fix: clear unusable OpenID refresh tokens when reuse is disabled#95
Open
dvorak33 wants to merge 1 commit into
Open
fix: clear unusable OpenID refresh tokens when reuse is disabled#95dvorak33 wants to merge 1 commit into
dvorak33 wants to merge 1 commit into
Conversation
The admin panel BFF stored the IdP refresh token returned by `/api/admin/oauth/exchange` and kept retrying it against `/api/admin/oauth/refresh` even when the deployment has `OPENID_REUSE_TOKENS=false`. The backend correctly rejects that call with `403 TOKEN_REUSE_DISABLED`, but the token stayed in session state and the refresh loop kept firing. - Model refresh calls as a discriminated `RefreshOutcome` (`success` / `reuse_disabled` / `failed`) so callers can distinguish a policy signal from a plain failure. - Detect `403 TOKEN_REUSE_DISABLED` from `/api/admin/oauth/refresh` and clear the stored `refreshToken` from the session in `ensureFreshBearer`, `refreshOn401`, and the `verifyAdminTokenFn` 401-recovery path. - Drop the openid cookie fallback in `oauthExchangeFn` so a missing `refreshToken` in the exchange body is stored as `undefined` instead of a stale value. - Add focused tests for the missing exchange refresh token and the `TOKEN_REUSE_DISABLED` handling in each caller. Fixes ClickHouse#47.
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
I fixed the admin panel's handling of unusable OpenID refresh tokens when the LibreChat deployment has
OPENID_REUSE_TOKENS=false. Before this change, the BFF stored the IdP refresh token returned by/api/admin/oauth/exchangeand kept retrying it against/api/admin/oauth/refresheven though the backend correctly rejects every call with403 TOKEN_REUSE_DISABLED.RefreshOutcome(success/reuse_disabled/failed) so callers can distinguish a policy signal from a plain failure without losing type safety.403 TOKEN_REUSE_DISABLEDfrom/api/admin/oauth/refreshand cleared the storedrefreshTokenfrom the session inensureFreshBearer,refreshOn401, and theverifyAdminTokenFn401-recovery path.oauthExchangeFnso a missingrefreshTokenin the exchange body is stored asundefinedinstead of an unrelated cookie value.TOKEN_REUSE_DISABLEDhandling in each caller.OPENID_REUSE_TOKENS=truebehavior is unchanged: thesuccessoutcome flows through exactly as before, including refresh-token rotation and dedupe.Change Type
Testing
npx vitest run src/server/utils/refresh.test.ts src/server/auth.oauth.test.ts— 32/32 passnpx eslint src/server/auth.ts src/server/utils/refresh.ts src/server/utils/refresh.test.ts src/server/auth.oauth.test.ts— cleannpx tsc --noEmit— cleanTest Configuration
Checklist