
🐛 fix(auth): return 401 for expired OIDC JWT instead of 500 #14014

Merged
tjx666 merged 4 commits into canary from fix/oidc-auth-return-401 on Apr 21, 2026

Conversation


@tjx666 tjx666 commented Apr 21, 2026

Member

💻 Change Type

  • 🐛 fix

🔗 Related Issue

Fixes LOBE-7494

🔀 Description of Change

validateOIDCJWT wraps any JWT verification failure (including JWTExpired from jose) into a TRPCError({ code: 'UNAUTHORIZED' }). The webapi auth middleware's catch block only matched e.code === 'ERR_JWT_EXPIRED' — which is swallowed by that wrap — and fell through to InternalServerError, returning 500 instead of 401.

Because the response lacked the X-Auth-Required header that BackendProxyProtocolManager uses to trigger notifyAuthorizationRequired, desktop/CLI clients with expired tokens never prompted re-login and retried indefinitely, producing sustained 500 bursts (~40 req/s on /webapi/chat/lobehub).

Changes

  • Add isUnauthorizedAuthError branch mapping UNAUTHORIZED to ChatErrorType.Unauthorized (401) with the X-Auth-Required header.
  • Add getOIDCClientDebugInfo to decode the JWT payload for observability only (explicitly NOT used for authorization decisions).
  • Add opt-in console.info('[auth] OIDC authentication failed', ...) logging, gated on Oidc-Auth presence to avoid flooding from unauthenticated browser hits. Logged fields: clientId, code, path, provider, userAgent, xClientType — intended to identify which client version is sending expired tokens.

Sibling callers verified clean

Other callers of validateOIDCJWT already handle the failure by swallowing and falling back to Better Auth / API Key, so no parallel fix is needed:

  • src/libs/trpc/lambda/context.ts:198
  • packages/openapi/src/middleware/auth.ts:183

🧪 How to Test

  • Tested locally
  • Added/updated tests
  • No tests needed

Unit test added: should return unauthorized when OIDC JWT validation throws UNAUTHORIZED. All 6 existing tests pass.

```sh
bunx vitest run --silent='passed-only' 'src/app/(backend)/middleware/auth/index.test.ts'
```

📝 Additional Information

Root cause (jose ERR_JWT_EXPIRED being rewrapped with the original code lost) predates this PR; a follow-up can restore the original error via cause in src/libs/oidc-provider/jwt.ts and simplify the middleware. Deferred to keep this change surgical and hotfix-friendly.

See LOBE-7494 for the full incident timeline, including the net.fetch (#13400) trigger hypothesis.

validateOIDCJWT wraps any JWT verification failure (including JWTExpired
from jose) into a TRPCError({ code: 'UNAUTHORIZED' }). The webapi auth
middleware's catch block only matched e.code === 'ERR_JWT_EXPIRED' —
which is swallowed by that wrap — and fell through to
InternalServerError, returning 500 without the X-Auth-Required header.
Desktop/CLI clients with expired tokens never saw a re-auth signal and
retried indefinitely, producing sustained 500 bursts.

- Add isUnauthorizedAuthError branch mapping UNAUTHORIZED to
  ChatErrorType.Unauthorized (401) with X-Auth-Required header.
- Add getOIDCClientDebugInfo to decode JWT payload for observability
  only (explicitly NOT used for authorization decisions).
- Add opt-in console.info('[auth] OIDC authentication failed', ...)
  logging gated on Oidc-Auth presence to avoid flooding from
  unauthenticated browser hits. Logged fields: clientId, code, path,
  provider, userAgent, xClientType.

vercel Bot commented Apr 21, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| lobehub | Ready | Preview, Comment | Apr 21, 2026 8:38am |


@sourcery-ai sourcery-ai Bot left a comment


We've reviewed this pull request using the Sourcery rules engine

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3bbb9a6589


Comment on lines +124 to +128

```ts
if (isUnauthorizedAuthError(e)) {
  return createErrorResponse(ChatErrorType.Unauthorized, {
    error: e,
    provider: params?.provider,
  });
```


P2: Restrict UNAUTHORIZED mapping to token-validation errors

The new isUnauthorizedAuthError branch converts every thrown object with code === 'UNAUTHORIZED' into ChatErrorType.Unauthorized (401 + X-Auth-Required), but validateOIDCJWT currently wraps non-auth infrastructure failures (for example JWKS parse/key-loading errors) into TRPCError({ code: 'UNAUTHORIZED' }) as well. In those cases this change misclassifies a server outage as a client auth problem, causing desktop/CLI to prompt/retry login instead of surfacing an internal error; this branch should only map to 401 when the underlying cause is truly token/auth related.



codecov Bot commented Apr 21, 2026


Codecov Report

❌ Patch coverage is 94.87179% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.84%. Comparing base (518358b) to head (c90863f).
⚠️ Report is 8 commits behind head on canary.

Additional details and impacted files

```text
@@            Coverage Diff             @@
##           canary   #14014      +/-   ##
==========================================
+ Coverage   66.81%   66.84%   +0.03%     
==========================================
  Files        2100     2100              
  Lines      179130   179179      +49     
  Branches    21895    21141     -754     
==========================================
+ Hits       119682   119771      +89     
+ Misses      59324    59284      -40     
  Partials      124      124              
```

| Flag | Coverage Δ |
| --- | --- |
| app | 59.45% <94.87%> (+0.04%) ⬆️ |
| database | 92.25% <ø> (ø) |
| packages/agent-runtime | 79.72% <ø> (ø) |
| packages/context-engine | 83.18% <ø> (ø) |
| packages/conversation-flow | 92.40% <ø> (ø) |
| packages/file-loaders | 87.02% <ø> (ø) |
| packages/memory-user-memory | 74.74% <ø> (ø) |
| packages/model-bank | 99.86% <ø> (ø) |
| packages/model-runtime | 84.22% <ø> (+<0.01%) ⬆️ |
| packages/prompts | 69.08% <ø> (ø) |
| packages/python-interpreter | 92.90% <ø> (ø) |
| packages/ssrf-safe-fetch | 0.00% <ø> (ø) |
| packages/utils | 87.95% <ø> (ø) |
| packages/web-crawler | 88.66% <ø> (ø) |


| Component | Coverage Δ |
| --- | --- |
| Store | 66.24% <0.00%> (-0.04%) ⬇️ |
| Services | 51.92% <ø> (+0.03%) ⬆️ |
| Server | 66.78% <ø> (ø) |
| Libs | 52.57% <100.00%> (+1.24%) ⬆️ |
| Utils | 80.59% <ø> (ø) |

Follow-up to the OIDC 401 mapping (PR #14014) after review feedback:

- `validateOIDCJWT` now lets `getVerificationKey` failures (missing/invalid
  JWKS_KEY, key import errors) propagate as plain Error so they map to 500
  instead of being misclassified as client-side 401. JWT verification
  failures still wrap into TRPCError UNAUTHORIZED, now with the original
  jose error preserved via `cause`.
- `checkAuth` walks the `cause` chain to recover `ERR_JWT_EXPIRED`, so
  clock-skew cases return SystemTimeNotMatchError instead of a generic
  Unauthorized that would trigger a re-login loop.
- Regression tests cover both new paths.
The follow-up branch mapped ERR_JWT_EXPIRED to SystemTimeNotMatchError
(HTTP 400, no X-Auth-Required header), but the desktop/CLI re-auth
flow only fires on Unauthorized (401 + X-Auth-Required). Routing
expired tokens to SystemTimeNotMatchError would leave the client
without a re-login signal — the exact regression PR #14014 was fixing
— and "exp claim failed" is not sufficient evidence of a client
clock skew anyway (a genuinely expired token raises the same code).

All OIDC token failures now uniformly return 401 + X-Auth-Required so
the client can recover. JWKS/key infrastructure failures remain
plain-Error → 500 as added in the previous commit.
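The wrap-and-classify logic described in the PR description and refined in the two follow-up commit messages above, as an added example that is not LobeHub's code: jose's JWTExpired, TRPCError, validateOIDCJWT and checkAuth are constructed stand-ins, the token is a toy "<sub>:<exp-seconds>" string rather than a signed JWT, and the X-Auth-Required header value is assumed.

```typescript
// Added example, not LobeHub's code. Stand-ins for jose's JWTExpired and tRPC's TRPCError.
class JWTExpired extends Error { code = 'ERR_JWT_EXPIRED'; }
class TRPCError extends Error {
  code: string; cause: unknown;
  constructor(code: string, message: string, cause?: unknown) { super(message); this.code = code; this.cause = cause; }
}
// Toy verifier standing in for jose.jwtVerify: a "token" is "<sub>:<exp-seconds>" (constructed).
function verify(token: string, nowMs: number): { sub: string } {
  const [sub, exp] = token.split(':');
  if (!sub || !exp) throw new Error('malformed token');
  if (Number(exp) * 1000 < nowMs) throw new JWTExpired('"exp" claim timestamp check failed');
  return { sub };
}
// Models validateOIDCJWT after the follow-up commit: key-loading failures propagate as a plain
// Error (server problem); verification failures wrap to UNAUTHORIZED with the jose error as cause.
function validateOIDCJWT(token: string, jwksKey: string | undefined, nowMs: number): { sub: string } {
  if (!jwksKey) throw new Error('JWKS_KEY missing or invalid');
  try { return verify(token, nowMs); }
  catch (e) { throw new TRPCError('UNAUTHORIZED', 'OIDC token invalid', e); }
}
function isUnauthorizedAuthError(e: unknown): e is TRPCError {
  return e instanceof TRPCError && e.code === 'UNAUTHORIZED';
}
// Walk the cause chain for an error code, bounded so a cyclic chain cannot loop forever.
function hasCauseCode(e: unknown, code: string, depth = 0): boolean {
  if (depth > 8 || !(e instanceof Error)) return false;
  const { code: c, cause } = e as { code?: string; cause?: unknown };
  return c === code || hasCauseCode(cause, code, depth + 1);
}
type AuthResult = { status: number; headers: Record<string, string>; expired: boolean };
// Before the fix: only the outer error's code was inspected, so the wrapped jose code was
// never seen and an expired token fell through to 500 without X-Auth-Required.
function checkAuthBefore(token: string, jwksKey: string | undefined, nowMs: number): AuthResult {
  try { validateOIDCJWT(token, jwksKey, nowMs); return { status: 200, headers: {}, expired: false }; }
  catch (e) {
    // Unreachable: the code lives on the wrapped cause, not on the TRPCError itself.
    if ((e as { code?: string }).code === 'ERR_JWT_EXPIRED') return { status: 401, headers: {}, expired: true };
    return { status: 500, headers: {}, expired: false };
  }
}
// After the fix: any UNAUTHORIZED becomes 401 + X-Auth-Required (header value assumed) so the
// client re-auth flow fires; infrastructure errors stay 500. The cause walk is for observability.
function checkAuth(token: string, jwksKey: string | undefined, nowMs: number): AuthResult {
  try { validateOIDCJWT(token, jwksKey, nowMs); return { status: 200, headers: {}, expired: false }; }
  catch (e) {
    if (isUnauthorizedAuthError(e))
      return { status: 401, headers: { 'X-Auth-Required': 'true' }, expired: hasCauseCode(e, 'ERR_JWT_EXPIRED') };
    return { status: 500, headers: {}, expired: false };
  }
}
```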
@tjx666 tjx666 merged commit 61224fe into canary Apr 21, 2026
34 of 35 checks passed
@tjx666 tjx666 deleted the fix/oidc-auth-return-401 branch April 21, 2026 08:43
@arvinxx arvinxx mentioned this pull request Apr 27, 2026
arvinxx added a commit that referenced this pull request Apr 27, 2026
# 🚀 LobeHub v2.1.53 (20260427)

**Release Date:** April 27, 2026
**Since v2.1.52:** 194 merged PRs · 17 contributors

> Introduce Heterogeneous Agent — Claude Code and Codex run as
first-class desktop runtimes, paired with a new Agent Signal package,
sharper desktop UX, and a wave of flagship model additions.

---

## ✨ Highlights

- **Introduce Heterogeneous Agent** — Claude Code and Codex run as
first-class desktop agents: subagent rendering, partial-message
streaming, multi-turn resume, terminal error surfacing, rich tool
inspectors, and runtime polish. (#14162, #13754, #14067, #14001, #13970,
#13942)
- **Screen capture & Quick Chat tray** — New desktop screen capture
overlay (macOS permission-gated) with Quick Chat tray and upload
pipeline improvements; chat input auto-focuses on overlay mount.
(#13818, #14097, #14105)
- **Desktop topic & tab UX** — Dedicated topic popup window with
cross-window sync, Cmd+W/Cmd+T tab shortcuts, TabBar polish, recent
working directories expanded to 20, and human approval notifications.
(#13957, #13983, #13972, #14036, #14092)
- **Git workflow built-in** — One-click pull/push from the branch chip,
ahead/behind badge, and submodule/worktree repo detection. (#14041,
#13980, #13978)
- **Agent Signal package** — New `@lobechat/agent-signal` runtime for
dynamic memory feedback signals, with OTel metrics and self-iteration in
Lab. (#14157, #14170, #14159, #14169, #14187)
- **New models** — Claude Opus 4.7 with `xhigh` effort tier, GPT-5.5,
DeepSeek V4 Flash/Pro with reasoning slider, Kimi K2.6, MiMo-V2.5/Pro,
gpt-image-2, Qwen3.6 Flash/Plus, and Pixverse-c1. (#13903, #14147,
#14114, #14004, #14089, #14039, #13923)
- **New providers** — OpenCode Zen, OpenCode Go, and Azure OpenAI Router
runtime. (#13943, #14064, #13823)
- **Mobile settings overhaul** — Full settings menu and responsive
profile layout for mobile. (#14019)

---

## 🏗️ Heterogeneous Agent

- Claude Code runtime, working-directory awareness, and sidebar polish.
(#13970)
- CC subagent rendering with persistent streamed text; parallel-tool
orphan fix. (#14001, #13968, #14024)
- Per-step usage persisted to each step assistant message. (#13964)
- Per-phase workflow expand defaults; full-expand toggle with
three-level expansion. (#14171, #13906)
- Hetero-mode actions bar; tool inspector polish. (#13963, #14034,
#14030)
- Codex desktop integration with rich tool rendering and devtools
preview. (#14067, #14100)
- Codex terminal error surfacing and CLI output tracing. (#14166)
- Tighten `isCanUseVision` default and add aggregator fallback. (#14172)
- Persist `ccSessionId` in topic metadata for CC multi-turn resume.
(#13902)
- CC account card, topic filter, and integration polish. (#13955,
#13942, #13950)
- Token-level deltas streamed via `--include-partial-messages`. (#13929)

---

## 🧠 Agent Signal & Self-Iteration

- New `@lobechat/agent-signal` package with dynamic feedback signals.
(#14157)
- AgentSignalRuntime wired through agent-tracing and observability-otel
metrics. (#14170, #14159)
- Self-iteration feature flag added to Lab; front-side flag check.
(#14169, #14186)
- Signal policy for receiving memory feedback dynamically. (#14187)

---

## 💬 Conversation

- Queue follow-up sends during running CC turns. (#14179)
- Persist per-topic chat scroll position; pin user message + fold long
messages. (#14191, #14056)
- Inline resend when editing last user message. (#14080)
- Disable first-block markdown streaming to prevent flicker. (#14193,
#13904)
- Prevent Markdown stream replay when vlist remounts streaming items.
(#14086)
- Stop repinning after manual scroll; unify scroll-to-user + spacer
hooks. (#14099, #14132)

---

## 📱 Platforms & Integrations

### Desktop / Electron

- Screen capture overlay, Quick Chat tray, and upload pipeline
improvements. (#13818)
- macOS permission gate for screen capture; auto-focus chat panel input.
(#14097, #14105)
- Dedicated topic popup window with cross-window sync. (#13957)
- TabBar polish: `+` button for new topic, dark theme blend, close icon
by default. (#13972, #14203, #13973)
- Recent working directories expanded from 5 to 20; submodule/worktree
repo detection. (#14036, #13978)
- Cmd+W / Cmd+T tab shortcuts and global shortcut consolidation.
(#13983, #13880)
- Linux icon configuration; human approval desktop notifications.
(#14042, #14092)

### Git Workflow

- One-click pull/push from branch chip; ahead/behind badge with
refactored GitCtr. (#14041, #13980)

### Mobile

- Full settings menu and responsive profile layout. (#14019)
- Agent route added to mobile router; mobile agent topic route
registered. (#14103, #14158)
- Session list skeleton row layout corrected. (#14040)

### Bot / Messaging

- DM strategy support; bot emoji and markdown render optimization.
(#14201, #14091, #14140)
- Slack webhook fix; bot platform setup guide reference. (#14052,
#14121)

---

## 🤖 Models & Providers

### New models

- **Claude Opus 4.7** with `xhigh` effort tier; strip temperature/top_p.
(#13903, #13909)
- **GPT-5.5**. (#14147)
- **DeepSeek V4** Flash/Pro cards with reasoning slider; cache-hit and
Pro discount pricing. (#14114, #14209, #14196, #14131)
- **Kimi K2.6** model with LobeHub-hosted card. (#14004, #14006)
- **MiMo-V2.5 / V2.5-Pro**. (#14089)
- **gpt-image-2**, **Qwen3.6 Flash/Plus**, **Pixverse-c1**. (#14039,
#13923)

### New providers

- **OpenCode Zen** and **OpenCode Go** with env-var support. (#13943,
#14064)
- **Azure OpenAI Router** runtime support. (#13823)
- Model alias mapping for image and video runtimes. (#13896)
- Seedance video models migrated to Dreamina. (#14144)

### Runtime reliability

- Sanitize invalid tool_call arguments to unbreak strict providers.
(#14033)
- Tolerate null `function.name` in streaming tool_call deltas. (#14139)
- Preserve Gemini 3 `thoughtSignature` in `call_tools_batch`
normalization. (#14032)
- Downgrade `image_url` parts when target model lacks vision. (#14029)
- Preserve Cloudflare provider error context. (#14136)
- Use `safety_identifier` for OpenAI Responses API. (#14148)
- Unwrap underlying PG error in `formatErrorEventData`. (#14038)

---

## 🖥️ User Experience

- **Onboarding** — Preset agent naming suggestions, structured hunk ops
for `updateDocument`, persona analytics snapshot, footer promotion
pipeline, wrap-up button. (#13931, #13989, #13930, #13853, #13934)
- **Document workflow** — Agent documents promoted as primary workspace
panel; history management and compare workflow; web-crawl docs
associated with agent documents. (#13924, #13725, #13893)
- **cmdk** — Agent identity surfaced on topic search results;
topic/message search scoped to current agent. (#14204, #13960)
- **Floating chat panel** and workspace improvements. (#13887)
- **Topic completion status** with dropdown action and filter. (#14005)

---

## 🔧 Tooling

- Redis-backed feature flag provider for runtime config. (#14098)
- Vite upgraded to 8.0.0 with Rolldown strict execution order. (#12720,
#14058)
- `@lobechat/model-bank` automated npm release with provenance. (#14015,
#14017, #14018)
- Skill activation fallback when `activateTools` cannot find identifier.
(#14010)
- Cron tool: timezone and existing jobs injected into system prompt;
clarified `lobe-gtd` and `lobe-cron` descriptions. (#14012, #14013)

---

## 🔒 Security & Reliability

- **Security:** uuid bumped to v14 (advisory). (#14083)
- **Security:** validate avatar URL and scope old-avatar deletion to
owner. (#13982)
- **Security:** clear OIDC sessions on better-auth signout; return 401
(not 500) for expired OIDC JWT. (#13916, #14014)
- **Reliability:** scope pending-approval check to current assistant
turn. (#14182)
- **Reliability:** sanitize heterogeneous-agent attachment cache
filenames. (#13937)
- **Reliability:** reduce subagent task status error noise. (#14026)

---

## 👥 Contributors

Huge thanks to **17 contributors** who shipped **194 merged PRs** this
week.

@hardy · @shaun0927 · @hezhijie0327 · @sxjeru · @arvinxx · @Innei ·
@tjx666 · @lijian · @neko · @rdmclin2 · @AmAzing129 · @sudongyuer ·
@CanisMinor · @rivertwilight

Plus @lobehubbot and renovate[bot] for maintenance.

---

**Full Changelog**: v2.1.52...v2.1.53