📧 fix: Case-Insensitive Domain Matching (#9868)

* chore: move domain related functions to `packages/api`

* fix: isEmailDomainAllowed for case-insensitive domain matching

- Added tests to validate case-insensitive matching for email domains in various scenarios.
- Updated isEmailDomainAllowed function to convert email domains to lowercase for consistent comparison.
- Improved handling of null/undefined entries in allowedDomains.

* ci: Mock isEmailDomainAllowed in samlStrategy tests

- Added a mock implementation for isEmailDomainAllowed to return true in samlStrategy tests, ensuring consistent behavior during test execution.

* ci: Update import of isEmailDomainAllowed in ldapStrategy tests

- Changed the import of isEmailDomainAllowed from the domains service to the api package for consistency and to reflect recent refactoring.

api/server/middleware/checkDomainAllowed.js

@@ -1,5 +1,5 @@
 const { logger } = require('@librechat/data-schemas');
-const { isEmailDomainAllowed } = require('~/server/services/domains');
+const { isEmailDomainAllowed } = require('@librechat/api');
 const { getAppConfig } = require('~/server/services/Config');
 
 /**

api/server/routes/agents/actions.js

@@ -1,20 +1,19 @@
 const express = require('express');
 const { nanoid } = require('nanoid');
 const { logger } = require('@librechat/data-schemas');
-const { generateCheckAccess } = require('@librechat/api');
+const { generateCheckAccess, isActionDomainAllowed } = require('@librechat/api');
 const {
   Permissions,
   ResourceType,
+  PermissionBits,
   PermissionTypes,
   actionDelimiter,
-  PermissionBits,
   removeNullishValues,
 } = require('librechat-data-provider');
 const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
 const { findAccessibleResources } = require('~/server/services/PermissionService');
 const { getAgent, updateAgent, getListAgentsByAccess } = require('~/models/Agent');
 const { updateAction, getActions, deleteAction } = require('~/models/Action');
-const { isActionDomainAllowed } = require('~/server/services/domains');
 const { canAccessAgentResource } = require('~/server/middleware');
 const { getRoleByName } = require('~/models/Role');
 

api/server/routes/assistants/actions.js

@@ -1,12 +1,12 @@
 const express = require('express');
 const { nanoid } = require('nanoid');
 const { logger } = require('@librechat/data-schemas');
+const { isActionDomainAllowed } = require('@librechat/api');
 const { actionDelimiter, EModelEndpoint, removeNullishValues } = require('librechat-data-provider');
 const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
 const { getOpenAIClient } = require('~/server/controllers/assistants/helpers');
 const { updateAction, getActions, deleteAction } = require('~/models/Action');
 const { updateAssistantDoc, getAssistant } = require('~/models/Assistant');
-const { isActionDomainAllowed } = require('~/server/services/domains');
 
 const router = express.Router();
 

api/server/services/AuthService.js

@@ -2,7 +2,7 @@ const bcrypt = require('bcryptjs');
 const jwt = require('jsonwebtoken');
 const { webcrypto } = require('node:crypto');
 const { logger } = require('@librechat/data-schemas');
-const { isEnabled, checkEmailConfig } = require('@librechat/api');
+const { isEnabled, checkEmailConfig, isEmailDomainAllowed } = require('@librechat/api');
 const { ErrorTypes, SystemRoles, errorsToString } = require('librechat-data-provider');
 const {
   findUser,
@@ -20,7 +20,6 @@ const {
   deleteUserById,
   generateRefreshToken,
 } = require('~/models');
-const { isEmailDomainAllowed } = require('~/server/services/domains');
 const { registerSchema } = require('~/strategies/validators');
 const { getAppConfig } = require('~/server/services/Config');
 const { sendEmail } = require('~/server/utils');

api/server/services/ToolService.js

@@ -1,7 +1,12 @@
 const { sleep } = require('@librechat/agents');
 const { logger } = require('@librechat/data-schemas');
 const { tool: toolFn, DynamicStructuredTool } = require('@langchain/core/tools');
-const { getToolkitKey, hasCustomUserVars, getUserMCPAuthMap } = require('@librechat/api');
+const {
+  getToolkitKey,
+  hasCustomUserVars,
+  getUserMCPAuthMap,
+  isActionDomainAllowed,
+} = require('@librechat/api');
 const {
   Tools,
   Constants,
@@ -26,7 +31,6 @@ const { processFileURL, uploadImageBuffer } = require('~/server/services/Files/p
 const { getEndpointsConfig, getCachedTools } = require('~/server/services/Config');
 const { manifestToolMap, toolkits } = require('~/app/clients/tools/manifest');
 const { createOnSearchResults } = require('~/server/services/Tools/search');
-const { isActionDomainAllowed } = require('~/server/services/domains');
 const { recordUsage } = require('~/server/services/Threads');
 const { loadTools } = require('~/app/clients/tools/util');
 const { redactMessage } = require('~/config/parsers');

api/server/services/domains.js

@@ -1,105 +0,0 @@
-/**
- * @param {string} email
- * @param {string[]} [allowedDomains]
- * @returns {boolean}
- */
-function isEmailDomainAllowed(email, allowedDomains) {
-  if (!email) {
-    return false;
-  }
-
-  const domain = email.split('@')[1];
-
-  if (!domain) {
-    return false;
-  }
-
-  if (!allowedDomains) {
-    return true;
-  } else if (!Array.isArray(allowedDomains) || !allowedDomains.length) {
-    return true;
-  }
-
-  return allowedDomains.includes(domain);
-}
-
-/**
- * Normalizes a domain string
- * @param {string} domain
- * @returns {string|null}
- */
-/**
- * Normalizes a domain string. If the domain is invalid, returns null.
- * Normalized === lowercase, trimmed, and protocol added if missing.
- * @param {string} domain
- * @returns {string|null}
- */
-function normalizeDomain(domain) {
-  try {
-    let normalizedDomain = domain.toLowerCase().trim();
-
-    // Early return for obviously invalid formats
-    if (normalizedDomain === 'http://' || normalizedDomain === 'https://') {
-      return null;
-    }
-
-    // If it's not already a URL, make it one
-    if (!normalizedDomain.startsWith('http://') && !normalizedDomain.startsWith('https://')) {
-      normalizedDomain = `https://${normalizedDomain}`;
-    }
-
-    const url = new URL(normalizedDomain);
-    // Additional validation that hostname isn't just protocol
-    if (!url.hostname || url.hostname === 'http:' || url.hostname === 'https:') {
-      return null;
-    }
-
-    return url.hostname.replace(/^www\./i, '');
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Checks if the given domain is allowed. If no restrictions are set, allows all domains.
- * @param {string} [domain]
- * @param {string[]} [allowedDomains]
- * @returns {Promise<boolean>}
- */
-async function isActionDomainAllowed(domain, allowedDomains) {
-  if (!domain || typeof domain !== 'string') {
-    return false;
-  }
-
-  if (!Array.isArray(allowedDomains) || !allowedDomains.length) {
-    return true;
-  }
-
-  const normalizedInputDomain = normalizeDomain(domain);
-  if (!normalizedInputDomain) {
-    return false;
-  }
-
-  for (const allowedDomain of allowedDomains) {
-    const normalizedAllowedDomain = normalizeDomain(allowedDomain);
-    if (!normalizedAllowedDomain) {
-      continue;
-    }
-
-    if (normalizedAllowedDomain.startsWith('*.')) {
-      const baseDomain = normalizedAllowedDomain.slice(2);
-      if (
-        normalizedInputDomain === baseDomain ||
-        normalizedInputDomain.endsWith(`.${baseDomain}`)
-      ) {
-        return true;
-      }
-    } else if (normalizedInputDomain === normalizedAllowedDomain) {
-      return true;
-    }
-  }
-
-  return false;
-}
-
-module.exports = { isEmailDomainAllowed, isActionDomainAllowed };

api/server/services/domains.spec.js

@@ -1,198 +0,0 @@
-const { isEmailDomainAllowed, isActionDomainAllowed } = require('~/server/services/domains');
-const { getAppConfig } = require('~/server/services/Config');
-
-jest.mock('~/server/services/Config', () => ({
-  getAppConfig: jest.fn(),
-}));
-
-describe('isEmailDomainAllowed', () => {
-  afterEach(() => {
-    jest.clearAllMocks();
-  });
-
-  it('should return false if email is falsy', async () => {
-    const email = '';
-    const result = isEmailDomainAllowed(email);
-    expect(result).toBe(false);
-  });
-
-  it('should return false if domain is not present in the email', async () => {
-    const email = 'test';
-    const result = isEmailDomainAllowed(email);
-    expect(result).toBe(false);
-  });
-
-  it('should return true if customConfig is not available', async () => {
-    const email = 'test@domain1.com';
-    getAppConfig.mockResolvedValue(null);
-    const result = isEmailDomainAllowed(email, null);
-    expect(result).toBe(true);
-  });
-
-  it('should return true if allowedDomains is not defined in customConfig', async () => {
-    const email = 'test@domain1.com';
-    getAppConfig.mockResolvedValue({});
-    const result = isEmailDomainAllowed(email, undefined);
-    expect(result).toBe(true);
-  });
-
-  it('should return true if domain is included in the allowedDomains', async () => {
-    const email = 'user@domain1.com';
-    getAppConfig.mockResolvedValue({
-      registration: {
-        allowedDomains: ['domain1.com', 'domain2.com'],
-      },
-    });
-    const result = isEmailDomainAllowed(email, ['domain1.com', 'domain2.com']);
-    expect(result).toBe(true);
-  });
-
-  it('should return false if domain is not included in the allowedDomains', async () => {
-    const email = 'user@domain3.com';
-    getAppConfig.mockResolvedValue({
-      registration: {
-        allowedDomains: ['domain1.com', 'domain2.com'],
-      },
-    });
-    const result = isEmailDomainAllowed(email, ['domain1.com', 'domain2.com']);
-    expect(result).toBe(false);
-  });
-});
-
-describe('isActionDomainAllowed', () => {
-  afterEach(() => {
-    jest.clearAllMocks();
-  });
-
-  // Basic Input Validation Tests
-  describe('input validation', () => {
-    it('should return false for falsy values', async () => {
-      expect(await isActionDomainAllowed()).toBe(false);
-      expect(await isActionDomainAllowed(null)).toBe(false);
-      expect(await isActionDomainAllowed('')).toBe(false);
-      expect(await isActionDomainAllowed(undefined)).toBe(false);
-    });
-
-    it('should return false for non-string inputs', async () => {
-      expect(await isActionDomainAllowed(123)).toBe(false);
-      expect(await isActionDomainAllowed({})).toBe(false);
-      expect(await isActionDomainAllowed([])).toBe(false);
-    });
-
-    it('should return false for invalid domain formats', async () => {
-      getAppConfig.mockResolvedValue({
-        actions: { allowedDomains: ['http://', 'https://'] },
-      });
-      expect(await isActionDomainAllowed('http://', ['http://', 'https://'])).toBe(false);
-      expect(await isActionDomainAllowed('https://', ['http://', 'https://'])).toBe(false);
-    });
-  });
-
-  // Configuration Tests
-  describe('configuration handling', () => {
-    it('should return true if customConfig is null', async () => {
-      getAppConfig.mockResolvedValue(null);
-      expect(await isActionDomainAllowed('example.com', null)).toBe(true);
-    });
-
-    it('should return true if actions.allowedDomains is not defined', async () => {
-      getAppConfig.mockResolvedValue({});
-      expect(await isActionDomainAllowed('example.com', undefined)).toBe(true);
-    });
-
-    it('should return true if allowedDomains is empty array', async () => {
-      getAppConfig.mockResolvedValue({
-        actions: { allowedDomains: [] },
-      });
-      expect(await isActionDomainAllowed('example.com', [])).toBe(true);
-    });
-  });
-
-  // Domain Matching Tests
-  describe('domain matching', () => {
-    const allowedDomains = [
-      'example.com',
-      '*.subdomain.com',
-      'specific.domain.com',
-      'www.withprefix.com',
-      'swapi.dev',
-    ];
-
-    beforeEach(() => {
-      getAppConfig.mockResolvedValue({
-        actions: {
-          allowedDomains,
-        },
-      });
-    });
-
-    it('should match exact domains', async () => {
-      expect(await isActionDomainAllowed('example.com', allowedDomains)).toBe(true);
-      expect(await isActionDomainAllowed('other.com', allowedDomains)).toBe(false);
-      expect(await isActionDomainAllowed('swapi.dev', allowedDomains)).toBe(true);
-    });
-
-    it('should handle domains with www prefix', async () => {
-      expect(await isActionDomainAllowed('www.example.com', allowedDomains)).toBe(true);
-      expect(await isActionDomainAllowed('www.withprefix.com', allowedDomains)).toBe(true);
-    });
-
-    it('should handle full URLs', async () => {
-      expect(await isActionDomainAllowed('https://example.com', allowedDomains)).toBe(true);
-      expect(await isActionDomainAllowed('http://example.com', allowedDomains)).toBe(true);
-      expect(await isActionDomainAllowed('https://example.com/path', allowedDomains)).toBe(true);
-    });
-
-    it('should handle wildcard subdomains', async () => {
-      expect(await isActionDomainAllowed('test.subdomain.com', allowedDomains)).toBe(true);
-      expect(await isActionDomainAllowed('any.subdomain.com', allowedDomains)).toBe(true);
-      expect(await isActionDomainAllowed('subdomain.com', allowedDomains)).toBe(true);
-    });
-
-    it('should handle specific subdomains', async () => {
-      expect(await isActionDomainAllowed('specific.domain.com', allowedDomains)).toBe(true);
-      expect(await isActionDomainAllowed('other.domain.com', allowedDomains)).toBe(false);
-    });
-  });
-
-  // Edge Cases
-  describe('edge cases', () => {
-    const edgeAllowedDomains = ['example.com', '*.test.com'];
-
-    beforeEach(() => {
-      getAppConfig.mockResolvedValue({
-        actions: {
-          allowedDomains: edgeAllowedDomains,
-        },
-      });
-    });
-
-    it('should handle domains with query parameters', async () => {
-      expect(await isActionDomainAllowed('example.com?param=value', edgeAllowedDomains)).toBe(true);
-    });
-
-    it('should handle domains with ports', async () => {
-      expect(await isActionDomainAllowed('example.com:8080', edgeAllowedDomains)).toBe(true);
-    });
-
-    it('should handle domains with trailing slashes', async () => {
-      expect(await isActionDomainAllowed('example.com/', edgeAllowedDomains)).toBe(true);
-    });
-
-    it('should handle case insensitivity', async () => {
-      expect(await isActionDomainAllowed('EXAMPLE.COM', edgeAllowedDomains)).toBe(true);
-      expect(await isActionDomainAllowed('Example.Com', edgeAllowedDomains)).toBe(true);
-    });
-
-    it('should handle invalid entries in allowedDomains', async () => {
-      const invalidAllowedDomains = ['example.com', null, undefined, '', 'test.com'];
-      getAppConfig.mockResolvedValue({
-        actions: {
-          allowedDomains: invalidAllowedDomains,
-        },
-      });
-      expect(await isActionDomainAllowed('example.com', invalidAllowedDomains)).toBe(true);
-      expect(await isActionDomainAllowed('test.com', invalidAllowedDomains)).toBe(true);
-    });
-  });
-});

api/strategies/ldapStrategy.js

@@ -1,10 +1,9 @@
 const fs = require('fs');
 const LdapStrategy = require('passport-ldapauth');
 const { logger } = require('@librechat/data-schemas');
-const { isEnabled, getBalanceConfig } = require('@librechat/api');
 const { SystemRoles, ErrorTypes } = require('librechat-data-provider');
+const { isEnabled, getBalanceConfig, isEmailDomainAllowed } = require('@librechat/api');
 const { createUser, findUser, updateUser, countUsers } = require('~/models');
-const { isEmailDomainAllowed } = require('~/server/services/domains');
 const { getAppConfig } = require('~/server/services/Config');
 
 const {

api/strategies/ldapStrategy.spec.js

@@ -11,6 +11,7 @@ jest.mock('@librechat/data-schemas', () => ({
 jest.mock('@librechat/api', () => ({
   // isEnabled used for TLS flags
   isEnabled: jest.fn(() => false),
+  isEmailDomainAllowed: jest.fn(() => true),
   getBalanceConfig: jest.fn(() => ({ enabled: false })),
 }));
 
@@ -25,10 +26,6 @@ jest.mock('~/server/services/Config', () => ({
   getAppConfig: jest.fn().mockResolvedValue({}),
 }));
 
-jest.mock('~/server/services/domains', () => ({
-  isEmailDomainAllowed: jest.fn(() => true),
-}));
-
 // Mock passport-ldapauth to capture verify callback
 let verifyCallback;
 jest.mock('passport-ldapauth', () => {
@@ -39,8 +36,8 @@ jest.mock('passport-ldapauth', () => {
 });
 
 const { ErrorTypes } = require('librechat-data-provider');
+const { isEmailDomainAllowed } = require('@librechat/api');
 const { findUser, createUser, updateUser, countUsers } = require('~/models');
-const { isEmailDomainAllowed } = require('~/server/services/domains');
 
 // Helper to call the verify callback and wrap in a Promise for convenience
 const callVerify = (userinfo) =>

api/strategies/openidStrategy.js

@@ -13,9 +13,9 @@ const {
   safeStringify,
   findOpenIDUser,
   getBalanceConfig,
+  isEmailDomainAllowed,
 } = require('@librechat/api');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
-const { isEmailDomainAllowed } = require('~/server/services/domains');
 const { findUser, createUser, updateUser } = require('~/models');
 const { getAppConfig } = require('~/server/services/Config');
 const getLogStores = require('~/cache/getLogStores');

api/strategies/samlStrategy.js

@@ -2,12 +2,11 @@ const fs = require('fs');
 const path = require('path');
 const fetch = require('node-fetch');
 const passport = require('passport');
-const { getBalanceConfig } = require('@librechat/api');
 const { ErrorTypes } = require('librechat-data-provider');
 const { hashToken, logger } = require('@librechat/data-schemas');
 const { Strategy: SamlStrategy } = require('@node-saml/passport-saml');
+const { getBalanceConfig, isEmailDomainAllowed } = require('@librechat/api');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
-const { isEmailDomainAllowed } = require('~/server/services/domains');
 const { findUser, createUser, updateUser } = require('~/models');
 const { getAppConfig } = require('~/server/services/Config');
 const paths = require('~/config/paths');

api/strategies/samlStrategy.spec.js

@@ -26,6 +26,7 @@ jest.mock('~/server/services/Config', () => ({
   getAppConfig: jest.fn().mockResolvedValue({}),
 }));
 jest.mock('@librechat/api', () => ({
+  isEmailDomainAllowed: jest.fn(() => true),
   getBalanceConfig: jest.fn(() => ({
     tokenCredits: 1000,
     startBalance: 1000,

api/strategies/socialLogin.js

@@ -1,8 +1,7 @@
-const { isEnabled } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const { ErrorTypes } = require('librechat-data-provider');
+const { isEnabled, isEmailDomainAllowed } = require('@librechat/api');
 const { createSocialUser, handleExistingUser } = require('./process');
-const { isEmailDomainAllowed } = require('~/server/services/domains');
 const { getAppConfig } = require('~/server/services/Config');
 const { findUser } = require('~/models');