LibreChat/api/models/Session.js

const mongoose = require('mongoose');
const crypto = require('crypto');
const jwt = require('jsonwebtoken');
const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
const expires = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7;

const sessionSchema = mongoose.Schema({
  refreshTokenHash: {
    type: String,
    required: true,
  },
  expiration: {
    type: Date,
    required: true,
    expires: 0,
  },
  user: {
    type: mongoose.Schema.Types.ObjectId,
    ref: 'User',
    required: true,
  },
});

sessionSchema.methods.generateRefreshToken = async function () {
  try {
    let expiresIn;
    if (this.expiration) {
      expiresIn = this.expiration.getTime();
    } else {
      expiresIn = Date.now() + expires;
      this.expiration = new Date(expiresIn);
    }

    const refreshToken = jwt.sign(
      {
        id: this.user,
      },
      process.env.JWT_REFRESH_SECRET,
      { expiresIn: Math.floor((expiresIn - Date.now()) / 1000) },
    );

    const hash = crypto.createHash('sha256');
    this.refreshTokenHash = hash.update(refreshToken).digest('hex');

    await this.save();

    return refreshToken;
  } catch (error) {
    console.error(
      'Error generating refresh token. Have you set a JWT_REFRESH_SECRET in the .env file?\n\n',
      error,
    );
    throw error;
  }
};

const Session = mongoose.model('Session', sessionSchema);

module.exports = Session;
feat: Refresh Token for improved Session Security (#927) * feat(api): refresh token logic * feat(client): refresh token logic * feat(data-provider): refresh token logic * fix: SSE uses esm * chore: add default refresh token expiry to AuthService, add message about env var not set when generating a token * chore: update scripts to more compatible bun methods, ran bun install again * chore: update env.example and playwright workflow with JWT_REFRESH_SECRET * chore: update breaking changes docs * chore: add timeout to url visit * chore: add default SESSION_EXPIRY in generateToken logic, add act script for testing github actions * fix(e2e): refresh automatically in development environment to pass e2e tests 2023-09-11 13:10:46 -04:00			`const mongoose = require('mongoose');`
			`const crypto = require('crypto');`
			`const jwt = require('jsonwebtoken');`
			`const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};`
			`const expires = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7;`

			`const sessionSchema = mongoose.Schema({`
			`refreshTokenHash: {`
			`type: String,`
			`required: true,`
			`},`
			`expiration: {`
			`type: Date,`
			`required: true,`
			`expires: 0,`
			`},`
			`user: {`
			`type: mongoose.Schema.Types.ObjectId,`
			`ref: 'User',`
			`required: true,`
			`},`
			`});`

			`sessionSchema.methods.generateRefreshToken = async function () {`
			`try {`
			`let expiresIn;`
			`if (this.expiration) {`
			`expiresIn = this.expiration.getTime();`
			`} else {`
			`expiresIn = Date.now() + expires;`
			`this.expiration = new Date(expiresIn);`
			`}`

			`const refreshToken = jwt.sign(`
			`{`
			`id: this.user,`
			`},`
			`process.env.JWT_REFRESH_SECRET,`
			`{ expiresIn: Math.floor((expiresIn - Date.now()) / 1000) },`
			`);`

			`const hash = crypto.createHash('sha256');`
			`this.refreshTokenHash = hash.update(refreshToken).digest('hex');`

			`await this.save();`

			`return refreshToken;`
			`} catch (error) {`
			`console.error(`
			`'Error generating refresh token. Have you set a JWT_REFRESH_SECRET in the .env file?\n\n',`
			`error,`
			`);`
			`throw error;`
			`}`
			`};`

			`const Session = mongoose.model('Session', sessionSchema);`

			`module.exports = Session;`