mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-05-13 16:07:30 +00:00
9c81792d25
* feat: add signed CloudFront downloads * fix: preserve local IdP avatar paths * fix: address signed download review findings * fix: harden CloudFront cookie scope validation * fix: preserve URL save API compatibility * fix: store CDN SSO avatars under shared prefix * fix: Harden CloudFront tenant file access * fix: Preserve CloudFront download compatibility * fix: Address CloudFront review follow-ups * fix: Preserve file URL fallback user paths * fix: Address download review hardening * fix: Use file owner for S3 RAG cleanup * fix: Address final download review nits * fix: Clear stale avatar CloudFront cookies * fix: Align download filename helpers with dev * fix: Address final CloudFront review follow-ups * fix: Stream S3 URL uploads * fix: Set S3 stream upload length * fix: Preserve download metadata filepath * fix: Avoid remote content length for stream uploads * fix: Use bounded multipart URL uploads * fix: Harden S3 filename boundaries
61 lines
2 KiB
JavaScript
61 lines
2 KiB
JavaScript
const jwt = require('jsonwebtoken');
|
|
const { logger } = require('@librechat/data-schemas');
|
|
const {
|
|
verifyTOTP,
|
|
getTOTPSecret,
|
|
verifyBackupCode,
|
|
} = require('~/server/services/twoFactorService');
|
|
const { setAuthTokens } = require('~/server/services/AuthService');
|
|
const { getUserById } = require('~/models');
|
|
|
|
/**
|
|
* Verifies the 2FA code during login using a temporary token.
|
|
*/
|
|
const verify2FAWithTempToken = async (req, res) => {
|
|
try {
|
|
const { tempToken, token, backupCode } = req.body;
|
|
if (!tempToken) {
|
|
return res.status(400).json({ message: 'Missing temporary token' });
|
|
}
|
|
|
|
let payload;
|
|
try {
|
|
payload = jwt.verify(tempToken, process.env.JWT_SECRET);
|
|
} catch (err) {
|
|
logger.error('Failed to verify temporary token:', err);
|
|
return res.status(401).json({ message: 'Invalid or expired temporary token' });
|
|
}
|
|
|
|
const user = await getUserById(payload.userId, '+totpSecret +backupCodes');
|
|
if (!user || !user.twoFactorEnabled) {
|
|
return res.status(400).json({ message: '2FA is not enabled for this user' });
|
|
}
|
|
|
|
const secret = await getTOTPSecret(user.totpSecret);
|
|
let isVerified = false;
|
|
if (token) {
|
|
isVerified = await verifyTOTP(secret, token);
|
|
} else if (backupCode) {
|
|
isVerified = await verifyBackupCode({ user, backupCode });
|
|
}
|
|
|
|
if (!isVerified) {
|
|
return res.status(401).json({ message: 'Invalid 2FA code or backup code' });
|
|
}
|
|
|
|
const userData = user.toObject ? user.toObject() : { ...user };
|
|
delete userData.__v;
|
|
delete userData.password;
|
|
delete userData.totpSecret;
|
|
delete userData.backupCodes;
|
|
userData.id = user._id.toString();
|
|
|
|
const authToken = await setAuthTokens(user._id, res, null, req);
|
|
return res.status(200).json({ token: authToken, user: userData });
|
|
} catch (err) {
|
|
logger.error('[verify2FAWithTempToken]', err);
|
|
return res.status(500).json({ message: 'Something went wrong' });
|
|
}
|
|
};
|
|
|
|
module.exports = { verify2FAWithTempToken };
|