mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-17 00:40:14 +01:00
📧 fix: Case-Insensitive Domain Matching (#9868)
Some checks failed
Docker Dev Branch Images Build / build (Dockerfile, lc-dev, node) (push) Has been cancelled
Docker Dev Branch Images Build / build (Dockerfile.multi, lc-dev-api, api-build) (push) Has been cancelled
Docker Dev Images Build / build (Dockerfile, librechat-dev, node) (push) Has been cancelled
Docker Dev Images Build / build (Dockerfile.multi, librechat-dev-api, api-build) (push) Has been cancelled
Sync Locize Translations & Create Translation PR / Sync Translation Keys with Locize (push) Has been cancelled
Sync Locize Translations & Create Translation PR / Create Translation PR on Version Published (push) Has been cancelled
Some checks failed
Docker Dev Branch Images Build / build (Dockerfile, lc-dev, node) (push) Has been cancelled
Docker Dev Branch Images Build / build (Dockerfile.multi, lc-dev-api, api-build) (push) Has been cancelled
Docker Dev Images Build / build (Dockerfile, librechat-dev, node) (push) Has been cancelled
Docker Dev Images Build / build (Dockerfile.multi, librechat-dev-api, api-build) (push) Has been cancelled
Sync Locize Translations & Create Translation PR / Sync Translation Keys with Locize (push) Has been cancelled
Sync Locize Translations & Create Translation PR / Create Translation PR on Version Published (push) Has been cancelled
* chore: move domain related functions to `packages/api` * fix: isEmailDomainAllowed for case-insensitive domain matching - Added tests to validate case-insensitive matching for email domains in various scenarios. - Updated isEmailDomainAllowed function to convert email domains to lowercase for consistent comparison. - Improved handling of null/undefined entries in allowedDomains. * ci: Mock isEmailDomainAllowed in samlStrategy tests - Added a mock implementation for isEmailDomainAllowed to return true in samlStrategy tests, ensuring consistent behavior during test execution. * ci: Update import of isEmailDomainAllowed in ldapStrategy tests - Changed the import of isEmailDomainAllowed from the domains service to the api package for consistency and to reflect recent refactoring.
This commit is contained in:
Danny Avila
GitHub
parent
712f0b3ca2
commit
a1471c2f37
14 changed files with 84 additions and 88 deletions
|
|
@ -1,5 +1,5 @@
|
|||
const { logger } = require('@librechat/data-schemas');
|
||||
const { isEmailDomainAllowed } = require('~/server/services/domains');
|
||||
const { isEmailDomainAllowed } = require('@librechat/api');
|
||||
const { getAppConfig } = require('~/server/services/Config');
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -1,20 +1,19 @@
|
|||
const express = require('express');
|
||||
const { nanoid } = require('nanoid');
|
||||
const { logger } = require('@librechat/data-schemas');
|
||||
const { generateCheckAccess } = require('@librechat/api');
|
||||
const { generateCheckAccess, isActionDomainAllowed } = require('@librechat/api');
|
||||
const {
|
||||
Permissions,
|
||||
ResourceType,
|
||||
PermissionBits,
|
||||
PermissionTypes,
|
||||
actionDelimiter,
|
||||
PermissionBits,
|
||||
removeNullishValues,
|
||||
} = require('librechat-data-provider');
|
||||
const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
|
||||
const { findAccessibleResources } = require('~/server/services/PermissionService');
|
||||
const { getAgent, updateAgent, getListAgentsByAccess } = require('~/models/Agent');
|
||||
const { updateAction, getActions, deleteAction } = require('~/models/Action');
|
||||
const { isActionDomainAllowed } = require('~/server/services/domains');
|
||||
const { canAccessAgentResource } = require('~/server/middleware');
|
||||
const { getRoleByName } = require('~/models/Role');
|
||||
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
const express = require('express');
|
||||
const { nanoid } = require('nanoid');
|
||||
const { logger } = require('@librechat/data-schemas');
|
||||
const { isActionDomainAllowed } = require('@librechat/api');
|
||||
const { actionDelimiter, EModelEndpoint, removeNullishValues } = require('librechat-data-provider');
|
||||
const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
|
||||
const { getOpenAIClient } = require('~/server/controllers/assistants/helpers');
|
||||
const { updateAction, getActions, deleteAction } = require('~/models/Action');
|
||||
const { updateAssistantDoc, getAssistant } = require('~/models/Assistant');
|
||||
const { isActionDomainAllowed } = require('~/server/services/domains');
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ const bcrypt = require('bcryptjs');
|
|||
const jwt = require('jsonwebtoken');
|
||||
const { webcrypto } = require('node:crypto');
|
||||
const { logger } = require('@librechat/data-schemas');
|
||||
const { isEnabled, checkEmailConfig } = require('@librechat/api');
|
||||
const { isEnabled, checkEmailConfig, isEmailDomainAllowed } = require('@librechat/api');
|
||||
const { ErrorTypes, SystemRoles, errorsToString } = require('librechat-data-provider');
|
||||
const {
|
||||
findUser,
|
||||
|
|
@ -20,7 +20,6 @@ const {
|
|||
deleteUserById,
|
||||
generateRefreshToken,
|
||||
} = require('~/models');
|
||||
const { isEmailDomainAllowed } = require('~/server/services/domains');
|
||||
const { registerSchema } = require('~/strategies/validators');
|
||||
const { getAppConfig } = require('~/server/services/Config');
|
||||
const { sendEmail } = require('~/server/utils');
|
||||
|
|
|
|||
|
|
@ -1,7 +1,12 @@
|
|||
const { sleep } = require('@librechat/agents');
|
||||
const { logger } = require('@librechat/data-schemas');
|
||||
const { tool: toolFn, DynamicStructuredTool } = require('@langchain/core/tools');
|
||||
const { getToolkitKey, hasCustomUserVars, getUserMCPAuthMap } = require('@librechat/api');
|
||||
const {
|
||||
getToolkitKey,
|
||||
hasCustomUserVars,
|
||||
getUserMCPAuthMap,
|
||||
isActionDomainAllowed,
|
||||
} = require('@librechat/api');
|
||||
const {
|
||||
Tools,
|
||||
Constants,
|
||||
|
|
@ -26,7 +31,6 @@ const { processFileURL, uploadImageBuffer } = require('~/server/services/Files/p
|
|||
const { getEndpointsConfig, getCachedTools } = require('~/server/services/Config');
|
||||
const { manifestToolMap, toolkits } = require('~/app/clients/tools/manifest');
|
||||
const { createOnSearchResults } = require('~/server/services/Tools/search');
|
||||
const { isActionDomainAllowed } = require('~/server/services/domains');
|
||||
const { recordUsage } = require('~/server/services/Threads');
|
||||
const { loadTools } = require('~/app/clients/tools/util');
|
||||
const { redactMessage } = require('~/config/parsers');
|
||||
|
|
|
|||
|
|
@ -1,105 +0,0 @@
|
|||
/**
|
||||
* @param {string} email
|
||||
* @param {string[]} [allowedDomains]
|
||||
* @returns {boolean}
|
||||
*/
|
||||
function isEmailDomainAllowed(email, allowedDomains) {
|
||||
if (!email) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const domain = email.split('@')[1];
|
||||
|
||||
if (!domain) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!allowedDomains) {
|
||||
return true;
|
||||
} else if (!Array.isArray(allowedDomains) || !allowedDomains.length) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return allowedDomains.includes(domain);
|
||||
}
|
||||
|
||||
/**
|
||||
* Normalizes a domain string
|
||||
* @param {string} domain
|
||||
* @returns {string|null}
|
||||
*/
|
||||
/**
|
||||
* Normalizes a domain string. If the domain is invalid, returns null.
|
||||
* Normalized === lowercase, trimmed, and protocol added if missing.
|
||||
* @param {string} domain
|
||||
* @returns {string|null}
|
||||
*/
|
||||
function normalizeDomain(domain) {
|
||||
try {
|
||||
let normalizedDomain = domain.toLowerCase().trim();
|
||||
|
||||
// Early return for obviously invalid formats
|
||||
if (normalizedDomain === 'http://' || normalizedDomain === 'https://') {
|
||||
return null;
|
||||
}
|
||||
|
||||
// If it's not already a URL, make it one
|
||||
if (!normalizedDomain.startsWith('http://') && !normalizedDomain.startsWith('https://')) {
|
||||
normalizedDomain = `https://${normalizedDomain}`;
|
||||
}
|
||||
|
||||
const url = new URL(normalizedDomain);
|
||||
// Additional validation that hostname isn't just protocol
|
||||
if (!url.hostname || url.hostname === 'http:' || url.hostname === 'https:') {
|
||||
return null;
|
||||
}
|
||||
|
||||
return url.hostname.replace(/^www\./i, '');
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the given domain is allowed. If no restrictions are set, allows all domains.
|
||||
* @param {string} [domain]
|
||||
* @param {string[]} [allowedDomains]
|
||||
* @returns {Promise<boolean>}
|
||||
*/
|
||||
async function isActionDomainAllowed(domain, allowedDomains) {
|
||||
if (!domain || typeof domain !== 'string') {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!Array.isArray(allowedDomains) || !allowedDomains.length) {
|
||||
return true;
|
||||
}
|
||||
|
||||
const normalizedInputDomain = normalizeDomain(domain);
|
||||
if (!normalizedInputDomain) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (const allowedDomain of allowedDomains) {
|
||||
const normalizedAllowedDomain = normalizeDomain(allowedDomain);
|
||||
if (!normalizedAllowedDomain) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (normalizedAllowedDomain.startsWith('*.')) {
|
||||
const baseDomain = normalizedAllowedDomain.slice(2);
|
||||
if (
|
||||
normalizedInputDomain === baseDomain ||
|
||||
normalizedInputDomain.endsWith(`.${baseDomain}`)
|
||||
) {
|
||||
return true;
|
||||
}
|
||||
} else if (normalizedInputDomain === normalizedAllowedDomain) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
module.exports = { isEmailDomainAllowed, isActionDomainAllowed };
|
||||
|
|
@ -1,198 +0,0 @@
|
|||
const { isEmailDomainAllowed, isActionDomainAllowed } = require('~/server/services/domains');
|
||||
const { getAppConfig } = require('~/server/services/Config');
|
||||
|
||||
jest.mock('~/server/services/Config', () => ({
|
||||
getAppConfig: jest.fn(),
|
||||
}));
|
||||
|
||||
describe('isEmailDomainAllowed', () => {
|
||||
afterEach(() => {
|
||||
jest.clearAllMocks();
|
||||
});
|
||||
|
||||
it('should return false if email is falsy', async () => {
|
||||
const email = '';
|
||||
const result = isEmailDomainAllowed(email);
|
||||
expect(result).toBe(false);
|
||||
});
|
||||
|
||||
it('should return false if domain is not present in the email', async () => {
|
||||
const email = 'test';
|
||||
const result = isEmailDomainAllowed(email);
|
||||
expect(result).toBe(false);
|
||||
});
|
||||
|
||||
it('should return true if customConfig is not available', async () => {
|
||||
const email = 'test@domain1.com';
|
||||
getAppConfig.mockResolvedValue(null);
|
||||
const result = isEmailDomainAllowed(email, null);
|
||||
expect(result).toBe(true);
|
||||
});
|
||||
|
||||
it('should return true if allowedDomains is not defined in customConfig', async () => {
|
||||
const email = 'test@domain1.com';
|
||||
getAppConfig.mockResolvedValue({});
|
||||
const result = isEmailDomainAllowed(email, undefined);
|
||||
expect(result).toBe(true);
|
||||
});
|
||||
|
||||
it('should return true if domain is included in the allowedDomains', async () => {
|
||||
const email = 'user@domain1.com';
|
||||
getAppConfig.mockResolvedValue({
|
||||
registration: {
|
||||
allowedDomains: ['domain1.com', 'domain2.com'],
|
||||
},
|
||||
});
|
||||
const result = isEmailDomainAllowed(email, ['domain1.com', 'domain2.com']);
|
||||
expect(result).toBe(true);
|
||||
});
|
||||
|
||||
it('should return false if domain is not included in the allowedDomains', async () => {
|
||||
const email = 'user@domain3.com';
|
||||
getAppConfig.mockResolvedValue({
|
||||
registration: {
|
||||
allowedDomains: ['domain1.com', 'domain2.com'],
|
||||
},
|
||||
});
|
||||
const result = isEmailDomainAllowed(email, ['domain1.com', 'domain2.com']);
|
||||
expect(result).toBe(false);
|
||||
});
|
||||
});
|
||||
|
||||
describe('isActionDomainAllowed', () => {
|
||||
afterEach(() => {
|
||||
jest.clearAllMocks();
|
||||
});
|
||||
|
||||
// Basic Input Validation Tests
|
||||
describe('input validation', () => {
|
||||
it('should return false for falsy values', async () => {
|
||||
expect(await isActionDomainAllowed()).toBe(false);
|
||||
expect(await isActionDomainAllowed(null)).toBe(false);
|
||||
expect(await isActionDomainAllowed('')).toBe(false);
|
||||
expect(await isActionDomainAllowed(undefined)).toBe(false);
|
||||
});
|
||||
|
||||
it('should return false for non-string inputs', async () => {
|
||||
expect(await isActionDomainAllowed(123)).toBe(false);
|
||||
expect(await isActionDomainAllowed({})).toBe(false);
|
||||
expect(await isActionDomainAllowed([])).toBe(false);
|
||||
});
|
||||
|
||||
it('should return false for invalid domain formats', async () => {
|
||||
getAppConfig.mockResolvedValue({
|
||||
actions: { allowedDomains: ['http://', 'https://'] },
|
||||
});
|
||||
expect(await isActionDomainAllowed('http://', ['http://', 'https://'])).toBe(false);
|
||||
expect(await isActionDomainAllowed('https://', ['http://', 'https://'])).toBe(false);
|
||||
});
|
||||
});
|
||||
|
||||
// Configuration Tests
|
||||
describe('configuration handling', () => {
|
||||
it('should return true if customConfig is null', async () => {
|
||||
getAppConfig.mockResolvedValue(null);
|
||||
expect(await isActionDomainAllowed('example.com', null)).toBe(true);
|
||||
});
|
||||
|
||||
it('should return true if actions.allowedDomains is not defined', async () => {
|
||||
getAppConfig.mockResolvedValue({});
|
||||
expect(await isActionDomainAllowed('example.com', undefined)).toBe(true);
|
||||
});
|
||||
|
||||
it('should return true if allowedDomains is empty array', async () => {
|
||||
getAppConfig.mockResolvedValue({
|
||||
actions: { allowedDomains: [] },
|
||||
});
|
||||
expect(await isActionDomainAllowed('example.com', [])).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
// Domain Matching Tests
|
||||
describe('domain matching', () => {
|
||||
const allowedDomains = [
|
||||
'example.com',
|
||||
'*.subdomain.com',
|
||||
'specific.domain.com',
|
||||
'www.withprefix.com',
|
||||
'swapi.dev',
|
||||
];
|
||||
|
||||
beforeEach(() => {
|
||||
getAppConfig.mockResolvedValue({
|
||||
actions: {
|
||||
allowedDomains,
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
it('should match exact domains', async () => {
|
||||
expect(await isActionDomainAllowed('example.com', allowedDomains)).toBe(true);
|
||||
expect(await isActionDomainAllowed('other.com', allowedDomains)).toBe(false);
|
||||
expect(await isActionDomainAllowed('swapi.dev', allowedDomains)).toBe(true);
|
||||
});
|
||||
|
||||
it('should handle domains with www prefix', async () => {
|
||||
expect(await isActionDomainAllowed('www.example.com', allowedDomains)).toBe(true);
|
||||
expect(await isActionDomainAllowed('www.withprefix.com', allowedDomains)).toBe(true);
|
||||
});
|
||||
|
||||
it('should handle full URLs', async () => {
|
||||
expect(await isActionDomainAllowed('https://example.com', allowedDomains)).toBe(true);
|
||||
expect(await isActionDomainAllowed('http://example.com', allowedDomains)).toBe(true);
|
||||
expect(await isActionDomainAllowed('https://example.com/path', allowedDomains)).toBe(true);
|
||||
});
|
||||
|
||||
it('should handle wildcard subdomains', async () => {
|
||||
expect(await isActionDomainAllowed('test.subdomain.com', allowedDomains)).toBe(true);
|
||||
expect(await isActionDomainAllowed('any.subdomain.com', allowedDomains)).toBe(true);
|
||||
expect(await isActionDomainAllowed('subdomain.com', allowedDomains)).toBe(true);
|
||||
});
|
||||
|
||||
it('should handle specific subdomains', async () => {
|
||||
expect(await isActionDomainAllowed('specific.domain.com', allowedDomains)).toBe(true);
|
||||
expect(await isActionDomainAllowed('other.domain.com', allowedDomains)).toBe(false);
|
||||
});
|
||||
});
|
||||
|
||||
// Edge Cases
|
||||
describe('edge cases', () => {
|
||||
const edgeAllowedDomains = ['example.com', '*.test.com'];
|
||||
|
||||
beforeEach(() => {
|
||||
getAppConfig.mockResolvedValue({
|
||||
actions: {
|
||||
allowedDomains: edgeAllowedDomains,
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
it('should handle domains with query parameters', async () => {
|
||||
expect(await isActionDomainAllowed('example.com?param=value', edgeAllowedDomains)).toBe(true);
|
||||
});
|
||||
|
||||
it('should handle domains with ports', async () => {
|
||||
expect(await isActionDomainAllowed('example.com:8080', edgeAllowedDomains)).toBe(true);
|
||||
});
|
||||
|
||||
it('should handle domains with trailing slashes', async () => {
|
||||
expect(await isActionDomainAllowed('example.com/', edgeAllowedDomains)).toBe(true);
|
||||
});
|
||||
|
||||
it('should handle case insensitivity', async () => {
|
||||
expect(await isActionDomainAllowed('EXAMPLE.COM', edgeAllowedDomains)).toBe(true);
|
||||
expect(await isActionDomainAllowed('Example.Com', edgeAllowedDomains)).toBe(true);
|
||||
});
|
||||
|
||||
it('should handle invalid entries in allowedDomains', async () => {
|
||||
const invalidAllowedDomains = ['example.com', null, undefined, '', 'test.com'];
|
||||
getAppConfig.mockResolvedValue({
|
||||
actions: {
|
||||
allowedDomains: invalidAllowedDomains,
|
||||
},
|
||||
});
|
||||
expect(await isActionDomainAllowed('example.com', invalidAllowedDomains)).toBe(true);
|
||||
expect(await isActionDomainAllowed('test.com', invalidAllowedDomains)).toBe(true);
|
||||
});
|
||||
});
|
||||
});
|
||||
Loading…
Add table
Add a link
Reference in a new issue