📧 feat: email verification (#2344)

* feat: verification email

* chore: email verification invalid; localize: update

* fix: redirect to login when signup: fix: save emailVerified correctly

* docs: update ALLOW_UNVERIFIED_EMAIL_LOGIN; fix: don't accept login only when ALLOW_UNVERIFIED_EMAIL_LOGIN = true

* fix: user needs to be authenticated

* style: update

* fix: registration success message and redirect logic

* refactor: use `isEnabled` in ALLOW_UNVERIFIED_EMAIL_LOGIN

* refactor: move checkEmailConfig to server/utils

* refactor: use req as param for verifyEmail function

* chore: jsdoc

* chore: remove console log

* refactor: rename `createNewUser` to `createSocialUser`

* refactor: update typing and add expiresAt field to userSchema

* refactor: begin use of user methods over direct model access for User

* refactor: initial email verification rewrite

* chore: typing

* refactor: registration flow rewrite

* chore: remove help center text

* refactor: update getUser to getUserById and add findUser methods. general fixes from recent changes

* refactor: Update updateUser method to remove expiresAt field and use $set and $unset operations, createUser now returns Id only

* refactor: Update openidStrategy to use optional chaining for avatar check, move saveBuffer init to buffer condition

* refactor: logout on deleteUser mutatation

* refactor: Update openidStrategy login success message format

* refactor: Add emailVerified field to Discord and Facebook profile details

* refactor: move limiters to separate middleware dir

* refactor: Add limiters for email verification and password reset

* refactor: Remove getUserController and update routes and controllers accordingly

* refactor: Update getUserById method to exclude password and version fields

* refactor: move verification to user route, add resend verification option

* refactor: Improve email verification process and resend option

* refactor: remove more direct model access of User and remove unused code

* refactor: replace user authentication methods and token generation

* fix: add user.id to jwt user

* refactor: Update AuthContext to include setError function, add resend link to Login Form, make registration redirect shorter

* fix(updateUserPluginsService): ensure userPlugins variable is defined

* refactor: Delete all shared links for a specific user

* fix: remove use of direct User.save() in handleExistingUser

* fix(importLibreChatConvo): handle missing createdAt field in messages

---------

Co-authored-by: Danny Avila <danny@librechat.ai>

api/models/Share.js

@@ -86,4 +86,21 @@ module.exports = {
     }
     return await SharedLink.findOneAndDelete({ shareId, user });
   },
+  /**
+   * Deletes all shared links for a specific user.
+   * @param {string} user - The user ID.
+   * @returns {Promise<{ message: string, deletedCount?: number }>} A result object indicating success or error message.
+   */
+  deleteAllSharedLinks: async (user) => {
+    try {
+      const result = await SharedLink.deleteMany({ user });
+      return {
+        message: 'All shared links have been deleted successfully',
+        deletedCount: result.deletedCount,
+      };
+    } catch (error) {
+      logger.error('[deleteAllSharedLinks] Error deleting shared links', error);
+      return { message: 'Error deleting shared links' };
+    }
+  },
 };

api/models/User.js

@@ -1,61 +1,5 @@
 const mongoose = require('mongoose');
-const bcrypt = require('bcryptjs');
-const signPayload = require('../server/services/signPayload');
-const userSchema = require('./schema/userSchema.js');
-const { SESSION_EXPIRY } = process.env ?? {};
-const expires = eval(SESSION_EXPIRY) ?? 1000 * 60 * 15;
-
-userSchema.methods.toJSON = function () {
-  return {
-    id: this._id,
-    provider: this.provider,
-    email: this.email,
-    name: this.name,
-    username: this.username,
-    avatar: this.avatar,
-    role: this.role,
-    emailVerified: this.emailVerified,
-    plugins: this.plugins,
-    createdAt: this.createdAt,
-    updatedAt: this.updatedAt,
-  };
-};
-
-userSchema.methods.generateToken = async function () {
-  return await signPayload({
-    payload: {
-      id: this._id,
-      username: this.username,
-      provider: this.provider,
-      email: this.email,
-    },
-    secret: process.env.JWT_SECRET,
-    expirationTime: expires / 1000,
-  });
-};
-
-userSchema.methods.comparePassword = function (candidatePassword, callback) {
-  bcrypt.compare(candidatePassword, this.password, (err, isMatch) => {
-    if (err) {
-      return callback(err);
-    }
-    callback(null, isMatch);
-  });
-};
-
-module.exports.hashPassword = async (password) => {
-  const hashedPassword = await new Promise((resolve, reject) => {
-    bcrypt.hash(password, 10, function (err, hash) {
-      if (err) {
-        reject(err);
-      } else {
-        resolve(hash);
-      }
-    });
-  });
-
-  return hashedPassword;
-};
+const userSchema = require('~/models/schema/userSchema');
 
 const User = mongoose.model('User', userSchema);
 

api/models/index.js

@@ -6,9 +6,18 @@ const {
   deleteMessagesSince,
   deleteMessages,
 } = require('./Message');
+const {
+  comparePassword,
+  deleteUserById,
+  generateToken,
+  getUserById,
+  updateUser,
+  createUser,
+  countUsers,
+  findUser,
+} = require('./userMethods');
 const { getConvoTitle, getConvo, saveConvo, deleteConvos } = require('./Conversation');
 const { getPreset, getPresets, savePreset, deletePresets } = require('./Preset');
-const { hashPassword, getUser, updateUser } = require('./userMethods');
 const {
   findFileById,
   createFile,
@@ -29,9 +38,14 @@ module.exports = {
   Session,
   Balance,
 
-  hashPassword,
+  comparePassword,
+  deleteUserById,
+  generateToken,
+  getUserById,
+  countUsers,
+  createUser,
   updateUser,
-  getUser,
+  findUser,
 
   getMessages,
   saveMessage,

api/models/schema/fileSchema.js

@@ -3,9 +3,9 @@ const mongoose = require('mongoose');
 
 /**
  * @typedef {Object} MongoFile
- * @property {mongoose.Schema.Types.ObjectId} [_id] - MongoDB Document ID
+ * @property {ObjectId} [_id] - MongoDB Document ID
  * @property {number} [__v] - MongoDB Version Key
- * @property {mongoose.Schema.Types.ObjectId} user - User ID
+ * @property {ObjectId} user - User ID
  * @property {string} [conversationId] - Optional conversation ID
  * @property {string} file_id - File identifier
  * @property {string} [temp_file_id] - Temporary File identifier
@@ -14,17 +14,19 @@ const mongoose = require('mongoose');
  * @property {string} filepath - Location of the file
  * @property {'file'} object - Type of object, always 'file'
  * @property {string} type - Type of file
- * @property {number} usage - Number of uses of the file
+ * @property {number} [usage=0] - Number of uses of the file
  * @property {string} [context] - Context of the file origin
- * @property {boolean} [embedded] - Whether or not the file is embedded in vector db
+ * @property {boolean} [embedded=false] - Whether or not the file is embedded in vector db
  * @property {string} [model] - The model to identify the group region of the file (for Azure OpenAI hosting)
- * @property {string} [source] - The source of the file
+ * @property {string} [source] - The source of the file (e.g., from FileSources)
  * @property {number} [width] - Optional width of the file
  * @property {number} [height] - Optional height of the file
- * @property {Date} [expiresAt] - Optional height of the file
+ * @property {Date} [expiresAt] - Optional expiration date of the file
  * @property {Date} [createdAt] - Date when the file was created
  * @property {Date} [updatedAt] - Date when the file was updated
  */
+
+/** @type {MongooseSchema<MongoFile>} */
 const fileSchema = mongoose.Schema(
   {
     user: {
@@ -91,7 +93,7 @@ const fileSchema = mongoose.Schema(
     height: Number,
     expiresAt: {
       type: Date,
-      expires: 3600,
+      expires: 3600, // 1 hour in seconds
     },
   },
   {

api/models/schema/tokenSchema.js

@@ -7,6 +7,9 @@ const tokenSchema = new Schema({
     required: true,
     ref: 'user',
   },
+  email: {
+    type: String,
+  },
   token: {
     type: String,
     required: true,

api/models/schema/userSchema.js

@@ -1,5 +1,35 @@
 const mongoose = require('mongoose');
 
+/**
+ * @typedef {Object} MongoSession
+ * @property {string} [refreshToken] - The refresh token
+ */
+
+/**
+ * @typedef {Object} MongoUser
+ * @property {ObjectId} [_id] - MongoDB Document ID
+ * @property {string} [name] - The user's name
+ * @property {string} [username] - The user's username, in lowercase
+ * @property {string} email - The user's email address
+ * @property {boolean} emailVerified - Whether the user's email is verified
+ * @property {string} [password] - The user's password, trimmed with 8-128 characters
+ * @property {string} [avatar] - The URL of the user's avatar
+ * @property {string} provider - The provider of the user's account (e.g., 'local', 'google')
+ * @property {string} [role='USER'] - The role of the user
+ * @property {string} [googleId] - Optional Google ID for the user
+ * @property {string} [facebookId] - Optional Facebook ID for the user
+ * @property {string} [openidId] - Optional OpenID ID for the user
+ * @property {string} [ldapId] - Optional LDAP ID for the user
+ * @property {string} [githubId] - Optional GitHub ID for the user
+ * @property {string} [discordId] - Optional Discord ID for the user
+ * @property {Array} [plugins=[]] - List of plugins used by the user
+ * @property {Array.<MongoSession>} [refreshToken] - List of sessions with refresh tokens
+ * @property {Date} [expiresAt] - Optional expiration date of the file
+ * @property {Date} [createdAt] - Date when the user was created (added by timestamps)
+ * @property {Date} [updatedAt] - Date when the user was last updated (added by timestamps)
+ */
+
+/** @type {MongooseSchema<MongoSession>} */
 const Session = mongoose.Schema({
   refreshToken: {
     type: String,
@@ -7,6 +37,7 @@ const Session = mongoose.Schema({
   },
 });
 
+/** @type {MongooseSchema<MongoUser>} */
 const userSchema = mongoose.Schema(
   {
     name: {
@@ -86,6 +117,10 @@ const userSchema = mongoose.Schema(
     refreshToken: {
       type: [Session],
     },
+    expiresAt: {
+      type: Date,
+      expires: 604800, // 7 days in seconds
+    },
   },
   { timestamps: true },
 );

api/models/userMethods.js

@@ -1,28 +1,37 @@
 const bcrypt = require('bcryptjs');
+const signPayload = require('~/server/services/signPayload');
 const User = require('./User');
 
-const hashPassword = async (password) => {
-  const hashedPassword = await new Promise((resolve, reject) => {
-    bcrypt.hash(password, 10, function (err, hash) {
-      if (err) {
-        reject(err);
-      } else {
-        resolve(hash);
-      }
-    });
-  });
-
-  return hashedPassword;
-};
-
 /**
  * Retrieve a user by ID and convert the found user document to a plain object.
  *
  * @param {string} userId - The ID of the user to find and return as a plain object.
- * @returns {Promise<Object>} A plain object representing the user document, or `null` if no user is found.
+ * @param {string|string[]} [fieldsToSelect] - The fields to include or exclude in the returned document.
+ * @returns {Promise<MongoUser>} A plain object representing the user document, or `null` if no user is found.
  */
-const getUser = async function (userId) {
-  return await User.findById(userId).lean();
+const getUserById = async function (userId, fieldsToSelect = null) {
+  const query = User.findById(userId);
+
+  if (fieldsToSelect) {
+    query.select(fieldsToSelect);
+  }
+
+  return await query.lean();
+};
+
+/**
+ * Search for a single user based on partial data and return matching user document as plain object.
+ * @param {Partial<MongoUser>} searchCriteria - The partial data to use for searching the user.
+ * @param {string|string[]} [fieldsToSelect] - The fields to include or exclude in the returned document.
+ * @returns {Promise<MongoUser>} A plain object representing the user document, or `null` if no user is found.
+ */
+const findUser = async function (searchCriteria, fieldsToSelect = null) {
+  const query = User.findOne(searchCriteria);
+  if (fieldsToSelect) {
+    query.select(fieldsToSelect);
+  }
+
+  return await query.lean();
 };
 
 /**
@@ -30,17 +39,132 @@ const getUser = async function (userId) {
  *
  * @param {string} userId - The ID of the user to update.
  * @param {Object} updateData - An object containing the properties to update.
- * @returns {Promise<Object>} The updated user document as a plain object, or `null` if no user is found.
+ * @returns {Promise<MongoUser>} The updated user document as a plain object, or `null` if no user is found.
  */
 const updateUser = async function (userId, updateData) {
-  return await User.findByIdAndUpdate(userId, updateData, {
+  const updateOperation = {
+    $set: updateData,
+    $unset: { expiresAt: '' }, // Remove the expiresAt field to prevent TTL
+  };
+  return await User.findByIdAndUpdate(userId, updateOperation, {
     new: true,
     runValidators: true,
   }).lean();
 };
 
-module.exports = {
-  hashPassword,
-  updateUser,
-  getUser,
+/**
+ * Creates a new user, optionally with a TTL of 1 week.
+ * @param {MongoUser} data - The user data to be created, must contain user_id.
+ * @param {boolean} [disableTTL=true] - Whether to disable the TTL. Defaults to `true`.
+ * @returns {Promise<string>} A promise that resolves to the created user document ID.
+ * @throws {Error} If a user with the same user_id already exists.
+ */
+const createUser = async (data, disableTTL = true) => {
+  const userData = {
+    ...data,
+    expiresAt: new Date(Date.now() + 604800 * 1000), // 1 week in milliseconds
+  };
+
+  if (disableTTL) {
+    delete userData.expiresAt;
+  }
+
+  try {
+    const result = await User.collection.insertOne(userData);
+    return result.insertedId;
+  } catch (error) {
+    if (error.code === 11000) {
+      // Duplicate key error code
+      throw new Error(`User with \`_id\` ${data._id} already exists.`);
+    } else {
+      throw error;
+    }
+  }
+};
+
+/**
+ * Count the number of user documents in the collection based on the provided filter.
+ *
+ * @param {Object} [filter={}] - The filter to apply when counting the documents.
+ * @returns {Promise<number>} The count of documents that match the filter.
+ */
+const countUsers = async function (filter = {}) {
+  return await User.countDocuments(filter);
+};
+
+/**
+ * Delete a user by their unique ID.
+ *
+ * @param {string} userId - The ID of the user to delete.
+ * @returns {Promise<{ deletedCount: number }>} An object indicating the number of deleted documents.
+ */
+const deleteUserById = async function (userId) {
+  try {
+    const result = await User.deleteOne({ _id: userId });
+    if (result.deletedCount === 0) {
+      return { deletedCount: 0, message: 'No user found with that ID.' };
+    }
+    return { deletedCount: result.deletedCount, message: 'User was deleted successfully.' };
+  } catch (error) {
+    throw new Error('Error deleting user: ' + error.message);
+  }
+};
+
+const { SESSION_EXPIRY } = process.env ?? {};
+const expires = eval(SESSION_EXPIRY) ?? 1000 * 60 * 15;
+
+/**
+ * Generates a JWT token for a given user.
+ *
+ * @param {MongoUser} user - ID of the user for whom the token is being generated.
+ * @returns {Promise<string>} A promise that resolves to a JWT token.
+ */
+const generateToken = async (user) => {
+  if (!user) {
+    throw new Error('No user provided');
+  }
+
+  return await signPayload({
+    payload: {
+      id: user._id,
+      username: user.username,
+      provider: user.provider,
+      email: user.email,
+    },
+    secret: process.env.JWT_SECRET,
+    expirationTime: expires / 1000,
+  });
+};
+
+/**
+ * Compares the provided password with the user's password.
+ *
+ * @param {MongoUser} user - the user to compare password for.
+ * @param {string} candidatePassword - The password to test against the user's password.
+ * @returns {Promise<boolean>} A promise that resolves to a boolean indicating if the password matches.
+ */
+const comparePassword = async (user, candidatePassword) => {
+  if (!user) {
+    throw new Error('No user provided');
+  }
+
+  return new Promise((resolve, reject) => {
+    bcrypt.compare(candidatePassword, user.password, (err, isMatch) => {
+      if (err) {
+        reject(err);
+      }
+      resolve(isMatch);
+    });
+  });
+};
+
+module.exports = {
+  comparePassword,
+  deleteUserById,
+  generateToken,
+  getUserById,
+  countUsers,
+  createUser,
+  updateUser,
+  findUser,
 };