mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-13 01:39:24 +00:00
* 🔒 fix: Enforce ALLOW_EMAIL_LOGIN on Backend Login Route
ALLOW_EMAIL_LOGIN=false previously only hid the login form; POST
/api/auth/login stayed mounted and accepted valid credentials. Add a
validateEmailLogin middleware (mirroring validateRegistration /
validatePasswordReset) that rejects login with 403 when the flag is
disabled, with an ALLOW_EMAIL_LOGIN_OVERRIDE escape hatch for
intentional direct API login (each use logged with request IP).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
* fix: Gate admin local login by email login flag
* fix: Move email login gate into api package
* test: Avoid mutating readonly request ip
---------
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: Danny Avila <danny@librechat.ai>
|
||
|---|---|---|
| .. | ||
| __tests__ | ||
| accessResources | ||
| assistants | ||
| config | ||
| limiters | ||
| roles | ||
| spec | ||
| validate | ||
| abortMiddleware.js | ||
| abortMiddleware.spec.js | ||
| abortRun.js | ||
| buildEndpointOption.js | ||
| buildEndpointOption.spec.js | ||
| canAccessSharedLink.js | ||
| canDeleteAccount.js | ||
| canDeleteAccount.spec.js | ||
| checkBan.js | ||
| checkDomainAllowed.js | ||
| checkInviteUser.js | ||
| checkPeoplePickerAccess.js | ||
| checkPeoplePickerAccess.spec.js | ||
| checkSharePublicAccess.js | ||
| checkSharePublicAccess.spec.js | ||
| denyRequest.js | ||
| error.js | ||
| index.js | ||
| logHeaders.js | ||
| messageValidation.js | ||
| moderateText.js | ||
| noIndex.js | ||
| optionalJwtAuth.js | ||
| optionalShareFileAuth.js | ||
| optionalShareFileAuth.spec.js | ||
| requireJwtAuth.js | ||
| requireLdapAuth.js | ||
| requireLocalAuth.js | ||
| setHeaders.js | ||
| setTwoFactorTempUser.js | ||
| uaParser.js | ||
| validateEmailLogin.js | ||
| validateImageRequest.js | ||
| validateMessageReq.js | ||
| validateModel.js | ||
| validatePasswordReset.js | ||
| validateRegistration.js | ||