Danny Avila 2e42378b16 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782) ... * 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService Two independent bugs in `api/server/services/AuthService.js` cause complete authentication failure when using `OPENID_REUSE_TOKENS=true` with Microsoft Entra ID (or Auth0) on `http://localhost` with `NODE_ENV=production`: Bug 1: `secure: isProduction` prevents auth cookies on localhost PR #11518 introduced `shouldUseSecureCookie()` in `socialLogins.js` to handle the case where `NODE_ENV=production` but the server runs on `http://localhost`. However, `AuthService.js` was not updated — it still used `secure: isProduction` in 6 cookie locations across `setAuthTokens()` and `setOpenIDAuthTokens()`. The `token_provider` cookie being dropped is critical: without it, `requireJwtAuth` middleware defaults to the `jwt` strategy instead of `openidJwt`, causing all authenticated requests to return 401. Bug 2: `setOpenIDAuthTokens()` returns `access_token` instead of `id_token` The `openIdJwtStrategy` validates the Bearer token via JWKS. For Entra ID without `OPENID_AUDIENCE`, the `access_token` is a Microsoft Graph API token (opaque or signed for a different audience), which fails JWKS validation. The `id_token` is always a standard JWT signed by the IdP's JWKS keys with the app's `client_id` as audience — which is what the strategy expects. This is the same root cause as issue #8796 (Auth0 encrypted access tokens). Changes: - Consolidate `shouldUseSecureCookie()` into `packages/api/src/oauth/csrf.ts` as a shared, typed utility exported from `@librechat/api`, replacing the duplicate definitions in `AuthService.js` and `socialLogins.js` - Move `isProduction` check inside the function body so it is evaluated at call time rather than module load time - Fix `packages/api/src/oauth/csrf.ts` which also used bare `secure: isProduction` for CSRF and session cookies (same localhost bug) - Return `tokenset.id_token || tokenset.access_token` from `setOpenIDAuthTokens()` so JWKS validation works with standard OIDC providers; falls back to `access_token` for backward compatibility - Add 15 tests for `shouldUseSecureCookie()` covering production/dev modes, localhost variants, edge cases, and a documented IPv6 bracket limitation - Add 13 tests for `setOpenIDAuthTokens()` covering token selection, session storage, cookie secure flag delegation, and edge cases Refs: #8796, #11518, #11236, #9931 * chore: Adjust Import Order and Type Definitions in AgentPanel Component - Reordered imports in `AgentPanel.tsx` for better organization and clarity. - Updated type imports to ensure proper usage of `FieldNamesMarkedBoolean` and `TranslationKeys`. - Removed redundant imports to streamline the codebase.		2026-02-13 10:35:51 -05:00
..
controllers	🏁 fix: Resolve Content Aggregation Race Condition in Agent Event Handlers (#11757)	2026-02-12 15:42:22 -05:00
middleware	🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756)	2026-02-12 14:22:05 -05:00
routes	🔱 chore: Harden API Routes Against IDOR and DoS Attacks (#11760)	2026-02-12 18:08:24 -05:00
services	🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782)	2026-02-13 10:35:51 -05:00
utils	✨ feat: Add Claude conversation importer with thinking support (#11124)	2025-12-29 21:37:52 -05:00
cleanup.js	⏸ refactor: Improve UX for Parallel Streams (Multi-Convo) (#11096)	2025-12-25 01:43:54 -05:00
experimental.js	🛸 feat: Remote Agent Access with External API Support (#11503)	2026-01-28 17:44:33 -05:00
index.js	🛸 feat: Remote Agent Access with External API Support (#11503)	2026-01-28 17:44:33 -05:00
index.spec.js	🚦 refactor: Concurrent Request Limiter for Resumable Streams (#11167)	2026-01-01 11:10:56 -05:00
socialLogins.js	🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782)	2026-02-13 10:35:51 -05:00