Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-09-22 06:00:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
LibreChat/api/strategies/validators.spec.js

517 lines
14 KiB
JavaScript
Raw Normal View History

🛡️ : Security Enhancements (#1681) * fix: sanitize HTTP params and do not send whole error objects backs * fix: prevent path traversal * fix: send custom error message for tokenizer route * chore: handle info exposure vector * chore(oauth): skip check due to false positive as oauth routes are rate-limited * chore(app): disable `x-powered-by` * chore: disable false positives or flagging of hardcoded secrets when they are fake values * chore: add path traversal safety check
2024-01-30 14:34:02 -05:00
// file deepcode ignore NoHardcodedPasswords: No hard-coded passwords in tests
🅰️ feat: Azure Config to Allow Different Deployments per Model (#1863) * wip: first pass for azure endpoint schema * refactor: azure config to return groupMap and modelConfigMap * wip: naming and schema changes * refactor(errorsToString): move to data-provider * feat: rename to azureGroups, add additional tests, tests all expected outcomes, return errors * feat(AppService): load Azure groups * refactor(azure): use imported types, write `mapModelToAzureConfig` * refactor: move `extractEnvVariable` to data-provider * refactor(validateAzureGroups): throw on duplicate groups or models; feat(mapModelToAzureConfig): throw if env vars not present, add tests * refactor(AppService): ensure each model is properly configured on startup * refactor: deprecate azureOpenAI environment variables in favor of librechat.yaml config * feat: use helper functions to handle and order enabled/default endpoints; initialize azureOpenAI from config file * refactor: redefine types as well as load azureOpenAI models from config file * chore(ci): fix test description naming * feat(azureOpenAI): use validated model grouping for request authentication * chore: bump data-provider following rebase * chore: bump config file version noting significant changes * feat: add title options and switch azure configs for titling and vision requests * feat: enable azure plugins from config file * fix(ci): pass tests * chore(.env.example): mark `PLUGINS_USE_AZURE` as deprecated * fix(fetchModels): early return if apiKey not passed * chore: fix azure config typing * refactor(mapModelToAzureConfig): return baseURL and headers as well as azureOptions * feat(createLLM): use `azureOpenAIBasePath` * feat(parsers): resolveHeaders * refactor(extractBaseURL): handle invalid input * feat(OpenAIClient): handle headers and baseURL for azureConfig * fix(ci): pass `OpenAIClient` tests * chore: extract env var for azureOpenAI group config, baseURL * docs: azureOpenAI config setup docs * feat: safe check of potential conflicting env vars that map to unique placeholders * fix: reset apiKey when model switches from originally requested model (vision or title) * chore: linting * docs: CONFIG_PATH notes in custom_config.md
2024-02-26 14:12:25 -05:00
const { errorsToString } = require('librechat-data-provider');
const { loginSchema, registerSchema } = require('./validators');
chore: Remove Unused Dependencies 🧹 (#939) * chore: cleanup client depend 🧹 * chore: replace joi with zod and remove unused user validator * chore: move dep from root to api, cleanup other unused api deps * chore: remove unused dev dep * chore: update bun lockfile * fix: bun scripts * chore: add bun flag to update script * chore: remove legacy webpack + babel dev deps * chore: add back dev deps needed for frontend unit testing * fix(validators): make schemas as expected and more robust with a full test suite of edge cases * chore: remove axios from root package, remove path from api, update bun
2023-09-14 15:12:22 -04:00
describe('Zod Schemas', () => {
describe('loginSchema', () => {
it('should validate a correct login object', () => {
const result = loginSchema.safeParse({
email: 'test@example.com',
password: 'password123',
});
expect(result.success).toBe(true);
});
it('should invalidate an incorrect email', () => {
const result = loginSchema.safeParse({
email: 'testexample.com',
password: 'password123',
});
expect(result.success).toBe(false);
});
it('should invalidate a short password', () => {
const result = loginSchema.safeParse({
email: 'test@example.com',
password: 'pass',
});
expect(result.success).toBe(false);
});
it('should handle email with unusual characters', () => {
const emails = ['test+alias@example.com', 'test@subdomain.example.co.uk'];
emails.forEach((email) => {
const result = loginSchema.safeParse({
email,
password: 'password123',
});
expect(result.success).toBe(true);
});
});
it('should invalidate email without a domain', () => {
const result = loginSchema.safeParse({
email: 'test@.com',
password: 'password123',
});
expect(result.success).toBe(false);
});
it('should invalidate password with only spaces', () => {
const result = loginSchema.safeParse({
email: 'test@example.com',
password: ' ',
});
expect(result.success).toBe(false);
});
it('should invalidate password that is too long', () => {
const result = loginSchema.safeParse({
email: 'test@example.com',
password: 'a'.repeat(129),
});
expect(result.success).toBe(false);
});
it('should invalidate empty email or password', () => {
const result = loginSchema.safeParse({
email: '',
password: '',
});
expect(result.success).toBe(false);
});
});
describe('registerSchema', () => {
it('should validate a correct register object', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
username: 'john_doe',
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(true);
});
it('should allow the username to be omitted', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(true);
});
it('should invalidate a short name', () => {
const result = registerSchema.safeParse({
name: 'Jo',
username: 'john_doe',
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(false);
});
it('should handle empty username by transforming to null', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
username: '',
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(true);
expect(result.data.username).toBe(null);
});
it('should handle name with special characters', () => {
const names = ['Jöhn Dœ', 'John <Doe>'];
names.forEach((name) => {
const result = registerSchema.safeParse({
name,
username: 'john_doe',
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(true);
});
});
it('should handle username with special characters', () => {
const usernames = ['john.doe@', 'john..doe'];
usernames.forEach((username) => {
const result = registerSchema.safeParse({
name: 'John Doe',
username,
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(true);
});
});
it('should invalidate mismatched password and confirm_password', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
username: 'john_doe',
email: 'john@example.com',
password: 'password123',
confirm_password: 'password124',
});
expect(result.success).toBe(false);
});
it('should handle email without a TLD', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
username: 'john_doe',
email: 'john@domain',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(false);
});
it('should handle email with multiple @ symbols', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
username: 'john_doe',
email: 'john@domain@com',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(false);
});
it('should handle name that is too long', () => {
const result = registerSchema.safeParse({
name: 'a'.repeat(81),
username: 'john_doe',
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(false);
});
it('should handle username that is too long', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
username: 'a'.repeat(81),
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
expect(result.success).toBe(false);
});
it('should handle password or confirm_password that is too long', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
username: 'john_doe',
email: 'john@example.com',
password: 'a'.repeat(129),
confirm_password: 'a'.repeat(129),
});
expect(result.success).toBe(false);
});
it('should handle password or confirm_password that is just spaces', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
username: 'john_doe',
email: 'john@example.com',
password: ' ',
confirm_password: ' ',
});
expect(result.success).toBe(false);
});
it('should handle null values for fields', () => {
const result = registerSchema.safeParse({
name: null,
username: null,
email: null,
password: null,
confirm_password: null,
});
expect(result.success).toBe(false);
});
it('should handle undefined values for fields', () => {
const result = registerSchema.safeParse({
name: undefined,
username: undefined,
email: undefined,
password: undefined,
confirm_password: undefined,
});
expect(result.success).toBe(false);
});
it('should handle extra fields not defined in the schema', () => {
const result = registerSchema.safeParse({
name: 'John Doe',
username: 'john_doe',
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
🔐 feat: Add Configurable Min. Password Length (#9315) - Added support for a minimum password length defined by the MIN_PASSWORD_LENGTH environment variable. - Updated login, registration, and reset password forms to utilize the configured minimum length. - Enhanced validation schemas to reflect the new minimum password length requirement. - Included tests to ensure the minimum password length functionality works as expected.
2025-08-27 16:30:56 -04:00
extraField: "I shouldn't be here",
chore: Remove Unused Dependencies 🧹 (#939) * chore: cleanup client depend 🧹 * chore: replace joi with zod and remove unused user validator * chore: move dep from root to api, cleanup other unused api deps * chore: remove unused dev dep * chore: update bun lockfile * fix: bun scripts * chore: add bun flag to update script * chore: remove legacy webpack + babel dev deps * chore: add back dev deps needed for frontend unit testing * fix(validators): make schemas as expected and more robust with a full test suite of edge cases * chore: remove axios from root package, remove path from api, update bun
2023-09-14 15:12:22 -04:00
});
expect(result.success).toBe(true);
});
fix: Allow Latin-based Special Characters in Username (#969) * fix: username validation * fix: add data-testid to fix e2e workflow
2023-09-18 16:57:12 -04:00
it('should handle username with special characters from various languages', () => {
const usernames = [
// General
'éèäöü',
// German
'Jöhn.Döe@',
'Jöhn_Ü',
'Jöhnß',
// French
'Jéan-Piérre',
'Élève',
'Fiançée',
'Mère',
// Spanish
'Niño',
'Señor',
'Muñoz',
// Portuguese
'João',
'Coração',
'Pão',
// Italian
'Pietro',
'Bambino',
'Forlì',
// Romanian
'Mâncare',
'Școală',
'Țară',
// Catalan
'Niç',
'Màquina',
'Çap',
// Swedish
'Fjärran',
'Skål',
'Öland',
// Norwegian
'Blåbær',
'Fjord',
'Årstid',
// Danish
'Flød',
'Søster',
'Århus',
// Icelandic
'Þór',
'Ætt',
'Öx',
// Turkish
'Şehir',
'Çocuk',
'Gözlük',
// Polish
'Łódź',
'Część',
'Świat',
// Czech
'Čaj',
'Řeka',
'Život',
// Slovak
'Kočka',
'Ľudia',
'Žaba',
// Croatian
'Čovjek',
'Šuma',
'Žaba',
// Hungarian
'Tűz',
'Ősz',
'Ünnep',
// Finnish
'Mäki',
'Yö',
'Äiti',
// Estonian
'Tänav',
'Öö',
'Ülikool',
// Latvian
'Ēka',
'Ūdens',
'Čempions',
// Lithuanian
'Ūsas',
'Ąžuolas',
'Čia',
// Dutch
'Maïs',
'Geërfd',
'Coördinatie',
];
const failingUsernames = usernames.reduce((acc, username) => {
const result = registerSchema.safeParse({
name: 'John Doe',
username,
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
if (!result.success) {
acc.push({ username, error: result.error });
}
return acc;
}, []);
if (failingUsernames.length > 0) {
console.log('Failing Usernames:', failingUsernames);
}
expect(failingUsernames).toEqual([]);
});
it('should reject invalid usernames', () => {
const invalidUsernames = [
'john{doe}', // Contains `{` and `}`
'j', // Only one character
'a'.repeat(81), // More than 80 characters
🔐 feat: Add Configurable Min. Password Length (#9315) - Added support for a minimum password length defined by the MIN_PASSWORD_LENGTH environment variable. - Updated login, registration, and reset password forms to utilize the configured minimum length. - Enhanced validation schemas to reflect the new minimum password length requirement. - Included tests to ensure the minimum password length functionality works as expected.
2025-08-27 16:30:56 -04:00
"' OR '1'='1'; --", // SQL Injection
fix: Allow Latin-based Special Characters in Username (#969) * fix: username validation * fix: add data-testid to fix e2e workflow
2023-09-18 16:57:12 -04:00
'{$ne: null}', // MongoDB Injection
'<script>alert("XSS")</script>', // Basic XSS
'"><script>alert("XSS")</script>', // XSS breaking out of an attribute
'"><img src=x onerror=alert("XSS")>', // XSS using an image tag
];
const passingUsernames = [];
const failingUsernames = invalidUsernames.reduce((acc, username) => {
const result = registerSchema.safeParse({
name: 'John Doe',
username,
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
if (!result.success) {
acc.push({ username, error: result.error });
}
if (result.success) {
passingUsernames.push({ username });
}
return acc;
}, []);
expect(failingUsernames.length).toEqual(invalidUsernames.length); // They should match since all invalidUsernames should fail.
});
chore: Remove Unused Dependencies 🧹 (#939) * chore: cleanup client depend 🧹 * chore: replace joi with zod and remove unused user validator * chore: move dep from root to api, cleanup other unused api deps * chore: remove unused dev dep * chore: update bun lockfile * fix: bun scripts * chore: add bun flag to update script * chore: remove legacy webpack + babel dev deps * chore: add back dev deps needed for frontend unit testing * fix(validators): make schemas as expected and more robust with a full test suite of edge cases * chore: remove axios from root package, remove path from api, update bun
2023-09-14 15:12:22 -04:00
});
describe('errorsToString', () => {
it('should convert errors to string', () => {
const { error } = registerSchema.safeParse({
name: 'Jo',
username: 'john_doe',
email: 'john@example.com',
password: 'password123',
confirm_password: 'password123',
});
const result = errorsToString(error.errors);
expect(result).toBe('name: String must contain at least 3 character(s)');
});
});
🔐 feat: Add Configurable Min. Password Length (#9315) - Added support for a minimum password length defined by the MIN_PASSWORD_LENGTH environment variable. - Updated login, registration, and reset password forms to utilize the configured minimum length. - Enhanced validation schemas to reflect the new minimum password length requirement. - Included tests to ensure the minimum password length functionality works as expected.
2025-08-27 16:30:56 -04:00
describe('MIN_PASSWORD_LENGTH environment variable', () => {
// Note: These tests verify the behavior based on whatever MIN_PASSWORD_LENGTH
// was set when the validators module was loaded
const minLength = parseInt(process.env.MIN_PASSWORD_LENGTH, 10) || 8;
it('should respect the configured minimum password length for login', () => {
// Test password exactly at minimum length
const resultValid = loginSchema.safeParse({
email: 'test@example.com',
password: 'a'.repeat(minLength),
});
expect(resultValid.success).toBe(true);
// Test password one character below minimum
if (minLength > 1) {
const resultInvalid = loginSchema.safeParse({
email: 'test@example.com',
password: 'a'.repeat(minLength - 1),
});
expect(resultInvalid.success).toBe(false);
}
});
it('should respect the configured minimum password length for registration', () => {
// Test password exactly at minimum length
const resultValid = registerSchema.safeParse({
name: 'John Doe',
email: 'john@example.com',
password: 'a'.repeat(minLength),
confirm_password: 'a'.repeat(minLength),
});
expect(resultValid.success).toBe(true);
// Test password one character below minimum
if (minLength > 1) {
const resultInvalid = registerSchema.safeParse({
name: 'John Doe',
email: 'john@example.com',
password: 'a'.repeat(minLength - 1),
confirm_password: 'a'.repeat(minLength - 1),
});
expect(resultInvalid.success).toBe(false);
}
});
it('should handle edge case of very short minimum password length', () => {
// This test is meaningful only if MIN_PASSWORD_LENGTH is set to a very low value
if (minLength <= 3) {
const result = loginSchema.safeParse({
email: 'test@example.com',
password: 'abc',
});
expect(result.success).toBe(minLength <= 3);
} else {
// Skip this test if minimum length is > 3
expect(true).toBe(true);
}
});
});
chore: Remove Unused Dependencies 🧹 (#939) * chore: cleanup client depend 🧹 * chore: replace joi with zod and remove unused user validator * chore: move dep from root to api, cleanup other unused api deps * chore: remove unused dev dep * chore: update bun lockfile * fix: bun scripts * chore: add bun flag to update script * chore: remove legacy webpack + babel dev deps * chore: add back dev deps needed for frontend unit testing * fix(validators): make schemas as expected and more robust with a full test suite of edge cases * chore: remove axios from root package, remove path from api, update bun
2023-09-14 15:12:22 -04:00
});
Reference in a new issue Copy permalink