mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-02-18 00:18:09 +01:00
3c844c9cc6
The express session cookie maxAge (SESSION_EXPIRY, default 15 min) is shorter than the OIDC token lifetime (~1 hour). When OPENID_REUSE_TOKENS is enabled, the refresh token was stored only in the express session (req.session.openidTokens). After the session expired, the refresh token was lost, causing "Refresh token not provided" on the next refresh attempt and signing the user out. Re-login via OIDC would succeed immediately (provider session still active), masking the root cause. The session-only storage was introduced in #11236 to avoid HTTP/2 header size limits from large access_token/id_token JWTs (especially Azure Entra ID with many group claims). The refresh token is a small opaque string and does not contribute to that problem. Move the refreshToken cookie out of the no-session fallback branch so it is always set alongside the session storage. The refreshController already has the fallback logic (req.session?.openidTokens?.refreshToken || parsedCookies.refreshToken) but previously never had a cookie to fall back to. Timeline before fix: T=0 Login, session created (15 min maxAge), id_token valid ~1 hr T=15min Session cookie expires, refresh token lost T=15min+ Page refresh or id_token expiry triggers refresh, fails with "Refresh token not provided", user redirected to /login Timeline after fix: T=0 Login, session created + refreshToken cookie (7 day expiry) T=15min Session cookie expires T=15min+ Refresh reads refreshToken from cookie fallback, succeeds, restores session with fresh tokens |
||
|---|---|---|
| .. | ||
| controllers | ||
| middleware | ||
| routes | ||
| services | ||
| utils | ||
| cleanup.js | ||
| experimental.js | ||
| index.js | ||
| index.spec.js | ||
| socialLogins.js | ||