diff --git a/src/app/admin/page.tsx b/src/app/admin/page.tsx index a8e08fc..0060520 100644 --- a/src/app/admin/page.tsx +++ b/src/app/admin/page.tsx @@ -6340,6 +6340,7 @@ const RegistrationConfigComponent = ({ OIDCClientId: string; OIDCClientSecret: string; OIDCButtonText: string; + OIDCMinTrustLevel: number; }>({ EnableRegistration: false, RegistrationRequireTurnstile: false, @@ -6356,6 +6357,7 @@ const RegistrationConfigComponent = ({ OIDCClientId: '', OIDCClientSecret: '', OIDCButtonText: '', + OIDCMinTrustLevel: 0, }); useEffect(() => { @@ -6376,6 +6378,7 @@ const RegistrationConfigComponent = ({ OIDCClientId: config.SiteConfig.OIDCClientId || '', OIDCClientSecret: config.SiteConfig.OIDCClientSecret || '', OIDCButtonText: config.SiteConfig.OIDCButtonText || '', + OIDCMinTrustLevel: config.SiteConfig.OIDCMinTrustLevel ?? 0, }); } }, [config]); @@ -6934,7 +6937,31 @@ const RegistrationConfigComponent = ({ className='w-full px-3 py-2 border border-gray-300 dark:border-gray-600 rounded-lg bg-white dark:bg-gray-800 text-gray-900 dark:text-gray-100 focus:ring-2 focus:ring-green-500 focus:border-transparent' />

- 自定义OIDC登录按钮显示的文字,如"使用企业账号登录"、"使用SSO登录"等。留空则显示默认文字"使用OIDC登录" + 自定义OIDC登录按钮显示的文字,如"使用企业账号登录"、"使用SSO登录"等。留空则显示默认文字"使用OIDC登录" +

+ + + {/* OIDC最低信任等级 */} +
+ + + setRegistrationSettings((prev) => ({ + ...prev, + OIDCMinTrustLevel: e.target.value === '' ? 0 : parseInt(e.target.value), + })) + } + className='w-full px-3 py-2 border border-gray-300 dark:border-gray-600 rounded-lg bg-white dark:bg-gray-800 text-gray-900 dark:text-gray-100 focus:ring-2 focus:ring-green-500 focus:border-transparent' + /> +

+ 仅LinuxDo网站有效。设置为0时不判断,1-4表示最低信任等级要求
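Review bot: The onChange handler of the new trust-level input calls `parseInt(e.target.value)` with no radix and no NaN guard, so input such as `abc` leaves NaN in `OIDCMinTrustLevel`; if the settings are posted as JSON that becomes `null` and the admin API rejects the whole form with a generic 参数格式错误 instead of the field being corrected client-side, and nothing enforces the 0–4 range the help text promises. Suggest `const n = Number.parseInt(e.target.value, 10);` followed by `OIDCMinTrustLevel: Number.isInteger(n) ? Math.min(4, Math.max(0, n)) : 0,`. The input element's own attributes are not visible in this hunk; if it is a `type='number'` input, `min={0} max={4} step={1}` would make the constraint visible to the admin as well. The enclosing RegistrationConfigComponent starts and ends outside the hunk.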

diff --git a/src/app/api/admin/site/route.ts b/src/app/api/admin/site/route.ts index 5ca0eb9..285f677 100644 --- a/src/app/api/admin/site/route.ts +++ b/src/app/api/admin/site/route.ts @@ -64,6 +64,7 @@ export async function POST(request: NextRequest) { OIDCClientId, OIDCClientSecret, OIDCButtonText, + OIDCMinTrustLevel, } = body as { SiteName: string; Announcement: string; @@ -100,6 +101,7 @@ export async function POST(request: NextRequest) { OIDCClientId?: string; OIDCClientSecret?: string; OIDCButtonText?: string; + OIDCMinTrustLevel?: number; }; // 参数校验 @@ -135,7 +137,8 @@ export async function POST(request: NextRequest) { (OIDCUserInfoEndpoint !== undefined && typeof OIDCUserInfoEndpoint !== 'string') || (OIDCClientId !== undefined && typeof OIDCClientId !== 'string') || (OIDCClientSecret !== undefined && typeof OIDCClientSecret !== 'string') || - (OIDCButtonText !== undefined && typeof OIDCButtonText !== 'string') + (OIDCButtonText !== undefined && typeof OIDCButtonText !== 'string') || + (OIDCMinTrustLevel !== undefined && typeof OIDCMinTrustLevel !== 'number') ) { return NextResponse.json({ error: '参数格式错误' }, { status: 400 }); } @@ -190,6 +193,7 @@ export async function POST(request: NextRequest) { OIDCClientId, OIDCClientSecret, OIDCButtonText, + OIDCMinTrustLevel, }; // 写入数据库 diff --git a/src/app/api/auth/oidc/callback/route.ts b/src/app/api/auth/oidc/callback/route.ts index 80889c5..4907ae4 100644 --- a/src/app/api/auth/oidc/callback/route.ts +++ b/src/app/api/auth/oidc/callback/route.ts @@ -213,6 +213,7 @@ export async function GET(request: NextRequest) { sub: oidcSub, email: userInfo.email, name: userInfo.name, + trust_level: userInfo.trust_level, // 提取trust_level字段 timestamp: Date.now(), }; diff --git a/src/app/api/auth/oidc/complete-register/route.ts b/src/app/api/auth/oidc/complete-register/route.ts index bd11e0f..f95652d 100644 --- a/src/app/api/auth/oidc/complete-register/route.ts +++ b/src/app/api/auth/oidc/complete-register/route.ts 
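Review bot: The added condition in the 参数校验 block only checks `typeof OIDCMinTrustLevel !== 'number'`, so NaN, negative, fractional and out-of-range values are accepted and written to the site config, where they later drive an access decision in complete-register. Tighten it to `(OIDCMinTrustLevel !== undefined && (!Number.isInteger(OIDCMinTrustLevel) || OIDCMinTrustLevel < 0 || OIDCMinTrustLevel > 4))`, matching the 0–4 range the admin UI documents; if the upper bound is provider-specific, at least reject non-integers and negatives. The POST handler starts and ends outside the hunk.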
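Review bot: `trust_level: userInfo.trust_level` copies the userinfo claim into the OIDC session without checking its type, so a string, object or array returned by the provider reaches the numeric comparison in complete-register unchanged, and a non-numeric value there compares as NaN and passes the gate. Normalise at the boundary so the session only ever holds an integer or nothing: `trust_level: Number.isInteger(Number(userInfo.trust_level)) ? Number(userInfo.trust_level) : undefined,`. A comment such as `// LinuxDo-specific claim; other providers leave it undefined, which downstream treats as 0` would also record why the field is optional. The rest of the callback handler is outside the hunk.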
@@ -102,6 +102,18 @@ export async function POST(request: NextRequest) { ); } + // 检查最低信任等级 + const minTrustLevel = siteConfig.OIDCMinTrustLevel || 0; + if (minTrustLevel > 0) { + const userTrustLevel = oidcSession.trust_level ?? 0; + if (userTrustLevel < minTrustLevel) { + return NextResponse.json( + { error: `您的信任等级(${userTrustLevel})不满足最低要求(${minTrustLevel})` }, + { status: 403 } + ); + } + } + // 检查是否与站长同名 if (username === process.env.USERNAME) { return NextResponse.json( diff --git a/src/app/api/auth/oidc/session-info/route.ts b/src/app/api/auth/oidc/session-info/route.ts index 9bc049a..ae5b838 100644 --- a/src/app/api/auth/oidc/session-info/route.ts +++ b/src/app/api/auth/oidc/session-info/route.ts @@ -35,6 +35,7 @@ export async function GET(request: NextRequest) { return NextResponse.json({ email: oidcSession.email, name: oidcSession.name, + trust_level: oidcSession.trust_level, }); } catch (error) { return NextResponse.json( diff --git a/src/app/oidc-register/page.tsx b/src/app/oidc-register/page.tsx index 93215a8..45088db 100644 --- a/src/app/oidc-register/page.tsx +++ b/src/app/oidc-register/page.tsx @@ -103,6 +103,12 @@ function OIDCRegisterPageClient() { {oidcInfo.name && ( <> 名称: {oidcInfo.name} +
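Review bot: `oidcSession.trust_level ?? 0` only covers a missing or null value; if the stored claim is a non-numeric string or an object, `userTrustLevel < minTrustLevel` evaluates to false because the comparison yields NaN, and the 403 is skipped — an access check should fail closed instead. Coerce and reject anything that is not an integer: `const userTrustLevel = Number(oidcSession.trust_level ?? 0);` and `if (!Number.isInteger(userTrustLevel) || userTrustLevel < minTrustLevel) {`. Note also that this check lives only in complete-register, so it appears to gate first-time registration; if an existing account whose trust level later drops should also be refused, the login path in the callback route would need the same check, which I cannot see from here. The POST handler starts and ends outside the hunk.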
+ + )} + {oidcInfo.trust_level !== undefined && ( + <> + 信任等级: {oidcInfo.trust_level} )}

diff --git a/src/lib/admin.types.ts b/src/lib/admin.types.ts index bd51ec2..7396d44 100644 --- a/src/lib/admin.types.ts +++ b/src/lib/admin.types.ts @@ -48,6 +48,7 @@ export interface AdminConfig { OIDCClientId?: string; // OIDC Client ID OIDCClientSecret?: string; // OIDC Client Secret OIDCButtonText?: string; // OIDC登录按钮文字 + OIDCMinTrustLevel?: number; // 最低信任等级(仅LinuxDo网站有效,为0时不判断) }; UserConfig: { Users: {