✨feat: OAuth for Actions (#5693)

* ✨feat: OAuth for Actions * WIP: PoC flow state manager * refactor: Add identifier field to token model from action schema * chore: fix potential file type issues * ci: fix type issue with action metadata auth * fix: ensure FlowManagerOptions has a default ttl value * WIP: OAUTH actions * WIP: first pass OAuth Action * fix: standardize identifier usage in OAuth flow handling * fix: update token retrieval to include userId in query and use correct identifier * refacotr: update token retrieval to use userId for OAuth token query * feat: Tool Call Auth styling * fix: streamline token creation and add type field to token schema * refactor: cleanup OAuth flow by encrypting client credentials and ensuring oauth operations only run under condition * refactor: use encrypted credentials in OAuth callback * fix: update Token collection indexes to use expiresAt TTL index and not createdAt legacy index * refactor: enhance Token index cleanup by improving logging and removing redundant index creation logic * refactor: remove unused OAuth login route and related logic for improved clarity * refactor: replace fetch with axios for OAuth token exchange and improve error handling * refactor: better UX after authentication before oauth tool execution * refactor: implement cleanup handlers for FlowStateManager intervals to enhance resource management * refactor: encrypt OAuth tokens before storing and decrypt upon retrieval for enhanced security * refactor: enhance authentication success page with improved styling and countdown feature * refactor: add response_type parameter to OAuth redirect URI for improved compatibility * chore: update translation.json new localizations * chore: remove unused OGDialog import from OGDialogTemplate component * refactor: Actions Auth using new Dialog styling, use same component with Agents/Assistants * refactor: update removeNullishValues function to support removal of empty strings and adjust transform usage in schemas * chore: bump version of librechat-data-provider to 0.7.6991 * refactor: integrate removeNullishValues function to clean metadata before encryption in agent and assistant routes * refactor: update OAuth input fields to use 'password' type for better security * refactor: update localization placeholders for sign-in message to use double curly braces * refactor: add access_type parameter for offline access in createActionTool function * refactor: implement handleOAuthToken function for token management and encryption * feat: refresh token support * refactor: add default expiration for access token and error handling for missing token * feat: localizations for ActionAuth * refactor: set refresh token expiration to null to not expire if expiry never given * fix: prevent crash fromerror within async handleAbortError in AskController, EditController, and AgentController * feat: Action Callback URL * 🌍 i18n: Update translation.json with latest translations * refactor: handle errors in flow state checking to prevent unhandled promise rejections * fix: improve flow state concurrency to prevent multiple token creation calls * refactor: RequestExecutor to use separate axios instance * refactor: improve concurrency flows by keeping completed state until TTL expiry * refactor: increase TTL for flow state management and adjust monitoring interval * ci: mock axios instance creation in actions spec * feat: add Babel and Jest configuration files; implement FlowStateManager tests with concurrency handling * chore: add disableOAuth prop to ActionsAuth (not implemented for Assistants yet) --------- Co-authored-by: Danny Avila <danny@librechat.ai> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-12-17 08:50:15 +01:00 · 2025-02-10 21:56:08 +01:00 · 2025-02-10 21:56:08 +01:00 · d99a9db3f6
commit d99a9db3f6
parent 71c30a3640
58 changed files with 2146 additions and 1223 deletions
--- a/api/models/Token.js
+++ b/api/models/Token.js
@ -1,5 +1,6 @@
-const tokenSchema = require('./schema/tokenSchema');
 const mongoose = require('mongoose');
+const { encryptV2 } = require('~/server/utils/crypto');
+const tokenSchema = require('./schema/tokenSchema');
 const { logger } = require('~/config');

 /**
@ -7,6 +8,32 @@ const { logger } = require('~/config');
 * @type {mongoose.Model}
 */
 const Token = mongoose.model('Token', tokenSchema);
+/**
+ * Fixes the indexes for the Token collection from legacy TTL indexes to the new expiresAt index.
+ */
+async function fixIndexes() {
+  try {
+    const indexes = await Token.collection.indexes();
+    logger.debug('Existing Token Indexes:', JSON.stringify(indexes, null, 2));
+    const unwantedTTLIndexes = indexes.filter(
+      (index) => index.key.createdAt === 1 && index.expireAfterSeconds !== undefined,
+    );
+    if (unwantedTTLIndexes.length === 0) {
+      logger.debug('No unwanted Token indexes found.');
+      return;
+    }
+    for (const index of unwantedTTLIndexes) {
+      logger.debug(`Dropping unwanted Token index: ${index.name}`);
+      await Token.collection.dropIndex(index.name);
+      logger.debug(`Dropped Token index: ${index.name}`);
+    }
+    logger.debug('Token index cleanup completed successfully.');
+  } catch (error) {
+    logger.error('An error occurred while fixing Token indexes:', error);
+  }
+}
+
+fixIndexes();

 /**
 * Creates a new Token instance.
@ -29,8 +56,7 @@ async function createToken(tokenData) {
      expiresAt,
    };

-    const newToken = new Token(newTokenData);
-    return await newToken.save();
+    return await Token.create(newTokenData);
  } catch (error) {
    logger.debug('An error occurred while creating token:', error);
    throw error;
@ -42,7 +68,8 @@ async function createToken(tokenData) {
 * @param {Object} query - The query to match against.
 * @param {mongoose.Types.ObjectId|String} query.userId - The ID of the user.
 * @param {String} query.token - The token value.
- * @param {String} query.email - The email of the user.
+ * @param {String} [query.email] - The email of the user.
+ * @param {String} [query.identifier] - Unique, alternative identifier for the token.
 * @returns {Promise<Object|null>} The matched Token document, or null if not found.
 * @throws Will throw an error if the find operation fails.
 */
@ -59,6 +86,9 @@ async function findToken(query) {
    if (query.email) {
      conditions.push({ email: query.email });
    }
+    if (query.identifier) {
+      conditions.push({ identifier: query.identifier });
+    }

    const token = await Token.findOne({
      $and: conditions,
@ -76,6 +106,8 @@ async function findToken(query) {
 * @param {Object} query - The query to match against.
 * @param {mongoose.Types.ObjectId|String} query.userId - The ID of the user.
 * @param {String} query.token - The token value.
+ * @param {String} [query.email] - The email of the user.
+ * @param {String} [query.identifier] - Unique, alternative identifier for the token.
 * @param {Object} updateData - The data to update the Token with.
 * @returns {Promise<mongoose.Document|null>} The updated Token document, or null if not found.
 * @throws Will throw an error if the update operation fails.
@ -94,14 +126,20 @@ async function updateToken(query, updateData) {
 * @param {Object} query - The query to match against.
 * @param {mongoose.Types.ObjectId|String} query.userId - The ID of the user.
 * @param {String} query.token - The token value.
- * @param {String} query.email - The email of the user.
+ * @param {String} [query.email] - The email of the user.
+ * @param {String} [query.identifier] - Unique, alternative identifier for the token.
 * @returns {Promise<Object>} The result of the delete operation.
 * @throws Will throw an error if the delete operation fails.
 */
 async function deleteTokens(query) {
  try {
    return await Token.deleteMany({
-      $or: [{ userId: query.userId }, { token: query.token }, { email: query.email }],
+      $or: [
+        { userId: query.userId },
+        { token: query.token },
+        { email: query.email },
+        { identifier: query.identifier },
+      ],
    });
  } catch (error) {
    logger.debug('An error occurred while deleting tokens:', error);
@ -109,9 +147,46 @@ async function deleteTokens(query) {
  }
 }

+/**
+ * Handles the OAuth token by creating or updating the token.
+ * @param {object} fields
+ * @param {string} fields.userId - The user's ID.
+ * @param {string} fields.token - The full token to store.
+ * @param {string} fields.identifier - Unique, alternative identifier for the token.
+ * @param {number} fields.expiresIn - The number of seconds until the token expires.
+ * @param {object} fields.metadata - Additional metadata to store with the token.
+ * @param {string} [fields.type="oauth"] - The type of token. Default is 'oauth'.
+ */
+async function handleOAuthToken({
+  token,
+  userId,
+  identifier,
+  expiresIn,
+  metadata,
+  type = 'oauth',
+}) {
+  const encrypedToken = await encryptV2(token);
+  const tokenData = {
+    type,
+    userId,
+    metadata,
+    identifier,
+    token: encrypedToken,
+    expiresIn: parseInt(expiresIn, 10) || 3600,
+  };
+
+  const existingToken = await findToken({ userId, identifier });
+  if (existingToken) {
+    return await updateToken({ identifier }, tokenData);
+  } else {
+    return await createToken(tokenData);
+  }
+}
+
 module.exports = {
-  createToken,
  findToken,
+  createToken,
  updateToken,
  deleteTokens,
+  handleOAuthToken,
 };