const passport = require('passport'); const session = require('express-session'); const { isEnabled } = require('@librechat/api'); const { CacheKeys } = require('librechat-data-provider'); const { logger, DEFAULT_SESSION_EXPIRY } = require('@librechat/data-schemas'); const { openIdJwtLogin, facebookLogin, discordLogin, setupOpenId, googleLogin, githubLogin, appleLogin, setupSaml, } = require('~/strategies'); const { getLogStores } = require('~/cache'); /** * Determines if secure cookies should be used. * Only use secure cookies in production when not on localhost. * @returns {boolean} */ function shouldUseSecureCookie() { const isProduction = process.env.NODE_ENV === 'production'; const domainServer = process.env.DOMAIN_SERVER || ''; let hostname = ''; if (domainServer) { try { const normalized = /^https?:\/\//i.test(domainServer) ? domainServer : `http://${domainServer}`; const url = new URL(normalized); hostname = (url.hostname || '').toLowerCase(); } catch { // Fallback: treat DOMAIN_SERVER directly as a hostname-like string hostname = domainServer.toLowerCase(); } } const isLocalhost = hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1' || hostname.endsWith('.localhost'); return isProduction && !isLocalhost; } /** * Configures OpenID Connect for the application. * @param {Express.Application} app - The Express application instance. * @returns {Promise} */ async function configureOpenId(app) { logger.info('Configuring OpenID Connect...'); const sessionExpiry = Number(process.env.SESSION_EXPIRY) || DEFAULT_SESSION_EXPIRY; const sessionOptions = { secret: process.env.OPENID_SESSION_SECRET, resave: false, saveUninitialized: false, store: getLogStores(CacheKeys.OPENID_SESSION), cookie: { maxAge: sessionExpiry, secure: shouldUseSecureCookie(), }, }; app.use(session(sessionOptions)); app.use(passport.session()); const config = await setupOpenId(); if (!config) { logger.error('OpenID Connect configuration failed - strategy not registered.'); return; } if (isEnabled(process.env.OPENID_REUSE_TOKENS)) { logger.info('OpenID token reuse is enabled.'); passport.use('openidJwt', openIdJwtLogin(config)); } logger.info('OpenID Connect configured successfully.'); } /** * * @param {Express.Application} app */ const configureSocialLogins = async (app) => { logger.info('Configuring social logins...'); if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) { passport.use(googleLogin()); } if (process.env.FACEBOOK_CLIENT_ID && process.env.FACEBOOK_CLIENT_SECRET) { passport.use(facebookLogin()); } if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) { passport.use(githubLogin()); } if (process.env.DISCORD_CLIENT_ID && process.env.DISCORD_CLIENT_SECRET) { passport.use(discordLogin()); } if (process.env.APPLE_CLIENT_ID && process.env.APPLE_PRIVATE_KEY_PATH) { passport.use(appleLogin()); } if ( process.env.OPENID_CLIENT_ID && process.env.OPENID_CLIENT_SECRET && process.env.OPENID_ISSUER && process.env.OPENID_SCOPE && process.env.OPENID_SESSION_SECRET ) { await configureOpenId(app); } if ( process.env.SAML_ENTRY_POINT && process.env.SAML_ISSUER && process.env.SAML_CERT && process.env.SAML_SESSION_SECRET ) { logger.info('Configuring SAML Connect...'); const sessionExpiry = Number(process.env.SESSION_EXPIRY) || DEFAULT_SESSION_EXPIRY; const sessionOptions = { secret: process.env.SAML_SESSION_SECRET, resave: false, saveUninitialized: false, store: getLogStores(CacheKeys.SAML_SESSION), cookie: { maxAge: sessionExpiry, secure: shouldUseSecureCookie(), }, }; app.use(session(sessionOptions)); app.use(passport.session()); setupSaml(); logger.info('SAML Connect configured.'); } }; module.exports = configureSocialLogins;