From 6e8d4ffbc79cacfaea63ff15cb8d8fc28453b8e7 Mon Sep 17 00:00:00 2001
From: Arvin Xu
Date: Thu, 1 Jan 2026 21:45:42 +0800
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20refactor:=20refactor=20oid?=
 =?UTF-8?q?c=20env=20to=20auth=20env=20(#11095)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

♻️ refactor: refactor oidc to auth
---
 e2e/src/support/webServer.ts | 1 -
 src/app/(backend)/oidc/[...oidc]/route.ts | 4 ++--
 .../(auth)/oauth/consent/[uid]/page.tsx | 4 ++--
 src/envs/auth.ts | 2 ++
 src/envs/oidc.ts | 18 -----------------
 src/libs/next/proxy/define-config.ts | 9 ++++-----
 src/libs/trpc/lambda/context.ts | 20 +++++++++----------
 src/server/services/oidc/oidcProvider.ts | 4 ++--
 8 files changed, 21 insertions(+), 41 deletions(-)
 delete mode 100644 src/envs/oidc.ts

diff --git a/e2e/src/support/webServer.ts b/e2e/src/support/webServer.ts
index a2dd2b2603..ca110d6aec 100644
--- a/e2e/src/support/webServer.ts
+++ b/e2e/src/support/webServer.ts
@@ -101,7 +101,6 @@ export async function startWebServer(options: WebServerOptions): Promise {
 ...process.env,
 // E2E test secret keys
 BETTER_AUTH_SECRET: 'e2e-test-secret-key-for-better-auth-32chars!',
- ENABLE_OIDC: '0',
 KEY_VAULTS_SECRET: 'LA7n9k3JdEcbSgml2sxfw+4TV1AzaaFU5+R176aQz4s=',
 // Disable email verification for e2e
 NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION: '0',
diff --git a/src/app/(backend)/oidc/[...oidc]/route.ts b/src/app/(backend)/oidc/[...oidc]/route.ts
index 4b641f3e25..309d75b511 100644
--- a/src/app/(backend)/oidc/[...oidc]/route.ts
+++ b/src/app/(backend)/oidc/[...oidc]/route.ts
@@ -2,7 +2,7 @@ import debug from 'debug';
 import { type NextRequest, NextResponse } from 'next/server';
 import { URL } from 'node:url';
 
-import { oidcEnv } from '@/envs/oidc';
+import { authEnv } from '@/envs/auth';
 import { createNodeRequest, createNodeResponse } from '@/libs/oidc-provider/http-adapter';
 import { getOIDCProvider } from '@/server/services/oidc/oidcProvider';
 
@@ -17,7 +17,7 @@ const handler = async (req: NextRequest) => {
 let responseCollector;
 
 try {
- if (!oidcEnv.ENABLE_OIDC) {
+ if (!authEnv.ENABLE_OIDC) {
 log('OIDC is not enabled');
 return new NextResponse('OIDC is not enabled', { status: 404 });
 }
diff --git a/src/app/[variants]/(auth)/oauth/consent/[uid]/page.tsx b/src/app/[variants]/(auth)/oauth/consent/[uid]/page.tsx
index 33c1b1e143..ef68a4f858 100644
--- a/src/app/[variants]/(auth)/oauth/consent/[uid]/page.tsx
+++ b/src/app/[variants]/(auth)/oauth/consent/[uid]/page.tsx
@@ -1,6 +1,6 @@
 import { notFound } from 'next/navigation';
 
-import { oidcEnv } from '@/envs/oidc';
+import { authEnv } from '@/envs/auth';
 import { defaultClients } from '@/libs/oidc-provider/config';
 import { OIDCService } from '@/server/services/oidc';
 
@@ -9,7 +9,7 @@ import Consent from './Consent';
 import Login from './Login';
 
 const InteractionPage = async (props: { params: Promise<{ uid: string }> }) => {
- if (!oidcEnv.ENABLE_OIDC) return notFound();
+ if (!authEnv.ENABLE_OIDC) return notFound();
 
 const params = await props.params;
 const uid = params.uid;
diff --git a/src/envs/auth.ts b/src/envs/auth.ts
index 80651b6ba7..e20cb8f895 100644
--- a/src/envs/auth.ts
+++ b/src/envs/auth.ts
@@ -284,6 +284,7 @@ export const getAuthConfig = () => {
 
 // Generic JWKS key for signing/verifying JWTs
 JWKS_KEY: z.string().optional(),
+ ENABLE_OIDC: z.boolean(),
 },
 
 runtimeEnv: {
@@ -407,6 +408,7 @@ export const getAuthConfig = () => {
 
 // Generic JWKS key (fallback to OIDC_JWKS_KEY for backward compatibility)
 JWKS_KEY: process.env.JWKS_KEY || process.env.OIDC_JWKS_KEY,
+ ENABLE_OIDC: !!(process.env.JWKS_KEY || process.env.OIDC_JWKS_KEY),
 },
 });
 };
diff --git a/src/envs/oidc.ts b/src/envs/oidc.ts
deleted file mode 100644
index efdca8a1fd..0000000000
--- a/src/envs/oidc.ts
+++ /dev/null
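Review bot: `ENABLE_OIDC: !!(process.env.JWKS_KEY || process.env.OIDC_JWKS_KEY)` in the runtimeEnv hunk of src/envs/auth.ts turns the OIDC provider on for any deployment that has a JWKS key configured, while the explicit `ENABLE_OIDC` variable (previously `process.env.ENABLE_OIDC === '1'`, defaulting to false, in the deleted src/envs/oidc.ts) is no longer read by the env config at all. Because the schema hunk documents `JWKS_KEY` as a generic signing/verification key, an operator who sets it for that purpose now also exposes the `/oidc/*` route handler and the consent page gated on `authEnv.ENABLE_OIDC`, and short of unsetting the key there is no way to force the provider off — which is presumably why the e2e hunk in e2e/src/support/webServer.ts had to drop `ENABLE_OIDC: '0'`. If an opt-in is still wanted, `ENABLE_OIDC: process.env.ENABLE_OIDC === '1' && !!(process.env.JWKS_KEY || process.env.OIDC_JWKS_KEY),` keeps the old default while still requiring key material; if auto-enabling is the intent, the message in src/libs/trpc/lambda/context.ts (`'OIDC is not enabled. Set ENABLE_OIDC=1 to enable it.'`) is now wrong and should point at `JWKS_KEY` instead, and the commit description should say this is a behaviour change rather than a pure refactor. Either way, the key-format note from the deleted file (a JWKS JSON string containing the private key, generated with `node scripts/generate-oidc-jwk.mjs`) should be carried over to the `JWKS_KEY` comment, since that was the only place it was documented. getAuthConfig continues outside both hunks.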
@@ -1,18 +0,0 @@
-import { createEnv } from '@t3-oss/env-nextjs';
-import { z } from 'zod';
-
-export const oidcEnv = createEnv({
- client: {},
- runtimeEnv: {
- ENABLE_OIDC: process.env.ENABLE_OIDC === '1',
- OIDC_JWKS_KEY: process.env.OIDC_JWKS_KEY,
- },
- server: {
- // 是否启用 OIDC
- ENABLE_OIDC: z.boolean().optional().default(false),
- // OIDC 签名密钥
- // 必须是一个包含私钥的 JWKS (JSON Web Key Set) 格式的 JSON 字符串。
- // 可以使用 `node scripts/generate-oidc-jwk.mjs` 命令生成。
- OIDC_JWKS_KEY: z.string().optional(),
- },
-});
diff --git a/src/libs/next/proxy/define-config.ts b/src/libs/next/proxy/define-config.ts
index d0a9580ed4..2bc751248a 100644
--- a/src/libs/next/proxy/define-config.ts
+++ b/src/libs/next/proxy/define-config.ts
@@ -12,7 +12,6 @@ import { LOBE_THEME_APPEARANCE } from '@/const/theme';
 import { isDesktop } from '@/const/version';
 import { appEnv } from '@/envs/app';
 import { authEnv } from '@/envs/auth';
-import { oidcEnv } from '@/envs/oidc';
 import NextAuth from '@/libs/next-auth';
 import { type Locales } from '@/locales/resources';
 import { parseBrowserLanguage } from '@/utils/locale';
@@ -236,7 +235,7 @@ export function defineConfig() {
 response.headers.set(OAUTH_AUTHORIZED, 'true');
 
 // If OIDC is enabled and user is logged in, add OIDC session pre-sync header
- if (oidcEnv.ENABLE_OIDC && session?.user?.id) {
+ if (authEnv.ENABLE_OIDC && session?.user?.id) {
 logNextAuth('OIDC session pre-sync: Setting %s = %s', OIDC_SESSION_HEADER, session.user.id);
 response.headers.set(OIDC_SESSION_HEADER, session.user.id);
 }
@@ -285,10 +284,10 @@ export function defineConfig() {
 });
 
 // If OIDC is enabled and Clerk user is logged in, add OIDC session pre-sync header
- if (oidcEnv.ENABLE_OIDC && data.userId) {
+ if (authEnv.ENABLE_OIDC && data.userId) {
 logClerk('OIDC session pre-sync: Setting %s = %s', OIDC_SESSION_HEADER, data.userId);
 response.headers.set(OIDC_SESSION_HEADER, data.userId);
- } else if (oidcEnv.ENABLE_OIDC) {
+ } else if (authEnv.ENABLE_OIDC) {
 logClerk('No Clerk user detected, not setting OIDC session sync header');
 }
 
@@ -351,7 +350,7 @@ export function defineConfig() {
 enableBetterAuth: authEnv.NEXT_PUBLIC_ENABLE_BETTER_AUTH,
 enableClerk: authEnv.NEXT_PUBLIC_ENABLE_CLERK_AUTH,
 enableNextAuth: authEnv.NEXT_PUBLIC_ENABLE_NEXT_AUTH,
- enableOIDC: oidcEnv.ENABLE_OIDC,
+ enableOIDC: authEnv.ENABLE_OIDC,
 });
 
 return {
diff --git a/src/libs/trpc/lambda/context.ts b/src/libs/trpc/lambda/context.ts
index dcbaa45912..3399ed49e3 100644
--- a/src/libs/trpc/lambda/context.ts
+++ b/src/libs/trpc/lambda/context.ts
@@ -1,17 +1,17 @@
-import { type ClientSecretPayload } from '@lobechat/types';
-import { parse } from 'cookie';
-import debug from 'debug';
-import { type User } from 'next-auth';
-import { type NextRequest } from 'next/server';
-
 import {
 LOBE_CHAT_AUTH_HEADER,
 LOBE_CHAT_OIDC_AUTH_HEADER,
 enableBetterAuth,
 enableClerk,
 enableNextAuth,
-} from '@/const/auth';
-import { oidcEnv } from '@/envs/oidc';
+} from '@lobechat/const';
+import { type ClientSecretPayload } from '@lobechat/types';
+import { parse } from 'cookie';
+import debug from 'debug';
+import { type User } from 'next-auth';
+import { type NextRequest } from 'next/server';
+
+import { authEnv } from '@/envs/auth';
 import { ClerkAuth, type IClerkAuth } from '@/libs/clerk-auth';
 import { validateOIDCJWT } from '@/libs/oidc-provider/jwt';
@@ -129,11 +129,9 @@ export const createLambdaContext = async (request: NextRequest): Promise => {
 if (!provider) {
- if (!oidcEnv.ENABLE_OIDC) {
+ if (!authEnv.ENABLE_OIDC) {
 throw new Error('OIDC is not enabled. Set ENABLE_OIDC=1 to enable it.');
 }