mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-02-14 05:24:24 +01:00
2e42378b16
* 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService Two independent bugs in `api/server/services/AuthService.js` cause complete authentication failure when using `OPENID_REUSE_TOKENS=true` with Microsoft Entra ID (or Auth0) on `http://localhost` with `NODE_ENV=production`: Bug 1: `secure: isProduction` prevents auth cookies on localhost PR #11518 introduced `shouldUseSecureCookie()` in `socialLogins.js` to handle the case where `NODE_ENV=production` but the server runs on `http://localhost`. However, `AuthService.js` was not updated — it still used `secure: isProduction` in 6 cookie locations across `setAuthTokens()` and `setOpenIDAuthTokens()`. The `token_provider` cookie being dropped is critical: without it, `requireJwtAuth` middleware defaults to the `jwt` strategy instead of `openidJwt`, causing all authenticated requests to return 401. Bug 2: `setOpenIDAuthTokens()` returns `access_token` instead of `id_token` The `openIdJwtStrategy` validates the Bearer token via JWKS. For Entra ID without `OPENID_AUDIENCE`, the `access_token` is a Microsoft Graph API token (opaque or signed for a different audience), which fails JWKS validation. The `id_token` is always a standard JWT signed by the IdP's JWKS keys with the app's `client_id` as audience — which is what the strategy expects. This is the same root cause as issue #8796 (Auth0 encrypted access tokens). Changes: - Consolidate `shouldUseSecureCookie()` into `packages/api/src/oauth/csrf.ts` as a shared, typed utility exported from `@librechat/api`, replacing the duplicate definitions in `AuthService.js` and `socialLogins.js` - Move `isProduction` check inside the function body so it is evaluated at call time rather than module load time - Fix `packages/api/src/oauth/csrf.ts` which also used bare `secure: isProduction` for CSRF and session cookies (same localhost bug) - Return `tokenset.id_token || tokenset.access_token` from `setOpenIDAuthTokens()` so JWKS validation works with standard OIDC providers; falls back to `access_token` for backward compatibility - Add 15 tests for `shouldUseSecureCookie()` covering production/dev modes, localhost variants, edge cases, and a documented IPv6 bracket limitation - Add 13 tests for `setOpenIDAuthTokens()` covering token selection, session storage, cookie secure flag delegation, and edge cases Refs: #8796, #11518, #11236, #9931 * chore: Adjust Import Order and Type Definitions in AgentPanel Component - Reordered imports in `AgentPanel.tsx` for better organization and clarity. - Updated type imports to ensure proper usage of `FieldNamesMarkedBoolean` and `TranslationKeys`. - Removed redundant imports to streamline the codebase.
269 lines
8.6 KiB
JavaScript
269 lines
8.6 KiB
JavaScript
jest.mock('@librechat/data-schemas', () => ({
|
|
logger: { info: jest.fn(), warn: jest.fn(), debug: jest.fn(), error: jest.fn() },
|
|
DEFAULT_SESSION_EXPIRY: 900000,
|
|
DEFAULT_REFRESH_TOKEN_EXPIRY: 604800000,
|
|
}));
|
|
jest.mock('librechat-data-provider', () => ({
|
|
ErrorTypes: {},
|
|
SystemRoles: { USER: 'USER', ADMIN: 'ADMIN' },
|
|
errorsToString: jest.fn(),
|
|
}));
|
|
jest.mock('@librechat/api', () => ({
|
|
isEnabled: jest.fn((val) => val === 'true' || val === true),
|
|
checkEmailConfig: jest.fn(),
|
|
isEmailDomainAllowed: jest.fn(),
|
|
math: jest.fn((val, fallback) => (val ? Number(val) : fallback)),
|
|
shouldUseSecureCookie: jest.fn(() => false),
|
|
}));
|
|
jest.mock('~/models', () => ({
|
|
findUser: jest.fn(),
|
|
findToken: jest.fn(),
|
|
createUser: jest.fn(),
|
|
updateUser: jest.fn(),
|
|
countUsers: jest.fn(),
|
|
getUserById: jest.fn(),
|
|
findSession: jest.fn(),
|
|
createToken: jest.fn(),
|
|
deleteTokens: jest.fn(),
|
|
deleteSession: jest.fn(),
|
|
createSession: jest.fn(),
|
|
generateToken: jest.fn(),
|
|
deleteUserById: jest.fn(),
|
|
generateRefreshToken: jest.fn(),
|
|
}));
|
|
jest.mock('~/strategies/validators', () => ({ registerSchema: { parse: jest.fn() } }));
|
|
jest.mock('~/server/services/Config', () => ({ getAppConfig: jest.fn() }));
|
|
jest.mock('~/server/utils', () => ({ sendEmail: jest.fn() }));
|
|
|
|
const { shouldUseSecureCookie } = require('@librechat/api');
|
|
const { setOpenIDAuthTokens } = require('./AuthService');
|
|
|
|
/** Helper to build a mock Express response */
|
|
function mockResponse() {
|
|
const cookies = {};
|
|
const res = {
|
|
cookie: jest.fn((name, value, options) => {
|
|
cookies[name] = { value, options };
|
|
}),
|
|
_cookies: cookies,
|
|
};
|
|
return res;
|
|
}
|
|
|
|
/** Helper to build a mock Express request with session */
|
|
function mockRequest(sessionData = {}) {
|
|
return {
|
|
session: { openidTokens: null, ...sessionData },
|
|
};
|
|
}
|
|
|
|
describe('setOpenIDAuthTokens', () => {
|
|
const env = process.env;
|
|
|
|
beforeEach(() => {
|
|
jest.clearAllMocks();
|
|
process.env = {
|
|
...env,
|
|
JWT_REFRESH_SECRET: 'test-refresh-secret',
|
|
OPENID_REUSE_TOKENS: 'true',
|
|
};
|
|
});
|
|
|
|
afterAll(() => {
|
|
process.env = env;
|
|
});
|
|
|
|
describe('token selection (id_token vs access_token)', () => {
|
|
it('should return id_token when both id_token and access_token are present', () => {
|
|
const tokenset = {
|
|
id_token: 'the-id-token',
|
|
access_token: 'the-access-token',
|
|
refresh_token: 'the-refresh-token',
|
|
};
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
|
|
const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
expect(result).toBe('the-id-token');
|
|
});
|
|
|
|
it('should return access_token when id_token is not available', () => {
|
|
const tokenset = {
|
|
access_token: 'the-access-token',
|
|
refresh_token: 'the-refresh-token',
|
|
};
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
|
|
const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
expect(result).toBe('the-access-token');
|
|
});
|
|
|
|
it('should return access_token when id_token is undefined', () => {
|
|
const tokenset = {
|
|
id_token: undefined,
|
|
access_token: 'the-access-token',
|
|
refresh_token: 'the-refresh-token',
|
|
};
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
|
|
const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
expect(result).toBe('the-access-token');
|
|
});
|
|
|
|
it('should return access_token when id_token is null', () => {
|
|
const tokenset = {
|
|
id_token: null,
|
|
access_token: 'the-access-token',
|
|
refresh_token: 'the-refresh-token',
|
|
};
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
|
|
const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
expect(result).toBe('the-access-token');
|
|
});
|
|
|
|
it('should return id_token even when id_token and access_token differ', () => {
|
|
const tokenset = {
|
|
id_token: 'id-token-jwt-signed-by-idp',
|
|
access_token: 'opaque-graph-api-token',
|
|
refresh_token: 'refresh-token',
|
|
};
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
|
|
const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
expect(result).toBe('id-token-jwt-signed-by-idp');
|
|
expect(result).not.toBe('opaque-graph-api-token');
|
|
});
|
|
});
|
|
|
|
describe('session token storage', () => {
|
|
it('should store the original access_token in session (not id_token)', () => {
|
|
const tokenset = {
|
|
id_token: 'the-id-token',
|
|
access_token: 'the-access-token',
|
|
refresh_token: 'the-refresh-token',
|
|
};
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
|
|
setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
|
|
expect(req.session.openidTokens.accessToken).toBe('the-access-token');
|
|
expect(req.session.openidTokens.refreshToken).toBe('the-refresh-token');
|
|
});
|
|
});
|
|
|
|
describe('cookie secure flag', () => {
|
|
it('should call shouldUseSecureCookie for every cookie set', () => {
|
|
const tokenset = {
|
|
id_token: 'the-id-token',
|
|
access_token: 'the-access-token',
|
|
refresh_token: 'the-refresh-token',
|
|
};
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
|
|
setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
|
|
// token_provider + openid_user_id (session path, so no refreshToken/openid_access_token cookies)
|
|
const secureCalls = shouldUseSecureCookie.mock.calls.length;
|
|
expect(secureCalls).toBeGreaterThanOrEqual(2);
|
|
|
|
// Verify all cookies use the result of shouldUseSecureCookie
|
|
for (const [, cookie] of Object.entries(res._cookies)) {
|
|
expect(cookie.options.secure).toBe(false);
|
|
}
|
|
});
|
|
|
|
it('should set secure: true when shouldUseSecureCookie returns true', () => {
|
|
shouldUseSecureCookie.mockReturnValue(true);
|
|
|
|
const tokenset = {
|
|
id_token: 'the-id-token',
|
|
access_token: 'the-access-token',
|
|
refresh_token: 'the-refresh-token',
|
|
};
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
|
|
setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
|
|
for (const [, cookie] of Object.entries(res._cookies)) {
|
|
expect(cookie.options.secure).toBe(true);
|
|
}
|
|
});
|
|
|
|
it('should use shouldUseSecureCookie for cookie fallback path (no session)', () => {
|
|
shouldUseSecureCookie.mockReturnValue(false);
|
|
|
|
const tokenset = {
|
|
id_token: 'the-id-token',
|
|
access_token: 'the-access-token',
|
|
refresh_token: 'the-refresh-token',
|
|
};
|
|
const req = { session: null };
|
|
const res = mockResponse();
|
|
|
|
setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
|
|
// In the cookie fallback path, we get: refreshToken, openid_access_token, token_provider, openid_user_id
|
|
expect(res.cookie).toHaveBeenCalledWith(
|
|
'refreshToken',
|
|
expect.any(String),
|
|
expect.objectContaining({ secure: false }),
|
|
);
|
|
expect(res.cookie).toHaveBeenCalledWith(
|
|
'openid_access_token',
|
|
expect.any(String),
|
|
expect.objectContaining({ secure: false }),
|
|
);
|
|
expect(res.cookie).toHaveBeenCalledWith(
|
|
'token_provider',
|
|
'openid',
|
|
expect.objectContaining({ secure: false }),
|
|
);
|
|
});
|
|
});
|
|
|
|
describe('edge cases', () => {
|
|
it('should return undefined when tokenset is null', () => {
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
const result = setOpenIDAuthTokens(null, req, res, 'user-123');
|
|
expect(result).toBeUndefined();
|
|
});
|
|
|
|
it('should return undefined when access_token is missing', () => {
|
|
const tokenset = { refresh_token: 'refresh' };
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
expect(result).toBeUndefined();
|
|
});
|
|
|
|
it('should return undefined when no refresh token is available', () => {
|
|
const tokenset = { access_token: 'access', id_token: 'id' };
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123');
|
|
expect(result).toBeUndefined();
|
|
});
|
|
|
|
it('should use existingRefreshToken when tokenset has no refresh_token', () => {
|
|
const tokenset = {
|
|
id_token: 'the-id-token',
|
|
access_token: 'the-access-token',
|
|
};
|
|
const req = mockRequest();
|
|
const res = mockResponse();
|
|
|
|
const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123', 'existing-refresh');
|
|
expect(result).toBe('the-id-token');
|
|
expect(req.session.openidTokens.refreshToken).toBe('existing-refresh');
|
|
});
|
|
});
|
|
});
|