🔒 fix: Provider Validation for Social, OpenID, SAML, and LDAP Logins (#8999)

* fix: social login provider crossover

* feat: Enhance OpenID login handling and add tests for provider validation

* refactor: authentication error handling to use ErrorTypes.AUTH_FAILED enum

* refactor: update authentication error handling in LDAP and SAML strategies to use ErrorTypes.AUTH_FAILED enum

* ci: Add validation for login with existing email and different provider in SAML strategy

chore: Add logging for existing users with different providers in LDAP, SAML, and Social Login strategies

api/strategies/ldapStrategy.js

@@ -1,10 +1,10 @@
 const fs = require('fs');
+const { isEnabled } = require('@librechat/api');
 const LdapStrategy = require('passport-ldapauth');
-const { SystemRoles } = require('librechat-data-provider');
 const { logger } = require('@librechat/data-schemas');
+const { SystemRoles, ErrorTypes } = require('librechat-data-provider');
 const { createUser, findUser, updateUser, countUsers } = require('~/models');
 const { getBalanceConfig } = require('~/server/services/Config');
-const { isEnabled } = require('~/server/utils');
 
 const {
   LDAP_URL,
@@ -90,6 +90,14 @@ const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
       (LDAP_ID && userinfo[LDAP_ID]) || userinfo.uid || userinfo.sAMAccountName || userinfo.mail;
 
     let user = await findUser({ ldapId });
+    if (user && user.provider !== 'ldap') {
+      logger.info(
+        `[ldapStrategy] User ${user.email} already exists with provider ${user.provider}`,
+      );
+      return done(null, false, {
+        message: ErrorTypes.AUTH_FAILED,
+      });
+    }
 
     const fullNameAttributes = LDAP_FULL_NAME && LDAP_FULL_NAME.split(',');
     const fullName =

api/strategies/openidStrategy.js

@@ -3,9 +3,9 @@ const fetch = require('node-fetch');
 const passport = require('passport');
 const client = require('openid-client');
 const jwtDecode = require('jsonwebtoken/decode');
-const { CacheKeys } = require('librechat-data-provider');
 const { HttpsProxyAgent } = require('https-proxy-agent');
 const { hashToken, logger } = require('@librechat/data-schemas');
+const { CacheKeys, ErrorTypes } = require('librechat-data-provider');
 const { Strategy: OpenIDStrategy } = require('openid-client/passport');
 const { isEnabled, safeStringify, logHeaders } = require('@librechat/api');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
@@ -320,6 +320,14 @@ async function setupOpenId() {
               } for openidId: ${claims.sub}`,
             );
           }
+          if (user != null && user.provider !== 'openid') {
+            logger.info(
+              `[openidStrategy] Attempted OpenID login by user ${user.email}, was registered with "${user.provider}" provider`,
+            );
+            return done(null, false, {
+              message: ErrorTypes.AUTH_FAILED,
+            });
+          }
           const userinfo = {
             ...claims,
             ...(await getUserInfo(openidConfig, tokenset.access_token, claims.sub)),

api/strategies/openidStrategy.spec.js

@@ -1,7 +1,8 @@
 const fetch = require('node-fetch');
 const jwtDecode = require('jsonwebtoken/decode');
-const { setupOpenId } = require('./openidStrategy');
+const { ErrorTypes } = require('librechat-data-provider');
 const { findUser, createUser, updateUser } = require('~/models');
+const { setupOpenId } = require('./openidStrategy');
 
 // --- Mocks ---
 jest.mock('node-fetch');
@@ -50,7 +51,7 @@ jest.mock('openid-client', () => {
       issuer: 'https://fake-issuer.com',
       // Add any other properties needed by the implementation
     }),
-    fetchUserInfo: jest.fn().mockImplementation((config, accessToken, sub) => {
+    fetchUserInfo: jest.fn().mockImplementation(() => {
       // Only return additional properties, but don't override any claims
       return Promise.resolve({});
     }),
@@ -261,17 +262,20 @@ describe('setupOpenId', () => {
   });
 
   it('should update an existing user on login', async () => {
-    // Arrange – simulate that a user already exists
+    // Arrange – simulate that a user already exists with openid provider
     const existingUser = {
       _id: 'existingUserId',
-      provider: 'local',
+      provider: 'openid',
       email: tokenset.claims().email,
       openidId: '',
       username: '',
       name: '',
     };
     findUser.mockImplementation(async (query) => {
-      if (query.openidId === tokenset.claims().sub || query.email === tokenset.claims().email) {
+      if (
+        query.openidId === tokenset.claims().sub ||
+        (query.email === tokenset.claims().email && query.provider === 'openid')
+      ) {
         return existingUser;
       }
       return null;
@@ -294,12 +298,38 @@ describe('setupOpenId', () => {
     );
   });
 
+  it('should block login when email exists with different provider', async () => {
+    // Arrange – simulate that a user exists with same email but different provider
+    const existingUser = {
+      _id: 'existingUserId',
+      provider: 'google',
+      email: tokenset.claims().email,
+      googleId: 'some-google-id',
+      username: 'existinguser',
+      name: 'Existing User',
+    };
+    findUser.mockImplementation(async (query) => {
+      if (query.email === tokenset.claims().email && !query.provider) {
+        return existingUser;
+      }
+      return null;
+    });
+
+    // Act
+    const result = await validate(tokenset);
+
+    // Assert – verify that the strategy rejects login
+    expect(result.user).toBe(false);
+    expect(result.details.message).toBe(ErrorTypes.AUTH_FAILED);
+    expect(createUser).not.toHaveBeenCalled();
+    expect(updateUser).not.toHaveBeenCalled();
+  });
+
   it('should enforce the required role and reject login if missing', async () => {
     // Arrange – simulate a token without the required role.
     jwtDecode.mockReturnValue({
       roles: ['SomeOtherRole'],
     });
-    const userinfo = tokenset.claims();
 
     // Act
     const { user, details } = await validate(tokenset);
@@ -310,9 +340,6 @@ describe('setupOpenId', () => {
   });
 
   it('should attempt to download and save the avatar if picture is provided', async () => {
-    // Arrange – ensure userinfo contains a picture URL
-    const userinfo = tokenset.claims();
-
     // Act
     const { user } = await validate(tokenset);
 

api/strategies/samlStrategy.js

@@ -2,6 +2,7 @@ const fs = require('fs');
 const path = require('path');
 const fetch = require('node-fetch');
 const passport = require('passport');
+const { ErrorTypes } = require('librechat-data-provider');
 const { hashToken, logger } = require('@librechat/data-schemas');
 const { Strategy: SamlStrategy } = require('@node-saml/passport-saml');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
@@ -203,6 +204,15 @@ async function setupSaml() {
             );
           }
 
+          if (user && user.provider !== 'saml') {
+            logger.info(
+              `[samlStrategy] User ${user.email} already exists with provider ${user.provider}`,
+            );
+            return done(null, false, {
+              message: ErrorTypes.AUTH_FAILED,
+            });
+          }
+
           const fullName = getFullName(profile);
 
           const username = convertToUsername(

api/strategies/samlStrategy.spec.js

@@ -378,11 +378,11 @@ u7wlOSk+oFzDIO/UILIA
   });
 
   it('should update an existing user on login', async () => {
-    // Set up findUser to return an existing user
+    // Set up findUser to return an existing user with saml provider
     const { findUser } = require('~/models');
     const existingUser = {
       _id: 'existing-user-id',
-      provider: 'local',
+      provider: 'saml',
       email: baseProfile.email,
       samlId: '',
       username: 'oldusername',
@@ -400,6 +400,26 @@ u7wlOSk+oFzDIO/UILIA
     expect(user.email).toBe(baseProfile.email);
   });
 
+  it('should block login when email exists with different provider', async () => {
+    // Set up findUser to return a user with different provider
+    const { findUser } = require('~/models');
+    const existingUser = {
+      _id: 'existing-user-id',
+      provider: 'google',
+      email: baseProfile.email,
+      googleId: 'some-google-id',
+      username: 'existinguser',
+      name: 'Existing User',
+    };
+    findUser.mockResolvedValue(existingUser);
+
+    const profile = { ...baseProfile };
+    const result = await validate(profile);
+
+    expect(result.user).toBe(false);
+    expect(result.details.message).toBe(require('librechat-data-provider').ErrorTypes.AUTH_FAILED);
+  });
+
   it('should attempt to download and save the avatar if picture is provided', async () => {
     const profile = { ...baseProfile };
 

api/strategies/socialLogin.js

@@ -1,6 +1,7 @@
+const { isEnabled } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
+const { ErrorTypes } = require('librechat-data-provider');
 const { createSocialUser, handleExistingUser } = require('./process');
-const { isEnabled } = require('~/server/utils');
 const { findUser } = require('~/models');
 
 const socialLogin =
@@ -11,12 +12,20 @@ const socialLogin =
         profile,
       });
 
-      const oldUser = await findUser({ email: email.trim() });
+      const existingUser = await findUser({ email: email.trim() });
       const ALLOW_SOCIAL_REGISTRATION = isEnabled(process.env.ALLOW_SOCIAL_REGISTRATION);
 
-      if (oldUser) {
-        await handleExistingUser(oldUser, avatarUrl);
-        return cb(null, oldUser);
+      if (existingUser?.provider === provider) {
+        await handleExistingUser(existingUser, avatarUrl);
+        return cb(null, existingUser);
+      } else if (existingUser) {
+        logger.info(
+          `[${provider}Login] User ${email} already exists with provider ${existingUser.provider}`,
+        );
+        const error = new Error(ErrorTypes.AUTH_FAILED);
+        error.code = ErrorTypes.AUTH_FAILED;
+        error.provider = existingUser.provider;
+        return cb(error);
       }
 
       if (ALLOW_SOCIAL_REGISTRATION) {