Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-04-18 05:39:05 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

🍪 refactor: Secure Cookie Setting for Localhost OAuth Sessions (#11518)
Some checks failed
Docker Dev Branch Images Build / build (Dockerfile, lc-dev, node) (push) Has been cancelled
Details
Docker Dev Branch Images Build / build (Dockerfile.multi, lc-dev-api, api-build) (push) Has been cancelled
Details

Browse source 
* fix: Added check for secure cookies when running in production mode on localhost

* Applied copilot's suggestions
This commit is contained in:
Max Sanna 2026-01-26 17:28:50 +01:00 committed by GitHub
parent 5310529ee0
commit 8c6277a281
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 34 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

38
api/server/socialLogins.js
View file

@ -15,6 +15,38 @@ const {
} = require('~/strategies'); } = require('~/strategies');
const { getLogStores } = require('~/cache'); const { getLogStores } = require('~/cache');
/**
* Determines if secure cookies should be used.
* Only use secure cookies in production when not on localhost.
* @returns {boolean}
*/
function shouldUseSecureCookie() {
const isProduction = process.env.NODE_ENV === 'production';
const domainServer = process.env.DOMAIN_SERVER || '';
let hostname = '';
if (domainServer) {
try {
const normalized = /^https?:\/\//i.test(domainServer)
? domainServer
: `http://${domainServer}`;
const url = new URL(normalized);
hostname = (url.hostname || '').toLowerCase();
} catch {
// Fallback: treat DOMAIN_SERVER directly as a hostname-like string
hostname = domainServer.toLowerCase();
}
}
const isLocalhost =
hostname === 'localhost' ||
hostname === '127.0.0.1' ||
hostname === '::1' ||
hostname.endsWith('.localhost');
return isProduction && !isLocalhost;
}
/** /**
* Configures OpenID Connect for the application. * Configures OpenID Connect for the application.
* @param {Express.Application} app - The Express application instance. * @param {Express.Application} app - The Express application instance.
@ -22,7 +54,6 @@ const { getLogStores } = require('~/cache');
*/ */
async function configureOpenId(app) { async function configureOpenId(app) {
logger.info('Configuring OpenID Connect...'); logger.info('Configuring OpenID Connect...');
const isProduction = process.env.NODE_ENV === 'production';
const sessionExpiry = Number(process.env.SESSION_EXPIRY) || DEFAULT_SESSION_EXPIRY; const sessionExpiry = Number(process.env.SESSION_EXPIRY) || DEFAULT_SESSION_EXPIRY;
const sessionOptions = { const sessionOptions = {
secret: process.env.OPENID_SESSION_SECRET, secret: process.env.OPENID_SESSION_SECRET,
@ -31,7 +62,7 @@ async function configureOpenId(app) {
store: getLogStores(CacheKeys.OPENID_SESSION), store: getLogStores(CacheKeys.OPENID_SESSION),
cookie: { cookie: {
maxAge: sessionExpiry, maxAge: sessionExpiry,
secure: isProduction, secure: shouldUseSecureCookie(),
}, },
}; };
app.use(session(sessionOptions)); app.use(session(sessionOptions));
@ -88,7 +119,6 @@ const configureSocialLogins = async (app) => {
process.env.SAML_SESSION_SECRET process.env.SAML_SESSION_SECRET
) { ) {
logger.info('Configuring SAML Connect...'); logger.info('Configuring SAML Connect...');
const isProduction = process.env.NODE_ENV === 'production';
const sessionExpiry = Number(process.env.SESSION_EXPIRY) || DEFAULT_SESSION_EXPIRY; const sessionExpiry = Number(process.env.SESSION_EXPIRY) || DEFAULT_SESSION_EXPIRY;
const sessionOptions = { const sessionOptions = {
secret: process.env.SAML_SESSION_SECRET, secret: process.env.SAML_SESSION_SECRET,
@ -97,7 +127,7 @@ const configureSocialLogins = async (app) => {
store: getLogStores(CacheKeys.SAML_SESSION), store: getLogStores(CacheKeys.SAML_SESSION),
cookie: { cookie: {
maxAge: sessionExpiry, maxAge: sessionExpiry,
secure: isProduction, secure: shouldUseSecureCookie(),
}, },
}; };
app.use(session(sessionOptions)); app.use(session(sessionOptions));