mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-25 12:48:53 +01:00
ec7370dfe9
* chore: Update @modelcontextprotocol/sdk to version 1.12.3 in package.json and package-lock.json - Bump version of @modelcontextprotocol/sdk to 1.12.3 to incorporate recent updates. - Update dependencies for ajv and cross-spawn to their latest versions. - Add ajv as a new dependency in the sdk module. - Include json-schema-traverse as a new dependency in the sdk module. * feat: @librechat/auth * feat: Add crypto module exports to auth package - Introduced a new crypto module by creating index.ts in the crypto directory. - Updated the main index.ts of the auth package to export from the new crypto module. * feat: Update package dependencies and build scripts for auth package - Added @librechat/auth as a dependency in package.json and package-lock.json. - Updated build scripts to include the auth package in both frontend and bun build processes. - Removed unused mongoose and openid-client dependencies from package-lock.json for cleaner dependency management. * refactor: Migrate crypto utility functions to @librechat/auth - Replaced local crypto utility imports with the new @librechat/auth package across multiple files. - Removed the obsolete crypto.js file and its exports. - Updated relevant services and models to utilize the new encryption and decryption methods from @librechat/auth. * feat: Enhance OAuth token handling and update dependencies in auth package * chore: Remove Token model and TokenService due to restructuring of OAuth handling - Deleted the Token.js model and TokenService.js, which were responsible for managing OAuth tokens. - This change is part of a broader refactor to streamline OAuth token management and improve code organization. * refactor: imports from '@librechat/auth' to '@librechat/api' and add OAuth token handling functionality * refactor: Simplify logger usage in MCP and FlowStateManager classes * chore: fix imports * feat: Add OAuth configuration schema to MCP with token exchange method support * feat: FIRST PASS Implement MCP OAuth flow with token management and error handling - Added a new route for handling OAuth callbacks and token retrieval. - Integrated OAuth token storage and retrieval mechanisms. - Enhanced MCP connection to support automatic OAuth flow initiation on 401 errors. - Implemented dynamic client registration and metadata discovery for OAuth. - Updated MCPManager to manage OAuth tokens and handle authentication requirements. - Introduced comprehensive logging for OAuth processes and error handling. * refactor: Update MCPConnection and MCPManager to utilize new URL handling - Added a `url` property to MCPConnection for better URL management. - Refactored MCPManager to use the new `url` property instead of a deprecated method for OAuth handling. - Changed logging from info to debug level for flow manager and token methods initialization. - Improved comments for clarity on existing tokens and OAuth event listener setup. * refactor: Improve connection timeout error messages in MCPConnection and MCPManager and use initTimeout for connection - Updated the connection timeout error messages to include the duration of the timeout. - Introduced a configurable `connectTimeout` variable in both MCPConnection and MCPManager for better flexibility. * chore: cleanup MCP OAuth Token exchange handling; fix: erroneous use of flowsCache and remove verbose logs * refactor: Update MCPManager and MCPTokenStorage to use TokenMethods for token management - Removed direct token storage handling in MCPManager and replaced it with TokenMethods for better abstraction. - Refactored MCPTokenStorage methods to accept parameters for token operations, enhancing flexibility and readability. - Improved logging messages related to token persistence and retrieval processes. * refactor: Update MCP OAuth handling to use static methods and improve flow management - Refactored MCPOAuthHandler to utilize static methods for initiating and completing OAuth flows, enhancing clarity and reducing instance dependencies. - Updated MCPManager to pass flowManager explicitly to OAuth handling methods, improving flexibility in flow state management. - Enhanced comments and logging for better understanding of OAuth processes and flow state retrieval. * refactor: Integrate token methods into createMCPTool for enhanced token management * refactor: Change logging from info to debug level in MCPOAuthHandler for improved log management * chore: clean up logging * feat: first pass, auth URL from MCP OAuth flow * chore: Improve logging format for OAuth authentication URL display * chore: cleanup mcp manager comments * feat: add connection reconnection logic in MCPManager * refactor: reorganize token storage handling in MCP - Moved token storage logic from MCPManager to a new MCPTokenStorage class for better separation of concerns. - Updated imports to reflect the new token storage structure. - Enhanced methods for storing, retrieving, updating, and deleting OAuth tokens, improving overall token management. * chore: update comment for SYSTEM_USER_ID in MCPManager for clarity * feat: implement refresh token functionality in MCP - Added refresh token handling in MCPManager to support token renewal for both app-level and user-specific connections. - Introduced a refreshTokens function to facilitate token refresh logic. - Enhanced MCPTokenStorage to manage client information and refresh token processes. - Updated logging for better traceability during token operations. * chore: cleanup @librechat/auth * feat: implement MCP server initialization in a separate service - Added a new service to handle the initialization of MCP servers, improving code organization and readability. - Refactored the server startup logic to utilize the new initializeMCP function. - Removed redundant MCP initialization code from the main server file. * fix: don't log auth url for user connections * feat: enhance OAuth flow with success and error handling components - Updated OAuth callback routes to redirect to new success and error pages instead of sending status messages. - Introduced `OAuthSuccess` and `OAuthError` components to provide user feedback during authentication. - Added localization support for success and error messages in the translation files. - Implemented countdown functionality in the success component for a better user experience. * fix: refresh token handling for user connections, add missing URL and methods - add standard enum for system user id and helper for determining app-lvel vs. user-level connections * refactor: update token handling in MCPManager and MCPTokenStorage * fix: improve error logging in OAuth authentication handler * fix: concurrency issues for both login url emission and concurrency of oauth flows for shared flows (same user, same server, multiple calls for same server) * fix: properly fail shared flows for concurrent server calls and prevent duplication of tokens * chore: remove unused auth package directory from update configuration * ci: fix mocks in samlStrategy tests * ci: add mcpConfig to AppService test setup * chore: remove obsolete MCP OAuth implementation documentation * fix: update build script for API to use correct command * chore: bump version of @librechat/api to 1.2.4 * fix: update abort signal handling in createMCPTool function * fix: add optional clientInfo parameter to refreshTokensFunction metadata * refactor: replace app.locals.availableTools with getCachedTools in multiple services and controllers for improved tool management * fix: concurrent refresh token handling issue * refactor: add signal parameter to getUserConnection method for improved abort handling * chore: JSDoc typing for `loadEphemeralAgent` * refactor: update isConnectionActive method to use destructured parameters for improved readability * feat: implement caching for MCP tools to handle app-level disconnects for loading list of tools * ci: fix agent test
129 lines
4.4 KiB
TypeScript
129 lines
4.4 KiB
TypeScript
import 'dotenv/config';
|
|
import crypto from 'node:crypto';
|
|
const { webcrypto } = crypto;
|
|
|
|
// Use hex decoding for both key and IV for legacy methods.
|
|
const key = Buffer.from(process.env.CREDS_KEY ?? '', 'hex');
|
|
const iv = Buffer.from(process.env.CREDS_IV ?? '', 'hex');
|
|
const algorithm = 'AES-CBC';
|
|
|
|
// --- Legacy v1/v2 Setup: AES-CBC with fixed key and IV ---
|
|
|
|
export async function encrypt(value: string) {
|
|
const cryptoKey = await webcrypto.subtle.importKey('raw', key, { name: algorithm }, false, [
|
|
'encrypt',
|
|
]);
|
|
const encoder = new TextEncoder();
|
|
const data = encoder.encode(value);
|
|
const encryptedBuffer = await webcrypto.subtle.encrypt(
|
|
{ name: algorithm, iv: iv },
|
|
cryptoKey,
|
|
data,
|
|
);
|
|
return Buffer.from(encryptedBuffer).toString('hex');
|
|
}
|
|
|
|
export async function decrypt(encryptedValue: string) {
|
|
const cryptoKey = await webcrypto.subtle.importKey('raw', key, { name: algorithm }, false, [
|
|
'decrypt',
|
|
]);
|
|
const encryptedBuffer = Buffer.from(encryptedValue, 'hex');
|
|
const decryptedBuffer = await webcrypto.subtle.decrypt(
|
|
{ name: algorithm, iv: iv },
|
|
cryptoKey,
|
|
encryptedBuffer,
|
|
);
|
|
const decoder = new TextDecoder();
|
|
return decoder.decode(decryptedBuffer);
|
|
}
|
|
|
|
// --- v2: AES-CBC with a random IV per encryption ---
|
|
|
|
export async function encryptV2(value: string) {
|
|
const gen_iv = webcrypto.getRandomValues(new Uint8Array(16));
|
|
const cryptoKey = await webcrypto.subtle.importKey('raw', key, { name: algorithm }, false, [
|
|
'encrypt',
|
|
]);
|
|
const encoder = new TextEncoder();
|
|
const data = encoder.encode(value);
|
|
const encryptedBuffer = await webcrypto.subtle.encrypt(
|
|
{ name: algorithm, iv: gen_iv },
|
|
cryptoKey,
|
|
data,
|
|
);
|
|
return Buffer.from(gen_iv).toString('hex') + ':' + Buffer.from(encryptedBuffer).toString('hex');
|
|
}
|
|
|
|
export async function decryptV2(encryptedValue: string) {
|
|
const parts = encryptedValue.split(':');
|
|
if (parts.length === 1) {
|
|
return parts[0];
|
|
}
|
|
const gen_iv = Buffer.from(parts.shift() ?? '', 'hex');
|
|
const encrypted = parts.join(':');
|
|
const cryptoKey = await webcrypto.subtle.importKey('raw', key, { name: algorithm }, false, [
|
|
'decrypt',
|
|
]);
|
|
const encryptedBuffer = Buffer.from(encrypted, 'hex');
|
|
const decryptedBuffer = await webcrypto.subtle.decrypt(
|
|
{ name: algorithm, iv: gen_iv },
|
|
cryptoKey,
|
|
encryptedBuffer,
|
|
);
|
|
const decoder = new TextDecoder();
|
|
return decoder.decode(decryptedBuffer);
|
|
}
|
|
|
|
// --- v3: AES-256-CTR using Node's crypto functions ---
|
|
const algorithm_v3 = 'aes-256-ctr';
|
|
|
|
/**
|
|
* Encrypts a value using AES-256-CTR.
|
|
* Note: AES-256 requires a 32-byte key. Ensure that process.env.CREDS_KEY is a 64-character hex string.
|
|
*
|
|
* @param value - The plaintext to encrypt.
|
|
* @returns The encrypted string with a "v3:" prefix.
|
|
*/
|
|
export function encryptV3(value: string) {
|
|
if (key.length !== 32) {
|
|
throw new Error(`Invalid key length: expected 32 bytes, got ${key.length} bytes`);
|
|
}
|
|
const iv_v3 = crypto.randomBytes(16);
|
|
const cipher = crypto.createCipheriv(algorithm_v3, key, iv_v3);
|
|
const encrypted = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
|
|
return `v3:${iv_v3.toString('hex')}:${encrypted.toString('hex')}`;
|
|
}
|
|
|
|
export function decryptV3(encryptedValue: string) {
|
|
const parts = encryptedValue.split(':');
|
|
if (parts[0] !== 'v3') {
|
|
throw new Error('Not a v3 encrypted value');
|
|
}
|
|
const iv_v3 = Buffer.from(parts[1], 'hex');
|
|
const encryptedText = Buffer.from(parts.slice(2).join(':'), 'hex');
|
|
const decipher = crypto.createDecipheriv(algorithm_v3, key, iv_v3);
|
|
const decrypted = Buffer.concat([decipher.update(encryptedText), decipher.final()]);
|
|
return decrypted.toString('utf8');
|
|
}
|
|
|
|
export async function getRandomValues(length: number) {
|
|
if (!Number.isInteger(length) || length <= 0) {
|
|
throw new Error('Length must be a positive integer');
|
|
}
|
|
const randomValues = new Uint8Array(length);
|
|
webcrypto.getRandomValues(randomValues);
|
|
return Buffer.from(randomValues).toString('hex');
|
|
}
|
|
|
|
/**
|
|
* Computes SHA-256 hash for the given input.
|
|
* @param input - The input to hash.
|
|
* @returns The SHA-256 hash of the input.
|
|
*/
|
|
export async function hashBackupCode(input: string) {
|
|
const encoder = new TextEncoder();
|
|
const data = encoder.encode(input);
|
|
const hashBuffer = await webcrypto.subtle.digest('SHA-256', data);
|
|
const hashArray = Array.from(new Uint8Array(hashBuffer));
|
|
return hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
|
|
}
|