🪪 feat: Add Google OAuth Login to Admin Panel

[dustinhealy]

Summary

Adds a "Continue with Google" button to the admin login page alongside the existing OpenID flow. LibreChat's /api/admin/oauth/google and /api/admin/oauth/google/callback routes were already wired, we just needed to consume them in the admin panel.

The provider availability layer was rewritten while in the area: instead of the openid-only GET /api/admin/oauth/openid/check probe, the loader now reads LibreChat's existing /api/config startup payload (the same endpoint LibreChat's chat client uses) and derives a provider availability map from *LoginEnabled flags. This eliminates the need for per-provider check endpoints, and makes adding future providers (GitHub, Discord, SAML) a one-line registry append.

Provider registry:

• src/constants/oauth.ts — single registry entry per provider (startPath, callbackRoute, enabledKey, optional labelKey/imageKey for OIDC/SAML branding overrides, optional click-ui Logo name).
• OAuthProvider union widened from 'openid' to 'openid' | 'google'; same shape on SessionData.tokenProvider.

Server functions (src/server/auth.ts):

• Replaced checkOpenIdFn / openIdCheckOptions with getStartupConfigFn / startupConfigOptions which fetches /api/config once and returns { providers, ssoOnly }.
• Replaced openidLoginFn with provider-parameterized oauthLoginFn (PKCE generation centralized in buildOAuthLoginUrl).
• oauthExchangeFn now takes { code, provider }; the upstream wire body to /api/admin/oauth/exchange is unchanged (still { code, code_verifier }) — provider is admin-panel-internal and only drives the session's tokenProvider field.
• Refresh-token cookie forwarding (refreshAdminToken) stays openid-only. Verified upstream: LibreChat's /api/auth/refresh only branches on token_provider=openid (and only when OPENID_REUSE_TOKENS=true); a token_provider=google cookie would be ignored. Google sessions correctly fall through the default JWT refresh path.

UI (src/components/AuthCard.tsx, src/routes/login.tsx):

• Single SSO button replaced with one button per enabled provider, rendered in registry order. Branded providers (Google) render the click-ui Logo glyph; OIDC consumes openidLabel / openidImageUrl from /api/config when set by the deployer.
• ADMIN_SSO_ONLY semantics extended for the multi-provider world: hides the password form whenever any SSO provider is enabled; auto-redirects only when exactly one provider is configured. Per product requirement, ssoOnly with multiple providers shows all buttons with no auto-redirect.
• Login route loader fans out to a single /api/config fetch on the SSR boundary — no client-visible discovery roundtrip.

Routes:

• New src/routes/auth/google/callback.tsx mirroring the openid callback; passes provider: 'google' to oauthExchangeFn.
• OpenID callback updated to pass provider: 'openid' for symmetry.

Change Type

• New feature (non-breaking change which adds functionality)

Testing

Manual end-to-end (real Google OAuth client):

1. Created a Google Cloud OAuth 2.0 Web Client with redirect URIs for /oauth/google/callback (LibreChat) and /api/admin/oauth/google/callback (admin panel).
2. Configured LibreChat with GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET / ALLOW_SOCIAL_LOGIN=true.
3. Verified GET /api/config returns googleLoginEnabled: true.
4. Promoted the test Gmail account to ADMIN in MongoDB (admin Google route requires an existing admin user; ALLOW_SOCIAL_REGISTRATION only applies to the chat path).
5. Clicked "Continue with Google" on /login → Google consent → exchange succeeded → admin dashboard rendered, tokenProvider: 'google' set in the encrypted admin session.
6. Regression-checked: email/password login, OIDC login, and 2FA flow all still work.

Automated:

• e2e/login.spec.ts — added "shows Google button alongside OpenID when both are configured" assertion. Existing OpenID/SSO/2FA tests adapted to the new button labels (Continue with OpenID / Continue with Google).
• e2e/mock-backend.mjs — added GET /api/config handler returning both openidLoginEnabled: true and googleLoginEnabled: true so multi-provider rendering exercises in CI.
• e2e/auth.setup.ts — fixed pre-existing Sign In / Sign in casing mismatch that was blocking the suite locally.

Test Configuration

• LibreChat dev branch (last sync b632367c8)
• Admin panel feat/admin-google-oauth (this branch)
• Local mongodb

Checklist

• My code adheres to this project's style guidelines
• I have performed a self-review of my own code
• I have commented in any complex areas of my code
• My changes do not introduce new warnings
• I have written tests demonstrating that my changes are effective or that my feature works
• Local unit tests pass with my changes

[danny-avila]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. More of your lovely PRs please.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[danny-avila]

Thanks for this, @dustinhealy — the feature itself is solid and the backend supports it (the admin Google routes exist in LibreChat: api/server/routes/admin/auth.js /oauth/google and /oauth/google/callback, backed by the googleAdmin passport strategy). Requesting changes purely on mergeability/freshness, not on the approach.

Blocking: branch is conflicting and stale

The PR currently reports mergeable: CONFLICTING / DIRTY against main, and it predates the OpenID/admin-auth refactors that have since landed:

• #46 — body-based OpenID refresh for cross-origin admin panels
• #50 — OpenID redirect origin handling + startup logs
• #59 — guard admin SSO PKCE verifier loss

Those reworked the same files this PR touches, so it needs a real rebase before it can be reviewed/merged. Expect to re-reconcile at least:

• src/server/auth.ts — the OAuth init/exchange + PKCE/origin handling has changed substantially; the new Google flow should reuse the current openidLoginFn/oauthExchangeFn patterns (PKCE code_challenge, origin binding, session codeVerifier) rather than the older shape this branch was built on.
• src/components/AuthCard.tsx and src/routes/login.tsx — SSO button/auto-redirect wiring has moved.
• src/routeTree.gen.ts — regenerate (don't hand-merge) after adding src/routes/auth/google/callback.tsx.
• src/types/auth.ts, src/types/server.ts, src/constants/oauth.ts, locales — re-check against current definitions.

Requested changes

1. Rebase onto latest main and resolve conflicts; regenerate routeTree.gen.ts rather than resolving it by hand.
2. After rebase, align the Google callback/exchange with the current admin OAuth contract (PKCE + origin binding via request headers; the backend strips redirect_uri/code_challenge/redirectTo, see packages/api/src/auth/exchange.ts).
3. Confirm tsc --noEmit and vitest run are green post-rebase, and that the e2e mock-backend updates still reflect the current exchange shape.

Happy to re-review as soon as it's rebased and green. Thanks again!