@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/server/service.d.ts

@@ -0,0 +1,63 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import type { Cache } from '@nocobase/cache';
+import type Application from '@nocobase/server';
+type ResourceServer = import('oidc-provider').ResourceServer;
+type TokenFormat = import('oidc-provider').TokenFormat;
+export type ResourceServerConfig = {
+    path?: string;
+    identifier?: string;
+    audience?: string;
+    scope: string;
+    accessTokenTTL?: number;
+    accessTokenFormat?: TokenFormat;
+    jwt?: ResourceServer['jwt'];
+};
+type ProviderContext = {
+    appName: string;
+    issuer: string;
+    issuerPath: string;
+    origin: string;
+};
+export declare class IdpOauthService {
+    private readonly app;
+    private readonly bridgeTokenCache;
+    private providers;
+    private pendingProviders;
+    private resourceServers;
+    private resourceJwks;
+    constructor(app: Application, bridgeTokenCache: Cache);
+    getOrigin(ctx: any): string;
+    getIssuerPath(appName?: string): string;
+    getIssuer(origin: string, appName?: string): string;
+    getProviderContext(ctx: any): ProviderContext;
+    registerResourceServer(name: string, config: ResourceServerConfig): void;
+    unregisterResourceServer(name: string): void;
+    getSupportedScopes(): string[];
+    private resolveResourceIdentifier;
+    private getResourceServerInfo;
+    private getResolvedResourceIdentifiers;
+    private getResourcePath;
+    private getRequestResourceConfig;
+    private getProviderJwks;
+    private generateSigningJwks;
+    private getDefaultJwksPath;
+    private getProviderSigningJwks;
+    private issueInternalToken;
+    private getBridgeTokenCacheKey;
+    private findUserById;
+    resolveInteractionSessionUser(accountId?: string | number): Promise<any>;
+    resolveInteractionBridgeUser(ctx: any): Promise<any>;
+    authenticateResourceRequest(ctx: any): Promise<any>;
+    private getPublicErrorLocation;
+    private createConfiguration;
+    ensureProviderForContext(ctx: any): Promise<import("oidc-provider").default>;
+    ensureProvider(providerContext: ProviderContext): Promise<import("oidc-provider").default>;
+}
+export {};

package/dist/server/service.js

@@ -0,0 +1,540 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var service_exports = {};
+__export(service_exports, {
+  IdpOauthService: () => IdpOauthService
+});
+module.exports = __toCommonJS(service_exports);
+var import_node_fs = __toESM(require("node:fs"));
+var import_light_my_request = __toESM(require("light-my-request"));
+var import_node_crypto = require("node:crypto");
+var import_node_path = __toESM(require("node:path"));
+var import_cache_adapter = require("./cache-adapter");
+var import_utils = require("./utils");
+let oidcModulePromise = null;
+let joseModulePromise = null;
+function getOidcModule() {
+  if (!oidcModulePromise) {
+    oidcModulePromise = import("oidc-provider");
+  }
+  return oidcModulePromise;
+}
+function getJoseModule() {
+  if (!joseModulePromise) {
+    joseModulePromise = import("jose");
+  }
+  return joseModulePromise;
+}
+const defaultSupportedScopes = ["openid", "offline_access", "profile", "email"];
+const envJwksKeys = ["IDP_OAUTH_JWKS", "OAUTH_JWKS"];
+class IdpOauthService {
+  constructor(app, bridgeTokenCache) {
+    this.app = app;
+    this.bridgeTokenCache = bridgeTokenCache;
+  }
+  providers = /* @__PURE__ */ new Map();
+  pendingProviders = /* @__PURE__ */ new Map();
+  resourceServers = /* @__PURE__ */ new Map();
+  resourceJwks = /* @__PURE__ */ new Map();
+  getOrigin(ctx) {
+    var _a, _b;
+    const protocol = ((_a = ctx.headers) == null ? void 0 : _a["x-forwarded-proto"]) || ctx.protocol || "http";
+    const host = ((_b = ctx.headers) == null ? void 0 : _b["x-forwarded-host"]) || ctx.host || "";
+    return process.env.APP_PUBLIC_ORIGIN || `${protocol}://${host}`;
+  }
+  getIssuerPath(appName = this.app.name) {
+    const apiBasePath = (0, import_utils.normalizeBasePath)(process.env.API_BASE_PATH || "/api");
+    if (appName === "main") {
+      return apiBasePath;
+    }
+    return `${apiBasePath}/__app/${appName}`;
+  }
+  getIssuer(origin, appName = this.app.name) {
+    return `${origin}${this.getIssuerPath(appName)}`;
+  }
+  getProviderContext(ctx) {
+    var _a;
+    const appName = ((_a = ctx.app) == null ? void 0 : _a.name) || this.app.name;
+    const origin = this.getOrigin(ctx);
+    const issuerPath = this.getIssuerPath(appName);
+    const issuer = this.getIssuer(origin, appName);
+    return {
+      appName,
+      issuer,
+      issuerPath,
+      origin
+    };
+  }
+  registerResourceServer(name, config) {
+    this.resourceServers.set(name, config);
+  }
+  unregisterResourceServer(name) {
+    this.resourceServers.delete(name);
+  }
+  getSupportedScopes() {
+    const supportedScopes = new Set(defaultSupportedScopes);
+    for (const config of this.resourceServers.values()) {
+      for (const scope of config.scope.split(/\s+/)) {
+        if (scope) {
+          supportedScopes.add(scope);
+        }
+      }
+    }
+    return [...supportedScopes];
+  }
+  resolveResourceIdentifier(providerContext, config) {
+    if (config.identifier) {
+      return config.identifier;
+    }
+    if (!config.path) {
+      return void 0;
+    }
+    const normalizedPath = config.path.startsWith("/") ? config.path : `/${config.path}`;
+    return new URL(`${providerContext.issuerPath}${normalizedPath}`, providerContext.origin).href;
+  }
+  getResourceServerInfo(providerContext, resourceIndicator) {
+    for (const config of this.resourceServers.values()) {
+      const identifier = this.resolveResourceIdentifier(providerContext, config);
+      if (!identifier || identifier !== resourceIndicator) {
+        continue;
+      }
+      return {
+        audience: config.audience || identifier,
+        scope: config.scope,
+        accessTokenTTL: config.accessTokenTTL,
+        accessTokenFormat: config.accessTokenFormat,
+        jwt: config.jwt
+      };
+    }
+    return void 0;
+  }
+  getResolvedResourceIdentifiers(providerContext) {
+    const identifiers = [];
+    for (const config of this.resourceServers.values()) {
+      const identifier = this.resolveResourceIdentifier(providerContext, config);
+      if (identifier) {
+        identifiers.push(identifier);
+      }
+    }
+    return identifiers;
+  }
+  getResourcePath(config) {
+    if (!config.path) {
+      return void 0;
+    }
+    const normalizedPath = config.path.startsWith("/") ? config.path : `/${config.path}`;
+    return `${(0, import_utils.normalizeBasePath)(process.env.API_BASE_PATH || "/api")}${normalizedPath}`;
+  }
+  getRequestResourceConfig(ctx) {
+    for (const config of this.resourceServers.values()) {
+      const requestPath = this.getResourcePath(config);
+      if (requestPath && ctx.path === requestPath) {
+        return config;
+      }
+    }
+    return void 0;
+  }
+  async getProviderJwks(provider) {
+    if (this.resourceJwks.has(provider.issuer)) {
+      return this.resourceJwks.get(provider.issuer);
+    }
+    const { createLocalJWKSet } = await getJoseModule();
+    const issuerPath = (0, import_utils.normalizeBasePath)(new URL(provider.issuer).pathname || "/");
+    const jwksPath = provider.pathFor("jwks");
+    const internalJwksPath = jwksPath === issuerPath ? "/" : jwksPath.startsWith(`${issuerPath}/`) ? jwksPath.slice(issuerPath.length) || "/" : jwksPath;
+    const response = await (0, import_light_my_request.default)(provider.callback(), {
+      method: "GET",
+      url: internalJwksPath,
+      headers: {
+        host: new URL(provider.issuer).host,
+        accept: "application/json"
+      }
+    });
+    const jwks = response.json();
+    const localJwks = createLocalJWKSet(jwks);
+    this.resourceJwks.set(provider.issuer, localJwks);
+    return localJwks;
+  }
+  async generateSigningJwks() {
+    const { exportJWK, generateKeyPair } = await getJoseModule();
+    const { privateKey } = await generateKeyPair("RS256", { extractable: true });
+    const privateJwk = await exportJWK(privateKey);
+    return {
+      keys: [
+        {
+          ...privateJwk,
+          kid: privateJwk.kid || "idp-oauth-rs256",
+          use: "sig",
+          alg: "RS256"
+        }
+      ]
+    };
+  }
+  getDefaultJwksPath(appName) {
+    return import_node_path.default.resolve(process.cwd(), "storage", "apps", appName, "idp_oauth_jwks.json");
+  }
+  async getProviderSigningJwks(appName) {
+    const parseJwks = (value, source) => {
+      try {
+        const jwks = JSON.parse(value);
+        if (!jwks || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
+          throw new Error("must be a JSON object with a non-empty keys array");
+        }
+        return jwks;
+      } catch (error) {
+        throw new Error(`Failed to parse JWKS from ${source}: ${error.message}`);
+      }
+    };
+    for (const key of envJwksKeys) {
+      const value = process.env[key];
+      if (value) {
+        return parseJwks(value, `environment variable ${key}`);
+      }
+    }
+    const jwksPath = this.getDefaultJwksPath(appName);
+    if (import_node_fs.default.existsSync(jwksPath)) {
+      return parseJwks(import_node_fs.default.readFileSync(jwksPath, "utf8"), `file ${jwksPath}`);
+    }
+    const generatedJwks = await this.generateSigningJwks();
+    import_node_fs.default.mkdirSync(import_node_path.default.dirname(jwksPath), { recursive: true });
+    import_node_fs.default.writeFileSync(jwksPath, JSON.stringify(generatedJwks, null, 2), { mode: 384 });
+    return generatedJwks;
+  }
+  async issueInternalToken(userId, maxExpiresInMs) {
+    const tokenInfo = await this.app.authManager.tokenController.add({ userId });
+    const config = await this.app.authManager.tokenController.getConfig();
+    const expiresInMs = typeof maxExpiresInMs === "number" && Number.isFinite(maxExpiresInMs) ? Math.max(1e3, Math.min(config.tokenExpirationTime, maxExpiresInMs)) : config.tokenExpirationTime;
+    const expiresIn = Math.max(1, Math.floor(expiresInMs / 1e3));
+    return this.app.authManager.jwt.sign(
+      {
+        userId,
+        temp: true,
+        signInTime: tokenInfo.signInTime
+      },
+      {
+        jwtid: tokenInfo.jti,
+        expiresIn
+      }
+    );
+  }
+  getBridgeTokenCacheKey(token, tokenId) {
+    return tokenId || (0, import_node_crypto.createHash)("sha256").update(token).digest("hex");
+  }
+  async findUserById(userId) {
+    return this.app.db.getRepository("users").findOne({
+      filterByTk: String(userId)
+    });
+  }
+  async resolveInteractionSessionUser(accountId) {
+    if (!accountId) {
+      return void 0;
+    }
+    return this.findUserById(accountId);
+  }
+  async resolveInteractionBridgeUser(ctx) {
+    const { bridge_token: token, bridge_authenticator: authenticator } = ctx.request.body || {};
+    if (!token || typeof token !== "string") {
+      return void 0;
+    }
+    const authenticatorName = typeof authenticator === "string" && authenticator ? authenticator : "basic";
+    try {
+      const auth = await ctx.app.authManager.get(authenticatorName, {
+        app: ctx.app,
+        db: ctx.db,
+        cache: ctx.cache,
+        logger: ctx.logger,
+        log: ctx.log,
+        headers: {
+          ...ctx.headers,
+          authorization: `Bearer ${token}`,
+          "x-authenticator": authenticatorName
+        },
+        req: {
+          ...ctx.req,
+          headers: {
+            ...ctx.req.headers,
+            authorization: `Bearer ${token}`,
+            "x-authenticator": authenticatorName
+          }
+        },
+        get: (name) => {
+          var _a;
+          const lowerName = name.toLowerCase();
+          if (lowerName === "authorization") {
+            return `Bearer ${token}`;
+          }
+          if (lowerName === "x-authenticator") {
+            return authenticatorName;
+          }
+          return (_a = ctx.get) == null ? void 0 : _a.call(ctx, name);
+        },
+        getBearerToken: () => token,
+        throw: (...args) => {
+          var _a;
+          throw new Error(((_a = args == null ? void 0 : args[0]) == null ? void 0 : _a.message) || (args == null ? void 0 : args[0]) || "Authentication failed");
+        },
+        t: ctx.t,
+        i18n: ctx.i18n,
+        state: { ...ctx.state }
+      });
+      const { user } = await auth.checkToken();
+      if (user) {
+        ctx.auth = auth;
+        ctx.auth.user = user;
+        ctx.state.currentUser = user;
+        return user;
+      }
+      return void 0;
+    } catch (_error) {
+      return void 0;
+    }
+  }
+  async authenticateResourceRequest(ctx) {
+    var _a, _b, _c;
+    const resourceConfig = this.getRequestResourceConfig(ctx);
+    if (!resourceConfig) {
+      return void 0;
+    }
+    const token = ((_a = ctx.getBearerToken) == null ? void 0 : _a.call(ctx)) || "";
+    if (!token) {
+      return void 0;
+    }
+    const { decodeJwt, jwtVerify } = await getJoseModule();
+    const providerContext = this.getProviderContext(ctx);
+    const audience = this.resolveResourceIdentifier(providerContext, resourceConfig);
+    (_c = (_b = ctx.logger) == null ? void 0 : _b.debug) == null ? void 0 : _c.call(_b, "idp-oauth authenticate resource request", {
+      path: ctx.path,
+      issuer: providerContext.issuer,
+      audience,
+      hasBearerToken: !!token
+    });
+    try {
+      const decoded = decodeJwt(token);
+      if (decoded.iss !== providerContext.issuer) {
+        return void 0;
+      }
+    } catch (_error) {
+      return void 0;
+    }
+    const provider = await this.ensureProvider(providerContext);
+    const keySet = await this.getProviderJwks(provider);
+    let payload;
+    try {
+      ({ payload } = await jwtVerify(token, keySet, {
+        issuer: providerContext.issuer,
+        audience
+      }));
+    } catch (error) {
+      return void 0;
+    }
+    if (typeof payload.sub !== "string" || !payload.sub) {
+      ctx.throw(401, "Invalid token subject");
+    }
+    const user = await this.app.db.getRepository("users").findOne({
+      filterByTk: payload.sub
+    });
+    if (!user) {
+      ctx.throw(401, "User not found");
+    }
+    const oauthExpiresInMs = typeof payload.exp === "number" ? Math.max(0, payload.exp * 1e3 - Date.now()) : void 0;
+    const bridgeTokenCacheKey = this.getBridgeTokenCacheKey(
+      token,
+      typeof payload.jti === "string" ? payload.jti : void 0
+    );
+    const cachedInternalToken = await this.bridgeTokenCache.get(bridgeTokenCacheKey);
+    const internalToken = cachedInternalToken || await this.issueInternalToken(user.id, oauthExpiresInMs);
+    if (!cachedInternalToken && typeof oauthExpiresInMs === "number" && oauthExpiresInMs > 0) {
+      await this.bridgeTokenCache.set(bridgeTokenCacheKey, internalToken, oauthExpiresInMs);
+    }
+    const authorizationHeader = `Bearer ${internalToken}`;
+    ctx.req.headers.authorization = authorizationHeader;
+    ctx.req.headers["x-authenticator"] = "basic";
+    ctx.state.currentUser = user;
+    ctx.auth = ctx.auth || {};
+    ctx.auth.user = user;
+    return user;
+  }
+  getPublicErrorLocation(appName, out) {
+    const query = new URLSearchParams();
+    for (const [key, value] of Object.entries(out || {})) {
+      if (typeof value === "undefined" || value === null) {
+        continue;
+      }
+      query.set(key, String(value));
+    }
+    return `/idp-oauth/error/${appName}${query.size ? `?${query.toString()}` : ""}`;
+  }
+  async createConfiguration({ appName, issuer, issuerPath, origin }) {
+    const app = this.app;
+    const cookieKey = this.app.authManager.jwt.getSecret();
+    if (!cookieKey) {
+      throw new Error("JWT secret is required for plugin-idp-oauth");
+    }
+    const jwks = await this.getProviderSigningJwks(appName);
+    return {
+      adapter: (0, import_cache_adapter.createCacheAdapter)(this.app.cache, "idp-oauth"),
+      clients: [],
+      scopes: this.getSupportedScopes(),
+      jwks,
+      cookies: {
+        keys: [cookieKey]
+      },
+      claims: {
+        openid: ["sub"],
+        profile: ["name", "preferred_username"],
+        email: ["email", "email_verified"]
+      },
+      interactions: {
+        url(_ctx, interaction) {
+          return `/idp-oauth/interaction/${appName}/${interaction.uid}`;
+        }
+      },
+      routes: {
+        authorization: "/idpOAuth/authorize",
+        token: "/idpOAuth/token",
+        jwks: "/idpOAuth/jwks",
+        registration: "/idpOAuth/register",
+        revocation: "/idpOAuth/revoke",
+        userinfo: "/idpOAuth/me",
+        introspection: "/idpOAuth/introspection",
+        end_session: "/idpOAuth/end-session"
+      },
+      features: {
+        devInteractions: { enabled: false },
+        registration: { enabled: true },
+        revocation: { enabled: true },
+        resourceIndicators: {
+          enabled: true,
+          useGrantedResource: async () => true,
+          // Temporary compatibility fallback for current Codex MCP OAuth login behavior.
+          // Codex may omit the RFC 8707 resource parameter during authorize/token requests,
+          // so when there is only one registered protected resource we default to it here.
+          // Track upstream fix: https://github.com/openai/codex/issues/13891
+          // This can be removed once the client consistently sends resource.
+          defaultResource: async (_ctx, _client, oneOf) => {
+            if ((oneOf == null ? void 0 : oneOf.length) === 1) {
+              return oneOf[0];
+            }
+            const identifiers = this.getResolvedResourceIdentifiers({ appName, issuer, issuerPath, origin });
+            if (identifiers.length === 1) {
+              return identifiers[0];
+            }
+            return void 0;
+          },
+          getResourceServerInfo: async (_ctx, resourceIndicator) => {
+            const resourceServer = this.getResourceServerInfo(
+              { appName, issuer, issuerPath, origin },
+              resourceIndicator
+            );
+            if (resourceServer) {
+              return resourceServer;
+            }
+            const oidc = await getOidcModule();
+            throw new oidc.errors.InvalidTarget();
+          }
+        }
+      },
+      ttl: {
+        AccessToken: () => 10 * 60,
+        AuthorizationCode: 60,
+        Grant: 14 * 24 * 60 * 60,
+        IdToken: 60 * 60,
+        RefreshToken: () => 30 * 24 * 60 * 60,
+        Session: 14 * 24 * 60 * 60,
+        Interaction: 60 * 60
+      },
+      pkce: {
+        required: () => true
+      },
+      findAccount: async (_ctx, sub) => {
+        const repo = app.db.getRepository("users");
+        const user = await repo.findOne({
+          filterByTk: sub
+        });
+        if (!user) {
+          return void 0;
+        }
+        return {
+          accountId: String(user.id),
+          claims: async () => ({
+            sub: String(user.id),
+            name: user.nickname || user.username || user.email,
+            preferred_username: user.username,
+            email: user.email,
+            email_verified: !!user.email
+          })
+        };
+      },
+      extraTokenClaims: async (_ctx, token) => {
+        return {
+          client_id: token.clientId,
+          iss: issuer
+        };
+      },
+      renderError: async (ctx, out) => {
+        ctx.status = 302;
+        ctx.redirect(this.getPublicErrorLocation(appName, out));
+      }
+    };
+  }
+  async ensureProviderForContext(ctx) {
+    return this.ensureProvider(this.getProviderContext(ctx));
+  }
+  async ensureProvider(providerContext) {
+    const { issuer } = providerContext;
+    if (this.providers.has(issuer)) {
+      return this.providers.get(issuer);
+    }
+    if (this.pendingProviders.has(issuer)) {
+      return this.pendingProviders.get(issuer);
+    }
+    const pending = getOidcModule().then(async (oidc) => {
+      const provider = new oidc.Provider(issuer, await this.createConfiguration(providerContext));
+      provider.proxy = true;
+      this.providers.set(issuer, provider);
+      return provider;
+    }).finally(() => {
+      this.pendingProviders.delete(issuer);
+    });
+    this.pendingProviders.set(issuer, pending);
+    return pending;
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  IdpOauthService
+});

package/dist/server/utils.d.ts

@@ -0,0 +1,12 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import type { IdpOauthService } from './service';
+export declare function normalizeBasePath(path?: string): string;
+export declare function getCurrentUser(ctx: any): any;
+export declare function resolveCurrentUser(ctx: any, service?: IdpOauthService): Promise<any>;

package/dist/server/utils.js

@@ -0,0 +1,58 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var utils_exports = {};
+__export(utils_exports, {
+  getCurrentUser: () => getCurrentUser,
+  normalizeBasePath: () => normalizeBasePath,
+  resolveCurrentUser: () => resolveCurrentUser
+});
+module.exports = __toCommonJS(utils_exports);
+function normalizeBasePath(path = "") {
+  const normalized = path.replace(/\/+/g, "/").replace(/\/$/, "");
+  return normalized || "/";
+}
+function getCurrentUser(ctx) {
+  var _a, _b;
+  return ((_a = ctx.auth) == null ? void 0 : _a.user) || ((_b = ctx.state) == null ? void 0 : _b.currentUser);
+}
+async function resolveCurrentUser(ctx, service) {
+  const currentUser = getCurrentUser(ctx);
+  if (currentUser) {
+    return currentUser;
+  }
+  const bridgeUser = service ? await service.resolveInteractionBridgeUser(ctx) : void 0;
+  if (bridgeUser) {
+    return bridgeUser;
+  }
+  return void 0;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  getCurrentUser,
+  normalizeBasePath,
+  resolveCurrentUser
+});

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@nocobase/plugin-idp-oauth",
+  "version": "2.1.0-alpha.10",
+  "main": "dist/server/index.js",
+  "displayName": "IdP: OAuth",
+  "displayName.zh-CN": "IdP: OAuth",
+  "description": "Based on OAuth 2.1 and OpenID Connect, this plugin enables NocoBase to act as an identity provider for other systems.",
+  "description.zh-CN": "基于 OAuth 2.1 和 OpenID Connect 协议，支持 NocoBase 作为身份提供方登录其他系统。",
+  "devDependencies": {
+    "@types/oidc-provider": "^9.5.0",
+    "jose": "^6.2.1",
+    "light-my-request": "^6.6.0",
+    "oidc-provider": "~9.7.0"
+  },
+  "peerDependencies": {
+    "@nocobase/client": "2.x",
+    "@nocobase/server": "2.x",
+    "@nocobase/test": "2.x"
+  },
+  "keywords": [
+    "Authentication"
+  ],
+  "gitHead": "ce790d46c0a5768ca9618c7d0d77ab8300de75c8"
+}