Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-02-18 16:38:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
LibreChat/api/server/services
History
Danny Avila 3c844c9cc6
🥠 refactor: Always set OIDC refresh token cookie to survive session expiry (#11810) 
The express session cookie maxAge (SESSION_EXPIRY, default 15 min) is
shorter than the OIDC token lifetime (~1 hour). When OPENID_REUSE_TOKENS
is enabled, the refresh token was stored only in the express session
(req.session.openidTokens). After the session expired, the refresh token
was lost, causing "Refresh token not provided" on the next refresh
attempt and signing the user out. Re-login via OIDC would succeed
immediately (provider session still active), masking the root cause.

The session-only storage was introduced in #11236 to avoid HTTP/2 header
size limits from large access_token/id_token JWTs (especially Azure
Entra ID with many group claims). The refresh token is a small opaque
string and does not contribute to that problem.

Move the refreshToken cookie out of the no-session fallback branch so it
is always set alongside the session storage. The refreshController
already has the fallback logic (req.session?.openidTokens?.refreshToken
|| parsedCookies.refreshToken) but previously never had a cookie to fall
back to.

Timeline before fix:
  T=0      Login, session created (15 min maxAge), id_token valid ~1 hr
  T=15min  Session cookie expires, refresh token lost
  T=15min+ Page refresh or id_token expiry triggers refresh, fails with
           "Refresh token not provided", user redirected to /login

Timeline after fix:
  T=0      Login, session created + refreshToken cookie (7 day expiry)
  T=15min  Session cookie expires
  T=15min+ Refresh reads refreshToken from cookie fallback, succeeds,
           restores session with fresh tokens
2026-02-16 14:42:19 -05:00
..
__tests__ 🦥 feat: Add Deferred Tools as Agents Capability (#11295) 2026-01-28 17:44:30 -05:00
Artifacts 🪄 fix: Code Block handling in Artifact Updates (#11417) 2026-01-20 08:45:43 -05:00
Config 🗃️ refactor: Separate Tool Cache Namespace for Blue/Green Deployments (#11738) 2026-02-11 22:20:43 -05:00
Endpoints 👻 fix: Prevent Async Title Generation From Recreating Deleted Conversations (#11797) 2026-02-14 13:57:00 -05:00
Files 🔧 feat: deleteRagFile utility for Consistent RAG API document deletion (#11493) 2026-02-14 13:57:01 -05:00
Runs 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
start 🦥 refactor: Event-Driven Lazy Tool Loading (#11588) 2026-02-01 08:50:57 -05:00
Threads 🔧 chore: Update ESLint Config & Run Linter (#10986) 2025-12-15 17:55:25 -05:00
Tools 🔐 fix: MCP OAuth Tool Discovery and Event Emission (#11599) 2026-02-01 19:37:04 -05:00
ActionService.js 🛡️ fix: Implement TOCTOU-Safe SSRF Protection for Actions and MCP (#11722) 2026-02-11 22:09:58 -05:00
ActionService.spec.js 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
AssistantService.js 🪦 refactor: Remove Legacy Code (#10533) 2025-12-11 16:36:12 -05:00
AuthService.js 🥠 refactor: Always set OIDC refresh token cookie to survive session expiry (#11810) 2026-02-16 14:42:19 -05:00
AuthService.spec.js 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782) 2026-02-13 10:35:51 -05:00
cleanup.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
createRunBody.js feat: Add Current Datetime to Assistants (v1/v2) (#4952) 2024-12-11 15:26:18 -05:00
GraphApiService.js 👫 fix: Update Entra ID group retrieval to use getMemberGroups and add pagination support (#10199) 2025-10-26 21:58:29 -04:00
GraphApiService.spec.js 🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794) 2025-12-11 16:37:16 -05:00
GraphTokenService.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
initializeMCPs.js 🧰 fix: Allow UI-based MCP Management without Configured Servers (#11158) 2025-12-30 18:55:11 -05:00
initializeMCPs.spec.js 🚦 refactor: Concurrent Request Limiter for Resumable Streams (#11167) 2026-01-01 11:10:56 -05:00
initializeOAuthReconnectManager.js 💫 feat: MCP OAuth Auto-Reconnect (#9646) 2025-09-17 16:49:36 -04:00
MCP.js 🧰 fix: Convert const to enum in MCP Schemas for Gemini Compatibility (#11784) 2026-02-13 13:33:25 -05:00
MCP.spec.js 🧰 fix: Convert const to enum in MCP Schemas for Gemini Compatibility (#11784) 2026-02-13 13:33:25 -05:00
PermissionService.js 🛸 feat: Remote Agent Access with External API Support (#11503) 2026-01-28 17:44:33 -05:00
PermissionService.spec.js 🏗️ feat: Dynamic MCP Server Infrastructure with Access Control (#10787) 2025-12-11 16:38:37 -05:00
PluginService.js 🔌 feat: MCP Reinitialization and OAuth in UI (#8598) 2025-07-22 22:52:45 -04:00
ToolService.js 🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756) 2026-02-12 14:22:05 -05:00
twoFactorService.js 🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794) 2025-12-11 16:37:16 -05:00