2025-10-23 10:53:14 +00:00
12 changed files with 64 additions and 209 deletions
--- a/README.md
+++ b/README.md
@ -1,5 +1,4 @@
 # Classworks KV
 [Classworks](https://cs.houlangs.com)用于班级大屏的作业板小工具
@ -21,31 +20,3 @@ This project is licensed under the **GNU AGPL v3.0**.
 Copyright (C) 2025 **Sunwuyuan** (<https://wuyuan.dev>)
 See [LICENSE](./LICENSE) for details.
 ## 配置（OAuth / JWT）
 在根目录创建或编辑 `.env`：
 - 基础地址（用于回调）：
  - `BASE_URL`: `http://localhost:3030`
  - `FRONTEND_URL`: `http://localhost:5173`
 - STCN（Casdoor）OIDC：
  - `STCN_CLIENT_ID`: `53e65cfd81232e729730`
  - `STCN_CLIENT_SECRET`: `e1b1277f8906e5df162b1d2f2eb3692182dd2920`
  - 回调地址：`${BASE_URL}/accounts/oauth/stcn/callback`
 - 其他可选提供者：GitHub、ZeroCat、厚浪云（Logto）
 - JWT：
  - 默认 HS256（提供 `JWT_SECRET`）
  - 如需 RS256，请设置：
    - `JWT_ALG=RS256`
    - `JWT_PRIVATE_KEY`（PEM，\n 转义）
    - `JWT_PUBLIC_KEY`（PEM，\n 转义）
    - `JWT_EXPIRES_IN=7d`
 完成后启动服务并访问：
 - GET /accounts/oauth/providers 列出可用登录方式
 - 浏览器打开 /accounts/oauth/stcn 发起 STCN 登录
--- a/config/oauth.js
+++ b/config/oauth.js
@ -7,13 +7,10 @@ export const oauthProviders = {
    tokenURL: "https://github.com/login/oauth/access_token",
    userInfoURL: "https://api.github.com/user",
    scope: "read:user user:email",
    // 展示相关
    name: "GitHub",
    displayName: "GitHub",
    icon: "github",
    color: "#24292e",
    description: "使用 GitHub 账号登录",
    website: "https://github.com",
  },
  zerocat: {
    clientId: process.env.ZEROCAT_CLIENT_ID,
@ -22,49 +19,23 @@ export const oauthProviders = {
    tokenURL: "https://zerocat-api.houlangs.com/oauth/token",
    userInfoURL: "https://zerocat-api.houlangs.com/oauth/userinfo",
    scope: "user:basic user:email",
    // 展示相关
    name: "ZeroCat",
    displayName: "ZeroCat",
    icon: "zerocat",
-    color: "#415f91",
+    color: "#6366f1",
    description: "使用 ZeroCat 账号登录",
    website: "https://zerocat.dev",
  },
  stcn: {
    // STCN（Casdoor）- 标准 OIDC Provider
    clientId: process.env.STCN_CLIENT_ID,
    clientSecret: process.env.STCN_CLIENT_SECRET,
    // Casdoor 标准端点
    authorizationURL: "https://auth.smart-teach.cn/login/oauth/authorize",
    tokenURL: "https://auth.smart-teach.cn/api/login/oauth/access_token",
    userInfoURL: "https://auth.smart-teach.cn/api/userinfo",
    scope: "openid profile email offline_access",
    // 展示相关
    name: "stcn",
    displayName: "智教联盟账户",
    icon: "casdoor",
    color: "#1068af",
    description: "使用智教联盟账户登录",
    website: "https://auth.smart-teach.cn",
    tokenRequestFormat: "json", // Casdoor 推荐 JSON 提交
  },
  hly: {
    // 厚浪云（Logto） - OIDC Provider
    clientId: process.env.HLY_CLIENT_ID,
-    clientSecret: process.env.HLY_CLIENT_SECRET,
+    clientSecret: process.env.HLY_CLIENT_SECRET, // 可选：若使用PKCE且应用为Public，可不配置
    authorizationURL: "https://oauth.houlang.cloud/oidc/auth",
    tokenURL: "https://oauth.houlang.cloud/oidc/token",
    userInfoURL: "https://oauth.houlang.cloud/oidc/me",
    scope: "openid profile email offline_access",
    // 展示相关
    name: "厚浪云",
    displayName: "厚浪云",
    icon: "logto",
-    color: "#2d53f8",
+    color: "#0ea5e9",
    textColor: "#ffffff",
    order: 40,
    description: "使用厚浪云账号登录",
    website: "https://houlang.cloud",
    pkce: true, // 启用PKCE支持
  },
 };
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "ClassworksKV",
-  "version": "1.1.1",
+  "version": "1.0.9",
  "private": true,
  "scripts": {
    "start": "node ./bin/www",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -1213,11 +1213,13 @@ packages:
  '@types/node@22.15.17':
    resolution: {integrity: sha512-wIX2aSZL5FE+MR0JlvF87BNVrtFWf6AE6rxSE9X7OwnVvoyCQjpzSRJ+M87se/4QCkCiebQAqrJ0y6fwIyi7nw==}
-  '@types/node@24.4.0':
+<<<<<<< HEAD
    resolution: {integrity: sha512-gUuVEAK4/u6F9wRLznPUU4WGUacSEBDPoC2TrBkw3GAnOLHBL45QdfHOXp1kJ4ypBGLxTOB+t7NJLpKoC3gznQ==}
  '@types/node@24.6.1':
    resolution: {integrity: sha512-ljvjjs3DNXummeIaooB4cLBKg2U6SPI6Hjra/9rRIy7CpM0HpLtG9HptkMKAb4HYWy5S7HUvJEuWgr/y0U8SHw==}
 =======
  '@types/node@24.4.0':
    resolution: {integrity: sha512-gUuVEAK4/u6F9wRLznPUU4WGUacSEBDPoC2TrBkw3GAnOLHBL45QdfHOXp1kJ4ypBGLxTOB+t7NJLpKoC3gznQ==}
 >>>>>>> 12bded7e3d9aaf1a6f9f74126dec551d84efcd8f
  '@types/oracledb@6.5.2':
    resolution: {integrity: sha512-kK1eBS/Adeyis+3OlBDMeQQuasIDLUYXsi2T15ccNJ0iyUpQ4xDF7svFu3+bGVrI0CMBUclPciz+lsQR3JX3TQ==}
@ -2385,11 +2387,13 @@ packages:
  undici-types@6.21.0:
    resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
-  undici-types@7.11.0:
+<<<<<<< HEAD
    resolution: {integrity: sha512-kt1ZriHTi7MU+Z/r9DOdAI3ONdaR3M3csEaRc6ewa4f4dTvX4cQCbJ4NkEn0ohE4hHtq85+PhPSTY+pO/1PwgA==}
  undici-types@7.13.0:
    resolution: {integrity: sha512-Ov2Rr9Sx+fRgagJ5AX0qvItZG/JKKoBRAVITs1zk7IqZGTJUwgUr7qoYBpWwakpWilTZFM98rG/AFRocu10iIQ==}
 =======
  undici-types@7.11.0:
    resolution: {integrity: sha512-kt1ZriHTi7MU+Z/r9DOdAI3ONdaR3M3csEaRc6ewa4f4dTvX4cQCbJ4NkEn0ohE4hHtq85+PhPSTY+pO/1PwgA==}
 >>>>>>> 12bded7e3d9aaf1a6f9f74126dec551d84efcd8f
  unpipe@1.0.0:
    resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==}
@ -3706,14 +3710,16 @@ snapshots:
    dependencies:
      undici-types: 6.21.0
-  '@types/node@24.4.0':
+<<<<<<< HEAD
    dependencies:
      undici-types: 7.11.0
  '@types/node@24.6.1':
    dependencies:
      undici-types: 7.13.0
    optional: true
 =======
  '@types/node@24.4.0':
    dependencies:
      undici-types: 7.11.0
 >>>>>>> 12bded7e3d9aaf1a6f9f74126dec551d84efcd8f
  '@types/oracledb@6.5.2':
    dependencies:
@ -4976,10 +4982,12 @@ snapshots:
  undici-types@6.21.0: {}
-  undici-types@7.11.0: {}
+<<<<<<< HEAD
  undici-types@7.13.0:
    optional: true
 =======
  undici-types@7.11.0: {}
 >>>>>>> 12bded7e3d9aaf1a6f9f74126dec551d84efcd8f
  unpipe@1.0.0: {}
--- a/prisma/migrations/20251007040712_increase_account_refresh_token_length/migration.sql
+++ b/prisma/migrations/20251007040712_increase_account_refresh_token_length/migration.sql
@ -1,2 +0,0 @@
 -- AlterTable
 ALTER TABLE `Account` MODIFY `refreshToken` TEXT NULL;
--- a/prisma/migrations/20251007041015_update/migration.sql
+++ b/prisma/migrations/20251007041015_update/migration.sql
@ -1,5 +0,0 @@
 -- DropIndex
 DROP INDEX `Account_accessToken_key` ON `Account`;
 -- AlterTable
 ALTER TABLE `Account` MODIFY `accessToken` TEXT NOT NULL;
--- a/prisma/migrations/20251007104950_adjust_text_type/migration.sql
+++ b/prisma/migrations/20251007104950_adjust_text_type/migration.sql
@ -1 +0,0 @@
 -- This is an empty migration.
--- a/prisma/migrations/20251007121656_noneedrefresh_token/migration.sql
+++ b/prisma/migrations/20251007121656_noneedrefresh_token/migration.sql
@ -1,9 +0,0 @@
 /*
  Warnings:
  - You are about to drop the column `refreshToken` on the `Account` table. All the data in the column will be lost.
 */
 -- AlterTable
 ALTER TABLE `Account` DROP COLUMN `refreshToken`,
    MODIFY `accessToken` TEXT NULL;
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@ -29,7 +29,8 @@ model Account {
  name             String?  // 用户名称
  avatarUrl        String?  // 用户头像URL
  providerData     Json?    // OAuth提供者返回的完整信息
-  accessToken      String?   @db.Text // 账户访问令牌
+  accessToken      String   @unique // 账户访问令牌
  refreshToken     String?  // OAuth refresh token (如果提供者支持)
  createdAt        DateTime @default(now())
  updatedAt        DateTime @updatedAt
--- a/routes/accounts.js
+++ b/routes/accounts.js
@ -41,7 +41,7 @@ function generateAccessToken() {
 * GET /accounts/oauth/providers
 */
 router.get("/oauth/providers", (req, res) => {
-  let providers = [];
+  const providers = [];
  for (const [key, config] of Object.entries(oauthProviders)) {
    // 只返回已配置的提供者
@ -50,22 +50,14 @@ router.get("/oauth/providers", (req, res) => {
      providers.push({
        id: key,
        name: config.name,
        displayName: config.displayName || config.name,
        icon: config.icon,
-        color: config.color,               // 向后兼容
+        color: config.color,
        brandColor: config.brandColor || config.color,
        textColor: config.textColor || "#ffffff",
        description: config.description,
        order: typeof config.order === 'number' ? config.order : 9999,
        authUrl: `/accounts/oauth/${key}`, // 前端用于发起认证的URL
        website: config.website,
      });
    }
  }
  // 按 order 排序（从小到大）
  providers = providers.sort((a, b) => a.order - b.order);
  res.json({
    success: true,
    data: providers,
@ -187,42 +179,22 @@ router.get("/oauth/:provider/callback", async (req, res) => {
  try {
    // 1. 使用授权码换取访问令牌
-    let tokenResponse;
+    const tokenResponse = await fetch(providerConfig.tokenURL, {
-    if (providerConfig.tokenRequestFormat === 'json') {
+      method: "POST",
-      tokenResponse = await fetch(providerConfig.tokenURL, {
+      headers: {
-        method: "POST",
+        "Accept": "application/json",
-        headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
-          "Accept": "application/json",
+      },
-          "Content-Type": "application/json",
+      body: new URLSearchParams({
-        },
+        client_id: providerConfig.clientId,
-        body: JSON.stringify({
+        ...(providerConfig.clientSecret ? { client_secret: providerConfig.clientSecret } : {}),
-          client_id: providerConfig.clientId,
+        code: code,
-          ...(providerConfig.clientSecret ? { client_secret: providerConfig.clientSecret } : {}),
+        grant_type: "authorization_code",
-          code: code,
+        redirect_uri: getCallbackURL(provider),
-          grant_type: "authorization_code",
+        // PKCE: 携带code_verifier
-          redirect_uri: getCallbackURL(provider),
+        ...(stateData?.codeVerifier ? { code_verifier: stateData.codeVerifier } : {}),
-          // PKCE: 携带code_verifier
+      }),
-          ...(stateData?.codeVerifier ? { code_verifier: stateData.codeVerifier } : {}),
+    });
        }),
      });
    } else {
      tokenResponse = await fetch(providerConfig.tokenURL, {
        method: "POST",
        headers: {
          "Accept": "application/json",
          "Content-Type": "application/x-www-form-urlencoded",
        },
        body: new URLSearchParams({
          client_id: providerConfig.clientId,
          ...(providerConfig.clientSecret ? { client_secret: providerConfig.clientSecret } : {}),
          code: code,
          grant_type: "authorization_code",
          redirect_uri: getCallbackURL(provider),
          // PKCE: 携带code_verifier
          ...(stateData?.codeVerifier ? { code_verifier: stateData.codeVerifier } : {}),
        }),
      });
    }
    const tokenData = await tokenResponse.json();
@ -231,20 +203,12 @@ router.get("/oauth/:provider/callback", async (req, res) => {
    }
    // 2. 使用访问令牌获取用户信息
-    let userResponse;
+    const userResponse = await fetch(providerConfig.userInfoURL, {
-    // Casdoor 支持两种方式：Authorization Bearer 或 accessToken 查询参数
+      headers: {
-    if (provider === 'stcn') {
+        "Authorization": `Bearer ${tokenData.access_token}`,
-      const url = new URL(providerConfig.userInfoURL);
+        "Accept": "application/json",
-      url.searchParams.set('accessToken', tokenData.access_token);
+      },
-      userResponse = await fetch(url, { headers: { "Accept": "application/json" } });
+    });
    } else {
      userResponse = await fetch(providerConfig.userInfoURL, {
        headers: {
          "Authorization": `Bearer ${tokenData.access_token}`,
          "Accept": "application/json",
        },
      });
    }
    const userData = await userResponse.json();
@ -273,14 +237,6 @@ router.get("/oauth/:provider/callback", async (req, res) => {
        name: userData.name || userData.preferred_username || userData.nickname,
        avatarUrl: userData.picture,
      };
    } else if (provider === "stcn") {
      // STCN（Casdoor）标准OIDC用户信息
      normalizedUser = {
        providerId: userData.sub,
        email: userData.email_verified ? userData.email : userData.email || null,
        name: userData.name || userData.preferred_username || userData.nickname,
        avatarUrl: userData.picture,
      };
    }
    // 名称为空时，用邮箱@前部分回填（若邮箱可用）
@ -310,7 +266,7 @@ router.get("/oauth/:provider/callback", async (req, res) => {
          name: normalizedUser.name || account.name,
          avatarUrl: normalizedUser.avatarUrl || account.avatarUrl,
          providerData: userData,
-          //refreshToken: tokenData.refresh_token || account.refreshToken,
+          refreshToken: tokenData.refresh_token || account.refreshToken,
          updatedAt: new Date(),
        },
      });
@ -326,7 +282,7 @@ router.get("/oauth/:provider/callback", async (req, res) => {
          avatarUrl: normalizedUser.avatarUrl,
          providerData: userData,
          accessToken,
-          //refreshToken: tokenData.refresh_token,
+          refreshToken: tokenData.refresh_token,
        },
      });
    }
@ -339,12 +295,6 @@ router.get("/oauth/:provider/callback", async (req, res) => {
    const callbackUrl = new URL(frontendBaseUrl);
    callbackUrl.searchParams.append("token", jwtToken);
    callbackUrl.searchParams.append("provider", provider);
    // 附带展示信息，便于前端显示品牌与名称
    const pconf = oauthProviders[provider] || {};
    callbackUrl.searchParams.append("providerName", pconf.displayName || pconf.name || provider);
    if (pconf.brandColor || pconf.color) {
      callbackUrl.searchParams.append("providerColor", pconf.brandColor || pconf.color);
    }
    callbackUrl.searchParams.append("success", "true");
    res.redirect(callbackUrl.toString());
@ -388,27 +338,11 @@ router.get("/profile", jwtAuth, async (req, res, next) => {
      },
    });
    // 组装 provider 展示信息
    const pconf = (account?.provider && oauthProviders[account.provider]) || {};
    const providerInfo = {
      id: account?.provider || undefined,
      name: pconf.name,
      displayName: pconf.displayName || pconf.name || account?.provider,
      icon: pconf.icon,
      color: pconf.color, // 兼容字段
      brandColor: pconf.brandColor || pconf.color,
      textColor: pconf.textColor || "#ffffff",
      description: pconf.description,
      order: typeof pconf.order === 'number' ? pconf.order : undefined,
      website: pconf.website,
    };
    res.json({
      success: true,
      data: {
        id: account.id,
        provider: account.provider,
        providerInfo,
        email: account.email,
        name: account.name,
        avatarUrl: account.avatarUrl,
--- a/routes/device.js
+++ b/routes/device.js
@ -140,6 +140,7 @@ router.post(
  errors.catchAsync(async (req, res, next) => {
    const { uuid } = req.params;
    const newPassword = req.query.newPassword || req.body.newPassword;
    const passwordHint = req.query.passwordHint || req.body.passwordHint;
    if (!newPassword) {
      return next(errors.createError(400, "新密码是必需的"));
@ -165,6 +166,7 @@ router.post(
      where: { id: device.id },
      data: {
        password: hashedPassword,
        passwordHint: passwordHint || null,
      },
    });
--- a/utils/jwt.js
+++ b/utils/jwt.js
@ -1,48 +1,33 @@
 import jwt from 'jsonwebtoken';
-// JWT 配置（支持 HS256 与 RS256）
+// JWT密钥 - 生产环境应该从环境变量读取
 const JWT_ALG = (process.env.JWT_ALG || 'HS256').toUpperCase();
 const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d';
 // HS256 密钥
 const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key-change-this-in-production';
-
+const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d'; // 默认7天过期
 // RS256 密钥对（PEM 格式字符串）
 const JWT_PRIVATE_KEY = process.env.JWT_PRIVATE_KEY?.replace(/\\n/g, '\n');
 const JWT_PUBLIC_KEY = process.env.JWT_PUBLIC_KEY?.replace(/\\n/g, '\n');
 function getSignVerifyKeys() {
  if (JWT_ALG === 'RS256') {
    if (!JWT_PRIVATE_KEY || !JWT_PUBLIC_KEY) {
      throw new Error('RS256 需要同时提供 JWT_PRIVATE_KEY 与 JWT_PUBLIC_KEY');
    }
    return { signKey: JWT_PRIVATE_KEY, verifyKey: JWT_PUBLIC_KEY };
  }
  // 默认 HS256
  return { signKey: JWT_SECRET, verifyKey: JWT_SECRET };
 }
 /**
 * 签发JWT token
 * @param {Object} payload - 要编码的数据
 * @returns {string} JWT token
 */
 export function signToken(payload) {
-  const { signKey } = getSignVerifyKeys();
+  return jwt.sign(payload, JWT_SECRET, {
  return jwt.sign(payload, signKey, {
    expiresIn: JWT_EXPIRES_IN,
    algorithm: JWT_ALG,
  });
 }
 /**
 * 验证JWT token
 * @param {string} token - JWT token
 * @returns {Object} 解码后的payload
 */
 export function verifyToken(token) {
-  const { verifyKey } = getSignVerifyKeys();
+  return jwt.verify(token, JWT_SECRET);
  return jwt.verify(token, verifyKey, { algorithms: [JWT_ALG] });
 }
 /**
 * 为账户生成JWT token
 * @param {Object} account - 账户对象
 * @returns {string} JWT token
 */
 export function generateAccountToken(account) {
  return signToken({
		`@ -1,2 +0,0 @@`
			`-- AlterTable`
			ALTER TABLE `Account` MODIFY `refreshToken` TEXT NULL;