Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-28 06:08:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

feat: Refresh Token for improved Session Security (#927)

Browse source 
* feat(api): refresh token logic

* feat(client): refresh token logic

* feat(data-provider): refresh token logic

* fix: SSE uses esm

* chore: add default refresh token expiry to AuthService, add message about env var not set when generating a token

* chore: update scripts to more compatible bun methods, ran bun install again

* chore: update env.example and playwright workflow with JWT_REFRESH_SECRET

* chore: update breaking changes docs

* chore: add timeout to url visit

* chore: add default SESSION_EXPIRY in generateToken logic, add act script for testing github actions

* fix(e2e): refresh automatically in development environment to pass e2e tests
This commit is contained in:
Danny Avila 2023-09-11 13:10:46 -04:00 committed by GitHub
parent 75be9a3279
commit 33f087d38f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
31 changed files with 420 additions and 232 deletions
Download patch file Download diff file Expand all files Collapse all files

114
api/server/controllers/AuthController.js
View file

@ -1,19 +1,27 @@
const { registerUser, requestPasswordReset, resetPassword } = require('../services/AuthService');
const isProduction = process.env.NODE_ENV === 'production';
const {
registerUser,
requestPasswordReset,
resetPassword,
setAuthTokens,
} = require('../services/AuthService');
const jwt = require('jsonwebtoken');
const Session = require('../../models/Session');
const User = require('../../models/User');
const crypto = require('crypto');
const cookies = require('cookie');
const registrationController = async (req, res) => {
try {
const response = await registerUser(req.body);
if (response.status === 200) {
const { status, user } = response;
const token = user.generateToken();
//send token for automatic login
res.cookie('token', token, {
expires: new Date(Date.now() + eval(process.env.SESSION_EXPIRY)),
httpOnly: false,
secure: isProduction,
});
let newUser = await User.findOne({ _id: user._id });
if (!newUser) {
newUser = new User(user);
await newUser.save();
}
const token = await setAuthTokens(user._id, res);
res.setHeader('Authorization', `Bearer ${token}`);
res.status(status).send({ user });
} else {
const { status, message } = response;
@ -61,59 +69,47 @@ const resetPasswordController = async (req, res) => {
}
};
// const refreshController = async (req, res, next) => {
// const { signedCookies = {} } = req;
// const { refreshToken } = signedCookies;
// TODO
// if (refreshToken) {
// try {
// const payload = jwt.verify(refreshToken, process.env.REFRESH_TOKEN_SECRET);
// const userId = payload._id;
// User.findOne({ _id: userId }).then(
// (user) => {
// if (user) {
// // Find the refresh token against the user record in database
// const tokenIndex = user.refreshToken.findIndex(item => item.refreshToken === refreshToken);
const refreshController = async (req, res) => {
const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
if (!refreshToken) {
return res.status(200).send('Refresh token not provided');
}
// if (tokenIndex === -1) {
// res.statusCode = 401;
// res.send('Unauthorized');
// } else {
// const token = req.user.generateToken();
// // If the refresh token exists, then create new one and replace it.
// const newRefreshToken = req.user.generateRefreshToken();
// user.refreshToken[tokenIndex] = { refreshToken: newRefreshToken };
// user.save((err) => {
// if (err) {
// res.statusCode = 500;
// res.send(err);
// } else {
// // setTokenCookie(res, newRefreshToken);
// const user = req.user.toJSON();
// res.status(200).send({ token, user });
// }
// });
// }
// } else {
// res.statusCode = 401;
// res.send('Unauthorized');
// }
// },
// err => next(err)
// );
// } catch (err) {
// res.statusCode = 401;
// res.send('Unauthorized');
// }
// } else {
// res.statusCode = 401;
// res.send('Unauthorized');
// }
// };
try {
const payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
const userId = payload.id;
const user = await User.findOne({ _id: userId });
if (!user) {
return res.status(401).send('User not found');
}
if (process.env.NODE_ENV === 'development') {
const token = await setAuthTokens(userId, res);
const userObj = user.toJSON();
return res.status(200).send({ token, user: userObj });
}
// Hash the refresh token
const hash = crypto.createHash('sha256');
const hashedToken = hash.update(refreshToken).digest('hex');
// Find the session with the hashed refresh token
const session = await Session.findOne({ user: userId, refreshTokenHash: hashedToken });
if (session && session.expiration > new Date()) {
const token = await setAuthTokens(userId, res, session._id);
const userObj = user.toJSON();
res.status(200).send({ token, user: userObj });
} else {
res.status(401).send('Refresh token expired or not found for this user');
}
} catch (err) {
res.status(401).send('Invalid refresh token');
}
};
module.exports = {
getUserController,
// refreshController,
refreshController,
registrationController,
resetPasswordRequestController,
resetPasswordController,

11
api/server/controllers/auth/LoginController.js
View file

@ -1,4 +1,5 @@
const User = require('../../../models/User');
const { setAuthTokens } = require('../../services/AuthService');
const loginController = async (req, res) => {
try {
@ -10,15 +11,7 @@ const loginController = async (req, res) => {
return res.status(400).json({ message: 'Invalid credentials' });
}
const token = req.user.generateToken();
const expires = eval(process.env.SESSION_EXPIRY);
// Add token to cookie
res.cookie('token', token, {
expires: new Date(Date.now() + expires),
httpOnly: false,
secure: process.env.NODE_ENV === 'production',
});
const token = await setAuthTokens(user._id, res);
return res.status(200).send({ token, user });
} catch (err) {

7
api/server/controllers/auth/LogoutController.js
View file

@ -1,12 +1,11 @@
const { logoutUser } = require('../../services/AuthService');
const cookies = require('cookie');
const logoutController = async (req, res) => {
const { signedCookies = {} } = req;
const { refreshToken } = signedCookies;
const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
try {
const logout = await logoutUser(req.user, refreshToken);
const logout = await logoutUser(req.user._id, refreshToken);
const { status, message } = logout;
res.clearCookie('token');
res.clearCookie('refreshToken');
return res.status(status).send({ message });
} catch (err) {

4
api/server/routes/auth.js
View file

@ -2,7 +2,7 @@ const express = require('express');
const {
resetPasswordRequestController,
resetPasswordController,
// refreshController,
refreshController,
registrationController,
} = require('../controllers/AuthController');
const { loginController } = require('../controllers/auth/LoginController');
@ -20,7 +20,7 @@ const router = express.Router();
//Local
router.post('/logout', requireJwtAuth, logoutController);
router.post('/login', loginLimiter, requireLocalAuth, loginController);
// router.post('/refresh', requireJwtAuth, refreshController);
router.post('/refresh', refreshController);
router.post('/register', registerLimiter, validateRegistration, registrationController);
router.post('/requestPasswordReset', resetPasswordRequestController);
router.post('/resetPassword', resetPasswordController);

84
api/server/routes/oauth.js
View file

@ -1,17 +1,15 @@
const passport = require('passport');
const express = require('express');
const router = express.Router();
const { loginLimiter } = require('../middleware');
const config = require('../../../config/loader');
const { setAuthTokens } = require('../services/AuthService');
const domains = config.domains;
const isProduction = config.isProduction;
/**
* Google Routes
*/
router.get(
'/google',
loginLimiter,
passport.authenticate('google', {
scope: ['openid', 'profile', 'email'],
session: false,
@ -26,20 +24,18 @@ router.get(
session: false,
scope: ['openid', 'profile', 'email'],
}),
(req, res) => {
const token = req.user.generateToken();
res.cookie('token', token, {
expires: new Date(Date.now() + eval(process.env.SESSION_EXPIRY)),
httpOnly: false,
secure: isProduction,
});
res.redirect(domains.client);
async (req, res) => {
try {
await setAuthTokens(req.user._id, res);
res.redirect(domains.client);
} catch (err) {
console.error('Error in setting authentication tokens:', err);
}
},
);
router.get(
'/facebook',
loginLimiter,
passport.authenticate('facebook', {
scope: ['public_profile'],
profileFields: ['id', 'email', 'name'],
@ -56,20 +52,18 @@ router.get(
scope: ['public_profile'],
profileFields: ['id', 'email', 'name'],
}),
(req, res) => {
const token = req.user.generateToken();
res.cookie('token', token, {
expires: new Date(Date.now() + eval(process.env.SESSION_EXPIRY)),
httpOnly: false,
secure: isProduction,
});
res.redirect(domains.client);
async (req, res) => {
try {
await setAuthTokens(req.user._id, res);
res.redirect(domains.client);
} catch (err) {
console.error('Error in setting authentication tokens:', err);
}
},
);
router.get(
'/openid',
loginLimiter,
passport.authenticate('openid', {
session: false,
}),
@ -82,20 +76,18 @@ router.get(
failureMessage: true,
session: false,
}),
(req, res) => {
const token = req.user.generateToken();
res.cookie('token', token, {
expires: new Date(Date.now() + eval(process.env.SESSION_EXPIRY)),
httpOnly: false,
secure: isProduction,
});
res.redirect(domains.client);
async (req, res) => {
try {
await setAuthTokens(req.user._id, res);
res.redirect(domains.client);
} catch (err) {
console.error('Error in setting authentication tokens:', err);
}
},
);
router.get(
'/github',
loginLimiter,
passport.authenticate('github', {
scope: ['user:email', 'read:user'],
session: false,
@ -110,20 +102,17 @@ router.get(
session: false,
scope: ['user:email', 'read:user'],
}),
(req, res) => {
const token = req.user.generateToken();
res.cookie('token', token, {
expires: new Date(Date.now() + eval(process.env.SESSION_EXPIRY)),
httpOnly: false,
secure: isProduction,
});
res.redirect(domains.client);
async (req, res) => {
try {
await setAuthTokens(req.user._id, res);
res.redirect(domains.client);
} catch (err) {
console.error('Error in setting authentication tokens:', err);
}
},
);
router.get(
'/discord',
loginLimiter,
passport.authenticate('discord', {
scope: ['identify', 'email'],
session: false,
@ -138,14 +127,13 @@ router.get(
session: false,
scope: ['identify', 'email'],
}),
(req, res) => {
const token = req.user.generateToken();
res.cookie('token', token, {
expires: new Date(Date.now() + eval(process.env.SESSION_EXPIRY)),
httpOnly: false,
secure: isProduction,
});
res.redirect(domains.client);
async (req, res) => {
try {
await setAuthTokens(req.user._id, res);
res.redirect(domains.client);
} catch (err) {
console.error('Error in setting authentication tokens:', err);
}
},
);

69
api/server/services/AuthService.js
View file

@ -1,32 +1,36 @@
const crypto = require('crypto');
const bcrypt = require('bcryptjs');
const User = require('../../models/User');
const Session = require('../../models/Session');
const Token = require('../../models/schema/tokenSchema');
const { registerSchema } = require('../../strategies/validators');
const config = require('../../../config/loader');
const { sendEmail } = require('../utils');
const domains = config.domains;
const isProduction = config.isProduction;
/**
* Logout user
*
* @param {Object} user
* @param {String} userId
* @param {*} refreshToken
* @returns
*/
const logoutUser = async (user, refreshToken) => {
const logoutUser = async (userId, refreshToken) => {
try {
const userFound = await User.findById(user._id);
const tokenIndex = userFound.refreshToken.findIndex(
(item) => item.refreshToken === refreshToken,
);
const hash = crypto.createHash('sha256').update(refreshToken).digest('hex');
if (tokenIndex !== -1) {
userFound.refreshToken.id(userFound.refreshToken[tokenIndex]._id).remove();
// Find the session with the matching user and refreshTokenHash
const session = await Session.findOne({ user: userId, refreshTokenHash: hash });
if (session) {
try {
await Session.deleteOne({ _id: session._id });
} catch (deleteErr) {
console.error(deleteErr);
return { status: 500, message: 'Failed to delete session.' };
}
}
await userFound.save();
return { status: 200, message: 'Logout successful' };
} catch (err) {
return { status: 500, message: err.message };
@ -83,9 +87,6 @@ const registerUser = async (user) => {
role: isFirstRegisteredUser ? 'ADMIN' : 'USER',
});
// todo: implement refresh token
// const refreshToken = newUser.generateRefreshToken();
// newUser.refreshToken.push({ refreshToken });
const salt = bcrypt.genSaltSync(10);
const hash = bcrypt.hashSync(newUser.password, salt);
newUser.password = hash;
@ -188,9 +189,51 @@ const resetPassword = async (userId, token, password) => {
return { message: 'Password reset was successful' };
};
/**
* Set Auth Tokens
*
* @param {String} userId
* @param {Object} res
* @param {String} sessionId
* @returns
*/
const setAuthTokens = async (userId, res, sessionId = null) => {
try {
const user = await User.findOne({ _id: userId });
const token = await user.generateToken();
let session;
let refreshTokenExpires;
if (sessionId) {
session = await Session.findById(sessionId);
refreshTokenExpires = session.expiration.getTime();
} else {
session = new Session({ user: userId });
const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
const expires = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7;
refreshTokenExpires = Date.now() + expires;
}
const refreshToken = await session.generateRefreshToken();
res.cookie('refreshToken', refreshToken, {
expires: new Date(refreshTokenExpires),
httpOnly: true,
secure: isProduction,
sameSite: 'strict',
});
return token;
} catch (error) {
console.log('Error in setting authentication tokens:', error);
throw error;
}
};
module.exports = {
registerUser,
logoutUser,
requestPasswordReset,
resetPassword,
setAuthTokens,
};