mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-01-31 14:55:19 +01:00
65c81955f0
* feat: Add granular role-based permissions system with Entra ID integration
- Implement RBAC with viewer/editor/owner roles using bitwise permissions
- Add AccessRole, AclEntry, and Group models for permission management
- Create PermissionService for core permission logic and validation
- Integrate Microsoft Graph API for Entra ID user/group search
- Add middleware for resource access validation with custom ID resolvers
- Implement bulk permission updates with transaction support
- Create permission management UI with people picker and role selection
- Add public sharing capabilities for resources
- Include database migration for existing agent ownership
- Support hybrid local/Entra ID identity management
- Add comprehensive test coverage for all new services
chore: Update @librechat/data-schemas to version 0.0.9 and export common module in index.ts
fix: Update userGroup tests to mock logger correctly and change principalId expectation from null to undefined
* fix(data-schemas): use partial index for group idOnTheSource uniqueness
Replace sparse index with partial filter expression to allow multiple local groups
while maintaining unique constraint for external source IDs. The sparse option
on compound indexes doesn't work as expected when one field is always present.
* fix: imports in migrate-agent-permissions.js
* chore(data-schemas): add comprehensive README for data schemas package
- Introduced a detailed README.md file outlining the structure, architecture patterns, and best practices for the LibreChat Data Schemas package.
- Included guidelines for creating new entities, type definitions, schema files, model factory functions, and database methods.
- Added examples and common patterns to enhance understanding and usage of the package.
* chore: remove unused translation keys from localization file
* ci: fix existing tests based off new permission handling
- Renamed test cases to reflect changes in permission checks being handled at the route level.
- Updated assertions to verify that agents are returned regardless of user permissions due to the new permission system.
- Adjusted mocks in AppService and PermissionService tests to ensure proper functionality without relying on actual implementations.
* ci: add unit tests for access control middleware
- Introduced tests for the `canAccessAgentResource` middleware to validate permission checks for agent resources.
- Implemented tests for various scenarios including user roles, ACL entries, and permission levels.
- Added tests for the `checkAccess` function to ensure proper permission handling based on user roles and permissions.
- Utilized MongoDB in-memory server for isolated test environments.
* refactor: remove unused mocks from GraphApiService tests
* ci: enhance AgentFooter tests with improved mocks and permission handling
- Updated mocks for `useWatch`, `useAuthContext`, `useHasAccess`, and `useResourcePermissions` to streamline test setup.
- Adjusted assertions to reflect changes in UI based on agent ID and user roles.
- Replaced `share-agent` component with `grant-access-dialog` in tests to align with recent UI updates.
- Added tests for handling null agent data and permissions loading scenarios.
* ci: enhance GraphApiService tests with MongoDB in-memory server
- Updated test setup to use MongoDB in-memory server for isolated testing.
- Refactored beforeEach to beforeAll for database connection management.
- Cleared database before each test to ensure a clean state.
- Retained existing mocks while improving test structure for better clarity.
* ci: enhance GraphApiService tests with additional logger mocks
- Added mock implementation for logger methods in GraphApiService tests to improve error and debug logging during test execution.
- Ensured existing mocks remain intact while enhancing test coverage and clarity.
* chore: address ESLint Warnings
* - add cursor-based pagination to getListAgentsByAccess and update handler
- add index on updatedAt and _id in agent schema for improved query performance
* refactor permission service with reuse of model methods from data-schema package
* - Fix ObjectId comparison in getListAgentsHandler using .equals() method instead of strict equality
- Add findPubliclyAccessibleResources function to PermissionService for bulk public resource queries
- Add hasPublicPermission function to PermissionService for individual resource public permission checks
- Update getAgentHandler to use hasPublicPermission for accurate individual agent public status
- Replace instanceProjectId-based global checks with isPublic property from backend in client code
- Add isPublic property to Agent type definition
- Add NODE_TLS_REJECT_UNAUTHORIZED debug setting to VS Code launch config
* feat: add check for People.Read scope in searchContacts
* fix: add roleId parameter to grantPermission and update tests for GraphApiService
* refactor: remove problematic projection pipelines in getResourcePermissions for document db aws compatibility
* feat: enhance agent permissions migration with DocumentDB compatibility and add dry-run script
* feat: add support for including Entra ID group owners as members in permissions management + fix Group members paging
* feat: enforce at least one owner requirement for permission updates and add corresponding localization messages
* refactor: remove German locale (must be added via i18n)
* chore: linting in `api/models/Agent.js` and removed unused variables
* chore: linting, remove unused vars, and remove project-related parameters from `updateAgentHandler`
* chore: address ESLint errors
* chore: revert removal of unused vars for versioning
---------
Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
675 lines
No EOL
20 KiB
Text
675 lines
No EOL
20 KiB
Text
#=====================================================================#
|
|
# LibreChat Configuration #
|
|
#=====================================================================#
|
|
# Please refer to the reference documentation for assistance #
|
|
# with configuring your LibreChat environment. #
|
|
# #
|
|
# https://www.librechat.ai/docs/configuration/dotenv #
|
|
#=====================================================================#
|
|
|
|
#==================================================#
|
|
# Server Configuration #
|
|
#==================================================#
|
|
|
|
HOST=localhost
|
|
PORT=3080
|
|
|
|
MONGO_URI=mongodb://127.0.0.1:27017/LibreChat
|
|
|
|
DOMAIN_CLIENT=http://localhost:3080
|
|
DOMAIN_SERVER=http://localhost:3080
|
|
|
|
NO_INDEX=true
|
|
# Use the address that is at most n number of hops away from the Express application.
|
|
# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
|
|
# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
|
|
# Defaulted to 1.
|
|
TRUST_PROXY=1
|
|
|
|
#===============#
|
|
# JSON Logging #
|
|
#===============#
|
|
|
|
# Use when process console logs in cloud deployment like GCP/AWS
|
|
CONSOLE_JSON=false
|
|
|
|
#===============#
|
|
# Debug Logging #
|
|
#===============#
|
|
|
|
DEBUG_LOGGING=true
|
|
DEBUG_CONSOLE=false
|
|
|
|
#=============#
|
|
# Permissions #
|
|
#=============#
|
|
|
|
# UID=1000
|
|
# GID=1000
|
|
|
|
#===============#
|
|
# Configuration #
|
|
#===============#
|
|
# Use an absolute path, a relative path, or a URL
|
|
|
|
# CONFIG_PATH="/alternative/path/to/librechat.yaml"
|
|
|
|
#===================================================#
|
|
# Endpoints #
|
|
#===================================================#
|
|
|
|
# ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
|
|
|
|
PROXY=
|
|
|
|
#===================================#
|
|
# Known Endpoints - librechat.yaml #
|
|
#===================================#
|
|
# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
|
|
|
|
# ANYSCALE_API_KEY=
|
|
# APIPIE_API_KEY=
|
|
# COHERE_API_KEY=
|
|
# DEEPSEEK_API_KEY=
|
|
# DATABRICKS_API_KEY=
|
|
# FIREWORKS_API_KEY=
|
|
# GROQ_API_KEY=
|
|
# HUGGINGFACE_TOKEN=
|
|
# MISTRAL_API_KEY=
|
|
# OPENROUTER_KEY=
|
|
# PERPLEXITY_API_KEY=
|
|
# SHUTTLEAI_API_KEY=
|
|
# TOGETHERAI_API_KEY=
|
|
# UNIFY_API_KEY=
|
|
# XAI_API_KEY=
|
|
|
|
#============#
|
|
# Anthropic #
|
|
#============#
|
|
|
|
ANTHROPIC_API_KEY=user_provided
|
|
# ANTHROPIC_MODELS=claude-opus-4-20250514,claude-sonnet-4-20250514,claude-3-7-sonnet-20250219,claude-3-5-sonnet-20241022,claude-3-5-haiku-20241022,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307
|
|
# ANTHROPIC_REVERSE_PROXY=
|
|
|
|
#============#
|
|
# Azure #
|
|
#============#
|
|
|
|
# Note: these variables are DEPRECATED
|
|
# Use the `librechat.yaml` configuration for `azureOpenAI` instead
|
|
# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
|
|
|
|
# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
|
|
# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
|
|
# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
|
|
# AZURE_API_KEY= # Deprecated
|
|
# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
|
|
# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
|
|
# AZURE_OPENAI_API_VERSION= # Deprecated
|
|
# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
|
|
# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
|
|
# PLUGINS_USE_AZURE="true" # Deprecated
|
|
|
|
#=================#
|
|
# AWS Bedrock #
|
|
#=================#
|
|
|
|
# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
|
|
# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
|
|
# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
|
|
# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
|
|
|
|
# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
|
|
# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
|
|
|
|
# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
|
|
|
|
# Notes on specific models:
|
|
# The following models are not support due to not supporting streaming:
|
|
# ai21.j2-mid-v1
|
|
|
|
# The following models are not support due to not supporting conversation history:
|
|
# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
|
|
|
|
#============#
|
|
# Google #
|
|
#============#
|
|
|
|
GOOGLE_KEY=user_provided
|
|
|
|
# GOOGLE_REVERSE_PROXY=
|
|
# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
|
|
# GOOGLE_AUTH_HEADER=true
|
|
|
|
# Gemini API (AI Studio)
|
|
# GOOGLE_MODELS=gemini-2.5-pro-preview-05-06,gemini-2.5-flash-preview-04-17,gemini-2.0-flash-001,gemini-2.0-flash-exp,gemini-2.0-flash-lite-001,gemini-1.5-pro-002,gemini-1.5-flash-002
|
|
|
|
# Vertex AI
|
|
# GOOGLE_MODELS=gemini-2.5-pro-preview-05-06,gemini-2.5-flash-preview-04-17,gemini-2.0-flash-001,gemini-2.0-flash-exp,gemini-2.0-flash-lite-001,gemini-1.5-pro-002,gemini-1.5-flash-002
|
|
|
|
# GOOGLE_TITLE_MODEL=gemini-2.0-flash-lite-001
|
|
|
|
# GOOGLE_LOC=us-central1
|
|
|
|
# Google Safety Settings
|
|
# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
|
|
#
|
|
# For Vertex AI:
|
|
# To use the BLOCK_NONE setting, you need either:
|
|
# (a) Access through an allowlist via your Google account team, or
|
|
# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
|
|
#
|
|
# For Gemini API (AI Studio):
|
|
# BLOCK_NONE is available by default, no special account requirements.
|
|
#
|
|
# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
|
|
#
|
|
# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
|
|
# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
|
|
# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
|
|
# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
|
|
# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
|
|
|
|
#============#
|
|
# OpenAI #
|
|
#============#
|
|
|
|
OPENAI_API_KEY=user_provided
|
|
# OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,gpt-4.5-preview,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
|
|
|
|
DEBUG_OPENAI=false
|
|
|
|
# TITLE_CONVO=false
|
|
# OPENAI_TITLE_MODEL=gpt-4o-mini
|
|
|
|
# OPENAI_SUMMARIZE=true
|
|
# OPENAI_SUMMARY_MODEL=gpt-4o-mini
|
|
|
|
# OPENAI_FORCE_PROMPT=true
|
|
|
|
# OPENAI_REVERSE_PROXY=
|
|
|
|
# OPENAI_ORGANIZATION=
|
|
|
|
#====================#
|
|
# Assistants API #
|
|
#====================#
|
|
|
|
ASSISTANTS_API_KEY=user_provided
|
|
# ASSISTANTS_BASE_URL=
|
|
# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
|
|
|
|
#==========================#
|
|
# Azure Assistants API #
|
|
#==========================#
|
|
|
|
# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
|
|
# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
|
|
|
|
# More info, including how to enable use of Assistants with Azure here:
|
|
# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
|
|
|
|
#============#
|
|
# Plugins #
|
|
#============#
|
|
|
|
# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
|
|
|
|
DEBUG_PLUGINS=true
|
|
|
|
CREDS_KEY=f34be427ebb29de8d88c107a71546019685ed8b241d8f2ed00c3df97ad2566f0
|
|
CREDS_IV=e2341419ec3dd3d19b13a1a87fafcbfb
|
|
|
|
# Azure AI Search
|
|
#-----------------
|
|
AZURE_AI_SEARCH_SERVICE_ENDPOINT=
|
|
AZURE_AI_SEARCH_INDEX_NAME=
|
|
AZURE_AI_SEARCH_API_KEY=
|
|
|
|
AZURE_AI_SEARCH_API_VERSION=
|
|
AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
|
|
AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
|
|
AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
|
|
|
|
# OpenAI Image Tools Customization
|
|
#----------------
|
|
# IMAGE_GEN_OAI_DESCRIPTION_WITH_FILES=Custom description for image generation tool when files are present
|
|
# IMAGE_GEN_OAI_DESCRIPTION_NO_FILES=Custom description for image generation tool when no files are present
|
|
# IMAGE_EDIT_OAI_DESCRIPTION=Custom description for image editing tool
|
|
# IMAGE_GEN_OAI_PROMPT_DESCRIPTION=Custom prompt description for image generation tool
|
|
# IMAGE_EDIT_OAI_PROMPT_DESCRIPTION=Custom prompt description for image editing tool
|
|
|
|
# DALL·E
|
|
#----------------
|
|
# DALLE_API_KEY=
|
|
# DALLE3_API_KEY=
|
|
# DALLE2_API_KEY=
|
|
# DALLE3_SYSTEM_PROMPT=
|
|
# DALLE2_SYSTEM_PROMPT=
|
|
# DALLE_REVERSE_PROXY=
|
|
# DALLE3_BASEURL=
|
|
# DALLE2_BASEURL=
|
|
|
|
# DALL·E (via Azure OpenAI)
|
|
# Note: requires some of the variables above to be set
|
|
#----------------
|
|
# DALLE3_AZURE_API_VERSION=
|
|
# DALLE2_AZURE_API_VERSION=
|
|
|
|
# Flux
|
|
#-----------------
|
|
FLUX_API_BASE_URL=https://api.us1.bfl.ai
|
|
# FLUX_API_BASE_URL = 'https://api.bfl.ml';
|
|
|
|
# Get your API key at https://api.us1.bfl.ai/auth/profile
|
|
# FLUX_API_KEY=
|
|
|
|
# Google
|
|
#-----------------
|
|
GOOGLE_SEARCH_API_KEY=
|
|
GOOGLE_CSE_ID=
|
|
|
|
# YOUTUBE
|
|
#-----------------
|
|
YOUTUBE_API_KEY=
|
|
|
|
# SerpAPI
|
|
#-----------------
|
|
SERPAPI_API_KEY=
|
|
|
|
# Stable Diffusion
|
|
#-----------------
|
|
SD_WEBUI_URL=http://host.docker.internal:7860
|
|
|
|
# Tavily
|
|
#-----------------
|
|
TAVILY_API_KEY=
|
|
|
|
# Traversaal
|
|
#-----------------
|
|
TRAVERSAAL_API_KEY=
|
|
|
|
# WolframAlpha
|
|
#-----------------
|
|
WOLFRAM_APP_ID=
|
|
|
|
# Zapier
|
|
#-----------------
|
|
ZAPIER_NLA_API_KEY=
|
|
|
|
#==================================================#
|
|
# Search #
|
|
#==================================================#
|
|
|
|
SEARCH=true
|
|
MEILI_NO_ANALYTICS=true
|
|
MEILI_HOST=http://0.0.0.0:7700
|
|
MEILI_MASTER_KEY=DrhYf7zENyR6AlUCKmnz0eYASOQdl6zxH7s7MKFSfFCt
|
|
|
|
# Optional: Disable indexing, useful in a multi-node setup
|
|
# where only one instance should perform an index sync.
|
|
# MEILI_NO_SYNC=true
|
|
|
|
#==================================================#
|
|
# Speech to Text & Text to Speech #
|
|
#==================================================#
|
|
|
|
STT_API_KEY=
|
|
TTS_API_KEY=
|
|
|
|
#==================================================#
|
|
# RAG #
|
|
#==================================================#
|
|
# More info: https://www.librechat.ai/docs/configuration/rag_api
|
|
|
|
# RAG_OPENAI_BASEURL=
|
|
# RAG_OPENAI_API_KEY=
|
|
# RAG_USE_FULL_CONTEXT=
|
|
# EMBEDDINGS_PROVIDER=openai
|
|
# EMBEDDINGS_MODEL=text-embedding-3-small
|
|
|
|
#===================================================#
|
|
# User System #
|
|
#===================================================#
|
|
|
|
#========================#
|
|
# Moderation #
|
|
#========================#
|
|
|
|
OPENAI_MODERATION=false
|
|
OPENAI_MODERATION_API_KEY=
|
|
# OPENAI_MODERATION_REVERSE_PROXY=
|
|
|
|
BAN_VIOLATIONS=true
|
|
BAN_DURATION=1000 * 60 * 60 * 2
|
|
BAN_INTERVAL=20
|
|
|
|
LOGIN_VIOLATION_SCORE=1
|
|
REGISTRATION_VIOLATION_SCORE=1
|
|
CONCURRENT_VIOLATION_SCORE=1
|
|
MESSAGE_VIOLATION_SCORE=1
|
|
NON_BROWSER_VIOLATION_SCORE=20
|
|
|
|
LOGIN_MAX=7
|
|
LOGIN_WINDOW=5
|
|
REGISTER_MAX=5
|
|
REGISTER_WINDOW=60
|
|
|
|
LIMIT_CONCURRENT_MESSAGES=true
|
|
CONCURRENT_MESSAGE_MAX=2
|
|
|
|
LIMIT_MESSAGE_IP=true
|
|
MESSAGE_IP_MAX=40
|
|
MESSAGE_IP_WINDOW=1
|
|
|
|
LIMIT_MESSAGE_USER=false
|
|
MESSAGE_USER_MAX=40
|
|
MESSAGE_USER_WINDOW=1
|
|
|
|
ILLEGAL_MODEL_REQ_SCORE=5
|
|
|
|
#========================#
|
|
# Balance #
|
|
#========================#
|
|
|
|
# CHECK_BALANCE=false
|
|
# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
|
|
|
|
#========================#
|
|
# Registration and Login #
|
|
#========================#
|
|
|
|
ALLOW_EMAIL_LOGIN=true
|
|
ALLOW_REGISTRATION=true
|
|
ALLOW_SOCIAL_LOGIN=false
|
|
ALLOW_SOCIAL_REGISTRATION=false
|
|
ALLOW_PASSWORD_RESET=false
|
|
# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
|
|
ALLOW_UNVERIFIED_EMAIL_LOGIN=true
|
|
|
|
SESSION_EXPIRY=1000 * 60 * 15
|
|
REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
|
|
|
|
JWT_SECRET=16f8c0ef4a5d391b26034086c628469d3f9f497f08163ab9b40137092f2909ef
|
|
JWT_REFRESH_SECRET=eaa5191f2914e30b9387fd84e254e4ba6fc51b4654968a9b0803b456a54b8418
|
|
|
|
# Discord
|
|
DISCORD_CLIENT_ID=
|
|
DISCORD_CLIENT_SECRET=
|
|
DISCORD_CALLBACK_URL=/oauth/discord/callback
|
|
|
|
# Facebook
|
|
FACEBOOK_CLIENT_ID=
|
|
FACEBOOK_CLIENT_SECRET=
|
|
FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
|
|
|
|
# GitHub
|
|
GITHUB_CLIENT_ID=
|
|
GITHUB_CLIENT_SECRET=
|
|
GITHUB_CALLBACK_URL=/oauth/github/callback
|
|
# GitHub Enterprise
|
|
# GITHUB_ENTERPRISE_BASE_URL=
|
|
# GITHUB_ENTERPRISE_USER_AGENT=
|
|
|
|
# Google
|
|
GOOGLE_CLIENT_ID=
|
|
GOOGLE_CLIENT_SECRET=
|
|
GOOGLE_CALLBACK_URL=/oauth/google/callback
|
|
|
|
# Apple
|
|
APPLE_CLIENT_ID=
|
|
APPLE_TEAM_ID=
|
|
APPLE_KEY_ID=
|
|
APPLE_PRIVATE_KEY_PATH=
|
|
APPLE_CALLBACK_URL=/oauth/apple/callback
|
|
|
|
# OpenID
|
|
OPENID_CLIENT_ID=
|
|
OPENID_CLIENT_SECRET=
|
|
OPENID_ISSUER=
|
|
OPENID_SESSION_SECRET=
|
|
OPENID_SCOPE="openid profile email"
|
|
OPENID_CALLBACK_URL=/oauth/openid/callback
|
|
OPENID_REQUIRED_ROLE=
|
|
OPENID_REQUIRED_ROLE_TOKEN_KIND=
|
|
OPENID_REQUIRED_ROLE_PARAMETER_PATH=
|
|
# Set to determine which user info property returned from OpenID Provider to store as the User's username
|
|
OPENID_USERNAME_CLAIM=
|
|
# Set to determine which user info property returned from OpenID Provider to store as the User's name
|
|
OPENID_NAME_CLAIM=
|
|
|
|
OPENID_BUTTON_LABEL=
|
|
OPENID_IMAGE_URL=
|
|
# Set to true to automatically redirect to the OpenID provider when a user visits the login page
|
|
# This will bypass the login form completely for users, only use this if OpenID is your only authentication method
|
|
OPENID_AUTO_REDIRECT=false
|
|
# Set to true to use PKCE (Proof Key for Code Exchange) for OpenID authentication
|
|
OPENID_USE_PKCE=false
|
|
#Set to true to reuse openid tokens for authentication management instead of using the mongodb session and the custom refresh token.
|
|
OPENID_REUSE_TOKENS=
|
|
#By default, signing key verification results are cached in order to prevent excessive HTTP requests to the JWKS endpoint.
|
|
#If a signing key matching the kid is found, this will be cached and the next time this kid is requested the signing key will be served from the cache.
|
|
#Default is true.
|
|
OPENID_JWKS_URL_CACHE_ENABLED=
|
|
OPENID_JWKS_URL_CACHE_TIME= # 600000 ms eq to 10 minutes leave empty to disable caching
|
|
#Set to true to trigger token exchange flow to acquire access token for the userinfo endpoint.
|
|
OPENID_ON_BEHALF_FLOW_FOR_USERINFRO_REQUIRED=
|
|
OPENID_ON_BEHALF_FLOW_USERINFRO_SCOPE = "user.read" # example for Scope Needed for Microsoft Graph API
|
|
# Set to true to use the OpenID Connect end session endpoint for logout
|
|
OPENID_USE_END_SESSION_ENDPOINT=
|
|
|
|
|
|
# SAML
|
|
# Note: If OpenID is enabled, SAML authentication will be automatically disabled.
|
|
SAML_ENTRY_POINT=
|
|
SAML_ISSUER=
|
|
SAML_CERT=
|
|
SAML_CALLBACK_URL=/oauth/saml/callback
|
|
SAML_SESSION_SECRET=
|
|
|
|
# Attribute mappings (optional)
|
|
SAML_EMAIL_CLAIM=
|
|
SAML_USERNAME_CLAIM=
|
|
SAML_GIVEN_NAME_CLAIM=
|
|
SAML_FAMILY_NAME_CLAIM=
|
|
SAML_PICTURE_CLAIM=
|
|
SAML_NAME_CLAIM=
|
|
|
|
# Logint buttion settings (optional)
|
|
SAML_BUTTON_LABEL=
|
|
SAML_IMAGE_URL=
|
|
|
|
# Whether the SAML Response should be signed.
|
|
# - If "true", the entire `SAML Response` will be signed.
|
|
# - If "false" or unset, only the `SAML Assertion` will be signed (default behavior).
|
|
# SAML_USE_AUTHN_RESPONSE_SIGNED=
|
|
|
|
|
|
#===============================================#
|
|
# Microsoft Graph API / Entra ID Integration #
|
|
#===============================================#
|
|
|
|
# Enable Entra ID people search integration in permissions/sharing system
|
|
# When enabled, the people picker will search both local database and Entra ID
|
|
USE_ENTRA_ID_FOR_PEOPLE_SEARCH=false
|
|
|
|
# When enabled, entra id groups owners will be considered as members of the group
|
|
ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=false
|
|
|
|
# Microsoft Graph API scopes needed for people/group search
|
|
# Default scopes provide access to user profiles and group memberships
|
|
OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All
|
|
|
|
# LDAP
|
|
LDAP_URL=
|
|
LDAP_BIND_DN=
|
|
LDAP_BIND_CREDENTIALS=
|
|
LDAP_USER_SEARCH_BASE=
|
|
#LDAP_SEARCH_FILTER="mail="
|
|
LDAP_CA_CERT_PATH=
|
|
# LDAP_TLS_REJECT_UNAUTHORIZED=
|
|
# LDAP_STARTTLS=
|
|
# LDAP_LOGIN_USES_USERNAME=true
|
|
# LDAP_ID=
|
|
# LDAP_USERNAME=
|
|
# LDAP_EMAIL=
|
|
# LDAP_FULL_NAME=
|
|
|
|
#========================#
|
|
# Email Password Reset #
|
|
#========================#
|
|
|
|
EMAIL_SERVICE=
|
|
EMAIL_HOST=
|
|
EMAIL_PORT=25
|
|
EMAIL_ENCRYPTION=
|
|
EMAIL_ENCRYPTION_HOSTNAME=
|
|
EMAIL_ALLOW_SELFSIGNED=
|
|
EMAIL_USERNAME=
|
|
EMAIL_PASSWORD=
|
|
EMAIL_FROM_NAME=
|
|
EMAIL_FROM=noreply@librechat.ai
|
|
|
|
#========================#
|
|
# Mailgun API #
|
|
#========================#
|
|
|
|
# MAILGUN_API_KEY=your-mailgun-api-key
|
|
# MAILGUN_DOMAIN=mg.yourdomain.com
|
|
# EMAIL_FROM=noreply@yourdomain.com
|
|
# EMAIL_FROM_NAME="LibreChat"
|
|
|
|
# # Optional: For EU region
|
|
# MAILGUN_HOST=https://api.eu.mailgun.net
|
|
|
|
#========================#
|
|
# Firebase CDN #
|
|
#========================#
|
|
|
|
FIREBASE_API_KEY=
|
|
FIREBASE_AUTH_DOMAIN=
|
|
FIREBASE_PROJECT_ID=
|
|
FIREBASE_STORAGE_BUCKET=
|
|
FIREBASE_MESSAGING_SENDER_ID=
|
|
FIREBASE_APP_ID=
|
|
|
|
#========================#
|
|
# S3 AWS Bucket #
|
|
#========================#
|
|
|
|
AWS_ENDPOINT_URL=
|
|
AWS_ACCESS_KEY_ID=
|
|
AWS_SECRET_ACCESS_KEY=
|
|
AWS_REGION=
|
|
AWS_BUCKET_NAME=
|
|
|
|
#========================#
|
|
# Azure Blob Storage #
|
|
#========================#
|
|
|
|
AZURE_STORAGE_CONNECTION_STRING=
|
|
AZURE_STORAGE_PUBLIC_ACCESS=false
|
|
AZURE_CONTAINER_NAME=files
|
|
|
|
#========================#
|
|
# Shared Links #
|
|
#========================#
|
|
|
|
ALLOW_SHARED_LINKS=true
|
|
ALLOW_SHARED_LINKS_PUBLIC=true
|
|
|
|
#==============================#
|
|
# Static File Cache Control #
|
|
#==============================#
|
|
|
|
# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
|
|
# NODE_ENV must be set to production for these to take effect
|
|
# STATIC_CACHE_MAX_AGE=172800
|
|
# STATIC_CACHE_S_MAX_AGE=86400
|
|
|
|
# If you have another service in front of your LibreChat doing compression, disable express based compression here
|
|
# DISABLE_COMPRESSION=true
|
|
|
|
#===================================================#
|
|
# UI #
|
|
#===================================================#
|
|
|
|
APP_TITLE=LibreChat
|
|
# CUSTOM_FOOTER="My custom footer"
|
|
HELP_AND_FAQ_URL=https://librechat.ai
|
|
|
|
# SHOW_BIRTHDAY_ICON=true
|
|
|
|
# Google tag manager id
|
|
#ANALYTICS_GTM_ID=user provided google tag manager id
|
|
|
|
#===============#
|
|
# REDIS Options #
|
|
#===============#
|
|
|
|
# REDIS_URI=10.10.10.10:6379
|
|
# USE_REDIS=true
|
|
|
|
# USE_REDIS_CLUSTER=true
|
|
# REDIS_CA=/path/to/ca.crt
|
|
|
|
#==================================================#
|
|
# Others #
|
|
#==================================================#
|
|
# You should leave the following commented out #
|
|
|
|
# NODE_ENV=
|
|
|
|
# E2E_USER_EMAIL=
|
|
# E2E_USER_PASSWORD=
|
|
|
|
#=====================================================#
|
|
# Cache Headers #
|
|
#=====================================================#
|
|
# Headers that control caching of the index.html #
|
|
# Default configuration prevents caching to ensure #
|
|
# users always get the latest version. Customize #
|
|
# only if you understand caching implications. #
|
|
|
|
# INDEX_CACHE_CONTROL=no-cache, no-store, must-revalidate
|
|
# INDEX_PRAGMA=no-cache
|
|
# INDEX_EXPIRES=0
|
|
|
|
# no-cache: Forces validation with server before using cached version
|
|
# no-store: Prevents storing the response entirely
|
|
# must-revalidate: Prevents using stale content when offline
|
|
|
|
#=====================================================#
|
|
# OpenWeather #
|
|
#=====================================================#
|
|
OPENWEATHER_API_KEY=
|
|
|
|
#====================================#
|
|
# LibreChat Code Interpreter API #
|
|
#====================================#
|
|
|
|
# https://code.librechat.ai
|
|
# LIBRECHAT_CODE_API_KEY=your-key
|
|
|
|
#======================#
|
|
# Web Search #
|
|
#======================#
|
|
|
|
# Note: All of the following variable names can be customized.
|
|
# Omit values to allow user to provide them.
|
|
|
|
# For more information on configuration values, see:
|
|
# https://librechat.ai/docs/features/web_search
|
|
|
|
# Search Provider (Required)
|
|
# SERPER_API_KEY=your_serper_api_key
|
|
|
|
# Scraper (Required)
|
|
# FIRECRAWL_API_KEY=your_firecrawl_api_key
|
|
# Optional: Custom Firecrawl API URL
|
|
# FIRECRAWL_API_URL=your_firecrawl_api_url
|
|
|
|
# Reranker (Required)
|
|
# JINA_API_KEY=your_jina_api_key
|
|
# or
|
|
# COHERE_API_KEY=your_cohere_api_key |