🛂 fix: Reuse OpenID Auth Tokens with Proxy Setup (danny-avila#8151)

schnaker85 · web-flow · commit ad1dad826b19 · 2025-07-01T16:30:06.000-04:00
* Fixes danny-avila#8099 in correctly setting up proxy support - fixes the openid Strategy - fixes the openid jwt strategy (jwksRsa fetching in a proxy environment) Signed-off-by: Regli Daniel <daniel.regli1@sanitas.com> * Fixes danny-avila#8099 in correctly setting up proxy support - properly formatted Signed-off-by: Regli Daniel <1daniregli@gmail.com> --------- Signed-off-by: Regli Daniel <daniel.regli1@sanitas.com> Signed-off-by: Regli Daniel <1daniregli@gmail.com> Co-authored-by: schnaker85 <1daniregligmail.com>
diff --git a/api/strategies/openIdJwtStrategy.js b/api/strategies/openIdJwtStrategy.js
@@ -1,4 +1,5 @@
 const { SystemRoles } = require('librechat-data-provider');
+const { HttpsProxyAgent } = require('https-proxy-agent');
 const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
 const { updateUser, findUser } = require('~/models');
 const { logger } = require('~/config');
@@ -13,17 +14,23 @@ const { isEnabled } = require('~/server/utils');
  * The strategy extracts the JWT from the Authorization header as a Bearer token.
  * The JWT is then verified using the signing key, and the user is retrieved from the database.
  */
-const openIdJwtLogin = (openIdConfig) =>
-  new JwtStrategy(
+const openIdJwtLogin = (openIdConfig) => {
+  let jwksRsaOptions = {
+    cache: isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true,
+    cacheMaxAge: process.env.OPENID_JWKS_URL_CACHE_TIME
+      ? eval(process.env.OPENID_JWKS_URL_CACHE_TIME)
+      : 60000,
+    jwksUri: openIdConfig.serverMetadata().jwks_uri,
+  };
+
+  if (process.env.PROXY) {
+    jwksRsaOptions.requestAgent = new HttpsProxyAgent(process.env.PROXY);
+  }
+
+  return new JwtStrategy(
     {
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
-      secretOrKeyProvider: jwksRsa.passportJwtSecret({
-        cache: isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true,
-        cacheMaxAge: process.env.OPENID_JWKS_URL_CACHE_TIME
-          ? eval(process.env.OPENID_JWKS_URL_CACHE_TIME)
-          : 60000,
-        jwksUri: openIdConfig.serverMetadata().jwks_uri,
-      }),
+      secretOrKeyProvider: jwksRsa.passportJwtSecret(jwksRsaOptions),
     },
     async (payload, done) => {
       try {
@@ -48,5 +55,6 @@ const openIdJwtLogin = (openIdConfig) =>
       }
     },
   );
+};
 
 module.exports = openIdJwtLogin;
diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
@@ -49,7 +49,7 @@ async function customFetch(url, options) {
       logger.info(`[openidStrategy] proxy agent configured: ${process.env.PROXY}`);
       fetchOptions = {
         ...options,
-        dispatcher: new HttpsProxyAgent(process.env.PROXY),
+        dispatcher: new undici.ProxyAgent(process.env.PROXY),
       };
     }
 

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ async function customFetch(url, options) {`
`49`	`49`	logger.info(`[openidStrategy] proxy agent configured: ${process.env.PROXY}`);
`50`	`50`	`fetchOptions = {`
`51`	`51`	`...options,`
`52`		`- dispatcher: new HttpsProxyAgent(process.env.PROXY),`
	`52`	`+ dispatcher: new undici.ProxyAgent(process.env.PROXY),`
`53`	`53`	`};`
`54`	`54`	`}`
`55`	`55`