📧 feat: email verification (#2344)

* feat: verification email

* chore: email verification invalid; localize: update

* fix: redirect to login when signup: fix: save emailVerified correctly

* docs: update ALLOW_UNVERIFIED_EMAIL_LOGIN; fix: don't accept login only when ALLOW_UNVERIFIED_EMAIL_LOGIN = true

* fix: user needs to be authenticated

* style: update

* fix: registration success message and redirect logic

* refactor: use `isEnabled` in ALLOW_UNVERIFIED_EMAIL_LOGIN

* refactor: move checkEmailConfig to server/utils

* refactor: use req as param for verifyEmail function

* chore: jsdoc

* chore: remove console log

* refactor: rename `createNewUser` to `createSocialUser`

* refactor: update typing and add expiresAt field to userSchema

* refactor: begin use of user methods over direct model access for User

* refactor: initial email verification rewrite

* chore: typing

* refactor: registration flow rewrite

* chore: remove help center text

* refactor: update getUser to getUserById and add findUser methods. general fixes from recent changes

* refactor: Update updateUser method to remove expiresAt field and use $set and $unset operations, createUser now returns Id only

* refactor: Update openidStrategy to use optional chaining for avatar check, move saveBuffer init to buffer condition

* refactor: logout on deleteUser mutatation

* refactor: Update openidStrategy login success message format

* refactor: Add emailVerified field to Discord and Facebook profile details

* refactor: move limiters to separate middleware dir

* refactor: Add limiters for email verification and password reset

* refactor: Remove getUserController and update routes and controllers accordingly

* refactor: Update getUserById method to exclude password and version fields

* refactor: move verification to user route, add resend verification option

* refactor: Improve email verification process and resend option

* refactor: remove more direct model access of User and remove unused code

* refactor: replace user authentication methods and token generation

* fix: add user.id to jwt user

* refactor: Update AuthContext to include setError function, add resend link to Login Form, make registration redirect shorter

* fix(updateUserPluginsService): ensure userPlugins variable is defined

* refactor: Delete all shared links for a specific user

* fix: remove use of direct User.save() in handleExistingUser

* fix(importLibreChatConvo): handle missing createdAt field in messages

---------

Co-authored-by: Danny Avila <danny@librechat.ai>

api/server/middleware/checkBan.js

@@ -1,11 +1,11 @@
 const Keyv = require('keyv');
 const uap = require('ua-parser-js');
 const { ViolationTypes } = require('librechat-data-provider');
-const { isEnabled, removePorts } = require('../utils');
+const { isEnabled, removePorts } = require('~/server/utils');
 const keyvMongo = require('~/cache/keyvMongo');
 const denyRequest = require('./denyRequest');
 const { getLogStores } = require('~/cache');
-const User = require('~/models/User');
+const { findUser } = require('~/models');
 
 const banCache = new Keyv({ store: keyvMongo, namespace: ViolationTypes.BAN, ttl: 0 });
 const message = 'Your account has been temporarily banned due to violations of our service.';
@@ -55,7 +55,7 @@ const checkBan = async (req, res, next = () => {}) => {
   let userId = req.user?.id ?? req.user?._id ?? null;
 
   if (!userId && req?.body?.email) {
-    const user = await User.findOne({ email: req.body.email }, '_id').lean();
+    const user = await findUser({ email: req.body.email }, '_id');
     userId = user?._id ? user._id.toString() : userId;
   }
 

api/server/middleware/index.js

@@ -1,51 +1,43 @@
-const abortMiddleware = require('./abortMiddleware');
-const checkBan = require('./checkBan');
-const checkDomainAllowed = require('./checkDomainAllowed');
-const uaParser = require('./uaParser');
-const setHeaders = require('./setHeaders');
-const loginLimiter = require('./loginLimiter');
-const validateModel = require('./validateModel');
-const requireJwtAuth = require('./requireJwtAuth');
-const requireLdapAuth = require('./requireLdapAuth');
-const uploadLimiters = require('./uploadLimiters');
-const registerLimiter = require('./registerLimiter');
-const messageLimiters = require('./messageLimiters');
-const requireLocalAuth = require('./requireLocalAuth');
-const validateEndpoint = require('./validateEndpoint');
-const concurrentLimiter = require('./concurrentLimiter');
-const validateMessageReq = require('./validateMessageReq');
-const buildEndpointOption = require('./buildEndpointOption');
+const validatePasswordReset = require('./validatePasswordReset');
 const validateRegistration = require('./validateRegistration');
 const validateImageRequest = require('./validateImageRequest');
-const validatePasswordReset = require('./validatePasswordReset');
-const moderateText = require('./moderateText');
-const noIndex = require('./noIndex');
-const importLimiters = require('./importLimiters');
+const buildEndpointOption = require('./buildEndpointOption');
+const validateMessageReq = require('./validateMessageReq');
+const checkDomainAllowed = require('./checkDomainAllowed');
+const concurrentLimiter = require('./concurrentLimiter');
+const validateEndpoint = require('./validateEndpoint');
+const requireLocalAuth = require('./requireLocalAuth');
 const canDeleteAccount = require('./canDeleteAccount');
+const requireLdapAuth = require('./requireLdapAuth');
+const abortMiddleware = require('./abortMiddleware');
+const requireJwtAuth = require('./requireJwtAuth');
+const validateModel = require('./validateModel');
+const moderateText = require('./moderateText');
+const setHeaders = require('./setHeaders');
+const limiters = require('./limiters');
+const uaParser = require('./uaParser');
+const checkBan = require('./checkBan');
+const noIndex = require('./noIndex');
 
 module.exports = {
-  ...uploadLimiters,
   ...abortMiddleware,
-  ...messageLimiters,
+  ...limiters,
+  noIndex,
   checkBan,
   uaParser,
   setHeaders,
-  loginLimiter,
+  moderateText,
+  validateModel,
   requireJwtAuth,
   requireLdapAuth,
-  registerLimiter,
   requireLocalAuth,
+  canDeleteAccount,
   validateEndpoint,
   concurrentLimiter,
+  checkDomainAllowed,
   validateMessageReq,
   buildEndpointOption,
   validateRegistration,
   validateImageRequest,
   validatePasswordReset,
-  validateModel,
-  moderateText,
-  noIndex,
-  ...importLimiters,
-  checkDomainAllowed,
-  canDeleteAccount,
 };

api/server/middleware/limiters/index.js

@@ -0,0 +1,22 @@
+const createTTSLimiters = require('./ttsLimiters');
+const createSTTLimiters = require('./sttLimiters');
+
+const loginLimiter = require('./loginLimiter');
+const importLimiters = require('./importLimiters');
+const uploadLimiters = require('./uploadLimiters');
+const registerLimiter = require('./registerLimiter');
+const messageLimiters = require('./messageLimiters');
+const verifyEmailLimiter = require('./verifyEmailLimiter');
+const resetPasswordLimiter = require('./resetPasswordLimiter');
+
+module.exports = {
+  ...uploadLimiters,
+  ...importLimiters,
+  ...messageLimiters,
+  loginLimiter,
+  registerLimiter,
+  createTTSLimiters,
+  createSTTLimiters,
+  verifyEmailLimiter,
+  resetPasswordLimiter,
+};

api/server/middleware/limiters/loginLimiter.js

@@ -1,6 +1,6 @@
 const rateLimit = require('express-rate-limit');
-const { logViolation } = require('../../cache');
-const { removePorts } = require('../utils');
+const { removePorts } = require('~/server/utils');
+const { logViolation } = require('~/cache');
 
 const { LOGIN_WINDOW = 5, LOGIN_MAX = 7, LOGIN_VIOLATION_SCORE: score } = process.env;
 const windowMs = LOGIN_WINDOW * 60 * 1000;

api/server/middleware/limiters/messageLimiters.js

@@ -1,6 +1,6 @@
 const rateLimit = require('express-rate-limit');
-const { logViolation } = require('../../cache');
-const denyRequest = require('./denyRequest');
+const denyRequest = require('~/server/middleware/denyRequest');
+const { logViolation } = require('~/cache');
 
 const {
   MESSAGE_IP_MAX = 40,

api/server/middleware/limiters/registerLimiter.js

@@ -1,6 +1,6 @@
 const rateLimit = require('express-rate-limit');
-const { logViolation } = require('../../cache');
-const { removePorts } = require('../utils');
+const { removePorts } = require('~/server/utils');
+const { logViolation } = require('~/cache');
 
 const { REGISTER_WINDOW = 60, REGISTER_MAX = 5, REGISTRATION_VIOLATION_SCORE: score } = process.env;
 const windowMs = REGISTER_WINDOW * 60 * 1000;

api/server/middleware/limiters/resetPasswordLimiter.js

@@ -0,0 +1,35 @@
+const rateLimit = require('express-rate-limit');
+const { ViolationTypes } = require('librechat-data-provider');
+const { removePorts } = require('~/server/utils');
+const { logViolation } = require('~/cache');
+
+const {
+  RESET_PASSWORD_WINDOW = 2,
+  RESET_PASSWORD_MAX = 2,
+  RESET_PASSWORD_VIOLATION_SCORE: score,
+} = process.env;
+const windowMs = RESET_PASSWORD_WINDOW * 60 * 1000;
+const max = RESET_PASSWORD_MAX;
+const windowInMinutes = windowMs / 60000;
+const message = `Too many attempts, please try again after ${windowInMinutes} minute(s)`;
+
+const handler = async (req, res) => {
+  const type = ViolationTypes.RESET_PASSWORD_LIMIT;
+  const errorMessage = {
+    type,
+    max,
+    windowInMinutes,
+  };
+
+  await logViolation(req, res, type, errorMessage, score);
+  return res.status(429).json({ message });
+};
+
+const resetPasswordLimiter = rateLimit({
+  windowMs,
+  max,
+  handler,
+  keyGenerator: removePorts,
+});
+
+module.exports = resetPasswordLimiter;

api/server/middleware/limiters/verifyEmailLimiter.js

@@ -0,0 +1,35 @@
+const rateLimit = require('express-rate-limit');
+const { ViolationTypes } = require('librechat-data-provider');
+const { removePorts } = require('~/server/utils');
+const { logViolation } = require('~/cache');
+
+const {
+  VERIFY_EMAIL_WINDOW = 2,
+  VERIFY_EMAIL_MAX = 2,
+  VERIFY_EMAIL_VIOLATION_SCORE: score,
+} = process.env;
+const windowMs = VERIFY_EMAIL_WINDOW * 60 * 1000;
+const max = VERIFY_EMAIL_MAX;
+const windowInMinutes = windowMs / 60000;
+const message = `Too many attempts, please try again after ${windowInMinutes} minute(s)`;
+
+const handler = async (req, res) => {
+  const type = ViolationTypes.VERIFY_EMAIL_LIMIT;
+  const errorMessage = {
+    type,
+    max,
+    windowInMinutes,
+  };
+
+  await logViolation(req, res, type, errorMessage, score);
+  return res.status(429).json({ message });
+};
+
+const verifyEmailLimiter = rateLimit({
+  windowMs,
+  max,
+  handler,
+  keyGenerator: removePorts,
+});
+
+module.exports = verifyEmailLimiter;

api/server/middleware/requireLocalAuth.js

@@ -21,7 +21,13 @@ const requireLocalAuth = (req, res, next) => {
       log({
         title: '(requireLocalAuth) Error: No user',
       });
-      return res.status(422).send(info);
+      return res.status(404).send(info);
+    }
+    if (info && info.message) {
+      log({
+        title: '(requireLocalAuth) Error: ' + info.message,
+      });
+      return res.status(422).send({ message: info.message });
     }
     req.user = user;
     next();

api/server/middleware/speech/index.js

@@ -1,7 +0,0 @@
-const createTTSLimiters = require('./ttsLimiters');
-const createSTTLimiters = require('./sttLimiters');
-
-module.exports = {
-  createTTSLimiters,
-  createSTTLimiters,
-};