修改认证中心对接方式

lib/auth/config.ts

@@ -14,6 +14,7 @@ export type AuthRuntimeConfig = {
   clientSecret?: string;
   scope: string;
   issuer: string;
+  passwordEncryptionKey?: string;
   sessionSecret?: string;
   clockSkewSeconds: number;
 };
@@ -24,6 +25,7 @@ export function getAuthRuntimeConfig(): AuthRuntimeConfig {
   const clientSecret = envValue("ZHINIAN_AUTH_CLIENT_SECRET", "AUTH_CLIENT_SECRET");
   const scope = envValue("ZHINIAN_AUTH_SCOPE", "AUTH_SCOPE") || "server";
   const issuer = envValue("ZHINIAN_AUTH_ISSUER", "AUTH_ISSUER") || "https://pig4cloud.com";
+  const passwordEncryptionKey = envValue("ZHINIAN_AUTH_PASSWORD_ENC_KEY", "AUTH_PASSWORD_ENC_KEY", "AGENTBUS_SSO_PASSWORD_ENC_KEY");
   const sessionSecret = envValue("ZHINIAN_AUTH_SESSION_SECRET", "AUTH_SESSION_SECRET", "NEXTAUTH_SECRET");
   const explicitRequired = boolEnv("ZHINIAN_AUTH_REQUIRED");
   const disabled = boolEnv("ZHINIAN_AUTH_DISABLED") === true;
@@ -49,6 +51,7 @@ export function getAuthRuntimeConfig(): AuthRuntimeConfig {
     clientSecret,
     scope,
     issuer,
+    passwordEncryptionKey,
     sessionSecret,
     clockSkewSeconds: numberEnv("ZHINIAN_AUTH_CLOCK_SKEW_SECONDS") ?? 60
   };

lib/server/app-settings.ts

@@ -69,6 +69,7 @@ const settingDefinitions: Array<{
       { key: "ZHINIAN_AUTH_CLIENT_SECRET", label: "客户端密钥", secret: true, type: "password" },
       { key: "ZHINIAN_AUTH_SCOPE", label: "Scope", defaultValue: "server" },
       { key: "ZHINIAN_AUTH_ISSUER", label: "Issuer", defaultValue: "https://pig4cloud.com" },
+      { key: "ZHINIAN_AUTH_PASSWORD_ENC_KEY", label: "Password Encryption Key", secret: true, type: "password" },
       { key: "ZHINIAN_AUTH_SESSION_SECRET", label: "会话签名密钥", secret: true, type: "password" }
     ]
   },

lib/server/auth/jwt.ts

@@ -143,12 +143,14 @@ function validateClaims(claims: AuthTokenClaims, config: AuthRuntimeConfig) {
   if (iat && iat > now + skew) throw new JwtVerificationError("JWT issued-at is in the future.");
   if (claims.iss !== config.issuer) throw new JwtVerificationError("JWT issuer is not trusted.");
   const clientId = stringClaim(claims.client_id) || stringClaim(claims.clientId);
-  if (clientId !== config.clientId) throw new JwtVerificationError("JWT client id is not allowed.");
+  if (clientId && clientId !== config.clientId) throw new JwtVerificationError("JWT client id is not allowed.");
   const requiredScopes = config.scope.split(/\s+/).filter(Boolean);
   if (requiredScopes.length) {
     const tokenScopes = new Set(stringListClaim(claims.scope));
-    for (const scope of requiredScopes) {
-      if (!tokenScopes.has(scope)) throw new JwtVerificationError("JWT scope is not allowed.");
+    if (tokenScopes.size > 0) {
+      for (const scope of requiredScopes) {
+        if (!tokenScopes.has(scope)) throw new JwtVerificationError("JWT scope is not allowed.");
+      }
     }
   }
 }

lib/server/auth/password.ts

@@ -0,0 +1,21 @@
+import { createCipheriv } from "node:crypto";
+
+export function prepareAuthPassword(password: string, input: {
+  passwordEncrypted?: boolean;
+  passwordEncryptionKey?: string;
+}): string {
+  if (input.passwordEncrypted) return password;
+  const key = input.passwordEncryptionKey?.trim();
+  if (!key) return password;
+  return encryptPasswordCFB(password, key);
+}
+
+export function encryptPasswordCFB(password: string, key: string): string {
+  const keyBytes = Buffer.from(key);
+  if (![16, 24, 32].includes(keyBytes.length)) {
+    throw new Error("password encryption key must be 16, 24, or 32 bytes");
+  }
+  const algorithm = `aes-${keyBytes.length * 8}-cfb`;
+  const cipher = createCipheriv(algorithm, keyBytes, keyBytes);
+  return Buffer.concat([cipher.update(password, "utf8"), cipher.final()]).toString("base64");
+}