1
1
mirror of https://github.com/ZeroCatDev/ClassworksKV.git synced 2025-10-25 20:33:09 +00:00

Compare commits

..

11 Commits
v1.0.8 ... main

Author SHA1 Message Date
SunWuyuan
b20d8dab96
1.1.1 2025-10-07 20:17:22 +08:00
SunWuyuan
3c64226562
移除账户模型中的refreshToken字段,并将accessToken字段修改为可选 2025-10-07 20:17:11 +08:00
SunWuyuan
da77018509
1.1.0 2025-10-07 15:08:55 +08:00
SunWuyuan
f8f63d1ddd
添加OAuth提供者和用户资料中的网站字段 2025-10-07 15:08:16 +08:00
SunWuyuan
5435814cb6
1.0.10 2025-10-07 14:49:02 +08:00
SunWuyuan
d5fc9e2dae
修改登录服务商颜色、链接地址 2025-10-07 14:48:35 +08:00
SunWuyuan
6c05d71506
添加智教联盟登录 2025-10-07 14:46:53 +08:00
SunWuyuan
be1d8d1328
1.0.9 2025-10-06 16:45:21 +08:00
SunWuyuan
0576a02d6e
修复厚浪云的缩写 2025-10-06 16:45:15 +08:00
SunWuyuan
d83d748da0
添加厚浪云(Logto)作为OAuth提供者 2025-10-06 16:41:23 +08:00
SunWuyuan
6ab78af370
更新授权页面地址为环境变量FRONTEND_URL 2025-10-06 15:49:29 +08:00
14 changed files with 276 additions and 65 deletions

View File

@ -1,4 +1,5 @@
# Classworks KV # Classworks KV
[Classworks](https://cs.houlangs.com)用于班级大屏的作业板小工具 [Classworks](https://cs.houlangs.com)用于班级大屏的作业板小工具
@ -20,3 +21,31 @@ This project is licensed under the **GNU AGPL v3.0**.
Copyright (C) 2025 **Sunwuyuan** (<https://wuyuan.dev>) Copyright (C) 2025 **Sunwuyuan** (<https://wuyuan.dev>)
See [LICENSE](./LICENSE) for details. See [LICENSE](./LICENSE) for details.
## 配置OAuth / JWT
在根目录创建或编辑 `.env`
- 基础地址(用于回调):
- `BASE_URL`: `http://localhost:3030`
- `FRONTEND_URL`: `http://localhost:5173`
- STCNCasdoorOIDC
- `STCN_CLIENT_ID`: `53e65cfd81232e729730`
- `STCN_CLIENT_SECRET`: `e1b1277f8906e5df162b1d2f2eb3692182dd2920`
- 回调地址:`${BASE_URL}/accounts/oauth/stcn/callback`
- 其他可选提供者GitHub、ZeroCat、厚浪云Logto
- JWT
- 默认 HS256提供 `JWT_SECRET`
- 如需 RS256请设置
- `JWT_ALG=RS256`
- `JWT_PRIVATE_KEY`PEM\n 转义)
- `JWT_PUBLIC_KEY`PEM\n 转义)
- `JWT_EXPIRES_IN=7d`
完成后启动服务并访问:
- GET /accounts/oauth/providers 列出可用登录方式
- 浏览器打开 /accounts/oauth/stcn 发起 STCN 登录

View File

@ -24,7 +24,7 @@ const CONFIG = {
// 应用ID // 应用ID
appId: process.env.APP_ID || '1', appId: process.env.APP_ID || '1',
// 授权页面地址Classworks前端 // 授权页面地址Classworks前端
authPageUrl: process.env.AUTH_PAGE_URL || 'http://localhost:5173/authorize', authPageUrl: process.env.FRONTEND_URL,
// 本地回调服务器端口 // 本地回调服务器端口
callbackPort: process.env.CALLBACK_PORT || '8080', callbackPort: process.env.CALLBACK_PORT || '8080',
// 回调路径 // 回调路径

View File

@ -21,7 +21,7 @@ const CONFIG = {
// 应用ID // 应用ID
appId: process.env.APP_ID || '1', appId: process.env.APP_ID || '1',
// 授权页面地址Classworks前端 // 授权页面地址Classworks前端
authPageUrl: process.env.AUTH_PAGE_URL || 'http://localhost:5173/authorize', authPageUrl: process.env.FRONTEND_URL,
// 轮询间隔(秒) // 轮询间隔(秒)
pollInterval: 3, pollInterval: 3,
// 最大轮询次数 // 最大轮询次数

View File

@ -7,10 +7,13 @@ export const oauthProviders = {
tokenURL: "https://github.com/login/oauth/access_token", tokenURL: "https://github.com/login/oauth/access_token",
userInfoURL: "https://api.github.com/user", userInfoURL: "https://api.github.com/user",
scope: "read:user user:email", scope: "read:user user:email",
// 展示相关
name: "GitHub", name: "GitHub",
displayName: "GitHub",
icon: "github", icon: "github",
color: "#24292e", color: "#24292e",
description: "使用 GitHub 账号登录", description: "使用 GitHub 账号登录",
website: "https://github.com",
}, },
zerocat: { zerocat: {
clientId: process.env.ZEROCAT_CLIENT_ID, clientId: process.env.ZEROCAT_CLIENT_ID,
@ -19,10 +22,50 @@ export const oauthProviders = {
tokenURL: "https://zerocat-api.houlangs.com/oauth/token", tokenURL: "https://zerocat-api.houlangs.com/oauth/token",
userInfoURL: "https://zerocat-api.houlangs.com/oauth/userinfo", userInfoURL: "https://zerocat-api.houlangs.com/oauth/userinfo",
scope: "user:basic user:email", scope: "user:basic user:email",
// 展示相关
name: "ZeroCat", name: "ZeroCat",
displayName: "ZeroCat",
icon: "zerocat", icon: "zerocat",
color: "#6366f1", color: "#415f91",
description: "使用 ZeroCat 账号登录", description: "使用 ZeroCat 账号登录",
website: "https://zerocat.dev",
},
stcn: {
// STCNCasdoor- 标准 OIDC Provider
clientId: process.env.STCN_CLIENT_ID,
clientSecret: process.env.STCN_CLIENT_SECRET,
// Casdoor 标准端点
authorizationURL: "https://auth.smart-teach.cn/login/oauth/authorize",
tokenURL: "https://auth.smart-teach.cn/api/login/oauth/access_token",
userInfoURL: "https://auth.smart-teach.cn/api/userinfo",
scope: "openid profile email offline_access",
// 展示相关
name: "stcn",
displayName: "智教联盟账户",
icon: "casdoor",
color: "#1068af",
description: "使用智教联盟账户登录",
website: "https://auth.smart-teach.cn",
tokenRequestFormat: "json", // Casdoor 推荐 JSON 提交
},
hly: {
// 厚浪云Logto - OIDC Provider
clientId: process.env.HLY_CLIENT_ID,
clientSecret: process.env.HLY_CLIENT_SECRET,
authorizationURL: "https://oauth.houlang.cloud/oidc/auth",
tokenURL: "https://oauth.houlang.cloud/oidc/token",
userInfoURL: "https://oauth.houlang.cloud/oidc/me",
scope: "openid profile email offline_access",
// 展示相关
name: "厚浪云",
displayName: "厚浪云",
icon: "logto",
color: "#2d53f8",
textColor: "#ffffff",
order: 40,
description: "使用厚浪云账号登录",
website: "https://houlang.cloud",
pkce: true, // 启用PKCE支持
}, },
}; };

View File

@ -1,6 +1,6 @@
{ {
"name": "ClassworksKV", "name": "ClassworksKV",
"version": "1.0.8", "version": "1.1.1",
"private": true, "private": true,
"scripts": { "scripts": {
"start": "node ./bin/www", "start": "node ./bin/www",

32
pnpm-lock.yaml generated
View File

@ -1213,13 +1213,11 @@ packages:
'@types/node@22.15.17': '@types/node@22.15.17':
resolution: {integrity: sha512-wIX2aSZL5FE+MR0JlvF87BNVrtFWf6AE6rxSE9X7OwnVvoyCQjpzSRJ+M87se/4QCkCiebQAqrJ0y6fwIyi7nw==} resolution: {integrity: sha512-wIX2aSZL5FE+MR0JlvF87BNVrtFWf6AE6rxSE9X7OwnVvoyCQjpzSRJ+M87se/4QCkCiebQAqrJ0y6fwIyi7nw==}
<<<<<<< HEAD
'@types/node@24.6.1':
resolution: {integrity: sha512-ljvjjs3DNXummeIaooB4cLBKg2U6SPI6Hjra/9rRIy7CpM0HpLtG9HptkMKAb4HYWy5S7HUvJEuWgr/y0U8SHw==}
=======
'@types/node@24.4.0': '@types/node@24.4.0':
resolution: {integrity: sha512-gUuVEAK4/u6F9wRLznPUU4WGUacSEBDPoC2TrBkw3GAnOLHBL45QdfHOXp1kJ4ypBGLxTOB+t7NJLpKoC3gznQ==} resolution: {integrity: sha512-gUuVEAK4/u6F9wRLznPUU4WGUacSEBDPoC2TrBkw3GAnOLHBL45QdfHOXp1kJ4ypBGLxTOB+t7NJLpKoC3gznQ==}
>>>>>>> 12bded7e3d9aaf1a6f9f74126dec551d84efcd8f
'@types/node@24.6.1':
resolution: {integrity: sha512-ljvjjs3DNXummeIaooB4cLBKg2U6SPI6Hjra/9rRIy7CpM0HpLtG9HptkMKAb4HYWy5S7HUvJEuWgr/y0U8SHw==}
'@types/oracledb@6.5.2': '@types/oracledb@6.5.2':
resolution: {integrity: sha512-kK1eBS/Adeyis+3OlBDMeQQuasIDLUYXsi2T15ccNJ0iyUpQ4xDF7svFu3+bGVrI0CMBUclPciz+lsQR3JX3TQ==} resolution: {integrity: sha512-kK1eBS/Adeyis+3OlBDMeQQuasIDLUYXsi2T15ccNJ0iyUpQ4xDF7svFu3+bGVrI0CMBUclPciz+lsQR3JX3TQ==}
@ -2387,13 +2385,11 @@ packages:
undici-types@6.21.0: undici-types@6.21.0:
resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==} resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
<<<<<<< HEAD
undici-types@7.13.0:
resolution: {integrity: sha512-Ov2Rr9Sx+fRgagJ5AX0qvItZG/JKKoBRAVITs1zk7IqZGTJUwgUr7qoYBpWwakpWilTZFM98rG/AFRocu10iIQ==}
=======
undici-types@7.11.0: undici-types@7.11.0:
resolution: {integrity: sha512-kt1ZriHTi7MU+Z/r9DOdAI3ONdaR3M3csEaRc6ewa4f4dTvX4cQCbJ4NkEn0ohE4hHtq85+PhPSTY+pO/1PwgA==} resolution: {integrity: sha512-kt1ZriHTi7MU+Z/r9DOdAI3ONdaR3M3csEaRc6ewa4f4dTvX4cQCbJ4NkEn0ohE4hHtq85+PhPSTY+pO/1PwgA==}
>>>>>>> 12bded7e3d9aaf1a6f9f74126dec551d84efcd8f
undici-types@7.13.0:
resolution: {integrity: sha512-Ov2Rr9Sx+fRgagJ5AX0qvItZG/JKKoBRAVITs1zk7IqZGTJUwgUr7qoYBpWwakpWilTZFM98rG/AFRocu10iIQ==}
unpipe@1.0.0: unpipe@1.0.0:
resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==} resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==}
@ -3710,16 +3706,14 @@ snapshots:
dependencies: dependencies:
undici-types: 6.21.0 undici-types: 6.21.0
<<<<<<< HEAD '@types/node@24.4.0':
dependencies:
undici-types: 7.11.0
'@types/node@24.6.1': '@types/node@24.6.1':
dependencies: dependencies:
undici-types: 7.13.0 undici-types: 7.13.0
optional: true optional: true
=======
'@types/node@24.4.0':
dependencies:
undici-types: 7.11.0
>>>>>>> 12bded7e3d9aaf1a6f9f74126dec551d84efcd8f
'@types/oracledb@6.5.2': '@types/oracledb@6.5.2':
dependencies: dependencies:
@ -4982,12 +4976,10 @@ snapshots:
undici-types@6.21.0: {} undici-types@6.21.0: {}
<<<<<<< HEAD undici-types@7.11.0: {}
undici-types@7.13.0: undici-types@7.13.0:
optional: true optional: true
=======
undici-types@7.11.0: {}
>>>>>>> 12bded7e3d9aaf1a6f9f74126dec551d84efcd8f
unpipe@1.0.0: {} unpipe@1.0.0: {}

View File

@ -0,0 +1,2 @@
-- AlterTable
ALTER TABLE `Account` MODIFY `refreshToken` TEXT NULL;

View File

@ -0,0 +1,5 @@
-- DropIndex
DROP INDEX `Account_accessToken_key` ON `Account`;
-- AlterTable
ALTER TABLE `Account` MODIFY `accessToken` TEXT NOT NULL;

View File

@ -0,0 +1 @@
-- This is an empty migration.

View File

@ -0,0 +1,9 @@
/*
Warnings:
- You are about to drop the column `refreshToken` on the `Account` table. All the data in the column will be lost.
*/
-- AlterTable
ALTER TABLE `Account` DROP COLUMN `refreshToken`,
MODIFY `accessToken` TEXT NULL;

View File

@ -29,8 +29,7 @@ model Account {
name String? // 用户名称 name String? // 用户名称
avatarUrl String? // 用户头像URL avatarUrl String? // 用户头像URL
providerData Json? // OAuth提供者返回的完整信息 providerData Json? // OAuth提供者返回的完整信息
accessToken String @unique // 账户访问令牌 accessToken String? @db.Text // 账户访问令牌
refreshToken String? // OAuth refresh token (如果提供者支持)
createdAt DateTime @default(now()) createdAt DateTime @default(now())
updatedAt DateTime @updatedAt updatedAt DateTime @updatedAt

View File

@ -11,6 +11,24 @@ const prisma = new PrismaClient();
// 存储OAuth state防止CSRF攻击生产环境应使用Redis等 // 存储OAuth state防止CSRF攻击生产环境应使用Redis等
const oauthStates = new Map(); const oauthStates = new Map();
// 生成PKCE code_verifier 和 code_challenge
function generatePkcePair() {
const codeVerifier = crypto
.randomBytes(32)
.toString("base64")
.replace(/\+/g, "-")
.replace(/\//g, "_")
.replace(/=+$/, "");
const challenge = crypto
.createHash("sha256")
.update(codeVerifier)
.digest("base64")
.replace(/\+/g, "-")
.replace(/\//g, "_")
.replace(/=+$/, "");
return { codeVerifier, codeChallenge: challenge };
}
/** /**
* 生成安全的访问令牌 * 生成安全的访问令牌
*/ */
@ -23,22 +41,31 @@ function generateAccessToken() {
* GET /accounts/oauth/providers * GET /accounts/oauth/providers
*/ */
router.get("/oauth/providers", (req, res) => { router.get("/oauth/providers", (req, res) => {
const providers = []; let providers = [];
for (const [key, config] of Object.entries(oauthProviders)) { for (const [key, config] of Object.entries(oauthProviders)) {
// 只返回已配置的提供者 // 只返回已配置的提供者
if (config.clientId && config.clientSecret) { const pkceAllowed = !!config.pkce;
if (config.clientId && (config.clientSecret || pkceAllowed)) {
providers.push({ providers.push({
id: key, id: key,
name: config.name, name: config.name,
displayName: config.displayName || config.name,
icon: config.icon, icon: config.icon,
color: config.color, color: config.color, // 向后兼容
brandColor: config.brandColor || config.color,
textColor: config.textColor || "#ffffff",
description: config.description, description: config.description,
order: typeof config.order === 'number' ? config.order : 9999,
authUrl: `/accounts/oauth/${key}`, // 前端用于发起认证的URL authUrl: `/accounts/oauth/${key}`, // 前端用于发起认证的URL
website: config.website,
}); });
} }
} }
// 按 order 排序(从小到大)
providers = providers.sort((a, b) => a.order - b.order);
res.json({ res.json({
success: true, success: true,
data: providers, data: providers,
@ -64,7 +91,8 @@ router.get("/oauth/:provider", (req, res) => {
}); });
} }
if (!providerConfig.clientId || !providerConfig.clientSecret) { const pkceAllowed = !!providerConfig.pkce;
if (!providerConfig.clientId || (!providerConfig.clientSecret && !pkceAllowed)) {
return res.status(500).json({ return res.status(500).json({
success: false, success: false,
message: `OAuth提供者 ${provider} 未配置`, message: `OAuth提供者 ${provider} 未配置`,
@ -74,11 +102,20 @@ router.get("/oauth/:provider", (req, res) => {
// 生成state参数 // 生成state参数
const state = generateState(); const state = generateState();
// PKCE: 若启用为此次会话生成code_verifier/challenge
let codeChallenge, codeVerifier;
if (pkceAllowed) {
const pair = generatePkcePair();
codeVerifier = pair.codeVerifier;
codeChallenge = pair.codeChallenge;
}
// 保存state和redirect_uri5分钟过期 // 保存state和redirect_uri5分钟过期
oauthStates.set(state, { oauthStates.set(state, {
provider, provider,
redirect_uri, redirect_uri,
timestamp: Date.now(), timestamp: Date.now(),
codeVerifier,
}); });
// 清理过期的state超过5分钟 // 清理过期的state超过5分钟
@ -103,6 +140,11 @@ router.get("/oauth/:provider", (req, res) => {
params.append("prompt", "consent"); params.append("prompt", "consent");
} }
if (pkceAllowed && codeChallenge) {
params.append("code_challenge", codeChallenge);
params.append("code_challenge_method", "S256");
}
const authUrl = `${providerConfig.authorizationURL}?${params.toString()}`; const authUrl = `${providerConfig.authorizationURL}?${params.toString()}`;
// 重定向到OAuth提供者 // 重定向到OAuth提供者
@ -145,7 +187,26 @@ router.get("/oauth/:provider/callback", async (req, res) => {
try { try {
// 1. 使用授权码换取访问令牌 // 1. 使用授权码换取访问令牌
const tokenResponse = await fetch(providerConfig.tokenURL, { let tokenResponse;
if (providerConfig.tokenRequestFormat === 'json') {
tokenResponse = await fetch(providerConfig.tokenURL, {
method: "POST",
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
},
body: JSON.stringify({
client_id: providerConfig.clientId,
...(providerConfig.clientSecret ? { client_secret: providerConfig.clientSecret } : {}),
code: code,
grant_type: "authorization_code",
redirect_uri: getCallbackURL(provider),
// PKCE: 携带code_verifier
...(stateData?.codeVerifier ? { code_verifier: stateData.codeVerifier } : {}),
}),
});
} else {
tokenResponse = await fetch(providerConfig.tokenURL, {
method: "POST", method: "POST",
headers: { headers: {
"Accept": "application/json", "Accept": "application/json",
@ -153,12 +214,15 @@ router.get("/oauth/:provider/callback", async (req, res) => {
}, },
body: new URLSearchParams({ body: new URLSearchParams({
client_id: providerConfig.clientId, client_id: providerConfig.clientId,
client_secret: providerConfig.clientSecret, ...(providerConfig.clientSecret ? { client_secret: providerConfig.clientSecret } : {}),
code: code, code: code,
grant_type: "authorization_code", grant_type: "authorization_code",
redirect_uri: getCallbackURL(provider), redirect_uri: getCallbackURL(provider),
// PKCE: 携带code_verifier
...(stateData?.codeVerifier ? { code_verifier: stateData.codeVerifier } : {}),
}), }),
}); });
}
const tokenData = await tokenResponse.json(); const tokenData = await tokenResponse.json();
@ -167,12 +231,20 @@ router.get("/oauth/:provider/callback", async (req, res) => {
} }
// 2. 使用访问令牌获取用户信息 // 2. 使用访问令牌获取用户信息
const userResponse = await fetch(providerConfig.userInfoURL, { let userResponse;
// Casdoor 支持两种方式Authorization Bearer 或 accessToken 查询参数
if (provider === 'stcn') {
const url = new URL(providerConfig.userInfoURL);
url.searchParams.set('accessToken', tokenData.access_token);
userResponse = await fetch(url, { headers: { "Accept": "application/json" } });
} else {
userResponse = await fetch(providerConfig.userInfoURL, {
headers: { headers: {
"Authorization": `Bearer ${tokenData.access_token}`, "Authorization": `Bearer ${tokenData.access_token}`,
"Accept": "application/json", "Accept": "application/json",
}, },
}); });
}
const userData = await userResponse.json(); const userData = await userResponse.json();
@ -193,6 +265,30 @@ router.get("/oauth/:provider/callback", async (req, res) => {
name: userData.nickname || userData.username, name: userData.nickname || userData.username,
avatarUrl: userData.avatar, avatarUrl: userData.avatar,
}; };
} else if (provider === "hly") {
// 厚浪云Logto标准OIDC用户信息
normalizedUser = {
providerId: userData.sub,
email: userData.email_verified ? userData.email : null,
name: userData.name || userData.preferred_username || userData.nickname,
avatarUrl: userData.picture,
};
} else if (provider === "stcn") {
// STCNCasdoor标准OIDC用户信息
normalizedUser = {
providerId: userData.sub,
email: userData.email_verified ? userData.email : userData.email || null,
name: userData.name || userData.preferred_username || userData.nickname,
avatarUrl: userData.picture,
};
}
// 名称为空时,用邮箱@前部分回填(若邮箱可用)
if ((!normalizedUser.name || normalizedUser.name.trim() === "") && normalizedUser.email) {
const at = normalizedUser.email.indexOf("@");
if (at > 0) {
normalizedUser.name = normalizedUser.email.substring(0, at);
}
} }
// 4. 查找或创建账户 // 4. 查找或创建账户
@ -214,7 +310,7 @@ router.get("/oauth/:provider/callback", async (req, res) => {
name: normalizedUser.name || account.name, name: normalizedUser.name || account.name,
avatarUrl: normalizedUser.avatarUrl || account.avatarUrl, avatarUrl: normalizedUser.avatarUrl || account.avatarUrl,
providerData: userData, providerData: userData,
refreshToken: tokenData.refresh_token || account.refreshToken, //refreshToken: tokenData.refresh_token || account.refreshToken,
updatedAt: new Date(), updatedAt: new Date(),
}, },
}); });
@ -230,7 +326,7 @@ router.get("/oauth/:provider/callback", async (req, res) => {
avatarUrl: normalizedUser.avatarUrl, avatarUrl: normalizedUser.avatarUrl,
providerData: userData, providerData: userData,
accessToken, accessToken,
refreshToken: tokenData.refresh_token, //refreshToken: tokenData.refresh_token,
}, },
}); });
} }
@ -243,6 +339,12 @@ router.get("/oauth/:provider/callback", async (req, res) => {
const callbackUrl = new URL(frontendBaseUrl); const callbackUrl = new URL(frontendBaseUrl);
callbackUrl.searchParams.append("token", jwtToken); callbackUrl.searchParams.append("token", jwtToken);
callbackUrl.searchParams.append("provider", provider); callbackUrl.searchParams.append("provider", provider);
// 附带展示信息,便于前端显示品牌与名称
const pconf = oauthProviders[provider] || {};
callbackUrl.searchParams.append("providerName", pconf.displayName || pconf.name || provider);
if (pconf.brandColor || pconf.color) {
callbackUrl.searchParams.append("providerColor", pconf.brandColor || pconf.color);
}
callbackUrl.searchParams.append("success", "true"); callbackUrl.searchParams.append("success", "true");
res.redirect(callbackUrl.toString()); res.redirect(callbackUrl.toString());
@ -286,11 +388,27 @@ router.get("/profile", jwtAuth, async (req, res, next) => {
}, },
}); });
// 组装 provider 展示信息
const pconf = (account?.provider && oauthProviders[account.provider]) || {};
const providerInfo = {
id: account?.provider || undefined,
name: pconf.name,
displayName: pconf.displayName || pconf.name || account?.provider,
icon: pconf.icon,
color: pconf.color, // 兼容字段
brandColor: pconf.brandColor || pconf.color,
textColor: pconf.textColor || "#ffffff",
description: pconf.description,
order: typeof pconf.order === 'number' ? pconf.order : undefined,
website: pconf.website,
};
res.json({ res.json({
success: true, success: true,
data: { data: {
id: account.id, id: account.id,
provider: account.provider, provider: account.provider,
providerInfo,
email: account.email, email: account.email,
name: account.name, name: account.name,
avatarUrl: account.avatarUrl, avatarUrl: account.avatarUrl,

View File

@ -140,7 +140,6 @@ router.post(
errors.catchAsync(async (req, res, next) => { errors.catchAsync(async (req, res, next) => {
const { uuid } = req.params; const { uuid } = req.params;
const newPassword = req.query.newPassword || req.body.newPassword; const newPassword = req.query.newPassword || req.body.newPassword;
const passwordHint = req.query.passwordHint || req.body.passwordHint;
if (!newPassword) { if (!newPassword) {
return next(errors.createError(400, "新密码是必需的")); return next(errors.createError(400, "新密码是必需的"));
@ -166,7 +165,6 @@ router.post(
where: { id: device.id }, where: { id: device.id },
data: { data: {
password: hashedPassword, password: hashedPassword,
passwordHint: passwordHint || null,
}, },
}); });

View File

@ -1,33 +1,48 @@
import jwt from 'jsonwebtoken'; import jwt from 'jsonwebtoken';
// JWT密钥 - 生产环境应该从环境变量读取 // JWT 配置(支持 HS256 与 RS256
const JWT_ALG = (process.env.JWT_ALG || 'HS256').toUpperCase();
const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d';
// HS256 密钥
const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key-change-this-in-production'; const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key-change-this-in-production';
const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d'; // 默认7天过期
// RS256 密钥对PEM 格式字符串)
const JWT_PRIVATE_KEY = process.env.JWT_PRIVATE_KEY?.replace(/\\n/g, '\n');
const JWT_PUBLIC_KEY = process.env.JWT_PUBLIC_KEY?.replace(/\\n/g, '\n');
function getSignVerifyKeys() {
if (JWT_ALG === 'RS256') {
if (!JWT_PRIVATE_KEY || !JWT_PUBLIC_KEY) {
throw new Error('RS256 需要同时提供 JWT_PRIVATE_KEY 与 JWT_PUBLIC_KEY');
}
return { signKey: JWT_PRIVATE_KEY, verifyKey: JWT_PUBLIC_KEY };
}
// 默认 HS256
return { signKey: JWT_SECRET, verifyKey: JWT_SECRET };
}
/** /**
* 签发JWT token * 签发JWT token
* @param {Object} payload - 要编码的数据
* @returns {string} JWT token
*/ */
export function signToken(payload) { export function signToken(payload) {
return jwt.sign(payload, JWT_SECRET, { const { signKey } = getSignVerifyKeys();
return jwt.sign(payload, signKey, {
expiresIn: JWT_EXPIRES_IN, expiresIn: JWT_EXPIRES_IN,
algorithm: JWT_ALG,
}); });
} }
/** /**
* 验证JWT token * 验证JWT token
* @param {string} token - JWT token
* @returns {Object} 解码后的payload
*/ */
export function verifyToken(token) { export function verifyToken(token) {
return jwt.verify(token, JWT_SECRET); const { verifyKey } = getSignVerifyKeys();
return jwt.verify(token, verifyKey, { algorithms: [JWT_ALG] });
} }
/** /**
* 为账户生成JWT token * 为账户生成JWT token
* @param {Object} account - 账户对象
* @returns {string} JWT token
*/ */
export function generateAccountToken(account) { export function generateAccountToken(account) {
return signToken({ return signToken({