Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-03 23:00:18 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
LibreChat/packages/data-provider/specs/request-interceptor.spec.ts

103 lines
2.9 KiB
TypeScript
Raw Normal View History

🚪 fix: Complete OIDC RP-Initiated Logout With id_token_hint and Redirect Race Fix (#12024) * fix: complete OIDC logout implementation The OIDC logout feature added in #5626 was incomplete: 1. Backend: Missing id_token_hint/client_id parameters required by the RP-Initiated Logout spec. Keycloak 18+ rejects logout without these. 2. Frontend: The logout redirect URL was passed through isSafeRedirect() which rejects all absolute URLs. The redirect was silently dropped. Backend: Add id_token_hint (preferred) or client_id (fallback) to the logout URL for OIDC spec compliance. Frontend: Use window.location.replace() for logout redirects from the backend, bypassing isSafeRedirect() which was designed for user-input validation. Fixes #5506 * fix: accept undefined in setTokenHeader to properly clear Authorization header When token is undefined, delete the Authorization header instead of setting it to "Bearer undefined". Removes the @ts-ignore workaround in AuthContext. * fix: skip axios 401 refresh when Authorization header is cleared When the Authorization header has been removed (e.g. during logout), the response interceptor now skips the token refresh flow. This prevents a successful refresh from canceling an in-progress OIDC external redirect via window.location.replace(). * fix: guard against undefined OPENID_CLIENT_ID in logout URL Prevent literal "client_id=undefined" in the OIDC end-session URL when OPENID_CLIENT_ID is not set. Log a warning when neither id_token_hint nor client_id is available. * fix: prevent race condition canceling OIDC logout redirect The logout mutation wrapper's cleanup (clearStates, removeQueries) triggers re-renders and 401s on in-flight requests. The axios interceptor would refresh the token successfully, firing dispatchTokenUpdatedEvent which cancels the window.location.replace() navigation to the IdP's end_session_endpoint. Fix: - Clear Authorization header synchronously before redirect so the axios interceptor skips refresh for post-logout 401s - Add isExternalRedirectRef to suppress silentRefresh and useEffect side effects during the redirect - Add JSDoc explaining why isSafeRedirect is bypassed * test: add LogoutController and AuthContext logout test coverage LogoutController.spec.js (13 tests): - id_token_hint from session and cookie fallback - client_id fallback, including undefined OPENID_CLIENT_ID guard - Disabled endpoint, missing issuer, non-OpenID user - post_logout_redirect_uri (custom and default) - Missing OpenID config and end_session_endpoint - Error handling and cookie clearing AuthContext.spec.tsx (3 tests): - OIDC redirect calls window.location.replace + setTokenHeader - Non-redirect logout path - Logout error handling * test: add coverage for setTokenHeader, axios interceptor guard, and silentRefresh suppression headers-helpers.spec.ts (3 tests): - Sets Authorization header with Bearer token - Deletes Authorization header when called with undefined - No-op when clearing an already absent header request-interceptor.spec.ts (2 tests): - Skips refresh when Authorization header is cleared (the race fix) - Attempts refresh when Authorization header is present AuthContext.spec.tsx (1 new test): - Verifies silentRefresh is not triggered after OIDC redirect * test: enhance request-interceptor tests with adapter restoration and refresh verification - Store the original axios adapter before tests and restore it after all tests to prevent side effects. - Add verification for the refresh endpoint call in the interceptor tests to ensure correct behavior during token refresh attempts. * test: enhance AuthContext tests with live rendering and improved logout error handling - Introduced a new `renderProviderLive` function to facilitate testing with silentRefresh. - Updated tests to use the live rendering function, ensuring accurate simulation of authentication behavior. - Enhanced logout error handling test to verify that auth state is cleared without external redirects. * test: update LogoutController tests for OpenID config error handling - Renamed test suite to clarify that it handles cases when OpenID config is not available. - Modified test to check for error thrown by getOpenIdConfig instead of returning null, ensuring proper logging of the error message. * refactor: improve OpenID config error handling in LogoutController - Simplified error handling for OpenID configuration retrieval by using a try-catch block. - Updated logging to provide clearer messages when the OpenID config is unavailable. - Ensured that the end session endpoint is only accessed if the OpenID config is successfully retrieved. --------- Co-authored-by: cloudspinner <stijn.tastenhoye@gmail.com>
2026-03-02 21:34:13 -05:00
/**
* @jest-environment jsdom
*/
import axios from 'axios';
import { setTokenHeader } from '../src/headers-helpers';
/**
* The response interceptor in request.ts registers at import time when
* `typeof window !== 'undefined'` (jsdom provides window).
*
* We use axios's built-in request adapter mock to avoid real HTTP calls,
* and verify the interceptor's behavior by observing whether a 401 triggers
* a refresh POST or is immediately rejected.
*/
/** Mock the axios adapter to simulate responses without HTTP */
const mockAdapter = jest.fn();
let originalAdapter: typeof axios.defaults.adapter;
beforeAll(async () => {
originalAdapter = axios.defaults.adapter;
axios.defaults.adapter = mockAdapter;
/** Import triggers interceptor registration */
await import('../src/request');
});
beforeEach(() => {
mockAdapter.mockReset();
});
afterAll(() => {
axios.defaults.adapter = originalAdapter;
});
afterEach(() => {
delete axios.defaults.headers.common['Authorization'];
});
describe('axios 401 interceptor — Authorization header guard', () => {
it('skips refresh and rejects when Authorization header is cleared', async () => {
/** Simulate a cleared header (as done by setTokenHeader(undefined) during logout) */
setTokenHeader(undefined);
/** Set up adapter: first call returns 401, second would be the refresh */
mockAdapter.mockRejectedValueOnce({
response: { status: 401 },
config: { url: '/api/messages', headers: {} },
});
try {
await axios.get('/api/messages');
} catch {
// expected rejection
}
/**
* If the interceptor skipped refresh, only 1 call was made (the original).
* If it attempted refresh, there would be 2+ calls (original + refresh POST).
*/
expect(mockAdapter).toHaveBeenCalledTimes(1);
});
it('attempts refresh when Authorization header is present', async () => {
setTokenHeader('valid-token');
/** First call: 401 on the original request */
mockAdapter.mockRejectedValueOnce({
response: { status: 401 },
config: { url: '/api/messages', headers: {}, _retry: false },
});
/** Second call: the refresh endpoint succeeds */
mockAdapter.mockResolvedValueOnce({
data: { token: 'new-token' },
status: 200,
headers: {},
config: {},
});
/** Third call: retried original request succeeds */
mockAdapter.mockResolvedValueOnce({
data: { messages: [] },
status: 200,
headers: {},
config: {},
});
try {
await axios.get('/api/messages');
} catch {
// may reject depending on exact flow
}
/** More than 1 call means the interceptor attempted refresh */
expect(mockAdapter.mock.calls.length).toBeGreaterThan(1);
/** Verify the second call targeted the refresh endpoint */
const refreshCall = mockAdapter.mock.calls[1];
expect(refreshCall[0].url).toContain('api/auth/refresh');
});
});
Reference in a new issue Copy permalink