Merge branch 'main' into feat/webauthn

2025-12-22 19:30:15 +01:00 · 2025-02-22 14:28:12 +01:00 · 2025-02-22 14:28:12 +01:00 · 8173f5fca1
commit 8173f5fca1
parent 6496c9aeda 1260551690
132 changed files with 5513 additions and 769 deletions
--- a/api/app/clients/GoogleClient.js
+++ b/api/app/clients/GoogleClient.js
@ -51,7 +51,7 @@ class GoogleClient extends BaseClient {

    const serviceKey = creds[AuthKeys.GOOGLE_SERVICE_KEY] ?? {};
    this.serviceKey =
-      serviceKey && typeof serviceKey === 'string' ? JSON.parse(serviceKey) : serviceKey ?? {};
+      serviceKey && typeof serviceKey === 'string' ? JSON.parse(serviceKey) : (serviceKey ?? {});
    /** @type {string | null | undefined} */
    this.project_id = this.serviceKey.project_id;
    this.client_email = this.serviceKey.client_email;
@ -73,6 +73,8 @@ class GoogleClient extends BaseClient {
     * @type {string} */
    this.outputTokensKey = 'output_tokens';
    this.visionMode = VisionModes.generative;
+    /** @type {string} */
+    this.systemMessage;
    if (options.skipSetOptions) {
      return;
    }
@ -184,7 +186,7 @@ class GoogleClient extends BaseClient {
    if (typeof this.options.artifactsPrompt === 'string' && this.options.artifactsPrompt) {
      promptPrefix = `${promptPrefix ?? ''}\n${this.options.artifactsPrompt}`.trim();
    }
-    this.options.promptPrefix = promptPrefix;
+    this.systemMessage = promptPrefix;
    this.initializeClient();
    return this;
  }
@ -314,7 +316,7 @@ class GoogleClient extends BaseClient {
      }

      this.augmentedPrompt = await this.contextHandlers.createContext();
-      this.options.promptPrefix = this.augmentedPrompt + this.options.promptPrefix;
+      this.systemMessage = this.augmentedPrompt + this.systemMessage;
    }
  }

@ -361,8 +363,8 @@ class GoogleClient extends BaseClient {
      throw new Error('[GoogleClient] PaLM 2 and Codey models are no longer supported.');
    }

-    if (this.options.promptPrefix) {
-      const instructionsTokenCount = this.getTokenCount(this.options.promptPrefix);
+    if (this.systemMessage) {
+      const instructionsTokenCount = this.getTokenCount(this.systemMessage);

      this.maxContextTokens = this.maxContextTokens - instructionsTokenCount;
      if (this.maxContextTokens < 0) {
@ -417,8 +419,8 @@ class GoogleClient extends BaseClient {
      ],
    };

-    if (this.options.promptPrefix) {
-      payload.instances[0].context = this.options.promptPrefix;
+    if (this.systemMessage) {
+      payload.instances[0].context = this.systemMessage;
    }

    logger.debug('[GoogleClient] buildMessages', payload);
@ -464,7 +466,7 @@ class GoogleClient extends BaseClient {
      identityPrefix = `${identityPrefix}\nYou are ${this.options.modelLabel}`;
    }

-    let promptPrefix = (this.options.promptPrefix ?? '').trim();
+    let promptPrefix = (this.systemMessage ?? '').trim();

    if (identityPrefix) {
      promptPrefix = `${identityPrefix}${promptPrefix}`;
@ -639,7 +641,7 @@ class GoogleClient extends BaseClient {
    let error;
    try {
      if (!EXCLUDED_GENAI_MODELS.test(modelName) && !this.project_id) {
-        /** @type {GenAI} */
+        /** @type {GenerativeModel} */
        const client = this.client;
        /** @type {GenerateContentRequest} */
        const requestOptions = {
@ -648,7 +650,7 @@ class GoogleClient extends BaseClient {
          generationConfig: googleGenConfigSchema.parse(this.modelOptions),
        };

-        const promptPrefix = (this.options.promptPrefix ?? '').trim();
+        const promptPrefix = (this.systemMessage ?? '').trim();
        if (promptPrefix.length) {
          requestOptions.systemInstruction = {
            parts: [
@ -663,7 +665,17 @@ class GoogleClient extends BaseClient {
        /** @type {GenAIUsageMetadata} */
        let usageMetadata;

-        const result = await client.generateContentStream(requestOptions);
+        abortController.signal.addEventListener(
+          'abort',
+          () => {
+            logger.warn('[GoogleClient] Request was aborted', abortController.signal.reason);
+          },
+          { once: true },
+        );
+
+        const result = await client.generateContentStream(requestOptions, {
+          signal: abortController.signal,
+        });
        for await (const chunk of result.stream) {
          usageMetadata = !usageMetadata
            ? chunk?.usageMetadata
--- a/api/app/clients/OllamaClient.js
+++ b/api/app/clients/OllamaClient.js
@ -2,7 +2,7 @@ const { z } = require('zod');
 const axios = require('axios');
 const { Ollama } = require('ollama');
 const { Constants } = require('librechat-data-provider');
-const { deriveBaseURL } = require('~/utils');
+const { deriveBaseURL, logAxiosError } = require('~/utils');
 const { sleep } = require('~/server/utils');
 const { logger } = require('~/config');

@ -68,7 +68,7 @@ class OllamaClient {
    } catch (error) {
      const logMessage =
        'Failed to fetch models from Ollama API. If you are not using Ollama directly, and instead, through some aggregator or reverse proxy that handles fetching via OpenAI spec, ensure the name of the endpoint doesn\'t start with `ollama` (case-insensitive).';
-      logger.error(logMessage, error);
+      logAxiosError({ message: logMessage, error });
      return [];
    }
  }
--- a/api/app/clients/OpenAIClient.js
+++ b/api/app/clients/OpenAIClient.js
@ -7,6 +7,7 @@ const {
  ImageDetail,
  EModelEndpoint,
  resolveHeaders,
+  KnownEndpoints,
  openAISettings,
  ImageDetailCost,
  CohereConstants,
@ -116,11 +117,7 @@ class OpenAIClient extends BaseClient {

    const { reverseProxyUrl: reverseProxy } = this.options;

-    if (
-      !this.useOpenRouter &&
-      reverseProxy &&
-      reverseProxy.includes('https://openrouter.ai/api/v1')
-    ) {
+    if (!this.useOpenRouter && reverseProxy && reverseProxy.includes(KnownEndpoints.openrouter)) {
      this.useOpenRouter = true;
    }

--- a/api/app/clients/prompts/formatAgentMessages.spec.js
+++ b/api/app/clients/prompts/formatAgentMessages.spec.js
@ -282,4 +282,47 @@ describe('formatAgentMessages', () => {
    // Additional check to ensure the consecutive assistant messages were combined
    expect(result[1].content).toHaveLength(2);
  });
+
+  it('should skip THINK type content parts', () => {
+    const payload = [
+      {
+        role: 'assistant',
+        content: [
+          { type: ContentTypes.TEXT, [ContentTypes.TEXT]: 'Initial response' },
+          { type: ContentTypes.THINK, [ContentTypes.THINK]: 'Reasoning about the problem...' },
+          { type: ContentTypes.TEXT, [ContentTypes.TEXT]: 'Final answer' },
+        ],
+      },
+    ];
+
+    const result = formatAgentMessages(payload);
+
+    expect(result).toHaveLength(1);
+    expect(result[0]).toBeInstanceOf(AIMessage);
+    expect(result[0].content).toEqual('Initial response\nFinal answer');
+  });
+
+  it('should join TEXT content as string when THINK content type is present', () => {
+    const payload = [
+      {
+        role: 'assistant',
+        content: [
+          { type: ContentTypes.THINK, [ContentTypes.THINK]: 'Analyzing the problem...' },
+          { type: ContentTypes.TEXT, [ContentTypes.TEXT]: 'First part of response' },
+          { type: ContentTypes.TEXT, [ContentTypes.TEXT]: 'Second part of response' },
+          { type: ContentTypes.TEXT, [ContentTypes.TEXT]: 'Final part of response' },
+        ],
+      },
+    ];
+
+    const result = formatAgentMessages(payload);
+
+    expect(result).toHaveLength(1);
+    expect(result[0]).toBeInstanceOf(AIMessage);
+    expect(typeof result[0].content).toBe('string');
+    expect(result[0].content).toBe(
+      'First part of response\nSecond part of response\nFinal part of response',
+    );
+    expect(result[0].content).not.toContain('Analyzing the problem...');
+  });
 });
--- a/api/app/clients/prompts/formatMessages.js
+++ b/api/app/clients/prompts/formatMessages.js
@ -153,6 +153,7 @@ const formatAgentMessages = (payload) => {
    let currentContent = [];
    let lastAIMessage = null;

+    let hasReasoning = false;
    for (const part of message.content) {
      if (part.type === ContentTypes.TEXT && part.tool_call_ids) {
        /*
@ -207,11 +208,25 @@ const formatAgentMessages = (payload) => {
            content: output || '',
          }),
        );
+      } else if (part.type === ContentTypes.THINK) {
+        hasReasoning = true;
+        continue;
      } else {
        currentContent.push(part);
      }
    }

+    if (hasReasoning) {
+      currentContent = currentContent
+        .reduce((acc, curr) => {
+          if (curr.type === ContentTypes.TEXT) {
+            return `${acc}${curr[ContentTypes.TEXT]}\n`;
+          }
+          return acc;
+        }, '')
+        .trim();
+    }
+
    if (currentContent.length > 0) {
      messages.push(new AIMessage({ content: currentContent }));
    }
--- a/api/app/clients/tools/util/fileSearch.js
+++ b/api/app/clients/tools/util/fileSearch.js
@ -106,18 +106,21 @@ const createFileSearchTool = async ({ req, files, entity_id }) => {

      const formattedResults = validResults
        .flatMap((result) =>
-          result.data.map(([docInfo, relevanceScore]) => ({
+          result.data.map(([docInfo, distance]) => ({
            filename: docInfo.metadata.source.split('/').pop(),
            content: docInfo.page_content,
-            relevanceScore,
+            distance,
          })),
        )
-        .sort((a, b) => b.relevanceScore - a.relevanceScore);
+        // TODO: results should be sorted by relevance, not distance
+        .sort((a, b) => a.distance - b.distance)
+        // TODO: make this configurable
+        .slice(0, 10);

      const formattedString = formattedResults
        .map(
          (result) =>
-            `File: ${result.filename}\nRelevance: ${result.relevanceScore.toFixed(4)}\nContent: ${
+            `File: ${result.filename}\nRelevance: ${1.0 - result.distance.toFixed(4)}\nContent: ${
              result.content
            }\n`,
        )
--- a/api/cache/keyvRedis.js
+++ b/api/cache/keyvRedis.js
@ -1,15 +1,81 @@
+const fs = require('fs');
+const ioredis = require('ioredis');
 const KeyvRedis = require('@keyv/redis');
 const { isEnabled } = require('~/server/utils');
 const logger = require('~/config/winston');

-const { REDIS_URI, USE_REDIS } = process.env;
+const { REDIS_URI, USE_REDIS, USE_REDIS_CLUSTER, REDIS_CA, REDIS_KEY_PREFIX, REDIS_MAX_LISTENERS } =
+  process.env;

 let keyvRedis;
+const redis_prefix = REDIS_KEY_PREFIX || '';
+const redis_max_listeners = REDIS_MAX_LISTENERS || 10;
+
+function mapURI(uri) {
+  const regex =
+    /^(?:(?<scheme>\w+):\/\/)?(?:(?<user>[^:@]+)(?::(?<password>[^@]+))?@)?(?<host>[\w.-]+)(?::(?<port>\d{1,5}))?$/;
+  const match = uri.match(regex);
+
+  if (match) {
+    const { scheme, user, password, host, port } = match.groups;
+
+    return {
+      scheme: scheme || 'none',
+      user: user || null,
+      password: password || null,
+      host: host || null,
+      port: port || null,
+    };
+  } else {
+    const parts = uri.split(':');
+    if (parts.length === 2) {
+      return {
+        scheme: 'none',
+        user: null,
+        password: null,
+        host: parts[0],
+        port: parts[1],
+      };
+    }
+
+    return {
+      scheme: 'none',
+      user: null,
+      password: null,
+      host: uri,
+      port: null,
+    };
+  }
+}

 if (REDIS_URI && isEnabled(USE_REDIS)) {
-  keyvRedis = new KeyvRedis(REDIS_URI, { useRedisSets: false });
+  let redisOptions = null;
+  let keyvOpts = {
+    useRedisSets: false,
+    keyPrefix: redis_prefix,
+  };
+
+  if (REDIS_CA) {
+    const ca = fs.readFileSync(REDIS_CA);
+    redisOptions = { tls: { ca } };
+  }
+
+  if (isEnabled(USE_REDIS_CLUSTER)) {
+    const hosts = REDIS_URI.split(',').map((item) => {
+      var value = mapURI(item);
+
+      return {
+        host: value.host,
+        port: value.port,
+      };
+    });
+    const cluster = new ioredis.Cluster(hosts, { redisOptions });
+    keyvRedis = new KeyvRedis(cluster, keyvOpts);
+  } else {
+    keyvRedis = new KeyvRedis(REDIS_URI, keyvOpts);
+  }
  keyvRedis.on('error', (err) => logger.error('KeyvRedis connection error:', err));
-  keyvRedis.setMaxListeners(20);
+  keyvRedis.setMaxListeners(redis_max_listeners);
  logger.info(
    '[Optional] Redis initialized. Note: Redis support is experimental. If you have issues, disable it. Cache needs to be flushed for values to refresh.',
  );
--- a/api/lib/db/indexSync.js
+++ b/api/lib/db/indexSync.js
@ -1,9 +1,11 @@
 const { MeiliSearch } = require('meilisearch');
 const Conversation = require('~/models/schema/convoSchema');
 const Message = require('~/models/schema/messageSchema');
+const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');

-const searchEnabled = process.env?.SEARCH?.toLowerCase() === 'true';
+const searchEnabled = isEnabled(process.env.SEARCH);
+const indexingDisabled = isEnabled(process.env.MEILI_NO_SYNC);
 let currentTimeout = null;

 class MeiliSearchClient {
@ -23,8 +25,7 @@ class MeiliSearchClient {
  }
 }

-// eslint-disable-next-line no-unused-vars
-async function indexSync(req, res, next) {
+async function indexSync() {
  if (!searchEnabled) {
    return;
  }
@ -33,10 +34,15 @@ async function indexSync(req, res, next) {
    const client = MeiliSearchClient.getInstance();

    const { status } = await client.health();
-    if (status !== 'available' || !process.env.SEARCH) {
+    if (status !== 'available') {
      throw new Error('Meilisearch not available');
    }

+    if (indexingDisabled === true) {
+      logger.info('[indexSync] Indexing is disabled, skipping...');
+      return;
+    }
+
    const messageCount = await Message.countDocuments();
    const convoCount = await Conversation.countDocuments();
    const messages = await client.index('messages').getStats();
@ -71,7 +77,6 @@ async function indexSync(req, res, next) {
      logger.info('[indexSync] Meilisearch not configured, search will be disabled.');
    } else {
      logger.error('[indexSync] error', err);
-      // res.status(500).json({ error: 'Server error' });
    }
  }
 }
--- a/api/models/Agent.js
+++ b/api/models/Agent.js
@ -97,11 +97,22 @@ const updateAgent = async (searchParameter, updateData) => {
 const addAgentResourceFile = async ({ agent_id, tool_resource, file_id }) => {
  const searchParameter = { id: agent_id };

-  // build the update to push or create the file ids set
  const fileIdsPath = `tool_resources.${tool_resource}.file_ids`;
+
+  await Agent.updateOne(
+    {
+      id: agent_id,
+      [`${fileIdsPath}`]: { $exists: false },
+    },
+    {
+      $set: {
+        [`${fileIdsPath}`]: [],
+      },
+    },
+  );
+
  const updateData = { $addToSet: { [fileIdsPath]: file_id } };

-  // return the updated agent or throw if no agent matches
  const updatedAgent = await updateAgent(searchParameter, updateData);
  if (updatedAgent) {
    return updatedAgent;
@ -290,6 +301,7 @@ const updateAgentProjects = async ({ user, agentId, projectIds, removeProjectIds
 };

 module.exports = {
+  Agent,
  getAgent,
  loadAgent,
  createAgent,
--- a/api/models/Agent.spec.js
+++ b/api/models/Agent.spec.js
@ -0,0 +1,160 @@
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { Agent, addAgentResourceFile, removeAgentResourceFiles } = require('./Agent');
+
+describe('Agent Resource File Operations', () => {
+  let mongoServer;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await Agent.deleteMany({});
+  });
+
+  const createBasicAgent = async () => {
+    const agentId = `agent_${uuidv4()}`;
+    const agent = await Agent.create({
+      id: agentId,
+      name: 'Test Agent',
+      provider: 'test',
+      model: 'test-model',
+      author: new mongoose.Types.ObjectId(),
+    });
+    return agent;
+  };
+
+  test('should handle concurrent file additions', async () => {
+    const agent = await createBasicAgent();
+    const fileIds = Array.from({ length: 10 }, () => uuidv4());
+
+    // Concurrent additions
+    const additionPromises = fileIds.map((fileId) =>
+      addAgentResourceFile({
+        agent_id: agent.id,
+        tool_resource: 'test_tool',
+        file_id: fileId,
+      }),
+    );
+
+    await Promise.all(additionPromises);
+
+    const updatedAgent = await Agent.findOne({ id: agent.id });
+    expect(updatedAgent.tool_resources.test_tool.file_ids).toBeDefined();
+    expect(updatedAgent.tool_resources.test_tool.file_ids).toHaveLength(10);
+    expect(new Set(updatedAgent.tool_resources.test_tool.file_ids).size).toBe(10);
+  });
+
+  test('should handle concurrent additions and removals', async () => {
+    const agent = await createBasicAgent();
+    const initialFileIds = Array.from({ length: 5 }, () => uuidv4());
+
+    await Promise.all(
+      initialFileIds.map((fileId) =>
+        addAgentResourceFile({
+          agent_id: agent.id,
+          tool_resource: 'test_tool',
+          file_id: fileId,
+        }),
+      ),
+    );
+
+    const newFileIds = Array.from({ length: 5 }, () => uuidv4());
+    const operations = [
+      ...newFileIds.map((fileId) =>
+        addAgentResourceFile({
+          agent_id: agent.id,
+          tool_resource: 'test_tool',
+          file_id: fileId,
+        }),
+      ),
+      ...initialFileIds.map((fileId) =>
+        removeAgentResourceFiles({
+          agent_id: agent.id,
+          files: [{ tool_resource: 'test_tool', file_id: fileId }],
+        }),
+      ),
+    ];
+
+    await Promise.all(operations);
+
+    const updatedAgent = await Agent.findOne({ id: agent.id });
+    expect(updatedAgent.tool_resources.test_tool.file_ids).toBeDefined();
+    expect(updatedAgent.tool_resources.test_tool.file_ids).toHaveLength(5);
+  });
+
+  test('should initialize array when adding to non-existent tool resource', async () => {
+    const agent = await createBasicAgent();
+    const fileId = uuidv4();
+
+    const updatedAgent = await addAgentResourceFile({
+      agent_id: agent.id,
+      tool_resource: 'new_tool',
+      file_id: fileId,
+    });
+
+    expect(updatedAgent.tool_resources.new_tool.file_ids).toBeDefined();
+    expect(updatedAgent.tool_resources.new_tool.file_ids).toHaveLength(1);
+    expect(updatedAgent.tool_resources.new_tool.file_ids[0]).toBe(fileId);
+  });
+
+  test('should handle rapid sequential modifications to same tool resource', async () => {
+    const agent = await createBasicAgent();
+    const fileId = uuidv4();
+
+    for (let i = 0; i < 10; i++) {
+      await addAgentResourceFile({
+        agent_id: agent.id,
+        tool_resource: 'test_tool',
+        file_id: `${fileId}_${i}`,
+      });
+
+      if (i % 2 === 0) {
+        await removeAgentResourceFiles({
+          agent_id: agent.id,
+          files: [{ tool_resource: 'test_tool', file_id: `${fileId}_${i}` }],
+        });
+      }
+    }
+
+    const updatedAgent = await Agent.findOne({ id: agent.id });
+    expect(updatedAgent.tool_resources.test_tool.file_ids).toBeDefined();
+    expect(Array.isArray(updatedAgent.tool_resources.test_tool.file_ids)).toBe(true);
+  });
+
+  test('should handle multiple tool resources concurrently', async () => {
+    const agent = await createBasicAgent();
+    const toolResources = ['tool1', 'tool2', 'tool3'];
+    const operations = [];
+
+    toolResources.forEach((tool) => {
+      const fileIds = Array.from({ length: 5 }, () => uuidv4());
+      fileIds.forEach((fileId) => {
+        operations.push(
+          addAgentResourceFile({
+            agent_id: agent.id,
+            tool_resource: tool,
+            file_id: fileId,
+          }),
+        );
+      });
+    });
+
+    await Promise.all(operations);
+
+    const updatedAgent = await Agent.findOne({ id: agent.id });
+    toolResources.forEach((tool) => {
+      expect(updatedAgent.tool_resources[tool].file_ids).toBeDefined();
+      expect(updatedAgent.tool_resources[tool].file_ids).toHaveLength(5);
+    });
+  });
+});
--- a/api/models/Categories.js
+++ b/api/models/Categories.js
@ -1,40 +1,41 @@
 const { logger } = require('~/config');
 // const { Categories } = require('./schema/categories');
+
 const options = [
  {
-    label: 'idea',
+    label: 'com_ui_idea',
    value: 'idea',
  },
  {
-    label: 'travel',
+    label: 'com_ui_travel',
    value: 'travel',
  },
  {
-    label: 'teach_or_explain',
+    label: 'com_ui_teach_or_explain',
    value: 'teach_or_explain',
  },
  {
-    label: 'write',
+    label: 'com_ui_write',
    value: 'write',
  },
  {
-    label: 'shop',
+    label: 'com_ui_shop',
    value: 'shop',
  },
  {
-    label: 'code',
+    label: 'com_ui_code',
    value: 'code',
  },
  {
-    label: 'misc',
+    label: 'com_ui_misc',
    value: 'misc',
  },
  {
-    label: 'roleplay',
+    label: 'com_ui_roleplay',
    value: 'roleplay',
  },
  {
-    label: 'finance',
+    label: 'com_ui_finance',
    value: 'finance',
  },
 ];
--- a/api/models/schema/userSchema.js
+++ b/api/models/schema/userSchema.js
@ -39,12 +39,18 @@ const Session = mongoose.Schema({
  },
 });

+const backupCodeSchema = mongoose.Schema({
+  codeHash: { type: String, required: true },
+  used: { type: Boolean, default: false },
+  usedAt: { type: Date, default: null },
+});
+
 const passkeySchema = mongoose.Schema({
  id: { type: String, required: true },
  publicKey: { type: Buffer, required: true },
  counter: { type: Number, default: 0 },
  transports: { type: [String], default: [] },
-});
+ });

 /** @type {MongooseSchema<MongoUser>} */
 const userSchema = mongoose.Schema(
@ -130,7 +136,12 @@ const userSchema = mongoose.Schema(
    },
    plugins: {
      type: Array,
-      default: [],
+    },
+    totpSecret: {
+      type: String,
+    },
+    backupCodes: {
+      type: [backupCodeSchema],
    },
    refreshToken: {
      type: [Session],
--- a/api/package.json
+++ b/api/package.json
@ -45,7 +45,7 @@
    "@langchain/google-genai": "^0.1.7",
    "@langchain/google-vertexai": "^0.1.8",
    "@langchain/textsplitters": "^0.1.0",
-    "@librechat/agents": "^2.0.5",
+    "@librechat/agents": "^2.1.2",
    "@waylaidwanderer/fetch-event-source": "^3.0.1",
    "axios": "1.7.8",
    "bcryptjs": "^2.4.3",
@ -65,6 +65,7 @@
    "firebase": "^11.0.2",
    "googleapis": "^126.0.1",
    "handlebars": "^4.7.7",
+    "https-proxy-agent": "^7.0.6",
    "ioredis": "^5.3.2",
    "js-yaml": "^4.1.0",
    "jsonwebtoken": "^9.0.0",
--- a/api/server/controllers/AuthController.js
+++ b/api/server/controllers/AuthController.js
@ -61,7 +61,7 @@ const refreshController = async (req, res) => {

  try {
    const payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
-    const user = await getUserById(payload.id, '-password -__v');
+    const user = await getUserById(payload.id, '-password -__v -totpSecret');
    if (!user) {
      return res.status(401).redirect('/login');
    }
--- a/api/server/controllers/TwoFactorController.js
+++ b/api/server/controllers/TwoFactorController.js
@ -0,0 +1,119 @@
+const {
+  verifyTOTP,
+  verifyBackupCode,
+  generateTOTPSecret,
+  generateBackupCodes,
+  getTOTPSecret,
+} = require('~/server/services/twoFactorService');
+const { updateUser, getUserById } = require('~/models');
+const { logger } = require('~/config');
+const { encryptV2 } = require('~/server/utils/crypto');
+
+const enable2FAController = async (req, res) => {
+  const safeAppTitle = (process.env.APP_TITLE || 'LibreChat').replace(/\s+/g, '');
+
+  try {
+    const userId = req.user.id;
+    const secret = generateTOTPSecret();
+    const { plainCodes, codeObjects } = await generateBackupCodes();
+
+    const encryptedSecret = await encryptV2(secret);
+    const user = await updateUser(userId, { totpSecret: encryptedSecret, backupCodes: codeObjects });
+
+    const otpauthUrl = `otpauth://totp/${safeAppTitle}:${user.email}?secret=${secret}&issuer=${safeAppTitle}`;
+
+    res.status(200).json({
+      otpauthUrl,
+      backupCodes: plainCodes,
+    });
+  } catch (err) {
+    logger.error('[enable2FAController]', err);
+    res.status(500).json({ message: err.message });
+  }
+};
+
+const verify2FAController = async (req, res) => {
+  try {
+    const userId = req.user.id;
+    const { token, backupCode } = req.body;
+    const user = await getUserById(userId);
+    if (!user || !user.totpSecret) {
+      return res.status(400).json({ message: '2FA not initiated' });
+    }
+
+    // Retrieve the plain TOTP secret using getTOTPSecret.
+    const secret = await getTOTPSecret(user.totpSecret);
+
+    if (token && (await verifyTOTP(secret, token))) {
+      return res.status(200).json();
+    } else if (backupCode) {
+      const verified = await verifyBackupCode({ user, backupCode });
+      if (verified) {
+        return res.status(200).json();
+      }
+    }
+
+    return res.status(400).json({ message: 'Invalid token.' });
+  } catch (err) {
+    logger.error('[verify2FAController]', err);
+    res.status(500).json({ message: err.message });
+  }
+};
+
+const confirm2FAController = async (req, res) => {
+  try {
+    const userId = req.user.id;
+    const { token } = req.body;
+    const user = await getUserById(userId);
+
+    if (!user || !user.totpSecret) {
+      return res.status(400).json({ message: '2FA not initiated' });
+    }
+
+    // Retrieve the plain TOTP secret using getTOTPSecret.
+    const secret = await getTOTPSecret(user.totpSecret);
+
+    if (await verifyTOTP(secret, token)) {
+      return res.status(200).json();
+    }
+
+    return res.status(400).json({ message: 'Invalid token.' });
+  } catch (err) {
+    logger.error('[confirm2FAController]', err);
+    res.status(500).json({ message: err.message });
+  }
+};
+
+const disable2FAController = async (req, res) => {
+  try {
+    const userId = req.user.id;
+    await updateUser(userId, { totpSecret: null, backupCodes: [] });
+    res.status(200).json();
+  } catch (err) {
+    logger.error('[disable2FAController]', err);
+    res.status(500).json({ message: err.message });
+  }
+};
+
+const regenerateBackupCodesController = async (req, res) => {
+  try {
+    const userId = req.user.id;
+    const { plainCodes, codeObjects } = await generateBackupCodes();
+    await updateUser(userId, { backupCodes: codeObjects });
+    res.status(200).json({
+      backupCodes: plainCodes,
+      backupCodesHash: codeObjects,
+    });
+  } catch (err) {
+    logger.error('[regenerateBackupCodesController]', err);
+    res.status(500).json({ message: err.message });
+  }
+};
+
+module.exports = {
+  enable2FAController,
+  verify2FAController,
+  confirm2FAController,
+  disable2FAController,
+  regenerateBackupCodesController,
+};
--- a/api/server/controllers/UserController.js
+++ b/api/server/controllers/UserController.js
@ -19,7 +19,9 @@ const { Transaction } = require('~/models/Transaction');
 const { logger } = require('~/config');

 const getUserController = async (req, res) => {
-  res.status(200).send(req.user);
+  const userData = req.user.toObject != null ? req.user.toObject() : { ...req.user };
+  delete userData.totpSecret;
+  res.status(200).send(userData);
 };

 const getTermsStatusController = async (req, res) => {
--- a/api/server/controllers/agents/callbacks.js
+++ b/api/server/controllers/agents/callbacks.js
@ -199,6 +199,22 @@ function getDefaultHandlers({ res, aggregateContent, toolEndCallback, collectedU
        aggregateContent({ event, data });
      },
    },
+    [GraphEvents.ON_REASONING_DELTA]: {
+      /**
+       * Handle ON_REASONING_DELTA event.
+       * @param {string} event - The event name.
+       * @param {StreamEventData} data - The event data.
+       * @param {GraphRunnableConfig['configurable']} [metadata] The runnable metadata.
+       */
+      handle: (event, data, metadata) => {
+        if (metadata?.last_agent_index === metadata?.agent_index) {
+          sendEvent(res, { event, data });
+        } else if (!metadata?.hide_sequential_outputs) {
+          sendEvent(res, { event, data });
+        }
+        aggregateContent({ event, data });
+      },
+    },
  };

  return handlers;
--- a/api/server/controllers/agents/client.js
+++ b/api/server/controllers/agents/client.js
@ -20,11 +20,6 @@ const {
  bedrockOutputParser,
  removeNullishValues,
 } = require('librechat-data-provider');
-const {
-  extractBaseURL,
-  // constructAzureURL,
-  // genAzureChatCompletion,
-} = require('~/utils');
 const {
  formatMessage,
  formatAgentMessages,
@ -477,19 +472,6 @@ class AgentClient extends BaseClient {
        abortController = new AbortController();
      }

-      const baseURL = extractBaseURL(this.completionsUrl);
-      logger.debug('[api/server/controllers/agents/client.js] chatCompletion', {
-        baseURL,
-        payload,
-      });
-
-      // if (this.useOpenRouter) {
-      //   opts.defaultHeaders = {
-      //     'HTTP-Referer': 'https://librechat.ai',
-      //     'X-Title': 'LibreChat',
-      //   };
-      // }
-
      // if (this.options.headers) {
      //   opts.defaultHeaders = { ...opts.defaultHeaders, ...this.options.headers };
      // }
@ -626,7 +608,7 @@ class AgentClient extends BaseClient {
        let systemContent = [
          systemMessage,
          agent.instructions ?? '',
-          i !== 0 ? agent.additional_instructions ?? '' : '',
+          i !== 0 ? (agent.additional_instructions ?? '') : '',
        ]
          .join('\n')
          .trim();
--- a/api/server/controllers/agents/run.js
+++ b/api/server/controllers/agents/run.js
@ -1,5 +1,5 @@
 const { Run, Providers } = require('@librechat/agents');
-const { providerEndpointMap } = require('librechat-data-provider');
+const { providerEndpointMap, KnownEndpoints } = require('librechat-data-provider');

 /**
 * @typedef {import('@librechat/agents').t} t
@ -7,6 +7,7 @@ const { providerEndpointMap } = require('librechat-data-provider');
 * @typedef {import('@librechat/agents').StreamEventData} StreamEventData
 * @typedef {import('@librechat/agents').EventHandler} EventHandler
 * @typedef {import('@librechat/agents').GraphEvents} GraphEvents
+ * @typedef {import('@librechat/agents').LLMConfig} LLMConfig
 * @typedef {import('@librechat/agents').IState} IState
 */

@ -32,6 +33,7 @@ async function createRun({
  streamUsage = true,
 }) {
  const provider = providerEndpointMap[agent.provider] ?? agent.provider;
+  /** @type {LLMConfig} */
  const llmConfig = Object.assign(
    {
      provider,
@ -41,6 +43,11 @@ async function createRun({
    agent.model_parameters,
  );

+  /** @type {'reasoning_content' | 'reasoning'} */
+  let reasoningKey;
+  if (llmConfig.configuration?.baseURL?.includes(KnownEndpoints.openrouter)) {
+    reasoningKey = 'reasoning';
+  }
  if (/o1(?!-(?:mini|preview)).*$/.test(llmConfig.model)) {
    llmConfig.streaming = false;
    llmConfig.disableStreaming = true;
@ -50,6 +57,7 @@ async function createRun({
  const graphConfig = {
    signal,
    llmConfig,
+    reasoningKey,
    tools: agent.tools,
    instructions: agent.instructions,
    additional_instructions: agent.additional_instructions,
--- a/api/server/controllers/auth/LoginController.js
+++ b/api/server/controllers/auth/LoginController.js
@ -1,3 +1,4 @@
+const { generate2FATempToken } = require('~/server/services/twoFactorService');
 const { setAuthTokens } = require('~/server/services/AuthService');
 const { logger } = require('~/config');

@ -7,7 +8,12 @@ const loginController = async (req, res) => {
      return res.status(400).json({ message: 'Invalid credentials' });
    }

-    const { password: _, __v, ...user } = req.user;
+    if (req.user.backupCodes != null && req.user.backupCodes.length > 0) {
+      const tempToken = generate2FATempToken(req.user._id);
+      return res.status(200).json({ twoFAPending: true, tempToken });
+    }
+
+    const { password: _p, totpSecret: _t, __v, ...user } = req.user;
    user.id = user._id.toString();

    const token = await setAuthTokens(req.user._id, res);
--- a/api/server/controllers/auth/TwoFactorAuthController.js
+++ b/api/server/controllers/auth/TwoFactorAuthController.js
@ -0,0 +1,58 @@
+const jwt = require('jsonwebtoken');
+const { verifyTOTP, verifyBackupCode, getTOTPSecret } = require('~/server/services/twoFactorService');
+const { setAuthTokens } = require('~/server/services/AuthService');
+const { getUserById } = require('~/models/userMethods');
+const { logger } = require('~/config');
+
+const verify2FA = async (req, res) => {
+  try {
+    const { tempToken, token, backupCode } = req.body;
+    if (!tempToken) {
+      return res.status(400).json({ message: 'Missing temporary token' });
+    }
+
+    let payload;
+    try {
+      payload = jwt.verify(tempToken, process.env.JWT_SECRET);
+    } catch (err) {
+      return res.status(401).json({ message: 'Invalid or expired temporary token' });
+    }
+
+    const user = await getUserById(payload.userId);
+    // Ensure that the user exists and has backup codes (i.e. 2FA enabled)
+    if (!user || !(user.backupCodes && user.backupCodes.length > 0)) {
+      return res.status(400).json({ message: '2FA is not enabled for this user' });
+    }
+
+    // Use the new getTOTPSecret function to retrieve (and decrypt if necessary) the TOTP secret.
+    const secret = await getTOTPSecret(user.totpSecret);
+
+    let verified = false;
+    if (token && (await verifyTOTP(secret, token))) {
+      verified = true;
+    } else if (backupCode) {
+      verified = await verifyBackupCode({ user, backupCode });
+    }
+
+    if (!verified) {
+      return res.status(401).json({ message: 'Invalid 2FA code or backup code' });
+    }
+
+    // Prepare user data for response.
+    // If the user is a plain object (from lean queries), we create a shallow copy.
+    const userData = user.toObject ? user.toObject() : { ...user };
+    // Remove sensitive fields.
+    delete userData.password;
+    delete userData.__v;
+    delete userData.totpSecret;
+    userData.id = user._id.toString();
+
+    const authToken = await setAuthTokens(user._id, res);
+    return res.status(200).json({ token: authToken, user: userData });
+  } catch (err) {
+    logger.error('[verify2FA]', err);
+    return res.status(500).json({ message: 'Something went wrong' });
+  }
+};
+
+module.exports = { verify2FA };
--- a/api/server/index.js
+++ b/api/server/index.js
@ -24,10 +24,11 @@ const routes = require('./routes');
 const { mongoUserStore, mongoChallengeStore } = require('~/cache');
 const { WebAuthnStrategy } = require('passport-simple-webauthn2');

-const { PORT, HOST, ALLOW_SOCIAL_LOGIN, DISABLE_COMPRESSION } = process.env ?? {};
+const { PORT, HOST, ALLOW_SOCIAL_LOGIN, DISABLE_COMPRESSION, TRUST_PROXY } = process.env ?? {};

 const port = Number(PORT) || 3080;
 const host = HOST || 'localhost';
+const trusted_proxy = Number(TRUST_PROXY) || 1; /* trust first proxy by default */

 const startServer = async () => {
  if (typeof Bun !== 'undefined') {
@ -55,7 +56,7 @@ const startServer = async () => {
  app.use(staticCache(app.locals.paths.dist));
  app.use(staticCache(app.locals.paths.fonts));
  app.use(staticCache(app.locals.paths.assets));
-  app.set('trust proxy', 1); /* trust first proxy */
+  app.set('trust proxy', trusted_proxy);
  app.use(cors());
  app.use(cookieParser());

@ -165,6 +166,18 @@ process.on('uncaughtException', (err) => {
    logger.error('There was an uncaught error:', err);
  }

+  if (err.message.includes('abort')) {
+    logger.warn('There was an uncatchable AbortController error.');
+    return;
+  }
+
+  if (err.message.includes('GoogleGenerativeAI')) {
+    logger.warn(
+      '\n\n`GoogleGenerativeAI` errors cannot be caught due to an upstream issue, see: https://github.com/google-gemini/generative-ai-js/issues/303',
+    );
+    return;
+  }
+
  if (err.message.includes('fetch failed')) {
    if (messageCount === 0) {
      logger.warn('Meilisearch error, search will be disabled');
--- a/api/server/routes/auth.js
+++ b/api/server/routes/auth.js
@ -7,6 +7,13 @@ const {
 } = require('~/server/controllers/AuthController');
 const { loginController } = require('~/server/controllers/auth/LoginController');
 const { logoutController } = require('~/server/controllers/auth/LogoutController');
+const { verify2FA } = require('~/server/controllers/auth/TwoFactorAuthController');
+const {
+  enable2FAController,
+  verify2FAController,
+  disable2FAController,
+  regenerateBackupCodesController, confirm2FAController,
+} = require('~/server/controllers/TwoFactorController');
 const {
  checkBan,
  loginLimiter,
@ -50,4 +57,11 @@ router.post(
 );
 router.post('/resetPassword', checkBan, validatePasswordReset, resetPasswordController);

+router.get('/2fa/enable', requireJwtAuth, enable2FAController);
+router.post('/2fa/verify', requireJwtAuth, verify2FAController);
+router.post('/2fa/verify-temp', checkBan, verify2FA);
+router.post('/2fa/confirm', requireJwtAuth, confirm2FAController);
+router.post('/2fa/disable', requireJwtAuth, disable2FAController);
+router.post('/2fa/backup/regenerate', requireJwtAuth, regenerateBackupCodesController);
+
 module.exports = router;
--- a/api/server/services/Endpoints/agents/initialize.js
+++ b/api/server/services/Endpoints/agents/initialize.js
@ -22,12 +22,14 @@ const { getAgent } = require('~/models/Agent');
 const { logger } = require('~/config');

 const providerConfigMap = {
+  [Providers.OLLAMA]: initCustom,
+  [Providers.DEEPSEEK]: initCustom,
+  [Providers.OPENROUTER]: initCustom,
  [EModelEndpoint.openAI]: initOpenAI,
+  [EModelEndpoint.google]: initGoogle,
  [EModelEndpoint.azureOpenAI]: initOpenAI,
  [EModelEndpoint.anthropic]: initAnthropic,
  [EModelEndpoint.bedrock]: getBedrockOptions,
-  [EModelEndpoint.google]: initGoogle,
-  [Providers.OLLAMA]: initCustom,
 };

 /**
@ -100,8 +102,10 @@ const initializeAgentOptions = async ({

  const provider = agent.provider;
  let getOptions = providerConfigMap[provider];
-
-  if (!getOptions) {
+  if (!getOptions && providerConfigMap[provider.toLowerCase()] != null) {
+    agent.provider = provider.toLowerCase();
+    getOptions = providerConfigMap[agent.provider];
+  } else if (!getOptions) {
    const customEndpointConfig = await getCustomEndpointConfig(provider);
    if (!customEndpointConfig) {
      throw new Error(`Provider ${provider} not supported`);
--- a/api/server/services/Endpoints/openAI/llm.js
+++ b/api/server/services/Endpoints/openAI/llm.js
@ -1,4 +1,5 @@
 const { HttpsProxyAgent } = require('https-proxy-agent');
+const { KnownEndpoints } = require('librechat-data-provider');
 const { sanitizeModelName, constructAzureURL } = require('~/utils');
 const { isEnabled } = require('~/server/utils');

@ -57,10 +58,9 @@ function getLLMConfig(apiKey, options = {}) {

  /** @type {OpenAIClientOptions['configuration']} */
  const configOptions = {};
-
-  // Handle OpenRouter or custom reverse proxy
-  if (useOpenRouter || reverseProxyUrl === 'https://openrouter.ai/api/v1') {
-    configOptions.baseURL = 'https://openrouter.ai/api/v1';
+  if (useOpenRouter || (reverseProxyUrl && reverseProxyUrl.includes(KnownEndpoints.openrouter))) {
+    llmConfig.include_reasoning = true;
+    configOptions.baseURL = reverseProxyUrl;
    configOptions.defaultHeaders = Object.assign(
      {
        'HTTP-Referer': 'https://librechat.ai',
--- a/api/server/services/Files/Code/crud.js
+++ b/api/server/services/Files/Code/crud.js
@ -2,6 +2,7 @@
 const axios = require('axios');
 const FormData = require('form-data');
 const { getCodeBaseURL } = require('@librechat/agents');
+const { logAxiosError } = require('~/utils');

 const MAX_FILE_SIZE = 150 * 1024 * 1024;

@ -78,7 +79,11 @@ async function uploadCodeEnvFile({ req, stream, filename, apiKey, entity_id = ''

    return `${fileIdentifier}?entity_id=${entity_id}`;
  } catch (error) {
-    throw new Error(`Error uploading file: ${error.message}`);
+    logAxiosError({
+      message: `Error uploading code environment file: ${error.message}`,
+      error,
+    });
+    throw new Error(`Error uploading code environment file: ${error.message}`);
  }
 }

--- a/api/server/services/Files/Code/process.js
+++ b/api/server/services/Files/Code/process.js
@ -12,6 +12,7 @@ const {
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { convertImage } = require('~/server/services/Files/images/convert');
 const { createFile, getFiles, updateFile } = require('~/models/File');
+const { logAxiosError } = require('~/utils');
 const { logger } = require('~/config');

 /**
@ -85,7 +86,10 @@ const processCodeOutput = async ({
    /** Note: `messageId` & `toolCallId` are not part of file DB schema; message object records associated file ID */
    return Object.assign(file, { messageId, toolCallId });
  } catch (error) {
-    logger.error('Error downloading file:', error);
+    logAxiosError({
+      message: 'Error downloading code environment file',
+      error,
+    });
  }
 };

@ -135,7 +139,10 @@ async function getSessionInfo(fileIdentifier, apiKey) {

    return response.data.find((file) => file.name.startsWith(path))?.lastModified;
  } catch (error) {
-    logger.error(`Error fetching session info: ${error.message}`, error);
+    logAxiosError({
+      message: `Error fetching session info: ${error.message}`,
+      error,
+    });
    return null;
  }
 }
@ -202,7 +209,7 @@ const primeFiles = async (options, apiKey) => {
          const { handleFileUpload: uploadCodeEnvFile } = getStrategyFunctions(
            FileSources.execute_code,
          );
-          const stream = await getDownloadStream(file.filepath);
+          const stream = await getDownloadStream(options.req, file.filepath);
          const fileIdentifier = await uploadCodeEnvFile({
            req: options.req,
            stream,
--- a/api/server/services/Files/Firebase/crud.js
+++ b/api/server/services/Files/Firebase/crud.js
@ -224,10 +224,11 @@ async function uploadFileToFirebase({ req, file, file_id }) {
 /**
 * Retrieves a readable stream for a file from Firebase storage.
 *
+ * @param {ServerRequest} _req
 * @param {string} filepath - The filepath.
 * @returns {Promise<ReadableStream>} A readable stream of the file.
 */
-async function getFirebaseFileStream(filepath) {
+async function getFirebaseFileStream(_req, filepath) {
  try {
    const storage = getFirebaseStorage();
    if (!storage) {
--- a/api/server/services/Files/Local/crud.js
+++ b/api/server/services/Files/Local/crud.js
@ -175,6 +175,17 @@ const isValidPath = (req, base, subfolder, filepath) => {
  return normalizedFilepath.startsWith(normalizedBase);
 };

+/**
+ * @param {string} filepath
+ */
+const unlinkFile = async (filepath) => {
+  try {
+    await fs.promises.unlink(filepath);
+  } catch (error) {
+    logger.error('Error deleting file:', error);
+  }
+};
+
 /**
 * Deletes a file from the filesystem. This function takes a file object, constructs the full path, and
 * verifies the path's validity before deleting the file. If the path is invalid, an error is thrown.
@ -217,7 +228,7 @@ const deleteLocalFile = async (req, file) => {
      throw new Error(`Invalid file path: ${file.filepath}`);
    }

-    await fs.promises.unlink(filepath);
+    await unlinkFile(filepath);
    return;
  }

@ -233,7 +244,7 @@ const deleteLocalFile = async (req, file) => {
    throw new Error('Invalid file path');
  }

-  await fs.promises.unlink(filepath);
+  await unlinkFile(filepath);
 };

 /**
@ -275,11 +286,31 @@ async function uploadLocalFile({ req, file, file_id }) {
 /**
 * Retrieves a readable stream for a file from local storage.
 *
+ * @param {ServerRequest} req - The request object from Express
 * @param {string} filepath - The filepath.
 * @returns {ReadableStream} A readable stream of the file.
 */
-function getLocalFileStream(filepath) {
+function getLocalFileStream(req, filepath) {
  try {
+    if (filepath.includes('/uploads/')) {
+      const basePath = filepath.split('/uploads/')[1];
+
+      if (!basePath) {
+        logger.warn(`Invalid base path: ${filepath}`);
+        throw new Error(`Invalid file path: ${filepath}`);
+      }
+
+      const fullPath = path.join(req.app.locals.paths.uploads, basePath);
+      const uploadsDir = req.app.locals.paths.uploads;
+
+      const rel = path.relative(uploadsDir, fullPath);
+      if (rel.startsWith('..') || path.isAbsolute(rel) || rel.includes(`..${path.sep}`)) {
+        logger.warn(`Invalid relative file path: ${filepath}`);
+        throw new Error(`Invalid file path: ${filepath}`);
+      }
+
+      return fs.createReadStream(fullPath);
+    }
    return fs.createReadStream(filepath);
  } catch (error) {
    logger.error('Error getting local file stream:', error);
--- a/api/server/services/Files/VectorDB/crud.js
+++ b/api/server/services/Files/VectorDB/crud.js
@ -37,7 +37,14 @@ const deleteVectors = async (req, file) => {
      error,
      message: 'Error deleting vectors',
    });
-    throw new Error(error.message || 'An error occurred during file deletion.');
+    if (
+      error.response &&
+      error.response.status !== 404 &&
+      (error.response.status < 200 || error.response.status >= 300)
+    ) {
+      logger.warn('Error deleting vectors, file will not be deleted');
+      throw new Error(error.message || 'An error occurred during file deletion.');
+    }
  }
 };

--- a/api/server/services/Files/process.js
+++ b/api/server/services/Files/process.js
@ -347,8 +347,8 @@ const uploadImageBuffer = async ({ req, context, metadata = {}, resize = true })
      req.app.locals.imageOutputType
    }`;
  }
-
-  const filepath = await saveBuffer({ userId: req.user.id, fileName: filename, buffer });
+  const fileName = `${file_id}-${filename}`;
+  const filepath = await saveBuffer({ userId: req.user.id, fileName, buffer });
  return await createFile(
    {
      user: req.user.id,
@ -801,8 +801,7 @@ async function saveBase64Image(
  { req, file_id: _file_id, filename: _filename, endpoint, context, resolution = 'high' },
 ) {
  const file_id = _file_id ?? v4();
-
-  let filename = _filename;
+  let filename = `${file_id}-${_filename}`;
  const { buffer: inputBuffer, type } = base64ToBuffer(url);
  if (!path.extname(_filename)) {
    const extension = mime.getExtension(type);
--- a/api/server/services/ModelService.js
+++ b/api/server/services/ModelService.js
@ -1,4 +1,5 @@
 const axios = require('axios');
+const { Providers } = require('@librechat/agents');
 const { HttpsProxyAgent } = require('https-proxy-agent');
 const { EModelEndpoint, defaultModels, CacheKeys } = require('librechat-data-provider');
 const { inputSchema, logAxiosError, extractBaseURL, processModelData } = require('~/utils');
@ -57,7 +58,7 @@ const fetchModels = async ({
    return models;
  }

-  if (name && name.toLowerCase().startsWith('ollama')) {
+  if (name && name.toLowerCase().startsWith(Providers.OLLAMA)) {
    return await OllamaClient.fetchModels(baseURL);
  }

--- a/api/server/services/twoFactorService.js
+++ b/api/server/services/twoFactorService.js
@ -0,0 +1,238 @@
+const { sign } = require('jsonwebtoken');
+const { webcrypto } = require('node:crypto');
+const { hashBackupCode, decryptV2 } = require('~/server/utils/crypto');
+const { updateUser } = require('~/models/userMethods');
+
+const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
+/**
+ * Encodes a Buffer into a Base32 string using the RFC 4648 alphabet.
+ *
+ * @param {Buffer} buffer - The buffer to encode.
+ * @returns {string} The Base32 encoded string.
+ */
+const encodeBase32 = (buffer) => {
+  let bits = 0;
+  let value = 0;
+  let output = '';
+  for (const byte of buffer) {
+    value = (value << 8) | byte;
+    bits += 8;
+    while (bits >= 5) {
+      output += BASE32_ALPHABET[(value >>> (bits - 5)) & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) {
+    output += BASE32_ALPHABET[(value << (5 - bits)) & 31];
+  }
+  return output;
+};
+
+/**
+ * Decodes a Base32-encoded string back into a Buffer.
+ *
+ * @param {string} base32Str - The Base32-encoded string.
+ * @returns {Buffer} The decoded buffer.
+ */
+const decodeBase32 = (base32Str) => {
+  const cleaned = base32Str.replace(/=+$/, '').toUpperCase();
+  let bits = 0;
+  let value = 0;
+  const output = [];
+  for (const char of cleaned) {
+    const idx = BASE32_ALPHABET.indexOf(char);
+    if (idx === -1) {
+      continue;
+    }
+    value = (value << 5) | idx;
+    bits += 5;
+    if (bits >= 8) {
+      output.push((value >>> (bits - 8)) & 0xff);
+      bits -= 8;
+    }
+  }
+  return Buffer.from(output);
+};
+
+/**
+ * Generates a temporary token for 2FA verification.
+ * The token is signed with the JWT_SECRET and expires in 5 minutes.
+ *
+ * @param {string} userId - The unique identifier of the user.
+ * @returns {string} The signed JWT token.
+ */
+const generate2FATempToken = (userId) =>
+  sign({ userId, twoFAPending: true }, process.env.JWT_SECRET, { expiresIn: '5m' });
+
+/**
+ * Generates a TOTP secret.
+ * Creates 10 random bytes using WebCrypto and encodes them into a Base32 string.
+ *
+ * @returns {string} A Base32-encoded secret for TOTP.
+ */
+const generateTOTPSecret = () => {
+  const randomArray = new Uint8Array(10);
+  webcrypto.getRandomValues(randomArray);
+  return encodeBase32(Buffer.from(randomArray));
+};
+
+/**
+ * Generates a Time-based One-Time Password (TOTP) based on the provided secret and time.
+ * This implementation uses a 30-second time step and produces a 6-digit code.
+ *
+ * @param {string} secret - The Base32-encoded TOTP secret.
+ * @param {number} [forTime=Date.now()] - The time (in milliseconds) for which to generate the TOTP.
+ * @returns {Promise<string>} A promise that resolves to the 6-digit TOTP code.
+ */
+const generateTOTP = async (secret, forTime = Date.now()) => {
+  const timeStep = 30; // seconds
+  const counter = Math.floor(forTime / 1000 / timeStep);
+  const counterBuffer = new ArrayBuffer(8);
+  const counterView = new DataView(counterBuffer);
+  // Write counter into the last 4 bytes (big-endian)
+  counterView.setUint32(4, counter, false);
+
+  // Decode the secret into an ArrayBuffer
+  const keyBuffer = decodeBase32(secret);
+  const keyArrayBuffer = keyBuffer.buffer.slice(
+    keyBuffer.byteOffset,
+    keyBuffer.byteOffset + keyBuffer.byteLength,
+  );
+
+  // Import the key for HMAC-SHA1 signing
+  const cryptoKey = await webcrypto.subtle.importKey(
+    'raw',
+    keyArrayBuffer,
+    { name: 'HMAC', hash: 'SHA-1' },
+    false,
+    ['sign'],
+  );
+
+  // Generate HMAC signature
+  const signatureBuffer = await webcrypto.subtle.sign('HMAC', cryptoKey, counterBuffer);
+  const hmac = new Uint8Array(signatureBuffer);
+
+  // Dynamic truncation as per RFC 4226
+  const offset = hmac[hmac.length - 1] & 0xf;
+  const slice = hmac.slice(offset, offset + 4);
+  const view = new DataView(slice.buffer, slice.byteOffset, slice.byteLength);
+  const binaryCode = view.getUint32(0, false) & 0x7fffffff;
+  const code = (binaryCode % 1000000).toString().padStart(6, '0');
+  return code;
+};
+
+/**
+ * Verifies a provided TOTP token against the secret.
+ * It allows for a ±1 time-step window to account for slight clock discrepancies.
+ *
+ * @param {string} secret - The Base32-encoded TOTP secret.
+ * @param {string} token - The TOTP token provided by the user.
+ * @returns {Promise<boolean>} A promise that resolves to true if the token is valid; otherwise, false.
+ */
+const verifyTOTP = async (secret, token) => {
+  const timeStepMS = 30 * 1000;
+  const currentTime = Date.now();
+  for (let offset = -1; offset <= 1; offset++) {
+    const expected = await generateTOTP(secret, currentTime + offset * timeStepMS);
+    if (expected === token) {
+      return true;
+    }
+  }
+  return false;
+};
+
+/**
+ * Generates backup codes for two-factor authentication.
+ * Each backup code is an 8-character hexadecimal string along with its SHA-256 hash.
+ * The plain codes are returned for one-time download, while the hashed objects are meant for secure storage.
+ *
+ * @param {number} [count=10] - The number of backup codes to generate.
+ * @returns {Promise<{ plainCodes: string[], codeObjects: Array<{ codeHash: string, used: boolean, usedAt: Date | null }> }>}
+ *          A promise that resolves to an object containing both plain backup codes and their corresponding code objects.
+ */
+const generateBackupCodes = async (count = 10) => {
+  const plainCodes = [];
+  const codeObjects = [];
+  const encoder = new TextEncoder();
+  for (let i = 0; i < count; i++) {
+    const randomArray = new Uint8Array(4);
+    webcrypto.getRandomValues(randomArray);
+    const code = Array.from(randomArray)
+      .map((b) => b.toString(16).padStart(2, '0'))
+      .join(''); // 8-character hex code
+    plainCodes.push(code);
+
+    // Compute SHA-256 hash of the code using WebCrypto
+    const codeBuffer = encoder.encode(code);
+    const hashBuffer = await webcrypto.subtle.digest('SHA-256', codeBuffer);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const codeHash = hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+    codeObjects.push({ codeHash, used: false, usedAt: null });
+  }
+  return { plainCodes, codeObjects };
+};
+
+/**
+ * Verifies a backup code for a user and updates its status as used if valid.
+ *
+ * @param {Object} params - The parameters object.
+ * @param {TUser | undefined} [params.user] - The user object containing backup codes.
+ * @param {string | undefined} [params.backupCode] - The backup code to verify.
+ * @returns {Promise<boolean>} A promise that resolves to true if the backup code is valid and updated; otherwise, false.
+ */
+const verifyBackupCode = async ({ user, backupCode }) => {
+  if (!backupCode || !user || !Array.isArray(user.backupCodes)) {
+    return false;
+  }
+
+  const hashedInput = await hashBackupCode(backupCode.trim());
+  const matchingCode = user.backupCodes.find(
+    (codeObj) => codeObj.codeHash === hashedInput && !codeObj.used,
+  );
+
+  if (matchingCode) {
+    const updatedBackupCodes = user.backupCodes.map((codeObj) =>
+      codeObj.codeHash === hashedInput && !codeObj.used
+        ? { ...codeObj, used: true, usedAt: new Date() }
+        : codeObj,
+    );
+
+    await updateUser(user._id, { backupCodes: updatedBackupCodes });
+    return true;
+  }
+
+  return false;
+};
+
+/**
+ * Retrieves and, if necessary, decrypts a stored TOTP secret.
+ * If the secret contains a colon, it is assumed to be in the format "iv:encryptedData" and will be decrypted.
+ * If the secret is exactly 16 characters long, it is assumed to be a legacy plain secret.
+ *
+ * @param {string|null} storedSecret - The stored TOTP secret (which may be encrypted).
+ * @returns {Promise<string|null>} A promise that resolves to the plain TOTP secret, or null if none is provided.
+ */
+const getTOTPSecret = async (storedSecret) => {
+  if (!storedSecret) { return null; }
+  // Check for a colon marker (encrypted secrets are stored as "iv:encryptedData")
+  if (storedSecret.includes(':')) {
+    return await decryptV2(storedSecret);
+  }
+  // If it's exactly 16 characters, assume it's already plain (legacy secret)
+  if (storedSecret.length === 16) {
+    return storedSecret;
+  }
+  // Fallback in case it doesn't meet our criteria.
+  return storedSecret;
+};
+
+module.exports = {
+  verifyTOTP,
+  generateTOTP,
+  getTOTPSecret,
+  verifyBackupCode,
+  generateTOTPSecret,
+  generateBackupCodes,
+  generate2FATempToken,
+};
--- a/api/server/utils/crypto.js
+++ b/api/server/utils/crypto.js
@ -112,4 +112,25 @@ async function getRandomValues(length) {
  return Buffer.from(randomValues).toString('hex');
 }

-module.exports = { encrypt, decrypt, encryptV2, decryptV2, hashToken, getRandomValues };
+/**
+ * Computes SHA-256 hash for the given input using WebCrypto
+ * @param {string} input
+ * @returns {Promise<string>} - Hex hash string
+ */
+const hashBackupCode = async (input) => {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(input);
+  const hashBuffer = await webcrypto.subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  return hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+};
+
+module.exports = {
+  encrypt,
+  decrypt,
+  encryptV2,
+  decryptV2,
+  hashToken,
+  hashBackupCode,
+  getRandomValues,
+};
--- a/api/strategies/googleStrategy.js
+++ b/api/strategies/googleStrategy.js
@ -6,7 +6,7 @@ const getProfileDetails = ({ profile }) => ({
  id: profile.id,
  avatarUrl: profile.photos[0].value,
  username: profile.name.givenName,
-  name: `${profile.name.givenName} ${profile.name.familyName}`,
+  name: `${profile.name.givenName}${profile.name.familyName ? ` ${profile.name.familyName}` : ''}`,
  emailVerified: profile.emails[0].verified,
 });

--- a/api/strategies/jwtStrategy.js
+++ b/api/strategies/jwtStrategy.js
@ -12,7 +12,7 @@ const jwtLogin = async () =>
    },
    async (payload, done) => {
      try {
-        const user = await getUserById(payload?.id, '-password -__v');
+        const user = await getUserById(payload?.id, '-password -__v -totpSecret');
        if (user) {
          user.id = user._id.toString();
          if (!user.role) {
--- a/api/utils/axios.js
+++ b/api/utils/axios.js
@ -5,40 +5,32 @@ const { logger } = require('~/config');
 *
 * @param {Object} options - The options object.
 * @param {string} options.message - The custom message to be logged.
- * @param {Error} options.error - The Axios error object.
+ * @param {import('axios').AxiosError} options.error - The Axios error object.
 */
 const logAxiosError = ({ message, error }) => {
-  const timedOutMessage = 'Cannot read properties of undefined (reading \'status\')';
-  if (error.response) {
-    logger.error(
-      `${message} The request was made and the server responded with a status code that falls out of the range of 2xx: ${
-        error.message ? error.message : ''
-      }. Error response data:\n`,
-      {
-        headers: error.response?.headers,
-        status: error.response?.status,
-        data: error.response?.data,
-      },
-    );
-  } else if (error.request) {
-    logger.error(
-      `${message} The request was made but no response was received: ${
-        error.message ? error.message : ''
-      }. Error Request:\n`,
-      {
-        request: error.request,
-      },
-    );
-  } else if (error?.message?.includes(timedOutMessage)) {
-    logger.error(
-      `${message}\nThe request either timed out or was unsuccessful. Error message:\n`,
-      error,
-    );
-  } else {
-    logger.error(
-      `${message}\nSomething happened in setting up the request. Error message:\n`,
-      error,
-    );
+  try {
+    if (error.response?.status) {
+      const { status, headers, data } = error.response;
+      logger.error(`${message} The server responded with status ${status}: ${error.message}`, {
+        status,
+        headers,
+        data,
+      });
+    } else if (error.request) {
+      const { method, url } = error.config || {};
+      logger.error(
+        `${message} No response received for ${method ? method.toUpperCase() : ''} ${url || ''}: ${error.message}`,
+        { requestInfo: { method, url } },
+      );
+    } else if (error?.message?.includes('Cannot read properties of undefined (reading \'status\')')) {
+      logger.error(
+        `${message} It appears the request timed out or was unsuccessful: ${error.message}`,
+      );
+    } else {
+      logger.error(`${message} An error occurred while setting up the request: ${error.message}`);
+    }
+  } catch (err) {
+    logger.error(`Error in logAxiosError: ${err.message}`);
  }
 };