🐛 fix: RAG API failing with OPENID_REUSE_TOKENS Enabled (#8090)

* feat: Implement Short-Lived JWT Token Generation for RAG API * fix: Update import paths * fix: Correct environment variable names for OpenID on behalf flow * fix: Remove unnecessary spaces in OpenID on behalf flow userinfo scope --------- Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
2025-12-18 01:10:14 +01:00 · 2025-06-26 19:10:21 -04:00 · 2025-06-26 19:10:21 -04:00 · 452151e408
commit 452151e408
parent 33b4a97b42
7 changed files with 33 additions and 14 deletions
--- a/api/server/services/AuthService.js
+++ b/api/server/services/AuthService.js
@ -1,4 +1,5 @@
 const bcrypt = require('bcryptjs');
+const jwt = require('jsonwebtoken');
 const { webcrypto } = require('node:crypto');
 const { isEnabled } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
@ -499,6 +500,18 @@ const resendVerificationEmail = async (req) => {
    };
  }
 };
+/**
+ * Generate a short-lived JWT token
+ * @param {String} userId - The ID of the user
+ * @param {String} [expireIn='5m'] - The expiration time for the token (default is 5 minutes)
+ * @returns {String} - The generated JWT token
+ */
+const generateShortLivedToken = (userId, expireIn = '5m') => {
+  return jwt.sign({ id: userId }, process.env.JWT_SECRET, {
+    expiresIn: expireIn,
+    algorithm: 'HS256',
+  });
+};

 module.exports = {
  logoutUser,
@ -506,7 +519,8 @@ module.exports = {
  registerUser,
  setAuthTokens,
  resetPassword,
+  setOpenIDAuthTokens,
  requestPasswordReset,
  resendVerificationEmail,
-  setOpenIDAuthTokens,
+  generateShortLivedToken,
 };
--- a/api/server/services/Files/Local/crud.js
+++ b/api/server/services/Files/Local/crud.js
@ -1,10 +1,11 @@
 const fs = require('fs');
 const path = require('path');
 const axios = require('axios');
+const { logger } = require('@librechat/data-schemas');
 const { EModelEndpoint } = require('librechat-data-provider');
+const { generateShortLivedToken } = require('~/server/services/AuthService');
 const { getBufferMetadata } = require('~/server/utils');
 const paths = require('~/config/paths');
-const { logger } = require('~/config');

 /**
 * Saves a file to a specified output path with a new filename.
@ -206,7 +207,7 @@ const deleteLocalFile = async (req, file) => {
  const cleanFilepath = file.filepath.split('?')[0];

  if (file.embedded && process.env.RAG_API_URL) {
-    const jwtToken = req.headers.authorization.split(' ')[1];
+    const jwtToken = generateShortLivedToken(req.user.id);
    axios.delete(`${process.env.RAG_API_URL}/documents`, {
      headers: {
        Authorization: `Bearer ${jwtToken}`,
--- a/api/server/services/Files/VectorDB/crud.js
+++ b/api/server/services/Files/VectorDB/crud.js
@ -4,6 +4,7 @@ const FormData = require('form-data');
 const { logAxiosError } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const { FileSources } = require('librechat-data-provider');
+const { generateShortLivedToken } = require('~/server/services/AuthService');

 /**
 * Deletes a file from the vector database. This function takes a file object, constructs the full path, and
@ -23,7 +24,8 @@ const deleteVectors = async (req, file) => {
    return;
  }
  try {
-    const jwtToken = req.headers.authorization.split(' ')[1];
+    const jwtToken = generateShortLivedToken(req.user.id);
+
    return await axios.delete(`${process.env.RAG_API_URL}/documents`, {
      headers: {
        Authorization: `Bearer ${jwtToken}`,
@ -70,7 +72,7 @@ async function uploadVectors({ req, file, file_id, entity_id }) {
  }

  try {
-    const jwtToken = req.headers.authorization.split(' ')[1];
+    const jwtToken = generateShortLivedToken(req.user.id);
    const formData = new FormData();
    formData.append('file_id', file_id);
    formData.append('file', fs.createReadStream(file.path));