2025-02-18 01:09:36 +01:00
|
|
|
const { webcrypto } = require('node:crypto');
|
🪐 feat: MCP OAuth 2.0 Discovery Support (#7924)
* chore: Update @modelcontextprotocol/sdk to version 1.12.3 in package.json and package-lock.json
- Bump version of @modelcontextprotocol/sdk to 1.12.3 to incorporate recent updates.
- Update dependencies for ajv and cross-spawn to their latest versions.
- Add ajv as a new dependency in the sdk module.
- Include json-schema-traverse as a new dependency in the sdk module.
* feat: @librechat/auth
* feat: Add crypto module exports to auth package
- Introduced a new crypto module by creating index.ts in the crypto directory.
- Updated the main index.ts of the auth package to export from the new crypto module.
* feat: Update package dependencies and build scripts for auth package
- Added @librechat/auth as a dependency in package.json and package-lock.json.
- Updated build scripts to include the auth package in both frontend and bun build processes.
- Removed unused mongoose and openid-client dependencies from package-lock.json for cleaner dependency management.
* refactor: Migrate crypto utility functions to @librechat/auth
- Replaced local crypto utility imports with the new @librechat/auth package across multiple files.
- Removed the obsolete crypto.js file and its exports.
- Updated relevant services and models to utilize the new encryption and decryption methods from @librechat/auth.
* feat: Enhance OAuth token handling and update dependencies in auth package
* chore: Remove Token model and TokenService due to restructuring of OAuth handling
- Deleted the Token.js model and TokenService.js, which were responsible for managing OAuth tokens.
- This change is part of a broader refactor to streamline OAuth token management and improve code organization.
* refactor: imports from '@librechat/auth' to '@librechat/api' and add OAuth token handling functionality
* refactor: Simplify logger usage in MCP and FlowStateManager classes
* chore: fix imports
* feat: Add OAuth configuration schema to MCP with token exchange method support
* feat: FIRST PASS Implement MCP OAuth flow with token management and error handling
- Added a new route for handling OAuth callbacks and token retrieval.
- Integrated OAuth token storage and retrieval mechanisms.
- Enhanced MCP connection to support automatic OAuth flow initiation on 401 errors.
- Implemented dynamic client registration and metadata discovery for OAuth.
- Updated MCPManager to manage OAuth tokens and handle authentication requirements.
- Introduced comprehensive logging for OAuth processes and error handling.
* refactor: Update MCPConnection and MCPManager to utilize new URL handling
- Added a `url` property to MCPConnection for better URL management.
- Refactored MCPManager to use the new `url` property instead of a deprecated method for OAuth handling.
- Changed logging from info to debug level for flow manager and token methods initialization.
- Improved comments for clarity on existing tokens and OAuth event listener setup.
* refactor: Improve connection timeout error messages in MCPConnection and MCPManager and use initTimeout for connection
- Updated the connection timeout error messages to include the duration of the timeout.
- Introduced a configurable `connectTimeout` variable in both MCPConnection and MCPManager for better flexibility.
* chore: cleanup MCP OAuth Token exchange handling; fix: erroneous use of flowsCache and remove verbose logs
* refactor: Update MCPManager and MCPTokenStorage to use TokenMethods for token management
- Removed direct token storage handling in MCPManager and replaced it with TokenMethods for better abstraction.
- Refactored MCPTokenStorage methods to accept parameters for token operations, enhancing flexibility and readability.
- Improved logging messages related to token persistence and retrieval processes.
* refactor: Update MCP OAuth handling to use static methods and improve flow management
- Refactored MCPOAuthHandler to utilize static methods for initiating and completing OAuth flows, enhancing clarity and reducing instance dependencies.
- Updated MCPManager to pass flowManager explicitly to OAuth handling methods, improving flexibility in flow state management.
- Enhanced comments and logging for better understanding of OAuth processes and flow state retrieval.
* refactor: Integrate token methods into createMCPTool for enhanced token management
* refactor: Change logging from info to debug level in MCPOAuthHandler for improved log management
* chore: clean up logging
* feat: first pass, auth URL from MCP OAuth flow
* chore: Improve logging format for OAuth authentication URL display
* chore: cleanup mcp manager comments
* feat: add connection reconnection logic in MCPManager
* refactor: reorganize token storage handling in MCP
- Moved token storage logic from MCPManager to a new MCPTokenStorage class for better separation of concerns.
- Updated imports to reflect the new token storage structure.
- Enhanced methods for storing, retrieving, updating, and deleting OAuth tokens, improving overall token management.
* chore: update comment for SYSTEM_USER_ID in MCPManager for clarity
* feat: implement refresh token functionality in MCP
- Added refresh token handling in MCPManager to support token renewal for both app-level and user-specific connections.
- Introduced a refreshTokens function to facilitate token refresh logic.
- Enhanced MCPTokenStorage to manage client information and refresh token processes.
- Updated logging for better traceability during token operations.
* chore: cleanup @librechat/auth
* feat: implement MCP server initialization in a separate service
- Added a new service to handle the initialization of MCP servers, improving code organization and readability.
- Refactored the server startup logic to utilize the new initializeMCP function.
- Removed redundant MCP initialization code from the main server file.
* fix: don't log auth url for user connections
* feat: enhance OAuth flow with success and error handling components
- Updated OAuth callback routes to redirect to new success and error pages instead of sending status messages.
- Introduced `OAuthSuccess` and `OAuthError` components to provide user feedback during authentication.
- Added localization support for success and error messages in the translation files.
- Implemented countdown functionality in the success component for a better user experience.
* fix: refresh token handling for user connections, add missing URL and methods
- add standard enum for system user id and helper for determining app-lvel vs. user-level connections
* refactor: update token handling in MCPManager and MCPTokenStorage
* fix: improve error logging in OAuth authentication handler
* fix: concurrency issues for both login url emission and concurrency of oauth flows for shared flows (same user, same server, multiple calls for same server)
* fix: properly fail shared flows for concurrent server calls and prevent duplication of tokens
* chore: remove unused auth package directory from update configuration
* ci: fix mocks in samlStrategy tests
* ci: add mcpConfig to AppService test setup
* chore: remove obsolete MCP OAuth implementation documentation
* fix: update build script for API to use correct command
* chore: bump version of @librechat/api to 1.2.4
* fix: update abort signal handling in createMCPTool function
* fix: add optional clientInfo parameter to refreshTokensFunction metadata
* refactor: replace app.locals.availableTools with getCachedTools in multiple services and controllers for improved tool management
* fix: concurrent refresh token handling issue
* refactor: add signal parameter to getUserConnection method for improved abort handling
* chore: JSDoc typing for `loadEphemeralAgent`
* refactor: update isConnectionActive method to use destructured parameters for improved readability
* feat: implement caching for MCP tools to handle app-level disconnects for loading list of tools
* ci: fix agent test
2025-06-17 13:50:33 -04:00
|
|
|
const { hashBackupCode, decryptV3, decryptV2 } = require('@librechat/api');
|
2025-05-30 22:18:13 -04:00
|
|
|
const { updateUser } = require('~/models');
|
2025-02-18 01:09:36 +01:00
|
|
|
|
2025-03-20 21:46:11 +01:00
|
|
|
// Base32 alphabet for TOTP secret encoding.
|
2025-02-18 01:09:36 +01:00
|
|
|
const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
|
|
|
|
|
|
|
|
|
|
/**
|
2025-03-20 21:46:11 +01:00
|
|
|
* Encodes a Buffer into a Base32 string.
|
|
|
|
|
* @param {Buffer} buffer
|
|
|
|
|
* @returns {string}
|
2025-02-18 01:09:36 +01:00
|
|
|
*/
|
|
|
|
|
const encodeBase32 = (buffer) => {
|
|
|
|
|
let bits = 0;
|
|
|
|
|
let value = 0;
|
|
|
|
|
let output = '';
|
|
|
|
|
for (const byte of buffer) {
|
|
|
|
|
value = (value << 8) | byte;
|
|
|
|
|
bits += 8;
|
|
|
|
|
while (bits >= 5) {
|
|
|
|
|
output += BASE32_ALPHABET[(value >>> (bits - 5)) & 31];
|
|
|
|
|
bits -= 5;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (bits > 0) {
|
|
|
|
|
output += BASE32_ALPHABET[(value << (5 - bits)) & 31];
|
|
|
|
|
}
|
|
|
|
|
return output;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2025-03-20 21:46:11 +01:00
|
|
|
* Decodes a Base32 string into a Buffer.
|
|
|
|
|
* @param {string} base32Str
|
|
|
|
|
* @returns {Buffer}
|
2025-02-18 01:09:36 +01:00
|
|
|
*/
|
|
|
|
|
const decodeBase32 = (base32Str) => {
|
|
|
|
|
const cleaned = base32Str.replace(/=+$/, '').toUpperCase();
|
|
|
|
|
let bits = 0;
|
|
|
|
|
let value = 0;
|
|
|
|
|
const output = [];
|
|
|
|
|
for (const char of cleaned) {
|
|
|
|
|
const idx = BASE32_ALPHABET.indexOf(char);
|
|
|
|
|
if (idx === -1) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
value = (value << 5) | idx;
|
|
|
|
|
bits += 5;
|
|
|
|
|
if (bits >= 8) {
|
|
|
|
|
output.push((value >>> (bits - 8)) & 0xff);
|
|
|
|
|
bits -= 8;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return Buffer.from(output);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2025-03-20 21:46:11 +01:00
|
|
|
* Generates a new TOTP secret (Base32 encoded).
|
|
|
|
|
* @returns {string}
|
2025-02-18 01:09:36 +01:00
|
|
|
*/
|
|
|
|
|
const generateTOTPSecret = () => {
|
|
|
|
|
const randomArray = new Uint8Array(10);
|
|
|
|
|
webcrypto.getRandomValues(randomArray);
|
|
|
|
|
return encodeBase32(Buffer.from(randomArray));
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2025-03-20 21:46:11 +01:00
|
|
|
* Generates a TOTP code based on the secret and time.
|
|
|
|
|
* Uses a 30-second time step and produces a 6-digit code.
|
|
|
|
|
* @param {string} secret
|
|
|
|
|
* @param {number} [forTime=Date.now()]
|
|
|
|
|
* @returns {Promise<string>}
|
2025-02-18 01:09:36 +01:00
|
|
|
*/
|
|
|
|
|
const generateTOTP = async (secret, forTime = Date.now()) => {
|
|
|
|
|
const timeStep = 30; // seconds
|
|
|
|
|
const counter = Math.floor(forTime / 1000 / timeStep);
|
|
|
|
|
const counterBuffer = new ArrayBuffer(8);
|
|
|
|
|
const counterView = new DataView(counterBuffer);
|
|
|
|
|
counterView.setUint32(4, counter, false);
|
|
|
|
|
|
|
|
|
|
const keyBuffer = decodeBase32(secret);
|
|
|
|
|
const keyArrayBuffer = keyBuffer.buffer.slice(
|
|
|
|
|
keyBuffer.byteOffset,
|
|
|
|
|
keyBuffer.byteOffset + keyBuffer.byteLength,
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const cryptoKey = await webcrypto.subtle.importKey(
|
|
|
|
|
'raw',
|
|
|
|
|
keyArrayBuffer,
|
|
|
|
|
{ name: 'HMAC', hash: 'SHA-1' },
|
|
|
|
|
false,
|
|
|
|
|
['sign'],
|
|
|
|
|
);
|
|
|
|
|
const signatureBuffer = await webcrypto.subtle.sign('HMAC', cryptoKey, counterBuffer);
|
|
|
|
|
const hmac = new Uint8Array(signatureBuffer);
|
|
|
|
|
|
2025-03-20 21:46:11 +01:00
|
|
|
// Dynamic truncation per RFC 4226.
|
2025-02-18 01:09:36 +01:00
|
|
|
const offset = hmac[hmac.length - 1] & 0xf;
|
|
|
|
|
const slice = hmac.slice(offset, offset + 4);
|
|
|
|
|
const view = new DataView(slice.buffer, slice.byteOffset, slice.byteLength);
|
|
|
|
|
const binaryCode = view.getUint32(0, false) & 0x7fffffff;
|
|
|
|
|
const code = (binaryCode % 1000000).toString().padStart(6, '0');
|
|
|
|
|
return code;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2025-03-20 21:46:11 +01:00
|
|
|
* Verifies a TOTP token by checking a ±1 time step window.
|
|
|
|
|
* @param {string} secret
|
|
|
|
|
* @param {string} token
|
|
|
|
|
* @returns {Promise<boolean>}
|
2025-02-18 01:09:36 +01:00
|
|
|
*/
|
|
|
|
|
const verifyTOTP = async (secret, token) => {
|
|
|
|
|
const timeStepMS = 30 * 1000;
|
|
|
|
|
const currentTime = Date.now();
|
|
|
|
|
for (let offset = -1; offset <= 1; offset++) {
|
|
|
|
|
const expected = await generateTOTP(secret, currentTime + offset * timeStepMS);
|
|
|
|
|
if (expected === token) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2025-03-20 21:46:11 +01:00
|
|
|
* Generates backup codes (default count: 10).
|
|
|
|
|
* Each code is an 8-character hexadecimal string and stored with its SHA-256 hash.
|
|
|
|
|
* @param {number} [count=10]
|
2025-02-19 19:33:29 +01:00
|
|
|
* @returns {Promise<{ plainCodes: string[], codeObjects: Array<{ codeHash: string, used: boolean, usedAt: Date | null }> }>}
|
2025-02-18 01:09:36 +01:00
|
|
|
*/
|
|
|
|
|
const generateBackupCodes = async (count = 10) => {
|
|
|
|
|
const plainCodes = [];
|
|
|
|
|
const codeObjects = [];
|
|
|
|
|
const encoder = new TextEncoder();
|
2025-03-20 21:46:11 +01:00
|
|
|
|
2025-02-18 01:09:36 +01:00
|
|
|
for (let i = 0; i < count; i++) {
|
|
|
|
|
const randomArray = new Uint8Array(4);
|
|
|
|
|
webcrypto.getRandomValues(randomArray);
|
|
|
|
|
const code = Array.from(randomArray)
|
|
|
|
|
.map((b) => b.toString(16).padStart(2, '0'))
|
2025-03-20 21:46:11 +01:00
|
|
|
.join('');
|
2025-02-18 01:09:36 +01:00
|
|
|
plainCodes.push(code);
|
|
|
|
|
|
|
|
|
|
const codeBuffer = encoder.encode(code);
|
|
|
|
|
const hashBuffer = await webcrypto.subtle.digest('SHA-256', codeBuffer);
|
|
|
|
|
const hashArray = Array.from(new Uint8Array(hashBuffer));
|
|
|
|
|
const codeHash = hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
|
|
|
|
|
codeObjects.push({ codeHash, used: false, usedAt: null });
|
|
|
|
|
}
|
|
|
|
|
return { plainCodes, codeObjects };
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2025-03-20 21:46:11 +01:00
|
|
|
* Verifies a backup code and, if valid, marks it as used.
|
|
|
|
|
* @param {Object} params
|
|
|
|
|
* @param {Object} params.user
|
|
|
|
|
* @param {string} params.backupCode
|
|
|
|
|
* @returns {Promise<boolean>}
|
2025-02-18 01:09:36 +01:00
|
|
|
*/
|
|
|
|
|
const verifyBackupCode = async ({ user, backupCode }) => {
|
|
|
|
|
if (!backupCode || !user || !Array.isArray(user.backupCodes)) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const hashedInput = await hashBackupCode(backupCode.trim());
|
|
|
|
|
const matchingCode = user.backupCodes.find(
|
|
|
|
|
(codeObj) => codeObj.codeHash === hashedInput && !codeObj.used,
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (matchingCode) {
|
|
|
|
|
const updatedBackupCodes = user.backupCodes.map((codeObj) =>
|
|
|
|
|
codeObj.codeHash === hashedInput && !codeObj.used
|
|
|
|
|
? { ...codeObj, used: true, usedAt: new Date() }
|
|
|
|
|
: codeObj,
|
|
|
|
|
);
|
2025-03-20 21:46:11 +01:00
|
|
|
// Update the user record with the marked backup code.
|
2025-02-18 01:09:36 +01:00
|
|
|
await updateUser(user._id, { backupCodes: updatedBackupCodes });
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
};
|
|
|
|
|
|
2025-02-19 19:33:29 +01:00
|
|
|
/**
|
2025-03-20 21:46:11 +01:00
|
|
|
* Retrieves and decrypts a stored TOTP secret.
|
|
|
|
|
* - Uses decryptV3 if the secret has a "v3:" prefix.
|
|
|
|
|
* - Falls back to decryptV2 for colon-delimited values.
|
|
|
|
|
* - Assumes a 16-character secret is already plain.
|
|
|
|
|
* @param {string|null} storedSecret
|
|
|
|
|
* @returns {Promise<string|null>}
|
2025-02-19 19:33:29 +01:00
|
|
|
*/
|
|
|
|
|
const getTOTPSecret = async (storedSecret) => {
|
2025-03-20 21:46:11 +01:00
|
|
|
if (!storedSecret) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
if (storedSecret.startsWith('v3:')) {
|
|
|
|
|
return decryptV3(storedSecret);
|
|
|
|
|
}
|
2025-02-19 19:33:29 +01:00
|
|
|
if (storedSecret.includes(':')) {
|
|
|
|
|
return await decryptV2(storedSecret);
|
|
|
|
|
}
|
|
|
|
|
if (storedSecret.length === 16) {
|
|
|
|
|
return storedSecret;
|
|
|
|
|
}
|
|
|
|
|
return storedSecret;
|
|
|
|
|
};
|
|
|
|
|
|
2025-03-20 21:46:11 +01:00
|
|
|
/**
|
|
|
|
|
* Generates a temporary JWT token for 2FA verification that expires in 5 minutes.
|
|
|
|
|
* @param {string} userId
|
|
|
|
|
* @returns {string}
|
|
|
|
|
*/
|
|
|
|
|
const generate2FATempToken = (userId) => {
|
|
|
|
|
const { sign } = require('jsonwebtoken');
|
|
|
|
|
return sign({ userId, twoFAPending: true }, process.env.JWT_SECRET, { expiresIn: '5m' });
|
|
|
|
|
};
|
|
|
|
|
|
2025-02-18 01:09:36 +01:00
|
|
|
module.exports = {
|
|
|
|
|
generateTOTPSecret,
|
2025-03-20 21:46:11 +01:00
|
|
|
generateTOTP,
|
|
|
|
|
verifyTOTP,
|
2025-02-18 01:09:36 +01:00
|
|
|
generateBackupCodes,
|
2025-03-20 21:46:11 +01:00
|
|
|
verifyBackupCode,
|
|
|
|
|
getTOTPSecret,
|
2025-02-18 01:09:36 +01:00
|
|
|
generate2FATempToken,
|
|
|
|
|
};
|