feat(auth): auto-refresh OIDC tokens when session is empty

When the OIDC JWT strategy finds no usable id_token (missing from both the
session and the openid_id_token cookie) but a refreshToken cookie exists,
transparently call the IdP's refresh-token endpoint, repopulate the session,
and continue the request. This makes in-memory session loss invisible to the
user — primarily addressing the deployment-restart scenario where the
MemoryStore is wiped while the browser still holds a valid Bearer token,
which previously caused empty 'Authorization: Bearer ' headers to reach
downstream services like LiteLLM.

If refresh is impossible (no refresh cookie, IdP rejects, etc.), the strategy
fails closed with 401 so the SPA's existing axios interceptor handles it.

- Add refreshOpenIDTokensFromCookie(req, res, userId) helper in AuthService.js
  with module-private dedup map keyed on the refresh-token value, so
  concurrent requests for the same credential share one IdP round-trip.
- Wire helper into openIdJwtStrategy.js: detect missing id_token before
  populating user.federatedTokens, refresh if possible, fail closed otherwise.
- Lazy-require getOpenIdConfig to avoid pulling undici/openid-client into
  unrelated AuthService consumers' module-init.
- Tests: 11 new helper tests (no-cookie short-circuit, IdP success/failure
  paths, getOpenIdConfig throws, missing res, concurrent dedup, sequential
  release, failure release) + 4 new strategy tests (refresh on empty session,
  401 on helper failure, no refresh when not needed, no refresh cookie).
- Updates the existing 'should set id_token to undefined' strategy test to
  reflect the new fail-closed behavior.

Author: bensi94

api/server/services/AuthService.js

@@ -39,6 +39,8 @@ const {
 const { registerSchema } = require('~/strategies/validators');
 const { getAppConfig } = require('~/server/services/Config');
 const { sendEmail } = require('~/server/utils');
+const cookies = require('cookie');
+const openIdClient = require('openid-client');
 
 const domains = {
   client: process.env.DOMAIN_CLIENT,
@@ -714,6 +716,90 @@ const setOpenIDAuthTokens = (
   }
 };
 
+/**
+ * Module-private map for deduplicating concurrent token-refresh calls.
+ * Key: refresh token value. Value: in-flight refresh promise.
+ *
+ * Within a single Node process, two requests that both observe an empty
+ * session for the same refresh token will share one IdP round-trip,
+ * preventing a refresh-token-rotation race.
+ *
+ * @type {Map<string, Promise<object | null>>}
+ */
+const inFlightRefreshes = new Map();
+
+/**
+ * Refresh OpenID tokens server-side using the persistent `refreshToken` cookie.
+ * Used to recover from session loss (e.g. in-memory session store wiped by a
+ * deployment) without forcing the user to re-authenticate.
+ *
+ * @param {import('express').Request} req
+ * @param {import('express').Response} res
+ * @param {string} userId - MongoDB user id, for the openid_user_id cookie.
+ * @returns {Promise<object | null>} The new tokenset on success, or null on any
+ *   failure (no cookie, IdP error, missing res, etc.). Caller treats null as
+ *   "could not refresh — fail closed."
+ */
+const refreshOpenIDTokensFromCookie = async (req, res, userId) => {
+  if (!res) {
+    logger.warn(
+      '[refreshOpenIDTokensFromCookie] No res object available; cannot persist rotated cookies',
+    );
+    return null;
+  }
+
+  const cookieHeader = req?.headers?.cookie;
+  const parsedCookies = cookieHeader ? cookies.parse(cookieHeader) : {};
+  const refreshToken = parsedCookies.refreshToken;
+  if (!refreshToken) {
+    return null;
+  }
+
+  const existing = inFlightRefreshes.get(refreshToken);
+  if (existing) {
+    return existing;
+  }
+
+  const refreshPromise = (async () => {
+    let openIdConfig;
+    try {
+      // Lazy-require to avoid pulling undici/openid-client into all consumers
+      // of AuthService at module-init time (those imports break Node 18 tests
+      // that don't need them).
+      const { getOpenIdConfig } = require('~/strategies/openidStrategy');
+      openIdConfig = getOpenIdConfig();
+    } catch (err) {
+      logger.warn('[refreshOpenIDTokensFromCookie] getOpenIdConfig failed', err);
+      return null;
+    }
+
+    const refreshParams = process.env.OPENID_SCOPE ? { scope: process.env.OPENID_SCOPE } : {};
+
+    let tokenset;
+    try {
+      tokenset = await openIdClient.refreshTokenGrant(openIdConfig, refreshToken, refreshParams);
+    } catch (err) {
+      logger.warn('[refreshOpenIDTokensFromCookie] refreshTokenGrant failed', err);
+      return null;
+    }
+
+    const appAuthToken = setOpenIDAuthTokens(tokenset, req, res, userId, refreshToken);
+    if (!appAuthToken) {
+      logger.warn('[refreshOpenIDTokensFromCookie] setOpenIDAuthTokens returned no token');
+      return null;
+    }
+
+    return tokenset;
+  })();
+
+  inFlightRefreshes.set(refreshToken, refreshPromise);
+  try {
+    return await refreshPromise;
+  } finally {
+    inFlightRefreshes.delete(refreshToken);
+  }
+};
+
 /**
  * Resend Verification Email
  * @param {Object} req
@@ -783,4 +869,5 @@ module.exports = {
   setCloudFrontAuthCookies,
   requestPasswordReset,
   resendVerificationEmail,
+  refreshOpenIDTokensFromCookie,
 };