Add authenticated login and SSO protection
This commit is contained in:
inman
11
app/api/auth/callback/route.ts
Normal file
11
app/api/auth/callback/route.ts
Normal file
@@ -0,0 +1,11 @@
|
||||
import { completeAuthorizationCallback, redirectToLoginWithError } from "@/lib/server/auth/oauth";
|
||||
|
||||
export const runtime = "nodejs";
|
||||
|
||||
export async function GET(request: Request) {
|
||||
try {
|
||||
return await completeAuthorizationCallback(request);
|
||||
} catch {
|
||||
return redirectToLoginWithError(request, "callback_failed");
|
||||
}
|
||||
}
|
||||
25
app/api/auth/captcha/route.ts
Normal file
25
app/api/auth/captcha/route.ts
Normal file
@@ -0,0 +1,25 @@
|
||||
import { getAuthRuntimeConfig } from "@/lib/auth/config";
|
||||
import { jsonError } from "@/lib/server/api";
|
||||
|
||||
export const runtime = "nodejs";
|
||||
|
||||
export async function GET(request: Request) {
|
||||
try {
|
||||
const config = getAuthRuntimeConfig();
|
||||
if (!config.authBaseUrl) throw new Error("认证中心地址未配置。");
|
||||
const randomStr = new URL(request.url).searchParams.get("randomStr")?.trim();
|
||||
if (!randomStr) throw new Error("randomStr is required.");
|
||||
const response = await fetch(`${config.authBaseUrl}/code/image?randomStr=${encodeURIComponent(randomStr)}`, {
|
||||
cache: "no-store"
|
||||
});
|
||||
if (!response.ok) throw new Error(`验证码获取失败:${response.status}`);
|
||||
return new Response(new Uint8Array(await response.arrayBuffer()), {
|
||||
headers: {
|
||||
"Content-Type": response.headers.get("content-type") || "image/png",
|
||||
"Cache-Control": "no-store"
|
||||
}
|
||||
});
|
||||
} catch (error) {
|
||||
return jsonError(error, 500);
|
||||
}
|
||||
}
|
||||
11
app/api/auth/login/route.ts
Normal file
11
app/api/auth/login/route.ts
Normal file
@@ -0,0 +1,11 @@
|
||||
import { createAuthorizeRedirect, redirectToLoginWithError } from "@/lib/server/auth/oauth";
|
||||
|
||||
export const runtime = "nodejs";
|
||||
|
||||
export async function GET(request: Request) {
|
||||
try {
|
||||
return await createAuthorizeRedirect(request);
|
||||
} catch {
|
||||
return redirectToLoginWithError(request, "auth_not_configured");
|
||||
}
|
||||
}
|
||||
11
app/api/auth/logout/route.ts
Normal file
11
app/api/auth/logout/route.ts
Normal file
@@ -0,0 +1,11 @@
|
||||
import { clearAuthCookies } from "@/lib/server/auth/oauth";
|
||||
|
||||
export const runtime = "nodejs";
|
||||
|
||||
export async function GET(request: Request) {
|
||||
return clearAuthCookies(request);
|
||||
}
|
||||
|
||||
export async function POST(request: Request) {
|
||||
return clearAuthCookies(request);
|
||||
}
|
||||
16
app/api/auth/me/route.ts
Normal file
16
app/api/auth/me/route.ts
Normal file
@@ -0,0 +1,16 @@
|
||||
import { getAuthRuntimeConfig } from "@/lib/auth/config";
|
||||
import { jsonOk } from "@/lib/server/api";
|
||||
import { getOptionalAuthSession } from "@/lib/server/auth/current-user";
|
||||
|
||||
export const runtime = "nodejs";
|
||||
|
||||
export async function GET() {
|
||||
const config = getAuthRuntimeConfig();
|
||||
const session = await getOptionalAuthSession();
|
||||
return jsonOk({
|
||||
authenticated: Boolean(session),
|
||||
authRequired: config.required,
|
||||
authConfigured: config.configured,
|
||||
user: session?.user || null
|
||||
});
|
||||
}
|
||||
119
app/api/auth/password/route.ts
Normal file
119
app/api/auth/password/route.ts
Normal file
@@ -0,0 +1,119 @@
|
||||
import { SESSION_COOKIE_NAME, getAuthRuntimeConfig, safeNextPath, shouldUseSecureAuthCookie } from "@/lib/auth/config";
|
||||
import { createSessionCookieValue } from "@/lib/auth/session";
|
||||
import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
|
||||
import { createSessionFromClaims, verifyAuthJwt } from "@/lib/server/auth/jwt";
|
||||
|
||||
export const runtime = "nodejs";
|
||||
|
||||
type PasswordTokenResponse = {
|
||||
access_token?: string;
|
||||
refresh_token?: string;
|
||||
expires_in?: string | number;
|
||||
token_type?: string;
|
||||
error?: string;
|
||||
error_description?: string;
|
||||
msg?: string;
|
||||
message?: string;
|
||||
[key: string]: unknown;
|
||||
};
|
||||
|
||||
export async function POST(request: Request) {
|
||||
try {
|
||||
const config = getAuthRuntimeConfig();
|
||||
if (!config.configured || !config.tokenUrl || !config.clientSecret || !config.sessionSecret) {
|
||||
throw new PasswordLoginError(`认证配置不完整:${config.missing.join(", ") || "未知配置"}`, 500);
|
||||
}
|
||||
const body = await readJsonBody<{
|
||||
username?: string;
|
||||
password?: string;
|
||||
code?: string;
|
||||
randomStr?: string;
|
||||
next?: string;
|
||||
}>(request);
|
||||
const username = body.username?.trim();
|
||||
const password = body.password || "";
|
||||
const code = body.code?.trim();
|
||||
const randomStr = body.randomStr?.trim();
|
||||
if (!username || !password || !code || !randomStr) throw new PasswordLoginError("账号、密码和验证码不能为空。");
|
||||
|
||||
const token = await exchangePasswordToken({
|
||||
tokenUrl: config.tokenUrl,
|
||||
clientId: config.clientId,
|
||||
clientSecret: config.clientSecret,
|
||||
scope: config.scope,
|
||||
username,
|
||||
password,
|
||||
code,
|
||||
randomStr
|
||||
});
|
||||
if (!token.access_token) throw new PasswordLoginError("认证中心没有返回 access_token。", 502);
|
||||
const claims = await verifyAuthJwt(token.access_token, config);
|
||||
const session = createSessionFromClaims(claims, config, parseExpiresIn(token.expires_in));
|
||||
const response = jsonOk({
|
||||
ok: true,
|
||||
redirectTo: safeNextPath(body.next),
|
||||
user: session.user
|
||||
});
|
||||
response.cookies.set(SESSION_COOKIE_NAME, await createSessionCookieValue(session, config.sessionSecret), {
|
||||
httpOnly: true,
|
||||
sameSite: "lax",
|
||||
secure: shouldUseSecureAuthCookie(request.url),
|
||||
path: "/",
|
||||
expires: new Date(session.expiresAt * 1000)
|
||||
});
|
||||
return response;
|
||||
} catch (error) {
|
||||
return jsonError(error, 401);
|
||||
}
|
||||
}
|
||||
|
||||
async function exchangePasswordToken(input: {
|
||||
tokenUrl: string;
|
||||
clientId: string;
|
||||
clientSecret: string;
|
||||
scope: string;
|
||||
username: string;
|
||||
password: string;
|
||||
code: string;
|
||||
randomStr: string;
|
||||
}): Promise<PasswordTokenResponse> {
|
||||
const form = new URLSearchParams();
|
||||
form.set("grant_type", "password");
|
||||
form.set("scope", input.scope);
|
||||
form.set("username", input.username);
|
||||
form.set("password", input.password);
|
||||
form.set("code", input.code);
|
||||
form.set("randomStr", input.randomStr);
|
||||
const response = await fetch(input.tokenUrl, {
|
||||
method: "POST",
|
||||
headers: {
|
||||
Authorization: `Basic ${Buffer.from(`${input.clientId}:${input.clientSecret}`).toString("base64")}`,
|
||||
"Content-Type": "application/x-www-form-urlencoded"
|
||||
},
|
||||
body: form
|
||||
});
|
||||
const payload = await response.json().catch(() => ({})) as PasswordTokenResponse;
|
||||
if (!response.ok) {
|
||||
throw new PasswordLoginError(payload.error_description || payload.msg || payload.message || payload.error || "登录失败。", response.status);
|
||||
}
|
||||
return payload;
|
||||
}
|
||||
|
||||
function parseExpiresIn(value: string | number | undefined): number | undefined {
|
||||
if (typeof value === "number" && Number.isFinite(value)) return value;
|
||||
if (typeof value === "string" && value.trim()) {
|
||||
const parsed = Number(value);
|
||||
if (Number.isFinite(parsed)) return parsed;
|
||||
}
|
||||
return undefined;
|
||||
}
|
||||
|
||||
class PasswordLoginError extends Error {
|
||||
status: number;
|
||||
|
||||
constructor(message: string, status = 400) {
|
||||
super(message);
|
||||
this.name = "PasswordLoginError";
|
||||
this.status = status;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user