LibreChat/api/server/controllers
Airam Hernández Hernández 96f6976e00
🪂 fix: Automatic logout_hint Fallback for Oversized OpenID Token URLs (#12326)
* fix: automatic logout_hint fallback for long OpenID tokens

Implements OIDC RP-Initiated Logout cascading strategy to prevent errors when id_token_hint makes logout URL too long.

Automatically detects URLs exceeding configurable length and falls back to logout_hint only when URL is too long, preserving previous behavior when token is missing. Adds OPENID_MAX_LOGOUT_URL_LENGTH environment variable. Comprehensive test coverage with 20 tests. Works with any OpenID provider.

* fix: address review findings for OIDC logout URL length fallback

- Replace two-boolean tri-state (useIdTokenHint/urlTooLong) with a single
  string discriminant ('use_token'|'too_long'|'no_token') for clarity
- Fix misleading warning: differentiate 'url too long + no client_id' from
  'no token + no client_id' so operators get actionable advice
- Strict env var parsing: reject partial numeric strings like '500abc' that
  Number.parseInt silently accepted; use regex + Number() instead
- Pre-compute projected URL length from base URL + token length (JWT chars
  are URL-safe), eliminating the set-then-delete mutation pattern
- Extract parseMaxLogoutUrlLength helper for validation and early return
- Add tests: invalid env values, url-too-long + missing OPENID_CLIENT_ID,
  boundary condition (exact max vs max+1), cookie-sourced long token
- Remove redundant try/finally in 'respects custom limit' test
- Use empty value in .env.example to signal optional config (default: 2000)

---------

Co-authored-by: Airam Hernández Hernández <airam.hernandez@intelequia.com>
Co-authored-by: Danny Avila <danny@librechat.ai>
2026-03-20 12:46:57 -04:00
__tests__ 🪦 fix: ACL-Safe User Account Deletion for Agents, Prompts, and MCP Servers (#12314) 2026-03-19 17:46:14 -04:00
agents 🪪 fix: Enforce Conversation Ownership Checks in Remote Agent Controllers (#12263) 2026-03-16 09:19:48 -04:00
assistants 🏞️ fix: Gemini Image Filenames and Add Tool Cache Safety (#11306) 2026-01-12 09:01:23 -05:00
auth 🪂 fix: Automatic logout_hint Fallback for Oversized OpenID Token URLs (#12326) 2026-03-20 12:46:57 -04:00
AuthController.js 🔏 fix: Remove Federated Tokens from OpenID Refresh Response (#12264) 2026-03-16 09:23:46 -04:00
AuthController.spec.js 🔏 fix: Remove Federated Tokens from OpenID Refresh Response (#12264) 2026-03-16 09:23:46 -04:00
Balance.js 🏗️ refactor: Extract DB layers to data-schemas for shared use (#7650) 2025-05-30 22:18:13 -04:00
EndpointController.js refactor: Integrate Capabilities into Agent File Uploads and Tool Handling (#5048) 2024-12-19 13:04:48 -05:00
FavoritesController.js 📌 feat: Pin Agents and Models in the Sidebar (#10634) 2025-12-11 16:38:20 -05:00
mcp.js 🪪 fix: MCP API Responses and OAuth Validation (#12217) 2026-03-13 23:18:56 -04:00
ModelController.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
PermissionsController.js 🧯 fix: Remove Revoked Agents from User Favorites (#12296) 2026-03-19 15:15:10 -04:00
PluginController.js 🗃️ refactor: Separate Tool Cache Namespace for Blue/Green Deployments (#11738) 2026-02-11 22:20:43 -05:00
PluginController.spec.js 🗃️ refactor: Separate Tool Cache Namespace for Blue/Green Deployments (#11738) 2026-02-11 22:20:43 -05:00
tools.js 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
TwoFactorController.js 🔑 fix: Require OTP Verification for 2FA Re-Enrollment and Backup Code Regeneration (#12223) 2026-03-14 01:51:31 -04:00
UserController.js 🪦 fix: ACL-Safe User Account Deletion for Agents, Prompts, and MCP Servers (#12314) 2026-03-19 17:46:14 -04:00