From f2a29653b251223082166af4bb691702f3414746 Mon Sep 17 00:00:00 2001 From: Jin <22962980+JYC333@users.noreply.github.com> Date: Wed, 26 Mar 2025 02:39:29 +0100 Subject: [PATCH] =?UTF-8?q?feat:=20=F0=9F=8E=B8=20Fix=20SSO=20login?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 src/routes/login.ts | 8 +++++++-
 src/services/auth.ts | 12 ++++--------
 src/services/open_id.ts | 34 +++++++++++++++++++++++-----------
 3 files changed, 34 insertions(+), 20 deletions(-)
diff --git a/src/routes/login.ts b/src/routes/login.ts
index b03099eca..25b2cb9e0 100644
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@@ -64,7 +64,13 @@ function setPassword(req: Request, res: Response) {
 function login(req: Request, res: Response) {
 if (openID.isOpenIDEnabled()) {
- res.oidc.login({ returnTo: '/' });
+ res.oidc.login({
+ returnTo: '/',
+ authorizationParams: {
+ prompt: 'consent',
+ access_type: 'offline'
+ }
+ });
 return;
 }
diff --git a/src/services/auth.ts b/src/services/auth.ts
index cb10f3662..2a0b2d6d7 100644
--- a/src/services/auth.ts
+++ b/src/services/auth.ts
@@ -28,16 +28,12 @@ function checkAuth(req: Request, res: Response, next: NextFunction) {
 });
 return;
 } else if (openID.isOpenIDEnabled()) {
- if (
- req.oidc.isAuthenticated() &&
- openIDEncryption.verifyOpenIDSubjectIdentifier(req.oidc.user?.sub)
- ) {
- req.session.loggedIn = true;
+ if (req.oidc?.isAuthenticated() && req.session.loggedIn) {
 next();
- } else {
- req.session.loggedIn = false;
- res.oidc.login({});
+ return;
 }
+ res.redirect('/login');
+ return;
 } else if (!req.session.loggedIn && !isElectron && !noAuthentication) {
 const redirectToShare = options.getOptionBool("redirectBareDomain");
 if (redirectToShare) {
diff --git a/src/services/open_id.ts b/src/services/open_id.ts
index 1a9b7b1b9..54cb23e09 100644
--- a/src/services/open_id.ts
+++ b/src/services/open_id.ts
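Review bot: `access_type: 'offline'` in the new res.oidc.login call asks the provider for a refresh token, and `prompt: 'consent'` forces the consent screen so a fresh one is issued on every login, yet nothing in this commit consumes a refresh token, so the extra long-lived credential is presumably just retained alongside the session. Request only what the login needs, e.g. `res.oidc.login({ returnTo: '/', authorizationParams: { prompt: 'consent' } });`, or document why offline access is required. The same two parameters are also added to the config-level authorizationParams in open_id.ts in this commit, so one of the two places is redundant. login's body continues outside the hunk.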
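Review bot: The new condition `req.oidc?.isAuthenticated() && req.session.loggedIn` drops the `openIDEncryption.verifyOpenIDSubjectIdentifier` call, so once the session flag is set nothing in checkAuth ties the request to the stored OpenID subject; the flag is set in afterCallback in open_id.ts (changed in this commit) for any account that completes the flow, and no other subject check is visible here. Keeping the comparison in the gate is cheap: `if (req.oidc?.isAuthenticated() && req.session.loggedIn && openIDEncryption.verifyOpenIDSubjectIdentifier(req.oidc.user?.sub)) {`. The fall-through `res.redirect('/login')` also no longer clears `req.session.loggedIn` the way the removed else branch did, so a stale flag outlives a lapsed IdP session until the next callback; resetting it before the redirect keeps the two states consistent. checkAuth continues outside the hunk.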
@@ -103,33 +103,45 @@ function generateOAuthConfig() {
 };
 const authConfig = {
- authRequired: true,
+ authRequired: false,
 auth0Logout: false,
 baseURL: config.MultiFactorAuthentication.oauthBaseUrl,
 clientID: config.MultiFactorAuthentication.oauthClientId,
- issuerBaseURL: "https://accounts.google.com/.well-known/openid-configuration",
+ issuerBaseURL: "https://accounts.google.com",
 secret: config.MultiFactorAuthentication.oauthClientSecret,
 clientSecret: config.MultiFactorAuthentication.oauthClientSecret,
 authorizationParams: {
 response_type: "code",
 scope: "openid profile email",
+ access_type: "offline",
+ prompt: "consent",
+ state: "random_state_" + Math.random().toString(36).substring(2)
 },
 routes: authRoutes,
- idpLogout: false,
+ idpLogout: true,
 logoutParams: logoutParams,
 afterCallback: async (req: Request, res: Response, session: Session) => {
 if (!sqlInit.isDbInitialized()) return session;
- if (isUserSaved()) return session;
-
- if (req.oidc.user === undefined) {
+ if (!req.oidc.user) {
 console.log("user invalid!");
- } else {
- openIDEncryption.saveUser(
- req.oidc.user.sub.toString(),
- req.oidc.user.name.toString(),
- req.oidc.user.email.toString());
+ return session;
 }
+
+ // 保存用户信息
+ openIDEncryption.saveUser(
+ req.oidc.user.sub.toString(),
+ req.oidc.user.name.toString(),
+ req.oidc.user.email.toString()
+ );
+
+ // 设置登录状态
+ req.session.loggedIn = true;
+ req.session.lastAuthState = {
+ totpEnabled: false,
+ ssoEnabled: true
+ };
+
 return session;
 },
 };
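Review bot: afterCallback now calls `openIDEncryption.saveUser(...)` without the removed `isUserSaved()` guard and then sets `req.session.loggedIn = true`, so every callback overwrites the stored identity with whichever account just completed the flow and nothing in this hunk binds the session to the originally enrolled subject (the subject comparison in auth.ts is removed in the same commit). Save the user only when none is stored and otherwise require `openIDEncryption.verifyOpenIDSubjectIdentifier(req.oidc.user.sub)` before setting the flag, as sketched below. Separately, `state: "random_state_" + Math.random()...` in authorizationParams is computed once when the config object is built, with a non-cryptographic generator; if the library's per-request state takes precedence the line is dead, and if it does not a fixed state defeats the callback's CSRF protection, so drop it either way. The two Chinese comments should be English like the rest of the file, e.g. `// persist the OIDC user` and `// mark the session as logged in`.
```typescript
afterCallback: async (req: Request, res: Response, session: Session) => {
    if (!sqlInit.isDbInitialized()) return session;
    if (!req.oidc.user) {
        console.log("user invalid!");
        return session;
    }

    // Bind this instance to the first subject that completes the flow;
    // later callbacks must present the same subject before they are trusted.
    if (!isUserSaved()) {
        openIDEncryption.saveUser(
            req.oidc.user.sub.toString(),
            req.oidc.user.name.toString(),
            req.oidc.user.email.toString()
        );
    } else if (!openIDEncryption.verifyOpenIDSubjectIdentifier(req.oidc.user.sub)) {
        console.log("OpenID subject does not match the stored user");
        return session;
    }

    // mark the session as logged in
    req.session.loggedIn = true;
    // … unchanged: lastAuthState assignment …
    return session;
},
```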