Add authenticated login and SSO protection

2026-05-29 15:54:13 +08:00
parent e36f28a668
commit 0648874801
50 changed files with 1853 additions and 63 deletions
--- a/lib/server/app-settings.ts
+++ b/lib/server/app-settings.ts
@@ -1,6 +1,7 @@
 import { mkdir, readFile, writeFile } from "node:fs/promises";
 import { dirname, join } from "node:path";
 import { getEvolinkImageSettings, getSelectedImageEngine, shouldMockEvolinkApi, type ImageCreationEngine } from "@/lib/evolink/image-client";
+import { authConfigSummary, getAuthRuntimeConfig } from "@/lib/auth/config";
 import { getJimengCapabilities } from "@/lib/jimeng/capabilities";
 import { getSeedanceConfig, shouldMockSeedance } from "@/lib/seedance/client";
 import { rootDir } from "@/lib/server/runtime";
@@ -47,6 +48,30 @@ const settingDefinitions: Array<{
  description: string;
  fields: FieldDefinition[];
 }> = [
+  {
+    id: "auth",
+    title: "账户登录 SSO",
+    description: "用于发布环境的统一认证中心登录；client_secret 与 session secret 只保存在服务端。",
+    fields: [
+      {
+        key: "ZHINIAN_AUTH_REQUIRED",
+        label: "登录保护",
+        type: "select",
+        defaultValue: "auto",
+        options: [
+          { label: "自动", value: "auto" },
+          { label: "启用", value: "1" },
+          { label: "停用", value: "0" }
+        ]
+      },
+      { key: "ZHINIAN_AUTH_BASE_URL", label: "Auth Base URL" },
+      { key: "ZHINIAN_AUTH_CLIENT_ID", label: "客户端 ID", defaultValue: "customPC" },
+      { key: "ZHINIAN_AUTH_CLIENT_SECRET", label: "客户端密钥", secret: true, type: "password" },
+      { key: "ZHINIAN_AUTH_SCOPE", label: "Scope", defaultValue: "server" },
+      { key: "ZHINIAN_AUTH_ISSUER", label: "Issuer", defaultValue: "https://pig4cloud.com" },
+      { key: "ZHINIAN_AUTH_SESSION_SECRET", label: "会话签名密钥", secret: true, type: "password" }
+    ]
+  },
  {
    id: "visual",
    title: "即梦图片 API",
@@ -143,6 +168,7 @@ export async function getApiSettings() {
    })
  }));
  const seedance = getSeedanceConfig();
+  const auth = getAuthRuntimeConfig();
  const engineAssignments = buildEngineAssignments(fileEnv);
  return {
    envPath: envFilePath(),
@@ -150,6 +176,7 @@ export async function getApiSettings() {
      visual: shouldMockVisualApi() ? "mock" : "real",
      evolink: shouldMockEvolinkApi() ? "mock" : "real",
      seedance: shouldMockSeedance() ? "mock" : "real",
+      auth: authConfigSummary(auth),
      data: process.env.SUPABASE_SERVICE_ROLE_KEY ? "supabase" : "local"
    },
    capabilities: [