From fb8766320146d813146594bbe692f99e744d4ebd Mon Sep 17 00:00:00 2001 From: longdayi <13477510+longdayilongdayi@user.noreply.gitee.com> Date: Mon, 26 May 2025 23:11:24 +0800 Subject: [PATCH] 05262311 --- apps/backend/package.json | 1 + apps/backend/src/oidc/config.ts | 61 ++++++++++++--------------------- pnpm-lock.yaml | 3 ++ 3 files changed, 25 insertions(+), 40 deletions(-) diff --git a/apps/backend/package.json b/apps/backend/package.json index a6050da..029adf6 100644 --- a/apps/backend/package.json +++ b/apps/backend/package.json @@ -12,6 +12,7 @@ "@types/oidc-provider": "^9.1.0", "hono": "^4.7.10", "ioredis": "5.4.1", + "jose": "^6.0.11", "minio": "7.1.3", "nanoid": "^5.1.5", "node-cron": "^4.0.7", diff --git a/apps/backend/src/oidc/config.ts b/apps/backend/src/oidc/config.ts index ec05f27..7d4aac6 100644 --- a/apps/backend/src/oidc/config.ts +++ b/apps/backend/src/oidc/config.ts @@ -1,54 +1,37 @@ import { Configuration } from 'oidc-provider'; import { RedisAdapter } from './redis-adapter'; import { prisma } from '@repo/db'; -import { generateKeyPairSync } from 'crypto'; -// 自动生成JWKS密钥对(如无环境变量则自动生成,建议持久化到安全存储) -function getJWKS() { - if (process.env.OIDC_JWKS) { - return JSON.parse(process.env.OIDC_JWKS); - } - // 生成RSA密钥对 - const { publicKey, privateKey } = generateKeyPairSync('rsa', { - modulusLength: 2048, - publicKeyEncoding: { type: 'spki', format: 'pem' }, - privateKeyEncoding: { type: 'pkcs8', format: 'pem' }, - }); - // 转为JWK格式(这里只做简单转换,生产建议用jose等库) - const jwk = require('pem-jwk').pem2jwk(publicKey); - jwk.use = 'sig'; - jwk.alg = 'RS256'; - // 打印公钥,便于配置到前端或备份 - console.log('自动生成的OIDC公钥JWK:', JSON.stringify(jwk, null, 2)); - return [jwk]; -} - -// 支持从数据库动态加载clients async function getClients() { const dbClients = await prisma.oidcClient.findMany?.(); - if (dbClients && dbClients.length > 0) { - return dbClients.map(c => ({ + const dbClientList = (dbClients && dbClients.length > 0) + ? dbClients.map(c => ({ client_id: c.clientId, client_secret: c.clientSecret, grant_types: JSON.parse(c.grantTypes), // string -> string[] redirect_uris: JSON.parse(c.redirectUris), // string -> string[] response_types: JSON.parse(c.responseTypes), // string -> string[] scope: c.scope, - })); - } - return [ - { - client_id: process.env.OIDC_CLIENT_ID || 'example-client', - client_secret: process.env.OIDC_CLIENT_SECRET || 'example-secret', - grant_types: ['authorization_code', 'refresh_token'], - redirect_uris: [process.env.OIDC_REDIRECT_URI || 'http://localhost:3000/callback'], - response_types: ['code'], - scope: 'openid email profile', - }, - ]; + })) + : []; + + // 管理后台client,通过环境变量读取 + const adminClient = { + client_id: process.env.OIDC_CLIENT_ID || 'admin-client', + client_secret: process.env.OIDC_CLIENT_SECRET || 'admin-secret', + grant_types: ['authorization_code', 'refresh_token'], + redirect_uris: [process.env.OIDC_REDIRECT_URI || 'http://localhost:3000/admin/callback'], + response_types: ['code'], + scope: 'openid email profile', + }; + + // 检查是否与数据库client_id重复 + const allClients = [adminClient, ...dbClientList.filter(c => c.client_id !== adminClient.client_id)]; + + return allClients; } -const OIDC_COOKIE_KEY = process.env.OIDC_COOKIE_KEY || 'default-cookie-key'; +const OIDC_COOKIE_KEY = process.env.OIDC_COOKIE_KEY || 'HrbEPlzByV0CcjFJhl2pjKV2iG8FgQIc'; const config: Configuration = { adapter: RedisAdapter, @@ -67,9 +50,7 @@ const config: Configuration = { cookies: { keys: [OIDC_COOKIE_KEY], }, - jwks: { - keys: getJWKS(), - }, + jwks: [], ttl: { AccessToken: 3600, AuthorizationCode: 600, diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 67c076e..523e9dd 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -53,6 +53,9 @@ importers: ioredis: specifier: 5.4.1 version: 5.4.1 + jose: + specifier: ^6.0.11 + version: 6.0.11 minio: specifier: 7.1.3 version: 7.1.3