Skip to content

🔐 fix: Add Tenant Context to Admin OAuth Callback Routes#12579

Merged
danny-avila merged 2 commits into
devfrom
fix/admin-oauth-tenant-context
Apr 9, 2026
Merged

🔐 fix: Add Tenant Context to Admin OAuth Callback Routes#12579
danny-avila merged 2 commits into
devfrom
fix/admin-oauth-tenant-context

Conversation

@dustinhealy

@dustinhealy dustinhealy commented Apr 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

Admin OAuth callback routes (OpenID, SAML, Google, GitHub, Discord, Facebook, Apple) were missing tenantContextMiddleware after passport.authenticate. This caused requireCapability(ACCESS_ADMIN) to fail with [TenantIsolation] Query attempted without tenant context in strict mode, returning a 500 on the callback.

The normal login flow uses requireJwtAuth which chains into tenantContextMiddleware automatically. The admin OAuth callbacks bypass requireJwtAuth and use passport directly, so they need tenantContextMiddleware added explicitly.

Change Type

  • Bug fix (non-breaking change which fixes an issue)

Testing

  • Deploy admin panel with SSO configured
  • Trigger OpenID login flow from admin panel
  • Verify callback completes without 500
  • Verify user lands in admin panel authenticated

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have commented in any complex areas of my code
  • My changes do not introduce new warnings
  • Any changes dependent on mine have been merged and published in downstream modules.

Copilot AI review requested due to automatic review settings April 8, 2026 21:31
Copilot AI reviewed Apr 8, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes admin SSO callback failures under tenant isolation strict mode by ensuring tenant AsyncLocalStorage context is established for admin OAuth callback routes before admin capability checks and downstream DB access.

Changes:

  • Import tenantContextMiddleware from @librechat/api.
  • Add tenantContextMiddleware immediately after passport.authenticate(...) on all admin OAuth callback routes (OpenID, SAML, Google, GitHub, Discord, Facebook, Apple).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@dustinhealy dustinhealy marked this pull request as ready for review April 8, 2026 21:42
@danny-avila

danny-avila commented Apr 8, 2026

Copy link
Copy Markdown
Owner

@codex review

@chatgpt-codex-connector

chatgpt-codex-connector Bot commented Apr 8, 2026

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Breezy!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@dustinhealy dustinhealy changed the base branch from main to dev April 8, 2026 22:02
@danny-avila danny-avila merged commit 55fc37f into dev Apr 9, 2026
10 checks passed
@danny-avila danny-avila deleted the fix/admin-oauth-tenant-context branch April 9, 2026 00:04
jcbartle pushed a commit to jcbartle/LibreChat that referenced this pull request May 11, 2026
@dustinhealy
🔐 fix: Add Tenant Context to Admin OAuth Callback Routes (danny-avila…
189339c 
…#12579)

* 🔐 fix: Add Tenant Context to Admin OAuth Callback Routes

* fix: add tenant context to admin local login route
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dustinhealy @danny-avila