Merge branch 'develop-prod' into develop

Author: bitifirefly

Dockerfile.prod-test

@@ -0,0 +1,17 @@
+FROM node:22-bookworm-slim
+
+WORKDIR /app
+
+ENV PNPM_HOME=/pnpm
+ENV PATH=$PNPM_HOME:$PATH
+
+RUN corepack enable && corepack prepare pnpm@10.14.0 --activate
+
+COPY . .
+
+RUN pnpm install --frozen-lockfile
+RUN pnpm build:all
+
+EXPOSE 3000 3010
+
+CMD ["pnpm", "start:prod"]

__tests__/auth/managed-sso.test.ts

@@ -0,0 +1,115 @@
+import {
+  buildManagedCasLoginUrl,
+  buildManagedCasValidateUrl,
+  parseCasServiceResponse,
+  resolveManagedCasProfile,
+  toManagedCasProviderConfig,
+  toPublicManagedSsoProvider,
+} from '@lib/auth/managed-sso';
+import { SsoProvider } from '@lib/types/database';
+
+function createCasProvider(overrides?: Partial<SsoProvider>): SsoProvider {
+  return {
+    id: '11111111-1111-4111-8111-111111111111',
+    name: 'BISTU CAS',
+    protocol: 'CAS',
+    settings: {
+      email_domain: 'bistu.edu.cn',
+      protocol_config: {
+        base_url: 'https://sso.bistu.edu.cn',
+        endpoints: {
+          login: '/login',
+          logout: '/logout',
+          validate: '/serviceValidate',
+          validate_v3: '/p3/serviceValidate',
+        },
+        attributes_mapping: {
+          employee_id: 'cas:user',
+          username: 'log_username',
+          full_name: 'cas:name',
+          email: 'mail',
+        },
+      },
+      security: {
+        allowed_redirect_hosts: ['bistu.edu.cn'],
+      },
+      ui: {
+        icon: '🏛️',
+        description: '北京信息科技大学统一认证系统',
+      },
+    },
+    client_id: null,
+    client_secret: null,
+    metadata_url: null,
+    enabled: true,
+    display_order: 0,
+    button_text: '北信科统一认证',
+    created_at: '2026-03-08T00:00:00.000Z',
+    updated_at: '2026-03-08T00:00:00.000Z',
+    ...overrides,
+  };
+}
+
+describe('managed sso helpers', () => {
+  it('maps CAS provider into public login provider', () => {
+    const provider = toPublicManagedSsoProvider(createCasProvider());
+
+    expect(provider).toEqual(
+      expect.objectContaining({
+        providerId: '11111111-1111-4111-8111-111111111111',
+        authFlow: 'managed-cas',
+        mode: 'managed-cas',
+        icon: '🏛️',
+        displayName: '北信科统一认证',
+        domain: 'bistu.edu.cn',
+      })
+    );
+  });
+
+  it('parses CAS service response and resolves profile', () => {
+    const xml = `
+      <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
+        <cas:authenticationSuccess>
+          <cas:user>20260001</cas:user>
+          <cas:attributes>
+            <cas:log_username>zhangsan</cas:log_username>
+            <cas:name>张三</cas:name>
+            <cas:employeeNumber>20260001</cas:employeeNumber>
+          </cas:attributes>
+        </cas:authenticationSuccess>
+      </cas:serviceResponse>
+    `;
+
+    const parsed = parseCasServiceResponse(xml);
+    const config = toManagedCasProviderConfig(createCasProvider());
+    expect(config).not.toBeNull();
+
+    const profile = resolveManagedCasProfile(config!, parsed);
+    expect(parsed.success).toBe(true);
+    expect(parsed.user).toBe('20260001');
+    expect(profile).toEqual(
+      expect.objectContaining({
+        subject: '20260001',
+        username: 'zhangsan',
+        fullName: '张三',
+        email: '20260001@bistu.edu.cn',
+        employeeNumber: '20260001',
+      })
+    );
+  });
+
+  it('builds CAS login and validate URLs with stable service', () => {
+    const config = toManagedCasProviderConfig(createCasProvider());
+    expect(config).not.toBeNull();
+
+    const serviceUrl =
+      'https://agent.bistu.edu.cn/api/sso/11111111-1111-4111-8111-111111111111/callback?returnUrl=%2Fchat';
+
+    expect(buildManagedCasLoginUrl(config!, serviceUrl)).toBe(
+      'https://sso.bistu.edu.cn/login?service=https%3A%2F%2Fagent.bistu.edu.cn%2Fapi%2Fsso%2F11111111-1111-4111-8111-111111111111%2Fcallback%3FreturnUrl%3D%252Fchat'
+    );
+    expect(buildManagedCasValidateUrl(config!, serviceUrl, 'ST-123')).toBe(
+      'https://sso.bistu.edu.cn/p3/serviceValidate?service=https%3A%2F%2Fagent.bistu.edu.cn%2Fapi%2Fsso%2F11111111-1111-4111-8111-111111111111%2Fcallback%3FreturnUrl%3D%252Fchat&ticket=ST-123'
+    );
+  });
+});

app/api/auth/sso/providers/route.ts

@@ -1,12 +1,29 @@
 import { getPublicSsoProviders } from '@lib/auth/better-auth/server';
+import {
+  PublicLoginSsoProvider,
+  toPublicManagedSsoProvider,
+} from '@lib/auth/managed-sso';
+import { listManagedSsoProvidersForLogin } from '@lib/auth/managed-sso-server';
 import { nextApiErrorResponse } from '@lib/errors/next-api-error-response';
 
 import { NextResponse } from 'next/server';
 
 export async function GET(request: Request) {
   try {
+    const managedProviders = (await listManagedSsoProvidersForLogin())
+      .map(toPublicManagedSsoProvider)
+      .filter(
+        (provider): provider is PublicLoginSsoProvider => provider !== null
+      );
+
+    const runtimeProviders: PublicLoginSsoProvider[] =
+      getPublicSsoProviders().map(provider => ({
+        ...provider,
+        authFlow: 'better-auth',
+      }));
+
     return NextResponse.json({
-      providers: getPublicSsoProviders(),
+      providers: [...managedProviders, ...runtimeProviders],
       success: true,
     });
   } catch (error) {

app/api/internal/error-events/client/route.ts

@@ -0,0 +1,185 @@
+import { resolveSessionIdentityReadOnly } from '@lib/auth/better-auth/session-identity';
+import {
+  REQUEST_ID_HEADER,
+  buildAppErrorDetail,
+  buildAppErrorEnvelope,
+  resolveRequestId,
+} from '@lib/errors/app-error';
+import { recordErrorEvent } from '@lib/server/errors/error-events';
+
+import { NextResponse } from 'next/server';
+
+export const runtime = 'nodejs';
+
+type PayloadObject = Record<string, unknown>;
+
+type SupportedSeverity = 'info' | 'warn' | 'error' | 'critical';
+
+function readString(value: unknown): string | null {
+  if (typeof value !== 'string') {
+    return null;
+  }
+
+  const normalized = value.trim();
+  return normalized.length > 0 ? normalized.slice(0, 4000) : null;
+}
+
+function readBoolean(value: unknown, fallbackValue: boolean): boolean {
+  if (typeof value === 'boolean') {
+    return value;
+  }
+  return fallbackValue;
+}
+
+function readNumber(value: unknown): number | null {
+  if (typeof value !== 'number' || !Number.isFinite(value)) {
+    return null;
+  }
+  return value;
+}
+
+function readObject(value: unknown): PayloadObject {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return {};
+  }
+  return value as PayloadObject;
+}
+
+function readSeverity(value: unknown): SupportedSeverity {
+  const normalized = readString(value)?.toLowerCase();
+  if (
+    normalized === 'info' ||
+    normalized === 'warn' ||
+    normalized === 'error' ||
+    normalized === 'critical'
+  ) {
+    return normalized;
+  }
+  return 'error';
+}
+
+function buildErrorResponse(
+  request: Request,
+  input: {
+    status: number;
+    code: string;
+    userMessage: string;
+    developerMessage: string;
+  }
+) {
+  const requestId = resolveRequestId(request);
+  const detail = buildAppErrorDetail({
+    status: input.status,
+    source: 'next-api',
+    code: input.code,
+    userMessage: input.userMessage,
+    developerMessage: input.developerMessage,
+    requestId,
+  });
+
+  const response = NextResponse.json(
+    buildAppErrorEnvelope(detail, input.userMessage),
+    {
+      status: input.status,
+      headers: {
+        'Cache-Control': 'no-store',
+      },
+    }
+  );
+  response.headers.set(REQUEST_ID_HEADER, requestId);
+  return response;
+}
+
+export async function POST(request: Request) {
+  const fallbackRequestId = resolveRequestId(request);
+
+  try {
+    const rawPayload = await request.json();
+    const payload = readObject(rawPayload);
+    if (Object.keys(payload).length === 0) {
+      return buildErrorResponse(request, {
+        status: 400,
+        code: 'CLIENT_ERROR_REPORT_INVALID_PAYLOAD',
+        userMessage: 'Invalid client error payload',
+        developerMessage: 'Payload is missing or not an object',
+      });
+    }
+
+    const userMessage =
+      readString(payload.userMessage) ||
+      readString(payload.message) ||
+      'Unexpected client error';
+    const developerMessage =
+      readString(payload.developerMessage) || readString(payload.message);
+    const requestId = readString(payload.requestId) || fallbackRequestId;
+    const context = readObject(payload.context);
+    const route =
+      readString(payload.route) ||
+      readString(context.pathname) ||
+      readString(context.href) ||
+      '/client';
+
+    let actorUserId: string | undefined;
+    try {
+      const resolvedIdentity = await resolveSessionIdentityReadOnly(
+        request.headers
+      );
+      if (resolvedIdentity.success && resolvedIdentity.data?.userId) {
+        actorUserId = resolvedIdentity.data.userId;
+      }
+    } catch (identityError) {
+      console.warn(
+        '[ClientErrorReport] failed to resolve session identity:',
+        identityError instanceof Error
+          ? identityError.message
+          : String(identityError)
+      );
+    }
+
+    await recordErrorEvent({
+      code: readString(payload.code) || 'CLIENT_RUNTIME_ERROR',
+      source: 'frontend',
+      severity: readSeverity(payload.severity),
+      retryable: readBoolean(payload.retryable, true),
+      userMessage,
+      developerMessage: developerMessage || undefined,
+      requestId,
+      traceId: readString(payload.traceId) || undefined,
+      actorUserId,
+      httpStatus: readNumber(payload.httpStatus) || undefined,
+      method: readString(payload.method) || 'CLIENT',
+      route,
+      context: {
+        ...context,
+        report_origin: 'browser',
+        server_received_at: new Date().toISOString(),
+        reporter_user_agent:
+          request.headers.get('user-agent')?.slice(0, 1000) || null,
+      },
+    });
+
+    const response = NextResponse.json(
+      {
+        success: true,
+        request_id: requestId,
+      },
+      {
+        status: 202,
+        headers: {
+          'Cache-Control': 'no-store',
+        },
+      }
+    );
+    response.headers.set(REQUEST_ID_HEADER, requestId);
+    return response;
+  } catch (error) {
+    console.error('[ClientErrorReport] failed to record client error:', error);
+    return buildErrorResponse(request, {
+      status: 500,
+      code: 'CLIENT_ERROR_REPORT_FAILED',
+      userMessage: 'Failed to record client error',
+      developerMessage:
+        error instanceof Error ? error.message : 'Unknown client error report failure',
+    });
+  }
+}