✨ feat: support login & session authentication via OAuth 2.0 (Auth0) #1143
@CloudPassenger is attempting to deploy a commit to the LobeHub Team on Vercel. A member of the Team first needs to authorize it.
@CloudPassenger Thank you for raising your pull request and contributing to our Community
It seems not a very heavy task, and the code is clean.
But I request to think of these issues:
- By default, we won't want to show the SSO OAuth in the UI. Because our first customers are the C, not the B. So please make a set of ENVs to make this feature optionally enabled, and it should be disabled by default.
- Please write down some documents about this feature; it should include:
  - Add a guide of `how to enable SSO OAuth` in the `docs/Deployment` folder to help self-hosting users know how to use the SSO OAuth feature in their companies with Docker or Vercel/zeabur/SealOS.
  - Update the usage of these environment variables to the Environment-Variable and Chinese Version 环境变量.
  - Add a develop guide of this feature to introduce how to maintain this feature or to improve it (for example, how it works, how to test and so on). We need a guide for the community to make this feature more maintainable.
- As for the implementation, I think the auth of `openai/...` is not as clean as I expect. Maybe there can be a more biz auth function to just wrap the router function with nothing needing to change with type or params. Let's take a challenge of it.
Codecov Report
Attention:
Additional details and impacted files
@@ Coverage Diff @@
## main #1143 +/- ##
==========================================
- Coverage 86.37% 86.35% -0.02%
==========================================
Files 214 214
Lines 10540 10557 +17
Branches 1140 1140
==========================================
+ Hits 9104 9117 +13
- Misses 1436 1440 +4
View full report in Codecov by Sentry.
Thank you for your kind review. I will follow the instructions and make changes as soon as possible.
@CloudPassenger feel free to ask anything about the implementation~
- clean up code under /api/openai
- update middleware.ts to use custom middleware
- clean up unnecessary type definitions
Hi, based on your reviews I made some changes and refactored the code.
Issue: Upon further code review, I will supplement this PR with the requested documentation, including deployment guides, environment variable usage, and a development guide for maintaining and improving the SSO OAuth feature.
A cleaner implementation! And I think we can make it better.
As you said, there is some problem with `client side` / `server side` envs.
And we have met a similar problem before, and here is my thought:
- define a totally server ENV in `src/config/server.ts` like `ENABLE_OAUTH_SSO`,
- update the code at `api/config/route.ts`, https://github.com/lobehub/lobe-chat/blob/main/src/app/api/config/route.ts#L9 , this API will send the ENVs from server to client. And we have a request method to get data from the server when LobeChat inits.
- make a `selector` in here:

```ts
const enabledOAuthSSO = (s: GlobalStore): boolean => s.serverConfig.enabledOAuthSSO || false;

export const globalSelectors = {
  enabledOAuthSSO,
};
```

- and use the selectors to make the condition:

```ts
const isEnabledOAuth = useGlobalStore(globalSelectors.enabledOAuthSSO);
```

Important
Don't use `NEXT_PUBLIC_XXX` env as the feature flag, because it's not working with Docker Deployment. Here are some issues about this:
you can refer to #773 for more examples.
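The server-side flag flow suggested in the review above, as an added example that is not code from this PR or from LobeChat: the flag is read on the server at request time (`NEXT_PUBLIC_` values are inlined when the image is built), and the config payload is built from an explicit client shape so `AUTH0_CLIENT_SECRET` cannot ride along. The `"1"` convention, the fail-closed credential check and every name other than the environment variables and `enabledOAuthSSO` are assumptions.

```typescript
// Added example, not LobeChat code. The env variable names and enabledOAuthSSO
// come from the thread; every other name here is hypothetical.
type Env = Record<string, string | undefined>;

interface ServerConfig {
  enableOAuthSSO: boolean;
  auth0ClientId: string | undefined;
  auth0ClientSecret: string | undefined; // must never leave the server
  auth0Issuer: string | undefined;
}
// The only shape the config endpoint may return to the browser.
interface ClientConfig { enabledOAuthSSO: boolean }
interface GlobalStore { serverConfig: Partial<ClientConfig> }

// Evaluated per request on the server, so a container started with new env
// values needs no rebuild. Assumed convention: only the string "1" enables it.
function getServerConfig(env: Env): ServerConfig {
  const id = env['AUTH0_CLIENT_ID'];
  const secret = env['AUTH0_CLIENT_SECRET'];
  const issuer = env['AUTH0_ISSUER'];
  // Fail closed: the flag without complete credentials stays disabled.
  const usable = env['ENABLE_OAUTH_SSO'] === '1' && Boolean(id && secret && issuer);
  return { enableOAuthSSO: usable, auth0ClientId: id, auth0ClientSecret: secret, auth0Issuer: issuer };
}

// Build the client payload field by field; spreading ServerConfig here would
// ship the client secret to every visitor.
function toClientConfig(cfg: ServerConfig): ClientConfig {
  return { enabledOAuthSSO: cfg.enableOAuthSSO };
}

function configResponseBody(env: Env): string {
  return JSON.stringify(toClientConfig(getServerConfig(env)));
}

// Client side: the selector from the review; false until the config has loaded.
const enabledOAuthSSO = (s: GlobalStore): boolean => s.serverConfig.enabledOAuthSSO || false;

// Constructed sample environment (placeholder values, not real credentials).
const SAMPLE_ENV: Env = {
  ENABLE_OAUTH_SSO: '1',
  AUTH0_CLIENT_ID: 'constructed-client-id',
  AUTH0_CLIENT_SECRET: 'constructed-secret',
  AUTH0_ISSUER: 'https://tenant.example.com',
};
```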
// TODO: Verify more auth conditions
What does this TODO mean?
I would have thought that some code could have been added to set user permissions (e.g. only allow certain email suffixes to log in). But after thinking about it, the best solution would be to control organisation permissions on the provider of OAuth 2.0 like Auth0.
Now it's OK for this feature, I think it's good enough to merge it. Please rebase the master to resolve the conflict and then add some documents about it~
Hi, sorry for my late reply. I was so busy last week that I didn't follow up on this Pull Request. I saw tons of updates in these few days. I've updated the code according to your instructions, adapted the new API structure, and written a short note about environment variables. I hope you can review it again. And wish you a happy Spring Festival!
@CloudPassenger Good update! And happy Spring Festival! I think your code is as clean as possible. It's time to step into next part: documents. Here are three more things to think:
docs: Add authentication setup guides for LobeChat

Added detailed documentation for setting up the authentication services in LobeChat, with a focus on integrating Auth0. This includes guides for creating an Auth0 application, adding users, and configuring environment variables. Advanced topics cover connecting to existing single sign-on services and setting up social logins. This effort enhances the platform's security and provides clear instructions for enterprise users on authentication procedures.

Hi, Thank you for your feedback. I wrote the instructions for deployment and I am working in progress for the documents for developers. I've given your question some serious thought, and I think for now it's better to use the While only Auth0 is currently adapted (personally, because it's being used within my organisation), Auth.js does support use with multiple providers at the same time. Other developers can easily adapt the single sign-on authentication methods they need, such as enterprise management platforms like Okta, which is not supported by Auth0, based on the capabilities of Auth.js. So they can use different providers for different groups of tenants (staff, temporary users, etc.) Regardless of which provider is used, I think it would be more intuitive to use a single environment variable to enable/disable functionality.

docs: Add authentication integration guide with Auth.js

Adds a comprehensive guide on integrating a new authentication provider using Auth.js in both English and Chinese documentation. The guide includes pre-requisites, step-by-step code integration, server configuration updates, frontend changes, and environment variable setup.

The changes introduce a new guide in the documentation for integrating new authentication providers using Auth.js. The guide is provided in both English and Chinese, ensuring broad accessibility. It covers the necessary pre-requisites, detailed instructions for adding the core authentication code, updating server configuration, modifying frontend components, and setting up the required environment variables. This will aid developers in implementing authentication features using Auth.js in the LobeChat application.

The integration guide for developers is updated
Nice work! I'm glad to merge this PR.
❤️ Great PR @CloudPassenger ❤️ The growth of project is inseparable from user feedback and contribution, thanks for your contribution! If you are interested in the lobehub developer community, please join our discord and then dm @arvinxx or @canisminor1990. They will invite you to our private developer channel. We are talking about the lobe-chat development or sharing ai newsletter around the world.
## [Version 0.125.0](v0.124.3...v0.125.0)

<sup>Released on **2024-02-08**</sup>

#### ✨ Features

- **misc**: Support login & session authentication via OAuth 2.0 (Auth0).

#### What's improved

- **misc**: Support login & session authentication via OAuth 2.0 (Auth0), closes [#1143](#1143) ([0609690](0609690))

This PR is included in version 0.125.0. The release is available on: Your semantic-release bot

## [Version 1.7.0](v1.6.1...v1.7.0)

<sup>Released on **2024-02-08**</sup>

#### ✨ Features

- **misc**: Support login & session authentication via OAuth 2.0 (Auth0).

#### Bug Fixes

- **misc**: Fix OAuthForm.tsx.

#### What's improved

- **misc**: Support login & session authentication via OAuth 2.0 (Auth0), closes [lobehub#1143](https://github.com/bentwnghk/lobe-chat/issues/1143) ([0609690](0609690))

#### What's fixed

- **misc**: Fix OAuthForm.tsx ([a1edfdd](a1edfdd))
Change Type
Description of Change
This Pull Request introduces a new feature that supports login and session authentication using OAuth 2.0 with Auth0 as the provider. The implementation leverages NextAuth.js version 5 to handle authentication both on the server-side (Edge Runtime) and the client-side (Client Components). The current setup allows for a simple OAuth 2.0 authentication flow that is specifically tailored to work with Auth0.
Key changes include:
- Configuration of the OAuth feature through environment variables `AUTH0_CLIENT_ID`, `AUTH0_CLIENT_SECRET`, and `AUTH0_ISSUER`.

Additional Information
This Pull Request is a significant step towards implementing robust user authentication within the application. While the current scope is limited to Auth0, the groundwork has been set for potential expansion to support other OAuth providers in the future. The addition of user authentication opens up new possibilities for personalized user experiences and secure access control.
For developers looking to test or deploy this feature, it's essential to configure the necessary environment variables with their Auth0 credentials. Further documentation or guides on setting up and using Auth0 with NextAuth.js might be beneficial for those unfamiliar with the process.
This contribution aims to provide a secure and user-friendly authentication mechanism, and I look forward to feedback and suggestions for improvement.