LibreChat/packages/api/src/auth/openid.ts

import { logger } from '@librechat/data-schemas';
import { ErrorTypes } from 'librechat-data-provider';
import type { IUser, UserMethods } from '@librechat/data-schemas';

/**
 * Finds or migrates a user for OpenID authentication
 * @returns user object (with migration fields if needed), error message, and whether migration is needed
 */
export async function findOpenIDUser({
  openidId,
  findUser,
  email,
  idOnTheSource,
  strategyName = 'openid',
}: {
  openidId: string;
  findUser: UserMethods['findUser'];
  email?: string;
  idOnTheSource?: string;
  strategyName?: string;
}): Promise<{ user: IUser | null; error: string | null; migration: boolean }> {
  const primaryConditions = [];

  if (openidId && typeof openidId === 'string') {
    primaryConditions.push({ openidId });
  }

  if (idOnTheSource && typeof idOnTheSource === 'string') {
    primaryConditions.push({ idOnTheSource });
  }

  let user = null;
  if (primaryConditions.length > 0) {
    user = await findUser({ $or: primaryConditions });
  }
  if (!user && email) {
    user = await findUser({ email });
    logger.warn(
      `[${strategyName}] user ${user ? 'found' : 'not found'} with email: ${email} for openidId: ${openidId}`,
    );

    // If user found by email, check if they're allowed to use OpenID provider
    if (user && user.provider && user.provider !== 'openid') {
      logger.warn(
        `[${strategyName}] Attempted OpenID login by user ${user.email}, was registered with "${user.provider}" provider`,
      );
      return { user: null, error: ErrorTypes.AUTH_FAILED, migration: false };
    }

    // If user found by email but doesn't have openidId, prepare for migration
    if (user && !user.openidId) {
      logger.info(
        `[${strategyName}] Preparing user ${user.email} for migration to OpenID with sub: ${openidId}`,
      );
      user.provider = 'openid';
      user.openidId = openidId;
      return { user, error: null, migration: true };
    }
  }

  return { user, error: null, migration: false };
}
📧 fix: Missing Email fallback in `openIdJwtLogin` (#9311) * 📧 fix: Missing Email fallback in `openIdJwtLogin` * chore: Add auth module export to index 2025-08-27 12:59:40 -04:00			`import { logger } from '@librechat/data-schemas';`
🆔 fix: Prioritize Immutable Sub Claim for OIDC User ID (#9788) * add use of immutable claims to identify user object * fix semicolons * update email attribute on change * replace ternary expressions * fix semicolon * chore: add typing * chore: reorder fields in `findOpenIDUser` * refactor: optimize user lookup logic in `findOpenIDUser` function to minimize database roundtrips * refactor: integrate findOpenIDUser for improved user retrieval in refreshController * refactor: improve error logging for invalid refresh tokens in refreshController * ci: mock findUser correctly in openidStrategy tests * test: add unit tests for findOpenIDUser function to enhance user retrieval logic --------- Co-authored-by: Joachim Keltsch <joachim.keltsch@daimlertruck.com> 2025-09-23 14:46:53 -04:00			`import { ErrorTypes } from 'librechat-data-provider';`
📧 fix: Missing Email fallback in `openIdJwtLogin` (#9311) * 📧 fix: Missing Email fallback in `openIdJwtLogin` * chore: Add auth module export to index 2025-08-27 12:59:40 -04:00			`import type { IUser, UserMethods } from '@librechat/data-schemas';`

			`/**`
			`* Finds or migrates a user for OpenID authentication`
			`* @returns user object (with migration fields if needed), error message, and whether migration is needed`
			`*/`
			`export async function findOpenIDUser({`
			`openidId,`
			`findUser,`
🆔 fix: Prioritize Immutable Sub Claim for OIDC User ID (#9788) * add use of immutable claims to identify user object * fix semicolons * update email attribute on change * replace ternary expressions * fix semicolon * chore: add typing * chore: reorder fields in `findOpenIDUser` * refactor: optimize user lookup logic in `findOpenIDUser` function to minimize database roundtrips * refactor: integrate findOpenIDUser for improved user retrieval in refreshController * refactor: improve error logging for invalid refresh tokens in refreshController * ci: mock findUser correctly in openidStrategy tests * test: add unit tests for findOpenIDUser function to enhance user retrieval logic --------- Co-authored-by: Joachim Keltsch <joachim.keltsch@daimlertruck.com> 2025-09-23 14:46:53 -04:00			`email,`
			`idOnTheSource,`
📧 fix: Missing Email fallback in `openIdJwtLogin` (#9311) * 📧 fix: Missing Email fallback in `openIdJwtLogin` * chore: Add auth module export to index 2025-08-27 12:59:40 -04:00			`strategyName = 'openid',`
			`}: {`
			`openidId: string;`
			`findUser: UserMethods['findUser'];`
			`email?: string;`
🆔 fix: Prioritize Immutable Sub Claim for OIDC User ID (#9788) * add use of immutable claims to identify user object * fix semicolons * update email attribute on change * replace ternary expressions * fix semicolon * chore: add typing * chore: reorder fields in `findOpenIDUser` * refactor: optimize user lookup logic in `findOpenIDUser` function to minimize database roundtrips * refactor: integrate findOpenIDUser for improved user retrieval in refreshController * refactor: improve error logging for invalid refresh tokens in refreshController * ci: mock findUser correctly in openidStrategy tests * test: add unit tests for findOpenIDUser function to enhance user retrieval logic --------- Co-authored-by: Joachim Keltsch <joachim.keltsch@daimlertruck.com> 2025-09-23 14:46:53 -04:00			`idOnTheSource?: string;`
📧 fix: Missing Email fallback in `openIdJwtLogin` (#9311) * 📧 fix: Missing Email fallback in `openIdJwtLogin` * chore: Add auth module export to index 2025-08-27 12:59:40 -04:00			`strategyName?: string;`
			`}): Promise<{ user: IUser \| null; error: string \| null; migration: boolean }> {`
🆔 fix: Prioritize Immutable Sub Claim for OIDC User ID (#9788) * add use of immutable claims to identify user object * fix semicolons * update email attribute on change * replace ternary expressions * fix semicolon * chore: add typing * chore: reorder fields in `findOpenIDUser` * refactor: optimize user lookup logic in `findOpenIDUser` function to minimize database roundtrips * refactor: integrate findOpenIDUser for improved user retrieval in refreshController * refactor: improve error logging for invalid refresh tokens in refreshController * ci: mock findUser correctly in openidStrategy tests * test: add unit tests for findOpenIDUser function to enhance user retrieval logic --------- Co-authored-by: Joachim Keltsch <joachim.keltsch@daimlertruck.com> 2025-09-23 14:46:53 -04:00			`const primaryConditions = [];`

			`if (openidId && typeof openidId === 'string') {`
			`primaryConditions.push({ openidId });`
			`}`

			`if (idOnTheSource && typeof idOnTheSource === 'string') {`
			`primaryConditions.push({ idOnTheSource });`
			`}`

			`let user = null;`
			`if (primaryConditions.length > 0) {`
			`user = await findUser({ $or: primaryConditions });`
			`}`
📧 fix: Missing Email fallback in `openIdJwtLogin` (#9311) * 📧 fix: Missing Email fallback in `openIdJwtLogin` * chore: Add auth module export to index 2025-08-27 12:59:40 -04:00			`if (!user && email) {`
			`user = await findUser({ email });`
			`logger.warn(`
			`[${strategyName}] user ${user ? 'found' : 'not found'} with email: ${email} for openidId: ${openidId}`,
			`);`

			`// If user found by email, check if they're allowed to use OpenID provider`
			`if (user && user.provider && user.provider !== 'openid') {`
			`logger.warn(`
			`[${strategyName}] Attempted OpenID login by user ${user.email}, was registered with "${user.provider}" provider`,
			`);`
🆔 fix: Prioritize Immutable Sub Claim for OIDC User ID (#9788) * add use of immutable claims to identify user object * fix semicolons * update email attribute on change * replace ternary expressions * fix semicolon * chore: add typing * chore: reorder fields in `findOpenIDUser` * refactor: optimize user lookup logic in `findOpenIDUser` function to minimize database roundtrips * refactor: integrate findOpenIDUser for improved user retrieval in refreshController * refactor: improve error logging for invalid refresh tokens in refreshController * ci: mock findUser correctly in openidStrategy tests * test: add unit tests for findOpenIDUser function to enhance user retrieval logic --------- Co-authored-by: Joachim Keltsch <joachim.keltsch@daimlertruck.com> 2025-09-23 14:46:53 -04:00			`return { user: null, error: ErrorTypes.AUTH_FAILED, migration: false };`
📧 fix: Missing Email fallback in `openIdJwtLogin` (#9311) * 📧 fix: Missing Email fallback in `openIdJwtLogin` * chore: Add auth module export to index 2025-08-27 12:59:40 -04:00			`}`

			`// If user found by email but doesn't have openidId, prepare for migration`
			`if (user && !user.openidId) {`
			`logger.info(`
			`[${strategyName}] Preparing user ${user.email} for migration to OpenID with sub: ${openidId}`,
			`);`
			`user.provider = 'openid';`
			`user.openidId = openidId;`
			`return { user, error: null, migration: true };`
			`}`
			`}`

			`return { user, error: null, migration: false };`
			`}`