mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-24 04:10:15 +01:00
refactor: re-use logic for admin routes
parent
fbe0def2fa
commit
a1f9f3dd39
7 changed files with 47 additions and 203 deletions
|
|
@ -14,6 +14,7 @@ const requireLdapAuth = require('./requireLdapAuth');
|
|||
const abortMiddleware = require('./abortMiddleware');
|
||||
const checkInviteUser = require('./checkInviteUser');
|
||||
const requireJwtAuth = require('./requireJwtAuth');
|
||||
const requireAdmin = require('./requireAdmin');
|
||||
const configMiddleware = require('./config/app');
|
||||
const validateModel = require('./validateModel');
|
||||
const moderateText = require('./moderateText');
|
||||
|
|
@ -40,8 +41,7 @@ module.exports = {
|
|||
moderateText,
|
||||
validateModel,
|
||||
requireJwtAuth,
|
||||
requireAdminAuth,
|
||||
requireAdminJwtAuth,
|
||||
requireAdmin,
|
||||
checkInviteUser,
|
||||
requireLdapAuth,
|
||||
requireLocalAuth,
|
||||
|
|
|
|||
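--- a/api/server/middleware/requireAdmin.js
+++ b/api/server/middleware/requireAdmin.js
@@ -0,0 +1,22 @@
+const { SystemRoles } = require('librechat-data-provider');
+const { logger } = require('~/config');
+
+/**
+* Middleware to check if authenticated user has admin role
+* Should be used AFTER authentication middleware (requireJwtAuth, requireLocalAuth, etc.)
+*/
+const requireAdmin = (req, res, next) => {
+if (!req.user) {
+logger.warn('[requireAdmin] No user found in request');
+return res.status(401).json({ message: 'Authentication required' });
+}
+
+if (!req.user.role || req.user.role !== SystemRoles.ADMIN) {
+logger.debug('[requireAdmin] Access denied for non-admin user:', req.user.email);
+return res.status(403).json({ message: 'Access denied: Admin privileges required' });
+}
+
+next();
+};
+
+module.exports = requireAdmin;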
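Review bot: The 403 branch in `requireAdmin` logs at debug while the missing-user branch logs at warn, so an authenticated non-admin reaching an admin route is the quieter of the two events and will likely go unrecorded wherever debug output is off. For detection that denial is the more useful signal; I would raise it to `logger.warn('[requireAdmin] Access denied for non-admin user:', req.user.email);` and, if the user object carries a stable id, log that instead of the email address to keep personal data out of the logs. The `!req.user.role ||` half of the condition is redundant, since an absent role already fails `req.user.role !== SystemRoles.ADMIN`. The middleware fails closed with a 401 when no earlier middleware set `req.user`, which is the right default; whether `req.user.role` reflects the stored role or a token claim depends on the preceding strategy and is not visible here.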
@ -1,35 +0,0 @@
|
|||
const passport = require('passport');
|
||||
const { logger } = require('@librechat/data-schemas');
|
||||
const { SystemRoles } = require('librechat-data-provider');
|
||||
|
||||
/**
|
||||
* Middleware for admin authentication using local strategy
|
||||
* Validates credentials and ensures user has admin role
|
||||
*/
|
||||
const requireAdminAuth = (req, res, next) => {
|
||||
passport.authenticate('local', (err, user, info) => {
|
||||
if (err) {
|
||||
logger.error('[requireAdminAuth] Error at passport.authenticate:', err);
|
||||
return next(err);
|
||||
}
|
||||
if (!user) {
|
||||
logger.debug('[requireAdminAuth] Error: No user');
|
||||
return res.status(404).send(info);
|
||||
}
|
||||
if (info && info.message) {
|
||||
logger.debug('[requireAdminAuth] Error: ' + info.message);
|
||||
return res.status(422).send({ message: info.message });
|
||||
}
|
||||
|
||||
// Check if user has admin role
|
||||
if (!user.role || user.role !== SystemRoles.ADMIN) {
|
||||
logger.debug('[requireAdminAuth] Error: User is not an admin');
|
||||
return res.status(403).send({ message: 'Access denied: Admin privileges required' });
|
||||
}
|
||||
|
||||
req.user = user;
|
||||
next();
|
||||
})(req, res, next);
|
||||
};
|
||||
|
||||
module.exports = requireAdminAuth;
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
const cookies = require('cookie');
|
||||
const passport = require('passport');
|
||||
const { isEnabled } = require('@librechat/api');
|
||||
const { logger } = require('@librechat/data-schemas');
|
||||
const { SystemRoles } = require('librechat-data-provider');
|
||||
|
||||
/**
|
||||
* Custom Middleware to handle JWT authentication for admin endpoints
|
||||
* Validates JWT token and ensures user has admin role
|
||||
*/
|
||||
const requireAdminJwtAuth = (req, res, next) => {
|
||||
// Check if token provider is specified in cookies
|
||||
const cookieHeader = req.headers.cookie;
|
||||
const tokenProvider = cookieHeader ? cookies.parse(cookieHeader).token_provider : null;
|
||||
|
||||
// Use OpenID authentication if token provider is OpenID and OPENID_REUSE_TOKENS is enabled
|
||||
const authStrategy =
|
||||
tokenProvider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS) ? 'openidJwt' : 'jwt';
|
||||
|
||||
passport.authenticate(authStrategy, { session: false }, (err, user, _info) => {
|
||||
if (err) {
|
||||
logger.error('[requireAdminJwtAuth] Authentication error:', err);
|
||||
return res.status(500).json({ message: 'Authentication error' });
|
||||
}
|
||||
|
||||
if (!user) {
|
||||
logger.debug('[requireAdminJwtAuth] No user found');
|
||||
return res.status(401).json({ message: 'Unauthorized' });
|
||||
}
|
||||
|
||||
// Check if user has admin role
|
||||
if (!user.role || user.role !== SystemRoles.ADMIN) {
|
||||
logger.debug('[requireAdminJwtAuth] User is not an admin:', user.email);
|
||||
return res.status(403).json({ message: 'Access denied: Admin privileges required' });
|
||||
}
|
||||
|
||||
req.user = user;
|
||||
next();
|
||||
})(req, res, next);
|
||||
};
|
||||
|
||||
module.exports = requireAdminJwtAuth;
|
||||