From 19320f2296c37f79f67eb5d9d7aa9f8b6839f773 Mon Sep 17 00:00:00 2001
From: Danny Avila <danny@librechat.ai>
Date: Thu, 10 Jul 2025 20:33:01 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=91=20feat:=20Base64=20Google=20Servic?=
 =?UTF-8?q?e=20Keys=20and=20Reliable=20Private=20Key=20Formats=20(#8385)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 packages/api/src/utils/key.test.ts | 85 ++++++++++++++++++++++++++++++
 packages/api/src/utils/key.ts      | 45 ++++++++++++++--
 2 files changed, 126 insertions(+), 4 deletions(-)

diff --git a/packages/api/src/utils/key.test.ts b/packages/api/src/utils/key.test.ts
index aa55cfbedf..29f34addee 100644
--- a/packages/api/src/utils/key.test.ts
+++ b/packages/api/src/utils/key.test.ts
@@ -94,4 +94,89 @@ describe('loadServiceKey', () => {
     const result = await loadServiceKey(JSON.stringify(invalidServiceKey));
     expect(result).toEqual(invalidServiceKey); // It returns the object as-is, validation is minimal
   });
+
+  it('should handle escaped newlines in private key from AWS Secrets Manager', async () => {
+    const serviceKeyWithEscapedNewlines = {
+      ...mockServiceKey,
+      private_key: '-----BEGIN PRIVATE KEY-----\\ntest-key\\n-----END PRIVATE KEY-----',
+    };
+    const jsonString = JSON.stringify(serviceKeyWithEscapedNewlines);
+
+    const result = await loadServiceKey(jsonString);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(
+      '-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
+    );
+  });
+
+  it('should handle double-escaped newlines in private key', async () => {
+    // When you have \\n in JavaScript, JSON.stringify converts it to \\\\n
+    // But we want to test the case where the JSON string contains \\n (single backslash + n)
+    const serviceKeyWithEscapedNewlines = {
+      ...mockServiceKey,
+      private_key: '-----BEGIN PRIVATE KEY-----\\ntest-key\\n-----END PRIVATE KEY-----',
+    };
+    // This will create a JSON string where the private_key contains literal \n (backslash-n)
+    const jsonString = JSON.stringify(serviceKeyWithEscapedNewlines);
+
+    const result = await loadServiceKey(jsonString);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(
+      '-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
+    );
+  });
+
+  it('should handle private key without any newlines', async () => {
+    const serviceKeyWithoutNewlines = {
+      ...mockServiceKey,
+      private_key: '-----BEGIN PRIVATE KEY-----test-key-----END PRIVATE KEY-----',
+    };
+    const jsonString = JSON.stringify(serviceKeyWithoutNewlines);
+
+    const result = await loadServiceKey(jsonString);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(
+      '-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
+    );
+  });
+
+  it('should not modify private key that already has proper formatting', async () => {
+    const jsonString = JSON.stringify(mockServiceKey);
+
+    const result = await loadServiceKey(jsonString);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(mockServiceKey.private_key);
+  });
+
+  it('should handle base64 encoded service key', async () => {
+    const jsonString = JSON.stringify(mockServiceKey);
+    const base64Encoded = Buffer.from(jsonString).toString('base64');
+
+    const result = await loadServiceKey(base64Encoded);
+    expect(result).not.toBeNull();
+    expect(result).toEqual(mockServiceKey);
+  });
+
+  it('should handle base64 encoded service key with escaped newlines', async () => {
+    const serviceKeyWithEscapedNewlines = {
+      ...mockServiceKey,
+      private_key: '-----BEGIN PRIVATE KEY-----\\ntest-key\\n-----END PRIVATE KEY-----',
+    };
+    const jsonString = JSON.stringify(serviceKeyWithEscapedNewlines);
+    const base64Encoded = Buffer.from(jsonString).toString('base64');
+
+    const result = await loadServiceKey(base64Encoded);
+    expect(result).not.toBeNull();
+    expect(result?.private_key).toBe(
+      '-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
+    );
+  });
+
+  it('should handle invalid base64 strings gracefully', async () => {
+    // This looks like base64 but isn't valid
+    const invalidBase64 = 'SGVsbG8gV29ybGQ='; // "Hello World" in base64, not valid JSON
+
+    const result = await loadServiceKey(invalidBase64);
+    expect(result).toBeNull();
+  });
 });
diff --git a/packages/api/src/utils/key.ts b/packages/api/src/utils/key.ts
index f0ccb3e451..086e74c06e 100644
--- a/packages/api/src/utils/key.ts
+++ b/packages/api/src/utils/key.ts
@@ -29,8 +29,20 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
 
   let serviceKey: unknown;
 
+  // Check if it's base64 encoded (common pattern for storing in env vars)
+  if (keyPath.trim().match(/^[A-Za-z0-9+/]+=*$/)) {
+    try {
+      const decoded = Buffer.from(keyPath.trim(), 'base64').toString('utf-8');
+      // Try to parse the decoded string as JSON
+      serviceKey = JSON.parse(decoded);
+    } catch {
+      // Not base64 or not valid JSON after decoding, continue with other methods
+      // Silent failure - not critical
+    }
+  }
+
   // Check if it's a stringified JSON (starts with '{')
-  if (keyPath.trim().startsWith('{')) {
+  if (!serviceKey && keyPath.trim().startsWith('{')) {
     try {
       serviceKey = JSON.parse(keyPath);
     } catch (error) {
@@ -39,7 +51,7 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
     }
   }
   // Check if it's a URL
-  else if (/^https?:\/\//.test(keyPath)) {
+  else if (!serviceKey && /^https?:\/\//.test(keyPath)) {
     try {
       const response = await axios.get(keyPath);
       serviceKey = response.data;
@@ -47,7 +59,7 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
       logger.error(`Failed to fetch the service key from URL: ${keyPath}`, error);
       return null;
     }
-  } else {
+  } else if (!serviceKey) {
     // It's a file path
     try {
       const absolutePath = path.isAbsolute(keyPath) ? keyPath : path.resolve(keyPath);
@@ -75,5 +87,30 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
     return null;
   }
 
-  return serviceKey as GoogleServiceKey;
+  // Fix private key formatting if needed
+  const key = serviceKey as GoogleServiceKey;
+  if (key.private_key && typeof key.private_key === 'string') {
+    // Replace escaped newlines with actual newlines
+    // When JSON.parse processes "\\n", it becomes "\n" (single backslash + n)
+    // When JSON.parse processes "\n", it becomes an actual newline character
+    key.private_key = key.private_key.replace(/\\n/g, '\n');
+
+    // Also handle the String.raw`\n` case mentioned in Stack Overflow
+    key.private_key = key.private_key.split(String.raw`\n`).join('\n');
+
+    // Ensure proper PEM format
+    if (!key.private_key.includes('\n')) {
+      // If no newlines are present, try to format it properly
+      const privateKeyMatch = key.private_key.match(
+        /^(-----BEGIN [A-Z ]+-----)(.*)(-----END [A-Z ]+-----)$/,
+      );
+      if (privateKeyMatch) {
+        const [, header, body, footer] = privateKeyMatch;
+        // Add newlines after header and before footer
+        key.private_key = `${header}\n${body}\n${footer}`;
+      }
+    }
+  }
+
+  return key;
 }