v1.37.11

build: prepare to build
2026-04-25 21:27:32 +08:00 · 2025-11-29 04:15:57 +08:00 · 2025-11-29 04:13:44 +08:00 · 2025-11-29 04:10:55 +08:00 · 2025-11-29 04:08:56 +08:00 · 2025-11-29 04:06:51 +08:00
83 changed files with 1422 additions and 195 deletions
@@ -8,5 +8,6 @@
    "editor.defaultFormatter": "dbaeumer.vscode-eslint",
    "[typescript]": {
        "editor.defaultFormatter": "vscode.typescript-language-features"
-    }
+    },
+    "editor.tabSize": 2
 }
@@ -3,6 +3,23 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+### Bug Fixes
+
+* 修复阿里云 waf tlsVersion参数缺失导致部署失败的问题 ([2fabee6](https://github.com/certd/certd/commit/2fabee647acf64afe689f5bea3603028cd0ba4a2))
+* 修复备注撑开表格行高的bug ([c7b298c](https://github.com/certd/certd/commit/c7b298c46f0d52b43bd2bb17b374e7970a446446))
+* 修复域名管理无法创建tencent-eo dns授权的bug ([3406bb5](https://github.com/certd/certd/commit/3406bb5a4a56bb310cddc1a1f410c70909fd129b))
+* openapi 成功后失败都返回msg ([6e735bb](https://github.com/certd/certd/commit/6e735bbd1e29712e939f775a4db974db70e3b4b0))
+
+### Performance Improvements
+
+*  ssh支持ppk格式私钥 ([575ae16](https://github.com/certd/certd/commit/575ae164c863d0b1f9fa0890549a2ee7472fb469))
+* 优化宝塔网站证书在并发部署时导致nginx配置文件错乱的问题 ([51cc084](https://github.com/certd/certd/commit/51cc08411fd2dbab66d769b495dc1b0bf2f2578c))
+* 优化天翼云cdn 等待5秒部署完成 ([53c88ad](https://github.com/certd/certd/commit/53c88ad5afe66a3f7c38b9b759747918913a4edc))
+* 支持oidc单点登录 ([ec75afb](https://github.com/certd/certd/commit/ec75afbc44139dbe9da534d8a8c08a5b91f86d3c))
+* ssl.com支持ecc ([b5ec047](https://github.com/certd/certd/commit/b5ec04723db48422f71041f4043002e7f5b450b1))
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 ### Performance Improvements
@@ -9,5 +9,5 @@
    }
  },
  "npmClient": "pnpm",
-  "version": "1.37.10"
+  "version": "1.37.11"
 }
@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/publishlab/node-acme-client/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+### Performance Improvements
+
+* ssl.com支持ecc ([b5ec047](https://github.com/publishlab/node-acme-client/commit/b5ec04723db48422f71041f4043002e7f5b450b1))
+
 ## [1.37.10](https://github.com/publishlab/node-acme-client/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/acme-client
@@ -3,7 +3,7 @@
    "description": "Simple and unopinionated ACME client",
    "private": false,
    "author": "nmorsman",
-    "version": "1.37.10",
+    "version": "1.37.11",
    "type": "module",
    "module": "scr/index.js",
    "main": "src/index.js",
@@ -18,7 +18,7 @@
        "types"
    ],
    "dependencies": {
-        "@certd/basic": "^1.37.10",
+        "@certd/basic": "^1.37.11",
        "@peculiar/x509": "^1.11.0",
        "asn1js": "^3.0.5",
        "axios": "^1.7.2",
@@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+### Performance Improvements
+
+* 优化宝塔网站证书在并发部署时导致nginx配置文件错乱的问题 ([51cc084](https://github.com/certd/certd/commit/51cc08411fd2dbab66d769b495dc1b0bf2f2578c))
+* 优化天翼云cdn 等待5秒部署完成 ([53c88ad](https://github.com/certd/certd/commit/53c88ad5afe66a3f7c38b9b759747918913a4edc))
+* ssl.com支持ecc ([b5ec047](https://github.com/certd/certd/commit/b5ec04723db48422f71041f4043002e7f5b450b1))
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/basic
@@ -1 +1 @@
-23:49
+04:13
@@ -1,7 +1,7 @@
 {
  "name": "@certd/basic",
  "private": false,
-  "version": "1.37.10",
+  "version": "1.37.11",
  "type": "module",
  "main": "./dist/index.js",
  "module": "./dist/index.js",
@@ -9,7 +9,7 @@ export class Locker {
  }

  async execute(lockStr: string, callback: any, options?: { timeout?: number }) {
-    const timeout = options?.timeout ?? 20000;
+    const timeout = options?.timeout ?? 120000;
    return this.asyncLocker.acquire(lockStr, callback, { timeout });
  }
 }
@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+**Note:** Version bump only for package @certd/pipeline
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/pipeline
@@ -1,7 +1,7 @@
 {
  "name": "@certd/pipeline",
  "private": false,
-  "version": "1.37.10",
+  "version": "1.37.11",
  "type": "module",
  "main": "./dist/index.js",
  "module": "./dist/index.js",
@@ -18,8 +18,8 @@
    "compile": "tsc --skipLibCheck --watch"
  },
  "dependencies": {
-    "@certd/basic": "^1.37.10",
-    "@certd/plus-core": "^1.37.10",
+    "@certd/basic": "^1.37.11",
+    "@certd/plus-core": "^1.37.11",
    "dayjs": "^1.11.7",
    "lodash-es": "^4.17.21",
    "reflect-metadata": "^0.1.13"
@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+**Note:** Version bump only for package @certd/lib-huawei
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/lib-huawei
@@ -1,7 +1,7 @@
 {
  "name": "@certd/lib-huawei",
  "private": false,
-  "version": "1.37.10",
+  "version": "1.37.11",
  "main": "./dist/bundle.js",
  "module": "./dist/bundle.js",
  "types": "./dist/d/index.d.ts",
@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+**Note:** Version bump only for package @certd/lib-iframe
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/lib-iframe
@@ -1,7 +1,7 @@
 {
  "name": "@certd/lib-iframe",
  "private": false,
-  "version": "1.37.10",
+  "version": "1.37.11",
  "type": "module",
  "main": "./dist/index.js",
  "module": "./dist/index.js",
@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+### Performance Improvements
+
+*  ssh支持ppk格式私钥 ([575ae16](https://github.com/certd/certd/commit/575ae164c863d0b1f9fa0890549a2ee7472fb469))
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/jdcloud
@@ -1,6 +1,6 @@
 {
  "name": "@certd/jdcloud",
-  "version": "1.37.10",
+  "version": "1.37.11",
  "description": "jdcloud openApi sdk",
  "main": "./dist/bundle.js",
  "module": "./dist/bundle.js",
@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+**Note:** Version bump only for package @certd/lib-k8s
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/lib-k8s
@@ -1,7 +1,7 @@
 {
  "name": "@certd/lib-k8s",
  "private": false,
-  "version": "1.37.10",
+  "version": "1.37.11",
  "type": "module",
  "main": "./dist/index.js",
  "module": "./dist/index.js",
@@ -17,7 +17,7 @@
    "pub": "npm publish"
  },
  "dependencies": {
-    "@certd/basic": "^1.37.10",
+    "@certd/basic": "^1.37.11",
    "@kubernetes/client-node": "0.21.0"
  },
  "devDependencies": {
@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+### Performance Improvements
+
+* 支持oidc单点登录 ([ec75afb](https://github.com/certd/certd/commit/ec75afbc44139dbe9da534d8a8c08a5b91f86d3c))
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/lib-server
@@ -1,6 +1,6 @@
 {
  "name": "@certd/lib-server",
-  "version": "1.37.10",
+  "version": "1.37.11",
  "description": "midway with flyway, sql upgrade way ",
  "private": false,
  "type": "module",
@@ -28,11 +28,11 @@
  ],
  "license": "AGPL",
  "dependencies": {
-    "@certd/acme-client": "^1.37.10",
-    "@certd/basic": "^1.37.10",
-    "@certd/pipeline": "^1.37.10",
-    "@certd/plugin-lib": "^1.37.10",
-    "@certd/plus-core": "^1.37.10",
+    "@certd/acme-client": "^1.37.11",
+    "@certd/basic": "^1.37.11",
+    "@certd/pipeline": "^1.37.11",
+    "@certd/plugin-lib": "^1.37.11",
+    "@certd/plus-core": "^1.37.11",
    "@midwayjs/cache": "3.14.0",
    "@midwayjs/core": "3.20.11",
    "@midwayjs/i18n": "3.20.13",
@@ -1,5 +1,5 @@
 import { PermissionException, ValidateException } from './exception/index.js';
-import { In, Repository, SelectQueryBuilder } from 'typeorm';
+import { FindOneOptions, In, Repository, SelectQueryBuilder } from 'typeorm';
 import { Inject } from '@midwayjs/core';
 import { TypeORMDataSourceManager } from '@midwayjs/typeorm';
 import { EntityManager } from 'typeorm/entity-manager/EntityManager.js';
@@ -238,4 +238,8 @@ export abstract class BaseService<T> {

    await this.delete(ids);
  }
+
+  async findOne(options: FindOneOptions<T>) {
+    return await this.getRepository().findOne(options);
+  }
 }
@@ -16,7 +16,7 @@ export class SysPublicSettings extends BaseSettings {
  static __access__ = 'public';

  registerEnabled = false;
-  userValidTimeEnabled?:boolean = false;
+  userValidTimeEnabled?: boolean = false;
  passwordLoginEnabled = true;
  usernameRegisterEnabled = true;
  mobileRegisterEnabled = false;
@@ -36,7 +36,7 @@ export class SysPublicSettings extends BaseSettings {
  captchaEnabled = false;
  //验证码类型
  captchaType?: string;
-  captchaAddonId?:number;
+  captchaAddonId?: number;



@@ -49,6 +49,14 @@ export class SysPublicSettings extends BaseSettings {
  // 固定证书有效期天数，0表示不固定
  fixedCertExpireDays?: number;

+  // 第三方OAuth配置
+  oauthEnabled?: boolean = false;
+  oauthProviders: Record<string, {
+    type: string;
+    title: string;
+    addonId: number;
+  }> = {};
+
 }

 export class SysPrivateSettings extends BaseSettings {
@@ -69,9 +77,9 @@ export class SysPrivateSettings extends BaseSettings {
    type?: string;
    config?: any;
  } = {
-    type: 'aliyun',
-    config: {},
-  };
+      type: 'aliyun',
+      config: {},
+    };

  removeSecret() {
    const clone = cloneDeep(this);
@@ -196,7 +204,7 @@ export class SysSuiteSetting extends BaseSettings {
  static __key__ = 'sys.suite';
  static __access__ = 'private';

-  enabled:boolean = false;
+  enabled: boolean = false;

  registerGift?: {
    productId: number;
@@ -221,11 +229,9 @@ export class SysSafeSetting extends BaseSettings {
  static __access__ = 'private';

  // 站点隐藏
-  hidden:SiteHidden = {
+  hidden: SiteHidden = {
    enabled: false,
-    hiddenOpenApi:false,
+    hiddenOpenApi: false,
    autoHiddenTimes: 5,
  };
 }
-
-
@@ -31,6 +31,7 @@ export type AddonDefine = Registrable & {
    [key: string]: AddonInputDefine;
  };
  showTest?: boolean;
+  icon?: string;
 };

 export type AddonInstanceConfig = {
@@ -76,7 +76,7 @@ export class AddonService extends BaseService<AddonEntity> {


  getDefineList(addonType: string) {
-    return addonRegistry.getDefineList();
+    return addonRegistry.getDefineList(addonType);
  }

  getDefineByType(type: string, prefix?: string) {
@@ -187,4 +187,14 @@ export class AddonService extends BaseService<AddonEntity> {
    });
    return this.buildAddonInstanceConfig(res);
  }
+
+  async getOneByType(req:{addonType:string,type:string,userId:number}) {
+    return await this.repository.findOne({
+      where: {
+        addonType: req.addonType,
+        type: req.type,
+        userId: req.userId
+      }
+    });
+  }
 }
@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+**Note:** Version bump only for package @certd/midway-flyway-js
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/midway-flyway-js
@@ -1,6 +1,6 @@
 {
  "name": "@certd/midway-flyway-js",
-  "version": "1.37.10",
+  "version": "1.37.11",
  "description": "midway with flyway, sql upgrade way ",
  "private": false,
  "type": "module",
@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+### Performance Improvements
+
+* ssl.com支持ecc ([b5ec047](https://github.com/certd/certd/commit/b5ec04723db48422f71041f4043002e7f5b450b1))
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 ### Performance Improvements
@@ -1,7 +1,7 @@
 {
  "name": "@certd/plugin-cert",
  "private": false,
-  "version": "1.37.10",
+  "version": "1.37.11",
  "type": "module",
  "main": "./dist/index.js",
  "types": "./dist/index.d.ts",
@@ -17,10 +17,10 @@
    "compile": "tsc --skipLibCheck --watch"
  },
  "dependencies": {
-    "@certd/acme-client": "^1.37.10",
-    "@certd/basic": "^1.37.10",
-    "@certd/pipeline": "^1.37.10",
-    "@certd/plugin-lib": "^1.37.10",
+    "@certd/acme-client": "^1.37.11",
+    "@certd/basic": "^1.37.11",
+    "@certd/pipeline": "^1.37.11",
+    "@certd/plugin-lib": "^1.37.11",
    "@google-cloud/publicca": "^1.3.0",
    "dayjs": "^1.11.7",
    "jszip": "^3.10.1",
@@ -17,6 +17,7 @@
    "@typescript-eslint/ban-ts-ignore": "off",
    "@typescript-eslint/no-explicit-any": "off",
    "@typescript-eslint/no-empty-function": "off",
-    "@typescript-eslint/no-unused-vars": "off"
+    "@typescript-eslint/no-unused-vars": "off",
+    "max-len": [0, 160, 2, { "ignoreUrls": true }]
  }
 }
@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+### Performance Improvements
+
+*  ssh支持ppk格式私钥 ([575ae16](https://github.com/certd/certd/commit/575ae164c863d0b1f9fa0890549a2ee7472fb469))
+* 优化天翼云cdn 等待5秒部署完成 ([53c88ad](https://github.com/certd/certd/commit/53c88ad5afe66a3f7c38b9b759747918913a4edc))
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 **Note:** Version bump only for package @certd/plugin-lib
@@ -1,7 +1,7 @@
 {
  "name": "@certd/plugin-lib",
  "private": false,
-  "version": "1.37.10",
+  "version": "1.37.11",
  "type": "module",
  "main": "./dist/index.js",
  "types": "./dist/index.d.ts",
@@ -22,8 +22,8 @@
    "@alicloud/pop-core": "^1.7.10",
    "@alicloud/tea-util": "^1.4.10",
    "@aws-sdk/client-s3": "^3.787.0",
-    "@certd/basic": "^1.37.10",
-    "@certd/pipeline": "^1.37.10",
+    "@certd/basic": "^1.37.11",
+    "@certd/pipeline": "^1.37.11",
    "@kubernetes/client-node": "0.21.0",
    "ali-oss": "^6.22.0",
    "basic-ftp": "^5.0.5",
@@ -7,4 +7,5 @@ export * from "./qiniu/index.js";
 export * from "./ctyun/index.js";
 export * from "./oss/index.js";
 export * from "./s3/index.js";
-export * from "./lib/index.js";
+export * from "./lib/index.js";
+export * from "./service/index.js";
@@ -0,0 +1 @@
+export * from "./site-info.js";
@@ -0,0 +1,7 @@
+export type SiteInfo = {
+  siteUrl: string;
+};
+
+export interface ISiteInfoGetter {
+  getSiteInfo(): Promise<SiteInfo>;
+}
@@ -36,7 +36,7 @@ export class TencentSslClient {

  checkRet(ret: any) {
    if (!ret || ret.Error) {
-      throw new Error("请求失败：" + ret.Error.Code + "," + ret.Error.Message);
+      throw new Error("请求失败：" + ret.Error.Code + "," + ret.Error.Message + ",requestId" + ret.RequestId);
    }
  }

@@ -70,43 +70,33 @@ export class TencentSslClient {
  }

  async deployCertificateInstance(params: any) {
-    const client = await this.getSslClient();
-    const res = await client.DeployCertificateInstance(params);
-    this.checkRet(res);
-    return res;
+    return await this.doRequest("DeployCertificateInstance", params);
  }

  async DescribeHostUploadUpdateRecordDetail(params: any) {
-    const client = await this.getSslClient();
-    const res = await client.request("DescribeHostUploadUpdateRecordDetail", params);
-    this.checkRet(res);
-    return res;
+    return await this.doRequest("DescribeHostUploadUpdateRecordDetail", params);
  }

  async UploadUpdateCertificateInstance(params: any) {
-    const client = await this.getSslClient();
-    const res = await client.request("UploadUpdateCertificateInstance", params);
-    this.checkRet(res);
-    return res;
+    return await this.doRequest("UploadUpdateCertificateInstance", params);
  }

  async DescribeCertificates(params: { Limit?: number; Offset?: number; SearchKey?: string }) {
-    const client = await this.getSslClient();
-    const res = await client.DescribeCertificates({
+    return await this.doRequest("DescribeCertificates", {
      ExpirationSort: "ASC",
      ...params,
    });
-    this.checkRet(res);
-    return res;
  }

  async doRequest(action: string, params: any) {
    const client = await this.getSslClient();
-    if (!client[action]) {
-      throw new Error(`action ${action} not found`);
+    try {
+      const res = await client.request(action, params);
+      this.checkRet(res);
+      return res;
+    } catch (e) {
+      this.logger.error(`action ${action} error: ${e.message},requestId=${e.RequestId}`);
+      throw e;
    }
-    const res = await client[action](params);
-    this.checkRet(res);
-    return res;
  }
 }
@@ -3,6 +3,18 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+### Bug Fixes
+
+* 修复备注撑开表格行高的bug ([c7b298c](https://github.com/certd/certd/commit/c7b298c46f0d52b43bd2bb17b374e7970a446446))
+* 修复域名管理无法创建tencent-eo dns授权的bug ([3406bb5](https://github.com/certd/certd/commit/3406bb5a4a56bb310cddc1a1f410c70909fd129b))
+
+### Performance Improvements
+
+* 优化天翼云cdn 等待5秒部署完成 ([53c88ad](https://github.com/certd/certd/commit/53c88ad5afe66a3f7c38b9b759747918913a4edc))
+* 支持oidc单点登录 ([ec75afb](https://github.com/certd/certd/commit/ec75afbc44139dbe9da534d8a8c08a5b91f86d3c))
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 ### Performance Improvements
@@ -1,6 +1,6 @@
 {
  "name": "@certd/ui-client",
-  "version": "1.37.10",
+  "version": "1.37.11",
  "private": true,
  "scripts": {
    "dev": "vite --open",
@@ -106,8 +106,8 @@
    "zod-defaults": "^0.1.3"
  },
  "devDependencies": {
-    "@certd/lib-iframe": "^1.37.10",
-    "@certd/pipeline": "^1.37.10",
+    "@certd/lib-iframe": "^1.37.11",
+    "@certd/pipeline": "^1.37.11",
    "@rollup/plugin-commonjs": "^25.0.7",
    "@rollup/plugin-node-resolve": "^15.2.3",
    "@types/chai": "^4.3.12",
@@ -1,8 +1,8 @@
 <template>
  <div id="userLayout" :class="['user-layout-wrapper']">
-    <div class="login-container flex-center">
-      <div class="user-layout-content flex-center flex-col">
-        <div class="top flex flex-col items-center justify-center">
+    <div class="login-container flex justify-start">
+      <div class="user-layout-content flex-col justify-start">
+        <div class="top flex flex-col items-center justify-start">
          <div class="header flex flex-row items-center">
            <img :src="siteInfo.loginLogo" class="logo" alt="logo" />
            <span class="title"></span>
@@ -10,8 +10,9 @@
          <div class="desc">{{ siteInfo.slogan }}</div>
        </div>

-        <router-view />
-
+        <div class="flex-1 flex flex-col justify-start items-center">
+          <router-view />
+        </div>
        <div class="footer">
          <div class="copyright">
            <span v-if="!settingStore.isComm">
@@ -57,6 +57,7 @@ export default {
  passwordPlaceholder: "Please enter your password",
  mobilePlaceholder: "Please enter your mobile number",
  loginButton: "Log In",
+  bindButton: "Bind Account",
  forgotPassword: "Forgot password?",
  forgotAdminPassword: "Forgot admin password?",
  registerLink: "Register",
@@ -760,6 +760,13 @@ export default {
      fixedCertExpireDays: "Fixed Cert Expire Days",
      fixedCertExpireDaysHelper: "Fixed cert expiration days, helpful for table list progress bar display",
      fixedCertExpireDaysRecommend: "Recommend 90",
+
+      enableOauth: "Enable OAuth2 Login",
+      oauthEnabledHelper: "Whether to enable OAuth2 login",
+      oauthProviders: "OAuth2 Login Providers",
+      oauthType: "OAuth2 Login Type",
+      oauthConfig: "OAuth2 Login Config",
+      oauthProviderSelectorPlaceholder: "Please select OAuth2 login provider",
    },
  },
  modal: {
@@ -57,6 +57,7 @@ export default {
  passwordPlaceholder: "请输入密码",
  mobilePlaceholder: "请输入手机号",
  loginButton: "登录",
+  bindButton: "绑定账号",
  forgotPassword: "忘记密码？",
  forgotAdminPassword: "忘记管理员密码？",
  registerLink: "注册",
@@ -604,7 +604,7 @@ export default {
  limitUserPipelineCountHelper: "0为不限制",
  enableSelfRegistration: "开启自助注册",
  enableUserValidityPeriod: "开启用户有效期",
-  userValidityPeriodHelper: "有效期内用户可正常使用，失效后流水线将被停用",
+  userValidityPeriodHelper: "有效期内用户可正常使用，失效后用户的流水线将被停用",
  enableUsernameRegistration: "开启用户名注册",
  enableEmailRegistration: "开启邮箱注册",
  proFeature: "专业版功能",
@@ -761,6 +761,13 @@ export default {
      fixedCertExpireDays: "固定证书有效期天数",
      fixedCertExpireDaysHelper: "固定证书有效期天数，有助于列表进度条整齐显示",
      fixedCertExpireDaysRecommend: "推荐90",
+
+      enableOauth: "启用第三方登录",
+      oauthEnabledHelper: "是否启用第三方登录",
+      oauthProviders: "第三方登录提供商",
+      oauthType: "第三方登录类型",
+      oauthConfig: "第三方登录配置",
+      oauthProviderSelectorPlaceholder: "请选择第三方登录提供商",
    },
  },
  modal: {
@@ -32,6 +32,14 @@ export const outsideResource = [
        path: "/forgotPassword",
        component: "/framework/forgot-password/index.vue",
      },
+      {
+        meta: {
+          title: "第三方登录回调",
+        },
+        name: "oauthCallback",
+        path: "/oauth/callback/:type",
+        component: "/framework/oauth/oauth-callback.vue",
+      },
    ],
  },
  ...errorPage,
@@ -59,6 +59,17 @@ export type SysPublicSetting = {

  // 固定证书有效期天数，0表示不固定
  fixedCertExpireDays?: number;
+
+  // 第三方OAuth配置
+  oauthEnabled?: boolean;
+  oauthProviders?: Record<
+    string,
+    {
+      type: string;
+      title: string;
+      addonId: number;
+    }
+  >;
 };
 export type SuiteSetting = {
  enabled?: boolean;
@@ -82,6 +82,7 @@ function createCrudOptionsWithApi(opts: any) {
  opts.context = {
    api,
    addonType: props.addonType,
+    type: props.type,
  };
  return createCrudOptions(opts);
 }
@@ -110,7 +110,8 @@ export function getCommonColumnDefine(crudExpose: any, typeRef: any, api: any, a
      type: "dict-select",
      dict: addonTypeDictRef,
      search: {
-        show: false,
+        show: true,
+        valueChange: null,
      },
      column: {
        width: 200,
@@ -5,7 +5,12 @@ import { AddReq, CreateCrudOptionsProps, CreateCrudOptionsRet, DelReq, EditReq,
 export default function ({ crudExpose, context }: CreateCrudOptionsProps): CreateCrudOptionsRet {
  const api = context.api;
  const addonType = context.addonType;
+  const type = context.type;
  const pageRequest = async (query: UserPageQuery): Promise<UserPageRes> => {
+    if (query.query?.body) {
+      delete query.query.body;
+    }
+
    return await api.GetList(query);
  };
  const editRequest = async (req: EditReq) => {
@@ -44,6 +49,12 @@ export default function ({ crudExpose, context }: CreateCrudOptionsProps): Creat
          },
        },
      },
+      addForm: {
+        initialForm: {
+          addonType: addonType,
+          type: type,
+        },
+      },
      rowHandle: {
        width: 200,
      },
@@ -184,7 +184,8 @@ export default function ({ crudExpose, context }: CreateCrudOptionsProps): Creat
              name: "AccessSelector",
              vModel: "modelValue",
              type: compute(({ form }) => {
-                return form.dnsProviderType;
+                const type = form.dnsProviderType || "aliyun";
+                return dnsProviderTypeDict?.dataMap[type]?.accessType;
              }),
            },
            show: compute(({ form }) => {
@@ -22,3 +22,36 @@ export async function UpdateProfile(form: any) {
    data: form,
  });
 }
+
+export async function GetOauthBounds() {
+  return await request({
+    url: "/oauth/bounds",
+    method: "POST",
+  });
+}
+
+export async function GetOauthProviders() {
+  return await request({
+    url: "/oauth/providers",
+    method: "POST",
+  });
+}
+
+export async function UnbindOauth(type: string) {
+  return await request({
+    url: "/oauth/unbind",
+    method: "POST",
+    data: { type },
+  });
+}
+
+export async function OauthBoundUrl(type: string) {
+  return await request({
+    url: "/oauth/login",
+    method: "POST",
+    data: {
+      type,
+      forType: "bind",
+    },
+  });
+}
@@ -15,7 +15,14 @@
        </a-descriptions-item>
        <a-descriptions-item :label="t('authentication.email')">{{ userInfo.email }}</a-descriptions-item>
        <a-descriptions-item :label="t('authentication.phoneNumber')">{{ userInfo.phoneCode }}{{ userInfo.mobile }}</a-descriptions-item>
-        <a-descriptions-item></a-descriptions-item>
+        <a-descriptions-item v-if="settingStore.sysPublic.oauthEnabled && settingStore.isPlus" label="第三方账号绑定">
+          <div v-for="item in computedOauthBounds" :key="item.name" class="flex items-center gap-2">
+            <fs-icon :icon="item.icon" class="mr-2 text-blue-500" />
+            <span class="mr-2 w-36">{{ item.title }}</span>
+            <a-button v-if="item.bound" type="link" danger @click="unbind(item.name)">解绑</a-button>
+            <a-button v-else type="primary" @click="bind(item.name)">绑定</a-button>
+          </div>
+        </a-descriptions-item>
        <a-descriptions-item :label="t('common.handle')">
          <a-button type="primary" @click="doUpdate">{{ t("authentication.updateProfile") }}</a-button>
          <change-password-button class="ml-10" :show-button="true"> </change-password-button>
@@ -27,10 +34,12 @@

 <script lang="ts" setup>
 import * as api from "./api";
-import { Ref, ref } from "vue";
+import { computed, onMounted, Ref, ref } from "vue";
 import ChangePasswordButton from "/@/views/certd/mine/change-password-button.vue";
 import { useI18n } from "/src/locales";
 import { useUserProfile } from "./use";
+import { Modal } from "ant-design-vue";
+import { useSettingStore } from "/@/store/settings";

 const { t } = useI18n();

@@ -38,13 +47,13 @@ defineOptions({
  name: "UserProfile",
 });

+const settingStore = useSettingStore();
+
 const userInfo: Ref = ref({});

 const getUserInfo = async () => {
  userInfo.value = await api.getMineInfo();
 };
-getUserInfo();
-
 const { openEditProfileDialog } = useUserProfile();

 function doUpdate() {
@@ -54,4 +63,51 @@ function doUpdate() {
    },
  });
 }
+
+const oauthBounds = ref([]);
+const oauthProviders = ref([]);
+async function loadOauthBounds() {
+  const res = await api.GetOauthBounds();
+  oauthBounds.value = res;
+}
+async function loadOauthProviders() {
+  const res = await api.GetOauthProviders();
+  oauthProviders.value = res;
+}
+
+const computedOauthBounds = computed(() => {
+  const list = oauthProviders.value.map(item => {
+    const bound = oauthBounds.value.find(bound => bound.type === item.name);
+    return {
+      ...item,
+      bound,
+    };
+  });
+  return list;
+});
+
+async function unbind(type: string) {
+  Modal.confirm({
+    title: "确认解绑吗？",
+    okText: "确认",
+    okType: "danger",
+    onOk: async () => {
+      await api.UnbindOauth(type);
+      await loadOauthBounds();
+    },
+  });
+}
+
+async function bind(type: string) {
+  //获取第三方登录URL
+  const res = await api.OauthBoundUrl(type);
+  const loginUrl = res.loginUrl;
+  window.location.href = loginUrl;
+}
+
+onMounted(async () => {
+  await getUserInfo();
+  await loadOauthBounds();
+  await loadOauthProviders();
+});
 </script>
@@ -559,6 +559,7 @@ export default function ({ crudExpose, context }: CreateCrudOptionsProps): Creat
          column: {
            width: 200,
            sorter: true,
+            ellipsis: true,
            cellRender({ value }) {
              return <a-tooltip title={value}>{value}</a-tooltip>;
            },
@@ -350,6 +350,7 @@ export default function ({ crudExpose, context }: CreateCrudOptionsProps): Creat
            show: false,
          },
          column: {
+            ellipsis: true,
            width: 200,
            sorter: true,
            tooltip: true,
@@ -48,24 +48,26 @@
      </a-tabs>
      <a-form-item>
        <a-button type="primary" size="large" html-type="button" :loading="loading" class="login-button" @click="handleFinish">
-          {{ t("authentication.loginButton") }}
+          {{ queryBindCode ? t("authentication.bindButton") : t("authentication.loginButton") }}
        </a-button>

-        <div v-if="!!settingStore.sysPublic.selfServicePasswordRetrievalEnabled" class="mt-2">
-          <router-link :to="{ name: 'forgotPassword' }">
-            {{ t("authentication.forgotPassword") }}
-          </router-link>
-        </div>
-      </a-form-item>
+        <div class="mt-2 flex justify-between items-center">
+          <div class="flex items-center gap-2">
+            <language-toggle class="text-blue-500"></language-toggle>
+            <router-link v-if="!!settingStore.sysPublic.selfServicePasswordRetrievalEnabled && !queryBindCode" :to="{ name: 'forgotPassword' }">
+              {{ t("authentication.forgotPassword") }}
+            </router-link>
+          </div>

-      <a-form-item class="user-login-other">
-        <div class="flex flex-between justify-between items-center">
-          <language-toggle class="color-blue"></language-toggle>
-          <router-link v-if="hasRegisterTypeEnabled()" class="register" :to="{ name: 'register' }">
+          <router-link v-if="hasRegisterTypeEnabled() && !queryBindCode" class="register" :to="{ name: 'register' }">
            {{ t("authentication.registerLink") }}
          </router-link>
        </div>
      </a-form-item>
+
+      <div v-if="!queryBindCode && settingStore.sysPublic.oauthEnabled && settingStore.isPlus" class="w-full">
+        <oauth-footer></oauth-footer>
+      </div>
    </a-form>
    <a-form v-else ref="twoFactorFormRef" class="user-layout-login" :model="twoFactor" v-bind="layout">
      <div class="mb-10 flex flex-center">请打开您的Authenticator APP，获取动态验证码。</div>
@@ -80,7 +82,7 @@
        <loading-button type="primary" size="large" html-type="button" class="login-button" :click="handleTwoFactorSubmit">OTP验证登录</loading-button>
      </a-form-item>

-      <a-form-item class="user-login-other">
+      <a-form-item class="mt-10">
        <a class="register" @click="twoFactor.loginId = null"> 返回 </a>
      </a-form-item>
    </a-form>
@@ -96,12 +98,18 @@ import { useI18n } from "/@/locales";
 import { LanguageToggle } from "/@/vben/layouts";
 import CaptchaInput from "/@/components/captcha/captcha-input.vue";
 import { useRoute } from "vue-router";
+import OauthFooter from "/@/views/framework/oauth/oauth-footer.vue";
+import * as oauthApi from "../oauth/api";
+import { notification } from "ant-design-vue";
 export default defineComponent({
  name: "LoginPage",
-  components: { LanguageToggle, SmsCode, CaptchaInput },
+  components: { LanguageToggle, SmsCode, CaptchaInput, OauthFooter },
  setup() {
    const { t } = useI18n();
    const route = useRoute();
+
+    const queryBindCode = ref(route.query.bindCode as string | undefined);
+
    const urlLoginType = route.query.loginType as string | undefined;
    const verifyCodeInputRef = ref();
    const loading = ref(false);
@@ -160,6 +168,13 @@ export default defineComponent({
      },
    };

+    async function afterLoginSuccess() {
+      if (queryBindCode.value) {
+        await oauthApi.BindUser(queryBindCode.value);
+        notification.success({ message: "绑定第三方账号成功" });
+      }
+    }
+
    const twoFactor = reactive({
      loginId: "",
      verifyCode: "",
@@ -167,6 +182,7 @@ export default defineComponent({

    const handleTwoFactorSubmit = async () => {
      await userStore.loginByTwoFactor(twoFactor);
+      afterLoginSuccess();
    };

    const handleFinish = async () => {
@@ -178,6 +194,7 @@ export default defineComponent({
        // }
        const loginType = formState.loginType;
        await userStore.login(loginType, toRaw(formState));
+        afterLoginSuccess();
      } catch (e: any) {
        //@ts-ignore
        if (e.code === 10020) {
@@ -233,6 +250,7 @@ export default defineComponent({
      settingStore,
      captchaInputRef,
      captchaInputForSmsCode,
+      queryBindCode,
    };
  },
 });
@@ -0,0 +1,53 @@
+import { request } from "/src/api/service";
+
+const apiPrefix = "/oauth";
+
+export async function OauthLogin(type: string, forType?: string) {
+  return await request({
+    url: apiPrefix + `/login`,
+    method: "post",
+    data: {
+      type,
+      forType: forType || "login",
+    },
+  });
+}
+
+export async function OauthToken(type: string, validationCode: string) {
+  return await request({
+    url: apiPrefix + `/token`,
+    method: "post",
+    data: {
+      type,
+      validationCode,
+    },
+  });
+}
+
+export async function AutoRegister(type: string, code: string) {
+  return await request({
+    url: apiPrefix + `/autoRegister`,
+    method: "post",
+    data: {
+      validationCode: code,
+      type,
+    },
+  });
+}
+
+export async function BindUser(code: string) {
+  return await request({
+    url: apiPrefix + `/bind`,
+    method: "post",
+    data: {
+      validationCode: code,
+    },
+  });
+}
+
+export async function GetOauthProviders() {
+  return await request({
+    url: apiPrefix + "/providers",
+    method: "post",
+  });
+}
@@ -0,0 +1,127 @@
+<template>
+  <div class="oauth-callback-page">
+    <div class="oauth-callback-content">
+      <div v-if="!bindRequired" class="oauth-callback-title">
+        <span v-if="!error">登录中...</span>
+        <span v-else>{{ error }}</span>
+      </div>
+      <div v-else class="oauth-callback-title mt-10">
+        <div>第三方（{{ oauthType }}）登录成功，您还未绑定账号，请选择</div>
+
+        <div class="mt-10">
+          <a-button class="w-full mt-10" type="primary" @click="goBindUser">绑定已有账号</a-button>
+          <a-button v-if="settingStore.sysPublic.registerEnabled" class="w-full mt-10" type="primary" @click="autoRegister">创建新账号</a-button>
+        </div>
+
+        <div class="w-full mt-10">
+          <router-link to="/login" class="w-full mt-10" type="primary">返回登录页</router-link>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { ref, onMounted } from "vue";
+import * as api from "./api";
+import { useRoute, useRouter } from "vue-router";
+import { useUserStore } from "/@/store/user";
+import { notification } from "ant-design-vue";
+import { useSettingStore } from "/@/store/settings";
+
+const route = useRoute();
+const router = useRouter();
+const settingStore = useSettingStore();
+const oauthType = route.params.type as string;
+const validationCode = route.query.validationCode as string;
+const forType = route.query.forType as string;
+const error = ref(route.query.error as string);
+const userStore = useUserStore();
+
+const bindRequired = ref(false);
+const bindCode = ref("");
+
+async function handleOauthToken() {
+  //处理第三方登录回调
+  const res = await api.OauthToken(oauthType, validationCode);
+  if (res.token) {
+    //登录成功
+    userStore.onLoginSuccess(res);
+    //跳转到首页
+    router.replace("/");
+    return;
+  }
+  if (res.bindRequired) {
+    //需要绑定
+    bindRequired.value = true;
+    bindCode.value = res.validationCode;
+  }
+}
+
+onMounted(async () => {
+  if (error.value) {
+    return;
+  }
+
+  if (forType === "bind") {
+    //绑定第三方账号
+    await api.BindUser(validationCode);
+    notification.success({
+      message: "绑定成功",
+    });
+    //跳转到首页
+    router.replace("/certd/mine/user-profile");
+    return;
+  }
+
+  await handleOauthToken();
+});
+
+async function goBindUser() {
+  //绑定已有账号
+  router.replace({
+    path: "/login",
+    query: {
+      bindCode: bindCode.value,
+    },
+  });
+}
+
+async function autoRegister() {
+  //自动注册账号
+  const res = await api.AutoRegister(oauthType, bindCode.value);
+  //登录成功
+  userStore.onLoginSuccess(res);
+  //跳转到首页
+  router.replace("/");
+}
+</script>
+<style lang="less">
+.oauth-callback-page {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+  gap: 16px;
+  width: 100%;
+  .oauth-callback-content {
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    gap: 16px;
+    padding: 16px;
+    border-radius: 16px;
+    box-shadow: 0 0 16px rgba(0, 0, 0, 0.1);
+    width: 500px;
+    max-width: 90%;
+    margin: 0 auto;
+    margin-top: 50px;
+    margin-bottom: 100px;
+    min-height: 200px;
+
+    .oauth-callback-title {
+      font-size: 16px;
+      font-weight: 500;
+    }
+  }
+}
+</style>
@@ -0,0 +1,85 @@
+<template>
+  <div class="oauth-footer relative">
+    <div class="oauth-title">
+      <div class="oauth-title-text">其他方式登录</div>
+    </div>
+    <div v-for="item in oauthList" :key="item.type">
+      <div class="oauth-icon-button pointer" @click="goOauthLogin(item.name)">
+        <div><fs-icon :icon="item.icon" class="text-blue-600 text-40" /></div>
+        <div>{{ item.title }}</div>
+      </div>
+    </div>
+  </div>
+</template>
+<script setup lang="ts">
+import { onMounted, ref } from "vue";
+import * as api from "./api";
+
+const oauthList = ref([]);
+
+onMounted(async () => {
+  oauthList.value = await api.GetOauthProviders();
+});
+
+async function goOauthLogin(type: string) {
+  //获取第三方登录URL
+  const res = await api.OauthLogin(type);
+  const loginUrl = res.loginUrl;
+  window.location.href = loginUrl;
+}
+</script>
+<style lang="less">
+.oauth-footer {
+  width: 100%;
+  display: flex;
+  flex-direction: column;
+  justify-content: center;
+  align-items: center;
+  gap: 16px;
+
+  .oauth-title {
+    width: 100%;
+    font-size: 14px;
+    font-weight: 500;
+    color: #8c8c8c;
+    position: relative;
+    .oauth-title-text {
+      position: relative;
+      z-index: 1;
+      text-align: center;
+      &::after {
+        content: "";
+        position: absolute;
+        top: 50%;
+        left: 0;
+        width: 36%;
+        height: 0.5px;
+        background-color: #8c8c8c;
+      }
+      &::before {
+        content: "";
+        position: absolute;
+        top: 50%;
+        right: 0;
+        width: 36%;
+        height: 0.5px;
+        background-color: #8c8c8c;
+      }
+    }
+  }
+
+  .oauth-icon-button {
+    display: flex;
+    flex-direction: column;
+    justify-content: center;
+    align-items: center;
+    gap: 8px;
+    padding: 8px 8px;
+    border-radius: 100px;
+    .fs-icon {
+      font-size: 36px;
+      color: #006be6 !important;
+    }
+  }
+}
+</style>
@@ -111,3 +111,10 @@ export async function GetSmsTypeDefine(type: string) {
    },
  });
 }
+
+export async function GetOauthProviders() {
+  return await request({
+    url: apiPrefix + "/oauth/providers",
+    method: "post",
+  });
+}
@@ -66,7 +66,7 @@ function onChange(value: string) {
 <style lang="less">
 .page-sys-settings {
  .sys-settings-form {
-    width: 800px;
+    width: 900px;
    max-width: 100%;
    padding: 20px;
  }
@@ -56,6 +56,38 @@
        </template>
      </template>

+      <a-form-item :label="t('certd.sys.setting.enableOauth')" :name="['public', 'oauthEnabled']">
+        <div class="flex-o">
+          <a-switch v-model:checked="formState.public.oauthEnabled" :disabled="!settingsStore.isPlus" :title="t('certd.plusFeature')" />
+          <vip-button class="ml-5" mode="button"></vip-button>
+        </div>
+      </a-form-item>
+      <a-form-item v-if="formState.public.oauthEnabled" :label="t('certd.sys.setting.oauthProviders')" :name="['public', 'oauthProviders']">
+        <div class="flex flex-wrap">
+          <table class="w-full table-auto border-collapse border border-gray-400">
+            <thead>
+              <tr>
+                <th class="border border-gray-300 px-4 py-2 w-1/2">{{ t("certd.sys.setting.oauthType") }}</th>
+                <th class="border border-gray-300 px-4 py-2 w-1/2">{{ t("certd.sys.setting.oauthConfig") }}</th>
+              </tr>
+            </thead>
+            <tbody>
+              <tr v-for="(item, key) of oauthProviders" :key="key">
+                <td class="border border-gray-300 px-4 py-2">
+                  <div class="flex items-center" :title="item.desc">
+                    <fs-icon :icon="item.icon" class="mr-2 text-blue-600" />
+                    {{ item.title }}
+                  </div>
+                </td>
+                <td class="border border-gray-300 px-4 py-2">
+                  <AddonSelector v-model:model-value="item.addonId" addon-type="oauth" from="sys" :type="item.name" :placeholder="t('certd.sys.setting.oauthProviderSelectorPlaceholder')" />
+                </td>
+              </tr>
+            </tbody>
+          </table>
+        </div>
+      </a-form-item>
+
      <a-form-item label=" " :colon="false" :wrapper-col="{ span: 16 }">
        <a-button :loading="saveLoading" type="primary" html-type="submit">{{ t("certd.saveButton") }}</a-button>
      </a-form-item>
@@ -64,14 +96,14 @@
 </template>

 <script setup lang="tsx">
-import { reactive, ref, Ref } from "vue";
+import { computed, reactive, ref, Ref } from "vue";
 import { GetSmsTypeDefine, SysSettings } from "/@/views/sys/settings/api";
 import * as api from "/@/views/sys/settings/api";
 import { merge } from "lodash-es";
 import { useSettingStore } from "/@/store/settings";
 import { notification } from "ant-design-vue";
 import { useI18n } from "/src/locales";
-
+import AddonSelector from "../../../certd/addon/addon-selector/index.vue";
 const { t } = useI18n();

 defineOptions({
@@ -158,6 +190,34 @@ async function loadTypeDefine(type: string) {
  smsTypeDefineInputs.value = inputs;
 }

+const oauthProviders = ref([]);
+async function loadOauthProviders() {
+  let list: any = await api.GetOauthProviders();
+  oauthProviders.value = list;
+  for (const item of list) {
+    const type = item.name;
+    const provider = formState.public.oauthProviders?.[type];
+    if (provider) {
+      item.addonId = provider.addonId;
+    }
+  }
+}
+
+function fillOauthProviders(form: any) {
+  const providers: any = {};
+  for (const item of oauthProviders.value) {
+    const type = item.name;
+    providers[type] = {
+      type: type,
+      title: item.title,
+      icon: item.icon,
+      addonId: item.addonId || null,
+    };
+  }
+  form.public.oauthProviders = providers;
+  return providers;
+}
+
 async function loadSysSettings() {
  const data: any = await api.SysSettingsGet();
  merge(formState, data);
@@ -172,6 +232,7 @@ async function loadSysSettings() {
  if (!settingsStore.isComm) {
    formState.public.smsLoginEnabled = false;
  }
+  await loadOauthProviders();
 }

 const saveLoading = ref(false);
@@ -180,6 +241,7 @@ const settingsStore = useSettingStore();
 const onFinish = async (form: any) => {
  try {
    saveLoading.value = true;
+    fillOauthProviders(form);
    await api.SysSettingsSave(form);
    await settingsStore.loadSysSettings();
    notification.success({
@@ -3,6 +3,18 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.37.11](https://github.com/certd/certd/compare/v1.37.10...v1.37.11) (2025-11-28)
+
+### Bug Fixes
+
+* 修复阿里云 waf tlsVersion参数缺失导致部署失败的问题 ([2fabee6](https://github.com/certd/certd/commit/2fabee647acf64afe689f5bea3603028cd0ba4a2))
+* 修复域名管理无法创建tencent-eo dns授权的bug ([3406bb5](https://github.com/certd/certd/commit/3406bb5a4a56bb310cddc1a1f410c70909fd129b))
+
+### Performance Improvements
+
+* 优化天翼云cdn 等待5秒部署完成 ([53c88ad](https://github.com/certd/certd/commit/53c88ad5afe66a3f7c38b9b759747918913a4edc))
+* 支持oidc单点登录 ([ec75afb](https://github.com/certd/certd/commit/ec75afbc44139dbe9da534d8a8c08a5b91f86d3c))
+
 ## [1.37.10](https://github.com/certd/certd/compare/v1.37.9...v1.37.10) (2025-11-19)

 ### Performance Improvements
@@ -0,0 +1,14 @@
+
+CREATE TABLE `cd_oauth_bound`
+(
+  `id`          bigint PRIMARY KEY AUTO_INCREMENT NOT NULL,
+  `user_id`     bigint      NOT NULL,
+  `type`        varchar(512) NOT NULL,
+  `open_id`     varchar(512) NOT NULL,
+  `create_time` timestamp     NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  `update_time` timestamp     NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+
+CREATE INDEX `index_oauth_bound_user_id` ON `cd_oauth_bound` (`user_id`);
+CREATE INDEX `index_oauth_bound_open_id` ON `cd_oauth_bound` (`open_id`);
@@ -0,0 +1,14 @@
+
+CREATE TABLE "cd_oauth_bound"
+(
+  "id"          bigint PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY NOT NULL,
+  "user_id"     bigint      NOT NULL,
+  "type"        varchar(512) NOT NULL,
+  "open_id"     varchar(512) NOT NULL,
+  "create_time" timestamp     NOT NULL DEFAULT (CURRENT_TIMESTAMP),
+  "update_time" timestamp     NOT NULL DEFAULT (CURRENT_TIMESTAMP)
+);
+
+
+CREATE INDEX "index_oauth_bound_user_id" ON "cd_oauth_bound" ("user_id");
+CREATE INDEX "index_oauth_bound_open_id" ON "cd_oauth_bound" ("open_id");
@@ -0,0 +1,14 @@
+
+CREATE TABLE "cd_oauth_bound"
+(
+  "id"          integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+  "user_id"     integer      NOT NULL,
+  "type"        varchar(512) NOT NULL,
+  "open_id"     varchar(512) NOT NULL,
+  "create_time" datetime     NOT NULL DEFAULT (CURRENT_TIMESTAMP),
+  "update_time" datetime     NOT NULL DEFAULT (CURRENT_TIMESTAMP)
+);
+
+
+CREATE INDEX "index_oauth_bound_user_id" ON "cd_oauth_bound" ("user_id");
+CREATE INDEX "index_oauth_bound_open_id" ON "cd_oauth_bound" ("open_id");
@@ -1,6 +1,6 @@
 {
  "name": "@certd/ui-server",
-  "version": "1.37.10",
+  "version": "1.37.11",
  "description": "fast-server base midway",
  "private": true,
  "type": "module",
@@ -45,20 +45,20 @@
    "@aws-sdk/client-cloudfront": "^3.699.0",
    "@aws-sdk/client-iam": "^3.699.0",
    "@aws-sdk/client-s3": "^3.705.0",
-    "@certd/acme-client": "^1.37.10",
-    "@certd/basic": "^1.37.10",
-    "@certd/commercial-core": "^1.37.10",
+    "@certd/acme-client": "^1.37.11",
+    "@certd/basic": "^1.37.11",
+    "@certd/commercial-core": "^1.37.11",
    "@certd/cv4pve-api-javascript": "^8.4.2",
-    "@certd/jdcloud": "^1.37.10",
-    "@certd/lib-huawei": "^1.37.10",
-    "@certd/lib-k8s": "^1.37.10",
-    "@certd/lib-server": "^1.37.10",
-    "@certd/midway-flyway-js": "^1.37.10",
-    "@certd/pipeline": "^1.37.10",
-    "@certd/plugin-cert": "^1.37.10",
-    "@certd/plugin-lib": "^1.37.10",
-    "@certd/plugin-plus": "^1.37.10",
-    "@certd/plus-core": "^1.37.10",
+    "@certd/jdcloud": "^1.37.11",
+    "@certd/lib-huawei": "^1.37.11",
+    "@certd/lib-k8s": "^1.37.11",
+    "@certd/lib-server": "^1.37.11",
+    "@certd/midway-flyway-js": "^1.37.11",
+    "@certd/pipeline": "^1.37.11",
+    "@certd/plugin-cert": "^1.37.11",
+    "@certd/plugin-lib": "^1.37.11",
+    "@certd/plugin-plus": "^1.37.11",
+    "@certd/plus-core": "^1.37.11",
    "@huaweicloud/huaweicloud-sdk-cdn": "^3.1.120",
    "@huaweicloud/huaweicloud-sdk-core": "^3.1.120",
    "@koa/cors": "^5.0.0",
@@ -8,7 +8,7 @@ import { LoginService } from "../../../modules/login/service/login-service.js";
 */
@Provide()
@Controller('/api')
-export class LoginController extends BaseController {
+export class ForgotPasswordController extends BaseController {
  @Inject()
  loginService: LoginService;
  @Inject()
@@ -0,0 +1,226 @@
+import { addonRegistry, BaseController, Constants, SysInstallInfo, SysSettingsService } from "@certd/lib-server";
+import { ALL, Body, Controller, Get, Inject, Param, Post, Provide, Query } from "@midwayjs/core";
+import { AddonGetterService } from "../../../modules/pipeline/service/addon-getter-service.js";
+import { IOauthProvider } from "../../../plugins/plugin-oauth/api.js";
+import { LoginService } from "../../../modules/login/service/login-service.js";
+import { CodeService } from "../../../modules/basic/service/code-service.js";
+import { UserService } from "../../../modules/sys/authority/service/user-service.js";
+import { UserEntity } from "../../../modules/sys/authority/entity/user.js";
+import { logger, simpleNanoId, utils } from "@certd/basic";
+import { OauthBoundService } from "../../../modules/login/service/oauth-bound-service.js";
+import { OauthBoundEntity } from "../../../modules/login/entity/oauth-bound.js";
+import { checkPlus } from "@certd/plus-core";
+
+/**
+ */
+@Provide()
+@Controller('/api/oauth')
+export class ConnectController extends BaseController {
+
+  @Inject()
+  addonGetterService: AddonGetterService;
+  @Inject()
+  sysSettingsService: SysSettingsService;
+  @Inject()
+  loginService: LoginService;
+  @Inject()
+  codeService: CodeService;
+  @Inject()
+  userService: UserService;
+
+  @Inject()
+  oauthBoundService: OauthBoundService;
+
+
+
+  private async getOauthProvider(type: string) {
+    const publicSettings = await this.sysSettingsService.getPublicSettings()
+    if (!publicSettings?.oauthEnabled) {
+      throw new Error("OAuth功能未启用");
+    }
+    const setting = publicSettings?.oauthProviders?.[type || ""]
+    if (!setting) {
+      throw new Error(`未配置该OAuth类型:${type}`);
+    }
+
+    const addon = await this.addonGetterService.getAddonById(setting.addonId, true, 0);
+    if (!addon) {
+      throw new Error("初始化OAuth插件失败");
+    }
+    return addon as IOauthProvider;
+  }
+
+  @Post('/login', { summary: Constants.per.guest })
+  public async login(@Body(ALL) body: { type: string, forType?:string }) {
+
+    const addon = await this.getOauthProvider(body.type);
+    const installInfo = await this.sysSettingsService.getSetting<SysInstallInfo>(SysInstallInfo);
+    const bindUrl = installInfo?.bindUrl || "";
+    //构造登录url
+    const redirectUrl = `${bindUrl}api/oauth/callback/${body.type}`;
+    const { loginUrl, ticketValue } = await addon.buildLoginUrl({ redirectUri: redirectUrl, forType: body.forType });
+    const ticket = this.codeService.setValidationValue(ticketValue)
+    this.ctx.cookies.set("oauth_ticket", ticket, {
+      httpOnly: true,
+      // secure: true,
+      // sameSite: "strict",
+    })
+    return this.ok({ loginUrl, ticket });
+  }
+  @Get('/callback/:type', { summary: Constants.per.guest })
+  public async callback(@Param('type') type: string, @Query() query: Record<string, string>) {
+
+    checkPlus()
+
+    //处理登录回调
+    const addon = await this.getOauthProvider(type);
+    const request = this.ctx.request;
+    // const ticketValue = this.codeService.getValidationValue(ticket);
+    // if (!ticketValue) {
+    //   throw new Error("登录ticket已过期");
+    // }
+
+    const ticket = this.ctx.cookies.get("oauth_ticket");
+    if (!ticket) {
+      throw new Error("ticket已过期");
+    }
+    const ticketValue = this.codeService.getValidationValue(ticket);
+    if (!ticketValue) {
+      throw new Error("ticketValue已过期");
+    }
+
+    const installInfo = await this.sysSettingsService.getSetting<SysInstallInfo>(SysInstallInfo);
+    const bindUrl = installInfo?.bindUrl || "";
+    const currentUrl = `${bindUrl}api/oauth/callback/${type}?${request.querystring}`
+    try {
+      const tokenRes = await addon.onCallback({
+        code: query.code,
+        state: query.state,
+        ticketValue,
+        currentURL: new URL(currentUrl)
+      });
+
+      const userInfo = tokenRes.userInfo;
+
+      const validationCode = await this.codeService.setValidationValue({
+        type,
+        userInfo,
+      });
+
+      const state = JSON.parse(utils.hash.base64Decode(query.state));
+
+      const redirectUrl = `${bindUrl}#/oauth/callback/${type}?validationCode=${validationCode}&forType=${state.forType}`;
+      this.ctx.redirect(redirectUrl);
+    } catch (err) {
+      logger.error(err);
+      this.ctx.redirect(`${bindUrl}#/oauth/callback/${type}?error=${err.error_description || err.message}`);
+    }
+
+  }
+
+
+  @Post('/token', { summary: Constants.per.guest })
+  public async token(@Body(ALL) body: { validationCode: string, type: string }) {
+    checkPlus()
+    const validationValue = await this.codeService.getValidationValue(body.validationCode);
+    if (!validationValue) {
+      throw new Error("校验码错误");
+    }
+
+    const type = validationValue.type;
+    if (type !== body.type) {
+      throw new Error("校验码错误");
+    }
+    const userInfo = validationValue.userInfo;
+    const openId = userInfo.openId;
+
+    const loginRes = await this.loginService.loginByOpenId({ openId, type });
+    if (loginRes == null) {
+
+      return this.ok({
+        bindRequired: true,
+        validationCode: body.validationCode,
+      });
+    }
+
+    //返回登录成功token
+    return this.ok(loginRes);
+  }
+
+
+  @Post('/autoRegister', { summary: Constants.per.guest })
+  public async autoRegister(@Body(ALL) body: { validationCode: string, type: string }) {
+
+    const validationValue = this.codeService.getValidationValue(body.validationCode);
+    if (!validationValue) {
+      throw new Error("第三方认证授权已过期");
+    }
+    const userInfo = validationValue.userInfo;
+    const oauthType = validationValue.type;
+    let newUser = new UserEntity()
+    newUser.username = `${oauthType}_${userInfo.nickName}_${simpleNanoId(6)}`;
+    newUser.avatar = userInfo.avatar;
+    newUser.nickName = userInfo.nickName || simpleNanoId(6);
+
+    newUser = await this.userService.register("username", newUser, async (txManager) => {
+      const oauthBound: OauthBoundEntity = new OauthBoundEntity()
+      oauthBound.userId = newUser.id;
+      oauthBound.type = oauthType;
+      oauthBound.openId = userInfo.openId;
+      await txManager.save(oauthBound);
+    });
+
+    const loginRes = await this.loginService.generateToken(newUser);
+    return this.ok(loginRes);
+  }
+
+
+  @Post('/bind', { summary: Constants.per.loginOnly })
+  public async bind(@Body(ALL) body: any) {
+    //需要已登录
+    const userId = this.getUserId();
+    const validationValue = this.codeService.getValidationValue(body.validationCode);
+    if (!validationValue) {
+      throw new Error("校验码错误");
+    }
+    const type = validationValue.type;
+    const userInfo = validationValue.userInfo;
+    const openId = userInfo.openId;
+    await this.oauthBoundService.bind({
+      userId,
+      type,
+      openId,
+    });
+    return this.ok(1);
+  }
+
+  @Post('/unbind', { summary: Constants.per.loginOnly })
+  public async unbind(@Body(ALL) body: any) {
+    //需要已登录
+    const userId = this.getUserId();
+    await this.oauthBoundService.unbind({
+      userId,
+      type: body.type,
+    });
+    return this.ok(1);
+  }
+
+   @Post('/bounds', { summary: Constants.per.loginOnly })
+  public async bounds(@Body(ALL) body: any) {
+    //需要已登录
+    const userId = this.getUserId();
+    const bounds = await this.oauthBoundService.find({
+      where :{
+        userId,
+      }
+    });
+    return this.ok(bounds);
+  }
+
+  @Post('/providers', { summary: Constants.per.guest })
+  public async providers() {
+    const list = addonRegistry.getDefineList("oauth");
+    return this.ok(list);
+  }
+
+}
@@ -1,30 +0,0 @@
-import { BaseController, Constants } from "@certd/lib-server";
-import { ALL, Body, Controller, Get, Post, Provide, Query } from "@midwayjs/core";
-
-/**
- */
-@Provide()
-@Controller('/api/connect')
-export class LoginController extends BaseController {
-
-
-  @Get('/login', { summary: Constants.per.guest })
-  public async login(@Query(ALL) body: any) {
-    //构造登录url
-    return this.ok(1);
-  }
-  @Get('/callback', { summary: Constants.per.guest })
-  public async callback(@Query(ALL) body: any) {
-    //处理登录回调
-    return this.ok(1);
-  }
-
-  @Post('/bind', { summary: Constants.per.guest })
-  public async bind(@Body(ALL) body: any) {
-    const autoRegister = body.autoRegister || false;
-    const bindInfo = body.bind || {};
-    //处理登录回调
-    return this.ok(1);
-  }
-  
-}
@@ -1,5 +1,6 @@
 import { ALL, Body, Controller, Inject, Post, Provide, Query } from "@midwayjs/core";
 import {
+  addonRegistry,
  CrudController,
  SysPrivateSettings,
  SysPublicSettings,
@@ -199,4 +200,10 @@ export class SysSettingsController extends CrudController<SysSettingsService> {
    await this.codeService.checkCaptcha(body)
    return this.ok({});
  }
+
+  @Post('/oauth/providers', { summary: 'sys:settings:view' })
+  async oauthProviders() {
+    const list = await addonRegistry.getDefineList("oauth");
+    return this.ok(list);
+  }
 }
@@ -1,5 +1,5 @@
 import { Inject, Provide, Scope, ScopeEnum } from '@midwayjs/core';
-import { cache, isDev, randomNumber } from '@certd/basic';
+import { cache, isDev, randomNumber, simpleNanoId } from '@certd/basic';
 import { SysSettingsService, SysSiteInfo } from '@certd/lib-server';
 import { SmsServiceFactory } from '../sms/factory.js';
 import { ISmsService } from '../sms/api.js';
@@ -188,4 +188,20 @@ export class CodeService {
    `
    );
  }
+
+
+  buildValidationValueKey(code:string) {
+    return `validationValue:${code}`;
+  }
+  setValidationValue(value:any) {
+    const randomCode = simpleNanoId(12);
+    const key = this.buildValidationValueKey(randomCode);
+    cache.set(key, value, {
+      ttl: 5 * 60 * 1000, //5分钟
+    });
+    return randomCode;
+  }
+  getValidationValue(code:string) {
+    return cache.get(this.buildValidationValueKey(code));
+  }
 }
@@ -0,0 +1,22 @@
+import { Column, Entity, PrimaryGeneratedColumn } from 'typeorm';
+
+@Entity('cd_oauth_bound')
+export class OauthBoundEntity {
+  @PrimaryGeneratedColumn()
+  id: number;
+
+  @Column({ name: 'user_id', comment: '用户id' })
+  userId: number;
+
+  @Column({ name: 'type', comment: '第三方类型' })
+  type: string; // oidc, wechat, github, gitee , qq , alipay
+
+  @Column({ name: 'open_id', comment: '第三方openid' })
+  openId: string;
+
+  @Column({ name: 'create_time',comment: '创建时间', default: () => 'CURRENT_TIMESTAMP',})
+  createTime: Date;
+
+  @Column({ name: 'update_time',  comment: '修改时间',default: () => 'CURRENT_TIMESTAMP',})
+  updateTime: Date;
+}
@@ -17,9 +17,9 @@ import { TwoFactorService } from "../../mine/service/two-factor-service.js";
 import { UserSettingsService } from "../../mine/service/user-settings-service.js";
 import { isPlus } from "@certd/plus-core";
 import { AddonService } from "@certd/lib-server";
+import { OauthBoundService } from "./oauth-bound-service.js";

 /**
- * 系统用户
 */
@Provide()
@Scope(ScopeEnum.Request, {allowDowngrade: true})
@@ -42,6 +42,8 @@ export class LoginService {
  twoFactorService: TwoFactorService;
  @Inject()
  addonService: AddonService;
+  @Inject()
+  oauthBoundService: OauthBoundService;

  checkIsBlocked(username: string) {
    const blockDurationKey = `login_block_duration:${username}`;
@@ -204,6 +206,10 @@ export class LoginService {
   * @param roleIds
   */
  async generateToken(user: UserEntity) {
+    if (user.status === 0) {
+      throw new CommonException('用户已被禁用');
+    }
+
    const roleIds = await this.roleService.getRoleIdsByUserId(user.id);
    const tokenInfo = {
      username: user.username,
@@ -224,4 +230,20 @@ export class LoginService {
      expire,
    };
  }
+
+
+  async loginByOpenId(req: { openId: string, type:string }) {
+    const {openId, type} = req;
+    const oauthBound = await this.oauthBoundService.findOne({
+      where:{openId, type}
+    });
+    if (oauthBound == null) {
+      return null
+    }
+    const info = await this.userService.findOne({id: oauthBound.userId});
+    if (info == null) {
+      throw new CommonException('用户不存在');
+    }
+    return this.generateToken(info);
+  }
 }
@@ -0,0 +1,77 @@
+import { BaseService, SysSettingsService } from "@certd/lib-server";
+import { Inject, Provide, Scope, ScopeEnum } from "@midwayjs/core";
+import { InjectEntityModel } from "@midwayjs/typeorm";
+import { Repository } from "typeorm";
+import { OauthBoundEntity } from "../entity/oauth-bound.js";
+
+
+@Provide()
+@Scope(ScopeEnum.Request, { allowDowngrade: true })
+export class OauthBoundService extends BaseService<OauthBoundEntity> {
+ 
+  @InjectEntityModel(OauthBoundEntity)
+  repository: Repository<OauthBoundEntity>;
+
+  @Inject()
+  sysSettingsService: SysSettingsService;
+
+
+  //@ts-ignore
+  getRepository() {
+    return this.repository;
+  }
+
+  async unbind(req: { userId: any; type: any; }) {
+    const { userId, type } = req;
+    if (!userId || !type) {
+      throw new Error('参数错误');
+    }
+
+    await this.repository.delete({
+      userId,
+      type,
+    });
+  }
+
+ async bind(req: { userId: any; type: any; openId: any; }) {
+    const { userId, type, openId } = req;
+    if (!userId || !type || !openId) {
+      throw new Error('参数错误');
+    }
+    const exist = await this.repository.findOne({
+      where: {
+        openId,
+        type,
+      },
+    });
+    if (exist ) {
+      if(exist.userId === userId){
+        return;
+      }
+      throw new Error('该第三方账号已绑定其他用户');
+    }
+
+    const exist2 = await this.repository.findOne({
+      where: {
+        userId,
+        type,
+      },
+    });
+    if (exist2) {
+      //覆盖绑定
+      exist2.openId = openId;
+      await this.update({
+        id: exist2.id,
+        openId,
+      });
+      return;
+    } 
+    //新增
+    await this.add({
+      userId,
+      type,
+      openId,
+    });
+  }
+
+}
@@ -0,0 +1,20 @@
+import { SysSettingsService, SysInstallInfo } from "@certd/lib-server";
+import { Inject, Provide, Scope, ScopeEnum } from "@midwayjs/core";
+import { SiteInfo ,ISiteInfoGetter} from "@certd/plugin-lib";
+
+@Provide("siteInfoGetter")
+@Scope(ScopeEnum.Request, { allowDowngrade: true })
+export class SiteInfoGetter implements ISiteInfoGetter{
+    @Inject()
+    sysSettingsService: SysSettingsService;
+
+
+    async getSiteInfo(): Promise<SiteInfo> {
+
+        const installInfo = await this.sysSettingsService.getSetting<SysInstallInfo>(SysInstallInfo);
+
+        return {
+            siteUrl: installInfo?.bindUrl || "",
+        }
+    }
+}
@@ -1,6 +1,6 @@
 import { Inject, Provide, Scope, ScopeEnum } from '@midwayjs/core';
 import { InjectEntityModel } from '@midwayjs/typeorm';
-import {In, MoreThan, Not, Repository} from 'typeorm';
+import {EntityManager, In, MoreThan, Not, Repository} from 'typeorm';
 import { UserEntity } from '../entity/user.js';
 import * as _ from 'lodash-es';
 import { BaseService, CommonException, Constants, FileService, SysInstallInfo, SysSettingsService } from '@certd/lib-server';
@@ -171,7 +171,7 @@ export class UserService extends BaseService<UserEntity> {
    return await this.roleService.getPermissionByRoleIds(roleIds);
  }

-  async register(type: string, user: UserEntity) {
+  async register(type: string, user: UserEntity,withTx?:(tx: EntityManager)=>Promise<void>) {
    if (!user.password) {
      user.password = simpleNanoId();
    }
@@ -225,8 +225,13 @@ export class UserService extends BaseService<UserEntity> {

    await this.transaction(async txManager => {
      newUser = await txManager.save(newUser);
+      user.id = newUser.id;
      const userRole: UserRoleEntity = UserRoleEntity.of(newUser.id, Constants.role.defaultUser);
      await txManager.save(userRole);
+
+      if(withTx) {
+        await withTx(txManager);
+      }
    });

    delete newUser.password;
@@ -38,3 +38,4 @@ export * from './plugin-godaddy/index.js'
 export * from './plugin-captcha/index.js'
 export * from './plugin-xinnet/index.js'
 export * from './plugin-xinnetconnet/index.js'
+export * from './plugin-oauth/index.js'
@@ -99,27 +99,39 @@ export class AliyunDeployCertToALB extends AbstractTaskPlugin {


  @TaskInput({
-      title: "部署证书类型",
-      value: "default",
-      component: {
-        name: "a-select",
-        vModel: "value",
-        options: [
-          {
-            label: "默认证书",
-            value: "default"
-          },
-          {
-            label: "扩展证书",
-            value: "extension"
-          }
-        ]
-      },
-      required: true
-    }
+    title: "部署证书类型",
+    value: "default",
+    component: {
+      name: "a-select",
+      vModel: "value",
+      options: [
+        {
+          label: "默认证书",
+          value: "default"
+        },
+        {
+          label: "扩展证书",
+          value: "extension"
+        }
+      ]
+    },
+    required: true
+  }
  )
  deployType: string = "default";

+  @TaskInput({
+    title: "是否清理过期证书",
+    value: true,
+    component: {
+      name: "a-switch",
+      vModel: "checked",
+    },
+    required: true
+  }
+  )
+  clearExpiredCert: boolean;
+

  async onInstance() {
  }
@@ -155,17 +167,18 @@ export class AliyunDeployCertToALB extends AbstractTaskPlugin {
      const client = await this.getLBClient(access, this.regionId);
      await this.deployDefaultCert(certId, client);
    }
-    this.logger.info(`准备开始清理过期证书`);
-    await this.ctx.utils.sleep(30000)
-    for (const listener of this.listeners) {
-      try{
-        await this.clearInvalidCert(albClientV2, listener);
-      }catch(e){
-        this.logger.error(`清理监听器${listener}的过期证书失败`, e);
+    if (this.clearExpiredCert!==false) {
+      this.logger.info(`准备开始清理过期证书`);
+      await this.ctx.utils.sleep(30000)
+      for (const listener of this.listeners) {
+        try {
+          await this.clearInvalidCert(albClientV2, listener);
+        } catch (e) {
+          this.logger.error(`清理监听器${listener}的过期证书失败`, e);
+        }
      }
    }

-
    this.logger.info("执行完成");
  }

@@ -247,7 +260,7 @@ export class AliyunDeployCertToALB extends AbstractTaskPlugin {
      if (item.IsDefault) {
        continue;
      }
-      certIds.push( parseInt(item.CertificateId));
+      certIds.push(parseInt(item.CertificateId));
    }
    this.logger.info(`监听器${listener}绑定的证书${certIds}`);
    //检查是否过期，过期则删除
@@ -90,6 +90,35 @@ export class AliyunDeployCertToWaf extends AbstractTaskPlugin {
  )
  cnameDomains!: string[];

+
+  @TaskInput({
+    title: 'TLS版本',
+    value: 'TLSv1.2',
+    component: {
+      name: 'a-select',
+      options: [
+        { value: 'TLSv1', label: 'TLSv1' },
+        { value: 'TLSv1.1', label: 'TLSv1.1' },
+        { value: 'TLSv1.2', label: 'TLSv1.2' },
+      ],
+    },
+    required: true,
+  })
+  tlsVersion!: string;
+
+    @TaskInput({
+    title: '启用TLSv3',
+    value: true,
+    component: {
+      name: 'a-switch',
+      vModel: 'checked',
+    },
+    required: true,
+  })
+  enableTLSv3!: boolean;
+
+
+
  async onInstance() {}

  async getWafClient(access: AliyunAccess) {
@@ -163,6 +192,8 @@ export class AliyunDeployCertToWaf extends AbstractTaskPlugin {
        Redirect: JSON.stringify(redirect),
        Listen: JSON.stringify(listen),
        Domain: siteDomain,
+        TLSVersion: this.tlsVersion || 'TLSv1.2',
+        EnableTLSv3: this.enableTLSv3 ?? true,
      };
      const res = await client.request('ModifyDomain', updateParams);
      this.logger.info('部署成功', JSON.stringify(res));
@@ -24,10 +24,10 @@ const regionDict = [

@IsTaskPlugin({
  name: 'uploadCertToAliyun',
-  title: '阿里云-上传证书到阿里云CAS',
+  title: '阿里云-上传证书到CAS',
  icon: 'svg:icon-aliyun',
  group: pluginGroups.aliyun.key,
-  desc: '上传证书到阿里云数字证书管理服务（CAS），注意：不会部署到任何应用上；如果不想在阿里云上同一份证书上传多次，可以把此任务作为前置任务，其他阿里云任务证书那一项选择此任务的输出',
+  desc: '上传证书到阿里云证书管理服务（CAS），如果不想在阿里云上同一份证书上传多次，可以把此任务作为前置任务，其他阿里云任务证书那一项选择此任务的输出',
  default: {
    strategy: {
      runStrategy: RunStrategy.SkipWhenSucceed,
@@ -1,14 +1,24 @@
-export interface OauthProvider {
-  buildLoginUrl: (params: { redirectUri: string }) => string;
-  handleCallback: (params: { code: string; redirectUri: string }) => Promise<{
-    accessToken: string;
-    refreshToken: string;
-    expiresIn: number;
-    idToken: string;
-    scope: string;
-    tokenType: string;
-  }>;
-  bind: (params: {
+export type OnCallbackReq = {
+    code: string;
+    state: string;
+    currentURL: URL;
+    ticketValue: any;
+}
+
+export type OauthToken = {
+    userInfo: {
+        openId: string;
+        nickName: string;
+        avatar: string;
+    },
+    token: {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    }
+}
+
+export type OnBindReq = {
    accessToken: string;
    refreshToken: string;
    expiresIn: number;
@@ -16,9 +26,18 @@ export interface OauthProvider {
    scope: string;
    tokenType: string;
    bindInfo: any;
-  }) => Promise<{
+}
+export type OnBindReply = {
    success: boolean;
    message: string;
-  }>;
-  
+}
+
+export type LoginUrlReply = {
+    loginUrl: string;
+    ticketValue: any;
+}
+
+export interface IOauthProvider {
+    buildLoginUrl: (params: { redirectUri: string, forType?: string }) => Promise<LoginUrlReply>;
+    onCallback: (params: OnCallbackReq) => Promise<OauthToken>;
 }
@@ -0,0 +1,2 @@
+export * from './api.js'
+export * from './oidc/plugin-oidc.js'
@@ -0,0 +1,132 @@
+import { AddonInput, BaseAddon, IsAddon } from "@certd/lib-server";
+import { IOauthProvider, OnCallbackReq } from "../api.js";
+
+@IsAddon({
+  addonType: "oauth",
+  name: 'oidc',
+  title: 'OIDC认证',
+  desc: 'OpenID Connect 认证，统一认证服务',
+  icon:"simple-icons:fusionauth",
+  showTest: false,
+})
+export class OidcOauthProvider extends BaseAddon implements IOauthProvider {
+
+  @AddonInput({
+    title: "ClientId",
+    helper: "ClientId / appId",
+    required: true,
+  })
+  clientId = "";
+
+  @AddonInput({
+    title: "ClientSecretKey",
+    component: {
+      placeholder: "ClientSecretKey / appSecretKey",
+    },
+    required: true,
+  })
+  clientSecretKey = "";
+
+  @AddonInput({
+    title: "服务地址",
+    helper: "Issuer地址，去掉/.well-known/openid-configuration的服务发现地址",
+    component: {
+      placeholder: "https://oidc.example.com/oidc",
+    },
+    required: true,
+  })
+  issuerUrl = "";
+
+
+  async getClient() {
+    const client = await import('openid-client')
+    let server = new URL(this.issuerUrl)// Authorization Server's Issuer Identifier
+
+    let config = await client.discovery(
+      server,
+      this.clientId,
+      this.clientSecretKey,
+    )
+
+    // console.log(config.serverMetadata())
+
+    return {
+      config,
+      client
+    }
+  }
+  
+  async buildLoginUrl(params: { redirectUri: string, forType?: string }) {
+    const { config, client } = await this.getClient()
+
+    let redirect_uri = new URL(params.redirectUri)
+    let scope = 'openid profile' // Scope of the access request
+    /**
+     * PKCE: The following MUST be generated for every redirect to the
+     * authorization_endpoint. You must store the code_verifier and state in the
+     * end-user session such that it can be recovered as the user gets redirected
+     * from the authorization server back to your application.
+     */
+    let code_verifier = client.randomPKCECodeVerifier()
+    let code_challenge = await client.calculatePKCECodeChallenge(code_verifier)
+    let state:any = {
+      forType: params.forType || 'login',
+    }
+    state = this.ctx.utils.hash.base64(JSON.stringify(state))
+
+    let parameters: any = {
+      redirect_uri,
+      scope,
+      code_challenge,
+      code_challenge_method: 'S256',
+      state,
+    }
+
+    // if (!config.serverMetadata().supportsPKCE()) {
+    //     /**
+    //      * We cannot be sure the server supports PKCE so we're going to use state too.
+    //      * Use of PKCE is backwards compatible even if the AS doesn't support it which
+    //      * is why we're using it regardless. Like PKCE, random state must be generated
+    //      * for every redirect to the authorization_endpoint.
+    //      */
+    //     parameters.state = client.randomState()
+    // }
+
+    let redirectTo = client.buildAuthorizationUrl(config, parameters)
+    return {
+      loginUrl: redirectTo.href,
+      ticketValue: {
+        codeVerifier: code_verifier,
+        state,
+      },
+    };
+  }
+
+  async onCallback(req: OnCallbackReq) {
+    const { config, client } = await this.getClient()
+
+    
+    let tokens: any = await client.authorizationCodeGrant(
+      config,
+      req.currentURL,
+      {
+        expectedState: client.skipStateCheck ,
+        pkceCodeVerifier: req.ticketValue.codeVerifier,
+      }
+    )
+
+    const claims = tokens.claims()
+    return {
+      token:{
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        expiresIn: tokens.expires_in,
+      },
+      userInfo: {
+        openId: claims.sub,
+        nickName: claims.nickname || claims.preferred_username || "",
+        avatar: claims.picture,
+      },
+    }
+  };
+}
@@ -124,6 +124,9 @@ export class TencentRefreshCert extends AbstractTaskPlugin {

    let resourceTypes = []
    const resourceTypesRegions = []
+    if(!this.resourceTypesRegions){
+      this.resourceTypesRegions = []
+    }
    for (const item of this.resourceTypesRegions) {
      const [type,region] = item.split("_")
      if (!resourceTypes.includes( type)){
@@ -156,13 +159,17 @@ export class TencentRefreshCert extends AbstractTaskPlugin {
          break;
        }
        retryCount++
-        deployRes = await sslClient.UploadUpdateCertificateInstance({
-          OldCertificateId: certId,
+        const params = {
+          "OldCertificateId": certId,
          "ResourceTypes": resourceTypes,
-          "CertificatePublicKey": this.cert.crt,
-          "CertificatePrivateKey": this.cert.key,
+          "CertificatePublicKey": "xxx",
+          "CertificatePrivateKey": "xxx",
          "ResourceTypesRegions":resourceTypesRegions
-        });
+        }
+        this.logger.info(`请求参数：${JSON.stringify(params)}`);
+        params.CertificatePublicKey = this.cert.crt
+        params.CertificatePrivateKey = this.cert.key
+        deployRes = await sslClient.UploadUpdateCertificateInstance(params);
        if (deployRes && deployRes.DeployRecordId>0){
          this.logger.info(`任务创建成功，开始检查结果：${JSON.stringify(deployRes)}`);
          break;
@@ -325,7 +332,7 @@ export class TencentRefreshCert extends AbstractTaskPlugin {
     */
    const options = list.map((item: any) => {
      return {
-        label: `${item.Alias}<${item.Domain}_${item.CertificateId}>`,
+        label: `${item.CertificateId}<${item.Domain}_${item.Alias}_${item.BoundResource.length}>`,
        value: item.CertificateId,
        domain: item.SubjectAltName,
      };
Author	SHA1	Message	Date
xiaojunnuo	9acac86ed5	v1.37.11	2025-11-29 04:15:57 +08:00
xiaojunnuo	ba5007219d	build: prepare to build	2025-11-29 04:13:44 +08:00
xiaojunnuo	ec046fd599	build: prepare to build	2025-11-29 04:10:55 +08:00
xiaojunnuo	5452ff1153	build: prepare to build	2025-11-29 04:08:56 +08:00
xiaojunnuo	d03b1e0608	chore: 数据库脚本同步	2025-11-29 04:06:51 +08:00
xiaojunnuo	53c88ad5af	perf: 优化天翼云cdn 等待5秒部署完成	2025-11-29 03:25:21 +08:00
xiaojunnuo	21585ca565	chore: 优化oidc登录	2025-11-28 01:42:42 +08:00
xiaojunnuo	2fabee647a	fix: 修复阿里云 waf tlsVersion参数缺失导致部署失败的问题	2025-11-27 22:36:33 +08:00
xiaojunnuo	cf4632045c	Merge branch 'v2-dev' of https://github.com/certd/certd into v2-dev	2025-11-27 01:59:28 +08:00
xiaojunnuo	ec75afbc44	perf: 支持oidc单点登录	2025-11-27 01:59:22 +08:00
xiaojunnuo	c7b298c46f	fix: 修复备注撑开表格行高的bug https://github.com/certd/certd/issues/586	2025-11-26 23:38:34 +08:00
xiaojunnuo	3406bb5a4a	fix: 修复域名管理无法创建tencent-eo dns授权的bug https://github.com/certd/certd/issues/587	2025-11-26 23:36:34 +08:00
xiaojunnuo	e9427b4694	chore: oauth-second	2025-11-26 23:25:51 +08:00
@@ -1 +1 @@
 :49
 :13