🔒 feat: password reset disable option; fix: account email error message (#2327)

* feat: password reset disable option; fix: account email leak * fix(LoginSpec): typo * test: fixed LoginForm test * fix: disable password reset when undefined * refactor: use a helper function * fix: tests * feat: Remove unused error message in password reset process * chore: Update password reset email message * refactor: only allow password reset if explicitly allowed * feat: Add password reset email service configuration check The code changes in `checks.js` add a new function `checkPasswordReset()` that checks if the email service is configured when password reset is enabled. If the email service is not configured, a warning message is logged. This change ensures secure password reset functionality by prompting the user to configure the email service. Co-authored-by: Berry-13 <root@Berry> Co-authored-by: Danny Avila <messagedaniel@protonmail.com> Co-authored-by: Danny Avila <danny@librechat.ai> * chore: remove import order rules * refactor: simplify password reset logic and align against Observable Response Discrepancy * chore: make password reset warning more prominent * chore(AuthService): better logging for password resets, refactor requestPasswordReset to use req object, fix sendEmail error when email config is not present * refactor: fix styling of password reset email message * chore: add missing type for passwordResetEnabled, TStartupConfig * fix(LoginForm): prevent login form flickering * fix(ci): Update login form to use mocked startupConfig for rendering correctly * refactor: Improve password reset UI, applies DRY * chore: Add logging to password reset validation middleware * chore(CONTRIBUTING): Update import order conventions --------- Co-authored-by: Danny Avila <danny@librechat.ai> Co-authored-by: Berry-13 <root@Berry> Co-authored-by: Danny Avila <messagedaniel@protonmail.com>
2025-09-22 06:00:56 +02:00 · 2024-06-06 17:39:36 +02:00 · 2024-06-06 17:39:36 +02:00 · 5452d4c20c
commit 5452d4c20c
parent a7f5b57272
20 changed files with 288 additions and 137 deletions
--- a/api/server/services/AuthService.js
+++ b/api/server/services/AuthService.js
@ -16,6 +16,19 @@ const domains = {

 const isProduction = process.env.NODE_ENV === 'production';

+/**
+ * Check if email configuration is set
+ * @returns {Boolean}
+ */
+function checkEmailConfig() {
+  return (
+    (!!process.env.EMAIL_SERVICE || !!process.env.EMAIL_HOST) &&
+    !!process.env.EMAIL_USERNAME &&
+    !!process.env.EMAIL_PASSWORD &&
+    !!process.env.EMAIL_FROM
+  );
+}
+
 /**
 * Logout user
 *
@ -114,14 +127,20 @@ const registerUser = async (user) => {

 /**
 * Request password reset
- *
- * @param {String} email
- * @returns
+ * @param {Express.Request} req
 */
-const requestPasswordReset = async (email) => {
+const requestPasswordReset = async (req) => {
+  const { email } = req.body;
  const user = await User.findOne({ email }).lean();
+  const emailEnabled = checkEmailConfig();
+
+  logger.warn(`[requestPasswordReset] [Password reset request initiated] [Email: ${email}]`);
+
  if (!user) {
-    return new Error('Email does not exist');
+    logger.warn(`[requestPasswordReset] [No user found] [Email: ${email}] [IP: ${req.ip}]`);
+    return {
+      message: 'If an account with that email exists, a password reset link has been sent to it.',
+    };
  }

  let token = await Token.findOne({ userId: user._id });
@ -140,12 +159,6 @@ const requestPasswordReset = async (email) => {

  const link = `${domains.client}/reset-password?token=${resetToken}&userId=${user._id}`;

-  const emailEnabled =
-    (!!process.env.EMAIL_SERVICE || !!process.env.EMAIL_HOST) &&
-    !!process.env.EMAIL_USERNAME &&
-    !!process.env.EMAIL_PASSWORD &&
-    !!process.env.EMAIL_FROM;
-
  if (emailEnabled) {
    sendEmail(
      user.email,
@ -158,10 +171,19 @@ const requestPasswordReset = async (email) => {
      },
      'requestPasswordReset.handlebars',
    );
-    return { link: '' };
+    logger.info(
+      `[requestPasswordReset] Link emailed. [Email: ${email}] [ID: ${user._id}] [IP: ${req.ip}]`,
+    );
  } else {
+    logger.info(
+      `[requestPasswordReset] Link issued. [Email: ${email}] [ID: ${user._id}] [IP: ${req.ip}]`,
+    );
    return { link };
  }
+
+  return {
+    message: 'If an account with that email exists, a password reset link has been sent to it.',
+  };
 };

 /**
@ -190,20 +212,23 @@ const resetPassword = async (userId, token, password) => {
  await User.updateOne({ _id: userId }, { $set: { password: hash } }, { new: true });

  const user = await User.findById({ _id: userId });
+  const emailEnabled = checkEmailConfig();

-  sendEmail(
-    user.email,
-    'Password Reset Successfully',
-    {
-      appName: process.env.APP_TITLE || 'LibreChat',
-      name: user.name,
-      year: new Date().getFullYear(),
-    },
-    'passwordReset.handlebars',
-  );
+  if (emailEnabled) {
+    sendEmail(
+      user.email,
+      'Password Reset Successfully',
+      {
+        appName: process.env.APP_TITLE || 'LibreChat',
+        name: user.name,
+        year: new Date().getFullYear(),
+      },
+      'passwordReset.handlebars',
+    );
+  }

  await passwordResetToken.deleteOne();
-
+  logger.info(`[resetPassword] Password reset successful. [Email: ${user.email}]`);
  return { message: 'Password reset was successful' };
 };