Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-13 03:16:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
LibreChat/packages/api/src/oauth/csrf.ts
Danny Avila 2e42378b16
🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782) 
* 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService

  Two independent bugs in `api/server/services/AuthService.js` cause complete
  authentication failure when using `OPENID_REUSE_TOKENS=true` with Microsoft
  Entra ID (or Auth0) on `http://localhost` with `NODE_ENV=production`:

  Bug 1: `secure: isProduction` prevents auth cookies on localhost

  PR #11518 introduced `shouldUseSecureCookie()` in `socialLogins.js` to handle
  the case where `NODE_ENV=production` but the server runs on `http://localhost`.
  However, `AuthService.js` was not updated — it still used `secure: isProduction`
  in 6 cookie locations across `setAuthTokens()` and `setOpenIDAuthTokens()`.

  The `token_provider` cookie being dropped is critical: without it,
  `requireJwtAuth` middleware defaults to the `jwt` strategy instead of
  `openidJwt`, causing all authenticated requests to return 401.

  Bug 2: `setOpenIDAuthTokens()` returns `access_token` instead of `id_token`

  The `openIdJwtStrategy` validates the Bearer token via JWKS. For Entra ID
  without `OPENID_AUDIENCE`, the `access_token` is a Microsoft Graph API token
  (opaque or signed for a different audience), which fails JWKS validation.

  The `id_token` is always a standard JWT signed by the IdP's JWKS keys with
  the app's `client_id` as audience — which is what the strategy expects.
  This is the same root cause as issue #8796 (Auth0 encrypted access tokens).

  Changes:

  - Consolidate `shouldUseSecureCookie()` into `packages/api/src/oauth/csrf.ts`
    as a shared, typed utility exported from `@librechat/api`, replacing the
    duplicate definitions in `AuthService.js` and `socialLogins.js`
  - Move `isProduction` check inside the function body so it is evaluated at
    call time rather than module load time
  - Fix `packages/api/src/oauth/csrf.ts` which also used bare
    `secure: isProduction` for CSRF and session cookies (same localhost bug)
  - Return `tokenset.id_token || tokenset.access_token` from
    `setOpenIDAuthTokens()` so JWKS validation works with standard OIDC
    providers; falls back to `access_token` for backward compatibility
  - Add 15 tests for `shouldUseSecureCookie()` covering production/dev modes,
    localhost variants, edge cases, and a documented IPv6 bracket limitation
  - Add 13 tests for `setOpenIDAuthTokens()` covering token selection,
    session storage, cookie secure flag delegation, and edge cases

  Refs: #8796, #11518, #11236, #9931

* chore: Adjust Import Order and Type Definitions in AgentPanel Component

- Reordered imports in `AgentPanel.tsx` for better organization and clarity.
- Updated type imports to ensure proper usage of `FieldNamesMarkedBoolean` and `TranslationKeys`.
- Removed redundant imports to streamline the codebase.
2026-02-13 10:35:51 -05:00

119 lines
4 KiB
TypeScript
Raw Blame History

import crypto from 'crypto';
import type { Request, Response, NextFunction } from 'express';
export const OAUTH_CSRF_COOKIE = 'oauth_csrf';
export const OAUTH_CSRF_MAX_AGE = 10 * 60 * 1000;
export const OAUTH_SESSION_COOKIE = 'oauth_session';
export const OAUTH_SESSION_MAX_AGE = 24 * 60 * 60 * 1000;
export const OAUTH_SESSION_COOKIE_PATH = '/api';
/**
* Determines if secure cookies should be used.
* Returns `true` in production unless the server is running on localhost (HTTP).
* This allows cookies to work on `http://localhost` during local development
* even when `NODE_ENV=production` (common in Docker Compose setups).
*/
export function shouldUseSecureCookie(): boolean {
const isProduction = process.env.NODE_ENV === 'production';
const domainServer = process.env.DOMAIN_SERVER || '';
let hostname = '';
if (domainServer) {
try {
const normalized = /^https?:\/\//i.test(domainServer)
? domainServer
: `http://${domainServer}`;
const url = new URL(normalized);
hostname = (url.hostname || '').toLowerCase();
} catch {
hostname = domainServer.toLowerCase();
}
}
const isLocalhost =
hostname === 'localhost' ||
hostname === '127.0.0.1' ||
hostname === '::1' ||
hostname.endsWith('.localhost');
return isProduction && !isLocalhost;
}
/** Generates an HMAC-based token for OAuth CSRF protection */
export function generateOAuthCsrfToken(flowId: string, secret?: string): string {
const key = secret || process.env.JWT_SECRET;
if (!key) {
throw new Error('JWT_SECRET is required for OAuth CSRF token generation');
}
return crypto.createHmac('sha256', key).update(flowId).digest('hex').slice(0, 32);
}
/** Sets a SameSite=Lax CSRF cookie bound to a specific OAuth flow */
export function setOAuthCsrfCookie(res: Response, flowId: string, cookiePath: string): void {
res.cookie(OAUTH_CSRF_COOKIE, generateOAuthCsrfToken(flowId), {
httpOnly: true,
secure: shouldUseSecureCookie(),
sameSite: 'lax',
maxAge: OAUTH_CSRF_MAX_AGE,
path: cookiePath,
});
}
/**
* Validates the per-flow CSRF cookie against the expected HMAC.
* Uses timing-safe comparison and always clears the cookie to prevent replay.
*/
export function validateOAuthCsrf(
req: Request,
res: Response,
flowId: string,
cookiePath: string,
): boolean {
const cookie = (req.cookies as Record<string, string> | undefined)?.[OAUTH_CSRF_COOKIE];
res.clearCookie(OAUTH_CSRF_COOKIE, { path: cookiePath });
if (!cookie) {
return false;
}
const expected = generateOAuthCsrfToken(flowId);
if (cookie.length !== expected.length) {
return false;
}
return crypto.timingSafeEqual(Buffer.from(cookie), Buffer.from(expected));
}
/**
* Express middleware that sets the OAuth session cookie after JWT authentication.
* Chain after requireJwtAuth on routes that precede an OAuth redirect (e.g., reinitialize, bind).
*/
export function setOAuthSession(req: Request, res: Response, next: NextFunction): void {
const user = (req as Request & { user?: { id?: string } }).user;
if (user?.id && !(req.cookies as Record<string, string> | undefined)?.[OAUTH_SESSION_COOKIE]) {
setOAuthSessionCookie(res, user.id);
}
next();
}
/** Sets a SameSite=Lax session cookie that binds the browser to the authenticated userId */
export function setOAuthSessionCookie(res: Response, userId: string): void {
res.cookie(OAUTH_SESSION_COOKIE, generateOAuthCsrfToken(userId), {
httpOnly: true,
secure: shouldUseSecureCookie(),
sameSite: 'lax',
maxAge: OAUTH_SESSION_MAX_AGE,
path: OAUTH_SESSION_COOKIE_PATH,
});
}
/** Validates the session cookie against the expected userId using timing-safe comparison */
export function validateOAuthSession(req: Request, userId: string): boolean {
const cookie = (req.cookies as Record<string, string> | undefined)?.[OAUTH_SESSION_COOKIE];
if (!cookie) {
return false;
}
const expected = generateOAuthCsrfToken(userId);
if (cookie.length !== expected.length) {
return false;
}
return crypto.timingSafeEqual(Buffer.from(cookie), Buffer.from(expected));
}
Reference in a new issue View git blame Copy permalink