✨feat: Add compatibility for enabling extension fields in webhook in casdoor #6697
Conversation
Add compatibility for extended user fields of webhook
|
@chung1912 is attempting to deploy a commit to the LobeChat Desktop Team on Vercel. A member of the Team first needs to authorize it. |
dosubot
bot
added
the
size:S
|
Thank you for raising your pull request and contributing to our Community |
| return value; | ||
| }) as Partial<CasdoorWebhookPayload> & CasdoorUserEntity; | ||
|
|
||
| // If enabling webhook Extended user fields |
There was a problem hiding this comment.
- 这个判断有明确的依据吗? 例如文档、Release Note、Issue 之类
- 这个判断兼容之前的版本吗? 我们有很多存量用户用的还是旧版,是不是无感更新的呢?
There was a problem hiding this comment.
刚刚更新的,应该没有更新到文档
给你看一下两种方式的请求体结构,判断的依据是我通过实测的结果
不勾选扩展字段的请求体是这样的json结构,用户信息在object字段里面,这个结构新版和旧版一样,原来需要的字段action和object都在,object里面是string,没区别,所以不更新casdoor,继续用原来的版本没有影响的:
{ "id": 0, "owner": "test", "name": "", "createdTime": "2025-03-05T08:43:22+08:00", "organization": "test", "clientIp": "192.168.0.100", "user": "abc", "method": "POST", "requestUri": "/", "action": "update-user", "language": "zh", "object": "{\"owner\":\"test\",\"avatar\":\"https://\",\"displayName\":\"张三\",\"email\":\"abc@example.com\",\"id\":\"xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx\"}" "statusCode": 200, "isTriggered": false, "extendedUser": null }
新版casdoor勾选了扩展字段之后,POST的请求体就只有选定的四项内容,没有action这个字段,也没有object字段,直接就是扩展字段,结构如下:
{ "avatar": "https://", "displayName": "张三", "email": "abc@example.com", "id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx" }
There was a problem hiding this comment.
要不等他文档更新之后再看看吧,或者去提个 issue 问问他们的维护者在新版是怎么定义这些 webhook 字段的。代码是会被随时修改的。
There was a problem hiding this comment.
要不等他文档更新之后再看看吧,或者去提个 issue 问问他们的维护者在新版是怎么定义这些 webhook 字段的。代码是会被随时修改的。
casdoor那边提了个issue在询问
There was a problem hiding this comment.
要不等他文档更新之后再看看吧,或者去提个 issue 问问他们的维护者在新版是怎么定义这些 webhook 字段的。代码是会被随时修改的。
casdoor的维护者认为是一个bug,他漏了,1.856.0版本又把其他内容全加进去了,所以扩展字段应该只是增加更多内容。这样我就更加疑惑了,扩展字段有大量的内容都是和object重复的,而且发送的也不是管理员用户的信息,完全不知道扩展字段有什么意义了
There was a problem hiding this comment.
原来是这样,等他们稳定了再跟进会比较合适?
如果他们能接受建议,直接把object改为可选,lobechat都不用改了
There was a problem hiding this comment.
其实object传递信息也是可以接受的。代码上面改动其实会比较复杂,其实可以考虑从文档入手,在casdoor文档那章上增加一些好的安全实践,如像一键部署的配置文件那样,builtin组织只给管理员,lobe用另一个组织做登录。这样object里面就不会含有敏感信息了,也能实现你所提的安全目标。初始化文件在 docker-compose/local/init_data.json。
| @@ -10,10 +10,10 @@ export type CasdoorUserEntity = { | |||
| }; | |||
|
|
|||
| interface CasdoorWebhookPayload { | |||
| action: string; | |||
| action?: string; | |||
There was a problem hiding this comment.
action 不是可选的,而是通过是否启用扩展字段自动的,如果启用了扩展字段就不会有这个字段,如果不启用就有,不能选择
There was a problem hiding this comment.
这是新出的吗?之前开启了拓展用户之后消息体还有action。这个action后面。还要用来做其他功能的,你看看怎么处理兼容性?
There was a problem hiding this comment.
现在新出的没有action字段,是不是可以直接加进去?如果扩展字段读不到这个action,就直接把action赋值为'update-user'添加进去?
There was a problem hiding this comment.
这样做的行为就不太可控了。以后是要实现对多个 action 的支持,如 ban user 这些。
There was a problem hiding this comment.
这样做的行为就不太可控了。以后是要实现对多个 action 的支持,如 ban user 这些。
我已经去casdoor那边提issue询问了,问问新版就是这样设计的,还是漏了action字段。我的想法其实是在保证原来逻辑的前提下,仅仅只是单纯的兼容扩展字段这种方式,看看action等基础字段能不能重新加进来,这样不会影响原来的逻辑
There was a problem hiding this comment.
我其实也不太理解这样设计,为什么不直接把object字段做成可选?
|
麻烦对应更新下 casdoor 的文档部分吧?我觉得是需要让普通用户也知道下怎么提高安全性的 |
Please update the corresponding document part of casdoor? I think it is necessary for ordinary users to know how to improve security |
| return JSON.parse(value); | ||
| } | ||
| return value; | ||
| }) as Partial<CasdoorWebhookPayload> & CasdoorUserEntity; |
There was a problem hiding this comment.
我尝试了当前代码在 Casdoor 1.855.0 下 object 字段的原文(没有任何Mask),并没有看到威胁安全性的字段暴露, 你可以说一下哪些字段会威胁安全性吗?
{
owner: 'organization_909sis',
name: 'user_cctax5',
createdTime: '2025-03-05T10:02:36+08:00',
updatedTime: '2025-03-05T02:02:55Z',
deletedTime: '',
id: '42ed393e-2441-4aa2-9abf-c432d0f6e70c',
externalId: '',
type: 'normal-user',
password: '***',
passwordSalt: '',
passwordType: 'plain',
displayName: 'New User - cctax5',
firstName: '',
lastName: '',
avatar: 'https://cdn.casbin.org/img/casbin.svg',
avatarType: '',
permanentAvatar: '',
email: 'ccta65@example.com',
emailVerified: false,
phone: '10123068366',
countryCode: 'US',
region: '',
location: '',
address: [],
affiliation: 'Example Inc.',
title: '',
idCardType: '',
idCard: '',
homepage: '',
bio: '',
tag: 'staff',
language: '',
gender: '',
birthday: '',
education: '',
score: 2000,
karma: 0,
ranking: 0,
balance: 0,
currency: '',
isDefaultAvatar: false,
isOnline: false,
isAdmin: true,
isForbidden: false,
isDeleted: false,
signupApplication: '',
hash: '',
preHash: '',
accessKey: '',
accessSecret: '',
accessToken: '',
createdIp: '',
lastSigninTime: '',
lastSigninIp: '',
github: '',
google: '',
qq: '',
wechat: '',
facebook: '',
dingtalk: '',
weibo: '',
gitee: '',
linkedin: '',
wecom: '',
lark: '',
gitlab: '',
adfs: '',
baidu: '',
alipay: '',
casdoor: '',
infoflow: '',
apple: '',
azuread: '',
azureadb2c: '',
slack: '',
steam: '',
bilibili: '',
okta: '',
douyin: '',
kwai: '',
line: '',
amazon: '',
auth0: '',
battlenet: '',
bitbucket: '',
box: '',
cloudfoundry: '',
dailymotion: '',
deezer: '',
digitalocean: '',
discord: '',
dropbox: '',
eveonline: '',
fitbit: '',
gitea: '',
heroku: '',
influxcloud: '',
instagram: '',
intercom: '',
kakao: '',
lastfm: '',
mailru: '',
meetup: '',
microsoftonline: '',
naver: '',
nextcloud: '',
onedrive: '',
oura: '',
patreon: '',
paypal: '',
salesforce: '',
shopify: '',
soundcloud: '',
spotify: '',
strava: '',
stripe: '',
tiktok: '',
tumblr: '',
twitch: '',
twitter: '',
typetalk: '',
uber: '',
vk: '',
wepay: '',
xero: '',
yahoo: '',
yammer: '',
yandex: '',
zoom: '',
metamask: '',
web3onboard: '',
custom: '',
webauthnCredentials: null,
preferredMfaType: '',
recoveryCodes: null,
totpSecret: '',
mfaPhoneEnabled: false,
mfaEmailEnabled: false,
multiFactorAuths: [
{ enabled: false, isPreferred: false, mfaType: 'sms' },
{ enabled: false, isPreferred: false, mfaType: 'email' },
{ enabled: false, isPreferred: false, mfaType: 'app' }
],
invitation: '',
invitationCode: '',
faceIds: null,
ldap: '',
properties: {},
roles: [],
permissions: [],
groups: [],
lastChangePasswordTime: '',
lastSigninWrongTime: '',
signinWrongTimes: 0,
managedAccounts: null,
mfaAccounts: null,
needUpdatePassword: false,
ipWhitelist: ''
}There was a problem hiding this comment.
accessKey,accessSecret
这个权限比较高,是明文传输的,可以代替用户名密码做很多事情
另外 像idCardType和idCard,这个其实就是身份证和身份证号,属于用户高度隐私的内容
There was a problem hiding this comment.
但这两个key都没有值传过来,casdoor已经omit掉了? idcard type 这个值在我们的场景下,没有人会填的吧 🤣
There was a problem hiding this comment.
这两个值默认不生成,用户如果需要用,进去自己点击生成就会有,我就在用这两个key来做一些鉴权的事
There was a problem hiding this comment.
现在推荐的Casdoor的初始化模板里已经配置管理员和登录用户分离了。管理员无法登录 LobeChat 应用,普通用户因为无法进入管理员面板,理论上用户是不会创建这两个 key 的。你可以试一下现在的建议配置 https://github.com/lobehub/lobe-chat/blob/main/docker-compose/local/init_data.json
Add compatibility for extended user fields of webhook
💻 变更类型 | Change Type
🔀 变更说明 | Description of Change
当使用casdoor更新用户信息时,如果勾选了“扩展用户字段”,则casdoor推送的请求体中不会包含object字段,而是会将用户信息直接在json请求体中
此更新兼容webhook勾选“扩展用户字段”的情形。
📝 补充信息 | Additional Information
#6689
1、支持casdoor 1.855.0以上版本
2、在casdoor的webhook配置时,需要勾选“扩展用户字段”,且需要在Extended user fields部分添加“avatar, displayName, email, id”四个字段