mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-17 17:00:15 +01:00
f0f09138bd
* 🔒 feat: add Two-Factor Authentication (2FA) with backup codes & QR support (#5684) * working version for generating TOTP and authenticate. * better looking UI * refactored + better TOTP logic * fixed issue with UI * fixed issue: remove initial setup when closing window before completion. * added: onKeyDown for verify and disable * refactored some code and cleaned it up a bit. * refactored some code and cleaned it up a bit. * refactored some code and cleaned it up a bit. * refactored some code and cleaned it up a bit. * fixed issue after updating to new main branch * updated example * refactored controllers * removed `passport-totp` not used. * update the generateBackupCodes function to generate 10 codes by default: * update the backup codes to an object. * fixed issue with backup codes not working * be able to disable 2FA with backup codes. * removed new env. replaced with JWT_SECRET * ✨ style: improved a11y and style for TwoFactorAuthentication * 🔒 fix: small types checks * ✨ feat: improve 2FA UI components * fix: remove unnecessary console log * add option to disable 2FA with backup codes * - add option to refresh backup codes - (optional) maybe show the user which backup codes have already been used? * removed text to be able to merge the main. * removed eng tx to be able to merge * fix: migrated lang to new format. * feat: rewrote whole 2FA UI + refactored 2FA backend * chore: resolving conflicts * chore: resolving conflicts * fix: missing packages, because of resolving conflicts. * fix: UI issue and improved a11y * fix: 2FA backup code not working * fix: update localization keys for UI consistency * fix: update button label to use localized text * fix: refactor backup codes regeneration and update localization keys * fix: remove outdated translation for shared links management * fix: remove outdated 2FA code prompts from translation.json * fix: add cursor styles for backup codes item based on usage state * fix: resolve conflict issue * fix: resolve conflict issue * fix: resolve conflict issue * fix: missing packages in package-lock.json * fix: add disabled opacity to the verify button in TwoFactorScreen * ⚙ fix: update 2FA logic to rely on backup codes instead of TOTP status * ⚙️ fix: Simplify user retrieval in 2FA logic by removing unnecessary TOTP secret query * ⚙️ test: Add unit tests for TwoFactorAuthController and twoFactorControllers * ⚙️ fix: Ensure backup codes are validated as an array before usage in 2FA components * ⚙️ fix: Update module path mappings in tests to use relative paths * ⚙️ fix: Update moduleNameMapper in jest.config.js to remove the caret from path mapping * ⚙️ refactor: Simplify import paths in TwoFactorAuthController and twoFactorControllers test files * ⚙️ test: Mock twoFactorService methods in twoFactorControllers tests * ⚙️ refactor: Comment out unused imports and mock setups in test files for two-factor authentication * ⚙️ refactor: removed files * refactor: Exclude totpSecret from user data retrieval in AuthController, LoginController, and jwtStrategy * refactor: Consolidate backup code verification to apply DRY and remove default array in user schema * refactor: Enhance two-factor authentication ux/flow with improved error handling and loading state management, prevent redirect to /login --------- Co-authored-by: Marco Beretta <81851188+berry-13@users.noreply.github.com> Co-authored-by: Danny Avila <danny@librechat.ai>
151 lines
3.8 KiB
JavaScript
151 lines
3.8 KiB
JavaScript
const mongoose = require('mongoose');
|
|
const { SystemRoles } = require('librechat-data-provider');
|
|
|
|
/**
|
|
* @typedef {Object} MongoSession
|
|
* @property {string} [refreshToken] - The refresh token
|
|
*/
|
|
|
|
/**
|
|
* @typedef {Object} MongoUser
|
|
* @property {ObjectId} [_id] - MongoDB Document ID
|
|
* @property {string} [name] - The user's name
|
|
* @property {string} [username] - The user's username, in lowercase
|
|
* @property {string} email - The user's email address
|
|
* @property {boolean} emailVerified - Whether the user's email is verified
|
|
* @property {string} [password] - The user's password, trimmed with 8-128 characters
|
|
* @property {string} [avatar] - The URL of the user's avatar
|
|
* @property {string} provider - The provider of the user's account (e.g., 'local', 'google')
|
|
* @property {string} [role='USER'] - The role of the user
|
|
* @property {string} [googleId] - Optional Google ID for the user
|
|
* @property {string} [facebookId] - Optional Facebook ID for the user
|
|
* @property {string} [openidId] - Optional OpenID ID for the user
|
|
* @property {string} [ldapId] - Optional LDAP ID for the user
|
|
* @property {string} [githubId] - Optional GitHub ID for the user
|
|
* @property {string} [discordId] - Optional Discord ID for the user
|
|
* @property {string} [appleId] - Optional Apple ID for the user
|
|
* @property {Array} [plugins=[]] - List of plugins used by the user
|
|
* @property {Array.<MongoSession>} [refreshToken] - List of sessions with refresh tokens
|
|
* @property {Date} [expiresAt] - Optional expiration date of the file
|
|
* @property {Date} [createdAt] - Date when the user was created (added by timestamps)
|
|
* @property {Date} [updatedAt] - Date when the user was last updated (added by timestamps)
|
|
*/
|
|
|
|
/** @type {MongooseSchema<MongoSession>} */
|
|
const Session = mongoose.Schema({
|
|
refreshToken: {
|
|
type: String,
|
|
default: '',
|
|
},
|
|
});
|
|
|
|
const backupCodeSchema = mongoose.Schema({
|
|
codeHash: { type: String, required: true },
|
|
used: { type: Boolean, default: false },
|
|
usedAt: { type: Date, default: null },
|
|
});
|
|
|
|
/** @type {MongooseSchema<MongoUser>} */
|
|
const userSchema = mongoose.Schema(
|
|
{
|
|
name: {
|
|
type: String,
|
|
},
|
|
username: {
|
|
type: String,
|
|
lowercase: true,
|
|
default: '',
|
|
},
|
|
email: {
|
|
type: String,
|
|
required: [true, 'can\'t be blank'],
|
|
lowercase: true,
|
|
unique: true,
|
|
match: [/\S+@\S+\.\S+/, 'is invalid'],
|
|
index: true,
|
|
},
|
|
emailVerified: {
|
|
type: Boolean,
|
|
required: true,
|
|
default: false,
|
|
},
|
|
password: {
|
|
type: String,
|
|
trim: true,
|
|
minlength: 8,
|
|
maxlength: 128,
|
|
},
|
|
avatar: {
|
|
type: String,
|
|
required: false,
|
|
},
|
|
provider: {
|
|
type: String,
|
|
required: true,
|
|
default: 'local',
|
|
},
|
|
role: {
|
|
type: String,
|
|
default: SystemRoles.USER,
|
|
},
|
|
googleId: {
|
|
type: String,
|
|
unique: true,
|
|
sparse: true,
|
|
},
|
|
facebookId: {
|
|
type: String,
|
|
unique: true,
|
|
sparse: true,
|
|
},
|
|
openidId: {
|
|
type: String,
|
|
unique: true,
|
|
sparse: true,
|
|
},
|
|
ldapId: {
|
|
type: String,
|
|
unique: true,
|
|
sparse: true,
|
|
},
|
|
githubId: {
|
|
type: String,
|
|
unique: true,
|
|
sparse: true,
|
|
},
|
|
discordId: {
|
|
type: String,
|
|
unique: true,
|
|
sparse: true,
|
|
},
|
|
appleId: {
|
|
type: String,
|
|
unique: true,
|
|
sparse: true,
|
|
},
|
|
plugins: {
|
|
type: Array,
|
|
},
|
|
totpSecret: {
|
|
type: String,
|
|
},
|
|
backupCodes: {
|
|
type: [backupCodeSchema],
|
|
},
|
|
refreshToken: {
|
|
type: [Session],
|
|
},
|
|
expiresAt: {
|
|
type: Date,
|
|
expires: 604800, // 7 days in seconds
|
|
},
|
|
termsAccepted: {
|
|
type: Boolean,
|
|
default: false,
|
|
},
|
|
},
|
|
|
|
{ timestamps: true },
|
|
);
|
|
|
|
module.exports = userSchema;
|