feat: add optional OIDC authentication

2026-06-05 17:34:03 +08:00
parent 09f752c8cf
commit 20654d9756
8 changed files with 382 additions and 2 deletions
--- a/lib/auth-config.test.ts
+++ b/lib/auth-config.test.ts
@@ -0,0 +1,88 @@
+import { describe, expect, test } from "bun:test";
+import {
+  getAuthMode,
+  mapOidcProfile,
+  isAuthRoute,
+  isProtectedPath,
+  type AuthEnv,
+} from "./auth-config";
+
+describe("optional OIDC auth config", () => {
+  test("disables auth when no OIDC settings are present", () => {
+    const env: AuthEnv = {};
+
+    expect(getAuthMode(env)).toEqual({ enabled: false, error: null });
+  });
+
+  test("does not enable auth when only non-OIDC auth settings are present", () => {
+    const env: AuthEnv = {
+      AUTH_SECRET: "session-secret",
+      OIDC_PROVIDER_NAME: "Casdoor",
+    };
+
+    expect(getAuthMode(env)).toEqual({ enabled: false, error: null });
+  });
+
+  test("enables auth when all required OIDC settings are present", () => {
+    const env: AuthEnv = {
+      OIDC_ISSUER: "https://door.example.com",
+      OIDC_CLIENT_ID: "analytics",
+      OIDC_CLIENT_SECRET: "secret",
+      AUTH_SECRET: "session-secret",
+    };
+
+    expect(getAuthMode(env)).toEqual({ enabled: true, error: null });
+  });
+
+  test("reports missing settings when OIDC config is partial", () => {
+    const env: AuthEnv = {
+      OIDC_ISSUER: "https://door.example.com",
+      OIDC_CLIENT_ID: "analytics",
+    };
+
+    expect(getAuthMode(env)).toEqual({
+      enabled: false,
+      error: "Missing required auth environment variables: OIDC_CLIENT_SECRET, AUTH_SECRET",
+    });
+  });
+});
+
+describe("auth route matching", () => {
+  test("protects analytics pages and API data routes", () => {
+    expect(isProtectedPath("/")).toBe(true);
+    expect(isProtectedPath("/logs")).toBe(true);
+    expect(isProtectedPath("/detail/user/alice")).toBe(true);
+    expect(isProtectedPath("/api/overview")).toBe(true);
+    expect(isProtectedPath("/api/detail/user/alice")).toBe(true);
+  });
+
+  test("does not protect auth or static asset routes", () => {
+    expect(isProtectedPath("/api/auth/signin")).toBe(false);
+    expect(isProtectedPath("/_next/static/chunk.js")).toBe(false);
+    expect(isProtectedPath("/favicon.ico")).toBe(false);
+    expect(isProtectedPath("/icon.svg")).toBe(false);
+  });
+
+  test("detects auth routes", () => {
+    expect(isAuthRoute("/api/auth/signin")).toBe(true);
+    expect(isAuthRoute("/api/overview")).toBe(false);
+  });
+});
+
+describe("OIDC profile mapping", () => {
+  test("uses standard OIDC profile claims for the NextAuth user", () => {
+    expect(
+      mapOidcProfile({
+        sub: "user-123",
+        preferred_username: "alice",
+        email: "alice@example.com",
+        picture: "https://example.com/alice.png",
+      })
+    ).toEqual({
+      id: "user-123",
+      name: "alice",
+      email: "alice@example.com",
+      image: "https://example.com/alice.png",
+    });
+  });
+});