修改认证中心对接方式

2026-06-04 12:02:53 +08:00
parent fb0229ba06
commit ce358df201
13 changed files with 195 additions and 24 deletions


@@ -69,6 +69,7 @@ const settingDefinitions: Array<{
{ key: "ZHINIAN_AUTH_CLIENT_SECRET", label: "客户端密钥", secret: true, type: "password" },
{ key: "ZHINIAN_AUTH_SCOPE", label: "Scope", defaultValue: "server" },
{ key: "ZHINIAN_AUTH_ISSUER", label: "Issuer", defaultValue: "https://pig4cloud.com" },
{ key: "ZHINIAN_AUTH_PASSWORD_ENC_KEY", label: "Password Encryption Key", secret: true, type: "password" },
{ key: "ZHINIAN_AUTH_SESSION_SECRET", label: "会话签名密钥", secret: true, type: "password" }
]
},
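Review bot: The new `ZHINIAN_AUTH_PASSWORD_ENC_KEY` entry gives operators no hint that the value is consumed as raw UTF-8 bytes and must be exactly 16, 24 or 32 bytes long, which the encryption helper in this same commit enforces by throwing; a misconfigured key will only surface at the first login attempt. Consider putting the constraint in the definition, e.g. `{ key: "ZHINIAN_AUTH_PASSWORD_ENC_KEY", label: "密码加密密钥 (16/24/32 字节)", secret: true, type: "password" }`, which also brings the label in line with the Chinese labels of its siblings. The `settingDefinitions` array begins and ends outside this hunk.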


@@ -143,12 +143,14 @@ function validateClaims(claims: AuthTokenClaims, config: AuthRuntimeConfig) {
if (iat && iat > now + skew) throw new JwtVerificationError("JWT issued-at is in the future.");
if (claims.iss !== config.issuer) throw new JwtVerificationError("JWT issuer is not trusted.");
const clientId = stringClaim(claims.client_id) || stringClaim(claims.clientId);
if (clientId !== config.clientId) throw new JwtVerificationError("JWT client id is not allowed.");
if (clientId && clientId !== config.clientId) throw new JwtVerificationError("JWT client id is not allowed.");
const requiredScopes = config.scope.split(/\s+/).filter(Boolean);
if (requiredScopes.length) {
const tokenScopes = new Set(stringListClaim(claims.scope));
for (const scope of requiredScopes) {
if (!tokenScopes.has(scope)) throw new JwtVerificationError("JWT scope is not allowed.");
if (tokenScopes.size > 0) {
for (const scope of requiredScopes) {
if (!tokenScopes.has(scope)) throw new JwtVerificationError("JWT scope is not allowed.");
}
}
}
}
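Review bot: The new conditions `clientId && ...` and `tokenScopes.size > 0` make both checks fail open: a token that omits the `client_id`/`clientId` claim or carries no `scope` claim now passes, so a token issued to a different client, or with no scope at all, is accepted as long as signature, issuer and time claims hold. If the authentication center legitimately omits these claims for some token types (presumably the motivation here), make that an explicit configuration decision rather than inferring it from claim absence: keep `if (!clientId || clientId !== config.clientId) throw new JwtVerificationError("JWT client id is not allowed.");` and `if (tokenScopes.size === 0) throw new JwtVerificationError("JWT scope is not allowed.");`, and add an opt-in flag on `AuthRuntimeConfig` that relaxes them, logging whenever a check is skipped. `validateClaims` begins before this hunk.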


@@ -0,0 +1,21 @@
import { createCipheriv } from "node:crypto";
export function prepareAuthPassword(password: string, input: {
passwordEncrypted?: boolean;
passwordEncryptionKey?: string;
}): string {
if (input.passwordEncrypted) return password;
const key = input.passwordEncryptionKey?.trim();
if (!key) return password;
return encryptPasswordCFB(password, key);
}
export function encryptPasswordCFB(password: string, key: string): string {
const keyBytes = Buffer.from(key);
if (![16, 24, 32].includes(keyBytes.length)) {
throw new Error("password encryption key must be 16, 24, or 32 bytes");
}
const algorithm = `aes-${keyBytes.length * 8}-cfb`;
const cipher = createCipheriv(algorithm, keyBytes, keyBytes);
return Buffer.concat([cipher.update(password, "utf8"), cipher.final()]).toString("base64");
}
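Review bot: `createCipheriv(algorithm, keyBytes, keyBytes)` uses the key itself as the IV, so the IV is fixed for every call: under CFB the first 16 bytes of keystream are then identical across encryptions, equal passwords yield equal ciphertexts, and XORing two outputs leaks the XOR of the plaintext prefixes. If this construction is imposed by the authentication center's decryption routine (it reads as an interop requirement rather than a design choice), state that at the definition, e.g. `// Interop: the auth server decrypts AES-CFB with the key reused as IV; this is deterministic and provides no confidentiality on its own, so the value must only travel over TLS.`, and keep the helper from being reused elsewhere. `prepareAuthPassword` also returns the raw password when no key is configured, a silent downgrade to plaintext; either fail when encryption is expected or document the fallback with `// No key configured: password is forwarded as-is and relies entirely on transport security.` Note that `cipher.final()` emits nothing for CFB, so the output length equals the password's UTF-8 length, which an observer can read off the base64.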