@nocobase/plugin-idp-oauth 2.1.0-alpha.40 → 2.1.0-alpha.46

package/dist/client/index.js

@@ -7,4 +7,4 @@
  * For more information, please refer to: https://www.nocobase.com/agreement.
  */
 
-!function(e,t){"object"==typeof exports&&"object"==typeof module?module.exports=t(require("antd"),require("react"),require("@nocobase/client"),require("react-router-dom")):"function"==typeof define&&define.amd?define("@nocobase/plugin-idp-oauth",["antd","react","@nocobase/client","react-router-dom"],t):"object"==typeof exports?exports["@nocobase/plugin-idp-oauth"]=t(require("antd"),require("react"),require("@nocobase/client"),require("react-router-dom")):e["@nocobase/plugin-idp-oauth"]=t(e.antd,e.react,e["@nocobase/client"],e["react-router-dom"])}(self,function(e,t,r,n){return function(){"use strict";var o={342:function(e){e.exports=r},59:function(t){t.exports=e},155:function(e){e.exports=t},442:function(e){e.exports=n}},i={};function a(e){var t=i[e];if(void 0!==t)return t.exports;var r=i[e]={exports:{}};return o[e](r,r.exports,a),r.exports}a.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return a.d(t,{a:t}),t},a.d=function(e,t){for(var r in t)a.o(t,r)&&!a.o(e,r)&&Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},a.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||Function("return this")()}catch(e){if("object"==typeof window)return window}}(),a.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},a.r=function(e){"u">typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},a.g.importScripts&&(u=a.g.location+"");var u,c=a.g.document;if(!u&&c&&(c.currentScript&&"SCRIPT"===c.currentScript.tagName.toUpperCase()&&(u=c.currentScript.src),!u)){var l=c.getElementsByTagName("script");if(l.length)for(var s=l.length-1;s>-1&&(!u||!/^http(s?):/.test(u));)u=l[s--].src}if(!u)throw Error("Automatic publicPath is not supported in this browser");a.p=u.replace(/^blob:/,"").replace(/#.*$/,"").replace(/\?.*$/,"").replace(/\/[^\/]+$/,"/");var p={};return!function(){var e="",t="u">typeof document?document.currentScript:null;if(t&&t.src&&(e=t.src.replace(/^blob:/,"").replace(/#.*$/,"").replace(/\?.*$/,"").replace(/\/[^\/]+$/,"/")),!e){var r=window.__webpack_public_path__||"";r&&("/"!==r.charAt(r.length-1)&&(r+="/"),e=r+"static/plugins/@nocobase/plugin-idp-oauth/dist/client/")}if(!e){if(!(e=window.__nocobase_public_path__||"")&&window.location&&window.location.pathname){var n=window.location.pathname||"/",o=n.indexOf("/v2/");e=o>=0?n.slice(0,o+1):"/"}e&&(e=e.replace(/\/v2\/?$/,"/")),e||(e="/"),"/"!==e.charAt(e.length-1)&&(e+="/"),e+="static/plugins/@nocobase/plugin-idp-oauth/dist/client/"}a.p=e}(),!function(){a.r(p),a.d(p,{default:function(){return O}});var e=a(342),t=a(59),r=a(155),n=a.n(r),o=a(442);function i(e,t){(null==t||t>e.length)&&(t=e.length);for(var r=0,n=Array(t);r<t;r++)n[r]=e[r];return n}var u=function(){var e,r=(function(e){if(Array.isArray(e))return e}(e=(0,o.useSearchParams)())||function(e){var t,r,n=null==e?null:"u">typeof Symbol&&e[Symbol.iterator]||e["@@iterator"];if(null!=n){var o=[],i=!0,a=!1;try{for(n=n.call(e);!(i=(t=n.next()).done)&&(o.push(t.value),1!==o.length);i=!0);}catch(e){a=!0,r=e}finally{try{i||null==n.return||n.return()}finally{if(a)throw r}}return o}}(e)||function(e){if(e){if("string"==typeof e)return i(e,1);var t=Object.prototype.toString.call(e).slice(8,-1);if("Object"===t&&e.constructor&&(t=e.constructor.name),"Map"===t||"Set"===t)return Array.from(t);if("Arguments"===t||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t))return i(e,1)}}(e)||function(){throw TypeError("Invalid attempt to destructure non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}())[0],a=r.get("error"),u=r.get("error_description"),c=r.get("iss");return n().createElement("div",{style:{maxWidth:640,margin:"48px auto",padding:"0 24px"}},n().createElement(t.Result,{status:"error",title:a||"Authentication failed",subTitle:u||void 0}),n().createElement(t.Space,{direction:"vertical",size:"middle",style:{width:"100%"}},c?n().createElement("div",null,n().createElement(t.Typography.Text,{type:"secondary"},"Issuer"),n().createElement("div",null,n().createElement(t.Typography.Text,{code:!0},c))):null))};function c(e,t){(null==t||t>e.length)&&(t=e.length);for(var r=0,n=Array(t);r<t;r++)n[r]=e[r];return n}function l(e,t,r,n,o,i,a){try{var u=e[i](a),c=u.value}catch(e){r(e);return}u.done?t(c):Promise.resolve(c).then(n,o)}function s(e){return function(){var t=this,r=arguments;return new Promise(function(n,o){var i=e.apply(t,r);function a(e){l(i,n,o,a,u,"next",e)}function u(e){l(i,n,o,a,u,"throw",e)}a(void 0)})}}function f(e,t){return null!=t&&"u">typeof Symbol&&t[Symbol.hasInstance]?!!t[Symbol.hasInstance](e):e instanceof t}function d(e,t){return function(e){if(Array.isArray(e))return e}(e)||function(e,t){var r,n,o=null==e?null:"u">typeof Symbol&&e[Symbol.iterator]||e["@@iterator"];if(null!=o){var i=[],a=!0,u=!1;try{for(o=o.call(e);!(a=(r=o.next()).done)&&(i.push(r.value),!t||i.length!==t);a=!0);}catch(e){u=!0,n=e}finally{try{a||null==o.return||o.return()}finally{if(u)throw n}}return i}}(e,t)||function(e,t){if(e){if("string"==typeof e)return c(e,t);var r=Object.prototype.toString.call(e).slice(8,-1);if("Object"===r&&e.constructor&&(r=e.constructor.name),"Map"===r||"Set"===r)return Array.from(r);if("Arguments"===r||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(r))return c(e,t)}}(e,t)||function(){throw TypeError("Invalid attempt to destructure non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}()}function y(e,t){var r,n,o,i={label:0,sent:function(){if(1&o[0])throw o[1];return o[1]},trys:[],ops:[]},a=Object.create(("function"==typeof Iterator?Iterator:Object).prototype),u=Object.defineProperty;return u(a,"next",{value:c(0)}),u(a,"throw",{value:c(1)}),u(a,"return",{value:c(2)}),"function"==typeof Symbol&&u(a,Symbol.iterator,{value:function(){return this}}),a;function c(u){return function(c){var l=[u,c];if(r)throw TypeError("Generator is already executing.");for(;a&&(a=0,l[0]&&(i=0)),i;)try{if(r=1,n&&(o=2&l[0]?n.return:l[0]?n.throw||((o=n.return)&&o.call(n),0):n.next)&&!(o=o.call(n,l[1])).done)return o;switch(n=0,o&&(l=[2&l[0],o.value]),l[0]){case 0:case 1:o=l;break;case 4:return i.label++,{value:l[1],done:!1};case 5:i.label++,n=l[1],l=[0];continue;case 7:l=i.ops.pop(),i.trys.pop();continue;default:if(!(o=(o=i.trys).length>0&&o[o.length-1])&&(6===l[0]||2===l[0])){i=0;continue}if(3===l[0]&&(!o||l[1]>o[0]&&l[1]<o[3])){i.label=l[1];break}if(6===l[0]&&i.label<o[1]){i.label=o[1],o=l;break}if(o&&i.label<o[2]){i.label=o[2],i.ops.push(l);break}o[2]&&i.ops.pop(),i.trys.pop();continue}l=t.call(e,i)}catch(e){l=[6,e],n=0}finally{r=o=0}if(5&l[0])throw l[1];return{value:l[0]?l[1]:void 0,done:!0}}}}function h(e,t){return f(e,Error)?e.message:t}var m=function(){var i=(0,e.useAPIClient)(),a=(0,e.useApp)(),u=(0,o.useNavigate)(),c=(0,o.useParams)(),l=d((0,r.useState)(!0),2),p=l[0],m=l[1],b=d((0,r.useState)(null),2),v=b[0],g=b[1],w=d((0,r.useState)(null),2),E=w[0],x=w[1],S=(0,r.useMemo)(function(){return c.uid?"main"===a.name?"idpOAuth/interaction/".concat(c.uid):"__app/".concat(a.name,"/idpOAuth/interaction/").concat(c.uid):null},[a.name,c.uid]),O=(0,r.useMemo)(function(){return c.uid?"/idp-oauth/interaction/".concat(c.uid):"/signin"},[c.uid]),j=(0,r.useCallback)(function(e,t){return s(function(){var r,n,o,a,c;return y(this,function(l){switch(l.label){case 0:if(!S)return g("Invalid interaction path"),m(!1),[2];return n=i.auth.getToken(),o=i.auth.getAuthenticator()||"basic",[4,i.request({url:S,method:e,skipNotify:!0,withCredentials:!0,data:"post"===e?t:void 0,headers:n?{Authorization:"Bearer ".concat(n),"X-Authenticator":o}:void 0})];case 1:if(null==(c=(null==(a=l.sent())||null==(r=a.data)?void 0:r.data)||(null==a?void 0:a.data))?void 0:c.redirectTo)return window.location.replace(c.redirectTo),[2];if((null==c?void 0:c.prompt)!=="login")return[3,4];if(!n)return u("/signin?redirect=".concat(encodeURIComponent(O)),{replace:!0}),[2];if("get"!==e)return[3,3];return[4,j("post")];case 2:return l.sent(),[2];case 3:return u("/signin?redirect=".concat(encodeURIComponent(O)),{replace:!0}),[2];case 4:return x(c),m(!1),[2]}})})()},[i,O,S,u]),A=(0,r.useCallback)(function(){var e=arguments.length>0&&void 0!==arguments[0]&&arguments[0];return s(function(){return y(this,function(t){switch(t.label){case 0:m(!0),g(null),t.label=1;case 1:return t.trys.push([1,3,,4]),[4,j("post",e?{cancel:1}:{submit:1})];case 2:return t.sent(),[3,4];case 3:return g(h(t.sent(),"Failed to submit interaction")),m(!1),[3,4];case 4:return[2]}})})()},[j]);return((0,r.useEffect)(function(){var e=!1;return s(function(){var t;return y(this,function(r){switch(r.label){case 0:return r.trys.push([0,2,,3]),[4,j("get")];case 1:return r.sent(),[3,3];case 2:return t=r.sent(),e||(g(h(t,"Failed to load interaction")),m(!1)),[3,3];case 3:return[2]}})})(),function(){e=!0}},[j]),(0,r.useEffect)(function(){if((null==E?void 0:E.prompt)==="consent"&&!p){var e=function(e){if(!e.defaultPrevented){var t=e.target;if(null==t||!t.closest('input, textarea, select, [contenteditable="true"]')){if("Enter"===e.key&&!e.shiftKey&&!e.ctrlKey&&!e.metaKey&&!e.altKey){var r=document.activeElement;if(f(r,HTMLButtonElement)||f(r,HTMLAnchorElement))return;e.preventDefault(),A(!1);return}"Escape"===e.key&&(e.preventDefault(),A(!0))}}};return window.addEventListener("keydown",e),function(){return window.removeEventListener("keydown",e)}}},[null==E?void 0:E.prompt,p,A]),p)?n().createElement("div",{style:{display:"flex",justifyContent:"center",padding:48}},n().createElement(t.Spin,{size:"large"})):v?n().createElement("div",{style:{maxWidth:640,margin:"48px auto",padding:"0 24px"}},n().createElement(t.Alert,{type:"error",message:v,showIcon:!0})):(null==E?void 0:E.prompt)==="consent"?n().createElement("div",{style:{maxWidth:640,margin:"48px auto",padding:"0 24px"}},n().createElement(t.Card,null,n().createElement(t.Space,{direction:"vertical",size:"large",style:{width:"100%"}},n().createElement("div",null,n().createElement(t.Typography.Title,{level:3,style:{marginBottom:8}},"Authorize application"),n().createElement(t.Typography.Paragraph,{style:{marginBottom:0}},E.clientName||"Application"," requests access to your account.")),E.details?n().createElement(t.Alert,{type:"info",showIcon:!0,message:"Requested permissions",description:E.details}):null,n().createElement(t.Space,null,n().createElement(t.Button,{type:"primary",loading:p,onClick:function(){return A(!1)}},"Continue"),n().createElement(t.Button,{loading:p,onClick:function(){return A(!0)}},"Cancel"))))):n().createElement("div",{style:{maxWidth:640,margin:"48px auto",padding:"0 24px"}},n().createElement(t.Result,{title:"Redirecting...",subTitle:"Please wait while authorization continues."}))},b={};function v(e,t,r,n,o,i,a){try{var u=e[i](a),c=u.value}catch(e){r(e);return}u.done?t(c):Promise.resolve(c).then(n,o)}function g(e,t,r){return(g=S()?Reflect.construct:function(e,t,r){var n=[null];n.push.apply(n,t);var o=new(Function.bind.apply(e,n));return r&&E(o,r.prototype),o}).apply(null,arguments)}function w(e){return(w=Object.setPrototypeOf?Object.getPrototypeOf:function(e){return e.__proto__||Object.getPrototypeOf(e)})(e)}function E(e,t){return(E=Object.setPrototypeOf||function(e,t){return e.__proto__=t,e})(e,t)}function x(e){var t="function"==typeof Map?new Map:void 0;return(x=function(e){if(null===e||-1===Function.toString.call(e).indexOf("[native code]"))return e;if("function"!=typeof e)throw TypeError("Super expression must either be null or a function");if(void 0!==t){if(t.has(e))return t.get(e);t.set(e,r)}function r(){return g(e,arguments,w(this).constructor)}return r.prototype=Object.create(e.prototype,{constructor:{value:r,enumerable:!1,writable:!0,configurable:!0}}),E(r,e)})(e)}function S(){try{var e=!Boolean.prototype.valueOf.call(Reflect.construct(Boolean,[],function(){}))}catch(e){}return(S=function(){return!!e})()}var O=function(e){var t;if("function"!=typeof e&&null!==e)throw TypeError("Super expression must either be null or a function");function r(){var e,t;if(!(this instanceof r))throw TypeError("Cannot call a class as a function");return e=r,t=arguments,e=w(e),function(e,t){var r;if(t&&("object"==((r=t)&&"u">typeof Symbol&&r.constructor===Symbol?"symbol":typeof r)||"function"==typeof t))return t;if(void 0===e)throw ReferenceError("this hasn't been initialised - super() hasn't been called");return e}(this,S()?Reflect.construct(e,t||[],w(this).constructor):e.apply(this,t))}return r.prototype=Object.create(e&&e.prototype,{constructor:{value:r,writable:!0,configurable:!0}}),e&&E(r,e),t=[{key:"load",value:function(){var e;return(e=function(){return function(e,t){var r,n,o,i={label:0,sent:function(){if(1&o[0])throw o[1];return o[1]},trys:[],ops:[]},a=Object.create(("function"==typeof Iterator?Iterator:Object).prototype),u=Object.defineProperty;return u(a,"next",{value:c(0)}),u(a,"throw",{value:c(1)}),u(a,"return",{value:c(2)}),"function"==typeof Symbol&&u(a,Symbol.iterator,{value:function(){return this}}),a;function c(u){return function(c){var l=[u,c];if(r)throw TypeError("Generator is already executing.");for(;a&&(a=0,l[0]&&(i=0)),i;)try{if(r=1,n&&(o=2&l[0]?n.return:l[0]?n.throw||((o=n.return)&&o.call(n),0):n.next)&&!(o=o.call(n,l[1])).done)return o;switch(n=0,o&&(l=[2&l[0],o.value]),l[0]){case 0:case 1:o=l;break;case 4:return i.label++,{value:l[1],done:!1};case 5:i.label++,n=l[1],l=[0];continue;case 7:l=i.ops.pop(),i.trys.pop();continue;default:if(!(o=(o=i.trys).length>0&&o[o.length-1])&&(6===l[0]||2===l[0])){i=0;continue}if(3===l[0]&&(!o||l[1]>o[0]&&l[1]<o[3])){i.label=l[1];break}if(6===l[0]&&i.label<o[1]){i.label=o[1],o=l;break}if(o&&i.label<o[2]){i.label=o[2],i.ops.push(l);break}o[2]&&i.ops.pop(),i.trys.pop();continue}l=t.call(e,i)}catch(e){l=[6,e],n=0}finally{r=o=0}if(5&l[0])throw l[1];return{value:l[0]?l[1]:void 0,done:!0}}}}(this,function(e){return this.flowEngine.registerModels(b),this.router.add("idp-oauth.interaction",{path:"/idp-oauth/interaction/:uid",Component:m,skipAuthCheck:!0}),this.router.add("idp-oauth.error",{path:"/idp-oauth/error",Component:u,skipAuthCheck:!0}),[2]})},function(){var t=this,r=arguments;return new Promise(function(n,o){var i=e.apply(t,r);function a(e){v(i,n,o,a,u,"next",e)}function u(e){v(i,n,o,a,u,"throw",e)}a(void 0)})}).call(this)}}],function(e,t){for(var r=0;r<t.length;r++){var n=t[r];n.enumerable=n.enumerable||!1,n.configurable=!0,"value"in n&&(n.writable=!0),Object.defineProperty(e,n.key,n)}}(r.prototype,t),r}(x(e.Plugin))}(),p}()});
+!function(e,t){"object"==typeof exports&&"object"==typeof module?module.exports=t(require("antd"),require("react"),require("@nocobase/client"),require("react-router-dom")):"function"==typeof define&&define.amd?define("@nocobase/plugin-idp-oauth",["antd","react","@nocobase/client","react-router-dom"],t):"object"==typeof exports?exports["@nocobase/plugin-idp-oauth"]=t(require("antd"),require("react"),require("@nocobase/client"),require("react-router-dom")):e["@nocobase/plugin-idp-oauth"]=t(e.antd,e.react,e["@nocobase/client"],e["react-router-dom"])}(self,function(e,t,r,n){return function(){"use strict";var o={342:function(e){e.exports=r},59:function(t){t.exports=e},155:function(e){e.exports=t},442:function(e){e.exports=n}},i={};function a(e){var t=i[e];if(void 0!==t)return t.exports;var r=i[e]={exports:{}};return o[e](r,r.exports,a),r.exports}a.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return a.d(t,{a:t}),t},a.d=function(e,t){for(var r in t)a.o(t,r)&&!a.o(e,r)&&Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},a.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||Function("return this")()}catch(e){if("object"==typeof window)return window}}(),a.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},a.r=function(e){"u">typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},a.g.importScripts&&(u=a.g.location+"");var u,c=a.g.document;if(!u&&c&&(c.currentScript&&"SCRIPT"===c.currentScript.tagName.toUpperCase()&&(u=c.currentScript.src),!u)){var l=c.getElementsByTagName("script");if(l.length)for(var s=l.length-1;s>-1&&(!u||!/^http(s?):/.test(u));)u=l[s--].src}if(!u)throw Error("Automatic publicPath is not supported in this browser");a.p=u.replace(/^blob:/,"").replace(/#.*$/,"").replace(/\?.*$/,"").replace(/\/[^\/]+$/,"/");var p={};return!function(){var e="",t="u">typeof document?document.currentScript:null;if(t&&t.src&&(e=t.src.replace(/^blob:/,"").replace(/#.*$/,"").replace(/\?.*$/,"").replace(/\/[^\/]+$/,"/")),!e){var r=window.__webpack_public_path__||"";r&&("/"!==r.charAt(r.length-1)&&(r+="/"),e=r+"static/plugins/@nocobase/plugin-idp-oauth/dist/client/")}if(!e){var n=window.__nocobase_modern_client_prefix__||"v",o="/"+(n=String(n).replace(/^\/+|\/+$/g,"")||"v")+"/";if(!(e=window.__nocobase_public_path__||"")&&window.location&&window.location.pathname){var i=window.location.pathname||"/",u=i.indexOf(o);e=u>=0?i.slice(0,u+1):"/"}e&&(e=e.replace(RegExp("/"+n+"/?$"),"/")),e||(e="/"),"/"!==e.charAt(e.length-1)&&(e+="/"),e+="static/plugins/@nocobase/plugin-idp-oauth/dist/client/"}a.p=e}(),!function(){a.r(p),a.d(p,{default:function(){return _}});var e=a(342),t=a(59),r=a(155),n=a.n(r),o=a(442);function i(e,t){(null==t||t>e.length)&&(t=e.length);for(var r=0,n=Array(t);r<t;r++)n[r]=e[r];return n}var u=function(){var e,r=(function(e){if(Array.isArray(e))return e}(e=(0,o.useSearchParams)())||function(e){var t,r,n=null==e?null:"u">typeof Symbol&&e[Symbol.iterator]||e["@@iterator"];if(null!=n){var o=[],i=!0,a=!1;try{for(n=n.call(e);!(i=(t=n.next()).done)&&(o.push(t.value),1!==o.length);i=!0);}catch(e){a=!0,r=e}finally{try{i||null==n.return||n.return()}finally{if(a)throw r}}return o}}(e)||function(e){if(e){if("string"==typeof e)return i(e,1);var t=Object.prototype.toString.call(e).slice(8,-1);if("Object"===t&&e.constructor&&(t=e.constructor.name),"Map"===t||"Set"===t)return Array.from(t);if("Arguments"===t||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t))return i(e,1)}}(e)||function(){throw TypeError("Invalid attempt to destructure non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}())[0],a=r.get("error"),u=r.get("error_description"),c=r.get("iss");return n().createElement("div",{style:{maxWidth:640,margin:"48px auto",padding:"0 24px"}},n().createElement(t.Result,{status:"error",title:a||"Authentication failed",subTitle:u||void 0}),n().createElement(t.Space,{direction:"vertical",size:"middle",style:{width:"100%"}},c?n().createElement("div",null,n().createElement(t.Typography.Text,{type:"secondary"},"Issuer"),n().createElement("div",null,n().createElement(t.Typography.Text,{code:!0},c))):null))};function c(e,t){(null==t||t>e.length)&&(t=e.length);for(var r=0,n=Array(t);r<t;r++)n[r]=e[r];return n}function l(e,t,r,n,o,i,a){try{var u=e[i](a),c=u.value}catch(e){r(e);return}u.done?t(c):Promise.resolve(c).then(n,o)}function s(e){return function(){var t=this,r=arguments;return new Promise(function(n,o){var i=e.apply(t,r);function a(e){l(i,n,o,a,u,"next",e)}function u(e){l(i,n,o,a,u,"throw",e)}a(void 0)})}}function f(e,t){return null!=t&&"u">typeof Symbol&&t[Symbol.hasInstance]?!!t[Symbol.hasInstance](e):e instanceof t}function d(e,t){return function(e){if(Array.isArray(e))return e}(e)||function(e,t){var r,n,o=null==e?null:"u">typeof Symbol&&e[Symbol.iterator]||e["@@iterator"];if(null!=o){var i=[],a=!0,u=!1;try{for(o=o.call(e);!(a=(r=o.next()).done)&&(i.push(r.value),!t||i.length!==t);a=!0);}catch(e){u=!0,n=e}finally{try{a||null==o.return||o.return()}finally{if(u)throw n}}return i}}(e,t)||function(e,t){if(e){if("string"==typeof e)return c(e,t);var r=Object.prototype.toString.call(e).slice(8,-1);if("Object"===r&&e.constructor&&(r=e.constructor.name),"Map"===r||"Set"===r)return Array.from(r);if("Arguments"===r||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(r))return c(e,t)}}(e,t)||function(){throw TypeError("Invalid attempt to destructure non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}()}function y(e,t){var r,n,o,i={label:0,sent:function(){if(1&o[0])throw o[1];return o[1]},trys:[],ops:[]},a=Object.create(("function"==typeof Iterator?Iterator:Object).prototype),u=Object.defineProperty;return u(a,"next",{value:c(0)}),u(a,"throw",{value:c(1)}),u(a,"return",{value:c(2)}),"function"==typeof Symbol&&u(a,Symbol.iterator,{value:function(){return this}}),a;function c(u){return function(c){var l=[u,c];if(r)throw TypeError("Generator is already executing.");for(;a&&(a=0,l[0]&&(i=0)),i;)try{if(r=1,n&&(o=2&l[0]?n.return:l[0]?n.throw||((o=n.return)&&o.call(n),0):n.next)&&!(o=o.call(n,l[1])).done)return o;switch(n=0,o&&(l=[2&l[0],o.value]),l[0]){case 0:case 1:o=l;break;case 4:return i.label++,{value:l[1],done:!1};case 5:i.label++,n=l[1],l=[0];continue;case 7:l=i.ops.pop(),i.trys.pop();continue;default:if(!(o=(o=i.trys).length>0&&o[o.length-1])&&(6===l[0]||2===l[0])){i=0;continue}if(3===l[0]&&(!o||l[1]>o[0]&&l[1]<o[3])){i.label=l[1];break}if(6===l[0]&&i.label<o[1]){i.label=o[1],o=l;break}if(o&&i.label<o[2]){i.label=o[2],i.ops.push(l);break}o[2]&&i.ops.pop(),i.trys.pop();continue}l=t.call(e,i)}catch(e){l=[6,e],n=0}finally{r=o=0}if(5&l[0])throw l[1];return{value:l[0]?l[1]:void 0,done:!0}}}}function h(e,t){return f(e,Error)?e.message:t}var m=function(){var i=(0,e.useAPIClient)(),a=(0,e.useApp)(),u=(0,o.useNavigate)(),c=(0,o.useParams)(),l=d((0,r.useState)(!0),2),p=l[0],m=l[1],v=d((0,r.useState)(null),2),b=v[0],g=v[1],w=d((0,r.useState)(null),2),x=w[0],E=w[1],S=(0,r.useMemo)(function(){return c.uid?"main"===a.name?"idpOAuth/interaction/".concat(c.uid):"__app/".concat(a.name,"/idpOAuth/interaction/").concat(c.uid):null},[a.name,c.uid]),_=(0,r.useMemo)(function(){return c.uid?"/idp-oauth/interaction/".concat(c.uid):"/signin"},[c.uid]),O=(0,r.useCallback)(function(e,t){return s(function(){var r,n,o,a,c;return y(this,function(l){switch(l.label){case 0:if(!S)return g("Invalid interaction path"),m(!1),[2];return n=i.auth.getToken(),o=i.auth.getAuthenticator()||"basic",[4,i.request({url:S,method:e,skipNotify:!0,withCredentials:!0,data:"post"===e?t:void 0,headers:n?{Authorization:"Bearer ".concat(n),"X-Authenticator":o}:void 0})];case 1:if(null==(c=(null==(a=l.sent())||null==(r=a.data)?void 0:r.data)||(null==a?void 0:a.data))?void 0:c.redirectTo)return window.location.replace(c.redirectTo),[2];if((null==c?void 0:c.prompt)!=="login")return[3,4];if(!n)return u("/signin?redirect=".concat(encodeURIComponent(_)),{replace:!0}),[2];if("get"!==e)return[3,3];return[4,O("post")];case 2:return l.sent(),[2];case 3:return u("/signin?redirect=".concat(encodeURIComponent(_)),{replace:!0}),[2];case 4:return E(c),m(!1),[2]}})})()},[i,_,S,u]),j=(0,r.useCallback)(function(){var e=arguments.length>0&&void 0!==arguments[0]&&arguments[0];return s(function(){return y(this,function(t){switch(t.label){case 0:m(!0),g(null),t.label=1;case 1:return t.trys.push([1,3,,4]),[4,O("post",e?{cancel:1}:{submit:1})];case 2:return t.sent(),[3,4];case 3:return g(h(t.sent(),"Failed to submit interaction")),m(!1),[3,4];case 4:return[2]}})})()},[O]);return((0,r.useEffect)(function(){var e=!1;return s(function(){var t;return y(this,function(r){switch(r.label){case 0:return r.trys.push([0,2,,3]),[4,O("get")];case 1:return r.sent(),[3,3];case 2:return t=r.sent(),e||(g(h(t,"Failed to load interaction")),m(!1)),[3,3];case 3:return[2]}})})(),function(){e=!0}},[O]),(0,r.useEffect)(function(){if((null==x?void 0:x.prompt)==="consent"&&!p){var e=function(e){if(!e.defaultPrevented){var t=e.target;if(null==t||!t.closest('input, textarea, select, [contenteditable="true"]')){if("Enter"===e.key&&!e.shiftKey&&!e.ctrlKey&&!e.metaKey&&!e.altKey){var r=document.activeElement;if(f(r,HTMLButtonElement)||f(r,HTMLAnchorElement))return;e.preventDefault(),j(!1);return}"Escape"===e.key&&(e.preventDefault(),j(!0))}}};return window.addEventListener("keydown",e),function(){return window.removeEventListener("keydown",e)}}},[null==x?void 0:x.prompt,p,j]),p)?n().createElement("div",{style:{position:"fixed",inset:0,display:"flex",alignItems:"center",justifyContent:"center"}},n().createElement(t.Spin,{style:{fontSize:72}})):b?n().createElement("div",{style:{maxWidth:640,margin:"48px auto",padding:"0 24px"}},n().createElement(t.Alert,{type:"error",message:b,showIcon:!0})):(null==x?void 0:x.prompt)==="consent"?n().createElement("div",{style:{maxWidth:640,margin:"48px auto",padding:"0 24px"}},n().createElement(t.Card,null,n().createElement(t.Space,{direction:"vertical",size:"large",style:{width:"100%"}},n().createElement("div",null,n().createElement(t.Typography.Title,{level:3,style:{marginBottom:8}},"Authorize application"),n().createElement(t.Typography.Paragraph,{style:{marginBottom:0}},x.clientName||"Application"," requests access to your account.")),x.details?n().createElement(t.Alert,{type:"info",showIcon:!0,message:"Requested permissions",description:x.details}):null,n().createElement(t.Space,null,n().createElement(t.Button,{type:"primary",loading:p,onClick:function(){return j(!1)}},"Continue"),n().createElement(t.Button,{loading:p,onClick:function(){return j(!0)}},"Cancel"))))):n().createElement("div",{style:{maxWidth:640,margin:"48px auto",padding:"0 24px"}},n().createElement(t.Result,{title:"Redirecting...",subTitle:"Please wait while authorization continues."}))},v={};function b(e,t,r,n,o,i,a){try{var u=e[i](a),c=u.value}catch(e){r(e);return}u.done?t(c):Promise.resolve(c).then(n,o)}function g(e,t,r){return(g=S()?Reflect.construct:function(e,t,r){var n=[null];n.push.apply(n,t);var o=new(Function.bind.apply(e,n));return r&&x(o,r.prototype),o}).apply(null,arguments)}function w(e){return(w=Object.setPrototypeOf?Object.getPrototypeOf:function(e){return e.__proto__||Object.getPrototypeOf(e)})(e)}function x(e,t){return(x=Object.setPrototypeOf||function(e,t){return e.__proto__=t,e})(e,t)}function E(e){var t="function"==typeof Map?new Map:void 0;return(E=function(e){if(null===e||-1===Function.toString.call(e).indexOf("[native code]"))return e;if("function"!=typeof e)throw TypeError("Super expression must either be null or a function");if(void 0!==t){if(t.has(e))return t.get(e);t.set(e,r)}function r(){return g(e,arguments,w(this).constructor)}return r.prototype=Object.create(e.prototype,{constructor:{value:r,enumerable:!1,writable:!0,configurable:!0}}),x(r,e)})(e)}function S(){try{var e=!Boolean.prototype.valueOf.call(Reflect.construct(Boolean,[],function(){}))}catch(e){}return(S=function(){return!!e})()}var _=function(e){var t;if("function"!=typeof e&&null!==e)throw TypeError("Super expression must either be null or a function");function r(){var e,t;if(!(this instanceof r))throw TypeError("Cannot call a class as a function");return e=r,t=arguments,e=w(e),function(e,t){var r;if(t&&("object"==((r=t)&&"u">typeof Symbol&&r.constructor===Symbol?"symbol":typeof r)||"function"==typeof t))return t;if(void 0===e)throw ReferenceError("this hasn't been initialised - super() hasn't been called");return e}(this,S()?Reflect.construct(e,t||[],w(this).constructor):e.apply(this,t))}return r.prototype=Object.create(e&&e.prototype,{constructor:{value:r,writable:!0,configurable:!0}}),e&&x(r,e),t=[{key:"load",value:function(){var e;return(e=function(){var e;return function(e,t){var r,n,o,i={label:0,sent:function(){if(1&o[0])throw o[1];return o[1]},trys:[],ops:[]},a=Object.create(("function"==typeof Iterator?Iterator:Object).prototype),u=Object.defineProperty;return u(a,"next",{value:c(0)}),u(a,"throw",{value:c(1)}),u(a,"return",{value:c(2)}),"function"==typeof Symbol&&u(a,Symbol.iterator,{value:function(){return this}}),a;function c(u){return function(c){var l=[u,c];if(r)throw TypeError("Generator is already executing.");for(;a&&(a=0,l[0]&&(i=0)),i;)try{if(r=1,n&&(o=2&l[0]?n.return:l[0]?n.throw||((o=n.return)&&o.call(n),0):n.next)&&!(o=o.call(n,l[1])).done)return o;switch(n=0,o&&(l=[2&l[0],o.value]),l[0]){case 0:case 1:o=l;break;case 4:return i.label++,{value:l[1],done:!1};case 5:i.label++,n=l[1],l=[0];continue;case 7:l=i.ops.pop(),i.trys.pop();continue;default:if(!(o=(o=i.trys).length>0&&o[o.length-1])&&(6===l[0]||2===l[0])){i=0;continue}if(3===l[0]&&(!o||l[1]>o[0]&&l[1]<o[3])){i.label=l[1];break}if(6===l[0]&&i.label<o[1]){i.label=o[1],o=l;break}if(o&&i.label<o[2]){i.label=o[2],i.ops.push(l);break}o[2]&&i.ops.pop(),i.trys.pop();continue}l=t.call(e,i)}catch(e){l=[6,e],n=0}finally{r=o=0}if(5&l[0])throw l[1];return{value:l[0]?l[1]:void 0,done:!0}}}}(this,function(t){return e=this,e.flowEngine.registerModels(v),e.router.add("idp-oauth.interaction",{path:"/idp-oauth/interaction/:uid",Component:m,skipAuthCheck:!0}),e.router.add("idp-oauth.error",{path:"/idp-oauth/error",Component:u,skipAuthCheck:!0}),[2]})},function(){var t=this,r=arguments;return new Promise(function(n,o){var i=e.apply(t,r);function a(e){b(i,n,o,a,u,"next",e)}function u(e){b(i,n,o,a,u,"throw",e)}a(void 0)})}).call(this)}}],function(e,t){for(var r=0;r<t.length;r++){var n=t[r];n.enumerable=n.enumerable||!1,n.configurable=!0,"value"in n&&(n.writable=!0),Object.defineProperty(e,n.key,n)}}(r.prototype,t),r}(E(e.Plugin))}(),p}()});

package/dist/externalVersion.js

@@ -11,11 +11,11 @@ module.exports = {
   "antd": "5.24.2",
   "react": "18.2.0",
   "react-router-dom": "6.30.1",
-  "@nocobase/client": "2.1.0-alpha.40",
-  "@nocobase/flow-engine": "2.1.0-alpha.40",
-  "@nocobase/server": "2.1.0-alpha.40",
-  "@nocobase/cache": "2.1.0-alpha.40",
-  "@nocobase/plugin-auth": "2.1.0-alpha.40",
-  "@nocobase/utils": "2.1.0-alpha.40",
-  "@nocobase/database": "2.1.0-alpha.40"
+  "@nocobase/client": "2.1.0-alpha.46",
+  "@nocobase/flow-engine": "2.1.0-alpha.46",
+  "@nocobase/server": "2.1.0-alpha.46",
+  "@nocobase/cache": "2.1.0-alpha.46",
+  "@nocobase/plugin-auth": "2.1.0-alpha.46",
+  "@nocobase/utils": "2.1.0-alpha.46",
+  "@nocobase/database": "2.1.0-alpha.46"
 };

package/dist/node_modules/light-my-request/package.json

@@ -1 +1 @@
-{"name":"light-my-request","version":"6.6.0","description":"Fake HTTP injection library","main":"index.js","type":"commonjs","types":"types/index.d.ts","dependencies":{"cookie":"^1.0.1","process-warning":"^4.0.0","set-cookie-parser":"^2.6.0"},"devDependencies":{"@fastify/ajv-compiler":"^4.0.0","@fastify/pre-commit":"^2.1.0","@types/node":"^22.7.7","c8":"^10.1.2","end-of-stream":"^1.4.4","eslint":"^9.17.0","express":"^4.19.2","form-auto-content":"^3.2.1","form-data":"^4.0.0","formdata-node":"^6.0.3","multer":"^1.4.5-lts.1","neostandard":"^0.12.0","tinybench":"^3.0.0","tsd":"^0.31.0","undici":"^7.0.0"},"scripts":{"benchmark":"node benchmark/benchmark.js","coverage":"npm run unit -- --cov --coverage-report=html","lint":"eslint","lint:fix":"eslint --fix","test":"npm run lint && npm run test:unit && npm run test:typescript","test:typescript":"tsd","test:unit":"c8 --100 node --test"},"repository":{"type":"git","url":"git+https://github.com/fastify/light-my-request.git"},"keywords":["http","inject","fake","request","server"],"author":"Tomas Della Vedova - @delvedor (http://delved.org)","contributors":[{"name":"Matteo Collina","email":"hello@matteocollina.com"},{"name":"Manuel Spigolon","email":"behemoth89@gmail.com"},{"name":"Aras Abbasi","email":"aras.abbasi@gmail.com"},{"name":"Frazer Smith","email":"frazer.dev@icloud.com","url":"https://github.com/fdawgs"}],"license":"BSD-3-Clause","bugs":{"url":"https://github.com/fastify/light-my-request/issues"},"homepage":"https://github.com/fastify/light-my-request#readme","funding":[{"type":"github","url":"https://github.com/sponsors/fastify"},{"type":"opencollective","url":"https://opencollective.com/fastify"}],"_lastModified":"2026-05-21T22:22:19.867Z"}
+{"name":"light-my-request","version":"6.6.0","description":"Fake HTTP injection library","main":"index.js","type":"commonjs","types":"types/index.d.ts","dependencies":{"cookie":"^1.0.1","process-warning":"^4.0.0","set-cookie-parser":"^2.6.0"},"devDependencies":{"@fastify/ajv-compiler":"^4.0.0","@fastify/pre-commit":"^2.1.0","@types/node":"^22.7.7","c8":"^10.1.2","end-of-stream":"^1.4.4","eslint":"^9.17.0","express":"^4.19.2","form-auto-content":"^3.2.1","form-data":"^4.0.0","formdata-node":"^6.0.3","multer":"^1.4.5-lts.1","neostandard":"^0.12.0","tinybench":"^3.0.0","tsd":"^0.31.0","undici":"^7.0.0"},"scripts":{"benchmark":"node benchmark/benchmark.js","coverage":"npm run unit -- --cov --coverage-report=html","lint":"eslint","lint:fix":"eslint --fix","test":"npm run lint && npm run test:unit && npm run test:typescript","test:typescript":"tsd","test:unit":"c8 --100 node --test"},"repository":{"type":"git","url":"git+https://github.com/fastify/light-my-request.git"},"keywords":["http","inject","fake","request","server"],"author":"Tomas Della Vedova - @delvedor (http://delved.org)","contributors":[{"name":"Matteo Collina","email":"hello@matteocollina.com"},{"name":"Manuel Spigolon","email":"behemoth89@gmail.com"},{"name":"Aras Abbasi","email":"aras.abbasi@gmail.com"},{"name":"Frazer Smith","email":"frazer.dev@icloud.com","url":"https://github.com/fdawgs"}],"license":"BSD-3-Clause","bugs":{"url":"https://github.com/fastify/light-my-request/issues"},"homepage":"https://github.com/fastify/light-my-request#readme","funding":[{"type":"github","url":"https://github.com/sponsors/fastify"},{"type":"opencollective","url":"https://opencollective.com/fastify"}],"_lastModified":"2026-06-04T11:30:16.204Z"}

package/dist/node_modules/ms/package.json

@@ -1 +1 @@
-{"name":"ms","version":"2.1.3","description":"Tiny millisecond conversion utility","repository":"vercel/ms","main":"./index","files":["index.js"],"scripts":{"precommit":"lint-staged","lint":"eslint lib/* bin/*","test":"mocha tests.js"},"eslintConfig":{"extends":"eslint:recommended","env":{"node":true,"es6":true}},"lint-staged":{"*.js":["npm run lint","prettier --single-quote --write","git add"]},"license":"MIT","devDependencies":{"eslint":"4.18.2","expect.js":"0.3.1","husky":"0.14.3","lint-staged":"5.0.0","mocha":"4.0.1","prettier":"2.0.5"},"_lastModified":"2026-05-21T22:22:19.917Z"}
+{"name":"ms","version":"2.1.3","description":"Tiny millisecond conversion utility","repository":"vercel/ms","main":"./index","files":["index.js"],"scripts":{"precommit":"lint-staged","lint":"eslint lib/* bin/*","test":"mocha tests.js"},"eslintConfig":{"extends":"eslint:recommended","env":{"node":true,"es6":true}},"lint-staged":{"*.js":["npm run lint","prettier --single-quote --write","git add"]},"license":"MIT","devDependencies":{"eslint":"4.18.2","expect.js":"0.3.1","husky":"0.14.3","lint-staged":"5.0.0","mocha":"4.0.1","prettier":"2.0.5"},"_lastModified":"2026-06-04T11:30:16.257Z"}

package/dist/server/adapter.d.ts

@@ -0,0 +1,12 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import Application from '@nocobase/server';
+import type { IdpOauthService } from './service';
+import type { AdapterConstructor } from 'oidc-provider';
+export declare function createOidcAdapter(app: Application, service: IdpOauthService, collectionName?: string): AdapterConstructor;

package/dist/server/adapter.js

@@ -0,0 +1,73 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var adapter_exports = {};
+__export(adapter_exports, {
+  createOidcAdapter: () => createOidcAdapter
+});
+module.exports = __toCommonJS(adapter_exports);
+var import_db_adapter = require("./db-adapter");
+function createOidcAdapter(app, service, collectionName = "oidcStates") {
+  const DbAdapter = (0, import_db_adapter.createDbAdapter)(app, collectionName);
+  return class OidcAdapter {
+    constructor(model) {
+      this.model = model;
+      this.dbAdapter = new DbAdapter(model);
+    }
+    dbAdapter;
+    async find(id) {
+      if (this.model === "Client") {
+        const resolvedClient = await service.resolveClient(id);
+        if (resolvedClient) {
+          return resolvedClient;
+        }
+      }
+      return this.dbAdapter.find(id);
+    }
+    async findByUserCode(userCode) {
+      return this.dbAdapter.findByUserCode(userCode);
+    }
+    async findByUid(uid) {
+      return this.dbAdapter.findByUid(uid);
+    }
+    async upsert(id, payload, expiresIn) {
+      return this.dbAdapter.upsert(id, payload, expiresIn);
+    }
+    async consume(id) {
+      return this.dbAdapter.consume(id);
+    }
+    async destroy(id) {
+      return this.dbAdapter.destroy(id);
+    }
+    async revokeByGrantId(grantId) {
+      return this.dbAdapter.revokeByGrantId(grantId);
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createOidcAdapter
+});

package/dist/server/interaction.js

@@ -44,6 +44,12 @@ function getInteractionPromptDetails(details) {
   const missingResourceScopes = Object.entries(promptDetails.missingResourceScopes || {}).map(([resource, scopes]) => `${resource}: ${asStringArray(scopes).join(" ")}`).join("; ");
   return [missingScope, missingClaims, missingResourceScopes].filter(Boolean).join(" | ");
 }
+function shouldSkipConsent(clientId) {
+  return clientId.startsWith("app:");
+}
+function getClientId(details) {
+  return String(details.params.client_id || "");
+}
 async function getInteractionRedirect(ctx, provider, service, result, mergeWithLastSubmission) {
   const redirectTo = await provider.interactionResult(ctx.req, ctx.res, result, {
     mergeWithLastSubmission
@@ -63,6 +69,65 @@ async function completeLogin(ctx, provider, service, accountId) {
     false
   );
 }
+async function createConsentGrant(provider, details, accountId) {
+  const promptDetails = getPromptDetails(details);
+  const clientId = getClientId(details);
+  let grant;
+  if (details.grantId) {
+    grant = await provider.Grant.find(details.grantId);
+  } else {
+    grant = new provider.Grant({
+      accountId,
+      clientId
+    });
+  }
+  const missingOIDCScope = asStringArray(promptDetails.missingOIDCScope);
+  const requestedScope = typeof details.params.scope === "string" ? details.params.scope.split(/\s+/).filter(Boolean) : [];
+  const oidcScope = missingOIDCScope.length ? missingOIDCScope : requestedScope;
+  if (oidcScope.length) {
+    grant.addOIDCScope(oidcScope.join(" "));
+  }
+  const missingOIDCClaims = asStringArray(promptDetails.missingOIDCClaims);
+  if (missingOIDCClaims.length) {
+    grant.addOIDCClaims(missingOIDCClaims);
+  }
+  const missingResourceScopes = promptDetails.missingResourceScopes || {};
+  if (Object.keys(missingResourceScopes).length) {
+    for (const [indicator, scopes] of Object.entries(missingResourceScopes)) {
+      grant.addResourceScope(indicator, asStringArray(scopes).join(" "));
+    }
+  }
+  return grant.save();
+}
+async function completeTrustedAppLogin(ctx, provider, service, details, accountId) {
+  return getInteractionRedirect(
+    ctx,
+    provider,
+    service,
+    {
+      login: {
+        accountId
+      },
+      consent: {
+        grantId: await createConsentGrant(provider, details, accountId)
+      }
+    },
+    false
+  );
+}
+async function completeConsent(ctx, provider, service, details, accountId) {
+  return getInteractionRedirect(
+    ctx,
+    provider,
+    service,
+    {
+      consent: {
+        grantId: await createConsentGrant(provider, details, accountId)
+      }
+    },
+    true
+  );
+}
 async function handleInteractionGet(ctx, provider, user, service) {
   var _a;
   const details = await provider.interactionDetails(ctx.req, ctx.res);
@@ -74,14 +139,21 @@ async function handleInteractionGet(ctx, provider, user, service) {
       };
       return;
     }
+    const clientId = getClientId(details);
     ctx.body = {
-      redirectTo: await completeLogin(ctx, provider, service, String(interactionUser.id))
+      redirectTo: shouldSkipConsent(clientId) ? await completeTrustedAppLogin(ctx, provider, service, details, String(interactionUser.id)) : await completeLogin(ctx, provider, service, String(interactionUser.id))
     };
     return;
   }
   if (details.prompt.name === "consent") {
-    const clientId = String(details.params.client_id || "");
+    const clientId = getClientId(details);
     const client = await provider.Client.find(clientId);
+    if (interactionUser && shouldSkipConsent(clientId)) {
+      ctx.body = {
+        redirectTo: await completeConsent(ctx, provider, service, details, String(interactionUser.id))
+      };
+      return;
+    }
     ctx.body = {
       prompt: "consent",
       clientName: (client == null ? void 0 : client.clientName) || (client == null ? void 0 : client.clientId) || clientId,
@@ -123,43 +195,8 @@ async function handleInteractionPost(ctx, provider, user, service) {
     return;
   }
   if (details.prompt.name === "consent") {
-    const promptDetails = getPromptDetails(details);
-    const clientId = String(details.params.client_id || "");
-    let grant;
-    if (details.grantId) {
-      grant = await provider.Grant.find(details.grantId);
-    } else {
-      grant = new provider.Grant({
-        accountId: String(interactionUser.id),
-        clientId
-      });
-    }
-    const missingOIDCScope = asStringArray(promptDetails.missingOIDCScope);
-    if (missingOIDCScope.length) {
-      grant.addOIDCScope(missingOIDCScope.join(" "));
-    }
-    const missingOIDCClaims = asStringArray(promptDetails.missingOIDCClaims);
-    if (missingOIDCClaims.length) {
-      grant.addOIDCClaims(missingOIDCClaims);
-    }
-    const missingResourceScopes = promptDetails.missingResourceScopes || {};
-    if (Object.keys(missingResourceScopes).length) {
-      for (const [indicator, scopes] of Object.entries(missingResourceScopes)) {
-        grant.addResourceScope(indicator, asStringArray(scopes).join(" "));
-      }
-    }
     ctx.body = {
-      redirectTo: await getInteractionRedirect(
-        ctx,
-        provider,
-        service,
-        {
-          consent: {
-            grantId: await grant.save()
-          }
-        },
-        true
-      )
+      redirectTo: await completeConsent(ctx, provider, service, details, String(interactionUser.id))
     };
     return;
   }

package/dist/server/plugin.d.ts

@@ -10,6 +10,7 @@ import { Plugin } from '@nocobase/server';
 import { IdpOauthService } from './service';
 export declare class PluginIdpOauthServer extends Plugin {
     service: IdpOauthService;
+    constructor(...args: ConstructorParameters<typeof Plugin>);
     private registerDefaultApiResource;
     load(): Promise<void>;
     remove(): Promise<void>;

package/dist/server/plugin.js

@@ -38,6 +38,10 @@ var import_service = require("./service");
 var import_utils = require("./utils");
 class PluginIdpOauthServer extends import_server.Plugin {
   service;
+  constructor(...args) {
+    super(...args);
+    this.service = new import_service.IdpOauthService(this.app);
+  }
   registerDefaultApiResource() {
     this.service.registerResourceServer("api", {
       path: "/",
@@ -49,12 +53,16 @@ class PluginIdpOauthServer extends import_server.Plugin {
     });
   }
   async load() {
-    const bridgeTokenCache = await this.app.cacheManager.createCache({
-      name: "idp-oauth-token",
-      prefix: "idp-oauth:token",
-      store: "memory"
+    this.app.on("auth:signOut", async ({ ctx }) => {
+      var _a, _b;
+      try {
+        await this.service.destroyProviderSession(ctx);
+      } catch (error) {
+        (_b = (_a = ctx.logger) == null ? void 0 : _a.warn) == null ? void 0 : _b.call(_a, "failed to destroy idp-oauth provider session", {
+          error: error instanceof Error ? error.message : String(error)
+        });
+      }
     });
-    this.service = new import_service.IdpOauthService(this.app, bridgeTokenCache);
     this.registerDefaultApiResource();
     const paths = (0, import_paths.createIdpOauthPaths)();
     this.app.use(

package/dist/server/provider-dispatch.js

@@ -68,6 +68,15 @@ function assertRegistrationRedirectUris(ctx, pathname) {
     return true;
   }
   const body = getRequestBody(ctx);
+  const clientId = body == null ? void 0 : body.client_id;
+  if (typeof clientId === "string" && clientId.startsWith("app:")) {
+    ctx.status = 400;
+    ctx.body = {
+      error: "invalid_client_metadata",
+      error_description: "client_id prefix app: is reserved"
+    };
+    return false;
+  }
   const redirectUris = body == null ? void 0 : body.redirect_uris;
   if (!Array.isArray(redirectUris) || !redirectUris.length || !redirectUris.every((uri) => typeof uri === "string" && isLoopbackRedirectUri(uri))) {
     ctx.status = 400;
@@ -283,7 +292,10 @@ async function dispatchToProvider(ctx, provider, pathname, service) {
 }
 async function dispatchCurrentRequestToProvider(ctx, service, apiBasePath) {
   const provider = await service.ensureProviderForContext(ctx);
-  return dispatchToProvider(ctx, provider, (0, import_paths.getProviderInternalPath)(ctx.path, apiBasePath), service);
+  return service.runWithProviderContext(
+    ctx,
+    () => dispatchToProvider(ctx, provider, (0, import_paths.getProviderInternalPath)(ctx.path, apiBasePath), service)
+  );
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/server/service.d.ts

@@ -19,20 +19,27 @@ export type ResourceServerConfig = {
     accessTokenFormat?: TokenFormat;
     jwt?: ResourceServer['jwt'];
 };
-type ProviderContext = {
+export type ProviderContext = {
     appName: string;
     issuer: string;
     issuerPath: string;
     origin: string;
 };
+export type OidcClientMetadata = import('oidc-provider').ClientMetadata;
+export type OidcClientResolver = {
+    resolveClient(clientId: string, providerContext?: ProviderContext): Promise<OidcClientMetadata | null | undefined> | OidcClientMetadata | null | undefined;
+};
 export declare class IdpOauthService {
     private readonly app;
-    private readonly bridgeTokenCache;
+    private bridgeTokenCache?;
     private providers;
     private pendingProviders;
     private resourceServers;
     private resourceJwks;
-    constructor(app: Application, bridgeTokenCache: Cache);
+    private clientResolvers;
+    private providerContextStorage;
+    constructor(app: Application, bridgeTokenCache?: Cache);
+    private getBridgeTokenCache;
     getOrigin(ctx: any): string;
     private getApiBasePath;
     private getRequestPath;
@@ -43,8 +50,13 @@ export declare class IdpOauthService {
     getFrontendInteractionPath(appName: string, uid: string, issuerPath?: string): string;
     getFrontendErrorPath(appName: string, issuerPath?: string): string;
     getProviderContext(ctx: any): ProviderContext;
+    getCurrentProviderContext(): ProviderContext;
+    runWithProviderContext<T>(ctx: any, callback: () => T): T;
     registerResourceServer(name: string, config: ResourceServerConfig): void;
     unregisterResourceServer(name: string): void;
+    registerClientResolver(name: string, resolver: OidcClientResolver): void;
+    unregisterClientResolver(name: string): void;
+    resolveClient(clientId: string): Promise<import("oidc-provider").ClientMetadata>;
     getSupportedScopes(): string[];
     private resolveResourceIdentifier;
     private getResourceServerInfo;
@@ -59,6 +71,7 @@ export declare class IdpOauthService {
     private getBridgeTokenCacheKey;
     private findUserById;
     resolveInteractionSessionUser(accountId?: string | number): Promise<any>;
+    destroyProviderSession(ctx: any): Promise<void>;
     resolveInteractionBridgeUser(ctx: any): Promise<any>;
     authenticateResourceRequest(ctx: any): Promise<any>;
     private getPublicErrorLocation;

package/dist/server/service.js

@@ -43,11 +43,12 @@ var import_plugin_auth = require("@nocobase/plugin-auth");
 var import_server = require("@nocobase/server");
 var import_node_fs = __toESM(require("node:fs"));
 var import_light_my_request = __toESM(require("light-my-request"));
+var import_node_async_hooks = require("node:async_hooks");
 var import_node_crypto = require("node:crypto");
 var import_node_path = __toESM(require("node:path"));
 var import_utils = require("@nocobase/utils");
 var import_ms = __toESM(require("ms"));
-var import_db_adapter = require("./db-adapter");
+var import_adapter = require("./adapter");
 var import_utils2 = require("./utils");
 let oidcModulePromise = null;
 let joseModulePromise = null;
@@ -66,8 +67,8 @@ function getJoseModule() {
 const defaultSupportedScopes = ["openid", "offline_access", "profile", "email"];
 const envJwksKeys = ["IDP_OAUTH_JWKS", "OAUTH_JWKS"];
 const MAX_CACHE_TTL_MS = 2147483647;
-const DEFAULT_ACCESS_TOKEN_TTL_SECONDS = Math.floor((0, import_ms.default)(import_plugin_auth.defaultTokenPolicyConfig.tokenExpirationTime) / 1e3);
-const DEFAULT_SESSION_TTL_SECONDS = Math.floor((0, import_ms.default)(import_plugin_auth.defaultTokenPolicyConfig.sessionExpirationTime) / 1e3);
+const DEFAULT_ACCESS_TOKEN_TTL_SECONDS = Math.floor((0, import_ms.default)(String(import_plugin_auth.defaultTokenPolicyConfig.tokenExpirationTime)) / 1e3);
+const DEFAULT_SESSION_TTL_SECONDS = Math.floor((0, import_ms.default)(String(import_plugin_auth.defaultTokenPolicyConfig.sessionExpirationTime)) / 1e3);
 function policyMillisecondsToSeconds(value, fallback) {
   if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
     return fallback;
@@ -83,6 +84,18 @@ class IdpOauthService {
   pendingProviders = /* @__PURE__ */ new Map();
   resourceServers = /* @__PURE__ */ new Map();
   resourceJwks = /* @__PURE__ */ new Map();
+  clientResolvers = /* @__PURE__ */ new Map();
+  providerContextStorage = new import_node_async_hooks.AsyncLocalStorage();
+  async getBridgeTokenCache() {
+    if (!this.bridgeTokenCache) {
+      this.bridgeTokenCache = await this.app.cacheManager.createCache({
+        name: "idp-oauth-token",
+        prefix: "idp-oauth:token",
+        store: "memory"
+      });
+    }
+    return this.bridgeTokenCache;
+  }
   getOrigin(ctx) {
     var _a, _b;
     const protocol = ((_a = ctx.headers) == null ? void 0 : _a["x-forwarded-proto"]) || ctx.protocol || "http";
@@ -165,12 +178,34 @@ class IdpOauthService {
       origin
     };
   }
+  getCurrentProviderContext() {
+    return this.providerContextStorage.getStore();
+  }
+  runWithProviderContext(ctx, callback) {
+    return this.providerContextStorage.run(this.getProviderContext(ctx), callback);
+  }
   registerResourceServer(name, config) {
     this.resourceServers.set(name, config);
   }
   unregisterResourceServer(name) {
     this.resourceServers.delete(name);
   }
+  registerClientResolver(name, resolver) {
+    this.clientResolvers.set(name, resolver);
+  }
+  unregisterClientResolver(name) {
+    this.clientResolvers.delete(name);
+  }
+  async resolveClient(clientId) {
+    const providerContext = this.getCurrentProviderContext();
+    for (const resolver of this.clientResolvers.values()) {
+      const client = await resolver.resolveClient(clientId, providerContext);
+      if (client) {
+        return client;
+      }
+    }
+    return void 0;
+  }
   getSupportedScopes() {
     const supportedScopes = new Set(defaultSupportedScopes);
     for (const config of this.resourceServers.values()) {
@@ -343,6 +378,19 @@ class IdpOauthService {
     }
     return this.findUserById(accountId);
   }
+  async destroyProviderSession(ctx) {
+    var _a, _b, _c;
+    const provider = await this.ensureProviderForContext(ctx);
+    const session = await provider.Session.get(ctx);
+    if (session && !session.new) {
+      await session.destroy();
+    }
+    (_c = (_a = ctx.cookies) == null ? void 0 : _a.set) == null ? void 0 : _c.call(_a, provider.cookieName("session"), null, {
+      httpOnly: true,
+      sameSite: "lax",
+      secure: (((_b = ctx.headers) == null ? void 0 : _b["x-forwarded-proto"]) || ctx.protocol) === "https"
+    });
+  }
   async resolveInteractionBridgeUser(ctx) {
     var _a, _b, _c, _d, _e, _f;
     const token = (_a = ctx.getBearerToken) == null ? void 0 : _a.call(ctx);
@@ -464,10 +512,11 @@ class IdpOauthService {
       token,
       typeof payload.jti === "string" ? payload.jti : void 0
     );
-    const cachedInternalToken = await this.bridgeTokenCache.get(bridgeTokenCacheKey);
+    const bridgeTokenCache = await this.getBridgeTokenCache();
+    const cachedInternalToken = await bridgeTokenCache.get(bridgeTokenCacheKey);
     const internalToken = cachedInternalToken || await this.issueInternalToken(user.id, oauthExpiresInMs);
     if (!cachedInternalToken && typeof oauthExpiresInMs === "number" && oauthExpiresInMs > 0) {
-      await this.bridgeTokenCache.set(bridgeTokenCacheKey, internalToken, Math.min(oauthExpiresInMs, MAX_CACHE_TTL_MS));
+      await bridgeTokenCache.set(bridgeTokenCacheKey, internalToken, Math.min(oauthExpiresInMs, MAX_CACHE_TTL_MS));
     }
     const authorizationHeader = `Bearer ${internalToken}`;
     ctx.req.headers.authorization = authorizationHeader;
@@ -505,7 +554,7 @@ class IdpOauthService {
     );
     const sessionTtl = policyMillisecondsToSeconds(tokenPolicy == null ? void 0 : tokenPolicy.sessionExpirationTime, DEFAULT_SESSION_TTL_SECONDS);
     return {
-      adapter: (0, import_db_adapter.createDbAdapter)(this.app, "oidcStates"),
+      adapter: (0, import_adapter.createOidcAdapter)(this.app, this, "oidcStates"),
       clients: [],
       scopes: this.getSupportedScopes(),
       jwks,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nocobase/plugin-idp-oauth",
-  "version": "2.1.0-alpha.40",
+  "version": "2.1.0-alpha.46",
   "main": "dist/server/index.js",
   "displayName": "IdP: OAuth",
   "displayName.zh-CN": "IdP: OAuth",
@@ -22,5 +22,5 @@
   "keywords": [
     "Authentication"
   ],
-  "gitHead": "e73f99dd0abefe847f2e50ff0fea1f41a82fd048"
+  "gitHead": "42b269944cdd1908d7a848c0af4936fe94c03bb7"
 }