Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-23 03:40:14 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: update processOpenIDAuth to add a flag for processing existing users only

Browse source
This commit is contained in:
Danny Avila 2025-09-17 20:43:27 -04:00
parent 41a4674469
commit 278590d0bb
No known key found for this signature in database
GPG key ID: BF31EEB2C5CA0956
1 changed files with 14 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

22
api/strategies/openidStrategy.js
View file

@ -287,18 +287,17 @@ function convertToUsername(input, defaultValue = '') {
* Can be reused by both the passport strategy and proxy authentication
*
* @param {Object} tokenset - The OpenID tokenset containing access_token, id_token, etc.
* @param {Object} additionalUserinfo - Additional userinfo to merge with token claims
* @param {boolean} existingUsersOnly - If true, only existing users will be processed
* @returns {Promise<Object>} The authenticated user object with tokenset
*/
async function processOpenIDAuth(tokenset, additionalUserinfo = {}) {
async function processOpenIDAuth(tokenset, existingUsersOnly = false) {
const claims = tokenset.claims ? tokenset.claims() : tokenset;
const userinfo = {
...claims,
...additionalUserinfo,
};
// Get userinfo from provider if we have access_token and haven't already
if (tokenset.access_token && !additionalUserinfo.sub) {
if (tokenset.access_token) {
const providerUserinfo = await getUserInfo(openidConfig, tokenset.access_token, claims.sub);
Object.assign(userinfo, providerUserinfo);
}
@ -326,7 +325,7 @@ async function processOpenIDAuth(tokenset, additionalUserinfo = {}) {
const fullName = getFullName(userinfo);
// Check required role if configured
/** Required role if configured */
const requiredRole = process.env.OPENID_REQUIRED_ROLE;
if (requiredRole) {
const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
@ -375,6 +374,10 @@ async function processOpenIDAuth(tokenset, additionalUserinfo = {}) {
);
}
if (existingUsersOnly && !user) {
throw new Error('User does not exist');
}
if (!user) {
user = {
provider: 'openid',
@ -442,10 +445,13 @@ async function processOpenIDAuth(tokenset, additionalUserinfo = {}) {
return { ...user, tokenset };
}
function createOpenIDCallback() {
/**
* @param {boolean | undefined} [existingUsersOnly]
*/
function createOpenIDCallback(existingUsersOnly) {
return async (tokenset, done) => {
try {
const user = await processOpenIDAuth(tokenset);
const user = await processOpenIDAuth(tokenset, existingUsersOnly);
done(null, user);
} catch (err) {
if (err.message === 'Email domain not allowed') {
@ -481,7 +487,7 @@ const setupOpenIdAdmin = (openidConfig) => {
clockTolerance: process.env.OPENID_CLOCK_TOLERANCE || 300,
callbackURL: process.env.DOMAIN_SERVER + '/api/admin/oauth/openid/callback',
},
createOpenIDCallback(),
createOpenIDCallback(true),
);
passport.use('openidAdmin', openidAdminLogin);