WIP: admin auth

api/server/middleware/index.js

@@ -1,12 +1,14 @@
 const validatePasswordReset = require('./validatePasswordReset');
 const validateRegistration = require('./validateRegistration');
 const buildEndpointOption = require('./buildEndpointOption');
+const requireAdminJwtAuth = require('./requireAdminJwtAuth');
 const validateMessageReq = require('./validateMessageReq');
 const checkDomainAllowed = require('./checkDomainAllowed');
 const concurrentLimiter = require('./concurrentLimiter');
 const validateEndpoint = require('./validateEndpoint');
 const requireLocalAuth = require('./requireLocalAuth');
 const canDeleteAccount = require('./canDeleteAccount');
+const requireAdminAuth = require('./requireAdminAuth');
 const accessResources = require('./accessResources');
 const requireLdapAuth = require('./requireLdapAuth');
 const abortMiddleware = require('./abortMiddleware');
@@ -38,6 +40,8 @@ module.exports = {
   moderateText,
   validateModel,
   requireJwtAuth,
+  requireAdminAuth,
+  requireAdminJwtAuth,
   checkInviteUser,
   requireLdapAuth,
   requireLocalAuth,

api/server/middleware/requireAdminAuth.js

@@ -0,0 +1,35 @@
+const passport = require('passport');
+const { logger } = require('@librechat/data-schemas');
+const { SystemRoles } = require('librechat-data-provider');
+
+/**
+ * Middleware for admin authentication using local strategy
+ * Validates credentials and ensures user has admin role
+ */
+const requireAdminAuth = (req, res, next) => {
+  passport.authenticate('local', (err, user, info) => {
+    if (err) {
+      logger.error('[requireAdminAuth] Error at passport.authenticate:', err);
+      return next(err);
+    }
+    if (!user) {
+      logger.debug('[requireAdminAuth] Error: No user');
+      return res.status(404).send(info);
+    }
+    if (info && info.message) {
+      logger.debug('[requireAdminAuth] Error: ' + info.message);
+      return res.status(422).send({ message: info.message });
+    }
+
+    // Check if user has admin role
+    if (!user.role || user.role !== SystemRoles.ADMIN) {
+      logger.debug('[requireAdminAuth] Error: User is not an admin');
+      return res.status(403).send({ message: 'Access denied: Admin privileges required' });
+    }
+
+    req.user = user;
+    next();
+  })(req, res, next);
+};
+
+module.exports = requireAdminAuth;

api/server/middleware/requireAdminJwtAuth.js

@@ -0,0 +1,42 @@
+const cookies = require('cookie');
+const passport = require('passport');
+const { isEnabled } = require('@librechat/api');
+const { logger } = require('@librechat/data-schemas');
+const { SystemRoles } = require('librechat-data-provider');
+
+/**
+ * Custom Middleware to handle JWT authentication for admin endpoints
+ * Validates JWT token and ensures user has admin role
+ */
+const requireAdminJwtAuth = (req, res, next) => {
+  // Check if token provider is specified in cookies
+  const cookieHeader = req.headers.cookie;
+  const tokenProvider = cookieHeader ? cookies.parse(cookieHeader).token_provider : null;
+
+  // Use OpenID authentication if token provider is OpenID and OPENID_REUSE_TOKENS is enabled
+  const authStrategy =
+    tokenProvider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS) ? 'openidJwt' : 'jwt';
+
+  passport.authenticate(authStrategy, { session: false }, (err, user, _info) => {
+    if (err) {
+      logger.error('[requireAdminJwtAuth] Authentication error:', err);
+      return res.status(500).json({ message: 'Authentication error' });
+    }
+
+    if (!user) {
+      logger.debug('[requireAdminJwtAuth] No user found');
+      return res.status(401).json({ message: 'Unauthorized' });
+    }
+
+    // Check if user has admin role
+    if (!user.role || user.role !== SystemRoles.ADMIN) {
+      logger.debug('[requireAdminJwtAuth] User is not an admin:', user.email);
+      return res.status(403).json({ message: 'Access denied: Admin privileges required' });
+    }
+
+    req.user = user;
+    next();
+  })(req, res, next);
+};
+
+module.exports = requireAdminJwtAuth;