* fix: Add removePorts keyGenerator to all IP-based rate limiters
Six IP-based rate limiters are missing the `keyGenerator: removePorts`
option that is already used by the auth-related limiters (login,
register, resetPassword, verifyEmail). Without it, reverse proxies that
include ports in X-Forwarded-For headers cause
ERR_ERL_INVALID_IP_ADDRESS errors from express-rate-limit.
Fixes #12318
* fix: make removePorts IPv6-safe to prevent rate-limit key collisions
The original regex `/:\d+[^:]*$/` treated the last colon-delimited
segment of bare IPv6 addresses as a port, mangling valid IPs
(e.g. `::1` → `::`, `2001:db8::1` → `2001:db8::`). Distinct IPv6
clients could collapse into the same rate-limit bucket.
Use `net.isIP()` as a fast path for already-valid IPs, then match
bracketed IPv6+port and IPv4+port explicitly. Bare IPv6 addresses
are now returned unchanged.
Also fixes pre-existing property ordering inconsistency in
ttsLimiters.js userLimiterOptions (keyGenerator before store).
* refactor: move removePorts to packages/api as TypeScript, fix import order
- Move removePorts implementation to packages/api/src/utils/removePorts.ts
with proper Express Request typing
- Reduce api/server/utils/removePorts.js to a thin re-export from
@librechat/api for backward compatibility
- Consolidate removePorts import with limiterCache from @librechat/api
in all 6 limiter files, fixing import order (package imports shortest
to longest, local imports longest to shortest)
- Remove narrating inline comments per code style guidelines
---------
Co-authored-by: Danny Avila <danny@librechat.ai>
* fix: add rate limiting to conversation duplicate endpoint
* chore: linter
* fix: address review findings for conversation duplicate rate limiting
* refactor: streamline test mocks for conversation routes
- Consolidated mock implementations into a dedicated `convos-route-mocks.js` file to enhance maintainability and readability of test files.
- Updated tests in `convos-duplicate-ratelimit.spec.js` and `convos.spec.js` to utilize the new mock structure, improving clarity and reducing redundancy.
- Enhanced the `duplicateConversation` function to accept an optional title parameter for better flexibility in conversation duplication.
* chore: rename files
* Refactor: Moved Redis cache infra logic into `packages/api`
- Moved cacheFactory and redisClients from `api/cache` into `packages/api/src/cache` so that features in `packages/api` can use cache without importing backward from the backend.
- Converted all moved files into TS with proper typing.
- Created integration tests to run against actual Redis servers for redisClients and cacheFactory.
- Added a GitHub workflow to run integration tests for the cache feature.
- Bug fix: keyvRedisClient now implements the PING feature properly.
* chore: consolidate imports in getLogStores.js
* chore: reorder imports
* chore: re-add fs-extra as dev dep.
* chore: reorder imports in cacheConfig.ts, cacheFactory.ts, and keyvMongo.ts
---------
Co-authored-by: Danny Avila <danny@librechat.ai>
- Introduced new violation scores for TTS, STT, Fork, Import, and File Upload actions in the .env.example file.
- Updated logViolation function to accept a score parameter, allowing for dynamic severity levels based on the action type.
- Modified limiters for Fork, Import, Message, STT, TTS, Tool Call, and File Upload to utilize the new violation scores when logging violations.
* chore: Improve error logging for fetching conversations, and use new TS packages for utils
* feat: Implement fork limiters for conversation forking requests
* chore: error message for conversation index deletion to clarify syncing behavior
* feat: Enhance error handling for forking with rate limit message