📧 feat: email verification (#2344)

* feat: verification email * chore: email verification invalid; localize: update * fix: redirect to login when signup: fix: save emailVerified correctly * docs: update ALLOW_UNVERIFIED_EMAIL_LOGIN; fix: don't accept login only when ALLOW_UNVERIFIED_EMAIL_LOGIN = true * fix: user needs to be authenticated * style: update * fix: registration success message and redirect logic * refactor: use `isEnabled` in ALLOW_UNVERIFIED_EMAIL_LOGIN * refactor: move checkEmailConfig to server/utils * refactor: use req as param for verifyEmail function * chore: jsdoc * chore: remove console log * refactor: rename `createNewUser` to `createSocialUser` * refactor: update typing and add expiresAt field to userSchema * refactor: begin use of user methods over direct model access for User * refactor: initial email verification rewrite * chore: typing * refactor: registration flow rewrite * chore: remove help center text * refactor: update getUser to getUserById and add findUser methods. general fixes from recent changes * refactor: Update updateUser method to remove expiresAt field and use $set and $unset operations, createUser now returns Id only * refactor: Update openidStrategy to use optional chaining for avatar check, move saveBuffer init to buffer condition * refactor: logout on deleteUser mutatation * refactor: Update openidStrategy login success message format * refactor: Add emailVerified field to Discord and Facebook profile details * refactor: move limiters to separate middleware dir * refactor: Add limiters for email verification and password reset * refactor: Remove getUserController and update routes and controllers accordingly * refactor: Update getUserById method to exclude password and version fields * refactor: move verification to user route, add resend verification option * refactor: Improve email verification process and resend option * refactor: remove more direct model access of User and remove unused code * refactor: replace user authentication methods and token generation * fix: add user.id to jwt user * refactor: Update AuthContext to include setError function, add resend link to Login Form, make registration redirect shorter * fix(updateUserPluginsService): ensure userPlugins variable is defined * refactor: Delete all shared links for a specific user * fix: remove use of direct User.save() in handleExistingUser * fix(importLibreChatConvo): handle missing createdAt field in messages --------- Co-authored-by: Danny Avila <danny@librechat.ai>
2025-12-17 08:50:15 +01:00 · 2024-06-07 21:06:47 +02:00 · 2024-06-07 21:06:47 +02:00 · ee673d682e
commit ee673d682e
parent b7fef6958b
67 changed files with 1863 additions and 1117 deletions
--- a/api/server/middleware/limiters/messageLimiters.js
+++ b/api/server/middleware/limiters/messageLimiters.js
@ -0,0 +1,67 @@
+const rateLimit = require('express-rate-limit');
+const denyRequest = require('~/server/middleware/denyRequest');
+const { logViolation } = require('~/cache');
+
+const {
+  MESSAGE_IP_MAX = 40,
+  MESSAGE_IP_WINDOW = 1,
+  MESSAGE_USER_MAX = 40,
+  MESSAGE_USER_WINDOW = 1,
+} = process.env;
+
+const ipWindowMs = MESSAGE_IP_WINDOW * 60 * 1000;
+const ipMax = MESSAGE_IP_MAX;
+const ipWindowInMinutes = ipWindowMs / 60000;
+
+const userWindowMs = MESSAGE_USER_WINDOW * 60 * 1000;
+const userMax = MESSAGE_USER_MAX;
+const userWindowInMinutes = userWindowMs / 60000;
+
+/**
+ * Creates either an IP/User message request rate limiter for excessive requests
+ * that properly logs and denies the violation.
+ *
+ * @param {boolean} [ip=true] - Whether to create an IP limiter or a user limiter.
+ * @returns {function} A rate limiter function.
+ *
+ */
+const createHandler = (ip = true) => {
+  return async (req, res) => {
+    const type = 'message_limit';
+    const errorMessage = {
+      type,
+      max: ip ? ipMax : userMax,
+      limiter: ip ? 'ip' : 'user',
+      windowInMinutes: ip ? ipWindowInMinutes : userWindowInMinutes,
+    };
+
+    await logViolation(req, res, type, errorMessage);
+    return await denyRequest(req, res, errorMessage);
+  };
+};
+
+/**
+ * Message request rate limiter by IP
+ */
+const messageIpLimiter = rateLimit({
+  windowMs: ipWindowMs,
+  max: ipMax,
+  handler: createHandler(),
+});
+
+/**
+ * Message request rate limiter by userId
+ */
+const messageUserLimiter = rateLimit({
+  windowMs: userWindowMs,
+  max: userMax,
+  handler: createHandler(false),
+  keyGenerator: function (req) {
+    return req.user?.id; // Use the user ID or NULL if not available
+  },
+});
+
+module.exports = {
+  messageIpLimiter,
+  messageUserLimiter,
+};