From 494c6d25968bd03febb78531b9fddf733f7c0ec9 Mon Sep 17 00:00:00 2001
From: Danny Avila <danny@librechat.ai>
Date: Fri, 30 May 2025 14:38:01 -0400
Subject: [PATCH] refactor(crypto): reorganize token hashing and signing
 functionality

---
 api/models/inviteUser.js                     |  4 +--
 api/server/services/signPayload.js           | 26 --------------------
 api/server/utils/crypto.js                   |  7 ------
 api/strategies/openidStrategy.js             | 11 ++-------
 api/strategies/samlStrategy.js               |  3 +--
 packages/data-schemas/src/crypto/index.ts    | 17 +++++++++++++
 packages/data-schemas/src/index.ts           |  1 +
 packages/data-schemas/src/methods/session.ts |  2 +-
 packages/data-schemas/src/methods/user.ts    |  4 +--
 packages/data-schemas/src/schema/session.ts  | 18 +-------------
 10 files changed, 27 insertions(+), 66 deletions(-)
 delete mode 100644 api/server/services/signPayload.js
 create mode 100644 packages/data-schemas/src/crypto/index.ts

diff --git a/api/models/inviteUser.js b/api/models/inviteUser.js
index 295cdff87f..9f35b3f02b 100644
--- a/api/models/inviteUser.js
+++ b/api/models/inviteUser.js
@@ -1,6 +1,6 @@
 const mongoose = require('mongoose');
-const { logger } = require('@librechat/data-schemas');
-const { getRandomValues, hashToken } = require('~/server/utils/crypto');
+const { logger, hashToken } = require('@librechat/data-schemas');
+const { getRandomValues } = require('~/server/utils/crypto');
 const { createToken, findToken } = require('~/models');
 
 /**
diff --git a/api/server/services/signPayload.js b/api/server/services/signPayload.js
deleted file mode 100644
index a7bb0c64fc..0000000000
--- a/api/server/services/signPayload.js
+++ /dev/null
@@ -1,26 +0,0 @@
-const jwt = require('jsonwebtoken');
-
-/**
- * Signs a given payload using either the `jose` library (for Bun runtime) or `jsonwebtoken`.
- *
- * @async
- * @function
- * @param {Object} options - The options for signing the payload.
- * @param {Object} options.payload - The payload to be signed.
- * @param {string} options.secret - The secret key used for signing.
- * @param {number} options.expirationTime - The expiration time in seconds.
- * @returns {Promise<string>} Returns a promise that resolves to the signed JWT.
- * @throws {Error} Throws an error if there's an issue during signing.
- *
- * @example
- * const signedPayload = await signPayload({
- *   payload: { userId: 123 },
- *   secret: 'my-secret-key',
- *   expirationTime: 3600
- * });
- */
-async function signPayload({ payload, secret, expirationTime }) {
-  return jwt.sign(payload, secret, { expiresIn: expirationTime });
-}
-
-module.exports = signPayload;
diff --git a/api/server/utils/crypto.js b/api/server/utils/crypto.js
index 43662c3ef5..883129238c 100644
--- a/api/server/utils/crypto.js
+++ b/api/server/utils/crypto.js
@@ -106,12 +106,6 @@ function decryptV3(encryptedValue) {
   return decrypted.toString('utf8');
 }
 
-async function hashToken(str) {
-  const data = new TextEncoder().encode(str);
-  const hashBuffer = await webcrypto.subtle.digest('SHA-256', data);
-  return Buffer.from(hashBuffer).toString('hex');
-}
-
 async function getRandomValues(length) {
   if (!Number.isInteger(length) || length <= 0) {
     throw new Error('Length must be a positive integer');
@@ -141,7 +135,6 @@ module.exports = {
   decryptV2,
   encryptV3,
   decryptV3,
-  hashToken,
   hashBackupCode,
   getRandomValues,
 };
diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
index 60c9f2df07..2525258ad9 100644
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@@ -2,12 +2,13 @@ const fetch = require('node-fetch');
 const passport = require('passport');
 const client = require('openid-client');
 const jwtDecode = require('jsonwebtoken/decode');
-const { logger } = require('@librechat/data-schemas');
 const { CacheKeys } = require('librechat-data-provider');
 const { HttpsProxyAgent } = require('https-proxy-agent');
+const { hashToken, logger } = require('@librechat/data-schemas');
 const { Strategy: OpenIDStrategy } = require('openid-client/passport');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { findUser, createUser, updateUser } = require('~/models');
+const { getBalanceConfig } = require('~/server/services/Config');
 const getLogStores = require('~/cache/getLogStores');
 const { isEnabled } = require('~/server/utils');
 
@@ -36,8 +37,6 @@ class CustomOpenIDStrategy extends OpenIDStrategy {
   }
 }
 
-const { getBalanceConfig } = require('~/server/services/Config');
-
 let crypto;
 let webcrypto;
 try {
@@ -47,12 +46,6 @@ try {
   logger.error('[openidStrategy] crypto support is disabled!', err);
 }
 
-async function hashToken(str) {
-  const data = new TextEncoder().encode(str);
-  const hashBuffer = await webcrypto.subtle.digest('SHA-256', data);
-  return Buffer.from(hashBuffer).toString('hex');
-}
-
 /**
  * Exchange the access token for a new access token using the on-behalf-of flow if required.
  * @param {Configuration} config
diff --git a/api/strategies/samlStrategy.js b/api/strategies/samlStrategy.js
index a0793f1c83..ccbfc650c3 100644
--- a/api/strategies/samlStrategy.js
+++ b/api/strategies/samlStrategy.js
@@ -5,8 +5,7 @@ const passport = require('passport');
 const { Strategy: SamlStrategy } = require('@node-saml/passport-saml');
 const { findUser, createUser, updateUser } = require('~/models/userMethods');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
-const { hashToken } = require('~/server/utils/crypto');
-const { logger } = require('~/config');
+const { hashToken, logger } = require('@librechat/data-schemas');
 const paths = require('~/config/paths');
 
 let crypto;
diff --git a/packages/data-schemas/src/crypto/index.ts b/packages/data-schemas/src/crypto/index.ts
new file mode 100644
index 0000000000..b9118896f8
--- /dev/null
+++ b/packages/data-schemas/src/crypto/index.ts
@@ -0,0 +1,17 @@
+import jwt from 'jsonwebtoken';
+import { webcrypto } from 'node:crypto';
+import { SignPayloadParams } from '~/types';
+
+export async function signPayload({
+  payload,
+  secret,
+  expirationTime,
+}: SignPayloadParams): Promise<string> {
+  return jwt.sign(payload, secret!, { expiresIn: expirationTime });
+}
+
+export async function hashToken(str: string): Promise<string> {
+  const data = new TextEncoder().encode(str);
+  const hashBuffer = await webcrypto.subtle.digest('SHA-256', data);
+  return Buffer.from(hashBuffer).toString('hex');
+}
diff --git a/packages/data-schemas/src/index.ts b/packages/data-schemas/src/index.ts
index c1fc8a47d2..ca0b0b6d9b 100644
--- a/packages/data-schemas/src/index.ts
+++ b/packages/data-schemas/src/index.ts
@@ -1,3 +1,4 @@
+export * from './crypto';
 export { createModels } from './models';
 export { createMethods } from './methods';
 export type * from './types';
diff --git a/packages/data-schemas/src/methods/session.ts b/packages/data-schemas/src/methods/session.ts
index b301d988ba..8c44aa54db 100644
--- a/packages/data-schemas/src/methods/session.ts
+++ b/packages/data-schemas/src/methods/session.ts
@@ -1,5 +1,5 @@
 import type * as t from '~/types/session';
-import { signPayload, hashToken } from '~/schema/session';
+import { signPayload, hashToken } from '~/crypto';
 import logger from '~/config/winston';
 
 export class SessionError extends Error {
diff --git a/packages/data-schemas/src/methods/user.ts b/packages/data-schemas/src/methods/user.ts
index c9a79e2b67..5c7b2e40d8 100644
--- a/packages/data-schemas/src/methods/user.ts
+++ b/packages/data-schemas/src/methods/user.ts
@@ -1,6 +1,6 @@
 import mongoose, { FilterQuery } from 'mongoose';
-import { IUser, BalanceConfig, UserCreateData, UserUpdateResult } from '~/types';
-import { signPayload } from '~/schema/session';
+import type { IUser, BalanceConfig, UserCreateData, UserUpdateResult } from '~/types';
+import { signPayload } from '~/crypto';
 
 /** Factory function that takes mongoose instance and returns the methods */
 export function createUserMethods(mongoose: typeof import('mongoose')) {
diff --git a/packages/data-schemas/src/schema/session.ts b/packages/data-schemas/src/schema/session.ts
index 4797726cd7..9dc2d733a5 100644
--- a/packages/data-schemas/src/schema/session.ts
+++ b/packages/data-schemas/src/schema/session.ts
@@ -1,7 +1,5 @@
 import mongoose, { Schema } from 'mongoose';
-import jwt from 'jsonwebtoken';
-import { webcrypto } from 'node:crypto';
-import { ISession, SignPayloadParams } from '~/types';
+import { ISession } from '~/types';
 
 const sessionSchema: Schema<ISession> = new Schema({
   refreshTokenHash: {
@@ -20,18 +18,4 @@ const sessionSchema: Schema<ISession> = new Schema({
   },
 });
 
-export async function signPayload({
-  payload,
-  secret,
-  expirationTime,
-}: SignPayloadParams): Promise<string> {
-  return jwt.sign(payload, secret!, { expiresIn: expirationTime });
-}
-
-export async function hashToken(str: string): Promise<string> {
-  const data = new TextEncoder().encode(str);
-  const hashBuffer = await webcrypto.subtle.digest('SHA-256', data);
-  return Buffer.from(hashBuffer).toString('hex');
-}
-
 export default sessionSchema;