librechat-data-provider 0.8.301 → 0.8.400

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (24) hide show
  1. package/dist/index.es.js +1 -1
  2. package/dist/index.es.js.map +1 -1
  3. package/dist/index.js +1 -1
  4. package/dist/index.js.map +1 -1
  5. package/dist/react-query/index.es.js +1 -1
  6. package/dist/react-query/index.es.js.map +1 -1
  7. package/jest.config.js +1 -0
  8. package/package.json +1 -1
  9. package/specs/api-endpoints-subdir.spec.ts +140 -0
  10. package/specs/api-endpoints.spec.ts +13 -25
  11. package/specs/mcp.spec.ts +147 -0
  12. package/specs/request-interceptor.spec.ts +7 -2
  13. package/specs/utils.spec.ts +71 -4
  14. package/src/accessPermissions.ts +4 -4
  15. package/src/api-endpoints.ts +11 -4
  16. package/src/config.spec.ts +315 -0
  17. package/src/config.ts +44 -3
  18. package/src/data-service.ts +8 -6
  19. package/src/file-config.spec.ts +39 -2
  20. package/src/file-config.ts +11 -5
  21. package/src/mcp.ts +32 -3
  22. package/src/request.ts +1 -1
  23. package/src/types.ts +18 -25
  24. package/src/utils.ts +30 -7
package/src/utils.ts CHANGED
@@ -1,5 +1,29 @@
1
1
  export const envVarRegex = /^\${(.+)}$/;
2
2
 
3
+ /**
4
+ * Infrastructure env vars that must never be resolved via placeholder expansion.
5
+ * These are internal secrets whose exposure would compromise the system —
6
+ * they have no legitimate reason to appear in outbound headers, MCP env/args, or OAuth config.
7
+ *
8
+ * Intentionally excludes API keys (operators reference them in config) and
9
+ * OAuth/session secrets (referenced in MCP OAuth config via processMCPEnv).
10
+ */
11
+ const SENSITIVE_ENV_VARS = new Set([
12
+ 'JWT_SECRET',
13
+ 'JWT_REFRESH_SECRET',
14
+ 'CREDS_KEY',
15
+ 'CREDS_IV',
16
+ 'MEILI_MASTER_KEY',
17
+ 'MONGO_URI',
18
+ 'REDIS_URI',
19
+ 'REDIS_PASSWORD',
20
+ ]);
21
+
22
+ /** Returns true when `varName` refers to an infrastructure secret that must not leak. */
23
+ export function isSensitiveEnvVar(varName: string): boolean {
24
+ return SENSITIVE_ENV_VARS.has(varName);
25
+ }
26
+
3
27
  /** Extracts the environment variable name from a template literal string */
4
28
  export function extractVariableName(value: string): string | null {
5
29
  if (!value) {
@@ -16,21 +40,20 @@ export function extractEnvVariable(value: string) {
16
40
  return value;
17
41
  }
18
42
 
19
- // Trim the input
20
43
  const trimmed = value.trim();
21
44
 
22
- // Special case: if it's just a single environment variable
23
45
  const singleMatch = trimmed.match(envVarRegex);
24
46
  if (singleMatch) {
25
47
  const varName = singleMatch[1];
48
+ if (isSensitiveEnvVar(varName)) {
49
+ return trimmed;
50
+ }
26
51
  return process.env[varName] || trimmed;
27
52
  }
28
53
 
29
- // For multiple variables, process them using a regex loop
30
54
  const regex = /\${([^}]+)}/g;
31
55
  let result = trimmed;
32
56
 
33
- // First collect all matches and their positions
34
57
  const matches = [];
35
58
  let match;
36
59
  while ((match = regex.exec(trimmed)) !== null) {
@@ -41,12 +64,12 @@ export function extractEnvVariable(value: string) {
41
64
  });
42
65
  }
43
66
 
44
- // Process matches in reverse order to avoid position shifts
45
67
  for (let i = matches.length - 1; i >= 0; i--) {
46
68
  const { fullMatch, varName, index } = matches[i];
69
+ if (isSensitiveEnvVar(varName)) {
70
+ continue;
71
+ }
47
72
  const envValue = process.env[varName] || fullMatch;
48
-
49
- // Replace at exact position
50
73
  result = result.substring(0, index) + envValue + result.substring(index + fullMatch.length);
51
74
  }
52
75