mx-space
diff --git a/‎README.md‎
Lines changed: 7 additions & 1 deletion b/‎README.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎apps/core/package.json‎
Lines changed: 1 addition & 0 deletions b/‎apps/core/package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/core/src/app.module.ts‎
Lines changed: 2 additions & 2 deletions b/‎apps/core/src/app.module.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎apps/core/src/common/contexts/request.context.ts‎
Lines changed: 2 additions & 2 deletions b/‎apps/core/src/common/contexts/request.context.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎apps/core/src/common/guards/auth.guard.ts‎
Lines changed: 37 additions & 42 deletions b/‎apps/core/src/common/guards/auth.guard.ts‎
Lines changed: 37 additions & 42 deletions
diff --git a/‎apps/core/src/common/guards/roles.guard.ts‎
Lines changed: 3 additions & 7 deletions b/‎apps/core/src/common/guards/roles.guard.ts‎
Lines changed: 3 additions & 7 deletions
diff --git a/‎apps/core/src/constants/db.constant.ts‎
Lines changed: 1 addition & 0 deletions b/‎apps/core/src/constants/db.constant.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/core/src/constants/error-code.constant.ts‎
Lines changed: 4 additions & 0 deletions b/‎apps/core/src/constants/error-code.constant.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apps/core/src/migration/history.ts‎
Lines changed: 14 additions & 0 deletions b/‎apps/core/src/migration/history.ts‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎apps/core/src/migration/version/v9.7.0.ts‎
Lines changed: 113 additions & 0 deletions b/‎apps/core/src/migration/version/v9.7.0.ts‎
Lines changed: 113 additions & 0 deletions
@@ -23,10 +23,16 @@
 - `pnpm test`：运行测试
 - `pnpm lint`：运行 ESLint
 
+## 升级指南
+
+从 v9 升级到 v10 涉及鉴权体系重构，属于 **breaking change**。
+
+详细升级指南请查看 **[Upgrading to v10](./docs/migrations/v10.md)**
+
 # 许可
 
 此项目在 `apps/` 目录下的所有文件均使用 GNU Affero General Public License v3.0 (AGPLv3) with Additional Terms (ADDITIONAL_TERMS) 许可。
 
 其他部分使用 MIT License 许可。
 
-详情请查看 [LICENSE](./LICENSE) 和 [ADDITIONAL_TERMS](./ADDITIONAL_TERMS.md)。
+详情请查看 [LICENSE](./LICENSE) 和 [ADDITIONAL_TERMS](./ADDITIONAL_TERMS.md)。
@@ -58,6 +58,7 @@
     "@babel/plugin-transform-modules-commonjs": "7.28.6",
     "@babel/plugin-transform-typescript": "7.28.6",
     "@babel/types": "^7.28.5",
+    "@better-auth/passkey": "^1.4.18",
     "@fastify/cookie": "11.0.2",
     "@fastify/multipart": "9.4.0",
     "@fastify/static": "9.0.0",
 
@@ -43,6 +43,7 @@ import { MarkdownModule } from './modules/markdown/markdown.module'
 import { MetaPresetModule } from './modules/meta-preset/meta-preset.module'
 import { NoteModule } from './modules/note/note.module'
 import { OptionModule } from './modules/option/option.module'
+import { OwnerModule } from './modules/owner/owner.module'
 import { PageModule } from './modules/page/page.module'
 import { PageProxyModule } from './modules/pageproxy/pageproxy.module'
 import { PostModule } from './modules/post/post.module'
@@ -60,7 +61,6 @@ import { SnippetModule } from './modules/snippet/snippet.module'
 import { SubscribeModule } from './modules/subscribe/subscribe.module'
 import { TopicModule } from './modules/topic/topic.module'
 import { UpdateModule } from './modules/update/update.module'
-import { UserModule } from './modules/user/user.module'
 import { WebhookModule } from './modules/webhook/webhook.module'
 import { DatabaseModule } from './processors/database/database.module'
 import { GatewayModule } from './processors/gateway/gateway.module'
@@ -115,7 +115,7 @@ import { TaskQueueModule } from './processors/task-queue/task-queue.module'
     SubscribeModule,
     TopicModule,
     UpdateModule,
-    UserModule,
+    OwnerModule,
     WebhookModule,
 
     PageProxyModule,
 
@@ -3,7 +3,7 @@
 import { AsyncLocalStorage } from 'node:async_hooks'
 import type { ServerResponse } from 'node:http'
 import { UnauthorizedException } from '@nestjs/common'
-import type { UserModel } from '~/modules/user/user.model'
+import type { SessionUser } from '~/modules/auth/auth.types'
 import type { BizIncomingMessage } from '~/transformers/get-req.transformer'
 
 type Nullable<T> = T | null
@@ -39,7 +39,7 @@ export class RequestContext {
     return null
   }
 
-  static currentUser(throwError?: boolean): Nullable<UserModel> {
+  static currentUser(throwError?: boolean): Nullable<SessionUser> {
     const requestContext = RequestContext.currentRequestContext()
 
     if (requestContext) {
 
@@ -1,77 +1,72 @@
 import type { CanActivate, ExecutionContext } from '@nestjs/common'
-import { Injectable, UnauthorizedException } from '@nestjs/common'
+import { Injectable, Logger } from '@nestjs/common'
+import { ErrorCodeEnum } from '~/constants/error-code.constant'
 import { AuthService } from '~/modules/auth/auth.service'
-import { ConfigsService } from '~/modules/configs/configs.service'
-import type { UserModel } from '~/modules/user/user.model'
-import { UserService } from '~/modules/user/user.service'
+import type { SessionUser } from '~/modules/auth/auth.types'
 import type { FastifyBizRequest } from '~/transformers/get-req.transformer'
 import { getNestExecutionContextRequest } from '~/transformers/get-req.transformer'
-import { isJWT } from '~/utils/validator.util'
+import { BizException } from '../exceptions/biz.exception'
 
 /**
- * JWT auth guard
+ * Better Auth (cookie + API key) guard
  */
 
 @Injectable()
 export class AuthGuard implements CanActivate {
-  constructor(
-    protected readonly authService: AuthService,
-    protected readonly configs: ConfigsService,
-
-    protected readonly userService: UserService,
-  ) {}
+  protected readonly logger = new Logger(AuthGuard.name)
+  constructor(protected readonly authService: AuthService) {}
   async canActivate(context: ExecutionContext): Promise<any> {
     const request = this.getRequest(context)
 
-    const query = request.query as any
-    const headers = request.headers
-
     const session = await this.authService.getSessionUser(request.raw)
 
-    const Authorization: string =
-      headers.authorization || headers.Authorization || query.token
-
     if (session) {
-      const isOwner = !!session.user?.isOwner
+      const isOwner = session.user?.role === 'owner'
 
       if (isOwner) {
         this.attachUserAndToken(
           request,
-          await this.userService.getMaster(),
-          Authorization,
+          session.user as SessionUser,
+          session.session?.token || '',
         )
         return true
       }
     }
 
-    if (!Authorization) {
-      throw new UnauthorizedException('未登录')
+    const apiKey = this.authService.getApiKeyFromRequest({
+      headers: request.headers,
+      query: request.query as any,
+    })
+
+    if (!apiKey) {
+      throw new BizException(ErrorCodeEnum.AuthNotLoggedIn)
     }
 
-    if (this.authService.isCustomToken(Authorization)) {
-      const [isValid, userModel] =
-        await this.authService.verifyCustomToken(Authorization)
-      if (!isValid) {
-        throw new UnauthorizedException('令牌无效')
-      }
+    if (apiKey.deprecated) {
+      // this.logger.warn(
+      //   '[Auth] Authorization bearer token is deprecated. Use x-api-key instead.',
+      // )
+    }
 
-      this.attachUserAndToken(request, userModel, Authorization)
-      return true
+    if (!this.authService.isCustomToken(apiKey.key)) {
+      throw new BizException(ErrorCodeEnum.AuthTokenInvalid)
     }
 
-    const jwt = Authorization.replace(/[Bb]earer /, '')
+    const result = await this.authService.verifyApiKey(apiKey.key)
+    if (!result?.userId) {
+      throw new BizException(ErrorCodeEnum.AuthTokenInvalid)
+    }
 
-    if (!isJWT(jwt)) {
-      throw new UnauthorizedException('令牌无效')
+    const isOwner = await this.authService.isOwnerReaderId(result.userId)
+    if (!isOwner) {
+      throw new BizException(ErrorCodeEnum.AuthTokenInvalid)
     }
-    const valid = await this.authService.jwtServicePublic.verify(jwt)
 
-    if (!valid) throw new UnauthorizedException('身份过期')
-    this.attachUserAndToken(
-      request,
-      await this.userService.getMaster(),
-      Authorization,
-    )
+    const readerUser = await this.authService.getReaderById(result.userId)
+    if (!readerUser) {
+      throw new BizException(ErrorCodeEnum.AuthTokenInvalid)
+    }
+    this.attachUserAndToken(request, readerUser, apiKey.key)
     return true
   }
 
@@ -81,7 +76,7 @@ export class AuthGuard implements CanActivate {
 
   attachUserAndToken(
     request: FastifyBizRequest,
-    user: UserModel,
+    user: SessionUser,
     token: string,
   ) {
     request.user = user
 
@@ -2,7 +2,6 @@ import type { CanActivate, ExecutionContext } from '@nestjs/common'
 import { Injectable } from '@nestjs/common'
 import { AuthService } from '~/modules/auth/auth.service'
 import { ConfigsService } from '~/modules/configs/configs.service'
-import { UserService } from '~/modules/user/user.service'
 import { getNestExecutionContextRequest } from '~/transformers/get-req.transformer'
 import { AuthGuard } from './auth.guard'
 
@@ -15,10 +14,8 @@ export class RolesGuard extends AuthGuard implements CanActivate {
   constructor(
     protected readonly authService: AuthService,
     protected readonly configs: ConfigsService,
-
-    protected readonly userService: UserService,
   ) {
-    super(authService, configs, userService)
+    super(authService)
   }
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = this.getRequest(context)
@@ -29,10 +26,9 @@ export class RolesGuard extends AuthGuard implements CanActivate {
     } catch {}
 
     const session = await this.authService.getSessionUser(request.raw)
+    const readerId = session?.user?.id || request.user?.id
 
-    if (session) {
-      const readerId = session.user?.id
-
+    if (readerId) {
       request.readerId = readerId
 
       Object.assign(request.raw, {
 
@@ -22,6 +22,7 @@ export const DRAFT_COLLECTION_NAME = 'drafts'
 export const FILE_REFERENCE_COLLECTION_NAME = 'file_references'
 
 export const USER_COLLECTION_NAME = 'users'
+export const OWNER_PROFILE_COLLECTION_NAME = 'owner_profiles'
 export enum CollectionRefTypes {
   Post = POST_COLLECTION_NAME,
   Note = NOTE_COLLECTION_NAME,
 
@@ -77,6 +77,8 @@ export enum ErrorCodeEnum {
   AuthSessionNotFound = 15005,
   AuthUserIdNotFound = 15006,
   AuthFailed = 15007,
+  AuthNotLoggedIn = 15008,
+  AuthTokenInvalid = 15009,
 
   // biz - operation failed (400)
   CategoryHasPosts = 16000,
@@ -230,6 +232,8 @@ export const ErrorCode = Object.freeze<Record<ErrorCodeEnum, [string, number]>>(
     [ErrorCodeEnum.AuthSessionNotFound]: ['会话不存在', 400],
     [ErrorCodeEnum.AuthUserIdNotFound]: ['用户 ID 不存在', 400],
     [ErrorCodeEnum.AuthFailed]: ['认证失败', 400],
+    [ErrorCodeEnum.AuthNotLoggedIn]: ['未登录', 401],
+    [ErrorCodeEnum.AuthTokenInvalid]: ['令牌无效', 401],
 
     // operation failed (400)
     [ErrorCodeEnum.CategoryHasPosts]: ['该分类中有其他文章，无法被删除', 400],
 
@@ -20,6 +20,13 @@ import v9_4_1 from './version/v9.4.1'
 import v9_5_0 from './version/v9.5.0'
 import v9_6_0 from './version/v9.6.0'
 import v9_6_3 from './version/v9.6.3'
+import v9_7_0 from './version/v9.7.0'
+import v9_7_1 from './version/v9.7.1'
+import v9_7_2 from './version/v9.7.2'
+import v9_7_3 from './version/v9.7.3'
+import v9_7_4 from './version/v9.7.4'
+import v9_7_5 from './version/v9.7.5'
+import v9_7_6 from './version/v9.7.6'
 
 export default [
   v200Alpha1,
@@ -44,4 +51,11 @@ export default [
   v9_5_0,
   v9_6_0,
   v9_6_3,
+  v9_7_0,
+  v9_7_1,
+  v9_7_2,
+  v9_7_3,
+  v9_7_4,
+  v9_7_5,
+  v9_7_6,
 ]
@@ -0,0 +1,113 @@
+import { USER_COLLECTION_NAME } from '~/constants/db.constant'
+import { AUTH_JS_USER_COLLECTION } from '~/modules/auth/auth.constant'
+import type { Db } from 'mongodb'
+import { defineMigration } from '../helper'
+
+const base64UrlToBase64 = (value: string) => {
+  const normalized = value.replaceAll('-', '+').replaceAll('_', '/')
+  const padding = normalized.length % 4
+  const pad = padding === 0 ? '' : '='.repeat(4 - padding)
+  return `${normalized}${pad}`
+}
+
+export default defineMigration(
+  'v9.7.0-better-auth-migration',
+  async (db: Db) => {
+    const readers = db.collection(AUTH_JS_USER_COLLECTION)
+    let owner = await readers.findOne({ isOwner: true })
+
+    if (!owner) {
+      owner = await readers.findOne({})
+      if (owner && !owner.isOwner) {
+        await readers.updateOne({ _id: owner._id }, { $set: { isOwner: true } })
+      }
+    }
+
+    if (!owner) {
+      const legacyOwner = await db.collection(USER_COLLECTION_NAME).findOne({})
+      if (!legacyOwner) {
+        return
+      }
+
+      const now = new Date()
+      const newOwner = {
+        name: legacyOwner.name ?? legacyOwner.username ?? 'owner',
+        email: legacyOwner.mail ?? 'owner@local',
+        emailVerified: true,
+        image: legacyOwner.avatar ?? null,
+        createdAt: now,
+        updatedAt: now,
+        isOwner: true,
+        handle: legacyOwner.username ?? '',
+      }
+      const result = await readers.insertOne(newOwner)
+      owner = {
+        _id: result.insertedId,
+        ...newOwner,
+      }
+    }
+
+    if (!owner?._id) {
+      return
+    }
+
+    const ownerId = owner._id.toString()
+    const apiKeyCollection = db.collection('apikey')
+    const ownerUser = await db
+      .collection(USER_COLLECTION_NAME)
+      .findOne({}, { projection: { apiToken: 1 } })
+    const apiTokens = ownerUser?.apiToken
+
+    if (Array.isArray(apiTokens)) {
+      for (const token of apiTokens) {
+        if (!token?.token) continue
+        const exists = await apiKeyCollection.findOne({ key: token.token })
+        if (exists) continue
+
+        const createdAt = token.created ? new Date(token.created) : new Date()
+        const expiresAt = token.expired ? new Date(token.expired) : null
+        await apiKeyCollection.insertOne({
+          name: token.name ?? 'txo',
+          start: token.token.slice(0, 6),
+          prefix: token.token.startsWith('txo') ? 'txo' : undefined,
+          key: token.token,
+          userId: ownerId,
+          enabled: true,
+          rateLimitEnabled: true,
+          requestCount: 0,
+          createdAt,
+          updatedAt: createdAt,
+          expiresAt,
+        })
+      }
+    }
+
+    const passkeyCollection = db.collection('passkey')
+    const authnCollection = db.collection('authn')
+    const authnItems = await authnCollection.find().toArray()
+
+    for (const item of authnItems) {
+      if (!item?.credentialID || !item?.credentialPublicKey) continue
+      const existing = await passkeyCollection.findOne({
+        credentialID: String(item.credentialID),
+      })
+      if (existing) continue
+
+      const createdAt = item.created ? new Date(item.created) : new Date()
+      const publicKey = base64UrlToBase64(String(item.credentialPublicKey))
+
+      await passkeyCollection.insertOne({
+        name: item.name,
+        publicKey,
+        userId: ownerId,
+        credentialID: String(item.credentialID),
+        counter: item.counter ?? 0,
+        deviceType: item.credentialDeviceType ?? 'singleDevice',
+        backedUp: item.credentialBackedUp ?? false,
+        transports: item.transports ?? undefined,
+        createdAt,
+        aaguid: item.aaguid ?? undefined,
+      })
+    }
+  },
+)