wangxuming/NianAIGC
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add authenticated login and SSO protection

Browse Source
This commit is contained in:
inman
2026-05-29 15:54:13 +08:00
parent e36f28a668
commit 0648874801
50 changed files with 1853 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/api/assets/[id]/download/route.ts
View File

@@ -1,14 +1,16 @@
import { getAsset } from "@/lib/server/data-store";
import { jsonError } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { readAssetForDownload } from "@/lib/server/storage";
export const runtime = "nodejs";
export async function GET(_request: Request, context: { params: Promise<{ id: string }> }) {
try {
const user = await requireAppUser();
const { id } = await context.params;
const asset = await getAsset(id);
if (!asset) return jsonError("资产不存在", 404);
if (!asset || asset.ownerId !== user.id) return jsonError("资产不存在", 404);
const file = await readAssetForDownload(asset);
if (!file) return jsonError("资产文件不可下载", 404);
return new Response(new Uint8Array(file.bytes), {

5
app/api/assets/[id]/inpaint/route.ts
View File

@@ -1,5 +1,6 @@
import { getAsset } from "@/lib/server/data-store";
import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { requestOrigin } from "@/lib/server/runtime";
import { saveMaskDataUrl } from "@/lib/server/storage";
import { submitImageJob } from "@/lib/server/generation-service";
@@ -8,9 +9,10 @@ export const runtime = "nodejs";
export async function POST(request: Request, context: { params: Promise<{ id: string }> }) {
try {
const user = await requireAppUser();
const { id } = await context.params;
const asset = await getAsset(id);
if (!asset) return jsonError(new Error("Asset not found."), 404);
if (!asset || asset.ownerId !== user.id) return jsonError(new Error("Asset not found."), 404);
const body = await readJsonBody<{
prompt?: string;
maskDataUrl?: string;
@@ -31,6 +33,7 @@ export async function POST(request: Request, context: { params: Promise<{ id: st
}
if (!maskUrl) throw new Error("maskDataUrl or maskUrl is required for inpainting.");
const job = await submitImageJob({
ownerId: user.id,
capability: "image.inpaint",
prompt: body.prompt || "删除",
imageUrls: [asset.url, maskUrl],

4
app/api/assets/[id]/route.ts
View File

@@ -1,14 +1,16 @@
import { deleteAsset, getAsset } from "@/lib/server/data-store";
import { jsonError, jsonOk } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { deleteStoredAsset } from "@/lib/server/storage";
export const runtime = "nodejs";
export async function DELETE(_request: Request, context: { params: Promise<{ id: string }> }) {
try {
const user = await requireAppUser();
const { id } = await context.params;
const asset = await getAsset(id);
if (!asset) return jsonError("资产不存在", 404);
if (!asset || asset.ownerId !== user.id) return jsonError("资产不存在", 404);
await deleteStoredAsset(asset);
await deleteAsset(id);
return jsonOk({ ok: true, deletedAssetId: id });

5
app/api/assets/[id]/upscale/route.ts
View File

@@ -1,5 +1,6 @@
import { getAsset } from "@/lib/server/data-store";
import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { requestOrigin } from "@/lib/server/runtime";
import { submitImageJob } from "@/lib/server/generation-service";
@@ -7,14 +8,16 @@ export const runtime = "nodejs";
export async function POST(request: Request, context: { params: Promise<{ id: string }> }) {
try {
const user = await requireAppUser();
const { id } = await context.params;
const asset = await getAsset(id);
if (!asset) return jsonError(new Error("Asset not found."), 404);
if (!asset || asset.ownerId !== user.id) return jsonError(new Error("Asset not found."), 404);
const body = await readJsonBody<{
resolution?: "4k" | "8k";
scale?: number;
}>(request);
const job = await submitImageJob({
ownerId: user.id,
capability: "image.upscale",
imageUrls: [asset.url],
inputAssetIds: [asset.id],

8
app/api/assets/route.ts
View File

@@ -1,13 +1,14 @@
import { createAsset, listAssets } from "@/lib/server/data-store";
import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
import { DEFAULT_OWNER_ID } from "@/lib/server/runtime";
import { requireAppUser } from "@/lib/server/auth/current-user";
import type { AssetKind } from "@/lib/types";
export const runtime = "nodejs";
export async function GET() {
try {
return jsonOk({ assets: await listAssets(DEFAULT_OWNER_ID) });
const user = await requireAppUser();
return jsonOk({ assets: await listAssets(user.id) });
} catch (error) {
return jsonError(error, 500);
}
@@ -22,9 +23,10 @@ export async function POST(request: Request) {
tags?: string[];
source?: "upload" | "generated" | "edited" | "upscaled" | "external" | "seed";
}>(request);
const user = await requireAppUser();
if (!body.url) throw new Error("url is required");
const asset = await createAsset({
ownerId: DEFAULT_OWNER_ID,
ownerId: user.id,
kind: body.kind || "image",
name: body.name || "外部图片",
url: body.url,

6
app/api/assets/upload/route.ts
View File

@@ -1,17 +1,19 @@
import { jsonError, jsonOk } from "@/lib/server/api";
import { DEFAULT_OWNER_ID, requestOrigin } from "@/lib/server/runtime";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { requestOrigin } from "@/lib/server/runtime";
import { saveUploadAsset } from "@/lib/server/storage";
export const runtime = "nodejs";
export async function POST(request: Request) {
try {
const user = await requireAppUser();
const form = await request.formData();
const files = form.getAll("files").filter((item): item is File => item instanceof File);
if (!files.length) throw new Error("No files uploaded.");
const assets = await Promise.all(files.map(async (file) => {
return saveUploadAsset({
ownerId: DEFAULT_OWNER_ID,
ownerId: user.id,
bytes: Buffer.from(await file.arrayBuffer()),
fileName: file.name,
contentType: file.type || "application/octet-stream",

11
app/api/auth/callback/route.ts Normal file
View File

@@ -0,0 +1,11 @@
import { completeAuthorizationCallback, redirectToLoginWithError } from "@/lib/server/auth/oauth";
export const runtime = "nodejs";
export async function GET(request: Request) {
try {
return await completeAuthorizationCallback(request);
} catch {
return redirectToLoginWithError(request, "callback_failed");
}
}

25
app/api/auth/captcha/route.ts Normal file
View File

@@ -0,0 +1,25 @@
import { getAuthRuntimeConfig } from "@/lib/auth/config";
import { jsonError } from "@/lib/server/api";
export const runtime = "nodejs";
export async function GET(request: Request) {
try {
const config = getAuthRuntimeConfig();
if (!config.authBaseUrl) throw new Error("认证中心地址未配置。");
const randomStr = new URL(request.url).searchParams.get("randomStr")?.trim();
if (!randomStr) throw new Error("randomStr is required.");
const response = await fetch(`${config.authBaseUrl}/code/image?randomStr=${encodeURIComponent(randomStr)}`, {
cache: "no-store"
});
if (!response.ok) throw new Error(`验证码获取失败:${response.status}`);
return new Response(new Uint8Array(await response.arrayBuffer()), {
headers: {
"Content-Type": response.headers.get("content-type") || "image/png",
"Cache-Control": "no-store"
}
});
} catch (error) {
return jsonError(error, 500);
}
}

11
app/api/auth/login/route.ts Normal file
View File

@@ -0,0 +1,11 @@
import { createAuthorizeRedirect, redirectToLoginWithError } from "@/lib/server/auth/oauth";
export const runtime = "nodejs";
export async function GET(request: Request) {
try {
return await createAuthorizeRedirect(request);
} catch {
return redirectToLoginWithError(request, "auth_not_configured");
}
}

11
app/api/auth/logout/route.ts Normal file
View File

@@ -0,0 +1,11 @@
import { clearAuthCookies } from "@/lib/server/auth/oauth";
export const runtime = "nodejs";
export async function GET(request: Request) {
return clearAuthCookies(request);
}
export async function POST(request: Request) {
return clearAuthCookies(request);
}

16
app/api/auth/me/route.ts Normal file
View File

@@ -0,0 +1,16 @@
import { getAuthRuntimeConfig } from "@/lib/auth/config";
import { jsonOk } from "@/lib/server/api";
import { getOptionalAuthSession } from "@/lib/server/auth/current-user";
export const runtime = "nodejs";
export async function GET() {
const config = getAuthRuntimeConfig();
const session = await getOptionalAuthSession();
return jsonOk({
authenticated: Boolean(session),
authRequired: config.required,
authConfigured: config.configured,
user: session?.user || null
});
}

119
app/api/auth/password/route.ts Normal file
View File

@@ -0,0 +1,119 @@
import { SESSION_COOKIE_NAME, getAuthRuntimeConfig, safeNextPath, shouldUseSecureAuthCookie } from "@/lib/auth/config";
import { createSessionCookieValue } from "@/lib/auth/session";
import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
import { createSessionFromClaims, verifyAuthJwt } from "@/lib/server/auth/jwt";
export const runtime = "nodejs";
type PasswordTokenResponse = {
access_token?: string;
refresh_token?: string;
expires_in?: string | number;
token_type?: string;
error?: string;
error_description?: string;
msg?: string;
message?: string;
[key: string]: unknown;
};
export async function POST(request: Request) {
try {
const config = getAuthRuntimeConfig();
if (!config.configured || !config.tokenUrl || !config.clientSecret || !config.sessionSecret) {
throw new PasswordLoginError(`认证配置不完整:${config.missing.join(", ") || "未知配置"}`, 500);
}
const body = await readJsonBody<{
username?: string;
password?: string;
code?: string;
randomStr?: string;
next?: string;
}>(request);
const username = body.username?.trim();
const password = body.password || "";
const code = body.code?.trim();
const randomStr = body.randomStr?.trim();
if (!username || !password || !code || !randomStr) throw new PasswordLoginError("账号、密码和验证码不能为空。");
const token = await exchangePasswordToken({
tokenUrl: config.tokenUrl,
clientId: config.clientId,
clientSecret: config.clientSecret,
scope: config.scope,
username,
password,
code,
randomStr
});
if (!token.access_token) throw new PasswordLoginError("认证中心没有返回 access_token。", 502);
const claims = await verifyAuthJwt(token.access_token, config);
const session = createSessionFromClaims(claims, config, parseExpiresIn(token.expires_in));
const response = jsonOk({
ok: true,
redirectTo: safeNextPath(body.next),
user: session.user
});
response.cookies.set(SESSION_COOKIE_NAME, await createSessionCookieValue(session, config.sessionSecret), {
httpOnly: true,
sameSite: "lax",
secure: shouldUseSecureAuthCookie(request.url),
path: "/",
expires: new Date(session.expiresAt * 1000)
});
return response;
} catch (error) {
return jsonError(error, 401);
}
}
async function exchangePasswordToken(input: {
tokenUrl: string;
clientId: string;
clientSecret: string;
scope: string;
username: string;
password: string;
code: string;
randomStr: string;
}): Promise<PasswordTokenResponse> {
const form = new URLSearchParams();
form.set("grant_type", "password");
form.set("scope", input.scope);
form.set("username", input.username);
form.set("password", input.password);
form.set("code", input.code);
form.set("randomStr", input.randomStr);
const response = await fetch(input.tokenUrl, {
method: "POST",
headers: {
Authorization: `Basic ${Buffer.from(`${input.clientId}:${input.clientSecret}`).toString("base64")}`,
"Content-Type": "application/x-www-form-urlencoded"
},
body: form
});
const payload = await response.json().catch(() => ({})) as PasswordTokenResponse;
if (!response.ok) {
throw new PasswordLoginError(payload.error_description || payload.msg || payload.message || payload.error || "登录失败。", response.status);
}
return payload;
}
function parseExpiresIn(value: string | number | undefined): number | undefined {
if (typeof value === "number" && Number.isFinite(value)) return value;
if (typeof value === "string" && value.trim()) {
const parsed = Number(value);
if (Number.isFinite(parsed)) return parsed;
}
return undefined;
}
class PasswordLoginError extends Error {
status: number;
constructor(message: string, status = 400) {
super(message);
this.name = "PasswordLoginError";
this.status = status;
}
}

4
app/api/generations/image/[id]/retry/route.ts
View File

@@ -1,4 +1,5 @@
import { jsonError, jsonOk } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { requestOrigin } from "@/lib/server/runtime";
import { retryImageJob } from "@/lib/server/generation-service";
@@ -6,8 +7,9 @@ export const runtime = "nodejs";
export async function POST(request: Request, context: { params: Promise<{ id: string }> }) {
try {
const user = await requireAppUser();
const { id } = await context.params;
const job = await retryImageJob(id, requestOrigin(request));
const job = await retryImageJob(id, requestOrigin(request), user.id);
return jsonOk({ job }, { status: 202 });
} catch (error) {
return jsonError(error);

7
app/api/generations/image/[id]/route.ts
View File

@@ -1,14 +1,16 @@
import { deleteAsset, deleteGenerationJob, getAsset, getGenerationJob } from "@/lib/server/data-store";
import { jsonError, jsonOk } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { deleteStoredAsset } from "@/lib/server/storage";
export const runtime = "nodejs";
export async function GET(_request: Request, context: { params: Promise<{ id: string }> }) {
try {
const user = await requireAppUser();
const { id } = await context.params;
const job = await getGenerationJob(id);
if (!job) return jsonError(new Error("Generation job not found."), 404);
if (!job || job.ownerId !== user.id) return jsonError(new Error("Generation job not found."), 404);
return jsonOk({ job });
} catch (error) {
return jsonError(error, 500);
@@ -17,9 +19,10 @@ export async function GET(_request: Request, context: { params: Promise<{ id: st
export async function DELETE(_request: Request, context: { params: Promise<{ id: string }> }) {
try {
const user = await requireAppUser();
const { id } = await context.params;
const job = await getGenerationJob(id);
if (!job || job.capability === "video.generate") return jsonError("任务不存在", 404);
if (!job || job.ownerId !== user.id || job.capability === "video.generate") return jsonError("任务不存在", 404);
const deletedAssetIds: string[] = [];
for (const assetId of job.outputAssetIds) {
const asset = await getAsset(assetId);

6
app/api/generations/image/route.ts
View File

@@ -1,5 +1,6 @@
import { getGenerationJob, listGenerationJobs } from "@/lib/server/data-store";
import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { requestOrigin } from "@/lib/server/runtime";
import { submitImageJob } from "@/lib/server/generation-service";
import { assemblePrompt, type PromptAssemblyInput, type PromptMaterial } from "@/lib/prompt/assembler";
@@ -9,7 +10,8 @@ export const runtime = "nodejs";
export async function GET() {
try {
const jobs = (await listGenerationJobs()).filter((job) => job.capability !== "video.generate");
const user = await requireAppUser();
const jobs = (await listGenerationJobs(user.id)).filter((job) => job.capability !== "video.generate");
return jsonOk({ jobs });
} catch (error) {
return jsonError(error, 500);
@@ -18,6 +20,7 @@ export async function GET() {
export async function POST(request: Request) {
try {
const user = await requireAppUser();
const body = await readJsonBody<{
capability?: EnabledImageCapability;
prompt?: string;
@@ -41,6 +44,7 @@ export async function POST(request: Request) {
.filter((material) => material.type === "image")
.map((material) => material.url);
const job = await submitImageJob({
ownerId: user.id,
capability,
prompt: body.prompt || assembled?.prompt,
imageUrls: body.imageUrls || materialImages,

7
app/api/generations/video/[id]/route.ts
View File

@@ -1,14 +1,16 @@
import { deleteAsset, deleteGenerationJob, getAsset, getGenerationJob } from "@/lib/server/data-store";
import { jsonError, jsonOk } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { deleteStoredAsset } from "@/lib/server/storage";
export const runtime = "nodejs";
export async function GET(_request: Request, context: { params: Promise<{ id: string }> }) {
try {
const user = await requireAppUser();
const { id } = await context.params;
const job = await getGenerationJob(id);
if (!job) return jsonError(new Error("Generation job not found."), 404);
if (!job || job.ownerId !== user.id) return jsonError(new Error("Generation job not found."), 404);
return jsonOk({ job });
} catch (error) {
return jsonError(error, 500);
@@ -17,9 +19,10 @@ export async function GET(_request: Request, context: { params: Promise<{ id: st
export async function DELETE(_request: Request, context: { params: Promise<{ id: string }> }) {
try {
const user = await requireAppUser();
const { id } = await context.params;
const job = await getGenerationJob(id);
if (!job || job.capability !== "video.generate") return jsonError("任务不存在", 404);
if (!job || job.ownerId !== user.id || job.capability !== "video.generate") return jsonError("任务不存在", 404);
const deletedAssetIds: string[] = [];
for (const assetId of job.outputAssetIds) {
const asset = await getAsset(assetId);

7
app/api/generations/video/route.ts
View File

@@ -1,5 +1,6 @@
import { listGenerationJobs } from "@/lib/server/data-store";
import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
import { requestOrigin } from "@/lib/server/runtime";
import { submitVideoJob, type SubmitVideoJobInput } from "@/lib/server/video-generation-service";
@@ -7,7 +8,8 @@ export const runtime = "nodejs";
export async function GET() {
try {
const jobs = (await listGenerationJobs()).filter((job) => job.capability === "video.generate");
const user = await requireAppUser();
const jobs = (await listGenerationJobs(user.id)).filter((job) => job.capability === "video.generate");
return jsonOk({ jobs });
} catch (error) {
return jsonError(error, 500);
@@ -16,8 +18,9 @@ export async function GET() {
export async function POST(request: Request) {
try {
const user = await requireAppUser();
const body = await readJsonBody<SubmitVideoJobInput & Record<string, unknown>>(request);
const job = await submitVideoJob(body, requestOrigin(request));
const job = await submitVideoJob({ ...body, ownerId: user.id }, requestOrigin(request));
return jsonOk({ job }, { status: 202 });
} catch (error) {
return jsonError(error);

3
app/api/health/route.ts
View File

@@ -1,4 +1,5 @@
import { jsonOk } from "@/lib/server/api";
import { authConfigSummary, getAuthRuntimeConfig } from "@/lib/auth/config";
import { getEffectiveImageEngine, getEvolinkImageSettings, shouldMockEvolinkApi } from "@/lib/evolink/image-client";
import { getVisibleImageCapabilities } from "@/lib/jimeng/capabilities";
import { shouldMockVisualApi } from "@/lib/volcengine/visual-client";
@@ -8,6 +9,7 @@ export const runtime = "nodejs";
export async function GET() {
const evolink = getEvolinkImageSettings();
const auth = getAuthRuntimeConfig();
return jsonOk({
ok: true,
appId: "zhinian-web-studio",
@@ -15,6 +17,7 @@ export async function GET() {
visualApiMode: shouldMockVisualApi() ? "mock" : "volcengine",
evolinkMode: shouldMockEvolinkApi() ? "mock" : "evolink",
seedanceMode: shouldMockSeedance() ? "mock" : "seedance",
authMode: authConfigSummary(auth),
capabilities: [
...getVisibleImageCapabilities().map((capability) => {
const engine = getEffectiveImageEngine(capability.id);

2
app/api/prompt/assemble/route.ts
View File

@@ -1,10 +1,12 @@
import { assemblePrompt, type PromptAssemblyInput } from "@/lib/prompt/assembler";
import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
export const runtime = "nodejs";
export async function POST(request: Request) {
try {
await requireAppUser();
const body = await readJsonBody<PromptAssemblyInput & Record<string, unknown>>(request);
return jsonOk(assemblePrompt(body));
} catch (error) {

3
app/api/settings/route.ts
View File

@@ -1,10 +1,12 @@
import { getApiSettings, saveApiSettings } from "@/lib/server/app-settings";
import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
import { requireAppUser } from "@/lib/server/auth/current-user";
export const runtime = "nodejs";
export async function GET() {
try {
await requireAppUser();
return jsonOk(await getApiSettings());
} catch (error) {
return jsonError(error, 500);
@@ -13,6 +15,7 @@ export async function GET() {
export async function POST(request: Request) {
try {
await requireAppUser();
const body = await readJsonBody<{ values?: Record<string, unknown> }>(request);
return jsonOk(await saveApiSettings(body.values || {}));
} catch (error) {