b19da9c7fe
⚠️ 应用类型约束:当前实现仅支持「钉钉登录-企业内部应用」(DingTalk 开放平台
internal_app 类型)。第三方个人应用、第三方企业应用类型暂不支持——OAuth 流程
相同但 corp 校验、跨企业行为不同。backend 通过 DingTalkAppKind 校验对非
internal_app 类型 fail-closed(硬约束)。
钉钉 OAuth 登录主链
- 4 步 OAuth 链:ExchangeCodeForUserToken / GetUnionIdByUserToken /
GetUserIdByUnionId / GetStaffInfoByUserId;app token 缓存
- pending session 机制持久化 OAuth 中间态;cookie-only token 持久化
- 三种分流:bind_login_required / email_completion / choose_account_action
- corp_restriction_policy 支持 none + internal_only;stale "whitelist" 在
加载层与写入层均静默 coerce 为 none + slog.Warn
- bypass_registration 开关:企业内部模式豁免全局 REGISTRATION_DISABLED
- isReservedEmail / signup_source / canUnbindProvider / OAuth pending flow
等横切点支持 dingtalk provider
- migration 136:4 表 CHECK 约束加入 'dingtalk' provider 值
internal_only 模式同步企业邮箱/姓名/部门到用户属性
- SyncCorpEmail / SyncDisplayName / SyncDept 三个独立开关 + 对应
SyncXxxAttrKey 目标属性 key(默认 dingtalk_email / dingtalk_name /
dingtalk_department);非 internal_only policy 在写入层与加载层均
coerce 为 false,admin handler 与 setting_service 双层兜底
- 同步语义:首次注册写 users.username(昵称优先 → 企业姓名 fallback),
之后每次登录刷新 3 个属性;空值也写入以覆盖旧值
- 邮箱三级 fallback:org_email > email > extension["企业邮箱"]
(钉钉自定义字段 JSON)
- 部门路径递归向上拼接,跳过 dept_id=1 选首个真实子部门,剥离根组织名
- GetUnionIdByUserToken 同时返回 OIDC /contact/users/me 的 nick 字段;
新增 GetDeptInfo 调用 OAPI /topapi/v2/department/get
- AuthHandler 注入 UserAttributeService;OAuth pending flow 在
createPendingOAuthAccount / bindPendingOAuthLogin 分别派发到
AfterRegistration(syncUsername=true)/ AfterLogin
- migration 137 seed dingtalk_email/name/department 三个用户属性定义
附带修复(同集成路径暴露的两个 OAuth 注册回归)
- LoginOrRegisterOAuthWithTokenPair 新建用户分支用 inferLegacySignupSource
覆写 caller 显式传入的 signupSource,导致 dingtalk/linuxdo/oidc/wechat
渠道授权按 email 渠道读取;改为只在 caller 未显式传入时回退邮箱推断
- mergeProviderDefaultGrantSettings 把 parse fallback 默认值
(Concurrency=5 / Balance=0) 当作"未配置"哨兵,admin 显式设 5 时被误判
退回全局默认(复现:全局默认 1 + 渠道默认并发 5 + grant_on_signup → 新
用户实际 concurrency=1);去掉哨兵,admin 任何 >=0 值都覆盖 globalDefaults
前端
- DingTalk Login / Callback / EmailCompletion / ChoiceAccount / Error
视图;router + auth API client
- admin SettingsView:corp policy radio(none / internal_only)+ bypass
注册开关 + i18n;internal_only 下展示三同步开关 + 目标 attr key 下拉
(拉取 user attribute definitions),展示 fieldEmail /
qyapi_get_department_list 钉钉权限申请提示
- Profile:S1 主动绑定 / S5 解绑钉钉按钮 + 合成邮箱防自锁
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
699 lines
19 KiB
TypeScript
699 lines
19 KiB
TypeScript
/**
|
|
* Authentication API endpoints
|
|
* Handles user login, registration, and logout operations
|
|
*/
|
|
|
|
import { apiClient } from './client'
|
|
import type {
|
|
LoginRequest,
|
|
RegisterRequest,
|
|
AuthResponse,
|
|
CurrentUserResponse,
|
|
SendVerifyCodeRequest,
|
|
SendVerifyCodeResponse,
|
|
PublicSettings,
|
|
TotpLoginResponse,
|
|
TotpLogin2FARequest
|
|
} from '@/types'
|
|
|
|
/**
|
|
* Login response type - can be either full auth or 2FA required
|
|
*/
|
|
export type LoginResponse = AuthResponse | TotpLoginResponse
|
|
|
|
/**
|
|
* Type guard to check if login response requires 2FA
|
|
*/
|
|
export function isTotp2FARequired(response: LoginResponse): response is TotpLoginResponse {
|
|
return 'requires_2fa' in response && response.requires_2fa === true
|
|
}
|
|
|
|
/**
|
|
* Store authentication token in localStorage
|
|
*/
|
|
export function setAuthToken(token: string): void {
|
|
localStorage.setItem('auth_token', token)
|
|
}
|
|
|
|
/**
|
|
* Store refresh token in localStorage
|
|
*/
|
|
export function setRefreshToken(token: string): void {
|
|
localStorage.setItem('refresh_token', token)
|
|
}
|
|
|
|
/**
|
|
* Store token expiration timestamp in localStorage
|
|
* Converts expires_in (seconds) to absolute timestamp (milliseconds)
|
|
*/
|
|
export function setTokenExpiresAt(expiresIn: number): void {
|
|
const expiresAt = Date.now() + expiresIn * 1000
|
|
localStorage.setItem('token_expires_at', String(expiresAt))
|
|
}
|
|
|
|
/**
|
|
* Get authentication token from localStorage
|
|
*/
|
|
export function getAuthToken(): string | null {
|
|
return localStorage.getItem('auth_token')
|
|
}
|
|
|
|
/**
|
|
* Get refresh token from localStorage
|
|
*/
|
|
export function getRefreshToken(): string | null {
|
|
return localStorage.getItem('refresh_token')
|
|
}
|
|
|
|
/**
|
|
* Get token expiration timestamp from localStorage
|
|
*/
|
|
export function getTokenExpiresAt(): number | null {
|
|
const value = localStorage.getItem('token_expires_at')
|
|
return value ? parseInt(value, 10) : null
|
|
}
|
|
|
|
/**
|
|
* Clear authentication token from localStorage
|
|
*/
|
|
export function clearAuthToken(): void {
|
|
localStorage.removeItem('auth_token')
|
|
localStorage.removeItem('refresh_token')
|
|
localStorage.removeItem('auth_user')
|
|
localStorage.removeItem('token_expires_at')
|
|
}
|
|
|
|
/**
|
|
* User login
|
|
* @param credentials - Email and password
|
|
* @returns Authentication response with token and user data, or 2FA required response
|
|
*/
|
|
export async function login(credentials: LoginRequest): Promise<LoginResponse> {
|
|
const { data } = await apiClient.post<LoginResponse>('/auth/login', credentials)
|
|
|
|
// Only store token if 2FA is not required
|
|
if (!isTotp2FARequired(data)) {
|
|
setAuthToken(data.access_token)
|
|
if (data.refresh_token) {
|
|
setRefreshToken(data.refresh_token)
|
|
}
|
|
if (data.expires_in) {
|
|
setTokenExpiresAt(data.expires_in)
|
|
}
|
|
localStorage.setItem('auth_user', JSON.stringify(data.user))
|
|
}
|
|
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* Complete login with 2FA code
|
|
* @param request - Temp token and TOTP code
|
|
* @returns Authentication response with token and user data
|
|
*/
|
|
export async function login2FA(request: TotpLogin2FARequest): Promise<AuthResponse> {
|
|
const { data } = await apiClient.post<AuthResponse>('/auth/login/2fa', request)
|
|
|
|
// Store token and user data
|
|
setAuthToken(data.access_token)
|
|
if (data.refresh_token) {
|
|
setRefreshToken(data.refresh_token)
|
|
}
|
|
if (data.expires_in) {
|
|
setTokenExpiresAt(data.expires_in)
|
|
}
|
|
localStorage.setItem('auth_user', JSON.stringify(data.user))
|
|
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* User registration
|
|
* @param userData - Registration data (username, email, password)
|
|
* @returns Authentication response with token and user data
|
|
*/
|
|
export async function register(userData: RegisterRequest): Promise<AuthResponse> {
|
|
const { data } = await apiClient.post<AuthResponse>('/auth/register', userData)
|
|
|
|
// Store token and user data
|
|
setAuthToken(data.access_token)
|
|
if (data.refresh_token) {
|
|
setRefreshToken(data.refresh_token)
|
|
}
|
|
if (data.expires_in) {
|
|
setTokenExpiresAt(data.expires_in)
|
|
}
|
|
localStorage.setItem('auth_user', JSON.stringify(data.user))
|
|
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* Get current authenticated user
|
|
* @returns User profile data
|
|
*/
|
|
export async function getCurrentUser() {
|
|
return apiClient.get<CurrentUserResponse>('/auth/me')
|
|
}
|
|
|
|
/**
|
|
* User logout
|
|
* Clears authentication token and user data from localStorage
|
|
* Optionally revokes the refresh token on the server
|
|
*/
|
|
export async function logout(): Promise<void> {
|
|
const refreshToken = getRefreshToken()
|
|
|
|
// Try to revoke the refresh token on the server
|
|
if (refreshToken) {
|
|
try {
|
|
await apiClient.post('/auth/logout', { refresh_token: refreshToken })
|
|
} catch {
|
|
// Ignore errors - we still want to clear local state
|
|
}
|
|
}
|
|
|
|
clearAuthToken()
|
|
}
|
|
|
|
/**
|
|
* Refresh token response
|
|
*/
|
|
export interface RefreshTokenResponse {
|
|
access_token: string
|
|
refresh_token: string
|
|
expires_in: number
|
|
token_type: string
|
|
}
|
|
|
|
export interface OAuthTokenResponse {
|
|
access_token: string
|
|
refresh_token?: string
|
|
expires_in?: number
|
|
token_type?: string
|
|
}
|
|
|
|
export interface PendingOAuthBindLoginResponse extends Partial<OAuthTokenResponse> {
|
|
auth_result?: string
|
|
redirect?: string
|
|
error?: string
|
|
requires_2fa?: boolean
|
|
temp_token?: string
|
|
user_email_masked?: string
|
|
adoption_required?: boolean
|
|
suggested_display_name?: string
|
|
suggested_avatar_url?: string
|
|
}
|
|
|
|
export type PendingOAuthExchangeResponse = PendingOAuthBindLoginResponse
|
|
|
|
export interface PendingOAuthCreateAccountResponse extends OAuthTokenResponse {
|
|
auth_result?: string
|
|
}
|
|
|
|
export interface PendingOAuthSendVerifyCodeResponse extends SendVerifyCodeResponse {
|
|
auth_result?: string
|
|
provider?: string
|
|
redirect?: string
|
|
}
|
|
|
|
export type OAuthCompletionKind = 'login' | 'bind'
|
|
|
|
export interface OAuthAdoptionDecision {
|
|
adoptDisplayName?: boolean
|
|
adoptAvatar?: boolean
|
|
}
|
|
|
|
function serializeOAuthAdoptionDecision(
|
|
decision?: OAuthAdoptionDecision
|
|
): Record<string, boolean> {
|
|
const payload: Record<string, boolean> = {}
|
|
|
|
if (typeof decision?.adoptDisplayName === 'boolean') {
|
|
payload.adopt_display_name = decision.adoptDisplayName
|
|
}
|
|
if (typeof decision?.adoptAvatar === 'boolean') {
|
|
payload.adopt_avatar = decision.adoptAvatar
|
|
}
|
|
|
|
return payload
|
|
}
|
|
|
|
export function isOAuthLoginCompletion(
|
|
completion: Partial<OAuthTokenResponse>
|
|
): completion is OAuthTokenResponse {
|
|
return typeof completion.access_token === 'string' && completion.access_token.trim().length > 0
|
|
}
|
|
|
|
export function getOAuthCompletionKind(
|
|
completion: Partial<OAuthTokenResponse>
|
|
): OAuthCompletionKind {
|
|
return isOAuthLoginCompletion(completion) ? 'login' : 'bind'
|
|
}
|
|
|
|
export function getPendingOAuthBindLoginKind(
|
|
completion: PendingOAuthBindLoginResponse
|
|
): OAuthCompletionKind {
|
|
return getOAuthCompletionKind(completion)
|
|
}
|
|
|
|
export function isPendingOAuthCreateAccountRequired(
|
|
completion: Pick<PendingOAuthBindLoginResponse, 'error'>
|
|
): boolean {
|
|
return completion.error === 'invitation_required'
|
|
}
|
|
|
|
export function hasPendingOAuthSuggestedProfile(
|
|
completion: Pick<
|
|
PendingOAuthBindLoginResponse,
|
|
'suggested_display_name' | 'suggested_avatar_url'
|
|
>
|
|
): boolean {
|
|
return Boolean(completion.suggested_display_name || completion.suggested_avatar_url)
|
|
}
|
|
|
|
export function persistOAuthTokenContext(tokens: Partial<OAuthTokenResponse>): void {
|
|
if (tokens.refresh_token) {
|
|
setRefreshToken(tokens.refresh_token)
|
|
}
|
|
if (tokens.expires_in) {
|
|
setTokenExpiresAt(tokens.expires_in)
|
|
}
|
|
}
|
|
|
|
export async function prepareOAuthBindAccessTokenCookie(): Promise<void> {
|
|
if (!getAuthToken()) {
|
|
return
|
|
}
|
|
await apiClient.post('/auth/oauth/bind-token')
|
|
}
|
|
|
|
/**
|
|
* Refresh the access token using the refresh token
|
|
* @returns New token pair
|
|
*/
|
|
export async function refreshToken(): Promise<RefreshTokenResponse> {
|
|
const currentRefreshToken = getRefreshToken()
|
|
if (!currentRefreshToken) {
|
|
throw new Error('No refresh token available')
|
|
}
|
|
|
|
const { data } = await apiClient.post<RefreshTokenResponse>('/auth/refresh', {
|
|
refresh_token: currentRefreshToken
|
|
})
|
|
|
|
// Update tokens in localStorage
|
|
setAuthToken(data.access_token)
|
|
setRefreshToken(data.refresh_token)
|
|
setTokenExpiresAt(data.expires_in)
|
|
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* Revoke all sessions for the current user
|
|
* @returns Response with message
|
|
*/
|
|
export async function revokeAllSessions(): Promise<{ message: string }> {
|
|
const { data } = await apiClient.post<{ message: string }>('/auth/revoke-all-sessions')
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* Check if user is authenticated
|
|
* @returns True if user has valid token
|
|
*/
|
|
export function isAuthenticated(): boolean {
|
|
return getAuthToken() !== null
|
|
}
|
|
|
|
/**
|
|
* Get public settings (no auth required)
|
|
* @returns Public settings including registration and Turnstile config
|
|
*/
|
|
export async function getPublicSettings(): Promise<PublicSettings> {
|
|
const { data } = await apiClient.get<PublicSettings>('/settings/public')
|
|
return data
|
|
}
|
|
|
|
export type WeChatOAuthMode = 'open' | 'mp'
|
|
export type WeChatOAuthUnavailableReason =
|
|
| 'not_configured'
|
|
| 'capability_unknown'
|
|
| 'external_browser_required'
|
|
| 'wechat_browser_required'
|
|
| 'native_app_required'
|
|
|
|
export interface ResolvedWeChatOAuthStart {
|
|
mode: WeChatOAuthMode | null
|
|
openEnabled: boolean
|
|
mpEnabled: boolean
|
|
mobileEnabled: boolean
|
|
isWeChatBrowser: boolean
|
|
unavailableReason: WeChatOAuthUnavailableReason | null
|
|
}
|
|
|
|
export type WeChatOAuthPublicSettings = {
|
|
wechat_oauth_enabled?: boolean
|
|
wechat_oauth_open_enabled?: boolean
|
|
wechat_oauth_mp_enabled?: boolean
|
|
wechat_oauth_mobile_enabled?: boolean
|
|
}
|
|
|
|
export function isWeChatWebOAuthEnabled(
|
|
settings: WeChatOAuthPublicSettings | null | undefined,
|
|
): boolean {
|
|
const legacyEnabled = settings?.wechat_oauth_enabled ?? false
|
|
const hasExplicitCapabilities =
|
|
typeof settings?.wechat_oauth_open_enabled === 'boolean' ||
|
|
typeof settings?.wechat_oauth_mp_enabled === 'boolean'
|
|
|
|
if (!hasExplicitCapabilities) {
|
|
return legacyEnabled
|
|
}
|
|
|
|
return settings?.wechat_oauth_open_enabled === true || settings?.wechat_oauth_mp_enabled === true
|
|
}
|
|
|
|
export function hasExplicitWeChatOAuthCapabilities(
|
|
settings: WeChatOAuthPublicSettings | null | undefined,
|
|
): settings is WeChatOAuthPublicSettings & {
|
|
wechat_oauth_open_enabled: boolean
|
|
wechat_oauth_mp_enabled: boolean
|
|
} {
|
|
return typeof settings?.wechat_oauth_open_enabled === 'boolean'
|
|
&& typeof settings?.wechat_oauth_mp_enabled === 'boolean'
|
|
}
|
|
|
|
export function resolveWeChatOAuthStart(
|
|
settings: WeChatOAuthPublicSettings | null | undefined,
|
|
userAgent?: string
|
|
): ResolvedWeChatOAuthStart {
|
|
const normalizedUserAgent = (userAgent
|
|
?? (typeof navigator !== 'undefined' ? navigator.userAgent : '')
|
|
?? '').trim()
|
|
const isWeChatBrowser = /MicroMessenger/i.test(normalizedUserAgent)
|
|
const legacyEnabled = settings?.wechat_oauth_enabled ?? false
|
|
const openEnabled = typeof settings?.wechat_oauth_open_enabled === 'boolean'
|
|
? settings.wechat_oauth_open_enabled
|
|
: legacyEnabled
|
|
const mpEnabled = typeof settings?.wechat_oauth_mp_enabled === 'boolean'
|
|
? settings.wechat_oauth_mp_enabled
|
|
: legacyEnabled
|
|
const mobileEnabled = typeof settings?.wechat_oauth_mobile_enabled === 'boolean'
|
|
? settings.wechat_oauth_mobile_enabled
|
|
: false
|
|
|
|
if (isWeChatBrowser) {
|
|
if (mpEnabled) {
|
|
return { mode: 'mp', openEnabled, mpEnabled, mobileEnabled, isWeChatBrowser, unavailableReason: null }
|
|
}
|
|
if (openEnabled) {
|
|
return { mode: null, openEnabled, mpEnabled, mobileEnabled, isWeChatBrowser, unavailableReason: 'external_browser_required' }
|
|
}
|
|
return { mode: null, openEnabled, mpEnabled, mobileEnabled, isWeChatBrowser, unavailableReason: 'not_configured' }
|
|
}
|
|
|
|
if (openEnabled) {
|
|
return { mode: 'open', openEnabled, mpEnabled, mobileEnabled, isWeChatBrowser, unavailableReason: null }
|
|
}
|
|
if (mpEnabled) {
|
|
return { mode: null, openEnabled, mpEnabled, mobileEnabled, isWeChatBrowser, unavailableReason: 'wechat_browser_required' }
|
|
}
|
|
return { mode: null, openEnabled, mpEnabled, mobileEnabled, isWeChatBrowser, unavailableReason: 'not_configured' }
|
|
}
|
|
|
|
export function resolveWeChatOAuthStartStrict(
|
|
settings: WeChatOAuthPublicSettings | null | undefined,
|
|
userAgent?: string,
|
|
): ResolvedWeChatOAuthStart {
|
|
const normalizedUserAgent = (userAgent
|
|
?? (typeof navigator !== 'undefined' ? navigator.userAgent : '')
|
|
?? '').trim()
|
|
const isWeChatBrowser = /MicroMessenger/i.test(normalizedUserAgent)
|
|
|
|
if (!hasExplicitWeChatOAuthCapabilities(settings)) {
|
|
return {
|
|
mode: null,
|
|
openEnabled: false,
|
|
mpEnabled: false,
|
|
mobileEnabled: false,
|
|
isWeChatBrowser,
|
|
unavailableReason: 'capability_unknown',
|
|
}
|
|
}
|
|
|
|
return resolveWeChatOAuthStart(settings, normalizedUserAgent)
|
|
}
|
|
|
|
/**
|
|
* Send verification code to email
|
|
* @param request - Email and optional Turnstile token
|
|
* @returns Response with countdown seconds
|
|
*/
|
|
export async function sendVerifyCode(
|
|
request: SendVerifyCodeRequest
|
|
): Promise<SendVerifyCodeResponse> {
|
|
const { data } = await apiClient.post<SendVerifyCodeResponse>('/auth/send-verify-code', request)
|
|
return data
|
|
}
|
|
|
|
export async function sendPendingOAuthVerifyCode(
|
|
request: SendVerifyCodeRequest
|
|
): Promise<PendingOAuthSendVerifyCodeResponse> {
|
|
const { data } = await apiClient.post<PendingOAuthSendVerifyCodeResponse>(
|
|
'/auth/oauth/pending/send-verify-code',
|
|
request
|
|
)
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* Validate promo code response
|
|
*/
|
|
export interface ValidatePromoCodeResponse {
|
|
valid: boolean
|
|
bonus_amount?: number
|
|
error_code?: string
|
|
message?: string
|
|
}
|
|
|
|
/**
|
|
* Validate promo code (public endpoint, no auth required)
|
|
* @param code - Promo code to validate
|
|
* @returns Validation result with bonus amount if valid
|
|
*/
|
|
export async function validatePromoCode(code: string): Promise<ValidatePromoCodeResponse> {
|
|
const { data } = await apiClient.post<ValidatePromoCodeResponse>('/auth/validate-promo-code', { code })
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* Validate invitation code response
|
|
*/
|
|
export interface ValidateInvitationCodeResponse {
|
|
valid: boolean
|
|
error_code?: string
|
|
}
|
|
|
|
/**
|
|
* Validate invitation code (public endpoint, no auth required)
|
|
* @param code - Invitation code to validate
|
|
* @returns Validation result
|
|
*/
|
|
export async function validateInvitationCode(code: string): Promise<ValidateInvitationCodeResponse> {
|
|
const { data } = await apiClient.post<ValidateInvitationCodeResponse>('/auth/validate-invitation-code', { code })
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* Forgot password request
|
|
*/
|
|
export interface ForgotPasswordRequest {
|
|
email: string
|
|
turnstile_token?: string
|
|
}
|
|
|
|
/**
|
|
* Forgot password response
|
|
*/
|
|
export interface ForgotPasswordResponse {
|
|
message: string
|
|
}
|
|
|
|
/**
|
|
* Request password reset link
|
|
* @param request - Email and optional Turnstile token
|
|
* @returns Response with message
|
|
*/
|
|
export async function forgotPassword(request: ForgotPasswordRequest): Promise<ForgotPasswordResponse> {
|
|
const { data } = await apiClient.post<ForgotPasswordResponse>('/auth/forgot-password', request)
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* Reset password request
|
|
*/
|
|
export interface ResetPasswordRequest {
|
|
email: string
|
|
token: string
|
|
new_password: string
|
|
}
|
|
|
|
/**
|
|
* Reset password response
|
|
*/
|
|
export interface ResetPasswordResponse {
|
|
message: string
|
|
}
|
|
|
|
/**
|
|
* Reset password with token
|
|
* @param request - Email, token, and new password
|
|
* @returns Response with message
|
|
*/
|
|
export async function resetPassword(request: ResetPasswordRequest): Promise<ResetPasswordResponse> {
|
|
const { data } = await apiClient.post<ResetPasswordResponse>('/auth/reset-password', request)
|
|
return data
|
|
}
|
|
|
|
/**
|
|
* Complete LinuxDo OAuth registration by supplying an invitation code
|
|
* @param invitationCode - Invitation code entered by the user
|
|
* @returns Token pair on success
|
|
*/
|
|
export async function completeLinuxDoOAuthRegistration(
|
|
invitationCode: string,
|
|
decision?: OAuthAdoptionDecision,
|
|
affiliateCode?: string
|
|
): Promise<OAuthTokenResponse> {
|
|
return createPendingLinuxDoOAuthAccount(invitationCode, decision, affiliateCode)
|
|
}
|
|
|
|
/**
|
|
* Complete OIDC OAuth registration by supplying an invitation code
|
|
* @param invitationCode - Invitation code entered by the user
|
|
* @returns Token pair on success
|
|
*/
|
|
export async function completeOIDCOAuthRegistration(
|
|
invitationCode: string,
|
|
decision?: OAuthAdoptionDecision,
|
|
affiliateCode?: string
|
|
): Promise<OAuthTokenResponse> {
|
|
return createPendingOIDCOAuthAccount(invitationCode, decision, affiliateCode)
|
|
}
|
|
|
|
export async function completeWeChatOAuthRegistration(
|
|
invitationCode: string,
|
|
decision?: OAuthAdoptionDecision,
|
|
affiliateCode?: string
|
|
): Promise<OAuthTokenResponse> {
|
|
return createPendingWeChatOAuthAccount(invitationCode, decision, affiliateCode)
|
|
}
|
|
|
|
async function createPendingOAuthAccount(
|
|
provider: 'linuxdo' | 'oidc' | 'wechat' | 'dingtalk',
|
|
invitationCode: string,
|
|
decision?: OAuthAdoptionDecision,
|
|
affiliateCode?: string
|
|
): Promise<PendingOAuthCreateAccountResponse> {
|
|
const normalizedAffiliateCode = affiliateCode?.trim()
|
|
const { data } = await apiClient.post<PendingOAuthCreateAccountResponse>(
|
|
`/auth/oauth/${provider}/complete-registration`,
|
|
{
|
|
invitation_code: invitationCode,
|
|
...(normalizedAffiliateCode ? { aff_code: normalizedAffiliateCode } : {}),
|
|
...serializeOAuthAdoptionDecision(decision)
|
|
}
|
|
)
|
|
return data
|
|
}
|
|
|
|
export async function createPendingLinuxDoOAuthAccount(
|
|
invitationCode: string,
|
|
decision?: OAuthAdoptionDecision,
|
|
affiliateCode?: string
|
|
): Promise<PendingOAuthCreateAccountResponse> {
|
|
return createPendingOAuthAccount('linuxdo', invitationCode, decision, affiliateCode)
|
|
}
|
|
|
|
export async function createPendingOIDCOAuthAccount(
|
|
invitationCode: string,
|
|
decision?: OAuthAdoptionDecision,
|
|
affiliateCode?: string
|
|
): Promise<PendingOAuthCreateAccountResponse> {
|
|
return createPendingOAuthAccount('oidc', invitationCode, decision, affiliateCode)
|
|
}
|
|
|
|
export async function createPendingWeChatOAuthAccount(
|
|
invitationCode: string,
|
|
decision?: OAuthAdoptionDecision,
|
|
affiliateCode?: string
|
|
): Promise<PendingOAuthCreateAccountResponse> {
|
|
return createPendingOAuthAccount('wechat', invitationCode, decision, affiliateCode)
|
|
}
|
|
|
|
export async function createPendingDingTalkOAuthAccount(
|
|
invitationCode: string,
|
|
decision?: OAuthAdoptionDecision,
|
|
affiliateCode?: string
|
|
): Promise<PendingOAuthCreateAccountResponse> {
|
|
return createPendingOAuthAccount('dingtalk', invitationCode, decision, affiliateCode)
|
|
}
|
|
|
|
export async function completePendingOAuthBindLogin(
|
|
decision?: OAuthAdoptionDecision
|
|
): Promise<PendingOAuthBindLoginResponse> {
|
|
const { data } = await apiClient.post<PendingOAuthBindLoginResponse>(
|
|
'/auth/oauth/pending/exchange',
|
|
serializeOAuthAdoptionDecision(decision)
|
|
)
|
|
return data
|
|
}
|
|
|
|
export async function exchangePendingOAuthCompletion(
|
|
decision?: OAuthAdoptionDecision
|
|
): Promise<PendingOAuthExchangeResponse> {
|
|
return completePendingOAuthBindLogin(decision)
|
|
}
|
|
|
|
export const authAPI = {
|
|
login,
|
|
login2FA,
|
|
isTotp2FARequired,
|
|
register,
|
|
getCurrentUser,
|
|
logout,
|
|
isAuthenticated,
|
|
setAuthToken,
|
|
setRefreshToken,
|
|
setTokenExpiresAt,
|
|
getAuthToken,
|
|
getRefreshToken,
|
|
getTokenExpiresAt,
|
|
clearAuthToken,
|
|
getPublicSettings,
|
|
sendVerifyCode,
|
|
sendPendingOAuthVerifyCode,
|
|
validatePromoCode,
|
|
validateInvitationCode,
|
|
forgotPassword,
|
|
resetPassword,
|
|
refreshToken,
|
|
revokeAllSessions,
|
|
getPendingOAuthBindLoginKind,
|
|
isPendingOAuthCreateAccountRequired,
|
|
hasPendingOAuthSuggestedProfile,
|
|
completePendingOAuthBindLogin,
|
|
createPendingLinuxDoOAuthAccount,
|
|
createPendingOIDCOAuthAccount,
|
|
createPendingWeChatOAuthAccount,
|
|
exchangePendingOAuthCompletion,
|
|
completeLinuxDoOAuthRegistration,
|
|
completeOIDCOAuthRegistration,
|
|
completeWeChatOAuthRegistration,
|
|
createPendingDingTalkOAuthAccount
|
|
}
|
|
|
|
export default authAPI
|