2025-02-03 16:57:49 +01:00
|
|
|
|
const fetch = require('node-fetch');
|
2024-10-27 11:41:48 -04:00
|
|
|
|
const jwtDecode = require('jsonwebtoken/decode');
|
2025-08-11 18:49:34 -04:00
|
|
|
|
const { ErrorTypes } = require('librechat-data-provider');
|
2025-05-30 22:18:13 -04:00
|
|
|
|
const { findUser, createUser, updateUser } = require('~/models');
|
2025-08-11 18:49:34 -04:00
|
|
|
|
const { setupOpenId } = require('./openidStrategy');
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// --- Mocks ---
|
|
|
|
|
|
jest.mock('node-fetch');
|
|
|
|
|
|
jest.mock('jsonwebtoken/decode');
|
2024-10-27 11:41:48 -04:00
|
|
|
|
jest.mock('~/server/services/Files/strategies', () => ({
|
|
|
|
|
|
getStrategyFunctions: jest.fn(() => ({
|
2025-02-03 16:57:49 +01:00
|
|
|
|
saveBuffer: jest.fn().mockResolvedValue('/fake/path/to/avatar.png'),
|
2024-10-27 11:41:48 -04:00
|
|
|
|
})),
|
|
|
|
|
|
}));
|
2025-05-30 22:18:13 -04:00
|
|
|
|
jest.mock('~/server/services/Config', () => ({
|
2025-08-26 12:10:18 -04:00
|
|
|
|
getAppConfig: jest.fn().mockResolvedValue({}),
|
|
|
|
|
|
}));
|
|
|
|
|
|
jest.mock('@librechat/api', () => ({
|
|
|
|
|
|
...jest.requireActual('@librechat/api'),
|
|
|
|
|
|
isEnabled: jest.fn(() => false),
|
🆔 feat: Add OpenID Connect Federated Provider Token Support (#9931)
* feat: Add OpenID Connect federated provider token support
Implements support for passing federated provider tokens (Cognito, Azure AD, Auth0)
as variables in LibreChat's librechat.yaml configuration for both custom endpoints
and MCP servers.
Features:
- New LIBRECHAT_OPENID_* template variables for federated provider tokens
- JWT claims parsing from ID tokens without verification (for claim extraction)
- Token validation with expiration checking
- Support for multiple token storage locations (federatedTokens, openidTokens)
- Integration with existing template variable system
- Comprehensive test suite with Cognito-specific scenarios
- Provider-agnostic design supporting Cognito, Azure AD, Auth0, etc.
Security:
- Server-side only token processing
- Automatic token expiration validation
- Graceful fallbacks for missing/invalid tokens
- No client-side token exposure
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: Add federated token propagation to OIDC authentication strategies
Adds federatedTokens object to user during authentication to enable
federated provider token template variables in LibreChat configuration.
Changes:
- OpenID JWT Strategy: Extract raw JWT from Authorization header and
attach as federatedTokens.access_token to enable {{LIBRECHAT_OPENID_TOKEN}}
placeholder resolution
- OpenID Strategy: Attach tokenset tokens as federatedTokens object to
standardize token access across both authentication strategies
This enables proper token propagation for custom endpoints and MCP
servers that require federated provider tokens for authorization.
Resolves missing token issue reported by @ramden in PR #9931
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Denis Ramic <denis.ramic@nfon.com>
Co-Authored-By: Claude <noreply@anthropic.com>
* test: Add federatedTokens validation tests for OIDC strategies
Adds comprehensive test coverage for the federated token propagation
feature implemented in the authentication strategies.
Tests added:
- Verify federatedTokens object is attached to user with correct structure
(access_token, refresh_token, expires_at)
- Verify both tokenset and federatedTokens are present in user object
- Ensure tokens from OIDC provider are correctly propagated
Also fixes existing test suite by adding missing mocks:
- isEmailDomainAllowed function mock
- findOpenIDUser function mock
These tests validate the fix from commit 5874ba29f that enables
{{LIBRECHAT_OPENID_TOKEN}} template variable functionality.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* docs: Remove implementation documentation file
The PR description already contains all necessary implementation details.
This documentation file is redundant and was requested to be removed.
* fix: skip s256 check
* fix(openid): handle missing refresh token in Cognito token refresh response
When OPENID_REUSE_TOKENS=true, the token refresh flow was failing because
Cognito (and most OAuth providers) don't return a new refresh token in the
refresh grant response - they only return new access and ID tokens.
Changes:
- Modified setOpenIDAuthTokens() to accept optional existingRefreshToken parameter
- Updated validation to only require access_token (refresh_token now optional)
- Added logic to reuse existing refresh token when not provided in tokenset
- Updated refreshController to pass original refresh token as fallback
- Added comments explaining standard OAuth 2.0 refresh token behavior
This fixes the "Token is not present. User is not authenticated." error that
occurred during silent token refresh with Cognito as the OpenID provider.
Fixes: Authentication loop with OPENID_REUSE_TOKENS=true and AWS Cognito
* fix(openid): extract refresh token from cookies for template variable replacement
When OPENID_REUSE_TOKENS=true, the openIdJwtStrategy populates user.federatedTokens
to enable template variable replacement (e.g., {{LIBRECHAT_OPENID_ACCESS_TOKEN}}).
However, the refresh_token field was incorrectly sourced from payload.refresh_token,
which is always undefined because:
1. JWTs don't contain refresh tokens in their payload
2. The JWT itself IS the access token
3. Refresh tokens are separate opaque tokens stored in HTTP-only cookies
This caused extractOpenIDTokenInfo() to receive incomplete federatedTokens,
resulting in template variables remaining unreplaced in headers.
**Root Cause:**
- Line 90: `refresh_token: payload.refresh_token` (always undefined)
- JWTs only contain access token data in their claims
- Refresh tokens are separate, stored securely in cookies
**Solution:**
- Import `cookie` module to parse cookies from request
- Extract refresh token from `refreshToken` cookie
- Populate federatedTokens with both access token (JWT) and refresh token (from cookie)
**Impact:**
- Template variables like {{LIBRECHAT_OPENID_ACCESS_TOKEN}} now work correctly
- Headers in librechat.yaml are properly replaced with actual tokens
- MCP server authentication with federated tokens now functional
**Technical Details:**
- passReqToCallback=true in JWT strategy provides req object access
- Refresh token extracted via cookies.parse(req.headers.cookie).refreshToken
- Falls back gracefully if cookie header or refreshToken is missing
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: re-resolve headers on each request to pick up fresh federatedTokens
- OpenAIClient now re-resolves headers in chatCompletion() before each API call
- This ensures template variables like {{LIBRECHAT_OPENID_TOKEN}} are replaced
with actual token values from req.user.federatedTokens
- initialize.js now stores original template headers instead of pre-resolved ones
- Fixes template variable replacement when OPENID_REUSE_TOKENS=true
The issue was that headers were only resolved once during client initialization,
before openIdJwtStrategy had populated user.federatedTokens. Now headers are
re-resolved on every request with the current user's fresh tokens.
* debug: add logging to track header resolution in OpenAIClient
* debug: log tokenset structure after refresh to diagnose missing access_token
* fix: set federatedTokens on user object after OAuth refresh
- After successful OAuth token refresh, the user object was not being
updated with federatedTokens
- This caused template variable resolution to fail on subsequent requests
- Now sets user.federatedTokens with access_token, id_token, refresh_token
and expires_at from the refreshed tokenset
- Fixes template variables like {{LIBRECHAT_OPENID_TOKEN}} not being
replaced after token refresh
- Related to PR #9931 (OpenID federated token support)
* fix(openid): pass user object through agent chain for template variable resolution
Root cause: buildAgentContext in agents/run.ts called resolveHeaders without
the user parameter, preventing OpenID federated token template variables from
being resolved in agent runtime parameters.
Changes:
- packages/api/src/agents/run.ts: Add user parameter to createRun signature
- packages/api/src/agents/run.ts: Pass user to resolveHeaders in buildAgentContext
- api/server/controllers/agents/client.js: Pass user when calling createRun
- api/server/services/Endpoints/bedrock/options.js: Add resolveHeaders call with debug logging
- api/server/services/Endpoints/custom/initialize.js: Add debug logging
- packages/api/src/utils/env.ts: Add comprehensive debug logging and stack traces
- packages/api/src/utils/oidc.ts: Fix eslint errors (unused type, explicit any)
This ensures template variables like {{LIBRECHAT_OPENID_TOKEN}} and
{{LIBRECHAT_USER_OPENIDID}} are properly resolved in both custom endpoint
headers and Bedrock AgentCore runtime parameters.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* refactor: remove debug logging from OpenID token template feature
Removed excessive debug logging that was added during development to make
the PR more suitable for upstream review:
- Removed 7 debug statements from OpenAIClient.js
- Removed all console.log statements from packages/api/src/utils/env.ts
- Removed debug logging from bedrock/options.js
- Removed debug logging from custom/initialize.js
- Removed debug statement from AuthController.js
This reduces the changeset by ~50 lines while maintaining full functionality
of the OpenID federated token template variable feature.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(openid): add comprehensive unit tests for template variable substitution
- Add 34 unit tests for OIDC token utilities (oidc.spec.ts)
- Test coverage for token extraction, validation, and placeholder processing
- Integration tests for full OpenID token flow
- All tests pass with comprehensive edge case coverage
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
* test: fix OpenID federated tokens test failures
- Add serverMetadata() mock to openid-client mock configuration
* Fixes TypeError in openIdJwtStrategy.js where serverMetadata() was being called
* Mock now returns jwks_uri and end_session_endpoint as expected by the code
- Update outdated initialize.spec.js test
* Remove test expecting resolveHeaders call during initialization
* Header resolution was refactored to be deferred until LLM request time
* Update test to verify options are returned correctly with useLegacyContent flag
Fixes #9931 CI failures for backend unit tests
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* chore: fix package-lock.json conflict
* chore: sync package-log with upstream
* chore: cleanup
* fix: use createSafeUser
* fix: fix createSafeUser signature
* chore: remove comments
* chore: purge comments
* fix: update Jest testPathPattern to testPathPatterns for Jest 30+ compatibility
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Denis Ramic <denis.ramic@nfon.com>
Co-authored-by: kristjanaapro <kristjana@apro.is>
chore: import order and add back JSDoc for OpenID JWT callback
2025-11-21 14:44:52 +00:00
|
|
|
|
isEmailDomainAllowed: jest.fn(() => true),
|
|
|
|
|
|
findOpenIDUser: jest.requireActual('@librechat/api').findOpenIDUser,
|
2025-05-30 22:18:13 -04:00
|
|
|
|
getBalanceConfig: jest.fn(() => ({
|
|
|
|
|
|
enabled: false,
|
|
|
|
|
|
})),
|
|
|
|
|
|
}));
|
|
|
|
|
|
jest.mock('~/models', () => ({
|
2025-02-03 16:57:49 +01:00
|
|
|
|
findUser: jest.fn(),
|
|
|
|
|
|
createUser: jest.fn(),
|
|
|
|
|
|
updateUser: jest.fn(),
|
|
|
|
|
|
}));
|
🪐 feat: MCP OAuth 2.0 Discovery Support (#7924)
* chore: Update @modelcontextprotocol/sdk to version 1.12.3 in package.json and package-lock.json
- Bump version of @modelcontextprotocol/sdk to 1.12.3 to incorporate recent updates.
- Update dependencies for ajv and cross-spawn to their latest versions.
- Add ajv as a new dependency in the sdk module.
- Include json-schema-traverse as a new dependency in the sdk module.
* feat: @librechat/auth
* feat: Add crypto module exports to auth package
- Introduced a new crypto module by creating index.ts in the crypto directory.
- Updated the main index.ts of the auth package to export from the new crypto module.
* feat: Update package dependencies and build scripts for auth package
- Added @librechat/auth as a dependency in package.json and package-lock.json.
- Updated build scripts to include the auth package in both frontend and bun build processes.
- Removed unused mongoose and openid-client dependencies from package-lock.json for cleaner dependency management.
* refactor: Migrate crypto utility functions to @librechat/auth
- Replaced local crypto utility imports with the new @librechat/auth package across multiple files.
- Removed the obsolete crypto.js file and its exports.
- Updated relevant services and models to utilize the new encryption and decryption methods from @librechat/auth.
* feat: Enhance OAuth token handling and update dependencies in auth package
* chore: Remove Token model and TokenService due to restructuring of OAuth handling
- Deleted the Token.js model and TokenService.js, which were responsible for managing OAuth tokens.
- This change is part of a broader refactor to streamline OAuth token management and improve code organization.
* refactor: imports from '@librechat/auth' to '@librechat/api' and add OAuth token handling functionality
* refactor: Simplify logger usage in MCP and FlowStateManager classes
* chore: fix imports
* feat: Add OAuth configuration schema to MCP with token exchange method support
* feat: FIRST PASS Implement MCP OAuth flow with token management and error handling
- Added a new route for handling OAuth callbacks and token retrieval.
- Integrated OAuth token storage and retrieval mechanisms.
- Enhanced MCP connection to support automatic OAuth flow initiation on 401 errors.
- Implemented dynamic client registration and metadata discovery for OAuth.
- Updated MCPManager to manage OAuth tokens and handle authentication requirements.
- Introduced comprehensive logging for OAuth processes and error handling.
* refactor: Update MCPConnection and MCPManager to utilize new URL handling
- Added a `url` property to MCPConnection for better URL management.
- Refactored MCPManager to use the new `url` property instead of a deprecated method for OAuth handling.
- Changed logging from info to debug level for flow manager and token methods initialization.
- Improved comments for clarity on existing tokens and OAuth event listener setup.
* refactor: Improve connection timeout error messages in MCPConnection and MCPManager and use initTimeout for connection
- Updated the connection timeout error messages to include the duration of the timeout.
- Introduced a configurable `connectTimeout` variable in both MCPConnection and MCPManager for better flexibility.
* chore: cleanup MCP OAuth Token exchange handling; fix: erroneous use of flowsCache and remove verbose logs
* refactor: Update MCPManager and MCPTokenStorage to use TokenMethods for token management
- Removed direct token storage handling in MCPManager and replaced it with TokenMethods for better abstraction.
- Refactored MCPTokenStorage methods to accept parameters for token operations, enhancing flexibility and readability.
- Improved logging messages related to token persistence and retrieval processes.
* refactor: Update MCP OAuth handling to use static methods and improve flow management
- Refactored MCPOAuthHandler to utilize static methods for initiating and completing OAuth flows, enhancing clarity and reducing instance dependencies.
- Updated MCPManager to pass flowManager explicitly to OAuth handling methods, improving flexibility in flow state management.
- Enhanced comments and logging for better understanding of OAuth processes and flow state retrieval.
* refactor: Integrate token methods into createMCPTool for enhanced token management
* refactor: Change logging from info to debug level in MCPOAuthHandler for improved log management
* chore: clean up logging
* feat: first pass, auth URL from MCP OAuth flow
* chore: Improve logging format for OAuth authentication URL display
* chore: cleanup mcp manager comments
* feat: add connection reconnection logic in MCPManager
* refactor: reorganize token storage handling in MCP
- Moved token storage logic from MCPManager to a new MCPTokenStorage class for better separation of concerns.
- Updated imports to reflect the new token storage structure.
- Enhanced methods for storing, retrieving, updating, and deleting OAuth tokens, improving overall token management.
* chore: update comment for SYSTEM_USER_ID in MCPManager for clarity
* feat: implement refresh token functionality in MCP
- Added refresh token handling in MCPManager to support token renewal for both app-level and user-specific connections.
- Introduced a refreshTokens function to facilitate token refresh logic.
- Enhanced MCPTokenStorage to manage client information and refresh token processes.
- Updated logging for better traceability during token operations.
* chore: cleanup @librechat/auth
* feat: implement MCP server initialization in a separate service
- Added a new service to handle the initialization of MCP servers, improving code organization and readability.
- Refactored the server startup logic to utilize the new initializeMCP function.
- Removed redundant MCP initialization code from the main server file.
* fix: don't log auth url for user connections
* feat: enhance OAuth flow with success and error handling components
- Updated OAuth callback routes to redirect to new success and error pages instead of sending status messages.
- Introduced `OAuthSuccess` and `OAuthError` components to provide user feedback during authentication.
- Added localization support for success and error messages in the translation files.
- Implemented countdown functionality in the success component for a better user experience.
* fix: refresh token handling for user connections, add missing URL and methods
- add standard enum for system user id and helper for determining app-lvel vs. user-level connections
* refactor: update token handling in MCPManager and MCPTokenStorage
* fix: improve error logging in OAuth authentication handler
* fix: concurrency issues for both login url emission and concurrency of oauth flows for shared flows (same user, same server, multiple calls for same server)
* fix: properly fail shared flows for concurrent server calls and prevent duplication of tokens
* chore: remove unused auth package directory from update configuration
* ci: fix mocks in samlStrategy tests
* ci: add mcpConfig to AppService test setup
* chore: remove obsolete MCP OAuth implementation documentation
* fix: update build script for API to use correct command
* chore: bump version of @librechat/api to 1.2.4
* fix: update abort signal handling in createMCPTool function
* fix: add optional clientInfo parameter to refreshTokensFunction metadata
* refactor: replace app.locals.availableTools with getCachedTools in multiple services and controllers for improved tool management
* fix: concurrent refresh token handling issue
* refactor: add signal parameter to getUserConnection method for improved abort handling
* chore: JSDoc typing for `loadEphemeralAgent`
* refactor: update isConnectionActive method to use destructured parameters for improved readability
* feat: implement caching for MCP tools to handle app-level disconnects for loading list of tools
* ci: fix agent test
2025-06-17 13:50:33 -04:00
|
|
|
|
jest.mock('@librechat/data-schemas', () => ({
|
|
|
|
|
|
...jest.requireActual('@librechat/api'),
|
2025-02-03 16:57:49 +01:00
|
|
|
|
logger: {
|
|
|
|
|
|
info: jest.fn(),
|
2025-08-27 12:59:40 -04:00
|
|
|
|
warn: jest.fn(),
|
2025-02-03 16:57:49 +01:00
|
|
|
|
debug: jest.fn(),
|
|
|
|
|
|
error: jest.fn(),
|
2025-05-22 14:19:24 +02:00
|
|
|
|
},
|
🪐 feat: MCP OAuth 2.0 Discovery Support (#7924)
* chore: Update @modelcontextprotocol/sdk to version 1.12.3 in package.json and package-lock.json
- Bump version of @modelcontextprotocol/sdk to 1.12.3 to incorporate recent updates.
- Update dependencies for ajv and cross-spawn to their latest versions.
- Add ajv as a new dependency in the sdk module.
- Include json-schema-traverse as a new dependency in the sdk module.
* feat: @librechat/auth
* feat: Add crypto module exports to auth package
- Introduced a new crypto module by creating index.ts in the crypto directory.
- Updated the main index.ts of the auth package to export from the new crypto module.
* feat: Update package dependencies and build scripts for auth package
- Added @librechat/auth as a dependency in package.json and package-lock.json.
- Updated build scripts to include the auth package in both frontend and bun build processes.
- Removed unused mongoose and openid-client dependencies from package-lock.json for cleaner dependency management.
* refactor: Migrate crypto utility functions to @librechat/auth
- Replaced local crypto utility imports with the new @librechat/auth package across multiple files.
- Removed the obsolete crypto.js file and its exports.
- Updated relevant services and models to utilize the new encryption and decryption methods from @librechat/auth.
* feat: Enhance OAuth token handling and update dependencies in auth package
* chore: Remove Token model and TokenService due to restructuring of OAuth handling
- Deleted the Token.js model and TokenService.js, which were responsible for managing OAuth tokens.
- This change is part of a broader refactor to streamline OAuth token management and improve code organization.
* refactor: imports from '@librechat/auth' to '@librechat/api' and add OAuth token handling functionality
* refactor: Simplify logger usage in MCP and FlowStateManager classes
* chore: fix imports
* feat: Add OAuth configuration schema to MCP with token exchange method support
* feat: FIRST PASS Implement MCP OAuth flow with token management and error handling
- Added a new route for handling OAuth callbacks and token retrieval.
- Integrated OAuth token storage and retrieval mechanisms.
- Enhanced MCP connection to support automatic OAuth flow initiation on 401 errors.
- Implemented dynamic client registration and metadata discovery for OAuth.
- Updated MCPManager to manage OAuth tokens and handle authentication requirements.
- Introduced comprehensive logging for OAuth processes and error handling.
* refactor: Update MCPConnection and MCPManager to utilize new URL handling
- Added a `url` property to MCPConnection for better URL management.
- Refactored MCPManager to use the new `url` property instead of a deprecated method for OAuth handling.
- Changed logging from info to debug level for flow manager and token methods initialization.
- Improved comments for clarity on existing tokens and OAuth event listener setup.
* refactor: Improve connection timeout error messages in MCPConnection and MCPManager and use initTimeout for connection
- Updated the connection timeout error messages to include the duration of the timeout.
- Introduced a configurable `connectTimeout` variable in both MCPConnection and MCPManager for better flexibility.
* chore: cleanup MCP OAuth Token exchange handling; fix: erroneous use of flowsCache and remove verbose logs
* refactor: Update MCPManager and MCPTokenStorage to use TokenMethods for token management
- Removed direct token storage handling in MCPManager and replaced it with TokenMethods for better abstraction.
- Refactored MCPTokenStorage methods to accept parameters for token operations, enhancing flexibility and readability.
- Improved logging messages related to token persistence and retrieval processes.
* refactor: Update MCP OAuth handling to use static methods and improve flow management
- Refactored MCPOAuthHandler to utilize static methods for initiating and completing OAuth flows, enhancing clarity and reducing instance dependencies.
- Updated MCPManager to pass flowManager explicitly to OAuth handling methods, improving flexibility in flow state management.
- Enhanced comments and logging for better understanding of OAuth processes and flow state retrieval.
* refactor: Integrate token methods into createMCPTool for enhanced token management
* refactor: Change logging from info to debug level in MCPOAuthHandler for improved log management
* chore: clean up logging
* feat: first pass, auth URL from MCP OAuth flow
* chore: Improve logging format for OAuth authentication URL display
* chore: cleanup mcp manager comments
* feat: add connection reconnection logic in MCPManager
* refactor: reorganize token storage handling in MCP
- Moved token storage logic from MCPManager to a new MCPTokenStorage class for better separation of concerns.
- Updated imports to reflect the new token storage structure.
- Enhanced methods for storing, retrieving, updating, and deleting OAuth tokens, improving overall token management.
* chore: update comment for SYSTEM_USER_ID in MCPManager for clarity
* feat: implement refresh token functionality in MCP
- Added refresh token handling in MCPManager to support token renewal for both app-level and user-specific connections.
- Introduced a refreshTokens function to facilitate token refresh logic.
- Enhanced MCPTokenStorage to manage client information and refresh token processes.
- Updated logging for better traceability during token operations.
* chore: cleanup @librechat/auth
* feat: implement MCP server initialization in a separate service
- Added a new service to handle the initialization of MCP servers, improving code organization and readability.
- Refactored the server startup logic to utilize the new initializeMCP function.
- Removed redundant MCP initialization code from the main server file.
* fix: don't log auth url for user connections
* feat: enhance OAuth flow with success and error handling components
- Updated OAuth callback routes to redirect to new success and error pages instead of sending status messages.
- Introduced `OAuthSuccess` and `OAuthError` components to provide user feedback during authentication.
- Added localization support for success and error messages in the translation files.
- Implemented countdown functionality in the success component for a better user experience.
* fix: refresh token handling for user connections, add missing URL and methods
- add standard enum for system user id and helper for determining app-lvel vs. user-level connections
* refactor: update token handling in MCPManager and MCPTokenStorage
* fix: improve error logging in OAuth authentication handler
* fix: concurrency issues for both login url emission and concurrency of oauth flows for shared flows (same user, same server, multiple calls for same server)
* fix: properly fail shared flows for concurrent server calls and prevent duplication of tokens
* chore: remove unused auth package directory from update configuration
* ci: fix mocks in samlStrategy tests
* ci: add mcpConfig to AppService test setup
* chore: remove obsolete MCP OAuth implementation documentation
* fix: update build script for API to use correct command
* chore: bump version of @librechat/api to 1.2.4
* fix: update abort signal handling in createMCPTool function
* fix: add optional clientInfo parameter to refreshTokensFunction metadata
* refactor: replace app.locals.availableTools with getCachedTools in multiple services and controllers for improved tool management
* fix: concurrent refresh token handling issue
* refactor: add signal parameter to getUserConnection method for improved abort handling
* chore: JSDoc typing for `loadEphemeralAgent`
* refactor: update isConnectionActive method to use destructured parameters for improved readability
* feat: implement caching for MCP tools to handle app-level disconnects for loading list of tools
* ci: fix agent test
2025-06-17 13:50:33 -04:00
|
|
|
|
hashToken: jest.fn().mockResolvedValue('hashed-token'),
|
2025-05-22 14:19:24 +02:00
|
|
|
|
}));
|
|
|
|
|
|
jest.mock('~/cache/getLogStores', () =>
|
|
|
|
|
|
jest.fn(() => ({
|
|
|
|
|
|
get: jest.fn(),
|
|
|
|
|
|
set: jest.fn(),
|
|
|
|
|
|
})),
|
|
|
|
|
|
);
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Mock the openid-client module and all its dependencies
|
|
|
|
|
|
jest.mock('openid-client', () => {
|
|
|
|
|
|
return {
|
|
|
|
|
|
discovery: jest.fn().mockResolvedValue({
|
|
|
|
|
|
clientId: 'fake_client_id',
|
|
|
|
|
|
clientSecret: 'fake_client_secret',
|
|
|
|
|
|
issuer: 'https://fake-issuer.com',
|
|
|
|
|
|
// Add any other properties needed by the implementation
|
|
|
|
|
|
}),
|
2025-08-11 18:49:34 -04:00
|
|
|
|
fetchUserInfo: jest.fn().mockImplementation(() => {
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Only return additional properties, but don't override any claims
|
2025-07-30 14:43:42 -04:00
|
|
|
|
return Promise.resolve({});
|
2025-05-22 14:19:24 +02:00
|
|
|
|
}),
|
|
|
|
|
|
customFetch: Symbol('customFetch'),
|
|
|
|
|
|
};
|
2025-02-03 16:57:49 +01:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
jest.mock('openid-client/passport', () => {
|
|
|
|
|
|
let verifyCallback;
|
|
|
|
|
|
const mockStrategy = jest.fn((options, verify) => {
|
|
|
|
|
|
verifyCallback = verify;
|
|
|
|
|
|
return { name: 'openid', options, verify };
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
return {
|
|
|
|
|
|
Strategy: mockStrategy,
|
|
|
|
|
|
__getVerifyCallback: () => verifyCallback,
|
|
|
|
|
|
};
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Mock passport
|
|
|
|
|
|
jest.mock('passport', () => ({
|
|
|
|
|
|
use: jest.fn(),
|
|
|
|
|
|
}));
|
|
|
|
|
|
|
2024-10-27 11:41:48 -04:00
|
|
|
|
describe('setupOpenId', () => {
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Store a reference to the verify callback once it's set up
|
|
|
|
|
|
let verifyCallback;
|
|
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Helper to wrap the verify callback in a promise
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const validate = (tokenset) =>
|
2025-02-03 16:57:49 +01:00
|
|
|
|
new Promise((resolve, reject) => {
|
2025-05-22 14:19:24 +02:00
|
|
|
|
verifyCallback(tokenset, (err, user, details) => {
|
2025-02-03 16:57:49 +01:00
|
|
|
|
if (err) {
|
|
|
|
|
|
reject(err);
|
|
|
|
|
|
} else {
|
|
|
|
|
|
resolve({ user, details });
|
|
|
|
|
|
}
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
const tokenset = {
|
|
|
|
|
|
id_token: 'fake_id_token',
|
|
|
|
|
|
access_token: 'fake_access_token',
|
2025-05-22 14:19:24 +02:00
|
|
|
|
claims: () => ({
|
|
|
|
|
|
sub: '1234',
|
|
|
|
|
|
email: 'test@example.com',
|
|
|
|
|
|
email_verified: true,
|
|
|
|
|
|
given_name: 'First',
|
|
|
|
|
|
family_name: 'Last',
|
|
|
|
|
|
name: 'My Full',
|
2025-07-30 14:43:42 -04:00
|
|
|
|
preferred_username: 'testusername',
|
2025-05-22 14:19:24 +02:00
|
|
|
|
username: 'flast',
|
|
|
|
|
|
picture: 'https://example.com/avatar.png',
|
|
|
|
|
|
}),
|
2025-02-03 16:57:49 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
beforeEach(async () => {
|
|
|
|
|
|
// Clear previous mock calls and reset implementations
|
|
|
|
|
|
jest.clearAllMocks();
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Reset environment variables needed by the strategy
|
|
|
|
|
|
process.env.OPENID_ISSUER = 'https://fake-issuer.com';
|
|
|
|
|
|
process.env.OPENID_CLIENT_ID = 'fake_client_id';
|
|
|
|
|
|
process.env.OPENID_CLIENT_SECRET = 'fake_client_secret';
|
|
|
|
|
|
process.env.DOMAIN_SERVER = 'https://example.com';
|
|
|
|
|
|
process.env.OPENID_CALLBACK_URL = '/callback';
|
|
|
|
|
|
process.env.OPENID_SCOPE = 'openid profile email';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'requiredRole';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'roles';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND = 'id';
|
2025-10-09 08:35:22 +01:00
|
|
|
|
process.env.OPENID_ADMIN_ROLE = 'admin';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH = 'permissions';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_TOKEN_KIND = 'id';
|
2025-02-03 16:57:49 +01:00
|
|
|
|
delete process.env.OPENID_USERNAME_CLAIM;
|
|
|
|
|
|
delete process.env.OPENID_NAME_CLAIM;
|
|
|
|
|
|
delete process.env.PROXY;
|
2025-05-22 14:19:24 +02:00
|
|
|
|
delete process.env.OPENID_USE_PKCE;
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Default jwtDecode mock returns a token that includes the required role.
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
2025-10-09 08:35:22 +01:00
|
|
|
|
permissions: ['admin'],
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// By default, assume that no user is found, so createUser will be called
|
|
|
|
|
|
findUser.mockResolvedValue(null);
|
|
|
|
|
|
createUser.mockImplementation(async (userData) => {
|
|
|
|
|
|
// simulate created user with an _id property
|
|
|
|
|
|
return { _id: 'newUserId', ...userData };
|
|
|
|
|
|
});
|
|
|
|
|
|
updateUser.mockImplementation(async (id, userData) => {
|
|
|
|
|
|
return { _id: id, ...userData };
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// For image download, simulate a successful response
|
|
|
|
|
|
const fakeBuffer = Buffer.from('fake image');
|
|
|
|
|
|
const fakeResponse = {
|
|
|
|
|
|
ok: true,
|
|
|
|
|
|
buffer: jest.fn().mockResolvedValue(fakeBuffer),
|
2024-10-27 11:41:48 -04:00
|
|
|
|
};
|
2025-02-03 16:57:49 +01:00
|
|
|
|
fetch.mockResolvedValue(fakeResponse);
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
// Call the setup function and capture the verify callback
|
2025-02-03 16:57:49 +01:00
|
|
|
|
await setupOpenId();
|
2025-05-22 14:19:24 +02:00
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
2025-02-03 16:57:49 +01:00
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-07-30 14:43:42 -04:00
|
|
|
|
it('should create a new user with correct username when preferred_username claim exists', async () => {
|
|
|
|
|
|
// Arrange – our userinfo already has preferred_username 'testusername'
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = tokenset.claims();
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate(tokenset);
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Assert
|
2025-07-30 14:43:42 -04:00
|
|
|
|
expect(user.username).toBe(userinfo.preferred_username);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
expect(createUser).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.objectContaining({
|
|
|
|
|
|
provider: 'openid',
|
|
|
|
|
|
openidId: userinfo.sub,
|
2025-07-30 14:43:42 -04:00
|
|
|
|
username: userinfo.preferred_username,
|
2025-02-03 16:57:49 +01:00
|
|
|
|
email: userinfo.email,
|
|
|
|
|
|
name: `${userinfo.given_name} ${userinfo.family_name}`,
|
|
|
|
|
|
}),
|
2025-05-30 22:18:13 -04:00
|
|
|
|
{ enabled: false },
|
2025-02-03 16:57:49 +01:00
|
|
|
|
true,
|
|
|
|
|
|
true,
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-07-30 14:43:42 -04:00
|
|
|
|
it('should use username as username when preferred_username claim is missing', async () => {
|
|
|
|
|
|
// Arrange – remove preferred_username from userinfo
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = { ...tokenset.claims() };
|
2025-07-30 14:43:42 -04:00
|
|
|
|
delete userinfo.preferred_username;
|
|
|
|
|
|
// Expect the username to be the "username"
|
|
|
|
|
|
const expectUsername = userinfo.username;
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate({ ...tokenset, claims: () => userinfo });
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user.username).toBe(expectUsername);
|
|
|
|
|
|
expect(createUser).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.objectContaining({ username: expectUsername }),
|
2025-05-30 22:18:13 -04:00
|
|
|
|
{ enabled: false },
|
2025-02-03 16:57:49 +01:00
|
|
|
|
true,
|
|
|
|
|
|
true,
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-07-30 14:43:42 -04:00
|
|
|
|
it('should use email as username when username and preferred_username are missing', async () => {
|
|
|
|
|
|
// Arrange – remove username and preferred_username
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = { ...tokenset.claims() };
|
2025-02-03 16:57:49 +01:00
|
|
|
|
delete userinfo.username;
|
2025-07-30 14:43:42 -04:00
|
|
|
|
delete userinfo.preferred_username;
|
2025-02-03 16:57:49 +01:00
|
|
|
|
const expectUsername = userinfo.email;
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate({ ...tokenset, claims: () => userinfo });
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user.username).toBe(expectUsername);
|
|
|
|
|
|
expect(createUser).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.objectContaining({ username: expectUsername }),
|
2025-05-30 22:18:13 -04:00
|
|
|
|
{ enabled: false },
|
2025-02-03 16:57:49 +01:00
|
|
|
|
true,
|
|
|
|
|
|
true,
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
it('should override username with OPENID_USERNAME_CLAIM when set', async () => {
|
|
|
|
|
|
// Arrange – set OPENID_USERNAME_CLAIM so that the sub claim is used
|
|
|
|
|
|
process.env.OPENID_USERNAME_CLAIM = 'sub';
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = tokenset.claims();
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – username should equal the sub (converted as-is)
|
|
|
|
|
|
expect(user.username).toBe(userinfo.sub);
|
|
|
|
|
|
expect(createUser).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.objectContaining({ username: userinfo.sub }),
|
2025-05-30 22:18:13 -04:00
|
|
|
|
{ enabled: false },
|
2025-02-03 16:57:49 +01:00
|
|
|
|
true,
|
|
|
|
|
|
true,
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
it('should set the full name correctly when given_name and family_name exist', async () => {
|
|
|
|
|
|
// Arrange
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = tokenset.claims();
|
2025-02-03 16:57:49 +01:00
|
|
|
|
const expectedFullName = `${userinfo.given_name} ${userinfo.family_name}`;
|
2024-10-27 11:41:48 -04:00
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user.name).toBe(expectedFullName);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should override full name with OPENID_NAME_CLAIM when set', async () => {
|
|
|
|
|
|
// Arrange – use the name claim as the full name
|
|
|
|
|
|
process.env.OPENID_NAME_CLAIM = 'name';
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = { ...tokenset.claims(), name: 'Custom Name' };
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate({ ...tokenset, claims: () => userinfo });
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user.name).toBe('Custom Name');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should update an existing user on login', async () => {
|
2025-08-11 18:49:34 -04:00
|
|
|
|
// Arrange – simulate that a user already exists with openid provider
|
2025-02-03 16:57:49 +01:00
|
|
|
|
const existingUser = {
|
|
|
|
|
|
_id: 'existingUserId',
|
2025-08-11 18:49:34 -04:00
|
|
|
|
provider: 'openid',
|
2025-05-22 14:19:24 +02:00
|
|
|
|
email: tokenset.claims().email,
|
2025-02-03 16:57:49 +01:00
|
|
|
|
openidId: '',
|
|
|
|
|
|
username: '',
|
|
|
|
|
|
name: '',
|
|
|
|
|
|
};
|
|
|
|
|
|
findUser.mockImplementation(async (query) => {
|
2025-09-23 14:46:53 -04:00
|
|
|
|
if (query.openidId === tokenset.claims().sub || query.email === tokenset.claims().email) {
|
2025-02-03 16:57:49 +01:00
|
|
|
|
return existingUser;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = tokenset.claims();
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – updateUser should be called and the user object updated
|
2025-02-03 16:08:34 -05:00
|
|
|
|
expect(updateUser).toHaveBeenCalledWith(
|
|
|
|
|
|
existingUser._id,
|
|
|
|
|
|
expect.objectContaining({
|
|
|
|
|
|
provider: 'openid',
|
2025-05-22 14:19:24 +02:00
|
|
|
|
openidId: userinfo.sub,
|
2025-07-30 14:43:42 -04:00
|
|
|
|
username: userinfo.preferred_username,
|
2025-05-22 14:19:24 +02:00
|
|
|
|
name: `${userinfo.given_name} ${userinfo.family_name}`,
|
2025-02-03 16:08:34 -05:00
|
|
|
|
}),
|
|
|
|
|
|
);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
});
|
|
|
|
|
|
|
2025-08-11 18:49:34 -04:00
|
|
|
|
it('should block login when email exists with different provider', async () => {
|
|
|
|
|
|
// Arrange – simulate that a user exists with same email but different provider
|
|
|
|
|
|
const existingUser = {
|
|
|
|
|
|
_id: 'existingUserId',
|
|
|
|
|
|
provider: 'google',
|
|
|
|
|
|
email: tokenset.claims().email,
|
|
|
|
|
|
googleId: 'some-google-id',
|
|
|
|
|
|
username: 'existinguser',
|
|
|
|
|
|
name: 'Existing User',
|
|
|
|
|
|
};
|
|
|
|
|
|
findUser.mockImplementation(async (query) => {
|
|
|
|
|
|
if (query.email === tokenset.claims().email && !query.provider) {
|
|
|
|
|
|
return existingUser;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const result = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert – verify that the strategy rejects login
|
|
|
|
|
|
expect(result.user).toBe(false);
|
|
|
|
|
|
expect(result.details.message).toBe(ErrorTypes.AUTH_FAILED);
|
|
|
|
|
|
expect(createUser).not.toHaveBeenCalled();
|
|
|
|
|
|
expect(updateUser).not.toHaveBeenCalled();
|
|
|
|
|
|
});
|
|
|
|
|
|
|
2025-02-03 16:57:49 +01:00
|
|
|
|
it('should enforce the required role and reject login if missing', async () => {
|
|
|
|
|
|
// Arrange – simulate a token without the required role.
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['SomeOtherRole'],
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user, details } = await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – verify that the strategy rejects login
|
|
|
|
|
|
expect(user).toBe(false);
|
2025-09-23 16:39:34 +02:00
|
|
|
|
expect(details.message).toBe('You must have "requiredRole" role to log in.');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should allow login when single required role is present (backward compatibility)', async () => {
|
|
|
|
|
|
// Arrange – ensure single role configuration (as set in beforeEach)
|
|
|
|
|
|
// OPENID_REQUIRED_ROLE = 'requiredRole'
|
|
|
|
|
|
// Default jwtDecode mock in beforeEach already returns this role
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole', 'anotherRole'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert – verify that login succeeds with single role configuration
|
|
|
|
|
|
expect(user).toBeTruthy();
|
|
|
|
|
|
expect(user.email).toBe(tokenset.claims().email);
|
|
|
|
|
|
expect(user.username).toBe(tokenset.claims().preferred_username);
|
|
|
|
|
|
expect(createUser).toHaveBeenCalled();
|
2024-10-27 11:41:48 -04:00
|
|
|
|
});
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
it('should attempt to download and save the avatar if picture is provided', async () => {
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const { user } = await validate(tokenset);
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – verify that download was attempted and the avatar field was set via updateUser
|
|
|
|
|
|
expect(fetch).toHaveBeenCalled();
|
|
|
|
|
|
// Our mock getStrategyFunctions.saveBuffer returns '/fake/path/to/avatar.png'
|
|
|
|
|
|
expect(user.avatar).toBe('/fake/path/to/avatar.png');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should not attempt to download avatar if picture is not provided', async () => {
|
|
|
|
|
|
// Arrange – remove picture
|
2025-05-22 14:19:24 +02:00
|
|
|
|
const userinfo = { ...tokenset.claims() };
|
2025-02-03 16:57:49 +01:00
|
|
|
|
delete userinfo.picture;
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
2025-05-22 14:19:24 +02:00
|
|
|
|
await validate({ ...tokenset, claims: () => userinfo });
|
2025-02-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
|
|
// Assert – fetch should not be called and avatar should remain undefined or empty
|
|
|
|
|
|
expect(fetch).not.toHaveBeenCalled();
|
|
|
|
|
|
// Depending on your implementation, user.avatar may be undefined or an empty string.
|
|
|
|
|
|
});
|
2025-05-22 14:19:24 +02:00
|
|
|
|
|
2025-09-23 16:39:34 +02:00
|
|
|
|
it('should support comma-separated multiple roles', async () => {
|
|
|
|
|
|
// Arrange
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'someRole,anotherRole,admin';
|
|
|
|
|
|
await setupOpenId(); // Re-initialize the strategy
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['anotherRole', 'aThirdRole'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user).toBeTruthy();
|
|
|
|
|
|
expect(user.email).toBe(tokenset.claims().email);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should reject login when user has none of the required multiple roles', async () => {
|
|
|
|
|
|
// Arrange
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'someRole,anotherRole,admin';
|
|
|
|
|
|
await setupOpenId(); // Re-initialize the strategy
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['aThirdRole', 'aFourthRole'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const { user, details } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user).toBe(false);
|
|
|
|
|
|
expect(details.message).toBe(
|
|
|
|
|
|
'You must have one of: "someRole", "anotherRole", "admin" role to log in.',
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should handle spaces in comma-separated roles', async () => {
|
|
|
|
|
|
// Arrange
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = ' someRole , anotherRole , admin ';
|
|
|
|
|
|
await setupOpenId(); // Re-initialize the strategy
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['someRole'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
expect(user).toBeTruthy();
|
|
|
|
|
|
});
|
|
|
|
|
|
|
2025-05-22 14:19:24 +02:00
|
|
|
|
it('should default to usePKCE false when OPENID_USE_PKCE is not defined', async () => {
|
|
|
|
|
|
const OpenIDStrategy = require('openid-client/passport').Strategy;
|
|
|
|
|
|
|
|
|
|
|
|
delete process.env.OPENID_USE_PKCE;
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
|
|
|
|
|
|
const callOptions = OpenIDStrategy.mock.calls[OpenIDStrategy.mock.calls.length - 1][0];
|
|
|
|
|
|
expect(callOptions.usePKCE).toBe(false);
|
|
|
|
|
|
expect(callOptions.params?.code_challenge_method).toBeUndefined();
|
|
|
|
|
|
});
|
2025-10-09 08:35:22 +01:00
|
|
|
|
|
🆔 feat: Add OpenID Connect Federated Provider Token Support (#9931)
* feat: Add OpenID Connect federated provider token support
Implements support for passing federated provider tokens (Cognito, Azure AD, Auth0)
as variables in LibreChat's librechat.yaml configuration for both custom endpoints
and MCP servers.
Features:
- New LIBRECHAT_OPENID_* template variables for federated provider tokens
- JWT claims parsing from ID tokens without verification (for claim extraction)
- Token validation with expiration checking
- Support for multiple token storage locations (federatedTokens, openidTokens)
- Integration with existing template variable system
- Comprehensive test suite with Cognito-specific scenarios
- Provider-agnostic design supporting Cognito, Azure AD, Auth0, etc.
Security:
- Server-side only token processing
- Automatic token expiration validation
- Graceful fallbacks for missing/invalid tokens
- No client-side token exposure
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: Add federated token propagation to OIDC authentication strategies
Adds federatedTokens object to user during authentication to enable
federated provider token template variables in LibreChat configuration.
Changes:
- OpenID JWT Strategy: Extract raw JWT from Authorization header and
attach as federatedTokens.access_token to enable {{LIBRECHAT_OPENID_TOKEN}}
placeholder resolution
- OpenID Strategy: Attach tokenset tokens as federatedTokens object to
standardize token access across both authentication strategies
This enables proper token propagation for custom endpoints and MCP
servers that require federated provider tokens for authorization.
Resolves missing token issue reported by @ramden in PR #9931
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Denis Ramic <denis.ramic@nfon.com>
Co-Authored-By: Claude <noreply@anthropic.com>
* test: Add federatedTokens validation tests for OIDC strategies
Adds comprehensive test coverage for the federated token propagation
feature implemented in the authentication strategies.
Tests added:
- Verify federatedTokens object is attached to user with correct structure
(access_token, refresh_token, expires_at)
- Verify both tokenset and federatedTokens are present in user object
- Ensure tokens from OIDC provider are correctly propagated
Also fixes existing test suite by adding missing mocks:
- isEmailDomainAllowed function mock
- findOpenIDUser function mock
These tests validate the fix from commit 5874ba29f that enables
{{LIBRECHAT_OPENID_TOKEN}} template variable functionality.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* docs: Remove implementation documentation file
The PR description already contains all necessary implementation details.
This documentation file is redundant and was requested to be removed.
* fix: skip s256 check
* fix(openid): handle missing refresh token in Cognito token refresh response
When OPENID_REUSE_TOKENS=true, the token refresh flow was failing because
Cognito (and most OAuth providers) don't return a new refresh token in the
refresh grant response - they only return new access and ID tokens.
Changes:
- Modified setOpenIDAuthTokens() to accept optional existingRefreshToken parameter
- Updated validation to only require access_token (refresh_token now optional)
- Added logic to reuse existing refresh token when not provided in tokenset
- Updated refreshController to pass original refresh token as fallback
- Added comments explaining standard OAuth 2.0 refresh token behavior
This fixes the "Token is not present. User is not authenticated." error that
occurred during silent token refresh with Cognito as the OpenID provider.
Fixes: Authentication loop with OPENID_REUSE_TOKENS=true and AWS Cognito
* fix(openid): extract refresh token from cookies for template variable replacement
When OPENID_REUSE_TOKENS=true, the openIdJwtStrategy populates user.federatedTokens
to enable template variable replacement (e.g., {{LIBRECHAT_OPENID_ACCESS_TOKEN}}).
However, the refresh_token field was incorrectly sourced from payload.refresh_token,
which is always undefined because:
1. JWTs don't contain refresh tokens in their payload
2. The JWT itself IS the access token
3. Refresh tokens are separate opaque tokens stored in HTTP-only cookies
This caused extractOpenIDTokenInfo() to receive incomplete federatedTokens,
resulting in template variables remaining unreplaced in headers.
**Root Cause:**
- Line 90: `refresh_token: payload.refresh_token` (always undefined)
- JWTs only contain access token data in their claims
- Refresh tokens are separate, stored securely in cookies
**Solution:**
- Import `cookie` module to parse cookies from request
- Extract refresh token from `refreshToken` cookie
- Populate federatedTokens with both access token (JWT) and refresh token (from cookie)
**Impact:**
- Template variables like {{LIBRECHAT_OPENID_ACCESS_TOKEN}} now work correctly
- Headers in librechat.yaml are properly replaced with actual tokens
- MCP server authentication with federated tokens now functional
**Technical Details:**
- passReqToCallback=true in JWT strategy provides req object access
- Refresh token extracted via cookies.parse(req.headers.cookie).refreshToken
- Falls back gracefully if cookie header or refreshToken is missing
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: re-resolve headers on each request to pick up fresh federatedTokens
- OpenAIClient now re-resolves headers in chatCompletion() before each API call
- This ensures template variables like {{LIBRECHAT_OPENID_TOKEN}} are replaced
with actual token values from req.user.federatedTokens
- initialize.js now stores original template headers instead of pre-resolved ones
- Fixes template variable replacement when OPENID_REUSE_TOKENS=true
The issue was that headers were only resolved once during client initialization,
before openIdJwtStrategy had populated user.federatedTokens. Now headers are
re-resolved on every request with the current user's fresh tokens.
* debug: add logging to track header resolution in OpenAIClient
* debug: log tokenset structure after refresh to diagnose missing access_token
* fix: set federatedTokens on user object after OAuth refresh
- After successful OAuth token refresh, the user object was not being
updated with federatedTokens
- This caused template variable resolution to fail on subsequent requests
- Now sets user.federatedTokens with access_token, id_token, refresh_token
and expires_at from the refreshed tokenset
- Fixes template variables like {{LIBRECHAT_OPENID_TOKEN}} not being
replaced after token refresh
- Related to PR #9931 (OpenID federated token support)
* fix(openid): pass user object through agent chain for template variable resolution
Root cause: buildAgentContext in agents/run.ts called resolveHeaders without
the user parameter, preventing OpenID federated token template variables from
being resolved in agent runtime parameters.
Changes:
- packages/api/src/agents/run.ts: Add user parameter to createRun signature
- packages/api/src/agents/run.ts: Pass user to resolveHeaders in buildAgentContext
- api/server/controllers/agents/client.js: Pass user when calling createRun
- api/server/services/Endpoints/bedrock/options.js: Add resolveHeaders call with debug logging
- api/server/services/Endpoints/custom/initialize.js: Add debug logging
- packages/api/src/utils/env.ts: Add comprehensive debug logging and stack traces
- packages/api/src/utils/oidc.ts: Fix eslint errors (unused type, explicit any)
This ensures template variables like {{LIBRECHAT_OPENID_TOKEN}} and
{{LIBRECHAT_USER_OPENIDID}} are properly resolved in both custom endpoint
headers and Bedrock AgentCore runtime parameters.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* refactor: remove debug logging from OpenID token template feature
Removed excessive debug logging that was added during development to make
the PR more suitable for upstream review:
- Removed 7 debug statements from OpenAIClient.js
- Removed all console.log statements from packages/api/src/utils/env.ts
- Removed debug logging from bedrock/options.js
- Removed debug logging from custom/initialize.js
- Removed debug statement from AuthController.js
This reduces the changeset by ~50 lines while maintaining full functionality
of the OpenID federated token template variable feature.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(openid): add comprehensive unit tests for template variable substitution
- Add 34 unit tests for OIDC token utilities (oidc.spec.ts)
- Test coverage for token extraction, validation, and placeholder processing
- Integration tests for full OpenID token flow
- All tests pass with comprehensive edge case coverage
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
* test: fix OpenID federated tokens test failures
- Add serverMetadata() mock to openid-client mock configuration
* Fixes TypeError in openIdJwtStrategy.js where serverMetadata() was being called
* Mock now returns jwks_uri and end_session_endpoint as expected by the code
- Update outdated initialize.spec.js test
* Remove test expecting resolveHeaders call during initialization
* Header resolution was refactored to be deferred until LLM request time
* Update test to verify options are returned correctly with useLegacyContent flag
Fixes #9931 CI failures for backend unit tests
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* chore: fix package-lock.json conflict
* chore: sync package-log with upstream
* chore: cleanup
* fix: use createSafeUser
* fix: fix createSafeUser signature
* chore: remove comments
* chore: purge comments
* fix: update Jest testPathPattern to testPathPatterns for Jest 30+ compatibility
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Denis Ramic <denis.ramic@nfon.com>
Co-authored-by: kristjanaapro <kristjana@apro.is>
chore: import order and add back JSDoc for OpenID JWT callback
2025-11-21 14:44:52 +00:00
|
|
|
|
it('should attach federatedTokens to user object for token propagation', async () => {
|
|
|
|
|
|
// Arrange - setup tokenset with access token, refresh token, and expiration
|
|
|
|
|
|
const tokensetWithTokens = {
|
|
|
|
|
|
...tokenset,
|
|
|
|
|
|
access_token: 'mock_access_token_abc123',
|
|
|
|
|
|
refresh_token: 'mock_refresh_token_xyz789',
|
|
|
|
|
|
expires_at: 1234567890,
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
// Act - validate with the tokenset containing tokens
|
|
|
|
|
|
const { user } = await validate(tokensetWithTokens);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert - verify federatedTokens object is attached with correct values
|
|
|
|
|
|
expect(user.federatedTokens).toBeDefined();
|
|
|
|
|
|
expect(user.federatedTokens).toEqual({
|
|
|
|
|
|
access_token: 'mock_access_token_abc123',
|
|
|
|
|
|
refresh_token: 'mock_refresh_token_xyz789',
|
|
|
|
|
|
expires_at: 1234567890,
|
|
|
|
|
|
});
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should include tokenset along with federatedTokens', async () => {
|
|
|
|
|
|
// Arrange
|
|
|
|
|
|
const tokensetWithTokens = {
|
|
|
|
|
|
...tokenset,
|
|
|
|
|
|
access_token: 'test_access_token',
|
|
|
|
|
|
refresh_token: 'test_refresh_token',
|
|
|
|
|
|
expires_at: 9999999999,
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const { user } = await validate(tokensetWithTokens);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert - both tokenset and federatedTokens should be present
|
|
|
|
|
|
expect(user.tokenset).toBeDefined();
|
|
|
|
|
|
expect(user.federatedTokens).toBeDefined();
|
|
|
|
|
|
expect(user.tokenset.access_token).toBe('test_access_token');
|
|
|
|
|
|
expect(user.federatedTokens.access_token).toBe('test_access_token');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
2025-10-09 08:35:22 +01:00
|
|
|
|
it('should set role to "ADMIN" if OPENID_ADMIN_ROLE is set and user has that role', async () => {
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert – verify that the user role is set to "ADMIN"
|
|
|
|
|
|
expect(user.role).toBe('ADMIN');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should not set user role if OPENID_ADMIN_ROLE is set but the user does not have that role', async () => {
|
|
|
|
|
|
// Arrange – simulate a token without the admin permission
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
permissions: ['not-admin'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert – verify that the user role is not defined
|
|
|
|
|
|
expect(user.role).toBeUndefined();
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should demote existing admin user when admin role is removed from token', async () => {
|
|
|
|
|
|
// Arrange – simulate an existing user who is currently an admin
|
|
|
|
|
|
const existingAdminUser = {
|
|
|
|
|
|
_id: 'existingAdminId',
|
|
|
|
|
|
provider: 'openid',
|
|
|
|
|
|
email: tokenset.claims().email,
|
|
|
|
|
|
openidId: tokenset.claims().sub,
|
|
|
|
|
|
username: 'adminuser',
|
|
|
|
|
|
name: 'Admin User',
|
|
|
|
|
|
role: 'ADMIN',
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
findUser.mockImplementation(async (query) => {
|
|
|
|
|
|
if (query.openidId === tokenset.claims().sub || query.email === tokenset.claims().email) {
|
|
|
|
|
|
return existingAdminUser;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Token without admin permission
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
permissions: ['not-admin'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
const { logger } = require('@librechat/data-schemas');
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert – verify that the user was demoted
|
|
|
|
|
|
expect(user.role).toBe('USER');
|
|
|
|
|
|
expect(updateUser).toHaveBeenCalledWith(
|
|
|
|
|
|
existingAdminUser._id,
|
|
|
|
|
|
expect.objectContaining({
|
|
|
|
|
|
role: 'USER',
|
|
|
|
|
|
}),
|
|
|
|
|
|
);
|
|
|
|
|
|
expect(logger.info).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.stringContaining('demoted from admin - role no longer present in token'),
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should NOT demote admin user when admin role env vars are not configured', async () => {
|
|
|
|
|
|
// Arrange – remove admin role env vars
|
|
|
|
|
|
delete process.env.OPENID_ADMIN_ROLE;
|
|
|
|
|
|
delete process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH;
|
|
|
|
|
|
delete process.env.OPENID_ADMIN_ROLE_TOKEN_KIND;
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
// Simulate an existing admin user
|
|
|
|
|
|
const existingAdminUser = {
|
|
|
|
|
|
_id: 'existingAdminId',
|
|
|
|
|
|
provider: 'openid',
|
|
|
|
|
|
email: tokenset.claims().email,
|
|
|
|
|
|
openidId: tokenset.claims().sub,
|
|
|
|
|
|
username: 'adminuser',
|
|
|
|
|
|
name: 'Admin User',
|
|
|
|
|
|
role: 'ADMIN',
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
findUser.mockImplementation(async (query) => {
|
|
|
|
|
|
if (query.openidId === tokenset.claims().sub || query.email === tokenset.claims().email) {
|
|
|
|
|
|
return existingAdminUser;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert – verify that the admin user was NOT demoted
|
|
|
|
|
|
expect(user.role).toBe('ADMIN');
|
|
|
|
|
|
expect(updateUser).toHaveBeenCalledWith(
|
|
|
|
|
|
existingAdminUser._id,
|
|
|
|
|
|
expect.objectContaining({
|
|
|
|
|
|
role: 'ADMIN',
|
|
|
|
|
|
}),
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
describe('lodash get - nested path extraction', () => {
|
|
|
|
|
|
it('should extract roles from deeply nested token path', async () => {
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'app-user';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'resource_access.my-client.roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
resource_access: {
|
|
|
|
|
|
'my-client': {
|
|
|
|
|
|
roles: ['app-user', 'viewer'],
|
|
|
|
|
|
},
|
|
|
|
|
|
},
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(user).toBeTruthy();
|
|
|
|
|
|
expect(user.email).toBe(tokenset.claims().email);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should extract roles from three-level nested path', async () => {
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'editor';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'data.access.permissions.roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
data: {
|
|
|
|
|
|
access: {
|
|
|
|
|
|
permissions: {
|
|
|
|
|
|
roles: ['editor', 'reader'],
|
|
|
|
|
|
},
|
|
|
|
|
|
},
|
|
|
|
|
|
},
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(user).toBeTruthy();
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should log error and reject login when required role path does not exist in token', async () => {
|
|
|
|
|
|
const { logger } = require('@librechat/data-schemas');
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'app-user';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'resource_access.nonexistent.roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
resource_access: {
|
|
|
|
|
|
'my-client': {
|
|
|
|
|
|
roles: ['app-user'],
|
|
|
|
|
|
},
|
|
|
|
|
|
},
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user, details } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(logger.error).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.stringContaining(
|
|
|
|
|
|
"Key 'resource_access.nonexistent.roles' not found or invalid type in id token!",
|
|
|
|
|
|
),
|
|
|
|
|
|
);
|
|
|
|
|
|
expect(user).toBe(false);
|
|
|
|
|
|
expect(details.message).toContain('role to log in');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should handle missing intermediate nested path gracefully', async () => {
|
|
|
|
|
|
const { logger } = require('@librechat/data-schemas');
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'user';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'org.team.roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
org: {
|
|
|
|
|
|
other: 'value',
|
|
|
|
|
|
},
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(logger.error).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.stringContaining("Key 'org.team.roles' not found or invalid type in id token!"),
|
|
|
|
|
|
);
|
|
|
|
|
|
expect(user).toBe(false);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should extract admin role from nested path in access token', async () => {
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE = 'admin';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH = 'realm_access.roles';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_TOKEN_KIND = 'access';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockImplementation((token) => {
|
|
|
|
|
|
if (token === 'fake_access_token') {
|
|
|
|
|
|
return {
|
|
|
|
|
|
realm_access: {
|
|
|
|
|
|
roles: ['admin', 'user'],
|
|
|
|
|
|
},
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
|
|
|
|
|
return {
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
};
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(user.role).toBe('ADMIN');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should extract admin role from nested path in userinfo', async () => {
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE = 'admin';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH = 'organization.permissions';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_TOKEN_KIND = 'userinfo';
|
|
|
|
|
|
|
|
|
|
|
|
const userinfoWithNestedGroups = {
|
|
|
|
|
|
...tokenset.claims(),
|
|
|
|
|
|
organization: {
|
|
|
|
|
|
permissions: ['admin', 'write'],
|
|
|
|
|
|
},
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
require('openid-client').fetchUserInfo.mockResolvedValue({
|
|
|
|
|
|
organization: {
|
|
|
|
|
|
permissions: ['admin', 'write'],
|
|
|
|
|
|
},
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate({
|
|
|
|
|
|
...tokenset,
|
|
|
|
|
|
claims: () => userinfoWithNestedGroups,
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
expect(user.role).toBe('ADMIN');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should handle boolean admin role value', async () => {
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE = 'admin';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH = 'is_admin';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
is_admin: true,
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(user.role).toBe('ADMIN');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should handle string admin role value matching exactly', async () => {
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE = 'super-admin';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH = 'role';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
role: 'super-admin',
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(user.role).toBe('ADMIN');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should not set admin role when string value does not match', async () => {
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE = 'super-admin';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH = 'role';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
role: 'regular-user',
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(user.role).toBeUndefined();
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should handle array admin role value', async () => {
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE = 'site-admin';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH = 'app_roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
app_roles: ['user', 'site-admin', 'moderator'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(user.role).toBe('ADMIN');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should not set admin when role is not in array', async () => {
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE = 'site-admin';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH = 'app_roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole'],
|
|
|
|
|
|
app_roles: ['user', 'moderator'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(user.role).toBeUndefined();
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should handle nested path with special characters in keys', async () => {
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'app-user';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'resource_access.my-app-123.roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
resource_access: {
|
|
|
|
|
|
'my-app-123': {
|
|
|
|
|
|
roles: ['app-user'],
|
|
|
|
|
|
},
|
|
|
|
|
|
},
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(user).toBeTruthy();
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should handle empty object at nested path', async () => {
|
|
|
|
|
|
const { logger } = require('@librechat/data-schemas');
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'user';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'access.roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
access: {},
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(logger.error).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.stringContaining("Key 'access.roles' not found or invalid type in id token!"),
|
|
|
|
|
|
);
|
|
|
|
|
|
expect(user).toBe(false);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should handle null value at intermediate path', async () => {
|
|
|
|
|
|
const { logger } = require('@librechat/data-schemas');
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'user';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'data.roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
data: null,
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(logger.error).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.stringContaining("Key 'data.roles' not found or invalid type in id token!"),
|
|
|
|
|
|
);
|
|
|
|
|
|
expect(user).toBe(false);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should reject login with invalid admin role token kind', async () => {
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE = 'admin';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH = 'roles';
|
|
|
|
|
|
process.env.OPENID_ADMIN_ROLE_TOKEN_KIND = 'invalid';
|
|
|
|
|
|
|
|
|
|
|
|
const { logger } = require('@librechat/data-schemas');
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: ['requiredRole', 'admin'],
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
await expect(validate(tokenset)).rejects.toThrow('Invalid admin role token kind');
|
|
|
|
|
|
|
|
|
|
|
|
expect(logger.error).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.stringContaining(
|
|
|
|
|
|
"Invalid admin role token kind: invalid. Must be one of 'access', 'id', or 'userinfo'",
|
|
|
|
|
|
),
|
|
|
|
|
|
);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should reject login when roles path returns invalid type (object)', async () => {
|
|
|
|
|
|
const { logger } = require('@librechat/data-schemas');
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'app-user';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'roles';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roles: { admin: true, user: false },
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user, details } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(logger.error).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.stringContaining("Key 'roles' not found or invalid type in id token!"),
|
|
|
|
|
|
);
|
|
|
|
|
|
expect(user).toBe(false);
|
|
|
|
|
|
expect(details.message).toContain('role to log in');
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
it('should reject login when roles path returns invalid type (number)', async () => {
|
|
|
|
|
|
const { logger } = require('@librechat/data-schemas');
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE = 'user';
|
|
|
|
|
|
process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'roleCount';
|
|
|
|
|
|
|
|
|
|
|
|
jwtDecode.mockReturnValue({
|
|
|
|
|
|
roleCount: 5,
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
await setupOpenId();
|
|
|
|
|
|
verifyCallback = require('openid-client/passport').__getVerifyCallback();
|
|
|
|
|
|
|
|
|
|
|
|
const { user } = await validate(tokenset);
|
|
|
|
|
|
|
|
|
|
|
|
expect(logger.error).toHaveBeenCalledWith(
|
|
|
|
|
|
expect.stringContaining("Key 'roleCount' not found or invalid type in id token!"),
|
|
|
|
|
|
);
|
|
|
|
|
|
expect(user).toBe(false);
|
|
|
|
|
|
});
|
|
|
|
|
|
});
|
2025-02-03 16:08:34 -05:00
|
|
|
|
});
|