From ffd8dca38aa41b74935672429757dd85cb0fd493 Mon Sep 17 00:00:00 2001
From: Ethan-Zhang
Date: Fri, 24 Oct 2025 15:52:34 +0800
Subject: [PATCH 1/2] =?UTF-8?q?Feat:=20authelia=E8=B6=85=E7=BA=A7=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=E5=91=98=E5=88=9D=E5=A7=8B=E5=8C=96=E6=94=AF=E6=8C=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/common/oidc_provider/authelia.py | 48 +++++++++++++++++++++++++--
 apps/services/user.py | 42 ++++++++++++++++++++++-
 2 files changed, 87 insertions(+), 3 deletions(-)
diff --git a/apps/common/oidc_provider/authelia.py b/apps/common/oidc_provider/authelia.py
index bbc46c86b..aeeb9eb2c 100644
--- a/apps/common/oidc_provider/authelia.py
+++ b/apps/common/oidc_provider/authelia.py
@@ -113,10 +113,54 @@ class AutheliaOIDCProvider(OIDCProviderBase):
 logger.info("[Authelia] 获取用户信息成功: %s", resp.text)
 result = resp.json()
+ # 获取用户名和默认的user_sub
+ user_name = result.get("name", result.get("preferred_username", result.get("nickname", "")))
+ default_user_sub = result.get("sub", result.get("preferred_username", ""))
+
+ # 管理员用户特殊处理逻辑
+ final_user_sub = await cls._handle_admin_user_sub(user_name, default_user_sub)
+
 return {
- "user_sub": result.get("sub", result.get("preferred_username", "")),
- "user_name": result.get("name", result.get("preferred_username", result.get("nickname", ""))),
+ "user_sub": final_user_sub,
+ "user_name": user_name,
 }
+
+ @classmethod
+ async def _handle_admin_user_sub(cls, user_name: str, default_user_sub: str) -> str:
+ """处理管理员用户的user_sub逻辑(仅适用于Authelia)"""
+ from apps.common.config import Config
+
+ config = Config().get_config()
+
+ # 只有在使用Authelia provider时才应用此逻辑
+ if config.login.provider != "authelia":
+ return default_user_sub
+
+ # 检查是否启用了管理员配置且用户名匹配
+ if not config.admin.enable or user_name != config.admin.user_name:
+ return default_user_sub
+
+ # 检查数据库中是否已存在管理员用户
+ try:
+ from apps.common.mongo import MongoDB
+ mongo = MongoDB()
+ user_collection = mongo.get_collection("user")
+
+ existing_admin = await user_collection.find_one({"_id": config.admin.user_sub})
+
+ if existing_admin:
+ # 数据库中已存在管理员用户,使用默认的user_sub
+ logger.info(f"[_handle_admin_user_sub] 管理员用户已存在,使用默认user_sub: {default_user_sub}")
+ return default_user_sub
+ else:
+ # 数据库中不存在管理员用户,使用配置的管理员user_sub
+ logger.info(f"[_handle_admin_user_sub] 管理员用户不存在,使用配置的user_sub: {config.admin.user_sub}")
+ return config.admin.user_sub
+
+ except Exception as e:
+ logger.error(f"[_handle_admin_user_sub] 检查管理员用户时出错: {e}")
+ # 出错时使用默认的user_sub
+ return default_user_sub
 @classmethod
 async def get_login_status(cls, cookie: dict[str, str]) -> dict[str, Any]:
diff --git a/apps/services/user.py b/apps/services/user.py
index 36c04ea8e..496938960 100644
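Review bot: `_handle_admin_user_sub` keys the admin binding on the display-name claim (`name`, falling back to `preferred_username`/`nickname`) and hands `config.admin.user_sub` to the first login whose display name matches while no admin document exists yet, so the binding rests on a claim that is neither unique nor stable; it should key on the provider `sub` (a configured admin subject) rather than on `user_name`. The `existing_admin` branch then returns `default_user_sub`, so on that person's next login the provider's real `sub` comes back and the same account resolves to a different user record, unless that `sub` happens to equal `config.admin.user_sub`, which is not visible here; persisting the provider `sub` on the admin document at first binding and returning `config.admin.user_sub` whenever it matches would make the mapping stable. Inside `AutheliaOIDCProvider` the `config.login.provider != "authelia"` guard is redundant, and the `except Exception` handler should use `logger.exception(...)` so the traceback is kept instead of only `{e}`. The same logic is duplicated as `UserManager._handle_admin_user_creation` in apps/services/user.py and should live in one place. The enclosing method starts outside the hunk.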
--- a/apps/services/user.py
+++ b/apps/services/user.py
@@ -16,6 +16,42 @@ logger = logging.getLogger(__name__)
 class UserManager:
 """用户相关操作"""
+ @staticmethod
+ async def _handle_admin_user_creation(user_sub: str, user_name: str) -> str:
+ """处理管理员用户创建时的user_sub逻辑(仅适用于Authelia)"""
+ from apps.common.config import Config
+
+ config = Config().get_config()
+
+ # 只有在使用Authelia provider时才应用此逻辑
+ if config.login.provider != "authelia":
+ return user_sub
+
+ # 检查是否启用了管理员配置且用户名匹配
+ if not config.admin.enable or user_name != config.admin.user_name:
+ return user_sub
+
+ # 检查数据库中是否已存在管理员用户
+ try:
+ mongo = MongoDB()
+ user_collection = mongo.get_collection("user")
+
+ existing_admin = await user_collection.find_one({"_id": config.admin.user_sub})
+
+ if existing_admin:
+ # 数据库中已存在管理员用户,使用原始的user_sub
+ logger.info(f"[_handle_admin_user_creation] 管理员用户已存在,使用原始user_sub: {user_sub}")
+ return user_sub
+ else:
+ # 数据库中不存在管理员用户,使用配置的管理员user_sub
+ logger.info(f"[_handle_admin_user_creation] 管理员用户不存在,使用配置的user_sub: {config.admin.user_sub}")
+ return config.admin.user_sub
+
+ except Exception as e:
+ logger.error(f"[_handle_admin_user_creation] 检查管理员用户时出错: {e}")
+ # 出错时使用原始的user_sub
+ return user_sub
+
 @staticmethod
 async def add_userinfo(user_sub: str, user_name: str = "") -> None:
 """
@@ -26,8 +62,12 @@ class UserManager:
 """
 mongo = MongoDB()
 user_collection = mongo.get_collection("user")
+
+ # 管理员用户特殊处理:检查是否应该使用配置的管理员user_sub
+ final_user_sub = await UserManager._handle_admin_user_creation(user_sub, user_name)
+
 await user_collection.insert_one(User(
- _id=user_sub,
+ _id=final_user_sub,
 user_name=user_name,
 ).model_dump(by_alias=True))
-- Gitee
From 4197fd0bc181e1d8251ececeb0c82a69835eaf72 Mon Sep 17 00:00:00 2001
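Review bot: `_handle_admin_user_creation` is a near-verbatim copy of `AutheliaOIDCProvider._handle_admin_user_sub` (same config checks, same `find_one({"_id": config.admin.user_sub})`, same fallback), so the two will drift; keep one helper and call it from both places. It carries the same weaknesses: the admin mapping is decided by the display name `user_name`, which is neither unique nor a stable subject identifier, rather than by the provider `sub`, and `except Exception` logs only `{e}` — prefer `logger.exception("[_handle_admin_user_creation] 检查管理员用户时出错")` so the traceback is kept. A database error here silently turns an intended admin login into an ordinary user record, which the docstring should say.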
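Review bot: `add_userinfo` now stores the document under `final_user_sub` while still returning `None`, so a caller that keeps the original `user_sub` (for its session, for instance) cannot learn that the stored `_id` differs from the identifier it holds; either return `final_user_sub` (`-> str` is backward-compatible for callers ignoring the result) or resolve the admin `user_sub` in the caller before the session is established. Whether the caller already receives the substituted value from the provider's user-info lookup is not visible in this hunk. The docstring of `add_userinfo` lies outside the hunk and should mention the substitution.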
From: Ethan-Zhang
Date: Fri, 24 Oct 2025 15:53:19 +0800
Subject: [PATCH 2/2] =?UTF-8?q?Fix:=20token=20endpoint=20auth=20method?=
 =?UTF-8?q?=E9=83=A8=E7=BD=B2=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 deploy/chart/authelia/configs/authelia.yml | 2 +-
 deploy/scripts/9-other-script/authelia_client_manager.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy/chart/authelia/configs/authelia.yml b/deploy/chart/authelia/configs/authelia.yml
index 1b2a9a2c6..23cbfbbb9 100644
--- a/deploy/chart/authelia/configs/authelia.yml
+++ b/deploy/chart/authelia/configs/authelia.yml
@@ -94,7 +94,7 @@ identity_providers:
 authorization_policy: {{ .authorization_policy | default "two_factor" | quote }} # 认证方法配置
- token_endpoint_auth_method: {{ .token_endpoint_auth_method | default "client_secret_basic" | quote }}
+ token_endpoint_auth_method: {{ .token_endpoint_auth_method | default "client_secret_post" | quote }}
 require_pkce: {{ .require_pkce | default true }}
 pkce_challenge_method: {{ .pkce_challenge_method | default "S256" | quote }}
diff --git a/deploy/scripts/9-other-script/authelia_client_manager.sh b/deploy/scripts/9-other-script/authelia_client_manager.sh
index 41a774545..bf0411260 100755
--- a/deploy/scripts/9-other-script/authelia_client_manager.sh
+++ b/deploy/scripts/9-other-script/authelia_client_manager.sh
@@ -154,7 +154,7 @@ try:
 'client_secret': '$client_secret',
 'public': False,
 'authorization_policy': '$auth_policy',
- 'token_endpoint_auth_method': 'client_secret_basic',
+ 'token_endpoint_auth_method': 'client_secret_post',
 'require_pkce': True, # 明确设置为 True
 'pkce_challenge_method': 'S256',
 'redirect_uris': ['$redirect_uri'],
-- Gitee
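Review bot: the chart default and the registration script both switch to `client_secret_post`, but neither file records why `client_secret_basic` no longer works, so the two defaults can drift apart again; a comment next to the yaml default such as `# client_secret_post: the application sends client_id/client_secret in the token request body rather than an Authorization header — keep in sync with authelia_client_manager.sh` would pin the reason. Clients already registered under the old default presumably keep `client_secret_basic` on the Authelia side until they are re-registered, which this change does not address. The same point applies to the `authelia_client_manager.sh` hunk that follows.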