Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-18 09:20:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

🔑 feat: Base64 Google Service Keys and Reliable Private Key Formats (#8385)

Browse source
This commit is contained in:
Danny Avila 2025-07-10 20:33:01 -04:00 committed by GitHub
parent 8523074e87
commit 19320f2296
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 126 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

85
packages/api/src/utils/key.test.ts
View file

@ -94,4 +94,89 @@ describe('loadServiceKey', () => {
const result = await loadServiceKey(JSON.stringify(invalidServiceKey)); const result = await loadServiceKey(JSON.stringify(invalidServiceKey));
expect(result).toEqual(invalidServiceKey); // It returns the object as-is, validation is minimal expect(result).toEqual(invalidServiceKey); // It returns the object as-is, validation is minimal
}); });
it('should handle escaped newlines in private key from AWS Secrets Manager', async () => {
const serviceKeyWithEscapedNewlines = {
...mockServiceKey,
private_key: '-----BEGIN PRIVATE KEY-----\\ntest-key\\n-----END PRIVATE KEY-----',
};
const jsonString = JSON.stringify(serviceKeyWithEscapedNewlines);
const result = await loadServiceKey(jsonString);
expect(result).not.toBeNull();
expect(result?.private_key).toBe(
'-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
);
});
it('should handle double-escaped newlines in private key', async () => {
// When you have \\n in JavaScript, JSON.stringify converts it to \\\\n
// But we want to test the case where the JSON string contains \\n (single backslash + n)
const serviceKeyWithEscapedNewlines = {
...mockServiceKey,
private_key: '-----BEGIN PRIVATE KEY-----\\ntest-key\\n-----END PRIVATE KEY-----',
};
// This will create a JSON string where the private_key contains literal \n (backslash-n)
const jsonString = JSON.stringify(serviceKeyWithEscapedNewlines);
const result = await loadServiceKey(jsonString);
expect(result).not.toBeNull();
expect(result?.private_key).toBe(
'-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
);
});
it('should handle private key without any newlines', async () => {
const serviceKeyWithoutNewlines = {
...mockServiceKey,
private_key: '-----BEGIN PRIVATE KEY-----test-key-----END PRIVATE KEY-----',
};
const jsonString = JSON.stringify(serviceKeyWithoutNewlines);
const result = await loadServiceKey(jsonString);
expect(result).not.toBeNull();
expect(result?.private_key).toBe(
'-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
);
});
it('should not modify private key that already has proper formatting', async () => {
const jsonString = JSON.stringify(mockServiceKey);
const result = await loadServiceKey(jsonString);
expect(result).not.toBeNull();
expect(result?.private_key).toBe(mockServiceKey.private_key);
});
it('should handle base64 encoded service key', async () => {
const jsonString = JSON.stringify(mockServiceKey);
const base64Encoded = Buffer.from(jsonString).toString('base64');
const result = await loadServiceKey(base64Encoded);
expect(result).not.toBeNull();
expect(result).toEqual(mockServiceKey);
});
it('should handle base64 encoded service key with escaped newlines', async () => {
const serviceKeyWithEscapedNewlines = {
...mockServiceKey,
private_key: '-----BEGIN PRIVATE KEY-----\\ntest-key\\n-----END PRIVATE KEY-----',
};
const jsonString = JSON.stringify(serviceKeyWithEscapedNewlines);
const base64Encoded = Buffer.from(jsonString).toString('base64');
const result = await loadServiceKey(base64Encoded);
expect(result).not.toBeNull();
expect(result?.private_key).toBe(
'-----BEGIN PRIVATE KEY-----\ntest-key\n-----END PRIVATE KEY-----',
);
});
it('should handle invalid base64 strings gracefully', async () => {
// This looks like base64 but isn't valid
const invalidBase64 = 'SGVsbG8gV29ybGQ='; // "Hello World" in base64, not valid JSON
const result = await loadServiceKey(invalidBase64);
expect(result).toBeNull();
});
}); });

45
packages/api/src/utils/key.ts
View file

@ -29,8 +29,20 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
let serviceKey: unknown; let serviceKey: unknown;
// Check if it's base64 encoded (common pattern for storing in env vars)
if (keyPath.trim().match(/^[A-Za-z0-9+/]+=*$/)) {
try {
const decoded = Buffer.from(keyPath.trim(), 'base64').toString('utf-8');
// Try to parse the decoded string as JSON
serviceKey = JSON.parse(decoded);
} catch {
// Not base64 or not valid JSON after decoding, continue with other methods
// Silent failure - not critical
}
}
// Check if it's a stringified JSON (starts with '{') // Check if it's a stringified JSON (starts with '{')
if (keyPath.trim().startsWith('{')) { if (!serviceKey && keyPath.trim().startsWith('{')) {
try { try {
serviceKey = JSON.parse(keyPath); serviceKey = JSON.parse(keyPath);
} catch (error) { } catch (error) {
@ -39,7 +51,7 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
} }
} }
// Check if it's a URL // Check if it's a URL
else if (/^https?:\/\//.test(keyPath)) { else if (!serviceKey && /^https?:\/\//.test(keyPath)) {
try { try {
const response = await axios.get(keyPath); const response = await axios.get(keyPath);
serviceKey = response.data; serviceKey = response.data;
@ -47,7 +59,7 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
logger.error(`Failed to fetch the service key from URL: ${keyPath}`, error); logger.error(`Failed to fetch the service key from URL: ${keyPath}`, error);
return null; return null;
} }
} else { } else if (!serviceKey) {
// It's a file path // It's a file path
try { try {
const absolutePath = path.isAbsolute(keyPath) ? keyPath : path.resolve(keyPath); const absolutePath = path.isAbsolute(keyPath) ? keyPath : path.resolve(keyPath);
@ -75,5 +87,30 @@ export async function loadServiceKey(keyPath: string): Promise<GoogleServiceKey
return null; return null;
} }
return serviceKey as GoogleServiceKey; // Fix private key formatting if needed
const key = serviceKey as GoogleServiceKey;
if (key.private_key && typeof key.private_key === 'string') {
// Replace escaped newlines with actual newlines
// When JSON.parse processes "\\n", it becomes "\n" (single backslash + n)
// When JSON.parse processes "\n", it becomes an actual newline character
key.private_key = key.private_key.replace(/\\n/g, '\n');
// Also handle the String.raw`\n` case mentioned in Stack Overflow
key.private_key = key.private_key.split(String.raw`\n`).join('\n');
// Ensure proper PEM format
if (!key.private_key.includes('\n')) {
// If no newlines are present, try to format it properly
const privateKeyMatch = key.private_key.match(
/^(-----BEGIN [A-Z ]+-----)(.*)(-----END [A-Z ]+-----)$/,
);
if (privateKeyMatch) {
const [, header, body, footer] = privateKeyMatch;
// Add newlines after header and before footer
key.private_key = `${header}\n${body}\n${footer}`;
}
}
}
return key;
} }