LibreChat/api/server/controllers/auth/oauth.js

const { CacheKeys } = require('librechat-data-provider');
const { logger, DEFAULT_SESSION_EXPIRY } = require('@librechat/data-schemas');
const {
  isEnabled,
  getAdminPanelUrl,
  isAdminPanelRedirect,
  generateAdminExchangeCode,
} = require('@librechat/api');
const { syncUserEntraGroupMemberships } = require('~/server/services/PermissionService');
const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
const getLogStores = require('~/cache/getLogStores');
const { checkBan } = require('~/server/middleware');
const { generateToken } = require('~/models');

const domains = {
  client: process.env.DOMAIN_CLIENT,
  server: process.env.DOMAIN_SERVER,
};

function createOAuthHandler(redirectUri = domains.client) {
  /**
   * A handler to process OAuth authentication results.
   * @type {Function}
   * @param {ServerRequest} req - Express request object.
   * @param {ServerResponse} res - Express response object.
   * @param {NextFunction} next - Express next middleware function.
   */
  return async (req, res, next) => {
    try {
      if (res.headersSent) {
        return;
      }

      await checkBan(req, res);
      if (req.banned) {
        return;
      }

      /** Check if this is an admin panel redirect (cross-origin) */
      if (isAdminPanelRedirect(redirectUri, getAdminPanelUrl(), domains.client)) {
        /** For admin panel, generate exchange code instead of setting cookies */
        const cache = getLogStores(CacheKeys.ADMIN_OAUTH_EXCHANGE);
        const sessionExpiry = Number(process.env.SESSION_EXPIRY) || DEFAULT_SESSION_EXPIRY;
        const token = await generateToken(req.user, sessionExpiry);

        /** Get refresh token from tokenset for OpenID users */
        const refreshToken =
          req.user.tokenset?.refresh_token || req.user.federatedTokens?.refresh_token;

        const exchangeCode = await generateAdminExchangeCode(cache, req.user, token, refreshToken);

        const callbackUrl = new URL(redirectUri);
        callbackUrl.searchParams.set('code', exchangeCode);
        logger.info(`[OAuth] Admin panel redirect with exchange code for user: ${req.user.email}`);
        return res.redirect(callbackUrl.toString());
      }

      /** Standard OAuth flow - set cookies and redirect */
      if (
        req.user &&
        req.user.provider == 'openid' &&
        isEnabled(process.env.OPENID_REUSE_TOKENS) === true
      ) {
        await syncUserEntraGroupMemberships(req.user, req.user.tokenset.access_token);
        setOpenIDAuthTokens(req.user.tokenset, req, res, req.user._id.toString());
      } else {
        await setAuthTokens(req.user._id, res);
      }
      res.redirect(redirectUri);
    } catch (err) {
      logger.error('Error in setting authentication tokens:', err);
      next(err);
    }
  };
}

module.exports = {
  createOAuthHandler,
};
🔐 feat: Admin Auth. Routes with Secure Cross-Origin Token Exchange (#11297) * feat: implement admin authentication with OpenID & Local Auth proxy support * feat: implement admin OAuth exchange flow with caching support - Added caching for admin OAuth exchange codes with a short TTL. - Introduced new endpoints for generating and exchanging admin OAuth codes. - Updated relevant controllers and routes to handle admin panel redirects and token exchanges. - Enhanced logging for better traceability of OAuth operations. * refactor: enhance OpenID strategy mock to support multiple verify callbacks - Updated the OpenID strategy mock to store and retrieve verify callbacks by strategy name. - Improved backward compatibility by maintaining a method to get the last registered callback. - Adjusted tests to utilize the new callback retrieval methods, ensuring clarity in the verification process for the 'openid' strategy. * refactor: reorder import statements for better organization * refactor: admin OAuth flow with improved URL handling and validation - Added a utility function to retrieve the admin panel URL, defaulting to a local development URL if not set in the environment. - Updated the OAuth exchange endpoint to include validation for the authorization code format. - Refactored the admin panel redirect logic to handle URL parsing more robustly, ensuring accurate origin comparisons. - Removed redundant local URL definitions from the codebase for better maintainability. * refactor: remove deprecated requireAdmin middleware and migrate to TypeScript - Deleted the old requireAdmin middleware file and its references in the middleware index. - Introduced a new TypeScript version of the requireAdmin middleware with enhanced error handling and logging. - Updated routes to utilize the new requireAdmin middleware, ensuring consistent access control for admin routes. * feat: add requireAdmin middleware for admin role verification - Introduced requireAdmin middleware to enforce admin role checks for authenticated users. - Implemented comprehensive error handling and logging for unauthorized access attempts. - Added unit tests to validate middleware functionality and ensure proper behavior for different user roles. - Updated middleware index to include the new requireAdmin export. 2026-01-11 14:46:23 -05:00			`const { CacheKeys } = require('librechat-data-provider');`
			`const { logger, DEFAULT_SESSION_EXPIRY } = require('@librechat/data-schemas');`
			`const {`
			`isEnabled,`
			`getAdminPanelUrl,`
			`isAdminPanelRedirect,`
			`generateAdminExchangeCode,`
			`} = require('@librechat/api');`
			`const { syncUserEntraGroupMemberships } = require('~/server/services/PermissionService');`
			`const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');`
			`const getLogStores = require('~/cache/getLogStores');`
			`const { checkBan } = require('~/server/middleware');`
			`const { generateToken } = require('~/models');`

			`const domains = {`
			`client: process.env.DOMAIN_CLIENT,`
			`server: process.env.DOMAIN_SERVER,`
			`};`

			`function createOAuthHandler(redirectUri = domains.client) {`
			`/**`
			`* A handler to process OAuth authentication results.`
			`* @type {Function}`
			`* @param {ServerRequest} req - Express request object.`
			`* @param {ServerResponse} res - Express response object.`
			`* @param {NextFunction} next - Express next middleware function.`
			`*/`
			`return async (req, res, next) => {`
			`try {`
			`if (res.headersSent) {`
			`return;`
			`}`

			`await checkBan(req, res);`
			`if (req.banned) {`
			`return;`
			`}`

			`/** Check if this is an admin panel redirect (cross-origin) */`
			`if (isAdminPanelRedirect(redirectUri, getAdminPanelUrl(), domains.client)) {`
			`/** For admin panel, generate exchange code instead of setting cookies */`
			`const cache = getLogStores(CacheKeys.ADMIN_OAUTH_EXCHANGE);`
			`const sessionExpiry = Number(process.env.SESSION_EXPIRY) \|\| DEFAULT_SESSION_EXPIRY;`
			`const token = await generateToken(req.user, sessionExpiry);`

			`/** Get refresh token from tokenset for OpenID users */`
			`const refreshToken =`
			`req.user.tokenset?.refresh_token \|\| req.user.federatedTokens?.refresh_token;`

			`const exchangeCode = await generateAdminExchangeCode(cache, req.user, token, refreshToken);`

			`const callbackUrl = new URL(redirectUri);`
			`callbackUrl.searchParams.set('code', exchangeCode);`
			logger.info(`[OAuth] Admin panel redirect with exchange code for user: ${req.user.email}`);
			`return res.redirect(callbackUrl.toString());`
			`}`

			`/** Standard OAuth flow - set cookies and redirect */`
			`if (`
			`req.user &&`
			`req.user.provider == 'openid' &&`
			`isEnabled(process.env.OPENID_REUSE_TOKENS) === true`
			`) {`
			`await syncUserEntraGroupMemberships(req.user, req.user.tokenset.access_token);`
			`setOpenIDAuthTokens(req.user.tokenset, req, res, req.user._id.toString());`
			`} else {`
			`await setAuthTokens(req.user._id, res);`
			`}`
			`res.redirect(redirectUri);`
			`} catch (err) {`
			`logger.error('Error in setting authentication tokens:', err);`
			`next(err);`
			`}`
			`};`
			`}`

			`module.exports = {`
			`createOAuthHandler,`
			`};`