p>\n\n<p>如果您在重置密码时遇到任何问题，请联系我们的支持团队。</p>\n\n<p>\n  谢谢，<br>\n  {{$systemSettings.title}} 团队\n</p>",
+  "defaultResetPasswordEmailContentText": "您好 {{$user.username}}，\n\n我们收到了重置您 {{$systemSettings.title}} 账户密码的请求。\n\n请点击下面的链接设置您的新密码：\n\n{{$resetLink}}\n\n如果您没有请求重置密码，请忽略此邮件。您的密码将保持不变。\n\n请注意：为了您的安全，此密码重置链接将在 {{$resetLinkExpiration}} 分钟后过期。\n\n如果您在重置密码时遇到任何问题，请联系我们的支持团队。\n\n谢谢，{{$systemSettings.title}} 团队",
+  "No notification channels found. Please ": "未找到通知渠道，请",
+  "add one first": "先添加一个",
+  "Reset password email": "重置密码邮件",
+  "1. Select notification channel": "1. 选择通知渠道",
+  "2. Configure reset email": "2. 配置重置邮件",
+  "The notification channel used to send the reset password email, only support email channel": "发送重置密码邮件所使用的通知渠道，仅支持电子邮件通道",
+  "Reset link expiration (minutes)": "重置链接有效期（分钟）",
+  "Reset password link": "重置密码链接",
+  "Missing X-Authenticator in request header": "请求头中缺少了 X-Authenticator",
+  "Reset email sent successfully": "重置邮件发送成功"
 }

package/dist/node_modules/cron/package.json

@@ -1 +1 @@
-{"name":"cron","description":"Cron jobs for your node","version":"2.4.4","author":"Nick Campbell <nicholas.j.campbell@gmail.com> (https://github.com/ncb000gt)","bugs":{"url":"https://github.com/kelektiv/node-cron/issues"},"repository":{"type":"git","url":"https://github.com/kelektiv/node-cron.git"},"main":"lib/cron","scripts":{"lint":"eslint {lib,tests}/*.js","test":"jest --coverage","test:watch":"jest --watch --coverage","test:types":"tsd","prepare":"husky install","release":"semantic-release"},"types":"types/index.d.ts","dependencies":{"@types/luxon":"~3.3.0","luxon":"~3.3.0"},"devDependencies":{"@commitlint/cli":"~17.6.6","@insurgentlab/commitlint-config":"^18.1.0","@insurgentlab/conventional-changelog-preset":"~6.0.3","@semantic-release/changelog":"~6.0.x","@semantic-release/commit-analyzer":"~9.0.x","@semantic-release/git":"~10.0.x","@semantic-release/github":"~8.1.x","@semantic-release/npm":"~10.0.x","@semantic-release/release-notes-generator":"~11.0.x","chai":"~4.2.x","eslint":"~8.36.x","eslint-config-prettier":"^8.7.x","eslint-config-standard":"~17.0.x","eslint-plugin-import":"~2.27.x","eslint-plugin-jest":"~27.2.x","eslint-plugin-n":"~15.6.x","eslint-plugin-prettier":"~4.2.x","eslint-plugin-promise":"~6.1.x","husky":"^8.0.3","jest":"~29.5.x","prettier":"~2.8.x","semantic-release":"~21.0.x","sinon":"^15.0.x","tsd":"^0.28.1"},"keywords":["cron","node cron","node-cron","schedule","scheduler","cronjob","cron job"],"license":"MIT","contributors":["Brandon der Blätter <https://interlucid.com/contact/> (https://github.com/intcreator)","Romain Beauxis <toots@rastageeks.org> (https://github.com/toots)","James Padolsey <> (https://github.com/jamespadolsey)","Finn Herpich <fh@three-heads.de> (https://github.com/ErrorProne)","Clifton Cunningham <clifton.cunningham@gmail.com> (https://github.com/cliftonc)","Eric Abouaf <eric.abouaf@gmail.com> (https://github.com/neyric)","humanchimp <morphcham@gmail.com> (https://github.com/humanchimp)","Craig Condon <craig@spiceapps.com> (https://github.com/spiceapps)","Dan Bear <daniel@hulu.com> (https://github.com/danhbear)","Vadim Baryshev <vadimbaryshev@gmail.com> (https://github.com/baryshev)","Leandro Ferrari <lfthomaz@gmail.com> (https://github.com/lfthomaz)","Gregg Zigler <greggzigler@gmail.com> (https://github.com/greggzigler)","Jordan Abderrachid <jabderrachid@gmail.com> (https://github.com/jordanabderrachid)","Masakazu Matsushita <matsukaz@gmail.com> (matsukaz)","Christopher Lunt <me@kirisu.co.uk> (https://github.com/kirisu)"],"jest":{"collectCoverage":true,"collectCoverageFrom":["lib/*.js"],"coverageThreshold":{"global":{"statements":80,"branches":80,"functions":70,"lines":80}}},"files":["lib","types","CHANGELOG.md","LICENSE","README.md"],"_lastModified":"2025-03-25T05:43:14.322Z"}
+{"name":"cron","description":"Cron jobs for your node","version":"2.4.4","author":"Nick Campbell <nicholas.j.campbell@gmail.com> (https://github.com/ncb000gt)","bugs":{"url":"https://github.com/kelektiv/node-cron/issues"},"repository":{"type":"git","url":"https://github.com/kelektiv/node-cron.git"},"main":"lib/cron","scripts":{"lint":"eslint {lib,tests}/*.js","test":"jest --coverage","test:watch":"jest --watch --coverage","test:types":"tsd","prepare":"husky install","release":"semantic-release"},"types":"types/index.d.ts","dependencies":{"@types/luxon":"~3.3.0","luxon":"~3.3.0"},"devDependencies":{"@commitlint/cli":"~17.6.6","@insurgentlab/commitlint-config":"^18.1.0","@insurgentlab/conventional-changelog-preset":"~6.0.3","@semantic-release/changelog":"~6.0.x","@semantic-release/commit-analyzer":"~9.0.x","@semantic-release/git":"~10.0.x","@semantic-release/github":"~8.1.x","@semantic-release/npm":"~10.0.x","@semantic-release/release-notes-generator":"~11.0.x","chai":"~4.2.x","eslint":"~8.36.x","eslint-config-prettier":"^8.7.x","eslint-config-standard":"~17.0.x","eslint-plugin-import":"~2.27.x","eslint-plugin-jest":"~27.2.x","eslint-plugin-n":"~15.6.x","eslint-plugin-prettier":"~4.2.x","eslint-plugin-promise":"~6.1.x","husky":"^8.0.3","jest":"~29.5.x","prettier":"~2.8.x","semantic-release":"~21.0.x","sinon":"^15.0.x","tsd":"^0.28.1"},"keywords":["cron","node cron","node-cron","schedule","scheduler","cronjob","cron job"],"license":"MIT","contributors":["Brandon der Blätter <https://interlucid.com/contact/> (https://github.com/intcreator)","Romain Beauxis <toots@rastageeks.org> (https://github.com/toots)","James Padolsey <> (https://github.com/jamespadolsey)","Finn Herpich <fh@three-heads.de> (https://github.com/ErrorProne)","Clifton Cunningham <clifton.cunningham@gmail.com> (https://github.com/cliftonc)","Eric Abouaf <eric.abouaf@gmail.com> (https://github.com/neyric)","humanchimp <morphcham@gmail.com> (https://github.com/humanchimp)","Craig Condon <craig@spiceapps.com> (https://github.com/spiceapps)","Dan Bear <daniel@hulu.com> (https://github.com/danhbear)","Vadim Baryshev <vadimbaryshev@gmail.com> (https://github.com/baryshev)","Leandro Ferrari <lfthomaz@gmail.com> (https://github.com/lfthomaz)","Gregg Zigler <greggzigler@gmail.com> (https://github.com/greggzigler)","Jordan Abderrachid <jabderrachid@gmail.com> (https://github.com/jordanabderrachid)","Masakazu Matsushita <matsukaz@gmail.com> (matsukaz)","Christopher Lunt <me@kirisu.co.uk> (https://github.com/kirisu)"],"jest":{"collectCoverage":true,"collectCoverageFrom":["lib/*.js"],"coverageThreshold":{"global":{"statements":80,"branches":80,"functions":70,"lines":80}}},"files":["lib","types","CHANGELOG.md","LICENSE","README.md"],"_lastModified":"2025-06-04T02:26:10.295Z"}

package/dist/node_modules/ms/package.json

@@ -1 +1 @@
-{"name":"ms","version":"2.1.3","description":"Tiny millisecond conversion utility","repository":"vercel/ms","main":"./index","files":["index.js"],"scripts":{"precommit":"lint-staged","lint":"eslint lib/* bin/*","test":"mocha tests.js"},"eslintConfig":{"extends":"eslint:recommended","env":{"node":true,"es6":true}},"lint-staged":{"*.js":["npm run lint","prettier --single-quote --write","git add"]},"license":"MIT","devDependencies":{"eslint":"4.18.2","expect.js":"0.3.1","husky":"0.14.3","lint-staged":"5.0.0","mocha":"4.0.1","prettier":"2.0.5"},"_lastModified":"2025-03-25T05:43:14.401Z"}
+{"name":"ms","version":"2.1.3","description":"Tiny millisecond conversion utility","repository":"vercel/ms","main":"./index","files":["index.js"],"scripts":{"precommit":"lint-staged","lint":"eslint lib/* bin/*","test":"mocha tests.js"},"eslintConfig":{"extends":"eslint:recommended","env":{"node":true,"es6":true}},"lint-staged":{"*.js":["npm run lint","prettier --single-quote --write","git add"]},"license":"MIT","devDependencies":{"eslint":"4.18.2","expect.js":"0.3.1","husky":"0.14.3","lint-staged":"5.0.0","mocha":"4.0.1","prettier":"2.0.5"},"_lastModified":"2025-06-04T02:26:10.373Z"}

package/dist/server/actions/auth.d.ts

@@ -8,6 +8,9 @@
  */
 import { Context, Next } from '@nocobase/actions';
 declare const _default: {
+    lostPassword: (ctx: Context, next: Next) => Promise<void>;
+    resetPassword: (ctx: Context, next: Next) => Promise<void>;
+    checkResetToken: (ctx: Context, next: Next) => Promise<void>;
     changePassword: (ctx: Context, next: Next) => Promise<void>;
 };
 export default _default;

package/dist/server/actions/auth.js

@@ -32,18 +32,19 @@ module.exports = __toCommonJS(auth_exports);
 var import_preset = require("../../preset");
 /* istanbul ignore file -- @preserve */
 var auth_default = {
-  // lostPassword: async (ctx: Context, next: Next) => {
-  //   ctx.body = await ctx.auth.lostPassword();
-  //   await next();
-  // },
-  // resetPassword: async (ctx: Context, next: Next) => {
-  //   ctx.body = await ctx.auth.resetPassword();
-  //   await next();
-  // },
-  // getUserByResetToken: async (ctx: Context, next: Next) => {
-  //   ctx.body = await ctx.auth.getUserByResetToken();
-  //   await next();
-  // },
+  lostPassword: async (ctx, next) => {
+    ctx.body = await ctx.auth.lostPassword();
+    await next();
+  },
+  resetPassword: async (ctx, next) => {
+    ctx.body = await ctx.auth.resetPassword();
+    await next();
+  },
+  checkResetToken: async (ctx, next) => {
+    const { resetToken } = ctx.action.params.values;
+    ctx.body = await ctx.auth.checkResetToken(resetToken);
+    await next();
+  },
   changePassword: async (ctx, next) => {
     const systemSettings = ctx.db.getRepository("systemSettings");
     const settings = await systemSettings.findOne();

package/dist/server/basic-auth.d.ts

@@ -8,12 +8,18 @@
  */
 import { AuthConfig, BaseAuth } from '@nocobase/auth';
 export declare class BasicAuth extends BaseAuth {
+    static readonly optionsKeysNotAllowedInEnv: string[];
     constructor(config: AuthConfig);
+    private isEmail;
     validate(): Promise<any>;
     private getSignupFormSettings;
     private verfiySignupParams;
     signUp(): Promise<any>;
+    private getEmailConfig;
     lostPassword(): Promise<any>;
     resetPassword(): Promise<any>;
-    getUserByResetToken(): Promise<any>;
+    /**
+     * 检查重置密码的 Token 是否有效
+     */
+    checkResetToken(resetToken: string): Promise<boolean>;
 }

package/dist/server/basic-auth.js

@@ -40,14 +40,18 @@ __export(basic_auth_exports, {
 });
 module.exports = __toCommonJS(basic_auth_exports);
 var import_auth = require("@nocobase/auth");
-var import_crypto = __toESM(require("crypto"));
-var import_preset = require("../preset");
 var import_lodash = __toESM(require("lodash"));
+var import_preset = require("../preset");
+var import_utils = require("@nocobase/utils");
 class BasicAuth extends import_auth.BaseAuth {
+  static optionsKeysNotAllowedInEnv = ["emailContentText", "emailContentHTML", "emailSubject"];
   constructor(config) {
     const userCollection = config.ctx.db.getCollection("users");
     super({ ...config, userCollection });
   }
+  isEmail(value) {
+    return /^[\w-]+(\.[\w-]+)*@[\w-]+(\.[\w-]+)+$/.test(value);
+  }
   async validate() {
     const ctx = this.ctx;
     const {
@@ -73,7 +77,7 @@ class BasicAuth extends import_auth.BaseAuth {
     const valid = await field.verify(password, user.password);
     if (!valid) {
       ctx.throw(401, ctx.t("The username/email or password is incorrect, please re-enter", { ns: import_preset.namespace }), {
-        code: "INCORRECT_PASSWORD",
+        internalCode: "INCORRECT_PASSWORD",
         user
       });
     }
@@ -101,7 +105,7 @@ class BasicAuth extends import_auth.BaseAuth {
     }
     const emailSetting = signupFormSettings.find((item) => item.field === "email");
     if (emailSetting && emailSetting.show) {
-      if (email && !/^[\w-]+(\.[\w-]+)*@[\w-]+(\.[\w-]+)+$/.test(email)) {
+      if (email && !this.isEmail(email)) {
         throw new Error("Please enter a valid email address");
       }
       if (emailSetting.required && !email) {
@@ -142,15 +146,27 @@ class BasicAuth extends import_auth.BaseAuth {
     const user = await User.create({ values: { ...userValues, password } });
     return user;
   }
-  /* istanbul ignore next -- @preserve */
+  getEmailConfig() {
+    var _a, _b;
+    const options = import_lodash.default.omit(this.authenticator.options, "public") || {};
+    return { ...options, enableResetPassword: (_b = (_a = this.authenticator.options) == null ? void 0 : _a.public) == null ? void 0 : _b.enableResetPassword };
+  }
   async lostPassword() {
+    var _a;
     const ctx = this.ctx;
     const {
-      values: { email }
+      values: { email, baseURL }
     } = ctx.action.params;
+    const authenticatorName = ctx.headers["x-authenticator"];
+    if (!authenticatorName) {
+      ctx.throw(400, ctx.t("Missing X-Authenticator in request header", { ns: import_preset.namespace }));
+    }
     if (!email) {
       ctx.throw(400, ctx.t("Please fill in your email address", { ns: import_preset.namespace }));
     }
+    if (!this.isEmail(email)) {
+      ctx.throw(400, ctx.t("Incorrect email format", { ns: import_preset.namespace }));
+    }
     const user = await this.userRepository.findOne({
       where: {
         email
@@ -159,44 +175,147 @@ class BasicAuth extends import_auth.BaseAuth {
     if (!user) {
       ctx.throw(401, ctx.t("The email is incorrect, please re-enter", { ns: import_preset.namespace }));
     }
-    user.resetToken = import_crypto.default.randomBytes(20).toString("hex");
-    await user.save();
-    return user;
+    const {
+      notificationChannel,
+      emailContentType,
+      emailContentHTML,
+      emailContentText,
+      emailSubject,
+      enableResetPassword,
+      resetTokenExpiresIn
+    } = this.getEmailConfig();
+    if (!enableResetPassword) {
+      ctx.throw(403, ctx.t("Not allowed to reset password", { ns: import_preset.namespace }));
+    }
+    const resetToken = await ctx.app.authManager.jwt.sign(
+      {
+        resetPasswordUserId: user.id
+      },
+      {
+        expiresIn: resetTokenExpiresIn * 60
+        // 配置的过期时间，单位分钟，需要转成秒
+      }
+    );
+    const resetLink = `${baseURL}/reset-password?resetToken=${resetToken}&name=${authenticatorName}`;
+    const systemSettings = await ((_a = ctx.db.getRepository("systemSettings")) == null ? void 0 : _a.findOne()) || {};
+    const notificationManager = ctx.app.getPlugin("notification-manager");
+    if (notificationManager) {
+      const emailer = await notificationManager.manager.findChannel(notificationChannel);
+      if (emailer) {
+        try {
+          const parsedSubject = (0, import_utils.parsedValue)(emailSubject, {
+            $user: user,
+            $resetLink: resetLink,
+            $env: ctx.app.environment.getVariables(),
+            $resetLinkExpiration: resetTokenExpiresIn,
+            $systemSettings: systemSettings
+          });
+          const parsedContent = (0, import_utils.parsedValue)(emailContentType === "html" ? emailContentHTML : emailContentText, {
+            $user: user,
+            $resetLink: resetLink,
+            $env: ctx.app.environment.getVariables(),
+            $resetLinkExpiration: resetTokenExpiresIn,
+            $systemSettings: systemSettings
+          });
+          const content = emailContentType === "html" ? { html: parsedContent } : { text: parsedContent };
+          try {
+            await notificationManager.send({
+              channelName: notificationChannel,
+              message: {
+                to: [email],
+                subject: parsedSubject,
+                contentType: emailContentType,
+                ...content
+              }
+            });
+            ctx.logger.info(`Password reset email sent to ${email}`);
+          } catch (error) {
+            ctx.logger.error(`Failed to send reset password email: ${error.message}`, {
+              error,
+              email,
+              notificationChannel
+            });
+            ctx.throw(
+              500,
+              ctx.t("Failed to send email. Error: {{error}}", {
+                ns: import_preset.namespace,
+                error: error.message
+              })
+            );
+          }
+        } catch (error) {
+          ctx.logger.error(`Error parsing email template variables: ${error.message}`, {
+            error,
+            emailSubject,
+            emailContentType
+          });
+          ctx.throw(
+            500,
+            ctx.t("Error parsing email template. Error: {{error}}", {
+              ns: import_preset.namespace,
+              error: error.message
+            })
+          );
+        }
+      } else {
+        ctx.throw(400, ctx.t("Email channel not found", { ns: import_preset.namespace }));
+      }
+    } else {
+      ctx.throw(500, ctx.t("Notification manager plugin not found", { ns: import_preset.namespace }));
+    }
+    ctx.logger.info(`Password reset email sent to ${email}`);
+    return null;
   }
-  /* istanbul ignore next -- @preserve */
   async resetPassword() {
     const ctx = this.ctx;
     const {
-      values: { email, password, resetToken }
+      values: { password, resetToken }
     } = ctx.action.params;
+    if (!resetToken) {
+      ctx.throw(401, ctx.t("Token expired", { ns: import_preset.namespace }));
+    }
+    try {
+      await this.checkResetToken(resetToken);
+    } catch (error) {
+      throw error;
+    }
+    let decodedToken;
+    try {
+      decodedToken = await ctx.app.authManager.jwt.decode(resetToken);
+    } catch (error) {
+      ctx.throw(401, ctx.t("Token expired", { ns: import_preset.namespace }));
+    }
     const user = await this.userRepository.findOne({
       where: {
-        email,
-        resetToken
+        id: decodedToken.resetPasswordUserId
       }
     });
     if (!user) {
-      ctx.throw(404);
+      ctx.throw(404, ctx.t("User not found", { ns: import_preset.namespace }));
     }
-    user.token = null;
-    user.resetToken = null;
     user.password = password;
     await user.save();
-    return user;
+    await ctx.app.authManager.jwt.block(resetToken);
+    ctx.logger.info(`Password for user ${user.id} has been reset`);
+    return null;
   }
-  /* istanbul ignore next -- @preserve */
-  async getUserByResetToken() {
-    const ctx = this.ctx;
-    const { token } = ctx.action.params;
-    const user = await this.userRepository.findOne({
-      where: {
-        resetToken: token
-      }
-    });
-    if (!user) {
-      ctx.throw(401);
+  /**
+   * 检查重置密码的 Token 是否有效
+   */
+  async checkResetToken(resetToken) {
+    if (!resetToken) {
+      this.ctx.throw(401, this.ctx.t("Token expired", { ns: import_preset.namespace }));
+    }
+    const blocked = await this.jwt.blacklist.has(resetToken);
+    if (blocked) {
+      this.ctx.throw(401, this.ctx.t("Token expired", { ns: import_preset.namespace }));
+    }
+    try {
+      await this.ctx.app.authManager.jwt.decode(resetToken);
+      return true;
+    } catch (err) {
+      this.ctx.throw(401, this.ctx.t("Token expired", { ns: import_preset.namespace }));
     }
-    return user;
   }
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/server/locale/en-US.json

@@ -5,4 +5,4 @@
   "Not a valid cellphone number, please re-enter": "Not a valid cellphone number, please re-enter",
   "The phone number has been registered, please login directly": "The phone number has been registered, please login directly",
   "The phone number is not registered, please register first": "The phone number is not registered, please register first"
-}
+}

package/dist/server/plugin.js

@@ -135,6 +135,9 @@ class PluginAuthServer extends import_server.Plugin {
     );
     ["signIn", "signUp"].forEach((action) => this.app.acl.allow("auth", action));
     ["check", "signOut", "changePassword"].forEach((action) => this.app.acl.allow("auth", action, "loggedIn"));
+    ["lostPassword", "resetPassword", "checkResetToken"].forEach(
+      (action) => this.app.acl.allow("auth", action, "public")
+    );
     this.app.acl.allow("authenticators", "publicList");
     this.app.acl.registerSnippet({
       name: `pm.${this.name}.authenticators`,
@@ -229,22 +232,15 @@ class PluginAuthServer extends import_server.Plugin {
             filterByTk: userId
           });
           const roles = await (user == null ? void 0 : user.getRoles());
-          if (!roles) {
+          if (roles && roles.length === 1) {
             return {
-              userId
+              userId,
+              roleName: roles[0].name
             };
-          } else {
-            if (roles.length === 1) {
-              return {
-                userId,
-                roleName: roles[0].name
-              };
-            } else {
-              return {
-                userId
-              };
-            }
           }
+          return {
+            userId
+          };
         }
       },
       {

package/dist/server/token-controller.d.ts

@@ -25,7 +25,7 @@ export declare class TokenController implements TokenControlService {
     setTokenInfo(id: string, value: TokenInfo): Promise<void>;
     getConfig(): Promise<NumericTokenPolicyConfig>;
     setConfig(config: TokenPolicyConfig): Promise<void>;
-    removeSessionExpiredTokens(userId: number): Promise<any>;
+    removeSessionExpiredTokens(userId: number): Promise<number>;
     add({ userId }: {
         userId: number;
     }): Promise<{

package/dist/server/token-controller.js

@@ -42,6 +42,7 @@ module.exports = __toCommonJS(token_controller_exports);
 var import_auth = require("@nocobase/auth");
 var import_crypto = require("crypto");
 var import_ms = __toESM(require("ms"));
+var import_database = require("@nocobase/database");
 var import_constants = require("../constants");
 const JTICACHEKEY = "token-jti";
 class TokenController {
@@ -81,13 +82,13 @@ class TokenController {
   }
   async removeSessionExpiredTokens(userId) {
     const config = await this.getConfig();
-    const issuedTokenRepo = this.app.db.getRepository(import_constants.issuedTokensCollectionName);
+    const model = this.app.db.getModel(import_constants.issuedTokensCollectionName);
     const currTS = Date.now();
-    return issuedTokenRepo.destroy({
-      filter: {
+    return model.destroy({
+      where: {
         userId,
         signInTime: {
-          $lt: currTS - config.sessionExpirationTime
+          [import_database.Op.lt]: currTS - config.sessionExpirationTime
         }
       }
     });

package/dist/swagger/index.js

@@ -309,46 +309,6 @@ var swagger_default = {
     //     },
     //   },
     // },
-    // '/auth:getUserByResetToken': {
-    //   get: {
-    //     description: 'Get user by reset token',
-    //     tags: ['Basic auth'],
-    //     security: [],
-    //     parameters: [
-    //       {
-    //         name: 'token',
-    //         in: 'query',
-    //         description: '重置密码的token',
-    //         required: true,
-    //         schema: {
-    //           type: 'string',
-    //         },
-    //       },
-    //     ],
-    //     responses: {
-    //       200: {
-    //         description: 'ok',
-    //         content: {
-    //           'application/json': {
-    //             schema: {
-    //               $ref: '#/components/schemas/user',
-    //             },
-    //           },
-    //         },
-    //       },
-    //       401: {
-    //         description: 'Unauthorized',
-    //         content: {
-    //           'application/json': {
-    //             schema: {
-    //               $ref: '#/components/schemas/error',
-    //             },
-    //           },
-    //         },
-    //       },
-    //     },
-    //   },
-    // },
     "/auth:changePassword": {
       post: {
         description: "Change password",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nocobase/plugin-auth",
-  "version": "1.7.0-beta.9",
+  "version": "1.8.0-alpha.1",
   "main": "./dist/server/index.js",
   "homepage": "https://docs.nocobase.com/handbook/auth",
   "homepage.zh-CN": "https://docs-cn.nocobase.com/handbook/auth",
@@ -27,7 +27,7 @@
   "displayName.zh-CN": "用户认证",
   "description": "User authentication management, including password, SMS, and support for Single Sign-On (SSO) protocols, with extensibility.",
   "description.zh-CN": "用户认证管理，包括基础的密码认证、短信认证、SSO 协议的认证等，可扩展。",
-  "gitHead": "7013a5080f3695d7750ab21005c90d2172c16480",
+  "gitHead": "bc81ea73ed91b18dfb7cfad0f353b825881b4cc7",
   "keywords": [
     "Authentication",
     "Security"