Lucia-Auth on HanGR的碎碎念https://han-gr.github.io/tags/lucia-auth/Recent content in Lucia-Auth on HanGR的碎碎念Hugo -- gohugo.iozh-cnWed, 08 May 2024 00:00:00 +0000Lucia Auth 认证体系搭建https://han-gr.github.io/p/2024-05-08-lucia-auth-%E8%AE%A4%E8%AF%81%E4%BD%93%E7%B3%BB%E6%90%AD%E5%BB%BA/Wed, 08 May 2024 00:00:00 +0000https://han-gr.github.io/p/2024-05-08-lucia-auth-%E8%AE%A4%E8%AF%81%E4%BD%93%E7%B3%BB%E6%90%AD%E5%BB%BA/<img src="https://han-gr.github.io/p/2024-05-08-lucia-auth-%E8%AE%A4%E8%AF%81%E4%BD%93%E7%B3%BB%E6%90%AD%E5%BB%BA/Lucia-Auth.webp" alt="Featured image of post Lucia Auth 认证体系搭建" /><h2 id="为什么选-lucia-auth">为什么选 Lucia Auth </h2><p>市面上有很多认证方案:NextAuth、Clerk、Auth0、Supabase Auth……</p> <p>选 Lucia Auth 的原因:</p> <ul> <li><strong>完全自托管</strong>:数据存在自己的 D1,不依赖第三方服务</li> <li><strong>轻量</strong>:只提供核心认证逻辑,不绑定特定数据库</li> <li><strong>灵活</strong>:可以自定义 Session 存储(我们用 KV)</li> <li><strong>免费</strong>:不像 Clerk 按 MAU 收费</li> </ul> <h2 id="邮箱密码登录">邮箱密码登录 </h2><h3 id="注册">注册 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="c1">// src/app/(auth)/sign-up/sign-up.actions.ts </span></span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">const</span> <span class="nx">signUpAction</span> <span class="o">=</span> <span class="nx">actionClient</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">inputSchema</span><span class="p">(</span><span class="nx">signUpSchema</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">action</span><span class="p">(</span><span class="kr">async</span> <span class="p">({</span> <span class="nx">parsedInput</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">parsedInput</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nx">getDB</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 检查邮箱是否已注册 </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">existing</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">userTable</span><span class="p">.</span><span class="nx">findFirst</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">where</span>: <span class="kt">eq</span><span class="p">(</span><span class="nx">userTable</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">email</span><span class="p">.</span><span class="nx">toLowerCase</span><span class="p">()),</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">existing</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">throw</span> <span class="k">new</span> <span class="nx">ActionError</span><span class="p">(</span><span class="s2">&#34;CONFLICT&#34;</span><span class="p">,</span> <span class="s2">&#34;Email already registered&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 哈希密码 </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">passwordHash</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">hashPassword</span><span class="p">(</span><span class="nx">password</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 创建用户 </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="sb">`usr_</span><span class="si">${</span><span class="nx">createId</span><span class="p">()</span><span class="si">}</span><span class="sb">`</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">insert</span><span class="p">(</span><span class="nx">userTable</span><span class="p">).</span><span class="nx">values</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">id</span>: <span class="kt">userId</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">email</span>: <span class="kt">email.toLowerCase</span><span class="p">(),</span> </span></span><span class="line"><span class="cl"> <span class="nx">passwordHash</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">role</span><span class="o">:</span> <span class="s2">&#34;user&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">emailVerified</span>: <span class="kt">false</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 发送验证邮件 </span></span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">sendVerificationEmail</span><span class="p">({</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">email</span> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 创建 Session </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">sessionId</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">createSession</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">setSessionCookie</span><span class="p">(</span><span class="nx">sessionId</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">{</span> <span class="nx">success</span>: <span class="kt">true</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="密码哈希">密码哈希 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="c1">// 使用 Web Crypto API(Workers 兼容) </span></span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">hashPassword</span><span class="p">(</span><span class="nx">password</span>: <span class="kt">string</span><span class="p">)</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">encoder</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">TextEncoder</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">salt</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nx">Uint8Array</span><span class="p">(</span><span class="mi">16</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">keyMaterial</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nx">importKey</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;raw&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">encoder</span><span class="p">.</span><span class="nx">encode</span><span class="p">(</span><span class="nx">password</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;PBKDF2&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="kc">false</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="s2">&#34;deriveBits&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nx">deriveBits</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nx">name</span><span class="o">:</span> <span class="s2">&#34;PBKDF2&#34;</span><span class="p">,</span> <span class="nx">salt</span><span class="p">,</span> <span class="nx">iterations</span>: <span class="kt">100000</span><span class="p">,</span> <span class="nx">hash</span><span class="o">:</span> <span class="s2">&#34;SHA-256&#34;</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nx">keyMaterial</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">256</span> </span></span><span class="line"><span class="cl"> <span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 拼接 salt + hash,base64 编码存储 </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">combined</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Uint8Array</span><span class="p">(</span><span class="nx">salt</span><span class="p">.</span><span class="nx">length</span> <span class="o">+</span> <span class="nx">hash</span><span class="p">.</span><span class="nx">byteLength</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nx">combined</span><span class="p">.</span><span class="kr">set</span><span class="p">(</span><span class="nx">salt</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nx">combined</span><span class="p">.</span><span class="kr">set</span><span class="p">(</span><span class="k">new</span> <span class="nx">Uint8Array</span><span class="p">(</span><span class="nx">hash</span><span class="p">),</span> <span class="nx">salt</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">btoa</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(...</span><span class="nx">combined</span><span class="p">));</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="google-oauth">Google OAuth </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="c1">// src/app/api/auth/google/route.ts </span></span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">GET() {</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">state</span> <span class="o">=</span> <span class="nx">generateState</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">codeVerifier</span> <span class="o">=</span> <span class="nx">generateCodeVerifier</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">google</span><span class="p">.</span><span class="nx">createAuthorizationURL</span><span class="p">(</span><span class="nx">state</span><span class="p">,</span> <span class="nx">codeVerifier</span><span class="p">,</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;openid&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;email&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;profile&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">]);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 存储 state 和 codeVerifier 到 Cookie </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Response</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">status</span>: <span class="kt">302</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">headers</span><span class="o">:</span> <span class="p">{</span> <span class="nx">Location</span>: <span class="kt">url.toString</span><span class="p">()</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> <span class="nx">setCookie</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="s2">&#34;google_oauth_state&#34;</span><span class="p">,</span> <span class="nx">state</span><span class="p">,</span> <span class="p">{</span> <span class="nx">httpOnly</span>: <span class="kt">true</span> <span class="p">});</span> </span></span><span class="line"><span class="cl"> <span class="nx">setCookie</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="s2">&#34;google_code_verifier&#34;</span><span class="p">,</span> <span class="nx">codeVerifier</span><span class="p">,</span> <span class="p">{</span> <span class="nx">httpOnly</span>: <span class="kt">true</span> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// src/app/api/auth/google/callback/route.ts </span></span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">GET</span><span class="p">(</span><span class="nx">request</span>: <span class="kt">Request</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span> <span class="nx">searchParams</span> <span class="p">}</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">code</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="kr">get</span><span class="p">(</span><span class="s2">&#34;code&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">state</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="kr">get</span><span class="p">(</span><span class="s2">&#34;state&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 验证 state </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">storedState</span> <span class="o">=</span> <span class="nx">getCookie</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="s2">&#34;google_oauth_state&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">state</span> <span class="o">!==</span> <span class="nx">storedState</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="k">new</span> <span class="nx">Response</span><span class="p">(</span><span class="s2">&#34;Invalid state&#34;</span><span class="p">,</span> <span class="p">{</span> <span class="nx">status</span>: <span class="kt">400</span> <span class="p">});</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 换取 token </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">tokens</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">google</span><span class="p">.</span><span class="nx">validateAuthorizationCode</span><span class="p">(</span><span class="nx">code</span><span class="p">,</span> <span class="nx">codeVerifier</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">googleUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getGoogleUser</span><span class="p">(</span><span class="nx">tokens</span><span class="p">.</span><span class="nx">accessToken</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 查找或创建用户 </span></span></span><span class="line"><span class="cl"> <span class="kd">let</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">userTable</span><span class="p">.</span><span class="nx">findFirst</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">where</span>: <span class="kt">eq</span><span class="p">(</span><span class="nx">userTable</span><span class="p">.</span><span class="nx">googleAccountId</span><span class="p">,</span> <span class="nx">googleUser</span><span class="p">.</span><span class="nx">sub</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">createUserFromGoogle</span><span class="p">(</span><span class="nx">googleUser</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 创建 Session </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">sessionId</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">createSession</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">setSessionCookie</span><span class="p">(</span><span class="nx">sessionId</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">redirect</span><span class="p">(</span><span class="s2">&#34;/dashboard&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="passkey-无密码登录">Passkey 无密码登录 </h2><p>Passkey 基于 WebAuthn 标准,用设备的生物识别(Face ID、指纹)替代密码。</p> <h3 id="注册-passkey">注册 Passkey </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="c1">// 1. 服务器生成挑战 </span></span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">const</span> <span class="nx">generatePasskeyRegistrationOptions</span> <span class="o">=</span> <span class="nx">actionClient</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">action</span><span class="p">(</span><span class="kr">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">requireVerifiedEmail</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">generateRegistrationOptions</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">rpName</span><span class="o">:</span> <span class="s2">&#34;RuiToolAI&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">rpID</span>: <span class="kt">process.env.NEXT_PUBLIC_APP_DOMAIN</span><span class="o">!</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">userID</span>: <span class="kt">session.user.id</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">userName</span>: <span class="kt">session.user.email</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 存储 challenge 到 KV </span></span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">kv</span><span class="p">.</span><span class="nx">put</span><span class="p">(</span><span class="sb">`passkey_challenge:</span><span class="si">${</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="si">}</span><span class="sb">`</span><span class="p">,</span> <span class="nx">options</span><span class="p">.</span><span class="nx">challenge</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">options</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 2. 前端调用 WebAuthn API </span></span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">credential</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">startRegistration</span><span class="p">(</span><span class="nx">options</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 3. 服务器验证并保存 </span></span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">const</span> <span class="nx">verifyPasskeyRegistration</span> <span class="o">=</span> <span class="nx">actionClient</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">inputSchema</span><span class="p">(</span><span class="nx">passkeyRegistrationSchema</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">action</span><span class="p">(</span><span class="kr">async</span> <span class="p">({</span> <span class="nx">parsedInput</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">challenge</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">kv</span><span class="p">.</span><span class="kr">get</span><span class="p">(</span><span class="sb">`passkey_challenge:</span><span class="si">${</span><span class="nx">userId</span><span class="si">}</span><span class="sb">`</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">verification</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">verifyRegistrationResponse</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">response</span>: <span class="kt">parsedInput.credential</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">expectedChallenge</span>: <span class="kt">challenge</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">expectedOrigin</span>: <span class="kt">process.env.NEXT_PUBLIC_APP_URL</span><span class="o">!</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">verification</span><span class="p">.</span><span class="nx">verified</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">insert</span><span class="p">(</span><span class="nx">passkeyTable</span><span class="p">).</span><span class="nx">values</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">userId</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">credentialId</span>: <span class="kt">verification.registrationInfo.credentialID</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">publicKey</span>: <span class="kt">verification.registrationInfo.credentialPublicKey</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="session-管理">Session 管理 </h2><p>Session 存储在 Cloudflare KV,而不是 D1,原因是:</p> <ul> <li>KV 读取速度更快(每次请求都要验证 Session)</li> <li>KV 原生支持 TTL(过期自动删除)</li> <li>减少 D1 的读取压力</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="c1">// src/utils/kv-session.ts </span></span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">createSession</span><span class="p">(</span><span class="nx">userId</span>: <span class="kt">string</span><span class="p">)</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">sessionId</span> <span class="o">=</span> <span class="nx">generateId</span><span class="p">(</span><span class="mi">32</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getCloudflareContext</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_TAG_CACHE_KV</span><span class="p">.</span><span class="nx">put</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="sb">`session:</span><span class="si">${</span><span class="nx">sessionId</span><span class="si">}</span><span class="sb">`</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">createdAt</span>: <span class="kt">Date.now</span><span class="p">()</span> <span class="p">}),</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nx">expirationTtl</span>: <span class="kt">7</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="p">}</span> <span class="c1">// 7 天 </span></span></span><span class="line"><span class="cl"> <span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">sessionId</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">getSession</span><span class="p">(</span><span class="nx">sessionId</span>: <span class="kt">string</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getCloudflareContext</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_TAG_CACHE_KV</span><span class="p">.</span><span class="kr">get</span><span class="p">(</span><span class="sb">`session:</span><span class="si">${</span><span class="nx">sessionId</span><span class="si">}</span><span class="sb">`</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">raw</span> <span class="o">?</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">raw</span><span class="p">)</span> <span class="o">:</span> <span class="kc">null</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="邮箱验证">邮箱验证 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">sendVerificationEmail</span><span class="p">({</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">email</span> <span class="p">})</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">generateId</span><span class="p">(</span><span class="mi">32</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nx">getDB</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 存储验证 token </span></span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">insert</span><span class="p">(</span><span class="nx">emailVerificationTable</span><span class="p">).</span><span class="nx">values</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">id</span><span class="o">:</span> <span class="sb">`ev_</span><span class="si">${</span><span class="nx">createId</span><span class="p">()</span><span class="si">}</span><span class="sb">`</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">userId</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">token</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">expiresAt</span>: <span class="kt">new</span> <span class="nb">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nx">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="c1">// 24 小时 </span></span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 发送邮件 </span></span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">sendEmail</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">to</span>: <span class="kt">email</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">subject</span><span class="o">:</span> <span class="s2">&#34;Verify your email&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">html</span><span class="o">:</span> <span class="sb">`&lt;a href=&#34;</span><span class="si">${</span><span class="nx">APP_URL</span><span class="si">}</span><span class="sb">/verify-email?token=</span><span class="si">${</span><span class="nx">token</span><span class="si">}</span><span class="sb">&#34;&gt;Verify Email&lt;/a&gt;`</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="密码重置">密码重置 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="c1">// 1. 用户提交邮箱 </span></span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">const</span> <span class="nx">requestPasswordResetAction</span> <span class="o">=</span> <span class="nx">actionClient</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">inputSchema</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="kt">object</span><span class="p">({</span> <span class="nx">email</span>: <span class="kt">z.string</span><span class="p">().</span><span class="nx">email</span><span class="p">()</span> <span class="p">}))</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">action</span><span class="p">(</span><span class="kr">async</span> <span class="p">({</span> <span class="nx">parsedInput</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">userTable</span><span class="p">.</span><span class="nx">findFirst</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">where</span>: <span class="kt">eq</span><span class="p">(</span><span class="nx">userTable</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">parsedInput</span><span class="p">.</span><span class="nx">email</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 不管用户是否存在,都返回成功(防止枚举攻击) </span></span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">success</span>: <span class="kt">true</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">generateId</span><span class="p">(</span><span class="mi">32</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">insert</span><span class="p">(</span><span class="nx">passwordResetTable</span><span class="p">).</span><span class="nx">values</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">token</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">userId</span>: <span class="kt">user.id</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">expiresAt</span>: <span class="kt">new</span> <span class="nb">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nx">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="c1">// 1 小时 </span></span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">sendPasswordResetEmail</span><span class="p">({</span> <span class="nx">email</span>: <span class="kt">parsedInput.email</span><span class="p">,</span> <span class="nx">token</span> <span class="p">});</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">{</span> <span class="nx">success</span>: <span class="kt">true</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 2. 用户点击链接,提交新密码 </span></span></span><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">const</span> <span class="nx">resetPasswordAction</span> <span class="o">=</span> <span class="nx">actionClient</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">inputSchema</span><span class="p">(</span><span class="nx">resetPasswordSchema</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">action</span><span class="p">(</span><span class="kr">async</span> <span class="p">({</span> <span class="nx">parsedInput</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">newPassword</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">parsedInput</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">resetRecord</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">passwordResetTable</span><span class="p">.</span><span class="nx">findFirst</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">where</span>: <span class="kt">and</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="nx">eq</span><span class="p">(</span><span class="nx">passwordResetTable</span><span class="p">.</span><span class="nx">token</span><span class="p">,</span> <span class="nx">token</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="nx">gt</span><span class="p">(</span><span class="nx">passwordResetTable</span><span class="p">.</span><span class="nx">expiresAt</span><span class="p">,</span> <span class="k">new</span> <span class="nb">Date</span><span class="p">()),</span> </span></span><span class="line"><span class="cl"> <span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">resetRecord</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">throw</span> <span class="k">new</span> <span class="nx">ActionError</span><span class="p">(</span><span class="s2">&#34;INVALID_TOKEN&#34;</span><span class="p">,</span> <span class="s2">&#34;Token is invalid or expired&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">passwordHash</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">hashPassword</span><span class="p">(</span><span class="nx">newPassword</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">update</span><span class="p">(</span><span class="nx">userTable</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="kr">set</span><span class="p">({</span> <span class="nx">passwordHash</span> <span class="p">})</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">where</span><span class="p">(</span><span class="nx">eq</span><span class="p">(</span><span class="nx">userTable</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">resetRecord</span><span class="p">.</span><span class="nx">userId</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 删除 token,防止重复使用 </span></span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">passwordResetTable</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">where</span><span class="p">(</span><span class="nx">eq</span><span class="p">(</span><span class="nx">passwordResetTable</span><span class="p">.</span><span class="nx">token</span><span class="p">,</span> <span class="nx">token</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">});</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="总结">总结 </h2><p>Lucia Auth 的认证体系:</p> <table> <thead> <tr> <th>功能</th> <th>实现方式</th> </tr> </thead> <tbody> <tr> <td>邮箱密码</td> <td>PBKDF2 哈希 + D1 存储</td> </tr> <tr> <td>Google OAuth</td> <td>OAuth 2.0 + PKCE</td> </tr> <tr> <td>Passkey</td> <td>WebAuthn + KV 存储 challenge</td> </tr> <tr> <td>Session</td> <td>KV 存储 + Cookie</td> </tr> <tr> <td>邮箱验证</td> <td>Token + 邮件发送</td> </tr> <tr> <td>密码重置</td> <td>Token + 防枚举设计</td> </tr> </tbody> </table> <h2 id="参考资源">参考资源 </h2><ul> <li><a class="link" href="https://lucia-auth.com/" target="_blank" rel="noopener" >Lucia Auth</a></li> <li><a class="link" href="https://webauthn.guide/" target="_blank" rel="noopener" >WebAuthn</a></li> <li><a class="link" href="https://simplewebauthn.dev/" target="_blank" rel="noopener" >SimpleWebAuthn</a></li> <li><a class="link" href="https://arcticjs.dev/" target="_blank" rel="noopener" >Arctic OAuth</a></li> </ul>