♻️ refactor: refactor oidc env to auth env (#11095)

♻️ refactor: refactor oidc to auth
2026-03-27 13:29:15 +07:00 · 2026-01-01 21:45:42 +08:00
parent a71d9c70d2
commit 6e8d4ffbc7
8 changed files with 21 additions and 41 deletions
--- a/e2e/src/support/webServer.ts
+++ b/e2e/src/support/webServer.ts
@@ -101,7 +101,6 @@ export async function startWebServer(options: WebServerOptions): Promise<void> {
        ...process.env,
        // E2E test secret keys
        BETTER_AUTH_SECRET: 'e2e-test-secret-key-for-better-auth-32chars!',
-        ENABLE_OIDC: '0',
        KEY_VAULTS_SECRET: 'LA7n9k3JdEcbSgml2sxfw+4TV1AzaaFU5+R176aQz4s=',
        // Disable email verification for e2e
        NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION: '0',
--- a/src/app/(backend)/oidc/[...oidc]/route.ts
+++ b/src/app/(backend)/oidc/[...oidc]/route.ts
@@ -2,7 +2,7 @@ import debug from 'debug';
 import { type NextRequest, NextResponse } from 'next/server';
 import { URL } from 'node:url';

-import { oidcEnv } from '@/envs/oidc';
+import { authEnv } from '@/envs/auth';
 import { createNodeRequest, createNodeResponse } from '@/libs/oidc-provider/http-adapter';
 import { getOIDCProvider } from '@/server/services/oidc/oidcProvider';

@@ -17,7 +17,7 @@ const handler = async (req: NextRequest) => {
  let responseCollector;

  try {
-    if (!oidcEnv.ENABLE_OIDC) {
+    if (!authEnv.ENABLE_OIDC) {
      log('OIDC is not enabled');
      return new NextResponse('OIDC is not enabled', { status: 404 });
    }
--- a/src/app/[variants]/(auth)/oauth/consent/[uid]/page.tsx
+++ b/src/app/[variants]/(auth)/oauth/consent/[uid]/page.tsx
@@ -1,6 +1,6 @@
 import { notFound } from 'next/navigation';

-import { oidcEnv } from '@/envs/oidc';
+import { authEnv } from '@/envs/auth';
 import { defaultClients } from '@/libs/oidc-provider/config';
 import { OIDCService } from '@/server/services/oidc';

@@ -9,7 +9,7 @@ import Consent from './Consent';
 import Login from './Login';

 const InteractionPage = async (props: { params: Promise<{ uid: string }> }) => {
-  if (!oidcEnv.ENABLE_OIDC) return notFound();
+  if (!authEnv.ENABLE_OIDC) return notFound();

  const params = await props.params;
  const uid = params.uid;
--- a/src/envs/auth.ts
+++ b/src/envs/auth.ts
@@ -284,6 +284,7 @@ export const getAuthConfig = () => {

      // Generic JWKS key for signing/verifying JWTs
      JWKS_KEY: z.string().optional(),
+      ENABLE_OIDC: z.boolean(),
    },

    runtimeEnv: {
@@ -407,6 +408,7 @@ export const getAuthConfig = () => {

      // Generic JWKS key (fallback to OIDC_JWKS_KEY for backward compatibility)
      JWKS_KEY: process.env.JWKS_KEY || process.env.OIDC_JWKS_KEY,
+      ENABLE_OIDC: !!(process.env.JWKS_KEY || process.env.OIDC_JWKS_KEY),
    },
  });
 };
--- a/src/envs/oidc.ts
+++ b/src/envs/oidc.ts
@@ -1,18 +0,0 @@
-import { createEnv } from '@t3-oss/env-nextjs';
-import { z } from 'zod';
-
-export const oidcEnv = createEnv({
-  client: {},
-  runtimeEnv: {
-    ENABLE_OIDC: process.env.ENABLE_OIDC === '1',
-    OIDC_JWKS_KEY: process.env.OIDC_JWKS_KEY,
-  },
-  server: {
-    // 是否启用 OIDC
-    ENABLE_OIDC: z.boolean().optional().default(false),
-    // OIDC 签名密钥
-    // 必须是一个包含私钥的 JWKS (JSON Web Key Set) 格式的 JSON 字符串。
-    // 可以使用 `node scripts/generate-oidc-jwk.mjs` 命令生成。
-    OIDC_JWKS_KEY: z.string().optional(),
-  },
-});
--- a/src/libs/next/proxy/define-config.ts
+++ b/src/libs/next/proxy/define-config.ts
@@ -12,7 +12,6 @@ import { LOBE_THEME_APPEARANCE } from '@/const/theme';
 import { isDesktop } from '@/const/version';
 import { appEnv } from '@/envs/app';
 import { authEnv } from '@/envs/auth';
-import { oidcEnv } from '@/envs/oidc';
 import NextAuth from '@/libs/next-auth';
 import { type Locales } from '@/locales/resources';
 import { parseBrowserLanguage } from '@/utils/locale';
@@ -236,7 +235,7 @@ export function defineConfig() {
      response.headers.set(OAUTH_AUTHORIZED, 'true');

      // If OIDC is enabled and user is logged in, add OIDC session pre-sync header
-      if (oidcEnv.ENABLE_OIDC && session?.user?.id) {
+      if (authEnv.ENABLE_OIDC && session?.user?.id) {
        logNextAuth('OIDC session pre-sync: Setting %s = %s', OIDC_SESSION_HEADER, session.user.id);
        response.headers.set(OIDC_SESSION_HEADER, session.user.id);
      }
@@ -285,10 +284,10 @@ export function defineConfig() {
      });

      // If OIDC is enabled and Clerk user is logged in, add OIDC session pre-sync header
-      if (oidcEnv.ENABLE_OIDC && data.userId) {
+      if (authEnv.ENABLE_OIDC && data.userId) {
        logClerk('OIDC session pre-sync: Setting %s = %s', OIDC_SESSION_HEADER, data.userId);
        response.headers.set(OIDC_SESSION_HEADER, data.userId);
-      } else if (oidcEnv.ENABLE_OIDC) {
+      } else if (authEnv.ENABLE_OIDC) {
        logClerk('No Clerk user detected, not setting OIDC session sync header');
      }

@@ -351,7 +350,7 @@ export function defineConfig() {
    enableBetterAuth: authEnv.NEXT_PUBLIC_ENABLE_BETTER_AUTH,
    enableClerk: authEnv.NEXT_PUBLIC_ENABLE_CLERK_AUTH,
    enableNextAuth: authEnv.NEXT_PUBLIC_ENABLE_NEXT_AUTH,
-    enableOIDC: oidcEnv.ENABLE_OIDC,
+    enableOIDC: authEnv.ENABLE_OIDC,
  });

  return {
--- a/src/libs/trpc/lambda/context.ts
+++ b/src/libs/trpc/lambda/context.ts
@@ -1,17 +1,17 @@
-import { type ClientSecretPayload } from '@lobechat/types';
-import { parse } from 'cookie';
-import debug from 'debug';
-import { type User } from 'next-auth';
-import { type NextRequest } from 'next/server';
-
 import {
  LOBE_CHAT_AUTH_HEADER,
  LOBE_CHAT_OIDC_AUTH_HEADER,
  enableBetterAuth,
  enableClerk,
  enableNextAuth,
-} from '@/const/auth';
-import { oidcEnv } from '@/envs/oidc';
+} from '@lobechat/const';
+import { type ClientSecretPayload } from '@lobechat/types';
+import { parse } from 'cookie';
+import debug from 'debug';
+import { type User } from 'next-auth';
+import { type NextRequest } from 'next/server';
+
+import { authEnv } from '@/envs/auth';
 import { ClerkAuth, type IClerkAuth } from '@/libs/clerk-auth';
 import { validateOIDCJWT } from '@/libs/oidc-provider/jwt';

@@ -129,11 +129,9 @@ export const createLambdaContext = async (request: NextRequest): Promise<LambdaC
  let oidcAuth = null;

  // Prioritize checking for OIDC authentication (both standard Authorization and custom Oidc-Auth headers)
-  if (oidcEnv.ENABLE_OIDC) {
+  if (authEnv.ENABLE_OIDC) {
    log('OIDC enabled, attempting OIDC authentication');
-    const standardAuthorization = request.headers.get('Authorization');
    const oidcAuthToken = request.headers.get(LOBE_CHAT_OIDC_AUTH_HEADER);
-    log('Standard Authorization header: %s', standardAuthorization ? 'exists' : 'not found');
    log('Oidc-Auth header: %s', oidcAuthToken ? 'exists' : 'not found');

    try {
--- a/src/server/services/oidc/oidcProvider.ts
+++ b/src/server/services/oidc/oidcProvider.ts
@@ -1,5 +1,5 @@
 import { getDBInstance } from '@/database/core/web-server';
-import { oidcEnv } from '@/envs/oidc';
+import { authEnv } from '@/envs/auth';
 import { type OIDCProvider, createOIDCProvider } from '@/libs/oidc-provider/provider';

 /**
@@ -13,7 +13,7 @@ let provider: OIDCProvider;
 */
 export const getOIDCProvider = async (): Promise<OIDCProvider> => {
  if (!provider) {
-    if (!oidcEnv.ENABLE_OIDC) {
+    if (!authEnv.ENABLE_OIDC) {
      throw new Error('OIDC is not enabled. Set ENABLE_OIDC=1 to enable it.');
    }