LibreChat

mirror of https://github.com/danny-avila/LibreChat.git synced 2026-02-14 14:38:11 +01:00

History

Jón Levy dc89e00039 🪙 refactor: Distinguish ID Tokens from Access Tokens in OIDC Federated Auth (#11711 ) * fix(openid): distinguish ID tokens from access tokens in federated auth Fix OpenID Connect token handling to properly distinguish ID tokens from access tokens. ID tokens and access tokens are now stored and propagated separately, preventing token placeholders from resolving to identical values. - AuthService.js: Added idToken field to session storage - openIdJwtStrategy.js: Updated to read idToken from session - openidStrategy.js: Explicitly included id_token in federatedTokens - Test suites: Added comprehensive test coverage for token distinction Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(openid): add separate openid_id_token cookie for ID token storage Store the OIDC ID token in its own cookie rather than relying solely on the access token, ensuring correct token type is used for identity verification vs API authorization. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * test(openid): add JWT strategy cookie fallback tests Cover the token source resolution logic in openIdJwtStrategy: session-only, cookie-only, partial session fallback, raw Bearer fallback, and distinct id_token/access_token from cookies. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>		2026-02-13 11:07:39 -05:00
..
__tests__	🦥 feat: Add Deferred Tools as Agents Capability (#11295 )	2026-01-28 17:44:30 -05:00
Artifacts	🪄 fix: Code Block handling in Artifact Updates (#11417 )	2026-01-20 08:45:43 -05:00
Config	🗃️ refactor: Separate Tool Cache Namespace for Blue/Green Deployments (#11738 )	2026-02-11 22:20:43 -05:00
Endpoints	⚠️ chore: Remove Deprecated `forcePrompt` setting (#11622 )	2026-02-04 11:02:27 +01:00
Files	🆔 fix: Atomic File Dedupe, Bedrock Tokens Fix, and Allowed MIME Types (#11675 )	2026-02-07 13:26:18 -05:00
Runs	🧹 chore: Cleanup Logger and Utility Imports (#9935 )	2025-10-01 23:30:47 -04:00
start	🦥 refactor: Event-Driven Lazy Tool Loading (#11588 )	2026-02-01 08:50:57 -05:00
Threads	🔧 chore: Update ESLint Config & Run Linter (#10986 )	2025-12-15 17:55:25 -05:00
Tools	🔐 fix: MCP OAuth Tool Discovery and Event Emission (#11599 )	2026-02-01 19:37:04 -05:00
ActionService.js	🛡️ fix: Implement TOCTOU-Safe SSRF Protection for Actions and MCP (#11722 )	2026-02-11 22:09:58 -05:00
ActionService.spec.js	🛜 refactor: Streamline App Config Usage (#9234 )	2025-08-26 12:10:18 -04:00
AssistantService.js	🪦 refactor: Remove Legacy Code (#10533 )	2025-12-11 16:36:12 -05:00
AuthService.js	🪙 refactor: Distinguish ID Tokens from Access Tokens in OIDC Federated Auth (#11711 )	2026-02-13 11:07:39 -05:00
AuthService.spec.js	🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782 )	2026-02-13 10:35:51 -05:00
cleanup.js	🧹 chore: Cleanup Logger and Utility Imports (#9935 )	2025-10-01 23:30:47 -04:00
createRunBody.js	⌚ feat: Add Current Datetime to Assistants (v1/v2) (#4952 )	2024-12-11 15:26:18 -05:00
GraphApiService.js	👫 fix: Update Entra ID group retrieval to use getMemberGroups and add pagination support (#10199 )	2025-10-26 21:58:29 -04:00
GraphApiService.spec.js	🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794 )	2025-12-11 16:37:16 -05:00
GraphTokenService.js	🧹 chore: Cleanup Logger and Utility Imports (#9935 )	2025-10-01 23:30:47 -04:00
initializeMCPs.js	🧰 fix: Allow UI-based MCP Management without Configured Servers (#11158 )	2025-12-30 18:55:11 -05:00
initializeMCPs.spec.js	🚦 refactor: Concurrent Request Limiter for Resumable Streams (#11167 )	2026-01-01 11:10:56 -05:00
initializeOAuthReconnectManager.js	💫 feat: MCP OAuth Auto-Reconnect (#9646 )	2025-09-17 16:49:36 -04:00
MCP.js	🔄 refactor: Sequential Event Ordering in Redis Streaming Mode (#11650 )	2026-02-05 17:57:33 +01:00
MCP.spec.js	🦥 refactor: Event-Driven Lazy Tool Loading (#11588 )	2026-02-01 08:50:57 -05:00
PermissionService.js	🛸 feat: Remote Agent Access with External API Support (#11503 )	2026-01-28 17:44:33 -05:00
PermissionService.spec.js	🏗️ feat: Dynamic MCP Server Infrastructure with Access Control (#10787 )	2025-12-11 16:38:37 -05:00
PluginService.js	🔌 feat: MCP Reinitialization and OAuth in UI (#8598 )	2025-07-22 22:52:45 -04:00
ToolService.js	🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756 )	2026-02-12 14:22:05 -05:00
twoFactorService.js	🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794 )	2025-12-11 16:37:16 -05:00