Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-02-14 14:38:11 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782)

Browse source 
* 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService

  Two independent bugs in `api/server/services/AuthService.js` cause complete
  authentication failure when using `OPENID_REUSE_TOKENS=true` with Microsoft
  Entra ID (or Auth0) on `http://localhost` with `NODE_ENV=production`:

  Bug 1: `secure: isProduction` prevents auth cookies on localhost

  PR #11518 introduced `shouldUseSecureCookie()` in `socialLogins.js` to handle
  the case where `NODE_ENV=production` but the server runs on `http://localhost`.
  However, `AuthService.js` was not updated — it still used `secure: isProduction`
  in 6 cookie locations across `setAuthTokens()` and `setOpenIDAuthTokens()`.

  The `token_provider` cookie being dropped is critical: without it,
  `requireJwtAuth` middleware defaults to the `jwt` strategy instead of
  `openidJwt`, causing all authenticated requests to return 401.

  Bug 2: `setOpenIDAuthTokens()` returns `access_token` instead of `id_token`

  The `openIdJwtStrategy` validates the Bearer token via JWKS. For Entra ID
  without `OPENID_AUDIENCE`, the `access_token` is a Microsoft Graph API token
  (opaque or signed for a different audience), which fails JWKS validation.

  The `id_token` is always a standard JWT signed by the IdP's JWKS keys with
  the app's `client_id` as audience — which is what the strategy expects.
  This is the same root cause as issue #8796 (Auth0 encrypted access tokens).

  Changes:

  - Consolidate `shouldUseSecureCookie()` into `packages/api/src/oauth/csrf.ts`
    as a shared, typed utility exported from `@librechat/api`, replacing the
    duplicate definitions in `AuthService.js` and `socialLogins.js`
  - Move `isProduction` check inside the function body so it is evaluated at
    call time rather than module load time
  - Fix `packages/api/src/oauth/csrf.ts` which also used bare
    `secure: isProduction` for CSRF and session cookies (same localhost bug)
  - Return `tokenset.id_token || tokenset.access_token` from
    `setOpenIDAuthTokens()` so JWKS validation works with standard OIDC
    providers; falls back to `access_token` for backward compatibility
  - Add 15 tests for `shouldUseSecureCookie()` covering production/dev modes,
    localhost variants, edge cases, and a documented IPv6 bracket limitation
  - Add 13 tests for `setOpenIDAuthTokens()` covering token selection,
    session storage, cookie secure flag delegation, and edge cases

  Refs: #8796, #11518, #11236, #9931

* chore: Adjust Import Order and Type Definitions in AgentPanel Component

- Reordered imports in `AgentPanel.tsx` for better organization and clarity.
- Updated type imports to ensure proper usage of `FieldNamesMarkedBoolean` and `TranslationKeys`.
- Removed redundant imports to streamline the codebase.
This commit is contained in:
Danny Avila 2026-02-13 10:35:51 -05:00 committed by GitHub
parent 3888dfa489
commit 2e42378b16
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 431 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

9
client/src/components/SidePanel/Agents/AgentPanel.tsx
View file

@ -1,7 +1,7 @@
import { Plus } from 'lucide-react';
import React, { useMemo, useCallback, useRef, useState } from 'react';
import { Plus } from 'lucide-react';
import { Button, useToastContext } from '@librechat/client';
import { useWatch, useForm, FormProvider, type FieldNamesMarkedBoolean } from 'react-hook-form';
import { useWatch, useForm, FormProvider } from 'react-hook-form';
import { useGetModelsQuery } from 'librechat-data-provider/react-query';
import {
Tools,
@ -11,8 +11,10 @@ import {
PermissionBits,
isAssistantsEndpoint,
} from 'librechat-data-provider';
import type { AgentForm, StringOption } from '~/common';
import type { FieldNamesMarkedBoolean } from 'react-hook-form';
import type { Agent } from 'librechat-data-provider';
import type { TranslationKeys } from '~/hooks/useLocalize';
import type { AgentForm, StringOption } from '~/common';
import {
useCreateAgentMutation,
useUpdateAgentMutation,
@ -23,7 +25,6 @@ import {
import { createProviderOption, getDefaultAgentFormValues } from '~/utils';
import { useResourcePermissions } from '~/hooks/useResourcePermissions';
import { useSelectAgent, useLocalize, useAuthContext } from '~/hooks';
import type { TranslationKeys } from '~/hooks/useLocalize';
import { useAgentPanelContext } from '~/Providers/AgentPanelContext';
import AgentPanelSkeleton from './AgentPanelSkeleton';
import AdvancedPanel from './Advanced/AdvancedPanel';