From ac2e1b15863e8457f4f8f7926981beda5c02e725 Mon Sep 17 00:00:00 2001
From: Danny Avila
Date: Sun, 25 May 2025 16:33:34 -0400
Subject: [PATCH] feat: Enhance OpenID flow with state parameter handling
---
 api/server/routes/oauth.js | 3 +++
 api/strategies/openidStrategy.js | 11 +++++++++++
 2 files changed, 14 insertions(+)
diff --git a/api/server/routes/oauth.js b/api/server/routes/oauth.js
index 2336ac023d..c58321df6d 100644
--- a/api/server/routes/oauth.js
+++ b/api/server/routes/oauth.js
@@ -1,6 +1,7 @@
 // file deepcode ignore NoRateLimitingForLogin: Rate limiting is handled by the `loginLimiter` middleware
 const express = require('express');
 const passport = require('passport');
+const client = require('openid-client');
 const {
 checkBan,
 logHeaders,
@@ -107,6 +108,7 @@ router.get(
 '/openid',
 passport.authenticate('openid', {
 session: false,
+ state: client.randomState(),
 }),
 );
 
@@ -115,6 +117,7 @@ router.get(
 passport.authenticate('openid', {
 failureRedirect: `${domains.client}/oauth/error`,
 failureMessage: true,
+ state: client.randomState(),
 session: false,
 }),
 setBalanceConfig,
diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
index 92b225b20a..50770441a1 100644
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@@ -28,6 +28,17 @@ class CustomOpenIDStrategy extends OpenIDStrategy {
 const hostAndProtocol = process.env.DOMAIN_SERVER;
 return new URL(`${hostAndProtocol}${req.originalUrl ?? req.url}`);
 }
+
+ /**
+ * Override to ensure proper authorization request parameters
+ */
+ authorizationRequestParams(req, options) {
+ const params = super.authorizationRequestParams?.(req, options) || {};
+ if (options?.state != null && options.state && !params.has('state')) {
+ params.set('state', options.state);
+ }
+ return params;
+ }
 }
 
 /**
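Review bot: `state: client.randomState()` on the `/openid` route is evaluated once, when the options object is built as the module loads, so every login for the lifetime of the process sends the same `state` value to the provider; a constant, observable state gives none of the CSRF protection the parameter exists for. The value has to be generated per request and remembered somewhere the callback can read it back — with `session: false` there is no session to hold it, so a signed, HttpOnly, short-lived cookie is the usual place — and then compared on the callback. Wrapping the middleware in a request handler fixes the per-request half; binding the value to the browser and checking it is still needed. The enclosing `router.get(` call starts above the hunk.
```javascript
router.get('/openid', (req, res, next) => {
  // Fresh state per request, not one value captured at module load.
  const state = client.randomState();
  // TODO: persist `state` in a signed HttpOnly cookie and verify it on the callback.
  passport.authenticate('openid', { session: false, state })(req, res, next);
});
```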
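Review bot: Passing `state: client.randomState()` to the callback route's `passport.authenticate` verifies nothing: on the callback the strategy receives the `state` the provider echoes back and should compare it with the value issued at `/openid`, and a value generated here — also computed once at startup, like the sibling option — cannot match it. If the strategy enforces equality this breaks every login; if it ignores the option on the callback, the line is dead code that implies a check which does not exist. Drop the option from this route and instead compare the incoming `req.query.state` with the value stored for the browser when the flow started, rejecting the callback on mismatch. The callback's route path and the rest of its handler chain continue outside the hunk.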
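Review bot: The `|| {}` fallback in `authorizationRequestParams` yields a plain object, but the following lines call `params.has` and `params.set`, which a plain object does not have, so if `super.authorizationRequestParams` is absent the method throws a TypeError rather than returning parameters. Assuming the base class returns a `URLSearchParams`, as the `has`/`set` calls imply, give the fallback the same interface and drop the redundant `!= null &&` guard: `const params = super.authorizationRequestParams?.(req, options) ?? new URLSearchParams();` and `if (options?.state && !params.has('state')) {`. The JSDoc should also say what the override actually does, e.g. `Forward options.state into the authorization request when the base strategy has not already set one.` The class `CustomOpenIDStrategy` continues outside the hunk.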