From 8a5dbac0f93d39f5eaca2f75acc30deb8e6881b3 Mon Sep 17 00:00:00 2001 From: Dani Regli <1daniregli@gmail.com> Date: Tue, 1 Jul 2025 22:30:06 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=82=20fix:=20Reuse=20OpenID=20Auth=20T?= =?UTF-8?q?okens=20with=20Proxy=20Setup=20(#8151)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fixes https://github.com/danny-avila/LibreChat/issues/8099 in correctly setting up proxy support - fixes the openid Strategy - fixes the openid jwt strategy (jwksRsa fetching in a proxy environment) Signed-off-by: Regli Daniel * Fixes https://github.com/danny-avila/LibreChat/issues/8099 in correctly setting up proxy support - properly formatted Signed-off-by: Regli Daniel <1daniregli@gmail.com> --------- Signed-off-by: Regli Daniel Signed-off-by: Regli Daniel <1daniregli@gmail.com> Co-authored-by: schnaker85 <1daniregligmail.com>
---
 api/strategies/openIdJwtStrategy.js | 26 +++++++++++++++++---------
 api/strategies/openidStrategy.js | 2 +-
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/api/strategies/openIdJwtStrategy.js b/api/strategies/openIdJwtStrategy.js
index dae8d17bc..cc90e2003 100644
--- a/api/strategies/openIdJwtStrategy.js
+++ b/api/strategies/openIdJwtStrategy.js
@@ -1,4 +1,5 @@
 const { SystemRoles } = require('librechat-data-provider');
+const { HttpsProxyAgent } = require('https-proxy-agent');
 const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
 const { updateUser, findUser } = require('~/models');
 const { logger } = require('~/config');
@@ -13,17 +14,23 @@ const { isEnabled } = require('~/server/utils');
 * The strategy extracts the JWT from the Authorization header as a Bearer token.
 * The JWT is then verified using the signing key, and the user is retrieved from the database.
 */
-const openIdJwtLogin = (openIdConfig) =>
- new JwtStrategy(
+const openIdJwtLogin = (openIdConfig) => {
+ let jwksRsaOptions = {
+ cache: isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true,
+ cacheMaxAge: process.env.OPENID_JWKS_URL_CACHE_TIME
+ ? eval(process.env.OPENID_JWKS_URL_CACHE_TIME)
+ : 60000,
+ jwksUri: openIdConfig.serverMetadata().jwks_uri,
+ };
+
+ if (process.env.PROXY) {
+ jwksRsaOptions.requestAgent = new HttpsProxyAgent(process.env.PROXY);
+ }
+
+ return new JwtStrategy(
 {
 jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
- secretOrKeyProvider: jwksRsa.passportJwtSecret({
- cache: isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true,
- cacheMaxAge: process.env.OPENID_JWKS_URL_CACHE_TIME
- ? eval(process.env.OPENID_JWKS_URL_CACHE_TIME)
- : 60000,
- jwksUri: openIdConfig.serverMetadata().jwks_uri,
- }),
+ secretOrKeyProvider: jwksRsa.passportJwtSecret(jwksRsaOptions),
 },
 async (payload, done) => {
 try {
@@ -48,5 +55,6 @@ const openIdJwtLogin = (openIdConfig) =>
 }
 },
 );
+};

 module.exports = openIdJwtLogin;
diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
index 63a1aafd5..563ac8257 100644
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@@ -49,7 +49,7 @@ async function customFetch(url, options) {
 logger.info(`[openidStrategy] proxy agent configured: ${process.env.PROXY}`);
 fetchOptions = {
 ...options,
- dispatcher: new HttpsProxyAgent(process.env.PROXY),
+ dispatcher: new undici.ProxyAgent(process.env.PROXY),
 };
 }
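Review bot: The relocated `cacheMaxAge` lines in the `@@ -13,17 +14,23 @@` hunk of api/strategies/openIdJwtStrategy.js still hand `process.env.OPENID_JWKS_URL_CACHE_TIME` to `eval()`, so whatever that variable holds is executed as code while the authentication strategy is being built; since the commit already rebuilds this options object, it should parse the value as a number instead, e.g. `const ttl = Number(process.env.OPENID_JWKS_URL_CACHE_TIME);` followed by `cacheMaxAge: Number.isFinite(ttl) && ttl > 0 ? ttl : 60000,`. Deployments that currently set the variable to an arithmetic expression would have to switch to a plain millisecond value. In the same object, `isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true` is always truthy, so the setting cannot turn the JWKS cache off, and `jwksRsaOptions` is never reassigned and can be declared `const`. The body of `openIdJwtLogin` continues past the end of this hunk.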