Adds federatedTokens object to user during authentication to enable
federated provider token template variables in LibreChat configuration.
Changes:
- OpenID JWT Strategy: Extract raw JWT from Authorization header and
attach as federatedTokens.access_token to enable {{LIBRECHAT_OPENID_TOKEN}}
placeholder resolution
- OpenID Strategy: Attach tokenset tokens as federatedTokens object to
standardize token access across both authentication strategies
This enables proper token propagation for custom endpoints and MCP
servers that require federated provider tokens for authorization.
Resolves missing token issue reported by @ramden in PR #9931🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Denis Ramic <denis.ramic@nfon.com>
Co-Authored-By: Claude <noreply@anthropic.com>
* 🧹 chore: Update logger imports to use @librechat/data-schemas across multiple files and remove unused sleep function from queue.js (#9930)
* chore: Replace local isEnabled utility with @librechat/api import across multiple files, update test files
* chore: Replace local logger import with @librechat/data-schemas logger in countTokens.js and fork.js
* chore: Update logs volume path in docker-compose.yml to correct directory
* chore: import order of isEnabled in static.js
* ✨ v0.8.0
* 🔧 chore: Update config version to 1.3.0
* 🔧 chore: Bump @librechat/api version to 1.4.1
* 🔧 chore: Update @librechat/client version to 0.3.1
* 🔧 chore: Bump librechat-data-provider version to 0.8.020
* 🔧 chore: Bump @librechat/data-schemas version to 0.0.23
* initialize servers sequentially
* adjust for exported properties that are not nullable anymore
* use underscore separator
* mock with set
* customize init timeout via env var
* feat: Add new Claude models to sharedAnthropicModels list
* chore: use correct claude aliases for default list
* chore: update deepseek model rates for accuracy
* chore: update @librechat/agents dependency to version 2.4.82
* chore: move domain related functions to `packages/api`
* fix: isEmailDomainAllowed for case-insensitive domain matching
- Added tests to validate case-insensitive matching for email domains in various scenarios.
- Updated isEmailDomainAllowed function to convert email domains to lowercase for consistent comparison.
- Improved handling of null/undefined entries in allowedDomains.
* ci: Mock isEmailDomainAllowed in samlStrategy tests
- Added a mock implementation for isEmailDomainAllowed to return true in samlStrategy tests, ensuring consistent behavior during test execution.
* ci: Update import of isEmailDomainAllowed in ldapStrategy tests
- Changed the import of isEmailDomainAllowed from the domains service to the api package for consistency and to reflect recent refactoring.
* refactor: move `loadOCRConfig` from `packages/data-provider` to `packages/api` and return `undefined` if not explicitly configured
* fix: loadOCRConfig import from @librechat/api
* refactor: update defaultTextMimeTypes to support virtually all file types for text parsing
* fix: improve OCR capability check and error message for unsupported file types
* ci: remove unnecessary ocr expectation from AppService test
* 🌐 feat: OpenRouter Web Search
- Added tests for handling web_search parameter with OpenRouter in various scenarios.
- Implemented logic to manage web_search in modelOptions and addParams/dropParams.
- Ensured correct configuration of llmConfig and modelKwargs for OpenRouter, including handling of plugins.
- Improved overall integration of OpenRouter with OpenAI API, ensuring expected behavior across different configurations.
* chore: bump @librechat/agents to v2.4.81
- Fixed a bug in reinitMCPServer where a user connection was created for an app-level server whenever this server is reinitialized
- Made MCPManager.getUserConnection to return an error if the connection is app-level
- Add MCPManager.getConnection to return either an app connection or a user connection based on the serverName
- Made MCPManager.appConnections public to avoid unnecessary wrapper methods.
* 🕵️ feat: Enhance Index Sync and MeiliSearch filtering for User Field
- Implemented `ensureFilterableAttributes` function to configure MeiliSearch indexes for messages and conversations to filter by user.
- Updated sync logic to trigger a full re-sync if the user field is missing or index settings are modified.
- Adjusted search queries in Conversation and Message models to include user filtering.
- Ensured 'user' field is marked as filterable in MongoDB schema for both messages and conversations.
This update improves data integrity and search capabilities by ensuring user-related data is properly indexed and retrievable.
* fix: message processing in Search component to use linear list and not tree
* feat: Implement user filtering in MeiliSearch for shared links
* refactor: Optimize message search retrieval by batching database calls
* chore: Update MeiliSearch parameters type to use SearchParams for improved type safety
* add use of immutable claims to identify user object
* fix semicolons
* update email attribute on change
* replace ternary expressions
* fix semicolon
* chore: add typing
* chore: reorder fields in `findOpenIDUser`
* refactor: optimize user lookup logic in `findOpenIDUser` function to minimize database roundtrips
* refactor: integrate findOpenIDUser for improved user retrieval in refreshController
* refactor: improve error logging for invalid refresh tokens in refreshController
* ci: mock findUser correctly in openidStrategy tests
* test: add unit tests for findOpenIDUser function to enhance user retrieval logic
---------
Co-authored-by: Joachim Keltsch <joachim.keltsch@daimlertruck.com>
* feat: support multiple roles in OPENID_REQUIRED_ROLE
- Allow comma-separated roles in OPENID_REQUIRED_ROLE environment variable
- User needs ANY of the specified roles to login (OR logic)
- Maintain backward compatibility with single role configuration
- Add comprehensive test coverage for multiple role scenarios
* Add tests
* Fix linter
* Add missing closing brace
* Add new line
* Simplify tests
* Refresh OpenID verify callback in tests
* Fix OpenID spec and resolve linting errors
* test: Add backward compatibility test for single required role in OpenID strategy
---------
Co-authored-by: Danny Avila <danny@librechat.ai>
* refactor: Implement gradual backoff polling for oauth connection status with timeout handling
* refactor: Enhance OAuth polling with gradual backoff and timeout handling; update reconnection tracking
* refactor: reconnection timeout behavior in OAuthReconnectionManager and OAuthReconnectionTracker
- Implement tests to verify reconnection timeout handling, including tracking of reconnection states and cleanup of timed-out entries.
- Enhance existing methods in OAuthReconnectionManager and OAuthReconnectionTracker to support timeout checks and cleanup logic.
- Ensure proper handling of multiple servers with different timeout periods and edge cases for active states.
* chore: remove comment
* refactor: Enforce strict 3-minute OAuth timeout with updated polling intervals and improved timeout handling
* refactor: Remove unused polling logic and prevent duplicate polling for servers in MCP server manager
* refactor: Update localization key for no memories message in MemoryViewer
* refactor: Improve MCP tool initialization by handling server failures
- Introduced a mechanism to track failed MCP servers, preventing retries for unavailable servers.
- Added logging for failed tool creation attempts to enhance debugging and monitoring.
* refactor: Update reconnection timeout to enforce a strict 3-minute limit
* ci: Update reconnection timeout tests to reflect a strict 3-minute limit
* ci: Update reconnection timeout tests to enforce a strict 3-minute limit
* chore: Remove unused MCP connection timeout message
🔄 refactor: Optimize MCP Tool Initialization
fix: update tool caching to use separated mcp logic
refactor: Replace `req.user` with `userId` in MCP handling functions
refactor: Replace `req` parameter with `userId` in file search tool functions
fix: Update user connection parameter to use object format in reinitMCPServer
refactor: Simplify MCP tool creation logic and improve handling of tool configurations to avoid capturing too much in closures
refactor: ensure MCP available tools are fetched from cache only when needed
* fix: axios response logging for text parsing, remove console logging, remove jsdoc
* refactor: error logging in logAxiosError function to handle various error types with type guards
* refactor: enhance text parsing with improved error handling and async file reading
* refactor: replace synchronous file reading with asynchronous methods for improved performance and memory management
* ci: update tests
* fix: increment tag counters when forking/duplicating conversations
- Add bulkIncrementTagCounts to update existing tag counts in bulk
- Integrate tag count updates into importBatchBuilder.saveBatch() using Promise.all
- Update frontend mutations to directly update cache instead of invalidating queries
- Optimize bulkIncrementTagCounts to skip unnecessary database queries
Fixes issue where forked/duplicated conversations with bookmarks would not increment
tag counters, leading to negative counts when bookmarks were later removed.
* chore: reorder import statements for clarity in fork.spec.js
* fix: respect server's token endpoint auth methods for MCP OAuth refresh
Previously, LibreChat always used Basic Auth when refreshing OAuth tokens if a
client_secret was present. This caused issues with servers (like FastMCP) that
only support client_secret_post. Now properly checks and respects the server's
advertised token_endpoint_auth_methods_supported.
Fixes token refresh failures with error: "refresh_token.client_id: Field required"
* chore: remove MCP OAuth URL Logging
* WIP: conversion of `ocr` to `context`
* refactor: make `primeResources` backwards-compatible for `ocr` tool_resources
* refactor: Convert legacy `ocr` tool resource to `context` in agent updates
- Implemented conversion logic to replace `ocr` with `context` in both incoming updates and existing agent data.
- Merged file IDs and files from `ocr` into `context` while ensuring deduplication.
- Updated tools array to reflect the change from `ocr` to `context`.
* refactor: Enhance context file handling in agent processing
- Updated the logic for managing context files by consolidating file IDs from both `ocr` and `context` resources.
- Improved backwards compatibility by ensuring that context files are correctly populated and handled.
- Simplified the iteration over context files for better readability and maintainability.
* refactor: Enhance tool_resources handling in primeResources
- Added tests to verify the deletion behavior of tool_resources fields, ensuring original objects remain unchanged.
- Implemented logic to delete `ocr` and `context` fields after fetching and re-categorizing files.
- Preserved context field when the context capability is disabled, ensuring correct behavior in various scenarios.
* refactor: Replace `ocrEnabled` with `contextEnabled` in AgentConfig
* refactor: Adjust legacy tool handling order for improved clarity
* refactor: Implement OCR to context conversion functions and remove original conversion logic in update agent handling
* refactor: Move contextEnabled declaration to maintain consistent order in capabilities
* refactor: Update localization keys for file context to improve clarity and accuracy
* chore: Update localization key for file context information to improve clarity
- Implemented `getAgents` function to retrieve multiple agent documents based on search parameters.
- Updated `fileAccess` middleware to utilize `getAgents` instead of `getAgent` for improved file access checks.
- Added comprehensive tests for file access middleware, covering various scenarios including user permissions and agent ownership.
* ✂️ refactor: use artifacts and callbacks to pass UI resources
* chore: imports
* refactor: Update UIResource type imports and definitions across components and tests
* refactor: Update ToolCallInfo test data structure and enhance TAttachment type definition
---------
Co-authored-by: Samuel Path <samuel.path@shopify.com>
* refactor: Optimize Email Domain Validation in OpenID, SAML, and Social Login Strategies
- Implemented email domain validation for user authentication in OpenID and SAML strategies, ensuring only allowed domains are processed.
- Adjusted error messages for clarity and consistency across authentication methods.
- Refactored social login to validate email domains before checking for existing users, improving registration flow.
* refactor: Email Domain Validation in LDAP and Social Login Strategies
* Remove unused STATIC_CONFIG and LIBRECHAT_YAML_CONFIG cache keys.
These cache keys were identified as dead code - they were being written to but never read from anywhere in the codebase after a recent refactor:
- STATIC_CONFIG was used as a cache namespace that stored configuration data
- LIBRECHAT_YAML_CONFIG was the key used within that namespace to store parsed YAML config
- The cache.set() operation in loadCustomConfig.js stored the config but no cache.get() operations retrieved it
- Configuration data is already handled through other mechanisms without caching
* # removed tests regarding cache
- This allows use APP_CONFIG in FORCED_IN_MEMORY_CACHE_NAMESPACES
- Remove the complexity of nested namespace (e.g. we no longer have to worry about the prefix of every role key)
* fix: ChatGPT import logic breaks message graph when it encounters a system message
- Implemented `findNonSystemParent` to maintain parent-child relationships by skipping system messages.
- Added a test case to ensure system messages do not disrupt the conversation flow during import.
* fix: ChatGPT import, correct sender for user messages with GPT-4 model
* fix: Enhance model name extraction for assistant messages in import process
- Updated sender assignment logic to dynamically extract model names from model slugs, improving accuracy for various GPT models.
- Added comprehensive tests to validate the extraction and formatting of model names from different model slugs, ensuring robustness in the import functionality.
* refactor: modularize openai llm config logic into new getOpenAILLMConfig function (#9412)
* ✈️ refactor: Migrate Anthropic's getLLMConfig to TypeScript (#9413)
* refactor: move tokens.js over to packages/api and update imports
* refactor: port tokens.js to typescript
* refactor: move helpers.js over to packages/api and update imports
* refactor: port helpers.js to typescript
* refactor: move anthropic/llm.js over to packages/api and update imports
* refactor: port anthropic/llm.js to typescript with supporting types in types/anthropic.ts and updated tests in llm.spec.js
* refactor: move llm.spec.js over to packages/api and update import
* refactor: port llm.spec.js over to typescript
* 📝 Add Prompt Parameter Support for Anthropic Custom Endpoints (#9414)
feat: add anthropic llm config support for openai-like (custom) endpoints
* fix: missed compiler / type issues from addition of getAnthropicLLMConfig
* refactor: update tokens.ts to export constants and functions, enhance type definitions, and adjust default values
* WIP: first pass, decouple `llmConfig` from `configOptions`
* chore: update import path for OpenAI configuration from 'llm' to 'config'
* refactor: enhance type definitions for ThinkingConfig and update modelOptions in AnthropicConfigOptions
* refactor: cleanup type, introduce openai transform from alt provider
* chore: integrate removeNullishValues in Google llmConfig and update OpenAI exports
* chore: bump version of @librechat/api to 1.3.5 in package.json and package-lock.json
* refactor: update customParams type in OpenAIConfigOptions to use TConfig['customParams']
* refactor: enhance transformToOpenAIConfig to include fromEndpoint and improve config extraction
* refactor: conform userId field for anthropic/openai, cleanup anthropic typing
* ci: add backward compatibility tests for getOpenAIConfig with various endpoints and configurations
* ci: replace userId with user in clientOptions for getLLMConfig
* test: add Azure OpenAI endpoint tests for various configurations in getOpenAIConfig
* refactor: defaultHeaders retrieval for prompt caching for anthropic-based custom endpoint (litellm)
* test: add unit tests for getOpenAIConfig with various Anthropic model configurations
* test: enhance Anthropic compatibility tests with addParams and dropParams handling
* chore: update @librechat/agents dependency to version 2.4.78 in package.json and package-lock.json
* chore: update @librechat/agents dependency to version 2.4.79 in package.json and package-lock.json
---------
Co-authored-by: Danny Avila <danny@librechat.ai>
* fix: freq. and pres. penalty use camelcase
* ci: OpenAI Configuration Tests
* ci: Enhance OpenAI Configuration Tests with Azure and Custom Endpoint Scenarios
* Added integration tests for OpenAI and Azure configurations simulating various initialization scenarios.
* Updated OpenAIConfigOptions to allow null values for reverseProxyUrl and proxy.
* Improved handling of reasoning parameters in tests for both OpenAI and Azure setups.
* Ensured robust error handling for missing API keys and malformed configurations.
* Optimized performance for large parameter sets in configuration.
* test: Add comprehensive integration tests for Anthropic LLM configuration
* Introduced real usage integration tests for various Anthropic endpoint configurations, including handling of proxy and reverse proxy setups.
* Implemented model-specific scenarios for Claude-3.7 and web search functionality.
* Enhanced error handling for missing user IDs and large parameter sets.
* Validated parameter logic, including default values, boundary conditions, and type handling for numeric and array parameters.
* Ensured proper exclusion of system options from model options and maintained expected behavior across different model variations.
* feat: added support for custom JINA_API_URL
* fixed tests
* chore: Update @librechat/agents dependency to version 2.4.77 in package-lock.json and package.json files
* fix: Update Jina API URL to use environment variable in configuration files
* Refactor AppService, web.ts, and config.ts to replace hardcoded Jina API URL with an environment variable placeholder.
* Ensure consistency across tests and configuration for Jina API URL.
* chore: alphabetical order translation.json
* fix: alphabetical order
---------
Co-authored-by: Danny Avila <danny@librechat.ai>
* Refactor deleteTokens to use an array of conditions for querying, ensuring only specified fields are considered for deletion.
* Add error handling to prevent accidental deletion when no query parameters are provided.
* Update AuthService to match the new deleteTokens signature by passing an object instead of a string for email.
