🛂 feat: Added Security for Conversation Access (#3588)

* 🛂 feat: Added Security for Conversation Access

* refactor: Update concurrentLimiter and convoAccess middleware to use isEnabled function for Redis check

* refactor: handle access check even if cache is not available (edge case)

api/server/routes/ask/index.js

@@ -12,9 +12,10 @@ const {
   uaParser,
   checkBan,
   requireJwtAuth,
-  concurrentLimiter,
   messageIpLimiter,
+  concurrentLimiter,
   messageUserLimiter,
+  validateConvoAccess,
 } = require('~/server/middleware');
 
 const { LIMIT_CONCURRENT_MESSAGES, LIMIT_MESSAGE_IP, LIMIT_MESSAGE_USER } = process.env ?? {};
@@ -37,6 +38,8 @@ if (isEnabled(LIMIT_MESSAGE_USER)) {
   router.use(messageUserLimiter);
 }
 
+router.use(validateConvoAccess);
+
 router.use([`/${EModelEndpoint.azureOpenAI}`, `/${EModelEndpoint.openAI}`], openAI);
 router.use(`/${EModelEndpoint.chatGPTBrowser}`, askChatGPTBrowser);
 router.use(`/${EModelEndpoint.gptPlugins}`, gptPlugins);

api/server/routes/assistants/chatV1.js

@@ -8,6 +8,7 @@ const {
   // validateEndpoint,
   buildEndpointOption,
 } = require('~/server/middleware');
+const validateConvoAccess = require('~/server/middleware/validate/convoAccess');
 const validateAssistant = require('~/server/middleware/assistants/validate');
 const chatController = require('~/server/controllers/assistants/chatV1');
 
@@ -21,6 +22,14 @@ router.post('/abort', handleAbort());
  * @param {express.Response} res - The response object, used to send back a response.
  * @returns {void}
  */
-router.post('/', validateModel, buildEndpointOption, validateAssistant, setHeaders, chatController);
+router.post(
+  '/',
+  validateModel,
+  buildEndpointOption,
+  validateAssistant,
+  validateConvoAccess,
+  setHeaders,
+  chatController,
+);
 
 module.exports = router;

api/server/routes/assistants/chatV2.js

@@ -8,6 +8,7 @@ const {
   // validateEndpoint,
   buildEndpointOption,
 } = require('~/server/middleware');
+const validateConvoAccess = require('~/server/middleware/validate/convoAccess');
 const validateAssistant = require('~/server/middleware/assistants/validate');
 const chatController = require('~/server/controllers/assistants/chatV2');
 
@@ -21,6 +22,14 @@ router.post('/abort', handleAbort());
  * @param {express.Response} res - The response object, used to send back a response.
  * @returns {void}
  */
-router.post('/', validateModel, buildEndpointOption, validateAssistant, setHeaders, chatController);
+router.post(
+  '/',
+  validateModel,
+  buildEndpointOption,
+  validateAssistant,
+  validateConvoAccess,
+  setHeaders,
+  chatController,
+);
 
 module.exports = router;

api/server/routes/assistants/index.js

@@ -1,13 +1,6 @@
 const express = require('express');
 const router = express.Router();
-const {
-  uaParser,
-  checkBan,
-  requireJwtAuth,
-  // concurrentLimiter,
-  // messageIpLimiter,
-  // messageUserLimiter,
-} = require('~/server/middleware');
+const { uaParser, checkBan, requireJwtAuth } = require('~/server/middleware');
 
 const v1 = require('./v1');
 const chatV1 = require('./chatV1');

api/server/routes/edit/index.js

@@ -13,6 +13,7 @@ const {
   messageIpLimiter,
   concurrentLimiter,
   messageUserLimiter,
+  validateConvoAccess,
 } = require('~/server/middleware');
 
 const { LIMIT_CONCURRENT_MESSAGES, LIMIT_MESSAGE_IP, LIMIT_MESSAGE_USER } = process.env ?? {};
@@ -35,6 +36,8 @@ if (isEnabled(LIMIT_MESSAGE_USER)) {
   router.use(messageUserLimiter);
 }
 
+router.use(validateConvoAccess);
+
 router.use([`/${EModelEndpoint.azureOpenAI}`, `/${EModelEndpoint.openAI}`], openAI);
 router.use(`/${EModelEndpoint.gptPlugins}`, gptPlugins);
 router.use(`/${EModelEndpoint.anthropic}`, anthropic);