Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion api/strategies/openIdJwtStrategy.js
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ const openIdJwtLogin = (openIdConfig) => {

user.federatedTokens = {
access_token: accessToken || rawToken,
id_token: idToken,
id_token: idToken || rawToken,
refresh_token: refreshToken,
expires_at: payload.exp,
};
Expand Down
4 changes: 2 additions & 2 deletions api/strategies/openIdJwtStrategy.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -315,7 +315,7 @@ describe('openIdJwtStrategy – token source handling', () => {
expect(user.federatedTokens.refresh_token).toBe('cookie-refresh');
});

it('should set id_token to undefined when not available in session or cookies', async () => {
it('should fall back to raw Bearer token for id_token when not available in session or cookies', async () => {
const req = {
headers: {
authorization: 'Bearer raw-bearer-token',
Expand All @@ -326,7 +326,7 @@ describe('openIdJwtStrategy – token source handling', () => {
const { user } = await invokeVerify(req, payload);

expect(user.federatedTokens.access_token).toBe('cookie-access');
expect(user.federatedTokens.id_token).toBeUndefined();
expect(user.federatedTokens.id_token).toBe('raw-bearer-token');
expect(user.federatedTokens.refresh_token).toBe('cookie-refresh');
});

Expand Down
27 changes: 27 additions & 0 deletions packages/api/src/endpoints/openai/initialize.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,33 @@ describe('initializeOpenAI – SSRF guard wiring', () => {
expect(mockValidateEndpointURL).not.toHaveBeenCalled();
});

it('should resolve a stored user key even when the expiry field is missing', async () => {
const params = createParams({
OPENAI_API_KEY: AuthType.USER_PROVIDED,
OPENAI_REVERSE_PROXY: 'https://user-proxy.example.com/v1',
});
params.req.body = {} as BaseInitializeParams['req']['body'];

try {
await initializeOpenAI(params);
} finally {
(params as unknown as { _restore: () => void })._restore();
}

expect(params.db.getUserKeyValues).toHaveBeenCalledWith({
userId: 'user-1',
name: EModelEndpoint.openAI,
});
expect(mockValidateEndpointURL).not.toHaveBeenCalled();
expect(mockGetOpenAIConfig).toHaveBeenCalledWith(
'sk-user-key',
expect.objectContaining({
reverseProxyUrl: 'https://user-proxy.example.com/v1',
}),
EModelEndpoint.openAI,
);
});

it('should propagate SSRF rejection from validateEndpointURL', async () => {
mockValidateEndpointURL.mockRejectedValueOnce(
new Error('Base URL for openAI targets a restricted address.'),
Expand Down
6 changes: 4 additions & 2 deletions packages/api/src/endpoints/openai/initialize.ts
Original file line number Diff line number Diff line change
Expand Up @@ -44,8 +44,10 @@ export async function initializeOpenAI({
const userProvidesURL = isUserProvided(baseURLOptions[endpoint as keyof typeof baseURLOptions]);

let userValues: UserKeyValues | null = null;
if (expiresAt && (userProvidesKey || userProvidesURL)) {
checkUserKeyExpiry(expiresAt, endpoint);
if (userProvidesKey || userProvidesURL) {
if (expiresAt) {
checkUserKeyExpiry(expiresAt, endpoint);
}
userValues = await db.getUserKeyValues({ userId: req.user?.id ?? '', name: endpoint });
}

Expand Down
Loading