修改认证中心对接方式

lib/server/auth/jwt.ts

@@ -143,12 +143,14 @@ function validateClaims(claims: AuthTokenClaims, config: AuthRuntimeConfig) {
   if (iat && iat > now + skew) throw new JwtVerificationError("JWT issued-at is in the future.");
   if (claims.iss !== config.issuer) throw new JwtVerificationError("JWT issuer is not trusted.");
   const clientId = stringClaim(claims.client_id) || stringClaim(claims.clientId);
-  if (clientId !== config.clientId) throw new JwtVerificationError("JWT client id is not allowed.");
+  if (clientId && clientId !== config.clientId) throw new JwtVerificationError("JWT client id is not allowed.");
   const requiredScopes = config.scope.split(/\s+/).filter(Boolean);
   if (requiredScopes.length) {
     const tokenScopes = new Set(stringListClaim(claims.scope));
-    for (const scope of requiredScopes) {
-      if (!tokenScopes.has(scope)) throw new JwtVerificationError("JWT scope is not allowed.");
+    if (tokenScopes.size > 0) {
+      for (const scope of requiredScopes) {
+        if (!tokenScopes.has(scope)) throw new JwtVerificationError("JWT scope is not allowed.");
+      }
     }
   }
 }

lib/server/auth/password.ts

@@ -0,0 +1,21 @@
+import { createCipheriv } from "node:crypto";
+
+export function prepareAuthPassword(password: string, input: {
+  passwordEncrypted?: boolean;
+  passwordEncryptionKey?: string;
+}): string {
+  if (input.passwordEncrypted) return password;
+  const key = input.passwordEncryptionKey?.trim();
+  if (!key) return password;
+  return encryptPasswordCFB(password, key);
+}
+
+export function encryptPasswordCFB(password: string, key: string): string {
+  const keyBytes = Buffer.from(key);
+  if (![16, 24, 32].includes(keyBytes.length)) {
+    throw new Error("password encryption key must be 16, 24, or 32 bytes");
+  }
+  const algorithm = `aes-${keyBytes.length * 8}-cfb`;
+  const cipher = createCipheriv(algorithm, keyBytes, keyBytes);
+  return Buffer.concat([cipher.update(password, "utf8"), cipher.final()]).toString("base64");
+}