fix: allow delegated admin panel access #91

Merged: danny-avila merged 2 commits into main from danny-avila/fix-access-admin-capability-login on Jun 24, 2026

@danny-avila

Contributor

Summary

I fixed delegated admin access in the admin panel by removing stale local SystemRoles.ADMIN vetoes after the LibreChat backend has already authorized the admin flow.

LibreChat code references:

  • LibreChat imports the capability middleware and defines admin access as requireCapability(SystemCapabilities.ACCESS_ADMIN) in api/server/routes/admin/auth.js.
  • The local admin login and session verify routes use that requireAdminAccess middleware before returning successful admin responses in api/server/routes/admin/auth.js.
  • The admin OAuth refresh path checks hasCapability(..., SystemCapabilities.ACCESS_ADMIN) before minting a refreshed bearer in api/server/routes/admin/auth.js.
  • The refresh helper documents that admin bearer refresh must fail when the resolved user no longer holds ACCESS_ADMIN in packages/api/src/auth/refresh.ts.

Change Type

  • Bug fix (non-breaking change which fixes an issue)

Testing

  • bun run test src/server/auth.oauth.test.ts
  • eslint src/server/auth.ts src/server/auth.oauth.test.ts
  • prettier --check src/server/auth.ts src/server/auth.oauth.test.ts
  • bun run build

Test Configuration:

  • Bun 1.3.13
  • Vitest 4.1.9
  • Node.js v24.16.0

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes
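
The access model described in this PR, as an added example that is not code from the pull request, the admin panel, or LibreChat: a backend capability decision followed by a stale local role veto (before), the same login without the veto (after), and a bearer refresh that fails closed once the capability is revoked. All types, function names, the user records and the token format are hypothetical; only the `access:admin` capability string comes from the linked issue title.

```typescript
// Added illustration: every identifier here is hypothetical, not LibreChat or admin-panel code.
type Role = 'ADMIN' | 'USER';
interface User { id: string; role: Role; capabilities: string[] }

// Capability name as it appears in the linked issue title.
const ACCESS_ADMIN = 'access:admin';

// Constructed sample users: a full admin, a delegated sub-admin, a regular member.
const users = new Map<string, User>([
  ['root', { id: 'root', role: 'ADMIN', capabilities: [ACCESS_ADMIN] }],
  ['delegate', { id: 'delegate', role: 'USER', capabilities: [ACCESS_ADMIN] }],
  ['member', { id: 'member', role: 'USER', capabilities: [] }],
]);

// Stand-in for the backend decision: the capability is the only criterion.
function backendAuthorizes(user: User): boolean {
  return user.capabilities.includes(ACCESS_ADMIN);
}

// "Before": the backend says yes, then a stale local role check vetoes the delegate.
function panelLoginBefore(user: User): boolean {
  return backendAuthorizes(user) && user.role === 'ADMIN';
}

// "After": the panel accepts the backend's capability decision as final.
function panelLoginAfter(user: User): boolean {
  return backendAuthorizes(user);
}

// Refresh re-resolves the user and fails closed once the capability is gone.
function refreshAdminBearer(userId: string): string | null {
  const user = users.get(userId);
  if (!user || !backendAuthorizes(user)) return null;
  return `placeholder-bearer:${user.id}`; // placeholder, not a real token format
}

// Revoke the capability, then show that refresh stops minting bearers.
function revokeThenRefresh(userId: string): string | null {
  const user = users.get(userId);
  if (user) user.capabilities = user.capabilities.filter((c) => c !== ACCESS_ADMIN);
  return refreshAdminBearer(userId);
}
```
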

Contributor Author

@codex review

@danny-avila danny-avila marked this pull request as ready for review June 24, 2026 20:24

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 411b0ea414

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/server/auth.ts

Contributor Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Hooray!

Reviewed commit: e79e10dd08

@danny-avila danny-avila merged commit b28ca83 into main Jun 24, 2026
4 checks passed
Development

Successfully merging this pull request may close these issues.

Admin panel access is hard-coded to the ADMIN role, ignoring the access:admin capability — delegated sub-admins can't log in
