Spaces:

helloya20
/

chat

Configuration error

App Files Files Community

chat / api /strategies /openidStrategy.js

helloya20's picture

Upload 2345 files

f0743f4 verified 3 months ago

history blame contribute delete

20.7 kB

	const undici = require('undici');
	const { get } = require('lodash');
	const fetch = require('node-fetch');
	const passport = require('passport');
	const client = require('openid-client');
	const jwtDecode = require('jsonwebtoken/decode');
	const { HttpsProxyAgent } = require('https-proxy-agent');
	const { hashToken, logger } = require('@librechat/data-schemas');
	const { CacheKeys, ErrorTypes } = require('librechat-data-provider');
	const { Strategy: OpenIDStrategy } = require('openid-client/passport');
	const {
	isEnabled,
	logHeaders,
	safeStringify,
	findOpenIDUser,
	getBalanceConfig,
	isEmailDomainAllowed,
	} = require('@librechat/api');
	const { getStrategyFunctions } = require('~/server/services/Files/strategies');
	const { findUser, createUser, updateUser } = require('~/models');
	const { getAppConfig } = require('~/server/services/Config');
	const getLogStores = require('~/cache/getLogStores');

	/**
	* @typedef {import('openid-client').ClientMetadata} ClientMetadata
	* @typedef {import('openid-client').Configuration} Configuration
	**/

	/**
	* @param {string} url
	* @param {client.CustomFetchOptions} options
	*/
	async function customFetch(url, options) {
	const urlStr = url.toString();
	logger.debug(`[openidStrategy] Request to: ${urlStr}`);
	const debugOpenId = isEnabled(process.env.DEBUG_OPENID_REQUESTS);
	if (debugOpenId) {
	logger.debug(`[openidStrategy] Request method: ${options.method \|\| 'GET'}`);
	logger.debug(`[openidStrategy] Request headers: ${logHeaders(options.headers)}`);
	if (options.body) {
	let bodyForLogging = '';
	if (options.body instanceof URLSearchParams) {
	bodyForLogging = options.body.toString();
	} else if (typeof options.body === 'string') {
	bodyForLogging = options.body;
	} else {
	bodyForLogging = safeStringify(options.body);
	}
	logger.debug(`[openidStrategy] Request body: ${bodyForLogging}`);
	}
	}

	try {
	/** @type {undici.RequestInit} */
	let fetchOptions = options;
	if (process.env.PROXY) {
	logger.info(`[openidStrategy] proxy agent configured: ${process.env.PROXY}`);
	fetchOptions = {
	...options,
	dispatcher: new undici.ProxyAgent(process.env.PROXY),
	};
	}

	const response = await undici.fetch(url, fetchOptions);

	if (debugOpenId) {
	logger.debug(`[openidStrategy] Response status: ${response.status} ${response.statusText}`);
	logger.debug(`[openidStrategy] Response headers: ${logHeaders(response.headers)}`);
	}

	if (response.status === 200 && response.headers.has('www-authenticate')) {
	const wwwAuth = response.headers.get('www-authenticate');
	logger.warn(`[openidStrategy] Non-standard WWW-Authenticate header found in successful response (200 OK): ${wwwAuth}.
	This violates RFC 7235 and may cause issues with strict OAuth clients. Removing header for compatibility.`);

	/** Cloned response without the WWW-Authenticate header */
	const responseBody = await response.arrayBuffer();
	const newHeaders = new Headers();
	for (const [key, value] of response.headers.entries()) {
	if (key.toLowerCase() !== 'www-authenticate') {
	newHeaders.append(key, value);
	}
	}

	return new Response(responseBody, {
	status: response.status,
	statusText: response.statusText,
	headers: newHeaders,
	});
	}

	return response;
	} catch (error) {
	logger.error(`[openidStrategy] Fetch error: ${error.message}`);
	throw error;
	}
	}

	/** @typedef {Configuration \| null} */
	let openidConfig = null;

	//overload currenturl function because of express version 4 buggy req.host doesn't include port
	//More info https://github.com/panva/openid-client/pull/713

	class CustomOpenIDStrategy extends OpenIDStrategy {
	currentUrl(req) {
	const hostAndProtocol = process.env.DOMAIN_SERVER;
	return new URL(`${hostAndProtocol}${req.originalUrl ?? req.url}`);
	}

	authorizationRequestParams(req, options) {
	const params = super.authorizationRequestParams(req, options);
	if (options?.state && !params.has('state')) {
	params.set('state', options.state);
	}

	if (process.env.OPENID_AUDIENCE) {
	params.set('audience', process.env.OPENID_AUDIENCE);
	logger.debug(
	`[openidStrategy] Adding audience to authorization request: ${process.env.OPENID_AUDIENCE}`,
	);
	}

	/** Generate nonce for federated providers that require it */
	const shouldGenerateNonce = isEnabled(process.env.OPENID_GENERATE_NONCE);
	if (shouldGenerateNonce && !params.has('nonce') && this._sessionKey) {
	const crypto = require('crypto');
	const nonce = crypto.randomBytes(16).toString('hex');
	params.set('nonce', nonce);
	logger.debug('[openidStrategy] Generated nonce for federated provider:', nonce);
	}

	return params;
	}
	}

	/**
	* Exchange the access token for a new access token using the on-behalf-of flow if required.
	* @param {Configuration} config
	* @param {string} accessToken access token to be exchanged if necessary
	* @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
	* @param {boolean} fromCache - Indicates whether to use cached tokens.
	* @returns {Promise<string>} The new access token if exchanged, otherwise the original access token.
	*/
	const exchangeAccessTokenIfNeeded = async (config, accessToken, sub, fromCache = false) => {
	const tokensCache = getLogStores(CacheKeys.OPENID_EXCHANGED_TOKENS);
	const onBehalfFlowRequired = isEnabled(process.env.OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED);
	if (onBehalfFlowRequired) {
	if (fromCache) {
	const cachedToken = await tokensCache.get(sub);
	if (cachedToken) {
	return cachedToken.access_token;
	}
	}
	const grantResponse = await client.genericGrantRequest(
	config,
	'urn:ietf:params:oauth:grant-type:jwt-bearer',
	{
	scope: process.env.OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE \|\| 'user.read',
	assertion: accessToken,
	requested_token_use: 'on_behalf_of',
	},
	);
	await tokensCache.set(
	sub,
	{
	access_token: grantResponse.access_token,
	},
	grantResponse.expires_in * 1000,
	);
	return grantResponse.access_token;
	}
	return accessToken;
	};

	/**
	* get user info from openid provider
	* @param {Configuration} config
	* @param {string} accessToken access token
	* @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
	* @returns {Promise<Object\|null>}
	*/
	const getUserInfo = async (config, accessToken, sub) => {
	try {
	const exchangedAccessToken = await exchangeAccessTokenIfNeeded(config, accessToken, sub);
	return await client.fetchUserInfo(config, exchangedAccessToken, sub);
	} catch (error) {
	logger.error('[openidStrategy] getUserInfo: Error fetching user info:', error);
	return null;
	}
	};

	/**
	* Downloads an image from a URL using an access token.
	* @param {string} url
	* @param {Configuration} config
	* @param {string} accessToken access token
	* @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
	* @returns {Promise<Buffer \| string>} The image buffer or an empty string if the download fails.
	*/
	const downloadImage = async (url, config, accessToken, sub) => {
	const exchangedAccessToken = await exchangeAccessTokenIfNeeded(config, accessToken, sub, true);
	if (!url) {
	return '';
	}

	try {
	const options = {
	method: 'GET',
	headers: {
	Authorization: `Bearer ${exchangedAccessToken}`,
	},
	};

	if (process.env.PROXY) {
	options.agent = new HttpsProxyAgent(process.env.PROXY);
	}

	const response = await fetch(url, options);

	if (response.ok) {
	const buffer = await response.buffer();
	return buffer;
	} else {
	throw new Error(`${response.statusText} (HTTP ${response.status})`);
	}
	} catch (error) {
	logger.error(
	`[openidStrategy] downloadImage: Error downloading image at URL "${url}": ${error}`,
	);
	return '';
	}
	};

	/**
	* Determines the full name of a user based on OpenID userinfo and environment configuration.
	*
	* @param {Object} userinfo - The user information object from OpenID Connect
	* @param {string} [userinfo.given_name] - The user's first name
	* @param {string} [userinfo.family_name] - The user's last name
	* @param {string} [userinfo.username] - The user's username
	* @param {string} [userinfo.email] - The user's email address
	* @returns {string} The determined full name of the user
	*/
	function getFullName(userinfo) {
	if (process.env.OPENID_NAME_CLAIM) {
	return userinfo[process.env.OPENID_NAME_CLAIM];
	}

	if (userinfo.given_name && userinfo.family_name) {
	return `${userinfo.given_name} ${userinfo.family_name}`;
	}

	if (userinfo.given_name) {
	return userinfo.given_name;
	}

	if (userinfo.family_name) {
	return userinfo.family_name;
	}

	return userinfo.username \|\| userinfo.email;
	}

	/**
	* Converts an input into a string suitable for a username.
	* If the input is a string, it will be returned as is.
	* If the input is an array, elements will be joined with underscores.
	* In case of undefined or other falsy values, a default value will be returned.
	*
	* @param {string \| string[] \| undefined} input - The input value to be converted into a username.
	* @param {string} [defaultValue=''] - The default value to return if the input is falsy.
	* @returns {string} The processed input as a string suitable for a username.
	*/
	function convertToUsername(input, defaultValue = '') {
	if (typeof input === 'string') {
	return input;
	} else if (Array.isArray(input)) {
	return input.join('_');
	}

	return defaultValue;
	}

	/**
	* Sets up the OpenID strategy for authentication.
	* This function configures the OpenID client, handles proxy settings,
	* and defines the OpenID strategy for Passport.js.
	*
	* @async
	* @function setupOpenId
	* @returns {Promise<Configuration \| null>} A promise that resolves when the OpenID strategy is set up and returns the openid client config object.
	* @throws {Error} If an error occurs during the setup process.
	*/
	async function setupOpenId() {
	try {
	const shouldGenerateNonce = isEnabled(process.env.OPENID_GENERATE_NONCE);

	/** @type {ClientMetadata} */
	const clientMetadata = {
	client_id: process.env.OPENID_CLIENT_ID,
	client_secret: process.env.OPENID_CLIENT_SECRET,
	};

	if (shouldGenerateNonce) {
	clientMetadata.response_types = ['code'];
	clientMetadata.grant_types = ['authorization_code'];
	clientMetadata.token_endpoint_auth_method = 'client_secret_post';
	}

	/** @type {Configuration} */
	openidConfig = await client.discovery(
	new URL(process.env.OPENID_ISSUER),
	process.env.OPENID_CLIENT_ID,
	clientMetadata,
	undefined,
	{
	[client.customFetch]: customFetch,
	},
	);

	const requiredRole = process.env.OPENID_REQUIRED_ROLE;
	const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
	const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;
	const usePKCE = isEnabled(process.env.OPENID_USE_PKCE);
	logger.info(`[openidStrategy] OpenID authentication configuration`, {
	generateNonce: shouldGenerateNonce,
	reason: shouldGenerateNonce
	? 'OPENID_GENERATE_NONCE=true - Will generate nonce and use explicit metadata for federated providers'
	: 'OPENID_GENERATE_NONCE=false - Standard flow without explicit nonce or metadata',
	});

	// Set of env variables that specify how to set if a user is an admin
	// If not set, all users will be treated as regular users
	const adminRole = process.env.OPENID_ADMIN_ROLE;
	const adminRoleParameterPath = process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH;
	const adminRoleTokenKind = process.env.OPENID_ADMIN_ROLE_TOKEN_KIND;

	const openidLogin = new CustomOpenIDStrategy(
	{
	config: openidConfig,
	scope: process.env.OPENID_SCOPE,
	callbackURL: process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL,
	clockTolerance: process.env.OPENID_CLOCK_TOLERANCE \|\| 300,
	usePKCE,
	},
	/**
	* @param {import('openid-client').TokenEndpointResponseHelpers} tokenset
	* @param {import('passport-jwt').VerifyCallback} done
	*/
	async (tokenset, done) => {
	try {
	const claims = tokenset.claims();
	const userinfo = {
	...claims,
	...(await getUserInfo(openidConfig, tokenset.access_token, claims.sub)),
	};

	const appConfig = await getAppConfig();
	/** Azure AD sometimes doesn't return email, use preferred_username as fallback */
	const email = userinfo.email \|\| userinfo.preferred_username \|\| userinfo.upn;
	if (!isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains)) {
	logger.error(
	`[OpenID Strategy] Authentication blocked - email domain not allowed [Email: ${email}]`,
	);
	return done(null, false, { message: 'Email domain not allowed' });
	}

	const result = await findOpenIDUser({
	findUser,
	email: email,
	openidId: claims.sub,
	idOnTheSource: claims.oid,
	strategyName: 'openidStrategy',
	});
	let user = result.user;
	const error = result.error;

	if (error) {
	return done(null, false, {
	message: ErrorTypes.AUTH_FAILED,
	});
	}

	const fullName = getFullName(userinfo);

	if (requiredRole) {
	const requiredRoles = requiredRole
	.split(',')
	.map((role) => role.trim())
	.filter(Boolean);
	let decodedToken = '';
	if (requiredRoleTokenKind === 'access') {
	decodedToken = jwtDecode(tokenset.access_token);
	} else if (requiredRoleTokenKind === 'id') {
	decodedToken = jwtDecode(tokenset.id_token);
	}

	let roles = get(decodedToken, requiredRoleParameterPath);
	if (!roles \|\| (!Array.isArray(roles) && typeof roles !== 'string')) {
	logger.error(
	`[openidStrategy] Key '${requiredRoleParameterPath}' not found or invalid type in ${requiredRoleTokenKind} token!`,
	);
	const rolesList =
	requiredRoles.length === 1
	? `"${requiredRoles[0]}"`
	: `one of: ${requiredRoles.map((r) => `"${r}"`).join(', ')}`;
	return done(null, false, {
	message: `You must have ${rolesList} role to log in.`,
	});
	}

	if (!requiredRoles.some((role) => roles.includes(role))) {
	const rolesList =
	requiredRoles.length === 1
	? `"${requiredRoles[0]}"`
	: `one of: ${requiredRoles.map((r) => `"${r}"`).join(', ')}`;
	return done(null, false, {
	message: `You must have ${rolesList} role to log in.`,
	});
	}
	}

	let username = '';
	if (process.env.OPENID_USERNAME_CLAIM) {
	username = userinfo[process.env.OPENID_USERNAME_CLAIM];
	} else {
	username = convertToUsername(
	userinfo.preferred_username \|\| userinfo.username \|\| userinfo.email,
	);
	}

	if (!user) {
	user = {
	provider: 'openid',
	openidId: userinfo.sub,
	username,
	email: email \|\| '',
	emailVerified: userinfo.email_verified \|\| false,
	name: fullName,
	idOnTheSource: userinfo.oid,
	};

	const balanceConfig = getBalanceConfig(appConfig);
	user = await createUser(user, balanceConfig, true, true);
	} else {
	user.provider = 'openid';
	user.openidId = userinfo.sub;
	user.username = username;
	user.name = fullName;
	user.idOnTheSource = userinfo.oid;
	if (email && email !== user.email) {
	user.email = email;
	user.emailVerified = userinfo.email_verified \|\| false;
	}
	}

	if (adminRole && adminRoleParameterPath && adminRoleTokenKind) {
	let adminRoleObject;
	switch (adminRoleTokenKind) {
	case 'access':
	adminRoleObject = jwtDecode(tokenset.access_token);
	break;
	case 'id':
	adminRoleObject = jwtDecode(tokenset.id_token);
	break;
	case 'userinfo':
	adminRoleObject = userinfo;
	break;
	default:
	logger.error(
	`[openidStrategy] Invalid admin role token kind: ${adminRoleTokenKind}. Must be one of 'access', 'id', or 'userinfo'.`,
	);
	return done(new Error('Invalid admin role token kind'));
	}

	const adminRoles = get(adminRoleObject, adminRoleParameterPath);

	// Accept 3 types of values for the object extracted from adminRoleParameterPath:
	// 1. A boolean value indicating if the user is an admin
	// 2. A string with a single role name
	// 3. An array of role names

	if (
	adminRoles &&
	(adminRoles === true \|\|
	adminRoles === adminRole \|\|
	(Array.isArray(adminRoles) && adminRoles.includes(adminRole)))
	) {
	user.role = 'ADMIN';
	logger.info(
	`[openidStrategy] User ${username} is an admin based on role: ${adminRole}`,
	);
	} else if (user.role === 'ADMIN') {
	user.role = 'USER';
	logger.info(
	`[openidStrategy] User ${username} demoted from admin - role no longer present in token`,
	);
	}
	}

	if (!!userinfo && userinfo.picture && !user.avatar?.includes('manual=true')) {
	/** @type {string \| undefined} */
	const imageUrl = userinfo.picture;

	let fileName;
	if (crypto) {
	fileName = (await hashToken(userinfo.sub)) + '.png';
	} else {
	fileName = userinfo.sub + '.png';
	}

	const imageBuffer = await downloadImage(
	imageUrl,
	openidConfig,
	tokenset.access_token,
	userinfo.sub,
	);
	if (imageBuffer) {
	const { saveBuffer } = getStrategyFunctions(
	appConfig?.fileStrategy ?? process.env.CDN_PROVIDER,
	);
	const imagePath = await saveBuffer({
	fileName,
	userId: user._id.toString(),
	buffer: imageBuffer,
	});
	user.avatar = imagePath ?? '';
	}
	}

	user = await updateUser(user._id, user);

	logger.info(
	`[openidStrategy] login success openidId: ${user.openidId} \| email: ${user.email} \| username: ${user.username} `,
	{
	user: {
	openidId: user.openidId,
	username: user.username,
	email: user.email,
	name: user.name,
	},
	},
	);

	done(null, {
	...user,
	tokenset,
	federatedTokens: {
	access_token: tokenset.access_token,
	refresh_token: tokenset.refresh_token,
	expires_at: tokenset.expires_at,
	},
	});
	} catch (err) {
	logger.error('[openidStrategy] login failed', err);
	done(err);
	}
	},
	);
	passport.use('openid', openidLogin);
	return openidConfig;
	} catch (err) {
	logger.error('[openidStrategy]', err);
	return null;
	}
	}
	/**
	* @function getOpenIdConfig
	* @description Returns the OpenID client instance.
	* @throws {Error} If the OpenID client is not initialized.
	* @returns {Configuration}
	*/
	function getOpenIdConfig() {
	if (!openidConfig) {
	throw new Error('OpenID client is not initialized. Please call setupOpenId first.');
	}
	return openidConfig;
	}

	module.exports = {
	setupOpenId,
	getOpenIdConfig,
	};