innFactory · pull · May 6, 2026 · May 4, 2026 · May 4, 2026 · May 5, 2026
diff --git a/api/package.json b/api/package.json
@@ -36,14 +36,16 @@
   "dependencies": {
     "@anthropic-ai/vertex-sdk": "^0.14.3",
     "@aws-sdk/client-bedrock-runtime": "^3.1013.0",
+    "@aws-sdk/client-cloudfront": "^3.1042.0",
     "@aws-sdk/client-s3": "^3.980.0",
+    "@aws-sdk/cloudfront-signer": "^3.1036.0",
     "@aws-sdk/s3-request-presigner": "^3.758.0",
     "@azure/identity": "^4.13.1",
     "@azure/search-documents": "^12.0.0",
     "@azure/storage-blob": "^12.30.0",
     "@google/genai": "^1.19.0",
     "@keyv/redis": "^4.3.3",
-    "@librechat/agents": "^3.1.77",
+    "@librechat/agents": "^3.1.78",
     "@librechat/api": "*",
     "@librechat/data-schemas": "*",
     "@microsoft/microsoft-graph-client": "^3.0.7",
@@ -105,6 +107,7 @@
     "passport-local": "^1.0.0",
     "pdfjs-dist": "^5.4.624",
     "rate-limit-redis": "^4.2.0",
+    "sanitize-html": "^2.13.0",
     "sharp": "^0.33.5",
     "traverse": "^0.6.7",
     "ua-parser-js": "^1.0.36",
@@ -116,6 +119,7 @@
     "zod": "^3.22.4"
   },
   "devDependencies": {
+    "@types/sanitize-html": "^2.13.0",
     "jest": "^30.2.0",
     "mongodb-memory-server": "^11.0.1",
     "nodemon": "^3.0.3",

diff --git a/api/server/controllers/AuthController.js b/api/server/controllers/AuthController.js
@@ -2,7 +2,7 @@ const cookies = require('cookie');
 const jwt = require('jsonwebtoken');
 const openIdClient = require('openid-client');
 const { logger } = require('@librechat/data-schemas');
-const { isEnabled, findOpenIDUser } = require('@librechat/api');
+const { isEnabled, findOpenIDUser, getOpenIdIssuer } = require('@librechat/api');
 const {
   requestPasswordReset,
   setOpenIDAuthTokens,
@@ -85,10 +85,12 @@ const refreshController = async (req, res) => {
         refreshParams,
       );
       const claims = tokenset.claims();
+      const openidIssuer = getOpenIdIssuer(claims, openIdConfig);
       const { user, error, migration } = await findOpenIDUser({
         findUser,
         email: getOpenIdEmail(claims),
         openidId: claims.sub,
+        openidIssuer,
         idOnTheSource: claims.oid,
         strategyName: 'refreshController',
       });
@@ -111,6 +113,7 @@ const refreshController = async (req, res) => {
         await updateUser(user._id.toString(), {
           provider: 'openid',
           openidId: claims.sub,
+          ...(openidIssuer ? { openidIssuer } : {}),
         });
         logger.info(
           `[refreshController] Updated user ${user.email} openidId (${reason}): ${user.openidId ?? 'null'} -> ${claims.sub}`,

diff --git a/api/server/controllers/AuthController.spec.js b/api/server/controllers/AuthController.spec.js
@@ -23,6 +23,7 @@ jest.mock('~/models', () => ({
 jest.mock('@librechat/api', () => ({
   isEnabled: jest.fn(),
   findOpenIDUser: jest.fn(),
+  getOpenIdIssuer: jest.fn(() => 'https://issuer.example.com'),
 }));
 
 const openIdClient = require('openid-client');
@@ -157,6 +158,7 @@ describe('refreshController – OpenID path', () => {
   };
 
   const baseClaims = {
+    iss: 'https://issuer.example.com',
     sub: 'oidc-sub-123',
     oid: 'oid-456',
     email: 'user@example.com',
@@ -204,7 +206,10 @@ describe('refreshController – OpenID path', () => {
 
     expect(getOpenIdEmail).toHaveBeenCalledWith(baseClaims);
     expect(findOpenIDUser).toHaveBeenCalledWith(
-      expect.objectContaining({ email: baseClaims.email }),
+      expect.objectContaining({
+        email: baseClaims.email,
+        openidIssuer: baseClaims.iss,
+      }),
     );
     expect(res.status).toHaveBeenCalledWith(200);
   });
@@ -225,7 +230,10 @@ describe('refreshController – OpenID path', () => {
 
     expect(getOpenIdEmail).toHaveBeenCalledWith(claimsWithUpn);
     expect(findOpenIDUser).toHaveBeenCalledWith(
-      expect.objectContaining({ email: 'user@corp.example.com' }),
+      expect.objectContaining({
+        email: 'user@corp.example.com',
+        openidIssuer: baseClaims.iss,
+      }),
     );
     expect(res.status).toHaveBeenCalledWith(200);
   });
@@ -236,7 +244,10 @@ describe('refreshController – OpenID path', () => {
     await refreshController(req, res);
 
     expect(findOpenIDUser).toHaveBeenCalledWith(
-      expect.objectContaining({ email: baseClaims.email }),
+      expect.objectContaining({
+        email: baseClaims.email,
+        openidIssuer: baseClaims.iss,
+      }),
     );
   });
 
@@ -267,7 +278,11 @@ describe('refreshController – OpenID path', () => {
 
     expect(updateUser).toHaveBeenCalledWith(
       'user-db-id',
-      expect.objectContaining({ provider: 'openid', openidId: baseClaims.sub }),
+      expect.objectContaining({
+        provider: 'openid',
+        openidId: baseClaims.sub,
+        openidIssuer: baseClaims.iss,
+      }),
     );
     expect(res.status).toHaveBeenCalledWith(200);
   });