Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-01-26 04:06:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

🧮 refactor: Replace Eval with Safe Math Expression Parser (#11098)

Browse source 
* chore: Add mathjs dependency

* refactor: Replace eval with mathjs for safer expression evaluation and improve session expiry handling to not environment variables from data-schemas package

* test: Add integration tests for math function with environment variable expressions

* refactor: Update test description for clarity on expiresIn behavior

* refactor: Update test cases to clarify default expiration behavior for token generation

* refactor: Improve error handling in math function for clearer evaluation errors
This commit is contained in:
Danny Avila 2025-12-25 12:25:41 -05:00 committed by GitHub
parent d0863de8d4
commit 6ffb176056
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 602 additions and 85 deletions
Download patch file Download diff file Expand all files Collapse all files

17
packages/data-schemas/src/methods/session.ts
View file

@ -12,8 +12,8 @@ export class SessionError extends Error {
}
}
const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
const expires = REFRESH_TOKEN_EXPIRY ? eval(REFRESH_TOKEN_EXPIRY) : 1000 * 60 * 60 * 24 * 7; // 7 days default
/** Default refresh token expiry: 7 days in milliseconds */
export const DEFAULT_REFRESH_TOKEN_EXPIRY = 1000 * 60 * 60 * 24 * 7;
// Factory function that takes mongoose instance and returns the methods
export function createSessionMethods(mongoose: typeof import('mongoose')) {
@ -28,11 +28,13 @@ export function createSessionMethods(mongoose: typeof import('mongoose')) {
throw new SessionError('User ID is required', 'INVALID_USER_ID');
}
const expiresIn = options.expiresIn ?? DEFAULT_REFRESH_TOKEN_EXPIRY;
try {
const Session = mongoose.models.Session;
const currentSession = new Session({
user: userId,
expiration: options.expiration || new Date(Date.now() + expires),
expiration: options.expiration || new Date(Date.now() + expiresIn),
});
const refreshToken = await generateRefreshToken(currentSession);
@ -105,7 +107,10 @@ export function createSessionMethods(mongoose: typeof import('mongoose')) {
async function updateExpiration(
session: t.ISession | string,
newExpiration?: Date,
options: t.UpdateExpirationOptions = {},
): Promise<t.ISession> {
const expiresIn = options.expiresIn ?? DEFAULT_REFRESH_TOKEN_EXPIRY;
try {
const Session = mongoose.models.Session;
const sessionDoc = typeof session === 'string' ? await Session.findById(session) : session;
@ -114,7 +119,7 @@ export function createSessionMethods(mongoose: typeof import('mongoose')) {
throw new SessionError('Session not found', 'SESSION_NOT_FOUND');
}
sessionDoc.expiration = newExpiration || new Date(Date.now() + expires);
sessionDoc.expiration = newExpiration || new Date(Date.now() + expiresIn);
return await sessionDoc.save();
} catch (error) {
logger.error('[updateExpiration] Error updating session:', error);
@ -208,7 +213,9 @@ export function createSessionMethods(mongoose: typeof import('mongoose')) {
}
try {
const expiresIn = session.expiration ? session.expiration.getTime() : Date.now() + expires;
const expiresIn = session.expiration
? session.expiration.getTime()
: Date.now() + DEFAULT_REFRESH_TOKEN_EXPIRY;
if (!session.expiration) {
session.expiration = new Date(expiresIn);