🔒 feat: password reset disable option; fix: account email error message (#2327)

* feat: password reset disable option; fix: account email leak * fix(LoginSpec): typo * test: fixed LoginForm test * fix: disable password reset when undefined * refactor: use a helper function * fix: tests * feat: Remove unused error message in password reset process * chore: Update password reset email message * refactor: only allow password reset if explicitly allowed * feat: Add password reset email service configuration check The code changes in `checks.js` add a new function `checkPasswordReset()` that checks if the email service is configured when password reset is enabled. If the email service is not configured, a warning message is logged. This change ensures secure password reset functionality by prompting the user to configure the email service. Co-authored-by: Berry-13 <root@Berry> Co-authored-by: Danny Avila <messagedaniel@protonmail.com> Co-authored-by: Danny Avila <danny@librechat.ai> * chore: remove import order rules * refactor: simplify password reset logic and align against Observable Response Discrepancy * chore: make password reset warning more prominent * chore(AuthService): better logging for password resets, refactor requestPasswordReset to use req object, fix sendEmail error when email config is not present * refactor: fix styling of password reset email message * chore: add missing type for passwordResetEnabled, TStartupConfig * fix(LoginForm): prevent login form flickering * fix(ci): Update login form to use mocked startupConfig for rendering correctly * refactor: Improve password reset UI, applies DRY * chore: Add logging to password reset validation middleware * chore(CONTRIBUTING): Update import order conventions --------- Co-authored-by: Danny Avila <danny@librechat.ai> Co-authored-by: Berry-13 <root@Berry> Co-authored-by: Danny Avila <messagedaniel@protonmail.com>
2025-12-22 11:20:15 +01:00 · 2024-06-06 17:39:36 +02:00 · 2024-06-06 17:39:36 +02:00 · 5452d4c20c
commit 5452d4c20c
parent a7f5b57272
20 changed files with 288 additions and 137 deletions
--- a/api/server/services/start/checks.js
+++ b/api/server/services/start/checks.js
@ -3,6 +3,7 @@ const {
  deprecatedAzureVariables,
  conflictingAzureVariables,
 } = require('librechat-data-provider');
+const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');

 const secretDefaults = {
@ -49,6 +50,8 @@ function checkVariables() {
      Please use the config (\`librechat.yaml\`) file for setting up OpenRouter, and use \`OPENROUTER_KEY\` or another environment variable instead.`,
    );
  }
+
+  checkPasswordReset();
 }

 /**
@ -107,4 +110,30 @@ Latest version: ${Constants.CONFIG_VERSION}
  }
 }

+function checkPasswordReset() {
+  const emailEnabled =
+    (!!process.env.EMAIL_SERVICE || !!process.env.EMAIL_HOST) &&
+    !!process.env.EMAIL_USERNAME &&
+    !!process.env.EMAIL_PASSWORD &&
+    !!process.env.EMAIL_FROM;
+
+  const passwordResetAllowed = isEnabled(process.env.ALLOW_PASSWORD_RESET);
+
+  if (!emailEnabled && passwordResetAllowed) {
+    logger.warn(
+      `❗❗❗
+
+      Password reset is enabled with \`ALLOW_PASSWORD_RESET\` but email service is not configured.
+      
+      This setup is insecure as password reset links will be issued with a recognized email.
+      
+      Please configure email service for secure password reset functionality.
+      
+      https://www.librechat.ai/docs/configuration/authentication/password_reset
+
+      ❗❗❗`,
+    );
+  }
+}
+
 module.exports = { checkVariables, checkHealth, checkConfig, checkAzureVariables };