🔒 feat: password reset disable option; fix: account email error message (#2327)

* feat: password reset disable option; fix: account email leak * fix(LoginSpec): typo * test: fixed LoginForm test * fix: disable password reset when undefined * refactor: use a helper function * fix: tests * feat: Remove unused error message in password reset process * chore: Update password reset email message * refactor: only allow password reset if explicitly allowed * feat: Add password reset email service configuration check The code changes in `checks.js` add a new function `checkPasswordReset()` that checks if the email service is configured when password reset is enabled. If the email service is not configured, a warning message is logged. This change ensures secure password reset functionality by prompting the user to configure the email service. Co-authored-by: Berry-13 <root@Berry> Co-authored-by: Danny Avila <messagedaniel@protonmail.com> Co-authored-by: Danny Avila <danny@librechat.ai> * chore: remove import order rules * refactor: simplify password reset logic and align against Observable Response Discrepancy * chore: make password reset warning more prominent * chore(AuthService): better logging for password resets, refactor requestPasswordReset to use req object, fix sendEmail error when email config is not present * refactor: fix styling of password reset email message * chore: add missing type for passwordResetEnabled, TStartupConfig * fix(LoginForm): prevent login form flickering * fix(ci): Update login form to use mocked startupConfig for rendering correctly * refactor: Improve password reset UI, applies DRY * chore: Add logging to password reset validation middleware * chore(CONTRIBUTING): Update import order conventions --------- Co-authored-by: Danny Avila <danny@librechat.ai> Co-authored-by: Berry-13 <root@Berry> Co-authored-by: Danny Avila <messagedaniel@protonmail.com>
2025-12-23 20:00:15 +01:00 · 2024-06-06 17:39:36 +02:00 · 2024-06-06 17:39:36 +02:00 · 5452d4c20c
commit 5452d4c20c
parent a7f5b57272
20 changed files with 288 additions and 137 deletions
--- a/api/server/routes/tests/config.spec.js
+++ b/api/server/routes/tests/config.spec.js
@ -25,6 +25,7 @@ afterEach(() => {
  delete process.env.DOMAIN_SERVER;
  delete process.env.ALLOW_REGISTRATION;
  delete process.env.ALLOW_SOCIAL_LOGIN;
+  delete process.env.ALLOW_PASSWORD_RESET;
  delete process.env.LDAP_URL;
  delete process.env.LDAP_BIND_DN;
  delete process.env.LDAP_BIND_CREDENTIALS;
@ -55,6 +56,7 @@ describe.skip('GET /', () => {
    process.env.DOMAIN_SERVER = 'http://test-server.com';
    process.env.ALLOW_REGISTRATION = 'true';
    process.env.ALLOW_SOCIAL_LOGIN = 'true';
+    process.env.ALLOW_PASSWORD_RESET = 'true';
    process.env.LDAP_URL = 'Test LDAP URL';
    process.env.LDAP_BIND_DN = 'Test LDAP Bind DN';
    process.env.LDAP_BIND_CREDENTIALS = 'Test LDAP Bind Credentials';
@ -78,6 +80,7 @@ describe.skip('GET /', () => {
      serverDomain: 'http://test-server.com',
      emailLoginEnabled: 'true',
      registrationEnabled: 'true',
+      passwordResetEnabled: 'true',
      socialLoginEnabled: 'true',
    });
  });
--- a/api/server/routes/auth.js
+++ b/api/server/routes/auth.js
@ -15,6 +15,7 @@ const {
  requireLdapAuth,
  requireLocalAuth,
  validateRegistration,
+  validatePasswordReset,
 } = require('../middleware');

 const router = express.Router();
@ -32,7 +33,12 @@ router.post(
 );
 router.post('/refresh', refreshController);
 router.post('/register', registerLimiter, checkBan, validateRegistration, registrationController);
-router.post('/requestPasswordReset', resetPasswordRequestController);
-router.post('/resetPassword', resetPasswordController);
+router.post(
+  '/requestPasswordReset',
+  checkBan,
+  validatePasswordReset,
+  resetPasswordRequestController,
+);
+router.post('/resetPassword', checkBan, validatePasswordReset, resetPasswordController);

 module.exports = router;
--- a/api/server/routes/config.js
+++ b/api/server/routes/config.js
@ -6,6 +6,7 @@ const { logger } = require('~/config');
 const router = express.Router();
 const emailLoginEnabled =
  process.env.ALLOW_EMAIL_LOGIN === undefined || isEnabled(process.env.ALLOW_EMAIL_LOGIN);
+const passwordResetEnabled = isEnabled(process.env.ALLOW_PASSWORD_RESET);

 router.get('/', async function (req, res) {
  const isBirthday = () => {
@ -42,6 +43,7 @@ router.get('/', async function (req, res) {
        !!process.env.EMAIL_USERNAME &&
        !!process.env.EMAIL_PASSWORD &&
        !!process.env.EMAIL_FROM,
+      passwordResetEnabled,
      checkBalance: isEnabled(process.env.CHECK_BALANCE),
      showBirthdayIcon:
        isBirthday() ||