LibreChat/api/server/middleware/validateImageRequest.js

const cookies = require('cookie');
const jwt = require('jsonwebtoken');
const { logger } = require('@librechat/data-schemas');
const { getAppConfig } = require('~/server/services/Config/app');

const OBJECT_ID_LENGTH = 24;
const OBJECT_ID_PATTERN = /^[0-9a-f]{24}$/i;

/**
 * Validates if a string is a valid MongoDB ObjectId
 * @param {string} id - String to validate
 * @returns {boolean} - Whether string is a valid ObjectId format
 */
function isValidObjectId(id) {
  if (typeof id !== 'string') {
    return false;
  }
  if (id.length !== OBJECT_ID_LENGTH) {
    return false;
  }
  return OBJECT_ID_PATTERN.test(id);
}

/**
 * Middleware to validate image request.
 * Must be set by `secureImageLinks` via custom config file.
 */
async function validateImageRequest(req, res, next) {
  const appConfig = await getAppConfig({ role: req.user?.role });
  if (!appConfig.secureImageLinks) {
    return next();
  }

  const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
  if (!refreshToken) {
    logger.warn('[validateImageRequest] Refresh token not provided');
    return res.status(401).send('Unauthorized');
  }

  let payload;
  try {
    payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
  } catch (err) {
    logger.warn('[validateImageRequest]', err);
    return res.status(403).send('Access Denied');
  }

  if (!isValidObjectId(payload.id)) {
    logger.warn('[validateImageRequest] Invalid User ID');
    return res.status(403).send('Access Denied');
  }

  const currentTimeInSeconds = Math.floor(Date.now() / 1000);
  if (payload.exp < currentTimeInSeconds) {
    logger.warn('[validateImageRequest] Refresh token expired');
    return res.status(403).send('Access Denied');
  }

  const fullPath = decodeURIComponent(req.originalUrl);
  const pathPattern = new RegExp(`^/images/${payload.id}/[^/]+$`);

  if (pathPattern.test(fullPath)) {
    logger.debug('[validateImageRequest] Image request validated');
    next();
  } else {
    logger.warn('[validateImageRequest] Invalid image path');
    res.status(403).send('Access Denied');
  }
}

module.exports = validateImageRequest;
🔒 feat: Authenticated Image Requests (#2389) * 🔒 feat: Authenticated Image Requests * fix: reserved keyword `static` 2024-04-11 02:50:57 -04:00			`const cookies = require('cookie');`
			`const jwt = require('jsonwebtoken');`
🛜 refactor: Streamline App Config Usage (#9234) * WIP: app.locals refactoring WIP: appConfig fix: update memory configuration retrieval to use getAppConfig based on user role fix: update comment for AppConfig interface to clarify purpose 🏷️ refactor: Update tests to use getAppConfig for endpoint configurations ci: Update AppService tests to initialize app config instead of app.locals ci: Integrate getAppConfig into remaining tests refactor: Update multer storage destination to use promise-based getAppConfig and improve error handling in tests refactor: Rename initializeAppConfig to setAppConfig and update related tests ci: Mock getAppConfig in various tests to provide default configurations refactor: Update convertMCPToolsToPlugins to use mcpManager for server configuration and adjust related tests chore: rename `Config/getAppConfig` -> `Config/app` fix: streamline OpenAI image tools configuration by removing direct appConfig dependency and using function parameters chore: correct parameter documentation for imageOutputType in ToolService.js refactor: remove `getCustomConfig` dependency in config route refactor: update domain validation to use appConfig for allowed domains refactor: use appConfig registration property chore: remove app parameter from AppService invocation refactor: update AppConfig interface to correct registration and turnstile configurations refactor: remove getCustomConfig dependency and use getAppConfig in PluginController, multer, and MCP services refactor: replace getCustomConfig with getAppConfig in STTService, TTSService, and related files refactor: replace getCustomConfig with getAppConfig in Conversation and Message models, update tempChatRetention functions to use AppConfig type refactor: update getAppConfig calls in Conversation and Message models to include user role for temporary chat expiration ci: update related tests refactor: update getAppConfig call in getCustomConfigSpeech to include user role fix: update appConfig usage to access allowedDomains from actions instead of registration refactor: enhance AppConfig to include fileStrategies and update related file strategy logic refactor: update imports to use normalizeEndpointName from @librechat/api and remove redundant definitions chore: remove deprecated unused RunManager refactor: get balance config primarily from appConfig refactor: remove customConfig dependency for appConfig and streamline loadConfigModels logic refactor: remove getCustomConfig usage and use app config in file citations refactor: consolidate endpoint loading logic into loadEndpoints function refactor: update appConfig access to use endpoints structure across various services refactor: implement custom endpoints configuration and streamline endpoint loading logic refactor: update getAppConfig call to include user role parameter refactor: streamline endpoint configuration and enhance appConfig usage across services refactor: replace getMCPAuthMap with getUserMCPAuthMap and remove unused getCustomConfig file refactor: add type annotation for loadedEndpoints in loadEndpoints function refactor: move /services/Files/images/parse to TS API chore: add missing FILE_CITATIONS permission to IRole interface refactor: restructure toolkits to TS API refactor: separate manifest logic into its own module refactor: consolidate tool loading logic into a new tools module for startup logic refactor: move interface config logic to TS API refactor: migrate checkEmailConfig to TypeScript and update imports refactor: add FunctionTool interface and availableTools to AppConfig refactor: decouple caching and DB operations from AppService, make part of consolidated `getAppConfig` WIP: fix tests * fix: rebase conflicts * refactor: remove app.locals references * refactor: replace getBalanceConfig with getAppConfig in various strategies and middleware * refactor: replace appConfig?.balance with getBalanceConfig in various controllers and clients * test: add balance configuration to titleConvo method in AgentClient tests * chore: remove unused `openai-chat-tokens` package * chore: remove unused imports in initializeMCPs.js * refactor: update balance configuration to use getAppConfig instead of getBalanceConfig * refactor: integrate configMiddleware for centralized configuration handling * refactor: optimize email domain validation by removing unnecessary async calls * refactor: simplify multer storage configuration by removing async calls * refactor: reorder imports for better readability in user.js * refactor: replace getAppConfig calls with req.config for improved performance * chore: replace getAppConfig calls with req.config in tests for centralized configuration handling * chore: remove unused override config * refactor: add configMiddleware to endpoint route and replace getAppConfig with req.config * chore: remove customConfig parameter from TTSService constructor * refactor: pass appConfig from request to processFileCitations for improved configuration handling * refactor: remove configMiddleware from endpoint route and retrieve appConfig directly in getEndpointsConfig if not in `req.config` * test: add mockAppConfig to processFileCitations tests for improved configuration handling * fix: pass req.config to hasCustomUserVars and call without await after synchronous refactor * fix: type safety in useExportConversation * refactor: retrieve appConfig using getAppConfig in PluginController and remove configMiddleware from plugins route, to avoid always retrieving when plugins are cached * chore: change `MongoUser` typedef to `IUser` * fix: Add `user` and `config` fields to ServerRequest and update JSDoc type annotations from Express.Request to ServerRequest * fix: remove unused setAppConfig mock from Server configuration tests 2025-08-26 12:10:18 -04:00			`const { logger } = require('@librechat/data-schemas');`
			`const { getAppConfig } = require('~/server/services/Config/app');`
🔒 feat: Authenticated Image Requests (#2389) * 🔒 feat: Authenticated Image Requests * fix: reserved keyword `static` 2024-04-11 02:50:57 -04:00
🛡️ fix: Minor Vulnerabilities (#4543) * fix: ReDoS in ChatGPT Import * ci: should correctly process citations from real ChatGPT data * ci: Add ReDoS vulnerability test for processAssistantMessage * refactor: Update thread management and citation handling * refactor(validateImageRequest): robust validation * refactor(Prompt.js): update name search regex to escape special characters * refactor(Preset): exclude user from preset update to prevent mass assignment * refactor(files.js): Improve file deletion process * ci: updated validateImageRequest.spec.js * a11y: plugin pagination * refactor(CreatePromptForm.tsx): Improve input field styling * chore(Prompts): typing and accessibility * fix: prompt creation access role check * chore: remove duplicate jsdocs 2024-10-24 15:50:48 -04:00			`const OBJECT_ID_LENGTH = 24;`
			`const OBJECT_ID_PATTERN = /^[0-9a-f]{24}$/i;`

			`/**`
			`* Validates if a string is a valid MongoDB ObjectId`
			`* @param {string} id - String to validate`
			`* @returns {boolean} - Whether string is a valid ObjectId format`
			`*/`
			`function isValidObjectId(id) {`
			`if (typeof id !== 'string') {`
			`return false;`
			`}`
			`if (id.length !== OBJECT_ID_LENGTH) {`
			`return false;`
			`}`
			`return OBJECT_ID_PATTERN.test(id);`
			`}`

🔒 feat: Authenticated Image Requests (#2389) * 🔒 feat: Authenticated Image Requests * fix: reserved keyword `static` 2024-04-11 02:50:57 -04:00			`/**`
🔓 refactor: Make Image URL Security Optional (#2415) 2024-04-14 19:34:13 -04:00			`* Middleware to validate image request.`
			* Must be set by `secureImageLinks` via custom config file.
🔒 feat: Authenticated Image Requests (#2389) * 🔒 feat: Authenticated Image Requests * fix: reserved keyword `static` 2024-04-11 02:50:57 -04:00			`*/`
🛜 refactor: Streamline App Config Usage (#9234) * WIP: app.locals refactoring WIP: appConfig fix: update memory configuration retrieval to use getAppConfig based on user role fix: update comment for AppConfig interface to clarify purpose 🏷️ refactor: Update tests to use getAppConfig for endpoint configurations ci: Update AppService tests to initialize app config instead of app.locals ci: Integrate getAppConfig into remaining tests refactor: Update multer storage destination to use promise-based getAppConfig and improve error handling in tests refactor: Rename initializeAppConfig to setAppConfig and update related tests ci: Mock getAppConfig in various tests to provide default configurations refactor: Update convertMCPToolsToPlugins to use mcpManager for server configuration and adjust related tests chore: rename `Config/getAppConfig` -> `Config/app` fix: streamline OpenAI image tools configuration by removing direct appConfig dependency and using function parameters chore: correct parameter documentation for imageOutputType in ToolService.js refactor: remove `getCustomConfig` dependency in config route refactor: update domain validation to use appConfig for allowed domains refactor: use appConfig registration property chore: remove app parameter from AppService invocation refactor: update AppConfig interface to correct registration and turnstile configurations refactor: remove getCustomConfig dependency and use getAppConfig in PluginController, multer, and MCP services refactor: replace getCustomConfig with getAppConfig in STTService, TTSService, and related files refactor: replace getCustomConfig with getAppConfig in Conversation and Message models, update tempChatRetention functions to use AppConfig type refactor: update getAppConfig calls in Conversation and Message models to include user role for temporary chat expiration ci: update related tests refactor: update getAppConfig call in getCustomConfigSpeech to include user role fix: update appConfig usage to access allowedDomains from actions instead of registration refactor: enhance AppConfig to include fileStrategies and update related file strategy logic refactor: update imports to use normalizeEndpointName from @librechat/api and remove redundant definitions chore: remove deprecated unused RunManager refactor: get balance config primarily from appConfig refactor: remove customConfig dependency for appConfig and streamline loadConfigModels logic refactor: remove getCustomConfig usage and use app config in file citations refactor: consolidate endpoint loading logic into loadEndpoints function refactor: update appConfig access to use endpoints structure across various services refactor: implement custom endpoints configuration and streamline endpoint loading logic refactor: update getAppConfig call to include user role parameter refactor: streamline endpoint configuration and enhance appConfig usage across services refactor: replace getMCPAuthMap with getUserMCPAuthMap and remove unused getCustomConfig file refactor: add type annotation for loadedEndpoints in loadEndpoints function refactor: move /services/Files/images/parse to TS API chore: add missing FILE_CITATIONS permission to IRole interface refactor: restructure toolkits to TS API refactor: separate manifest logic into its own module refactor: consolidate tool loading logic into a new tools module for startup logic refactor: move interface config logic to TS API refactor: migrate checkEmailConfig to TypeScript and update imports refactor: add FunctionTool interface and availableTools to AppConfig refactor: decouple caching and DB operations from AppService, make part of consolidated `getAppConfig` WIP: fix tests * fix: rebase conflicts * refactor: remove app.locals references * refactor: replace getBalanceConfig with getAppConfig in various strategies and middleware * refactor: replace appConfig?.balance with getBalanceConfig in various controllers and clients * test: add balance configuration to titleConvo method in AgentClient tests * chore: remove unused `openai-chat-tokens` package * chore: remove unused imports in initializeMCPs.js * refactor: update balance configuration to use getAppConfig instead of getBalanceConfig * refactor: integrate configMiddleware for centralized configuration handling * refactor: optimize email domain validation by removing unnecessary async calls * refactor: simplify multer storage configuration by removing async calls * refactor: reorder imports for better readability in user.js * refactor: replace getAppConfig calls with req.config for improved performance * chore: replace getAppConfig calls with req.config in tests for centralized configuration handling * chore: remove unused override config * refactor: add configMiddleware to endpoint route and replace getAppConfig with req.config * chore: remove customConfig parameter from TTSService constructor * refactor: pass appConfig from request to processFileCitations for improved configuration handling * refactor: remove configMiddleware from endpoint route and retrieve appConfig directly in getEndpointsConfig if not in `req.config` * test: add mockAppConfig to processFileCitations tests for improved configuration handling * fix: pass req.config to hasCustomUserVars and call without await after synchronous refactor * fix: type safety in useExportConversation * refactor: retrieve appConfig using getAppConfig in PluginController and remove configMiddleware from plugins route, to avoid always retrieving when plugins are cached * chore: change `MongoUser` typedef to `IUser` * fix: Add `user` and `config` fields to ServerRequest and update JSDoc type annotations from Express.Request to ServerRequest * fix: remove unused setAppConfig mock from Server configuration tests 2025-08-26 12:10:18 -04:00			`async function validateImageRequest(req, res, next) {`
			`const appConfig = await getAppConfig({ role: req.user?.role });`
			`if (!appConfig.secureImageLinks) {`
🔓 refactor: Make Image URL Security Optional (#2415) 2024-04-14 19:34:13 -04:00			`return next();`
			`}`

🔒 feat: Authenticated Image Requests (#2389) * 🔒 feat: Authenticated Image Requests * fix: reserved keyword `static` 2024-04-11 02:50:57 -04:00			`const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;`
			`if (!refreshToken) {`
			`logger.warn('[validateImageRequest] Refresh token not provided');`
			`return res.status(401).send('Unauthorized');`
			`}`

			`let payload;`
			`try {`
			`payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);`
			`} catch (err) {`
			`logger.warn('[validateImageRequest]', err);`
			`return res.status(403).send('Access Denied');`
			`}`

🛡️ fix: Minor Vulnerabilities (#4543) * fix: ReDoS in ChatGPT Import * ci: should correctly process citations from real ChatGPT data * ci: Add ReDoS vulnerability test for processAssistantMessage * refactor: Update thread management and citation handling * refactor(validateImageRequest): robust validation * refactor(Prompt.js): update name search regex to escape special characters * refactor(Preset): exclude user from preset update to prevent mass assignment * refactor(files.js): Improve file deletion process * ci: updated validateImageRequest.spec.js * a11y: plugin pagination * refactor(CreatePromptForm.tsx): Improve input field styling * chore(Prompts): typing and accessibility * fix: prompt creation access role check * chore: remove duplicate jsdocs 2024-10-24 15:50:48 -04:00			`if (!isValidObjectId(payload.id)) {`
			`logger.warn('[validateImageRequest] Invalid User ID');`
			`return res.status(403).send('Access Denied');`
			`}`

🔒 feat: Authenticated Image Requests (#2389) * 🔒 feat: Authenticated Image Requests * fix: reserved keyword `static` 2024-04-11 02:50:57 -04:00			`const currentTimeInSeconds = Math.floor(Date.now() / 1000);`
			`if (payload.exp < currentTimeInSeconds) {`
			`logger.warn('[validateImageRequest] Refresh token expired');`
			`return res.status(403).send('Access Denied');`
			`}`

🔐 fix: Enhance Message & Image Access Security (#3363) * chore: slight refactor * fix: prevent message updates unless explicitly owned * refactor: rethrow errors, update deleteMessagesSince (not used), add basic tests * fix: Add path normalization and validation to image request middleware * fix: image validation path security 2024-07-17 09:51:03 -04:00			`const fullPath = decodeURIComponent(req.originalUrl);`
			const pathPattern = new RegExp(`^/images/${payload.id}/[^/]+$`);

			`if (pathPattern.test(fullPath)) {`
🔒 feat: Authenticated Image Requests (#2389) * 🔒 feat: Authenticated Image Requests * fix: reserved keyword `static` 2024-04-11 02:50:57 -04:00			`logger.debug('[validateImageRequest] Image request validated');`
			`next();`
			`} else {`
🔐 fix: Enhance Message & Image Access Security (#3363) * chore: slight refactor * fix: prevent message updates unless explicitly owned * refactor: rethrow errors, update deleteMessagesSince (not used), add basic tests * fix: Add path normalization and validation to image request middleware * fix: image validation path security 2024-07-17 09:51:03 -04:00			`logger.warn('[validateImageRequest] Invalid image path');`
🔒 feat: Authenticated Image Requests (#2389) * 🔒 feat: Authenticated Image Requests * fix: reserved keyword `static` 2024-04-11 02:50:57 -04:00			`res.status(403).send('Access Denied');`
			`}`
			`}`

			`module.exports = validateImageRequest;`