🔄 feat: Body-Based OpenID Refresh for Cross-Origin Admin Panels

[dustinhealy]

Summary

The cookie-based /api/auth/refresh controller can't be reached cross-origin because the refresh-token cookie doesn't ship on a fetch from a different host than the LibreChat backend. The result: cross-origin admin panel sessions silently die at JWT expiry with no recovery.

This routes openid sessions through the new POST /api/admin/oauth/refresh endpoint (danny-avila/LibreChat#13007) which accepts the refresh token in the request body and returns the same shape as /api/admin/oauth/exchange: { token, refreshToken, user, expiresAt }. Non-openid (librechat) sessions still use the legacy cookie-based path.

Changes

• src/server/auth.ts — refreshAdminToken posts to /api/admin/oauth/refresh for openid sessions, taking a new userId argument that's forwarded as user_id in the body for disambiguation when multiple user docs share the same OpenID sub. Threads expiresAt from the response into the session.
• src/types/server.ts — adds optional expiresAt?: number (ms epoch) to SessionData and OAuthExchangeResponse so the admin panel can drive proactive refresh before the bearer expires.

Compatibility

• librechat (local) sessions: unchanged, still use /api/auth/refresh with the cookie-based path.
• openid sessions on backends without the new endpoint: refresh returns 404, the admin panel clears the session and redirects to login. Same end-state as before, just one cycle later.

Testing

• The upstream /api/admin/oauth/refresh endpoint (danny-avila/LibreChat#13007) was validated via direct POST against a Microsoft Entra (Azure AD) personal-account tenant: a stored Entra refresh token returned a 200 with a valid { token, refreshToken, user, expiresAt } payload (rotated refresh_token, fresh HS256 LC JWT, ~24h expiresAt).
• This admin-panel-side change calls that same endpoint with the same body shape and parses the same response shape, so the integration is mechanical. Panel-driven refresh has not been exercised end-to-end yet (the bearer's natural expiry would take ~1 hour to test through the UI).
• Type-check and ESLint clean.

[danny-avila]

One follow-up needed now that danny-avila/LibreChat#13007 scopes /api/admin/oauth/refresh by tenant:

• Please forward the trusted X-Tenant-Id header on the BFF refresh request. The backend now reads tenant context via preAuthTenantMiddleware and passes getTenantId() into applyAdminRefresh. If this server-to-server call keeps sending only Content-Type, getTenantId() is undefined and the backend falls back to single-tenant behavior, so the multi-tenant duplicate (sub, iss) protection won't activate. Suggested shape: read getRequestHeader('x-tenant-id') and forward it as X-Tenant-Id on /api/admin/oauth/refresh.
• Please actually use expiresAt before admin API calls. This PR stores it, but apiFetch still sends the session bearer as-is. If an admin stays on a page past JWT expiry, the next query/mutation can fail with 401 before route-level verification refreshes. Prefer centralizing token freshness in apiFetch: refresh when expiresAt is within a small skew window, persist any rotated refresh token, and retry once on 401.

Suggested tests: tenant header forwarded/omitted correctly, apiFetch proactively refreshes near expiry, rotated refresh token is persisted, and 401 retry happens only once.

[danny-avila]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d6aa8680e1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".