mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-01 11:53:55 +00:00
Google admin sessions cannot be refreshed today. Three gaps add up to that:
passport.authenticate('googleAdmin', ...) in api/server/routes/admin/auth.js
never sets access_type=offline, so Google omits the refresh_token from its
token response; createOAuthHandler in api/server/controllers/auth/oauth.js
only forwards a refresh token into the admin exchange payload when the user's
provider is 'openid' AND OPENID_REUSE_TOKENS is enabled; and
/api/admin/oauth/refresh is openid-only, calling openid-client.refreshTokenGrant
against the configured OIDC issuer. OpenID admins refresh transparently
because all three are in place for them.
This PR closes all three. The googleAdmin authenticate call now passes
accessType: 'offline' and prompt: 'consent' so Google issues a refresh token
on consent; the chat-side googleLogin is untouched. The shared socialLogin
verify callback now passes the IdP refreshToken through as passport's third
argument (info), landing on req.authInfo, with the two-argument call shape
preserved when no refresh token is present so existing strategy tests stay
valid. createOAuthHandler reads req.authInfo?.refreshToken for non-OpenID
admin providers and forwards it into the exchange code; the OpenID branch
and its OPENID_REUSE_TOKENS gate are unchanged. /api/admin/oauth/refresh
now accepts an optional provider field ('openid' | 'google', default 'openid').
The new Google branch POSTs grant_type=refresh_token to
https://oauth2.googleapis.com/token, decodes the returned id_token for the sub
claim, looks up the admin user by googleId, enforces tenant scope and
ACCESS_ADMIN, and mints a fresh LibreChat JWT in the same response shape
/oauth/exchange returns. It is gated on GOOGLE_CLIENT_ID and
GOOGLE_CLIENT_SECRET being set (returns 503 GOOGLE_NOT_CONFIGURED otherwise);
unknown provider values return 400 INVALID_PROVIDER.
96 lines
3.2 KiB
JavaScript
96 lines
3.2 KiB
JavaScript
const { CacheKeys } = require('librechat-data-provider');
|
|
const { logger, DEFAULT_SESSION_EXPIRY } = require('@librechat/data-schemas');
|
|
const {
|
|
isEnabled,
|
|
getAdminPanelUrl,
|
|
isAdminPanelRedirect,
|
|
generateAdminExchangeCode,
|
|
} = require('@librechat/api');
|
|
const { syncUserEntraGroupMemberships } = require('~/server/services/PermissionService');
|
|
const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
|
|
const getLogStores = require('~/cache/getLogStores');
|
|
const { checkBan } = require('~/server/middleware');
|
|
const { generateToken } = require('~/models');
|
|
|
|
const domains = {
|
|
client: process.env.DOMAIN_CLIENT,
|
|
server: process.env.DOMAIN_SERVER,
|
|
};
|
|
|
|
function createOAuthHandler(redirectUri = domains.client) {
|
|
/**
|
|
* A handler to process OAuth authentication results.
|
|
* @type {Function}
|
|
* @param {ServerRequest} req - Express request object.
|
|
* @param {ServerResponse} res - Express response object.
|
|
* @param {NextFunction} next - Express next middleware function.
|
|
*/
|
|
return async (req, res, next) => {
|
|
try {
|
|
if (res.headersSent) {
|
|
return;
|
|
}
|
|
|
|
await checkBan(req, res);
|
|
if (req.banned) {
|
|
return;
|
|
}
|
|
|
|
/** Check if this is an admin panel redirect (cross-origin) */
|
|
if (isAdminPanelRedirect(redirectUri, getAdminPanelUrl(), domains.client)) {
|
|
/** For admin panel, generate exchange code instead of setting cookies */
|
|
const cache = getLogStores(CacheKeys.ADMIN_OAUTH_EXCHANGE);
|
|
const sessionExpiry = Number(process.env.SESSION_EXPIRY) || DEFAULT_SESSION_EXPIRY;
|
|
const token = await generateToken(req.user, sessionExpiry);
|
|
|
|
let refreshToken;
|
|
if (req.user.provider === 'openid') {
|
|
if (isEnabled(process.env.OPENID_REUSE_TOKENS) === true) {
|
|
refreshToken =
|
|
req.user.tokenset?.refresh_token || req.user.federatedTokens?.refresh_token;
|
|
}
|
|
} else {
|
|
refreshToken = req.authInfo?.refreshToken;
|
|
}
|
|
const expiresAt = Date.now() + sessionExpiry;
|
|
|
|
const callbackUrl = new URL(redirectUri);
|
|
const exchangeCode = await generateAdminExchangeCode(
|
|
cache,
|
|
req.user,
|
|
token,
|
|
refreshToken,
|
|
callbackUrl.origin,
|
|
req.pkceChallenge,
|
|
expiresAt,
|
|
);
|
|
callbackUrl.searchParams.set('code', exchangeCode);
|
|
logger.info(`[OAuth] Admin panel redirect with exchange code for user: ${req.user.email}`);
|
|
return res.redirect(callbackUrl.toString());
|
|
}
|
|
|
|
/** Standard OAuth flow - set cookies and redirect */
|
|
if (
|
|
req.user &&
|
|
req.user.provider == 'openid' &&
|
|
isEnabled(process.env.OPENID_REUSE_TOKENS) === true
|
|
) {
|
|
await syncUserEntraGroupMemberships(req.user, req.user.tokenset.access_token);
|
|
setOpenIDAuthTokens(req.user.tokenset, req, res, {
|
|
userId: req.user._id.toString(),
|
|
tenantId: req.user.tenantId,
|
|
});
|
|
} else {
|
|
await setAuthTokens(req.user._id, res, null, req);
|
|
}
|
|
res.redirect(redirectUri);
|
|
} catch (err) {
|
|
logger.error('Error in setting authentication tokens:', err);
|
|
next(err);
|
|
}
|
|
};
|
|
}
|
|
|
|
module.exports = {
|
|
createOAuthHandler,
|
|
};
|