Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-02-14 22:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782)

Browse source 
* 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService

  Two independent bugs in `api/server/services/AuthService.js` cause complete
  authentication failure when using `OPENID_REUSE_TOKENS=true` with Microsoft
  Entra ID (or Auth0) on `http://localhost` with `NODE_ENV=production`:

  Bug 1: `secure: isProduction` prevents auth cookies on localhost

  PR #11518 introduced `shouldUseSecureCookie()` in `socialLogins.js` to handle
  the case where `NODE_ENV=production` but the server runs on `http://localhost`.
  However, `AuthService.js` was not updated — it still used `secure: isProduction`
  in 6 cookie locations across `setAuthTokens()` and `setOpenIDAuthTokens()`.

  The `token_provider` cookie being dropped is critical: without it,
  `requireJwtAuth` middleware defaults to the `jwt` strategy instead of
  `openidJwt`, causing all authenticated requests to return 401.

  Bug 2: `setOpenIDAuthTokens()` returns `access_token` instead of `id_token`

  The `openIdJwtStrategy` validates the Bearer token via JWKS. For Entra ID
  without `OPENID_AUDIENCE`, the `access_token` is a Microsoft Graph API token
  (opaque or signed for a different audience), which fails JWKS validation.

  The `id_token` is always a standard JWT signed by the IdP's JWKS keys with
  the app's `client_id` as audience — which is what the strategy expects.
  This is the same root cause as issue #8796 (Auth0 encrypted access tokens).

  Changes:

  - Consolidate `shouldUseSecureCookie()` into `packages/api/src/oauth/csrf.ts`
    as a shared, typed utility exported from `@librechat/api`, replacing the
    duplicate definitions in `AuthService.js` and `socialLogins.js`
  - Move `isProduction` check inside the function body so it is evaluated at
    call time rather than module load time
  - Fix `packages/api/src/oauth/csrf.ts` which also used bare
    `secure: isProduction` for CSRF and session cookies (same localhost bug)
  - Return `tokenset.id_token || tokenset.access_token` from
    `setOpenIDAuthTokens()` so JWKS validation works with standard OIDC
    providers; falls back to `access_token` for backward compatibility
  - Add 15 tests for `shouldUseSecureCookie()` covering production/dev modes,
    localhost variants, edge cases, and a documented IPv6 bracket limitation
  - Add 13 tests for `setOpenIDAuthTokens()` covering token selection,
    session storage, cookie secure flag delegation, and edge cases

  Refs: #8796, #11518, #11236, #9931

* chore: Adjust Import Order and Type Definitions in AgentPanel Component

- Reordered imports in `AgentPanel.tsx` for better organization and clarity.
- Updated type imports to ensure proper usage of `FieldNamesMarkedBoolean` and `TranslationKeys`.
- Removed redundant imports to streamline the codebase.
This commit is contained in:
Danny Avila 2026-02-13 10:35:51 -05:00 committed by GitHub
parent 3888dfa489
commit 2e42378b16
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 431 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

34
api/server/socialLogins.js
View file

@ -1,7 +1,7 @@
const passport = require('passport');
const session = require('express-session');
const { isEnabled } = require('@librechat/api');
const { CacheKeys } = require('librechat-data-provider');
const { isEnabled, shouldUseSecureCookie } = require('@librechat/api');
const { logger, DEFAULT_SESSION_EXPIRY } = require('@librechat/data-schemas');
const {
openIdJwtLogin,
@ -15,38 +15,6 @@ const {
} = require('~/strategies');
const { getLogStores } = require('~/cache');
/**
* Determines if secure cookies should be used.
* Only use secure cookies in production when not on localhost.
* @returns {boolean}
*/
function shouldUseSecureCookie() {
const isProduction = process.env.NODE_ENV === 'production';
const domainServer = process.env.DOMAIN_SERVER || '';
let hostname = '';
if (domainServer) {
try {
const normalized = /^https?:\/\//i.test(domainServer)
? domainServer
: `http://${domainServer}`;
const url = new URL(normalized);
hostname = (url.hostname || '').toLowerCase();
} catch {
// Fallback: treat DOMAIN_SERVER directly as a hostname-like string
hostname = domainServer.toLowerCase();
}
}
const isLocalhost =
hostname === 'localhost' ||
hostname === '127.0.0.1' ||
hostname === '::1' ||
hostname.endsWith('.localhost');
return isProduction && !isLocalhost;
}
/**
* Configures OpenID Connect for the application.
* @param {Express.Application} app - The Express application instance.