🍪 refactor: Move OpenID Tokens from Cookies to Server-Side Sessions (#11236)

* refactor: OpenID token handling by storing tokens in session to reduce cookie size * refactor: Improve OpenID user identification logic in logout controller * refactor: Enhance OpenID logout flow by adding post-logout redirect URI * refactor: Update logout process to clear additional OpenID user ID cookie
2026-01-18 08:25:30 +01:00 · 2026-01-06 15:22:10 -05:00 · 2026-01-06 15:22:10 -05:00 · 348b4a4a32
commit 348b4a4a32
parent 3b41e392ba
8 changed files with 105 additions and 38 deletions
--- a/api/server/services/AuthService.js
+++ b/api/server/services/AuthService.js
@ -411,14 +411,17 @@ const setAuthTokens = async (userId, res, _session = null) => {
 /**
 * @function setOpenIDAuthTokens
 * Set OpenID Authentication Tokens
- * //type tokenset from openid-client
+ * Stores tokens server-side in express-session to avoid large cookie sizes
+ * that can exceed HTTP/2 header limits (especially for users with many group memberships).
+ *
 * @param {import('openid-client').TokenEndpointResponse & import('openid-client').TokenEndpointResponseHelpers} tokenset
 * - The tokenset object containing access and refresh tokens
+ * @param {Object} req - request object (for session access)
 * @param {Object} res - response object
 * @param {string} [userId] - Optional MongoDB user ID for image path validation
 * @returns {String} - access token
 */
-const setOpenIDAuthTokens = (tokenset, res, userId, existingRefreshToken) => {
+const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) => {
  try {
    if (!tokenset) {
      logger.error('[setOpenIDAuthTokens] No tokenset found in request');
@ -445,18 +448,30 @@ const setOpenIDAuthTokens = (tokenset, res, userId, existingRefreshToken) => {
      return;
    }

-    res.cookie('refreshToken', refreshToken, {
-      expires: expirationDate,
-      httpOnly: true,
-      secure: isProduction,
-      sameSite: 'strict',
-    });
-    res.cookie('openid_access_token', tokenset.access_token, {
-      expires: expirationDate,
-      httpOnly: true,
-      secure: isProduction,
-      sameSite: 'strict',
-    });
+    /** Store tokens server-side in session to avoid large cookies */
+    if (req.session) {
+      req.session.openidTokens = {
+        accessToken: tokenset.access_token,
+        refreshToken: refreshToken,
+        expiresAt: expirationDate.getTime(),
+      };
+    } else {
+      logger.warn('[setOpenIDAuthTokens] No session available, falling back to cookies');
+      res.cookie('refreshToken', refreshToken, {
+        expires: expirationDate,
+        httpOnly: true,
+        secure: isProduction,
+        sameSite: 'strict',
+      });
+      res.cookie('openid_access_token', tokenset.access_token, {
+        expires: expirationDate,
+        httpOnly: true,
+        secure: isProduction,
+        sameSite: 'strict',
+      });
+    }
+
+    /** Small cookie to indicate token provider (required for auth middleware) */
    res.cookie('token_provider', 'openid', {
      expires: expirationDate,
      httpOnly: true,