📧 feat: email verification

.env.example

@@ -319,6 +319,7 @@ ALLOW_EMAIL_LOGIN=true
 ALLOW_REGISTRATION=true
 ALLOW_SOCIAL_LOGIN=false
 ALLOW_SOCIAL_REGISTRATION=false
+ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7

api/server/controllers/AuthController.js

@@ -5,6 +5,7 @@ const { Session, User } = require('~/models');
 const {
  registerUser,
  resetPassword,
+ verifyEmail,
  setAuthTokens,
  requestPasswordReset,
 } = require('~/server/services/AuthService');
@@ -20,9 +21,10 @@ const registrationController = async (req, res) => {
  newUser = new User(user);
  await newUser.save();
  }
- const token = await setAuthTokens(user._id, res);
- res.setHeader('Authorization', `Bearer ${token}`);
- res.status(status).send({ user });
+ // Do not set the authorization header or send the user object in the response
+ res.status(status).send({
+ message: 'Registration successful. Please check your email to verify your email address.',
+ });
  } else {
  const { status, message } = response;
  res.status(status).send({ message });
@@ -69,6 +71,20 @@ const resetPasswordController = async (req, res) => {
  }
 };
 
+const verifyEmailController = async (req, res) => {
+ try {
+ const verifyEmailService = await verifyEmail(req.body.userId, req.body.token);
+ if (verifyEmailService instanceof Error) {
+ return res.status(400).json(verifyEmailService);
+ } else {
+ return res.status(200).json(verifyEmailService);
+ }
+ } catch (e) {
+ logger.error('[verifyEmailController]', e);
+ return res.status(400).json({ message: e.message });
+ }
+};
+
 const refreshController = async (req, res) => {
  const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
  if (!refreshToken) {
@@ -120,4 +136,5 @@ module.exports = {
  registrationController,
  resetPasswordController,
  resetPasswordRequestController,
+ verifyEmailController,
 };

api/server/controllers/auth/LoginController.js

@@ -1,6 +1,7 @@
 const User = require('~/models/User');
 const { setAuthTokens } = require('~/server/services/AuthService');
 const { logger } = require('~/config');
+const { isEnabled } = require('~/server/utils');
 
 const loginController = async (req, res) => {
  try {
@@ -12,6 +13,10 @@ const loginController = async (req, res) => {
  return res.status(400).json({ message: 'Invalid credentials' });
  }
 
+ if (!user.emailVerified && !isEnabled(process.env.ALLOW_UNVERIFIED_EMAIL_LOGIN)) {
+ return res.status(422).json({ message: 'Email not verified' });
+ }
+
  const token = await setAuthTokens(user._id, res);
 
  return res.status(200).send({ token, user });

api/server/middleware/requireLocalAuth.js

@@ -21,7 +21,13 @@ const requireLocalAuth = (req, res, next) => {
  log({
  title: '(requireLocalAuth) Error: No user',
  });
- return res.status(422).send(info);
+ return res.status(404).send(info);
+ }
+ if (info && info.message) {
+ log({
+ title: '(requireLocalAuth) Error: ' + info.message,
+ });
+ return res.status(422).send({ message: info.message });
  }
  req.user = user;
  next();

api/server/routes/auth.js

@@ -2,6 +2,7 @@ const express = require('express');
 const {
  resetPasswordRequestController,
  resetPasswordController,
+ verifyEmailController,
  refreshController,
  registrationController,
 } = require('../controllers/AuthController');
@@ -34,5 +35,6 @@ router.post('/refresh', refreshController);
 router.post('/register', registerLimiter, checkBan, validateRegistration, registrationController);
 router.post('/requestPasswordReset', resetPasswordRequestController);
 router.post('/resetPassword', resetPasswordController);
+router.post('/verify', verifyEmailController);
 
 module.exports = router;

api/server/services/AuthService.js

@@ -44,6 +44,59 @@ const logoutUser = async (userId, refreshToken) => {
  }
 };
 
+const sendVerificationEmail = async (user) => {
+ let verifyToken = crypto.randomBytes(32).toString('hex');
+ const hash = bcrypt.hashSync(verifyToken, 10);
+
+ await new Token({
+ userId: user._id,
+ token: hash,
+ createdAt: Date.now(),
+ }).save();
+
+ const verificationLink = `${domains.client}/verify?token=${verifyToken}&userId=${user._id}`;
+
+ sendEmail(
+ user.email,
+ 'Verify your email',
+ {
+ appName: process.env.APP_TITLE || 'LibreChat',
+ name: user.name,
+ verificationLink: verificationLink,
+ year: new Date().getFullYear(),
+ },
+ 'verifyEmail.handlebars',
+ );
+ return;
+};
+
+/**
+ * Verify Email
+ *
+ * @param {*} userId
+ * @param {String} token
+ * @returns
+ */
+const verifyEmail = async (userId, token) => {
+ let emailVerificationToken = await Token.findOne({ userId });
+
+ if (!emailVerificationToken) {
+ return new Error('Invalid or expired password reset token');
+ }
+
+ const isValid = bcrypt.compareSync(token, emailVerificationToken.token);
+
+ if (!isValid) {
+ return new Error('Invalid or expired email verification token');
+ }
+
+ await User.updateOne({ _id: userId }, { $set: { emailVerified: true } });
+
+ await emailVerificationToken.deleteOne();
+
+ return { message: 'Email verification was successful' };
+};
+
 /**
  * Register a new user
  *
@@ -60,7 +113,7 @@ const registerUser = async (user) => {
  { name: 'Validation error:', value: errorMessage },
  );
 
- return { status: 422, message: errorMessage };
+ return { status: 404, message: errorMessage };
  }
 
  const { email, password, name, username } = user;
@@ -106,6 +159,23 @@ const registerUser = async (user) => {
  newUser.password = hash;
  await newUser.save();
 
+ console.log('userId', newUser._id);
+
+ const emailEnabled =
+ (!!process.env.EMAIL_SERVICE || !!process.env.EMAIL_HOST) &&
+ !!process.env.EMAIL_USERNAME &&
+ !!process.env.EMAIL_PASSWORD &&
+ !!process.env.EMAIL_FROM;
+
+ if (emailEnabled) {
+ await sendVerificationEmail(newUser);
+ }
+
+ if (!emailEnabled) {
+ newUser.emailVerified = true;
+ await newUser.save();
+ }
+
  return { status: 200, user: newUser };
  } catch (err) {
  return { status: 500, message: err?.message || 'Something went wrong' };
@@ -251,6 +321,7 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
 module.exports = {
  registerUser,
  logoutUser,
+ verifyEmail,
  isDomainAllowed,
  requestPasswordReset,
  resetPassword,