Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-01-13 22:18:51 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

🍪 refactor: Move OpenID Tokens from Cookies to Server-Side Sessions (#11236)

Browse source 
* refactor: OpenID token handling by storing tokens in session to reduce cookie size

* refactor: Improve OpenID user identification logic in logout controller

* refactor: Enhance OpenID logout flow by adding post-logout redirect URI

* refactor: Update logout process to clear additional OpenID user ID cookie
This commit is contained in:
Danny Avila 2026-01-06 15:22:10 -05:00 committed by GitHub
parent 3b41e392ba
commit 348b4a4a32
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 105 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

28
api/server/controllers/AuthController.js
View file

@ -66,14 +66,17 @@ const resetPasswordController = async (req, res) => {
};
const refreshController = async (req, res) => {
const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
const token_provider = req.headers.cookie
? cookies.parse(req.headers.cookie).token_provider
: null;
if (!refreshToken) {
return res.status(200).send('Refresh token not provided');
}
if (token_provider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS) === true) {
const parsedCookies = req.headers.cookie ? cookies.parse(req.headers.cookie) : {};
const token_provider = parsedCookies.token_provider;
if (token_provider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS)) {
/** For OpenID users, read refresh token from session to avoid large cookie issues */
const refreshToken = req.session?.openidTokens?.refreshToken || parsedCookies.refreshToken;
if (!refreshToken) {
return res.status(200).send('Refresh token not provided');
}
try {
const openIdConfig = getOpenIdConfig();
const tokenset = await openIdClient.refreshTokenGrant(openIdConfig, refreshToken);
@ -110,7 +113,7 @@ const refreshController = async (req, res) => {
);
}
const token = setOpenIDAuthTokens(tokenset, res, user._id.toString(), refreshToken);
const token = setOpenIDAuthTokens(tokenset, req, res, user._id.toString(), refreshToken);
user.federatedTokens = {
access_token: tokenset.access_token,
@ -125,6 +128,13 @@ const refreshController = async (req, res) => {
return res.status(403).send('Invalid OpenID refresh token');
}
}
/** For non-OpenID users, read refresh token from cookies */
const refreshToken = parsedCookies.refreshToken;
if (!refreshToken) {
return res.status(200).send('Refresh token not provided');
}
try {
const payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
const user = await getUserById(payload.id, '-password -__v -totpSecret -backupCodes');