Skip to content

🤝 fix: Honor OPENID_REUSE_TOKENS in Admin OAuth Exchange#13154

Merged
danny-avila merged 1 commit into
danny-avila:devfrom
jangByeongHui:fix/admin-oauth-refresh-token-handoff
May 18, 2026
Merged

🤝 fix: Honor OPENID_REUSE_TOKENS in Admin OAuth Exchange#13154
danny-avila merged 1 commit into
danny-avila:devfrom
jangByeongHui:fix/admin-oauth-refresh-token-handoff

Conversation

@jangByeongHui

@jangByeongHui jangByeongHui commented May 16, 2026

Copy link
Copy Markdown
Contributor

Summary

Closes #13033 — honor OPENID_REUSE_TOKENS in the admin OAuth exchange path.

The /api/admin/oauth/refresh endpoint already enforces this flag (returns 403 TOKEN_REUSE_DISABLED when disabled, added in #13007). However, the upstream /api/admin/oauth/exchange path in api/server/controllers/auth/oauth.js unconditionally extracted and forwarded the IdP refreshToken into the exchange payload, regardless of the OPENID_REUSE_TOKENS setting. This left a sensitive IdP refresh token stored in the admin-panel BFF session even when the operator had explicitly disabled token reuse — a policy inconsistency and unnecessary token exposure.

Fix: gate the refreshToken extraction in the admin-panel redirect branch on req.user.provider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS) === true, mirroring the logic already applied in the standard (non-admin) OAuth path and the refresh endpoint.

- const refreshToken =
-   req.user.tokenset?.refresh_token || req.user.federatedTokens?.refresh_token;
+ const refreshToken =
+   req.user.provider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS) === true
+     ? req.user.tokenset?.refresh_token || req.user.federatedTokens?.refresh_token
+     : undefined;

Changed files:

File Change
api/server/controllers/auth/oauth.js Gate refresh-token extraction on OPENID_REUSE_TOKENS flag
api/server/controllers/auth/oauth.spec.js New — unit tests for both enabled/disabled branches

Change Type

  • Bug fix (non-breaking change which fixes an issue)

Testing

Test Configuration

Variable Value
OPENID_REUSE_TOKENS false (disabled branch), true (enabled branch)
Node.js v20.20.2

New Unit Tests

api/server/controllers/auth/oauth.spec.js — added two focused unit tests for the admin-panel redirect path:

  1. OPENID_REUSE_TOKENS disabled — asserts that generateAdminExchangeCode receives undefined as the refresh-token argument, so the exchange payload never contains an IdP token.
  2. OPENID_REUSE_TOKENS enabled — asserts that generateAdminExchangeCode receives the OpenID refresh_token, preserving the existing enabled-path behavior.

Run the new controller tests:

npm --prefix api run test:ci -- \
  --runTestsByPath api/server/controllers/auth/oauth.spec.js

Result:

PASS server/controllers/auth/oauth.spec.js
  createOAuthHandler
    ✓ omits refresh token from admin exchange when OPENID_REUSE_TOKENS is disabled (3 ms)
    ✓ includes refresh token in admin exchange when OPENID_REUSE_TOKENS is enabled (1 ms)

Tests: 2 passed, 2 total

Run together with the related admin refresh regression suite:

npm --prefix api run test:ci -- \
  --runTestsByPath api/server/controllers/auth/oauth.spec.js \
                  api/server/routes/admin/auth.refresh.test.js

Result:

PASS server/controllers/auth/oauth.spec.js
PASS server/routes/admin/auth.refresh.test.js

Test Suites: 2 passed, 2 total
Tests:       8 passed, 8 total

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes

@jangByeongHui jangByeongHui changed the title 🛡️ fix: Honor OPENID_REUSE_TOKENS in admin OAuth exchange 🛡️ fix: Honor OPENID_REUSE_TOKENS in admin OAuth exchange(#13033 ) May 16, 2026
@danny-avila

Copy link
Copy Markdown
Owner

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. More of your lovely PRs please.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@danny-avila danny-avila changed the title 🛡️ fix: Honor OPENID_REUSE_TOKENS in admin OAuth exchange(#13033 ) 🛡️ fix: Honor OPENID_REUSE_TOKENS in Admin OAuth Exchange May 18, 2026
@danny-avila danny-avila changed the title 🛡️ fix: Honor OPENID_REUSE_TOKENS in Admin OAuth Exchange 🤝 fix: Honor OPENID_REUSE_TOKENS in Admin OAuth Exchange May 18, 2026
@danny-avila danny-avila merged commit ac163c2 into danny-avila:dev May 18, 2026
12 checks passed
patricia2510 pushed a commit to lexaeon-org/libre-chat that referenced this pull request May 21, 2026
fuuuzzy pushed a commit to fuuuzzy/LibreChat that referenced this pull request May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants