Merge branch 'main' into feat/CAPTCHA

api/cache/keyvRedis.js

@@ -9,7 +9,7 @@ const { REDIS_URI, USE_REDIS, USE_REDIS_CLUSTER, REDIS_CA, REDIS_KEY_PREFIX, RED
 
 let keyvRedis;
 const redis_prefix = REDIS_KEY_PREFIX || '';
-const redis_max_listeners = REDIS_MAX_LISTENERS || 10;
+const redis_max_listeners = Number(REDIS_MAX_LISTENERS) || 10;
 
 function mapURI(uri) {
   const regex =

api/models/Role.js

@@ -6,8 +6,10 @@ const {
   removeNullishValues,
   agentPermissionsSchema,
   promptPermissionsSchema,
+  runCodePermissionsSchema,
   bookmarkPermissionsSchema,
   multiConvoPermissionsSchema,
+  temporaryChatPermissionsSchema,
 } = require('librechat-data-provider');
 const getLogStores = require('~/cache/getLogStores');
 const Role = require('~/models/schema/roleSchema');
@@ -77,6 +79,8 @@ const permissionSchemas = {
   [PermissionTypes.PROMPTS]: promptPermissionsSchema,
   [PermissionTypes.BOOKMARKS]: bookmarkPermissionsSchema,
   [PermissionTypes.MULTI_CONVO]: multiConvoPermissionsSchema,
+  [PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema,
+  [PermissionTypes.RUN_CODE]: runCodePermissionsSchema,
 };
 
 /**

api/models/schema/roleSchema.js

@@ -48,6 +48,18 @@ const roleSchema = new mongoose.Schema({
       default: true,
     },
   },
+  [PermissionTypes.TEMPORARY_CHAT]: {
+    [Permissions.USE]: {
+      type: Boolean,
+      default: true,
+    },
+  },
+  [PermissionTypes.RUN_CODE]: {
+    [Permissions.USE]: {
+      type: Boolean,
+      default: true,
+    },
+  },
 });
 
 const Role = mongoose.model('Role', roleSchema);

api/server/controllers/tools.js

@@ -1,17 +1,28 @@
 const { nanoid } = require('nanoid');
 const { EnvVar } = require('@librechat/agents');
-const { Tools, AuthType, ToolCallTypes } = require('librechat-data-provider');
+const {
+  Tools,
+  AuthType,
+  Permissions,
+  ToolCallTypes,
+  PermissionTypes,
+} = require('librechat-data-provider');
 const { processFileURL, uploadImageBuffer } = require('~/server/services/Files/process');
 const { processCodeOutput } = require('~/server/services/Files/Code/process');
-const { loadAuthValues, loadTools } = require('~/app/clients/tools/util');
 const { createToolCall, getToolCallsByConvo } = require('~/models/ToolCall');
+const { loadAuthValues, loadTools } = require('~/app/clients/tools/util');
+const { checkAccess } = require('~/server/middleware');
 const { getMessage } = require('~/models/Message');
 const { logger } = require('~/config');
 
 const fieldsMap = {
   [Tools.execute_code]: [EnvVar.CODE_API_KEY],
 };
 
+const toolAccessPermType = {
+  [Tools.execute_code]: PermissionTypes.RUN_CODE,
+};
+
 /**
  * @param {ServerRequest} req - The request object, containing information about the HTTP request.
  * @param {ServerResponse} res - The response object, used to send back the desired HTTP response.
@@ -58,6 +69,7 @@ const verifyToolAuth = async (req, res) => {
 /**
  * @param {ServerRequest} req - The request object, containing information about the HTTP request.
  * @param {ServerResponse} res - The response object, used to send back the desired HTTP response.
+ * @param {NextFunction} next - The next middleware function to call.
  * @returns {Promise<void>} A promise that resolves when the function has completed.
  */
 const callTool = async (req, res) => {
@@ -83,6 +95,16 @@ const callTool = async (req, res) => {
       return;
     }
     logger.debug(`[${toolId}/call] User: ${req.user.id}`);
+    let hasAccess = true;
+    if (toolAccessPermType[toolId]) {
+      hasAccess = await checkAccess(req.user, toolAccessPermType[toolId], [Permissions.USE]);
+    }
+    if (!hasAccess) {
+      logger.warn(
+        `[${toolAccessPermType[toolId]}] Forbidden: Insufficient permissions for User ${req.user.id}: ${Permissions.USE}`,
+      );
+      return res.status(403).json({ message: 'Forbidden: Insufficient permissions' });
+    }
     const { loadedTools } = await loadTools({
       user: req.user.id,
       tools: [toolId],

api/server/middleware/roles/generateCheckAccess.js

@@ -1,47 +1,78 @@
 const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+/**
+ * Core function to check if a user has one or more required permissions
+ *
+ * @param {object} user - The user object
+ * @param {PermissionTypes} permissionType - The type of permission to check
+ * @param {Permissions[]} permissions - The list of specific permissions to check
+ * @param {Record<Permissions, string[]>} [bodyProps] - An optional object where keys are permissions and values are arrays of properties to check
+ * @param {object} [checkObject] - The object to check properties against
+ * @returns {Promise<boolean>} Whether the user has the required permissions
+ */
+const checkAccess = async (user, permissionType, permissions, bodyProps = {}, checkObject = {}) => {
+  if (!user) {
+    return false;
+  }
+
+  const role = await getRoleByName(user.role);
+  if (role && role[permissionType]) {
+    const hasAnyPermission = permissions.some((permission) => {
+      if (role[permissionType][permission]) {
+        return true;
+      }
+
+      if (bodyProps[permission] && checkObject) {
+        return bodyProps[permission].some((prop) =>
+          Object.prototype.hasOwnProperty.call(checkObject, prop),
+        );
+      }
+
+      return false;
+    });
+
+    return hasAnyPermission;
+  }
+
+  return false;
+};
 
 /**
  * Middleware to check if a user has one or more required permissions, optionally based on `req.body` properties.
  *
  * @param {PermissionTypes} permissionType - The type of permission to check.
  * @param {Permissions[]} permissions - The list of specific permissions to check.
  * @param {Record<Permissions, string[]>} [bodyProps] - An optional object where keys are permissions and values are arrays of `req.body` properties to check.
- * @returns {Function} Express middleware function.
+ * @returns {(req: ServerRequest, res: ServerResponse, next: NextFunction) => Promise<void>} Express middleware function.
  */
 const generateCheckAccess = (permissionType, permissions, bodyProps = {}) => {
   return async (req, res, next) => {
     try {
-      const { user } = req;
-      if (!user) {
-        return res.status(401).json({ message: 'Authorization required' });
-      }
+      const hasAccess = await checkAccess(
+        req.user,
+        permissionType,
+        permissions,
+        bodyProps,
+        req.body,
+      );
 
-      const role = await getRoleByName(user.role);
-      if (role && role[permissionType]) {
-        const hasAnyPermission = permissions.some((permission) => {
-          if (role[permissionType][permission]) {
-            return true;
-          }
-
-          if (bodyProps[permission] && req.body) {
-            return bodyProps[permission].some((prop) =>
-              Object.prototype.hasOwnProperty.call(req.body, prop),
-            );
-          }
-
-          return false;
-        });
-
-        if (hasAnyPermission) {
-          return next();
-        }
+      if (hasAccess) {
+        return next();
       }
 
+      logger.warn(
+        `[${permissionType}] Forbidden: Insufficient permissions for User ${req.user.id}: ${permissions.join(', ')}`,
+      );
       return res.status(403).json({ message: 'Forbidden: Insufficient permissions' });
     } catch (error) {
+      logger.error(error);
       return res.status(500).json({ message: `Server error: ${error.message}` });
     }
   };
 };
 
-module.exports = generateCheckAccess;
+module.exports = {
+  checkAccess,
+  generateCheckAccess,
+};

api/server/middleware/roles/index.js

@@ -1,7 +1,8 @@
 const checkAdmin = require('./checkAdmin');
-const generateCheckAccess = require('./generateCheckAccess');
+const { checkAccess, generateCheckAccess } = require('./generateCheckAccess');
 
 module.exports = {
   checkAdmin,
+  checkAccess,
   generateCheckAccess,
 };

api/server/services/start/interface.js

@@ -34,6 +34,7 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     multiConvo: interfaceConfig?.multiConvo ?? defaults.multiConvo,
     agents: interfaceConfig?.agents ?? defaults.agents,
     temporaryChat: interfaceConfig?.temporaryChat ?? defaults.temporaryChat,
+    runCode: interfaceConfig?.runCode ?? defaults.runCode,
     customWelcome: interfaceConfig?.customWelcome ?? defaults.customWelcome,
   });
 
@@ -42,12 +43,16 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: loadedInterface.bookmarks },
     [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: loadedInterface.multiConvo },
     [PermissionTypes.AGENTS]: { [Permissions.USE]: loadedInterface.agents },
+    [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
+    [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
   });
   await updateAccessPermissions(SystemRoles.ADMIN, {
     [PermissionTypes.PROMPTS]: { [Permissions.USE]: loadedInterface.prompts },
     [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: loadedInterface.bookmarks },
     [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: loadedInterface.multiConvo },
     [PermissionTypes.AGENTS]: { [Permissions.USE]: loadedInterface.agents },
+    [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
+    [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
   });
 
   let i = 0;