feat: 🎸 Fix SSO login

2025-10-24 08:11:30 +08:00 · 2025-03-26 02:39:29 +01:00 · 2025-03-26 02:39:29 +01:00 · f2a29653b2
commit f2a29653b2
parent d4b657e4d8
3 changed files with 34 additions and 20 deletions
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@ -64,7 +64,13 @@ function setPassword(req: Request, res: Response) {

 function login(req: Request, res: Response) {
    if (openID.isOpenIDEnabled()) {
-        res.oidc.login({ returnTo: '/' });
+        res.oidc.login({
+            returnTo: '/',
+            authorizationParams: {
+                prompt: 'consent',
+                access_type: 'offline'
+            }
+        });
        return;
    }

--- a/src/services/auth.ts
+++ b/src/services/auth.ts
@ -28,16 +28,12 @@ function checkAuth(req: Request, res: Response, next: NextFunction) {
        });
        return;
    } else if (openID.isOpenIDEnabled()) {
-        if (
-            req.oidc.isAuthenticated() &&
-            openIDEncryption.verifyOpenIDSubjectIdentifier(req.oidc.user?.sub)
-        ) {
-            req.session.loggedIn = true;
+        if (req.oidc?.isAuthenticated() && req.session.loggedIn) {
            next();
-        } else {
-            req.session.loggedIn = false;
-            res.oidc.login({});
+            return;
        }
+        res.redirect('/login');
+        return;
    } else if (!req.session.loggedIn && !isElectron && !noAuthentication) {
        const redirectToShare = options.getOptionBool("redirectBareDomain");
        if (redirectToShare) {
--- a/src/services/open_id.ts
+++ b/src/services/open_id.ts
@ -103,33 +103,45 @@ function generateOAuthConfig() {
    };

    const authConfig = {
-        authRequired: true,
+        authRequired: false,
        auth0Logout: false,
        baseURL: config.MultiFactorAuthentication.oauthBaseUrl,
        clientID: config.MultiFactorAuthentication.oauthClientId,
-        issuerBaseURL: "https://accounts.google.com/.well-known/openid-configuration",
+        issuerBaseURL: "https://accounts.google.com",
        secret: config.MultiFactorAuthentication.oauthClientSecret,
        clientSecret: config.MultiFactorAuthentication.oauthClientSecret,
        authorizationParams: {
            response_type: "code",
            scope: "openid profile email",
+            access_type: "offline",
+            prompt: "consent",
+            state: "random_state_" + Math.random().toString(36).substring(2)
        },
        routes: authRoutes,
-        idpLogout: false,
+        idpLogout: true,
        logoutParams: logoutParams,
        afterCallback: async (req: Request, res: Response, session: Session) => {
            if (!sqlInit.isDbInitialized()) return session;

-            if (isUserSaved()) return session;
-
-            if (req.oidc.user === undefined) {
+            if (!req.oidc.user) {
                console.log("user invalid!");
-            } else {
-                openIDEncryption.saveUser(
-                    req.oidc.user.sub.toString(),
-                    req.oidc.user.name.toString(),
-                    req.oidc.user.email.toString());
+                return session;
            }
+
+            // 保存用户信息
+            openIDEncryption.saveUser(
+                req.oidc.user.sub.toString(),
+                req.oidc.user.name.toString(),
+                req.oidc.user.email.toString()
+            );
+
+            // 设置登录状态
+            req.session.loggedIn = true;
+            req.session.lastAuthState = {
+                totpEnabled: false,
+                ssoEnabled: true
+            };
+
            return session;
        },
    };