Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-09-22 06:00:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

📧 feat: email verification (#2344)

Browse source 
* feat: verification email

* chore: email verification invalid; localize: update

* fix: redirect to login when signup: fix: save emailVerified correctly

* docs: update ALLOW_UNVERIFIED_EMAIL_LOGIN; fix: don't accept login only when ALLOW_UNVERIFIED_EMAIL_LOGIN = true

* fix: user needs to be authenticated

* style: update

* fix: registration success message and redirect logic

* refactor: use `isEnabled` in ALLOW_UNVERIFIED_EMAIL_LOGIN

* refactor: move checkEmailConfig to server/utils

* refactor: use req as param for verifyEmail function

* chore: jsdoc

* chore: remove console log

* refactor: rename `createNewUser` to `createSocialUser`

* refactor: update typing and add expiresAt field to userSchema

* refactor: begin use of user methods over direct model access for User

* refactor: initial email verification rewrite

* chore: typing

* refactor: registration flow rewrite

* chore: remove help center text

* refactor: update getUser to getUserById and add findUser methods. general fixes from recent changes

* refactor: Update updateUser method to remove expiresAt field and use $set and $unset operations, createUser now returns Id only

* refactor: Update openidStrategy to use optional chaining for avatar check, move saveBuffer init to buffer condition

* refactor: logout on deleteUser mutatation

* refactor: Update openidStrategy login success message format

* refactor: Add emailVerified field to Discord and Facebook profile details

* refactor: move limiters to separate middleware dir

* refactor: Add limiters for email verification and password reset

* refactor: Remove getUserController and update routes and controllers accordingly

* refactor: Update getUserById method to exclude password and version fields

* refactor: move verification to user route, add resend verification option

* refactor: Improve email verification process and resend option

* refactor: remove more direct model access of User and remove unused code

* refactor: replace user authentication methods and token generation

* fix: add user.id to jwt user

* refactor: Update AuthContext to include setError function, add resend link to Login Form, make registration redirect shorter

* fix(updateUserPluginsService): ensure userPlugins variable is defined

* refactor: Delete all shared links for a specific user

* fix: remove use of direct User.save() in handleExistingUser

* fix(importLibreChatConvo): handle missing createdAt field in messages

---------

Co-authored-by: Danny Avila <danny@librechat.ai>
This commit is contained in:
Marco Beretta 2024-06-07 21:06:47 +02:00 committed by GitHub
parent b7fef6958b
commit ee673d682e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
67 changed files with 1863 additions and 1117 deletions
Download patch file Download diff file Expand all files Collapse all files

214
api/server/services/AuthService.js
View file

@ -1,13 +1,20 @@
const crypto = require('crypto');
const bcrypt = require('bcryptjs');
const { errorsToString } = require('librechat-data-provider');
const {
countUsers,
createUser,
findUser,
updateUser,
generateToken,
getUserById,
} = require('~/models/userMethods');
const { sendEmail, checkEmailConfig } = require('~/server/utils');
const { registerSchema } = require('~/strategies/validators');
const isDomainAllowed = require('./isDomainAllowed');
const Token = require('~/models/schema/tokenSchema');
const { sendEmail } = require('~/server/utils');
const Session = require('~/models/Session');
const { logger } = require('~/config');
const User = require('~/models/User');
const domains = {
client: process.env.DOMAIN_CLIENT,
@ -15,19 +22,7 @@ const domains = {
};
const isProduction = process.env.NODE_ENV === 'production';
/**
* Check if email configuration is set
* @returns {Boolean}
*/
function checkEmailConfig() {
return (
(!!process.env.EMAIL_SERVICE || !!process.env.EMAIL_HOST) &&
!!process.env.EMAIL_USERNAME &&
!!process.env.EMAIL_PASSWORD &&
!!process.env.EMAIL_FROM
);
}
const genericVerificationMessage = 'Please check your email to verify your email address.';
/**
* Logout user
@ -58,10 +53,73 @@ const logoutUser = async (userId, refreshToken) => {
};
/**
* Register a new user
*
* @param {Object} user <email, password, name, username>
* @returns
* Send Verification Email
* @param {Partial<MongoUser> & { _id: ObjectId, email: string, name: string}} user
* @returns {Promise<void>}
*/
const sendVerificationEmail = async (user) => {
let verifyToken = crypto.randomBytes(32).toString('hex');
const hash = bcrypt.hashSync(verifyToken, 10);
await new Token({
userId: user._id,
email: user.email,
token: hash,
createdAt: Date.now(),
}).save();
const verificationLink = `${domains.client}/verify?token=${verifyToken}&email=${user.email}`;
logger.info(`[sendVerificationEmail] Verification link issued. [Email: ${user.email}]`);
sendEmail(
user.email,
'Verify your email',
{
appName: process.env.APP_TITLE || 'LibreChat',
name: user.name,
verificationLink: verificationLink,
year: new Date().getFullYear(),
},
'verifyEmail.handlebars',
);
return;
};
/**
* Verify Email
* @param {Express.Request} req
*/
const verifyEmail = async (req) => {
const { email, token } = req.body;
let emailVerificationData = await Token.findOne({ email });
if (!emailVerificationData) {
logger.warn(`[verifyEmail] [No email verification data found] [Email: ${email}]`);
return new Error('Invalid or expired password reset token');
}
const isValid = bcrypt.compareSync(token, emailVerificationData.token);
if (!isValid) {
logger.warn(`[verifyEmail] [Invalid or expired email verification token] [Email: ${email}]`);
return new Error('Invalid or expired email verification token');
}
const updatedUser = await updateUser(emailVerificationData.userId, { emailVerified: true });
if (!updatedUser) {
logger.warn(`[verifyEmail] [User not found] [Email: ${email}]`);
return new Error('User not found');
}
await emailVerificationData.deleteOne();
logger.info(`[verifyEmail] Email verification successful. [Email: ${email}]`);
return { message: 'Email verification was successful' };
};
/**
* Register a new user.
* @param {MongoUser} user <email, password, name, username>
* @returns {Promise<{status: number, message: string, user?: MongoUser}>}
*/
const registerUser = async (user) => {
const { error } = registerSchema.safeParse(user);
@ -73,13 +131,13 @@ const registerUser = async (user) => {
{ name: 'Validation error:', value: errorMessage },
);
return { status: 422, message: errorMessage };
return { status: 404, message: errorMessage };
}
const { email, password, name, username } = user;
try {
const existingUser = await User.findOne({ email }).lean();
const existingUser = await findUser({ email }, 'email _id');
if (existingUser) {
logger.info(
@ -90,38 +148,46 @@ const registerUser = async (user) => {
// Sleep for 1 second
await new Promise((resolve) => setTimeout(resolve, 1000));
// TODO: We should change the process to always email and be generic is signup works or fails (user enum)
return { status: 500, message: 'Something went wrong' };
return { status: 200, message: genericVerificationMessage };
}
if (!(await isDomainAllowed(email))) {
const errorMessage = 'Registration from this domain is not allowed.';
const errorMessage =
'The email address provided cannot be used. Please use a different email address.';
logger.error(`[registerUser] [Registration not allowed] [Email: ${user.email}]`);
return { status: 403, message: errorMessage };
}
//determine if this is the first registered user (not counting anonymous_user)
const isFirstRegisteredUser = (await User.countDocuments({})) === 0;
const isFirstRegisteredUser = (await countUsers()) === 0;
const newUser = await new User({
const salt = bcrypt.genSaltSync(10);
const newUserData = {
provider: 'local',
email,
password,
username,
name,
avatar: null,
role: isFirstRegisteredUser ? 'ADMIN' : 'USER',
});
password: bcrypt.hashSync(password, salt),
};
const salt = bcrypt.genSaltSync(10);
const hash = bcrypt.hashSync(newUser.password, salt);
newUser.password = hash;
await newUser.save();
const emailEnabled = checkEmailConfig();
const newUserId = await createUser(newUserData, false);
if (emailEnabled) {
await sendVerificationEmail({
_id: newUserId,
email,
name,
});
} else {
await updateUser(newUserId, { emailVerified: true });
}
return { status: 200, user: newUser };
return { status: 200, message: genericVerificationMessage };
} catch (err) {
return { status: 500, message: err?.message || 'Something went wrong' };
logger.error('[registerUser] Error in registering user:', err);
return { status: 500, message: 'Something went wrong' };
}
};
@ -131,7 +197,7 @@ const registerUser = async (user) => {
*/
const requestPasswordReset = async (req) => {
const { email } = req.body;
const user = await User.findOne({ email }).lean();
const user = await findUser({ email }, 'email _id');
const emailEnabled = checkEmailConfig();
logger.warn(`[requestPasswordReset] [Password reset request initiated] [Email: ${email}]`);
@ -208,13 +274,9 @@ const resetPassword = async (userId, token, password) => {
}
const hash = bcrypt.hashSync(password, 10);
const user = await updateUser(userId, { password: hash });
await User.updateOne({ _id: userId }, { $set: { password: hash } }, { new: true });
const user = await User.findById({ _id: userId });
const emailEnabled = checkEmailConfig();
if (emailEnabled) {
if (checkEmailConfig()) {
sendEmail(
user.email,
'Password Reset Successfully',
@ -242,8 +304,8 @@ const resetPassword = async (userId, token, password) => {
*/
const setAuthTokens = async (userId, res, sessionId = null) => {
try {
const user = await User.findOne({ _id: userId });
const token = await user.generateToken();
const user = await getUserById(userId);
const token = await generateToken(user);
let session;
let refreshTokenExpires;
@ -273,11 +335,69 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
}
};
/**
* Resend Verification Email
* @param {Object} req
* @param {Object} req.body
* @param {String} req.body.email
* @returns {Promise<{status: number, message: string}>}
*/
const resendVerificationEmail = async (req) => {
try {
const { email } = req.body;
await Token.deleteMany({ email });
const user = await findUser({ email }, 'email _id name');
if (!user) {
logger.warn(`[resendVerificationEmail] [No user found] [Email: ${email}]`);
return { status: 200, message: genericVerificationMessage };
}
let verifyToken = crypto.randomBytes(32).toString('hex');
const hash = bcrypt.hashSync(verifyToken, 10);
await new Token({
userId: user._id,
email: user.email,
token: hash,
createdAt: Date.now(),
}).save();
const verificationLink = `${domains.client}/verify?token=${verifyToken}&email=${user.email}`;
logger.info(`[resendVerificationEmail] Verification link issued. [Email: ${user.email}]`);
sendEmail(
user.email,
'Verify your email',
{
appName: process.env.APP_TITLE || 'LibreChat',
name: user.name,
verificationLink: verificationLink,
year: new Date().getFullYear(),
},
'verifyEmail.handlebars',
);
return {
status: 200,
message: genericVerificationMessage,
};
} catch (error) {
logger.error(`[resendVerificationEmail] Error resending verification email: ${error.message}`);
return {
status: 500,
message: 'Something went wrong.',
};
}
};
module.exports = {
registerUser,
logoutUser,
verifyEmail,
registerUser,
setAuthTokens,
resetPassword,
isDomainAllowed,
requestPasswordReset,
resetPassword,
setAuthTokens,
resendVerificationEmail,
};