🔐 feat: Implement Allowed Action Domains (#4964)

* chore: RequestExecutor typing * feat: allowed action domains * fix: rename TAgentsEndpoint to TAssistantEndpoint in typedefs * chore: update librechat-data-provider version to 0.7.62
2026-01-11 04:58:51 +01:00 · 2024-12-12 12:52:42 -05:00 · 2024-12-12 12:52:42 -05:00 · 69bd8e3644
commit 69bd8e3644
parent e82af236bc
18 changed files with 364 additions and 97 deletions
--- a/packages/data-provider/src/actions.ts
+++ b/packages/data-provider/src/actions.ts
@ -201,15 +201,21 @@ class RequestExecutor {
      oauth_client_secret,
    } = metadata;

-    const isApiKey = api_key && type === AuthTypeEnum.ServiceHttp;
-    const isOAuth =
+    const isApiKey = api_key != null && api_key.length > 0 && type === AuthTypeEnum.ServiceHttp;
+    const isOAuth = !!(
+      oauth_client_id != null &&
      oauth_client_id &&
+      oauth_client_secret != null &&
      oauth_client_secret &&
      type === AuthTypeEnum.OAuth &&
+      authorization_url != null &&
      authorization_url &&
+      client_url != null &&
      client_url &&
+      scope != null &&
      scope &&
-      token_exchange_method;
+      token_exchange_method
+    );

    if (isApiKey && authorization_type === AuthorizationTypeEnum.Basic) {
      const basicToken = Buffer.from(api_key).toString('base64');
@ -219,11 +225,13 @@ class RequestExecutor {
    } else if (
      isApiKey &&
      authorization_type === AuthorizationTypeEnum.Custom &&
+      custom_auth_header != null &&
      custom_auth_header
    ) {
      this.authHeaders[custom_auth_header] = api_key;
    } else if (isOAuth) {
-      if (!this.authToken) {
+      const authToken = this.authToken ?? '';
+      if (!authToken) {
        const tokenResponse = await axios.post(
          client_url,
          {
--- a/packages/data-provider/src/config.ts
+++ b/packages/data-provider/src/config.ts
@ -471,6 +471,11 @@ export const configSchema = z.object({
      agents: true,
    }),
  fileStrategy: fileSourceSchema.default(FileSources.local),
+  actions: z
+    .object({
+      allowedDomains: z.array(z.string()).optional(),
+    })
+    .optional(),
  registration: z
    .object({
      socialLogins: z.array(z.string()).optional(),
@ -962,6 +967,10 @@ export enum ErrorTypes {
   * Invalid request error, API rejected request
   */
  INVALID_REQUEST = 'invalid_request_error',
+  /**
+   * Invalid action request error, likely not on list of allowed domains
+   */
+  INVALID_ACTION = 'invalid_action_error',
  /**
   * Invalid request error, API rejected request
   */