mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-03-22 07:36:33 +01:00
ecd6d76bc8
* fix: Add removePorts keyGenerator to all IP-based rate limiters Six IP-based rate limiters are missing the `keyGenerator: removePorts` option that is already used by the auth-related limiters (login, register, resetPassword, verifyEmail). Without it, reverse proxies that include ports in X-Forwarded-For headers cause ERR_ERL_INVALID_IP_ADDRESS errors from express-rate-limit. Fixes #12318 * fix: make removePorts IPv6-safe to prevent rate-limit key collisions The original regex `/:\d+[^:]*$/` treated the last colon-delimited segment of bare IPv6 addresses as a port, mangling valid IPs (e.g. `::1` → `::`, `2001:db8::1` → `2001:db8::`). Distinct IPv6 clients could collapse into the same rate-limit bucket. Use `net.isIP()` as a fast path for already-valid IPs, then match bracketed IPv6+port and IPv4+port explicitly. Bare IPv6 addresses are now returned unchanged. Also fixes pre-existing property ordering inconsistency in ttsLimiters.js userLimiterOptions (keyGenerator before store). * refactor: move removePorts to packages/api as TypeScript, fix import order - Move removePorts implementation to packages/api/src/utils/removePorts.ts with proper Express Request typing - Reduce api/server/utils/removePorts.js to a thin re-export from @librechat/api for backward compatibility - Consolidate removePorts import with limiterCache from @librechat/api in all 6 limiter files, fixing import order (package imports shortest to longest, local imports longest to shortest) - Remove narrating inline comments per code style guidelines --------- Co-authored-by: Danny Avila <danny@librechat.ai> |
||
|---|---|---|
| .. | ||
| accessResources | ||
| assistants | ||
| config | ||
| limiters | ||
| roles | ||
| spec | ||
| validate | ||
| abortMiddleware.js | ||
| abortMiddleware.spec.js | ||
| abortRun.js | ||
| buildEndpointOption.js | ||
| buildEndpointOption.spec.js | ||
| canDeleteAccount.js | ||
| checkBan.js | ||
| checkDomainAllowed.js | ||
| checkInviteUser.js | ||
| checkPeoplePickerAccess.js | ||
| checkPeoplePickerAccess.spec.js | ||
| checkSharePublicAccess.js | ||
| checkSharePublicAccess.spec.js | ||
| denyRequest.js | ||
| error.js | ||
| index.js | ||
| logHeaders.js | ||
| moderateText.js | ||
| noIndex.js | ||
| optionalJwtAuth.js | ||
| requireJwtAuth.js | ||
| requireLdapAuth.js | ||
| requireLocalAuth.js | ||
| setHeaders.js | ||
| uaParser.js | ||
| validateImageRequest.js | ||
| validateMessageReq.js | ||
| validateModel.js | ||
| validatePasswordReset.js | ||
| validateRegistration.js | ||