From 278590d0bbf863675dbd0cc31ddfa537de787a1d Mon Sep 17 00:00:00 2001
From: Danny Avila
Date: Wed, 17 Sep 2025 20:43:27 -0400
Subject: [PATCH] refactor: update `processOpenIDAuth` to add a flag for processing existing users only

---
 api/strategies/openidStrategy.js | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
index 687736db9f..3fcbd7ebd9 100644
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@@ -287,18 +287,17 @@ function convertToUsername(input, defaultValue = '') {
  * Can be reused by both the passport strategy and proxy authentication
  *
  * @param {Object} tokenset - The OpenID tokenset containing access_token, id_token, etc.
- * @param {Object} additionalUserinfo - Additional userinfo to merge with token claims
+ * @param {boolean} existingUsersOnly - If true, only existing users will be processed
  * @returns {Promise} The authenticated user object with tokenset
  */
-async function processOpenIDAuth(tokenset, additionalUserinfo = {}) {
+async function processOpenIDAuth(tokenset, existingUsersOnly = false) {
   const claims = tokenset.claims ? tokenset.claims() : tokenset;
   const userinfo = {
     ...claims,
-    ...additionalUserinfo,
   };
 
   // Get userinfo from provider if we have access_token and haven't already
-  if (tokenset.access_token && !additionalUserinfo.sub) {
+  if (tokenset.access_token) {
     const providerUserinfo = await getUserInfo(openidConfig, tokenset.access_token, claims.sub);
     Object.assign(userinfo, providerUserinfo);
   }
@@ -326,7 +325,7 @@ async function processOpenIDAuth(tokenset, additionalUserinfo = {}) {
 
   const fullName = getFullName(userinfo);
 
-  // Check required role if configured
+  /** Required role if configured */
   const requiredRole = process.env.OPENID_REQUIRED_ROLE;
   if (requiredRole) {
     const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
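Review bot: The header comment kept as context at the top of the hunk still says the function is reused by proxy authentication, yet the `additionalUserinfo` parameter that served such a caller is removed, and any caller still passing a userinfo object in the second position would now silently enable `existingUsersOnly`, because an object is truthy. If that caller was updated elsewhere, reword the line to describe the remaining use; otherwise make the consumer of the flag strict, e.g. `if (existingUsersOnly === true && !user)`. The JSDoc should also record the default and the effect, e.g. `@param {boolean} [existingUsersOnly=false] - When true, throw instead of creating a user that is not already stored`. The function body continues past the hunk.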
@@ -375,6 +374,10 @@ async function processOpenIDAuth(tokenset, additionalUserinfo = {}) {
     );
   }
 
+  if (existingUsersOnly && !user) {
+    throw new Error('User does not exist');
+  }
+
   if (!user) {
     user = {
       provider: 'openid',
@@ -442,10 +445,13 @@ async function processOpenIDAuth(tokenset, additionalUserinfo = {}) {
   return { ...user, tokenset };
 }
 
-function createOpenIDCallback() {
+/**
+ * @param {boolean | undefined} [existingUsersOnly]
+ */
+function createOpenIDCallback(existingUsersOnly) {
   return async (tokenset, done) => {
     try {
-      const user = await processOpenIDAuth(tokenset);
+      const user = await processOpenIDAuth(tokenset, existingUsersOnly);
       done(null, user);
     } catch (err) {
       if (err.message === 'Email domain not allowed') {
@@ -481,7 +487,7 @@ const setupOpenIdAdmin = (openidConfig) => {
       clockTolerance: process.env.OPENID_CLOCK_TOLERANCE || 300,
       callbackURL: process.env.DOMAIN_SERVER + '/api/admin/oauth/openid/callback',
     },
-    createOpenIDCallback(),
+    createOpenIDCallback(true),
   );
   passport.use('openidAdmin', openidAdminLogin);
 
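Review bot: The rejection added before `if (!user)` is signalled only by its message string, and the catch in `createOpenIDCallback` (the `-442` hunk) dispatches on `err.message === 'Email domain not allowed'`, so `'User does not exist'` falls through to whatever the rest of that catch does, which lies outside the hunk. Attach a stable code the callback can test instead of adding a second string comparison, e.g. `throw Object.assign(new Error('User does not exist'), { code: 'USER_NOT_FOUND' });` (code name constructed, pick one matching the file's conventions). Whichever path then handles it, the admin login response should not differ observably from the other authentication failures, because a distinct "user does not exist" outcome reveals which identities are provisioned. `processOpenIDAuth` starts and ends outside this hunk.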
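Review bot: `createOpenIDCallback(true)` is a bare positional boolean whose meaning is only discoverable by opening the factory, and the non-admin strategy presumably calls the same factory with no argument, so the two call sites no longer read alike. Since the factory signature is introduced in this commit, an options object, `createOpenIDCallback({ existingUsersOnly: true })`, or a named value at the call site, `const adminExistingUsersOnly = true;`, would state the intent where it is read. `setupOpenIdAdmin` begins before the hunk.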