librechat-data-provider 0.8.302 → 0.8.401

package/src/roles.ts

@@ -180,10 +180,20 @@ export const roleDefaults = defaultRolesSchema.parse({
   [SystemRoles.USER]: {
     name: SystemRoles.USER,
     permissions: {
-      [PermissionTypes.PROMPTS]: {},
+      [PermissionTypes.PROMPTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
       [PermissionTypes.BOOKMARKS]: {},
       [PermissionTypes.MEMORIES]: {},
-      [PermissionTypes.AGENTS]: {},
+      [PermissionTypes.AGENTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
       [PermissionTypes.MULTI_CONVO]: {},
       [PermissionTypes.TEMPORARY_CHAT]: {},
       [PermissionTypes.RUN_CODE]: {},
@@ -198,8 +208,18 @@ export const roleDefaults = defaultRolesSchema.parse({
       },
       [PermissionTypes.FILE_SEARCH]: {},
       [PermissionTypes.FILE_CITATIONS]: {},
-      [PermissionTypes.MCP_SERVERS]: {},
-      [PermissionTypes.REMOTE_AGENTS]: {},
+      [PermissionTypes.MCP_SERVERS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: false,
+        [Permissions.CREATE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
     },
   },
 });

package/src/types.ts

@@ -425,28 +425,29 @@ export type TLoginResponse = {
   tempToken?: string;
 };
 
+/** Shared payload for any operation that requires OTP or backup-code verification. */
+export type TOTPVerificationPayload = {
+  token?: string;
+  backupCode?: string;
+};
+
+export type TEnable2FARequest = TOTPVerificationPayload;
+
 export type TEnable2FAResponse = {
   otpauthUrl: string;
   backupCodes: string[];
   message?: string;
 };
 
-export type TVerify2FARequest = {
-  token?: string;
-  backupCode?: string;
-};
+export type TVerify2FARequest = TOTPVerificationPayload;
 
 export type TVerify2FAResponse = {
   message: string;
 };
 
-/**
- * For verifying 2FA during login with a temporary token.
- */
-export type TVerify2FATempRequest = {
+/** For verifying 2FA during login with a temporary token. */
+export type TVerify2FATempRequest = TOTPVerificationPayload & {
   tempToken: string;
-  token?: string;
-  backupCode?: string;
 };
 
 export type TVerify2FATempResponse = {
@@ -455,30 +456,22 @@ export type TVerify2FATempResponse = {
   message?: string;
 };
 
-/**
- * Request for disabling 2FA.
- */
-export type TDisable2FARequest = {
-  token?: string;
-  backupCode?: string;
-};
+export type TDisable2FARequest = TOTPVerificationPayload;
 
-/**
- * Response from disabling 2FA.
- */
 export type TDisable2FAResponse = {
   message: string;
 };
 
-/**
- * Response from regenerating backup codes.
- */
+export type TRegenerateBackupCodesRequest = TOTPVerificationPayload;
+
 export type TRegenerateBackupCodesResponse = {
-  message: string;
+  message?: string;
   backupCodes: string[];
-  backupCodesHash: string[];
+  backupCodesHash: TBackupCode[];
 };
 
+export type TDeleteUserRequest = TOTPVerificationPayload;
+
 export type TRequestPasswordReset = {
   email: string;
 };

package/src/utils.ts

@@ -1,5 +1,29 @@
 export const envVarRegex = /^\${(.+)}$/;
 
+/**
+ * Infrastructure env vars that must never be resolved via placeholder expansion.
+ * These are internal secrets whose exposure would compromise the system —
+ * they have no legitimate reason to appear in outbound headers, MCP env/args, or OAuth config.
+ *
+ * Intentionally excludes API keys (operators reference them in config) and
+ * OAuth/session secrets (referenced in MCP OAuth config via processMCPEnv).
+ */
+const SENSITIVE_ENV_VARS = new Set([
+  'JWT_SECRET',
+  'JWT_REFRESH_SECRET',
+  'CREDS_KEY',
+  'CREDS_IV',
+  'MEILI_MASTER_KEY',
+  'MONGO_URI',
+  'REDIS_URI',
+  'REDIS_PASSWORD',
+]);
+
+/** Returns true when `varName` refers to an infrastructure secret that must not leak. */
+export function isSensitiveEnvVar(varName: string): boolean {
+  return SENSITIVE_ENV_VARS.has(varName);
+}
+
 /** Extracts the environment variable name from a template literal string */
 export function extractVariableName(value: string): string | null {
   if (!value) {
@@ -16,21 +40,20 @@ export function extractEnvVariable(value: string) {
     return value;
   }
 
-  // Trim the input
   const trimmed = value.trim();
 
-  // Special case: if it's just a single environment variable
   const singleMatch = trimmed.match(envVarRegex);
   if (singleMatch) {
     const varName = singleMatch[1];
+    if (isSensitiveEnvVar(varName)) {
+      return trimmed;
+    }
     return process.env[varName] || trimmed;
   }
 
-  // For multiple variables, process them using a regex loop
   const regex = /\${([^}]+)}/g;
   let result = trimmed;
 
-  // First collect all matches and their positions
   const matches = [];
   let match;
   while ((match = regex.exec(trimmed)) !== null) {
@@ -41,12 +64,12 @@ export function extractEnvVariable(value: string) {
     });
   }
 
-  // Process matches in reverse order to avoid position shifts
   for (let i = matches.length - 1; i >= 0; i--) {
     const { fullMatch, varName, index } = matches[i];
+    if (isSensitiveEnvVar(varName)) {
+      continue;
+    }
     const envValue = process.env[varName] || fullMatch;
-
-    // Replace at exact position
     result = result.substring(0, index) + envValue + result.substring(index + fullMatch.length);
   }