feat: support auth proxy login mode (#466)

* feat: support auth proxy login mode

Signed-off-by: BobDu <[email protected]>

* feat: support auth proxy login mode(logout)

Signed-off-by: BobDu <[email protected]>

* fix: userId is string type

Signed-off-by: BobDu <[email protected]>

* docs: auth proxy mode

Signed-off-by: BobDu <[email protected]>

---------

Signed-off-by: BobDu <[email protected]>

Author: BobDu

README.en.md

@@ -30,6 +30,7 @@ Some unique features have been added:
 
 [✓] Conversation round limit & setting different limits by user & giftcards
 
+[✓] Implement SSO login through the auth proxy feature (need to integrate a third-party authentication reverse proxy, it can support login protocols such as LDAP/OIDC/SAML)
 
 > [!CAUTION]
 > This project is only published on GitHub, based on the MIT license, free and for open source learning usage. And there will be no any form of account selling, paid service, discussion group, discussion group and other behaviors. Beware of being deceived.
@@ -353,6 +354,22 @@ Q: The content returned is incomplete?
 
 A: There is a length limit for the content returned by the API each time. You can modify the `VITE_GLOB_OPEN_LONG_REPLY` field in the `.env` file under the root directory, set it to `true`, and rebuild the front-end to enable the long reply feature, which can return the full content. It should be noted that using this feature may bring more API usage fees.
 
+## Auth Proxy Mode
+
+> [!WARNING]  
+> This feature is only provided for Operations Engineer with relevant experience to deploy during the integration of the enterprise's internal account management system. Improper configuration may lead to security risks.
+
+Set env `AUTH_PROXY_ENABLED=true` can enable auth proxy mode.
+
+After activating this feature, it is necessary to ensure that chatgpt-web can only be accessed through a reverse proxy.
+
+Authentication is carried out by the reverse proxy, which then forwards the request with the `X-Email` header to identify the user identity.
+
+Recommended for current IdP to use LDAP protocol, using [authelia](https://www.authelia.com)
+
+Recommended for current IdP to use OIDC protocol, using [oauth2-proxy](https://oauth2-proxy.github.io/oauth2-proxy)
+
+
 ## Contributing
 
 Please read the [Contributing Guidelines](./CONTRIBUTING.en.md) before contributing.

README.md

@@ -30,6 +30,8 @@
 
 [✓] 对话数量限制 & 设置不同用户对话数量 & 兑换数量
 
+[✓] 通过 auth proxy 功能实现sso登录 (配合第三方身份验证反向代理 可实现支持 LDAP/OIDC/SAML 等协议登录)
+
 
 > [!CAUTION]
 > 声明：此项目只发布于 Github，基于 MIT 协议，免费且作为开源学习使用。并且不会有任何形式的卖号、付费服务、讨论群、讨论组等行为。谨防受骗。
@@ -349,6 +351,22 @@ PS: 不进行打包，直接在服务器上运行 `pnpm start` 也可
 pnpm build
 ```
 
+## Auth Proxy Mode
+
+> [!WARNING]  
+> 该功能仅适用于有相关经验的运维人员在集成企业内部账号管理系统时部署 配置不当可能会导致安全风险
+
+设置环境变量 `AUTH_PROXY_ENABLED=true` 即可开启 auth proxy 模式
+
+在开启该功能后 需确保 chatgpt-web 只能通过反向代理访问
+
+由反向代理进行进行身份验证 并再转发请求时携带请求头`X-Email`标识用户身份
+
+推荐当前 Idp 使用 LDAP 协议的 可以选择使用 [authelia](https://www.authelia.com)
+
+当前 Idp 使用 OIDC 协议的 可以选择使用 [oauth2-proxy](https://oauth2-proxy.github.io/oauth2-proxy)
+
+
 ## 常见问题
 Q: 为什么 `Git` 提交总是报错？
 

service/src/index.ts

@@ -597,8 +597,9 @@ router.post('/config', rootAuth, async (req, res) => {
 router.post('/session', async (req, res) => {
   try {
     const config = await getCacheConfig()
-    const hasAuth = config.siteConfig.loginEnabled
-    const allowRegister = (await getCacheConfig()).siteConfig.registerEnabled
+    const hasAuth = config.siteConfig.loginEnabled || config.siteConfig.authProxyEnabled
+    const authProxyEnabled = config.siteConfig.authProxyEnabled
+    const allowRegister = config.siteConfig.registerEnabled
     if (config.apiModel !== 'ChatGPTAPI' && config.apiModel !== 'ChatGPTUnofficialProxyAPI')
       config.apiModel = 'ChatGPTAPI'
     const userId = await getUserId(req)
@@ -681,6 +682,7 @@ router.post('/session', async (req, res) => {
         message: '',
         data: {
           auth: hasAuth,
+          authProxyEnabled,
           allowRegister,
           model: config.apiModel,
           title: config.siteConfig.siteTitle,
@@ -698,6 +700,7 @@ router.post('/session', async (req, res) => {
       message: '',
       data: {
         auth: hasAuth,
+        authProxyEnabled,
         allowRegister,
         model: config.apiModel,
         title: config.siteConfig.siteTitle,
@@ -759,6 +762,10 @@ router.post('/user-login', authLimiter, async (req, res) => {
   }
 })
 
+router.post('/user-logout', async (req, res) => {
+  res.send({ status: 'Success', message: '退出登录成功 | Logout successful', data: null })
+})
+
 router.post('/user-send-reset-mail', authLimiter, async (req, res) => {
   try {
     const { username } = req.body as { username: string }
@@ -923,7 +930,7 @@ router.post('/user-edit', rootAuth, async (req, res) => {
     }
     else {
       const newPassword = md5(password)
-      const user = await createUser(email, newPassword, roles, remark, Number(useAmount), limit_switch)
+      const user = await createUser(email, newPassword, roles, null, remark, Number(useAmount), limit_switch)
       await updateUserStatus(user._id.toString(), Status.Normal)
     }
     res.send({ status: 'Success', message: '更新成功 | Update successfully' })

service/src/middleware/auth.ts

@@ -1,12 +1,30 @@
 import jwt from 'jsonwebtoken'
 import type { Request } from 'express'
 import { getCacheConfig } from '../storage/config'
-import { getUserById } from '../storage/mongo'
-import { Status } from '../storage/model'
+import { createUser, getUser, getUserById } from '../storage/mongo'
+import { Status, UserRole } from '../storage/model'
 import type { AuthJwtPayload } from '../types'
 
 async function auth(req, res, next) {
   const config = await getCacheConfig()
+
+  if (config.siteConfig.authProxyEnabled) {
+    try {
+      const username = req.header('X-Email')
+      if (!username) {
+        res.send({ status: 'Unauthorized', message: 'Please config auth proxy (usually is nginx) add set proxy header X-Email.', data: null })
+        return
+      }
+      const user = await getUser(username)
+      req.headers.userId = user._id.toString()
+      next()
+    }
+    catch (error) {
+      res.send({ status: 'Unauthorized', message: error.message ?? 'Please config auth proxy (usually is nginx) add set proxy header X-Email.', data: null })
+    }
+    return
+  }
+
   if (config.siteConfig.loginEnabled) {
     try {
       const token = req.header('Authorization').replace('Bearer ', '')
@@ -32,11 +50,22 @@ async function auth(req, res, next) {
 async function getUserId(req: Request): Promise<string | undefined> {
   let token: string
   try {
-    // no Authorization info is received withput login
+    const config = await getCacheConfig()
+    if (config.siteConfig.authProxyEnabled) {
+      const username = req.header('X-Email')
+      let user = await getUser(username)
+      if (user == null) {
+        const isRoot = username.toLowerCase() === process.env.ROOT_USER
+        user = await createUser(username, '', isRoot ? [UserRole.Admin] : [UserRole.User], Status.Normal, 'Created by auth proxy.')
+      }
+      return user._id.toString()
+    }
+
+    // no Authorization info is received without login
     if (!(req.header('Authorization') as string))
       return null // '6406d8c50aedd633885fa16f'
     token = req.header('Authorization').replace('Bearer ', '')
-    const config = await getCacheConfig()
+
     const info = jwt.verify(token, config.siteConfig.loginSalt.trim()) as AuthJwtPayload
     return info.userId
   }

service/src/middleware/rootAuth.ts

@@ -1,14 +1,31 @@
 import jwt from 'jsonwebtoken'
 import * as dotenv from 'dotenv'
 import { Status, UserRole } from '../storage/model'
-import { getUserById } from '../storage/mongo'
+import { getUser, getUserById } from '../storage/mongo'
 import { getCacheConfig } from '../storage/config'
 import type { AuthJwtPayload } from '../types'
 
 dotenv.config()
 
 async function rootAuth(req, res, next) {
   const config = await getCacheConfig()
+
+  if (config.siteConfig.authProxyEnabled) {
+    try {
+      const username = req.header('X-Email')
+      const user = await getUser(username)
+      req.headers.userId = user._id
+      if (user == null || user.status !== Status.Normal || !user.roles.includes(UserRole.Admin))
+        res.send({ status: 'Fail', message: '无权限 | No permission.', data: null })
+      else
+        next()
+    }
+    catch (error) {
+      res.send({ status: 'Unauthorized', message: error.message ?? 'Please config auth proxy (usually is nginx) add set proxy header X-Email.', data: null })
+    }
+    return
+  }
+
   if (config.siteConfig.loginEnabled) {
     try {
       const token = req.header('Authorization').replace('Bearer ', '')

service/src/storage/config.ts

@@ -44,6 +44,7 @@ export async function getOriginConfig() {
       new SiteConfig(
         process.env.SITE_TITLE || 'ChatGPT Web',
         isNotEmptyString(process.env.AUTH_SECRET_KEY),
+        process.env.AUTH_PROXY_ENABLED === 'true',
         process.env.AUTH_SECRET_KEY,
         process.env.REGISTER_ENABLED === 'true',
         process.env.REGISTER_REVIEW === 'true',
@@ -58,6 +59,8 @@ export async function getOriginConfig() {
   else {
     if (config.siteConfig.loginEnabled === undefined)
       config.siteConfig.loginEnabled = isNotEmptyString(process.env.AUTH_SECRET_KEY)
+    if (config.siteConfig.authProxyEnabled === undefined)
+      config.siteConfig.authProxyEnabled = process.env.AUTH_PROXY_ENABLED === 'true'
     if (config.siteConfig.loginSalt === undefined)
       config.siteConfig.loginSalt = process.env.AUTH_SECRET_KEY
     if (config.apiDisableDebug === undefined)

service/src/storage/model.ts

@@ -191,6 +191,7 @@ export class SiteConfig {
   constructor(
     public siteTitle?: string,
     public loginEnabled?: boolean,
+    public authProxyEnabled?: boolean,
     public loginSalt?: string,
     public registerEnabled?: boolean,
     public registerReview?: boolean,

service/src/storage/mongo.ts

@@ -248,11 +248,14 @@ export async function deleteChat(roomId: number, uuid: number, inversion: boolea
 }
 
 // createUser、updateUserInfo中加入useAmount limit_switch
-export async function createUser(email: string, password: string, roles?: UserRole[], remark?: string, useAmount?: number, limit_switch?: boolean): Promise<UserInfo> {
+export async function createUser(email: string, password: string, roles?: UserRole[], status?: Status, remark?: string, useAmount?: number, limit_switch?: boolean): Promise<UserInfo> {
   email = email.toLowerCase()
   const userInfo = new UserInfo(email, password)
   if (roles && roles.includes(UserRole.Admin))
     userInfo.status = Status.Normal
+  if (status !== null)
+    userInfo.status = status
+
   userInfo.roles = roles
   userInfo.remark = remark
   userInfo.useAmount = useAmount

src/api/index.ts

@@ -89,6 +89,13 @@ export function fetchLogin<T = any>(username: string, password: string, token?:
   })
 }
 
+export function fetchLogout<T = any>() {
+  return post<T>({
+    url: '/user-logout',
+    data: { },
+  })
+}
+
 export function fetchSendResetMail<T = any>(username: string) {
   return post<T>({
     url: '/user-send-reset-mail',

src/components/common/UserAvatar/index.vue

@@ -15,7 +15,7 @@ const authStore = useAuthStore()
 const { isMobile } = useBasicLayout()
 const showPermission = ref(false)
 
-const needPermission = computed(() => !!authStore.session?.auth && !authStore.token && (isMobile.value || showPermission.value))
+const needPermission = computed(() => !!authStore.session?.auth && !authStore.token && !authStore.session?.authProxyEnabled && (isMobile.value || showPermission.value))
 
 const userInfo = computed(() => userStore.userInfo)