Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-02-12 20:44:24 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

WIP: first pass, OpenID Proxy Auth

Browse source
This commit is contained in:
Danny Avila 2025-09-13 13:53:06 -04:00
parent e90fd1df15
commit f6925f906b
No known key found for this signature in database
GPG key ID: BF31EEB2C5CA0956
6 changed files with 317 additions and 206 deletions
Download patch file Download diff file Expand all files Collapse all files

62
api/server/routes/admin/auth.js
View file

@ -1,7 +1,11 @@
const express = require('express');
const { loginController } = require('~/server/controllers/auth/LoginController');
const { getAppConfig } = require('~/server/services/Config');
const passport = require('passport');
const { randomState } = require('openid-client');
const { createSetBalanceConfig } = require('@librechat/api');
const { loginController } = require('~/server/controllers/auth/LoginController');
const { createOAuthHandler } = require('~/server/controllers/auth/oauth');
const { getAppConfig } = require('~/server/services/Config');
const { getOpenIdConfig } = require('~/strategies');
const middleware = require('~/server/middleware');
const { Balance } = require('~/db/models');
@ -12,33 +16,51 @@ const setBalanceConfig = createSetBalanceConfig({
const router = express.Router();
// Admin local authentication route - reuses main login controller
router.post(
'/login/local',
middleware.logHeaders,
middleware.loginLimiter,
middleware.checkBan,
middleware.requireLocalAuth, // Standard local auth
middleware.requireAdmin, // Then check if user is admin
middleware.requireLocalAuth,
middleware.requireAdmin,
setBalanceConfig,
loginController, // Reuse existing login controller
loginController,
);
// Admin token verification endpoint - simple JWT verify + admin check
router.get('/verify', middleware.requireJwtAuth, middleware.requireAdmin, (req, res) => {
const { password: _p, totpSecret: _t, __v, ...user } = req.user;
user.id = user._id.toString();
res.status(200).json({ user });
});
router.get('/oauth/openid/check', (req, res) => {
const openidConfig = getOpenIdConfig();
if (!openidConfig) {
return res.status(404).json({ message: 'OpenID configuration not found' });
}
res.status(200).json({ message: 'OpenID check successful' });
});
router.get('/oauth/openid', (req, res, next) => {
return passport.authenticate('openidAdmin', {
session: false,
state: randomState(),
})(req, res, next);
});
router.get(
'/verify',
middleware.requireJwtAuth, // Standard JWT auth
middleware.requireAdmin, // Then check if user is admin
(req, res) => {
// Simple response - user is already verified by middleware
const { password: _p, totpSecret: _t, __v, ...user } = req.user;
user.id = user._id.toString();
res.status(200).json({ user });
},
'/oauth/openid/callback',
passport.authenticate('openidAdmin', {
failureRedirect: `${process.env.DOMAIN_CLIENT}/oauth/error`,
failureMessage: true,
session: false,
}),
middleware.requireAdmin,
setBalanceConfig,
middleware.checkDomainAllowed,
createOAuthHandler(
(process.env.ADMIN_PANEL_URL || 'http://localhost:3000') + '/auth/openid/callback',
),
);
// TODO: Future OAuth/OpenID routes will be added here
// router.get('/auth/openid', ...);
// router.get('/auth/openid/callback', ...);
module.exports = router;