chore: remove test code

- Modified the user creation process to incorporate balance configuration retrieved from the new getBalanceConfig function.
- Adjusted imports for user methods to streamline the code structure.

.env.example

@@ -443,7 +443,6 @@ OPENID_IMAGE_URL=
 # Set to true to automatically redirect to the OpenID provider when a user visits the login page
 # This will bypass the login form completely for users, only use this if OpenID is your only authentication method
 OPENID_AUTO_REDIRECT=false
-
 # Set to true to use PKCE (Proof Key for Code Exchange) for OpenID authentication
 OPENID_USE_PKCE=false
 #Set to true to reuse openid tokens for authentication management instead of using the mongodb session and the custom refresh token.
@@ -459,6 +458,33 @@ OPENID_ON_BEHALF_FLOW_USERINFRO_SCOPE = "user.read" # example for Scope Needed f
 # Set to true to use the OpenID Connect end session endpoint for logout
 OPENID_USE_END_SESSION_ENDPOINT=
 
+
+# SAML
+# Note: If OpenID is enabled, SAML authentication will be automatically disabled.
+SAML_ENTRY_POINT=
+SAML_ISSUER=
+SAML_CERT=
+SAML_CALLBACK_URL=/oauth/saml/callback
+SAML_SESSION_SECRET=
+
+# Attribute mappings (optional)
+SAML_EMAIL_CLAIM=
+SAML_USERNAME_CLAIM=
+SAML_GIVEN_NAME_CLAIM=
+SAML_FAMILY_NAME_CLAIM=
+SAML_PICTURE_CLAIM=
+SAML_NAME_CLAIM=
+
+# Logint buttion settings (optional)
+SAML_BUTTON_LABEL=
+SAML_IMAGE_URL=
+
+# Whether the SAML Response should be signed.
+# - If "true", the entire `SAML Response` will be signed.
+# - If "false" or unset, only the `SAML Assertion` will be signed (default behavior).
+# SAML_USE_AUTHN_RESPONSE_SIGNED=
+
+
 # LDAP
 LDAP_URL=
 LDAP_BIND_DN=

.gitignore

@@ -122,3 +122,5 @@ helm/**/.values.yaml
 
 !/client/src/@types/i18next.d.ts
 
+# SAML Idp cert
+*.cert

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 
 
+
 ## [Unreleased]
 
 ### ✨ New Features
@@ -15,11 +16,14 @@ All notable changes to this project will be documented in this file.
 - 🔒 feat: Add Content Security Policy using Helmet middleware by **@rubentalstra** in [#7377](https://github.com/danny-avila/LibreChat/pull/7377)
 - ✨ feat: Add Normalization for MCP Server Names by **@danny-avila** in [#7421](https://github.com/danny-avila/LibreChat/pull/7421)
 - 📊 feat: Improve Helm Chart by **@hofq** in [#3638](https://github.com/danny-avila/LibreChat/pull/3638)
+- 🦾 feat: Claude-4 Support by **@danny-avila** in [#7509](https://github.com/danny-avila/LibreChat/pull/7509)
+- 🪨 feat: Bedrock Support for Claude-4 Reasoning by **@danny-avila** in [#7517](https://github.com/danny-avila/LibreChat/pull/7517)
 
 ### 🌍 Internationalization
 
 - 🌍 i18n: Add `Danish` and `Czech` and `Catalan` localization support by **@rubentalstra** in [#7373](https://github.com/danny-avila/LibreChat/pull/7373)
 - 🌍 i18n: Update translation.json with latest translations by **@github-actions[bot]** in [#7375](https://github.com/danny-avila/LibreChat/pull/7375)
+- 🌍 i18n: Update translation.json with latest translations by **@github-actions[bot]** in [#7468](https://github.com/danny-avila/LibreChat/pull/7468)
 
 ### 🔧 Fixes
 
@@ -37,6 +41,11 @@ All notable changes to this project will be documented in this file.
 - 📜 docs: CHANGELOG for release v0.7.8 by **@github-actions[bot]** in [#7290](https://github.com/danny-avila/LibreChat/pull/7290)
 - 📦 chore: Update API Package Dependencies by **@danny-avila** in [#7359](https://github.com/danny-avila/LibreChat/pull/7359)
 - 📜 docs: Unreleased Changelog by **@github-actions[bot]** in [#7321](https://github.com/danny-avila/LibreChat/pull/7321)
+- 📜 docs: Unreleased Changelog by **@github-actions[bot]** in [#7434](https://github.com/danny-avila/LibreChat/pull/7434)
+- 🛡️ chore: `multer` v2.0.0 for CVE-2025-47935 and CVE-2025-47944 by **@danny-avila** in [#7454](https://github.com/danny-avila/LibreChat/pull/7454)
+- 📂 refactor: Improve `FileAttachment` & File Form Deletion by **@danny-avila** in [#7471](https://github.com/danny-avila/LibreChat/pull/7471)
+- 📊 chore: Remove Old Helm Chart by **@hofq** in [#7512](https://github.com/danny-avila/LibreChat/pull/7512)
+- 🪖 chore: bump helm app version to v0.7.8 by **@austin-barrington** in [#7524](https://github.com/danny-avila/LibreChat/pull/7524)
 
 
 

api/app/clients/AnthropicClient.js

@@ -74,9 +74,6 @@ class AnthropicClient extends BaseClient {
     /** Whether to use Messages API or Completions API
      * @type {boolean} */
     this.useMessages;
-    /** Whether or not the model is limited to the legacy amount of output tokens
-     * @type {boolean} */
-    this.isLegacyOutput;
     /** Whether or not the model supports Prompt Caching
      * @type {boolean} */
     this.supportsCacheControl;
@@ -118,13 +115,16 @@ class AnthropicClient extends BaseClient {
     const modelMatch = matchModelName(this.modelOptions.model, EModelEndpoint.anthropic);
     this.isClaudeLatest =
       /claude-[3-9]/.test(modelMatch) || /claude-(?:sonnet|opus|haiku)-[4-9]/.test(modelMatch);
-    this.isLegacyOutput = !(
-      /claude-3[-.]5-sonnet/.test(modelMatch) || /claude-3[-.]7/.test(modelMatch)
+    const isLegacyOutput = !(
+      /claude-3[-.]5-sonnet/.test(modelMatch) ||
+      /claude-3[-.]7/.test(modelMatch) ||
+      /claude-(?:sonnet|opus|haiku)-[4-9]/.test(modelMatch) ||
+      /claude-[4-9]/.test(modelMatch)
     );
     this.supportsCacheControl = this.options.promptCache && checkPromptCacheSupport(modelMatch);
 
     if (
-      this.isLegacyOutput &&
+      isLegacyOutput &&
       this.modelOptions.maxOutputTokens &&
       this.modelOptions.maxOutputTokens > legacy.maxOutputTokens.default
     ) {

api/app/clients/specs/AnthropicClient.test.js

@@ -514,6 +514,34 @@ describe('AnthropicClient', () => {
       expect(client.modelOptions.maxOutputTokens).toBe(highTokenValue);
     });
 
+    it('should not cap maxOutputTokens for Claude 4 Sonnet models', () => {
+      const client = new AnthropicClient('test-api-key');
+      const highTokenValue = anthropicSettings.legacy.maxOutputTokens.default * 10; // 40,960 tokens
+
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-sonnet-4-20250514',
+          maxOutputTokens: highTokenValue,
+        },
+      });
+
+      expect(client.modelOptions.maxOutputTokens).toBe(highTokenValue);
+    });
+
+    it('should not cap maxOutputTokens for Claude 4 Opus models', () => {
+      const client = new AnthropicClient('test-api-key');
+      const highTokenValue = anthropicSettings.legacy.maxOutputTokens.default * 6; // 24,576 tokens (under 32K limit)
+
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-opus-4-20250514',
+          maxOutputTokens: highTokenValue,
+        },
+      });
+
+      expect(client.modelOptions.maxOutputTokens).toBe(highTokenValue);
+    });
+
     it('should cap maxOutputTokens for Claude 3.5 Haiku models', () => {
       const client = new AnthropicClient('test-api-key');
       const highTokenValue = anthropicSettings.legacy.maxOutputTokens.default * 2;

api/app/clients/specs/BaseClient.test.js

@@ -1,7 +1,7 @@
 const { Constants } = require('librechat-data-provider');
 const { initializeFakeClient } = require('./FakeClient');
 
-jest.mock('~/lib/db/connectDb');
+jest.mock('~/db/connect');
 jest.mock('~/models', () => ({
   User: jest.fn(),
   Key: jest.fn(),
@@ -52,7 +52,7 @@ const messageHistory = [
   {
     role: 'user',
     isCreatedByUser: true,
-    text: 'What\'s up',
+    text: "What's up",
     messageId: '3',
     parentMessageId: '2',
   },
@@ -456,7 +456,7 @@ describe('BaseClient', () => {
 
       const chatMessages2 = await TestClient.loadHistory(conversationId, '3');
       expect(TestClient.currentMessages).toHaveLength(3);
-      expect(chatMessages2[chatMessages2.length - 1].text).toEqual('What\'s up');
+      expect(chatMessages2[chatMessages2.length - 1].text).toEqual("What's up");
     });
 
     /* Most of the new sendMessage logic revolving around edited/continued AI messages

api/app/clients/specs/OpenAIClient.test.js

@@ -5,7 +5,7 @@ const getLogStores = require('~/cache/getLogStores');
 const OpenAIClient = require('../OpenAIClient');
 jest.mock('meilisearch');
 
-jest.mock('~/lib/db/connectDb');
+jest.mock('~/db/connect');
 jest.mock('~/models', () => ({
   User: jest.fn(),
   Key: jest.fn(),
@@ -462,17 +462,17 @@ describe('OpenAIClient', () => {
         role: 'system',
         name: 'example_user',
         content:
-          'Let\'s circle back when we have more bandwidth to touch base on opportunities for increased leverage.',
+          "Let's circle back when we have more bandwidth to touch base on opportunities for increased leverage.",
       },
       {
         role: 'system',
         name: 'example_assistant',
-        content: 'Let\'s talk later when we\'re less busy about how to do better.',
+        content: "Let's talk later when we're less busy about how to do better.",
       },
       {
         role: 'user',
         content:
-          'This late pivot means we don\'t have time to boil the ocean for the client deliverable.',
+          "This late pivot means we don't have time to boil the ocean for the client deliverable.",
       },
     ];
 

api/app/clients/specs/PluginsClient.test.js

@@ -3,7 +3,7 @@ const { Constants } = require('librechat-data-provider');
 const { HumanMessage, AIMessage } = require('@langchain/core/messages');
 const PluginsClient = require('../PluginsClient');
 
-jest.mock('~/lib/db/connectDb');
+jest.mock('~/db/connect');
 jest.mock('~/models/Conversation', () => {
   return function () {
     return {

api/app/clients/tools/util/handleTools.test.js

@@ -10,18 +10,24 @@ const mockPluginService = {
   getUserPluginAuthValue: jest.fn(),
 };
 
-jest.mock('~/models/User', () => {
-  return function () {
-    return mockUser;
+const mockModels = {
+  User: mockUser,
+};
+jest.mock('~/db/connect', () => {
+  return {
+    connectDb: jest.fn(),
+    User: mockModels.mockUser,
   };
 });
+jest.mock('~/models/File', () => ({
+  File: jest.fn(),
+}));
 
 jest.mock('~/server/services/PluginService', () => mockPluginService);
 
 const { BaseLLM } = require('@langchain/openai');
 const { Calculator } = require('@langchain/community/tools/calculator');
 
-const User = require('~/models/User');
 const PluginService = require('~/server/services/PluginService');
 const { validateTools, loadTools, loadToolWithAuth } = require('./handleTools');
 const { StructuredSD, availableTools, DALLE3 } = require('../');
@@ -52,7 +58,7 @@ describe('Tool Handlers', () => {
       },
     );
 
-    fakeUser = new User({
+    fakeUser = await mockModels.User.createUser({
       name: 'Fake User',
       username: 'fakeuser',
       email: 'fakeuser@example.com',
@@ -218,7 +224,6 @@ describe('Tool Handlers', () => {
       try {
         await loadTool2();
       } catch (error) {
-        // eslint-disable-next-line jest/no-conditional-expect
         expect(error).toBeDefined();
       }
     });

api/cache/banViolation.js

@@ -1,8 +1,8 @@
+const { logger } = require('@librechat/data-schemas');
 const { ViolationTypes } = require('librechat-data-provider');
 const { isEnabled, math, removePorts } = require('~/server/utils');
 const { deleteAllUserSessions } = require('~/models');
 const getLogStores = require('./getLogStores');
-const { logger } = require('~/config');
 
 const { BAN_VIOLATIONS, BAN_INTERVAL } = process.env ?? {};
 const interval = math(BAN_INTERVAL, 20);
@@ -32,7 +32,6 @@ const banViolation = async (req, res, errorMessage) => {
   if (!isEnabled(BAN_VIOLATIONS)) {
     return;
   }
-
   if (!errorMessage) {
     return;
   }
@@ -51,7 +50,6 @@ const banViolation = async (req, res, errorMessage) => {
 
   const banLogs = getLogStores(ViolationTypes.BAN);
   const duration = errorMessage.duration || banLogs.opts.ttl;
-
   if (duration <= 0) {
     return;
   }

api/cache/banViolation.spec.js

@@ -1,7 +1,28 @@
 const banViolation = require('./banViolation');
 
+const mockModels = {
+  Session: {
+    deleteAllUserSessions: jest.fn(),
+  },
+};
+
+jest.mock('~/db/connect', () => {
+  return {
+    connectDb: jest.fn(),
+    get models() {
+      return mockModels;
+    },
+  };
+});
+
+jest.mock('~/server/utils', () => ({
+  isEnabled: jest.fn(() => true), // default to false, override per test if needed
+  math: jest.fn(() => 20), // default to false, override per test if needed
+  removePorts: jest.fn(),
+}));
+
 jest.mock('keyv');
-jest.mock('../models/Session');
+// jest.mock('../models/Session');
 // Mocking the getLogStores function
 jest.mock('./getLogStores', () => {
   return jest.fn().mockImplementation(() => {

api/db/connect.js

@@ -39,7 +39,10 @@ async function connectDb() {
     });
   }
   cached.conn = await cached.promise;
+
   return cached.conn;
 }
 
-module.exports = connectDb;
+module.exports = {
+  connectDb,
+};

api/db/index.js

@@ -0,0 +1,8 @@
+const mongoose = require('mongoose');
+const { createModels } = require('@librechat/data-schemas');
+const { connectDb } = require('./connect');
+const indexSync = require('./indexSync');
+
+createModels(mongoose);
+
+module.exports = { connectDb, indexSync };

api/db/indexSync.js

@@ -1,8 +1,11 @@
+const mongoose = require('mongoose');
 const { MeiliSearch } = require('meilisearch');
-const { Conversation } = require('~/models/Conversation');
-const { Message } = require('~/models/Message');
+const { logger } = require('@librechat/data-schemas');
+
 const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');
+
+const Conversation = mongoose.models.Conversation;
+const Message = mongoose.models.Message;
 
 const searchEnabled = isEnabled(process.env.SEARCH);
 const indexingDisabled = isEnabled(process.env.MEILI_NO_SYNC);
@@ -29,7 +32,6 @@ async function indexSync() {
   if (!searchEnabled) {
     return;
   }
-
   try {
     const client = MeiliSearchClient.getInstance();
 

api/db/models.js

@@ -0,0 +1,5 @@
+const mongoose = require('mongoose');
+const { createModels } = require('@librechat/data-schemas');
+const models = createModels(mongoose);
+
+module.exports = { ...models };

api/lib/db/index.js

@@ -1,4 +0,0 @@
-const connectDb = require('./connectDb');
-const indexSync = require('./indexSync');
-
-module.exports = { connectDb, indexSync };

api/models/Action.js

@@ -1,7 +1,5 @@
 const mongoose = require('mongoose');
-const { actionSchema } = require('@librechat/data-schemas');
-
-const Action = mongoose.model('action', actionSchema);
+const Action = require('~/db/models').Action;
 
 /**
  * Update an action with new data without overwriting existing properties,

api/models/Agent.js

@@ -1,6 +1,7 @@
 const mongoose = require('mongoose');
-const { agentSchema } = require('@librechat/data-schemas');
-const { SystemRoles, Tools } = require('librechat-data-provider');
+const crypto = require('node:crypto');
+const { logger } = require('@librechat/data-schemas');
+const { SystemRoles, Tools, actionDelimiter } = require('librechat-data-provider');
 const { GLOBAL_PROJECT_NAME, EPHEMERAL_AGENT_ID, mcp_delimiter } =
   require('librechat-data-provider').Constants;
 const { CONFIG_STORE, STARTUP_CONFIG } = require('librechat-data-provider').CacheKeys;
@@ -11,8 +12,9 @@ const {
   removeAgentFromAllProjects,
 } = require('./Project');
 const getLogStores = require('~/cache/getLogStores');
+const { getActions } = require('./Action');
 
-const Agent = mongoose.model('agent', agentSchema);
+const Agent = require('~/db/models').Agent;
 
 /**
  * Create an agent with the provided data.
@@ -149,10 +151,12 @@ const loadAgent = async ({ req, agent_id, endpoint, model_parameters }) => {
 /**
  * Check if a version already exists in the versions array, excluding timestamp and author fields
  * @param {Object} updateData - The update data to compare
+ * @param {Object} currentData - The current agent data
  * @param {Array} versions - The existing versions array
+ * @param {string} [actionsHash] - Hash of current action metadata
  * @returns {Object|null} - The matching version if found, null otherwise
  */
-const isDuplicateVersion = (updateData, currentData, versions) => {
+const isDuplicateVersion = (updateData, currentData, versions, actionsHash = null) => {
   if (!versions || versions.length === 0) {
     return null;
   }
@@ -169,17 +173,22 @@ const isDuplicateVersion = (updateData, currentData, versions) => {
     '__v',
     'agent_ids',
     'versions',
+    'actionsHash', // Exclude actionsHash from direct comparison
   ];
 
   const { $push, $pull, $addToSet, ...directUpdates } = updateData;
 
-  if (Object.keys(directUpdates).length === 0) {
+  if (Object.keys(directUpdates).length === 0 && !actionsHash) {
     return null;
   }
 
   const wouldBeVersion = { ...currentData, ...directUpdates };
   const lastVersion = versions[versions.length - 1];
 
+  if (actionsHash && lastVersion.actionsHash !== actionsHash) {
+    return null;
+  }
+
   const allFields = new Set([...Object.keys(wouldBeVersion), ...Object.keys(lastVersion)]);
 
   const importantFields = Array.from(allFields).filter((field) => !excludeFields.includes(field));
@@ -249,21 +258,58 @@ const isDuplicateVersion = (updateData, currentData, versions) => {
  * @param {string} searchParameter.id - The ID of the agent to update.
  * @param {string} [searchParameter.author] - The user ID of the agent's author.
  * @param {Object} updateData - An object containing the properties to update.
- * @param {string} [updatingUserId] - The ID of the user performing the update (used for tracking non-author updates).
+ * @param {Object} [options] - Optional configuration object.
+ * @param {string} [options.updatingUserId] - The ID of the user performing the update (used for tracking non-author updates).
+ * @param {boolean} [options.forceVersion] - Force creation of a new version even if no fields changed.
  * @returns {Promise<Agent>} The updated or newly created agent document as a plain object.
  * @throws {Error} If the update would create a duplicate version
  */
-const updateAgent = async (searchParameter, updateData, updatingUserId = null) => {
-  const options = { new: true, upsert: false };
+const updateAgent = async (searchParameter, updateData, options = {}) => {
+  const { updatingUserId = null, forceVersion = false } = options;
+  const mongoOptions = { new: true, upsert: false };
 
   const currentAgent = await Agent.findOne(searchParameter);
   if (currentAgent) {
     const { __v, _id, id, versions, author, ...versionData } = currentAgent.toObject();
     const { $push, $pull, $addToSet, ...directUpdates } = updateData;
 
-    if (Object.keys(directUpdates).length > 0 && versions && versions.length > 0) {
-      const duplicateVersion = isDuplicateVersion(updateData, versionData, versions);
-      if (duplicateVersion) {
+    let actionsHash = null;
+
+    // Generate actions hash if agent has actions
+    if (currentAgent.actions && currentAgent.actions.length > 0) {
+      // Extract action IDs from the format "domain_action_id"
+      const actionIds = currentAgent.actions
+        .map((action) => {
+          const parts = action.split(actionDelimiter);
+          return parts[1]; // Get just the action ID part
+        })
+        .filter(Boolean);
+
+      if (actionIds.length > 0) {
+        try {
+          const actions = await getActions(
+            {
+              action_id: { $in: actionIds },
+            },
+            true,
+          ); // Include sensitive data for hash
+
+          actionsHash = await generateActionMetadataHash(currentAgent.actions, actions);
+        } catch (error) {
+          logger.error('Error fetching actions for hash generation:', error);
+        }
+      }
+    }
+
+    const shouldCreateVersion =
+      forceVersion ||
+      (versions &&
+        versions.length > 0 &&
+        (Object.keys(directUpdates).length > 0 || $push || $pull || $addToSet));
+
+    if (shouldCreateVersion) {
+      const duplicateVersion = isDuplicateVersion(updateData, versionData, versions, actionsHash);
+      if (duplicateVersion && !forceVersion) {
         const error = new Error(
           'Duplicate version: This would create a version identical to an existing one',
         );
@@ -284,18 +330,25 @@ const updateAgent = async (searchParameter, updateData, updatingUserId = null) =
       updatedAt: new Date(),
     };
 
+    // Include actions hash in version if available
+    if (actionsHash) {
+      versionEntry.actionsHash = actionsHash;
+    }
+
     // Always store updatedBy field to track who made the change
     if (updatingUserId) {
       versionEntry.updatedBy = new mongoose.Types.ObjectId(updatingUserId);
     }
 
-    updateData.$push = {
-      ...($push || {}),
-      versions: versionEntry,
-    };
+    if (shouldCreateVersion || forceVersion) {
+      updateData.$push = {
+        ...($push || {}),
+        versions: versionEntry,
+      };
+    }
   }
 
-  return Agent.findOneAndUpdate(searchParameter, updateData, options).lean();
+  return Agent.findOneAndUpdate(searchParameter, updateData, mongoOptions).lean();
 };
 
 /**
@@ -333,7 +386,9 @@ const addAgentResourceFile = async ({ req, agent_id, tool_resource, file_id }) =
     },
   };
 
-  const updatedAgent = await updateAgent(searchParameter, updateData, req?.user?.id);
+  const updatedAgent = await updateAgent(searchParameter, updateData, {
+    updatingUserId: req?.user?.id,
+  });
   if (updatedAgent) {
     return updatedAgent;
   } else {
@@ -425,7 +480,6 @@ const getListAgents = async (searchParameter) => {
     delete globalQuery.author;
     query = { $or: [globalQuery, query] };
   }
-
   const agents = (
     await Agent.find(query, {
       id: 1,
@@ -497,7 +551,7 @@ const updateAgentProjects = async ({ user, agentId, projectIds, removeProjectIds
     delete updateQuery.author;
   }
 
-  const updatedAgent = await updateAgent(updateQuery, updateOps, user.id);
+  const updatedAgent = await updateAgent(updateQuery, updateOps, { updatingUserId: user.id });
   if (updatedAgent) {
     return updatedAgent;
   }
@@ -548,16 +602,73 @@ const revertAgentVersion = async (searchParameter, versionIndex) => {
   return Agent.findOneAndUpdate(searchParameter, updateData, { new: true }).lean();
 };
 
+/**
+ * Generates a hash of action metadata for version comparison
+ * @param {string[]} actionIds - Array of action IDs in format "domain_action_id"
+ * @param {Action[]} actions - Array of action documents
+ * @returns {Promise<string>} - SHA256 hash of the action metadata
+ */
+const generateActionMetadataHash = async (actionIds, actions) => {
+  if (!actionIds || actionIds.length === 0) {
+    return '';
+  }
+
+  // Create a map of action_id to metadata for quick lookup
+  const actionMap = new Map();
+  actions.forEach((action) => {
+    actionMap.set(action.action_id, action.metadata);
+  });
+
+  // Sort action IDs for consistent hashing
+  const sortedActionIds = [...actionIds].sort();
+
+  // Build a deterministic string representation of all action metadata
+  const metadataString = sortedActionIds
+    .map((actionFullId) => {
+      // Extract just the action_id part (after the delimiter)
+      const parts = actionFullId.split(actionDelimiter);
+      const actionId = parts[1];
+
+      const metadata = actionMap.get(actionId);
+      if (!metadata) {
+        return `${actionId}:null`;
+      }
+
+      // Sort metadata keys for deterministic output
+      const sortedKeys = Object.keys(metadata).sort();
+      const metadataStr = sortedKeys
+        .map((key) => `${key}:${JSON.stringify(metadata[key])}`)
+        .join(',');
+      return `${actionId}:{${metadataStr}}`;
+    })
+    .join(';');
+
+  // Use Web Crypto API to generate hash
+  const encoder = new TextEncoder();
+  const data = encoder.encode(metadataString);
+  const hashBuffer = await crypto.webcrypto.subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashHex = hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+
+  return hashHex;
+};
+
+/**
+ * Load a default agent based on the endpoint
+ * @param {string} endpoint
+ * @returns {Agent | null}
+ */
+
 module.exports = {
-  Agent,
   getAgent,
   loadAgent,
   createAgent,
   updateAgent,
   deleteAgent,
   getListAgents,
+  revertAgentVersion,
   updateAgentProjects,
   addAgentResourceFile,
   removeAgentResourceFiles,
-  revertAgentVersion,
+  generateActionMetadataHash,
 };

api/models/Agent.spec.js

@@ -8,19 +8,21 @@ process.env.CREDS_IV = '0123456789abcdef';
 
 const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
+
 const { MongoMemoryServer } = require('mongodb-memory-server');
 const {
-  Agent,
-  addAgentResourceFile,
-  removeAgentResourceFiles,
-  createAgent,
-  updateAgent,
   getAgent,
+  updateAgent,
   deleteAgent,
+  createAgent,
   getListAgents,
   updateAgentProjects,
+  addAgentResourceFile,
+  removeAgentResourceFiles,
 } = require('./Agent');
 
+const Agent = require('~/db/models').Agent;
+
 describe('Agent Resource File Operations', () => {
   let mongoServer;
 
@@ -55,6 +57,7 @@ describe('Agent Resource File Operations', () => {
 
   test('should add tool_resource to tools if missing', async () => {
     const agent = await createBasicAgent();
+
     const fileId = uuidv4();
     const toolResource = 'file_search';
 
@@ -903,7 +906,7 @@ describe('Agent Version History', () => {
     const updatedAgent = await updateAgent(
       { id: agentId },
       { name: 'Updated Agent', description: 'Updated description' },
-      updatingUser.toString(),
+      { updatingUserId: updatingUser.toString() },
     );
 
     expect(updatedAgent.versions).toHaveLength(2);
@@ -927,7 +930,7 @@ describe('Agent Version History', () => {
     const updatedAgent = await updateAgent(
       { id: agentId },
       { name: 'Updated Agent', description: 'Updated description' },
-      originalAuthor.toString(),
+      { updatingUserId: originalAuthor.toString() },
     );
 
     expect(updatedAgent.versions).toHaveLength(2);
@@ -955,28 +958,28 @@ describe('Agent Version History', () => {
     await updateAgent(
       { id: agentId },
       { name: 'Updated by User 1', description: 'First update' },
-      user1.toString(),
+      { updatingUserId: user1.toString() },
     );
 
     // Original author makes an update
     await updateAgent(
       { id: agentId },
       { description: 'Updated by original author' },
-      originalAuthor.toString(),
+      { updatingUserId: originalAuthor.toString() },
     );
 
     // User 2 makes an update
     await updateAgent(
       { id: agentId },
       { name: 'Updated by User 2', model: 'new-model' },
-      user2.toString(),
+      { updatingUserId: user2.toString() },
     );
 
     // User 3 makes an update
     const finalAgent = await updateAgent(
       { id: agentId },
       { description: 'Final update by User 3' },
-      user3.toString(),
+      { updatingUserId: user3.toString() },
     );
 
     expect(finalAgent.versions).toHaveLength(5);
@@ -1012,7 +1015,7 @@ describe('Agent Version History', () => {
     await updateAgent(
       { id: agentId },
       { name: 'Updated Agent', description: 'Updated description' },
-      updatingUser.toString(),
+      { updatingUserId: updatingUser.toString() },
     );
 
     const { revertAgentVersion } = require('./Agent');
@@ -1022,4 +1025,55 @@ describe('Agent Version History', () => {
     expect(revertedAgent.name).toBe('Original Agent');
     expect(revertedAgent.description).toBe('Original description');
   });
+
+  test('should detect action metadata changes and force version update', async () => {
+    const agentId = `agent_${uuidv4()}`;
+    const authorId = new mongoose.Types.ObjectId();
+    const actionId = 'testActionId123';
+
+    // Create agent with actions
+    await createAgent({
+      id: agentId,
+      name: 'Agent with Actions',
+      provider: 'test',
+      model: 'test-model',
+      author: authorId,
+      actions: [`test.com_action_${actionId}`],
+      tools: ['listEvents_action_test.com', 'createEvent_action_test.com'],
+    });
+
+    // First update with forceVersion should create a version
+    const firstUpdate = await updateAgent(
+      { id: agentId },
+      { tools: ['listEvents_action_test.com', 'createEvent_action_test.com'] },
+      { updatingUserId: authorId.toString(), forceVersion: true },
+    );
+
+    expect(firstUpdate.versions).toHaveLength(2);
+
+    // Second update with same data but forceVersion should still create a version
+    const secondUpdate = await updateAgent(
+      { id: agentId },
+      { tools: ['listEvents_action_test.com', 'createEvent_action_test.com'] },
+      { updatingUserId: authorId.toString(), forceVersion: true },
+    );
+
+    expect(secondUpdate.versions).toHaveLength(3);
+
+    // Update without forceVersion and no changes should not create a version
+    let error;
+    try {
+      await updateAgent(
+        { id: agentId },
+        { tools: ['listEvents_action_test.com', 'createEvent_action_test.com'] },
+        { updatingUserId: authorId.toString(), forceVersion: false },
+      );
+    } catch (e) {
+      error = e;
+    }
+
+    expect(error).toBeDefined();
+    expect(error.message).toContain('Duplicate version');
+    expect(error.statusCode).toBe(409);
+  });
 });

api/models/Assistant.js

@@ -1,7 +1,5 @@
 const mongoose = require('mongoose');
-const { assistantSchema } = require('@librechat/data-schemas');
-
-const Assistant = mongoose.model('assistant', assistantSchema);
+const Assistant = require('~/db/models').Assistant;
 
 /**
  * Update an assistant with new data without overwriting existing properties,

api/models/Balance.js

@@ -1,4 +0,0 @@
-const mongoose = require('mongoose');
-const { balanceSchema } = require('@librechat/data-schemas');
-
-module.exports = mongoose.model('Balance', balanceSchema);

api/models/Banner.js

@@ -1,8 +1,7 @@
 const mongoose = require('mongoose');
-const logger = require('~/config/winston');
-const { bannerSchema } = require('@librechat/data-schemas');
+const { logger } = require('@librechat/data-schemas');
 
-const Banner = mongoose.model('Banner', bannerSchema);
+const Banner = require('~/db/models').Banner;
 
 /**
  * Retrieves the current active banner.
@@ -28,4 +27,4 @@ const getBanner = async (user) => {
   }
 };
 
-module.exports = { Banner, getBanner };
+module.exports = { getBanner };

api/models/Config.js

@@ -1,86 +0,0 @@
-const mongoose = require('mongoose');
-const { logger } = require('~/config');
-
-const major = [0, 0];
-const minor = [0, 0];
-const patch = [0, 5];
-
-const configSchema = mongoose.Schema(
-  {
-    tag: {
-      type: String,
-      required: true,
-      validate: {
-        validator: function (tag) {
-          const [part1, part2, part3] = tag.replace('v', '').split('.').map(Number);
-
-          // Check if all parts are numbers
-          if (isNaN(part1) || isNaN(part2) || isNaN(part3)) {
-            return false;
-          }
-
-          // Check if all parts are within their respective ranges
-          if (part1 < major[0] || part1 > major[1]) {
-            return false;
-          }
-          if (part2 < minor[0] || part2 > minor[1]) {
-            return false;
-          }
-          if (part3 < patch[0] || part3 > patch[1]) {
-            return false;
-          }
-          return true;
-        },
-        message: 'Invalid tag value',
-      },
-    },
-    searchEnabled: {
-      type: Boolean,
-      default: false,
-    },
-    usersEnabled: {
-      type: Boolean,
-      default: false,
-    },
-    startupCounts: {
-      type: Number,
-      default: 0,
-    },
-  },
-  { timestamps: true },
-);
-
-// Instance method
-configSchema.methods.incrementCount = function () {
-  this.startupCounts += 1;
-};
-
-// Static methods
-configSchema.statics.findByTag = async function (tag) {
-  return await this.findOne({ tag }).lean();
-};
-
-configSchema.statics.updateByTag = async function (tag, update) {
-  return await this.findOneAndUpdate({ tag }, update, { new: true });
-};
-
-const Config = mongoose.models.Config || mongoose.model('Config', configSchema);
-
-module.exports = {
-  getConfigs: async (filter) => {
-    try {
-      return await Config.find(filter).lean();
-    } catch (error) {
-      logger.error('Error getting configs', error);
-      return { config: 'Error getting configs' };
-    }
-  },
-  deleteConfigs: async (filter) => {
-    try {
-      return await Config.deleteMany(filter);
-    } catch (error) {
-      logger.error('Error deleting configs', error);
-      return { config: 'Error deleting configs' };
-    }
-  },
-};

api/models/Conversation.js

@@ -1,6 +1,8 @@
-const Conversation = require('./schema/convoSchema');
+const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
 const { getMessages, deleteMessages } = require('./Message');
-const logger = require('~/config/winston');
+
+const Conversation = require('~/db/models').Conversation;
 
 /**
  * Searches for a conversation by conversationId and returns a lean document with only conversationId and user.
@@ -75,7 +77,6 @@ const getConvoFiles = async (conversationId) => {
 };
 
 module.exports = {
-  Conversation,
   getConvoFiles,
   searchConversation,
   deleteNullOrEmptyConversations,
@@ -155,7 +156,6 @@ module.exports = {
     { cursor, limit = 25, isArchived = false, tags, search, order = 'desc' } = {},
   ) => {
     const filters = [{ user }];
-
     if (isArchived) {
       filters.push({ isArchived: true });
     } else {
@@ -288,7 +288,6 @@ module.exports = {
   deleteConvos: async (user, filter) => {
     try {
       const userFilter = { ...filter, user };
-
       const conversations = await Conversation.find(userFilter).select('conversationId');
       const conversationIds = conversations.map((c) => c.conversationId);
 

api/models/ConversationTag.js

@@ -1,10 +1,8 @@
 const mongoose = require('mongoose');
-const Conversation = require('./schema/convoSchema');
-const logger = require('~/config/winston');
+const { logger } = require('@librechat/data-schemas');
 
-const { conversationTagSchema } = require('@librechat/data-schemas');
-
-const ConversationTag = mongoose.model('ConversationTag', conversationTagSchema);
+const ConversationTag = require('~/db/models').ConversationTag;
+const Conversation = require('~/db/models').Conversation;
 
 /**
  * Retrieves all conversation tags for a user.
@@ -140,13 +138,13 @@ const adjustPositions = async (user, oldPosition, newPosition) => {
   const position =
     oldPosition < newPosition
       ? {
-        $gt: Math.min(oldPosition, newPosition),
-        $lte: Math.max(oldPosition, newPosition),
-      }
+          $gt: Math.min(oldPosition, newPosition),
+          $lte: Math.max(oldPosition, newPosition),
+        }
       : {
-        $gte: Math.min(oldPosition, newPosition),
-        $lt: Math.max(oldPosition, newPosition),
-      };
+          $gte: Math.min(oldPosition, newPosition),
+          $lt: Math.max(oldPosition, newPosition),
+        };
 
   await ConversationTag.updateMany(
     {

api/models/File.js

@@ -1,9 +1,8 @@
 const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
 const { EToolResources } = require('librechat-data-provider');
-const { fileSchema } = require('@librechat/data-schemas');
-const { logger } = require('~/config');
 
-const File = mongoose.model('File', fileSchema);
+const File = require('~/db/models').File;
 
 /**
  * Finds a file by its file_id with additional query options.
@@ -169,7 +168,6 @@ async function batchUpdateFiles(updates) {
 }
 
 module.exports = {
-  File,
   findFileById,
   getFiles,
   getToolFilesByIds,

api/models/Key.js

@@ -1,4 +0,0 @@
-const mongoose = require('mongoose');
-const { keySchema } = require('@librechat/data-schemas');
-
-module.exports = mongoose.model('Key', keySchema);

api/models/Message.js

@@ -1,7 +1,7 @@
 const { z } = require('zod');
-const Message = require('./schema/messageSchema');
-const { logger } = require('~/config');
+const { logger } = require('@librechat/data-schemas');
 
+const Message = require('~/db/models').Message;
 const idSchema = z.string().uuid();
 
 /**
@@ -68,7 +68,6 @@ async function saveMessage(req, params, metadata) {
       logger.info(`---\`saveMessage\` context: ${metadata?.context}`);
       update.tokenCount = 0;
     }
-
     const message = await Message.findOneAndUpdate(
       { messageId: params.messageId, user: req.user.id },
       update,
@@ -140,7 +139,6 @@ async function bulkSaveMessages(messages, overrideTimestamp = false) {
         upsert: true,
       },
     }));
-
     const result = await Message.bulkWrite(bulkOps);
     return result;
   } catch (err) {
@@ -355,7 +353,6 @@ async function deleteMessages(filter) {
 }
 
 module.exports = {
-  Message,
   saveMessage,
   bulkSaveMessages,
   recordMessage,

api/models/Message.spec.js

@@ -1,4 +1,3 @@
-const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
 
 jest.mock('mongoose');
@@ -20,14 +19,20 @@ const mockSchema = {
   deleteMany: jest.fn(),
 };
 
-mongoose.model.mockReturnValue(mockSchema);
-
-jest.mock('~/models/schema/messageSchema', () => mockSchema);
-
 jest.mock('~/config/winston', () => ({
   error: jest.fn(),
 }));
 
+const mockModels = {
+  Message: {
+    findOneAndUpdate: mockSchema.findOneAndUpdate,
+    updateOne: mockSchema.updateOne,
+    findOne: mockSchema.findOne,
+    find: mockSchema.find,
+    deleteMany: mockSchema.deleteMany,
+  },
+};
+
 const {
   saveMessage,
   getMessages,
@@ -153,7 +158,7 @@ describe('Message Operations', () => {
   });
 
   describe('Conversation Hijacking Prevention', () => {
-    it('should not allow editing a message in another user\'s conversation', async () => {
+    it("should not allow editing a message in another user's conversation", async () => {
       const attackerReq = { user: { id: 'attacker123' } };
       const victimConversationId = 'victim-convo-123';
       const victimMessageId = 'victim-msg-123';
@@ -175,7 +180,7 @@ describe('Message Operations', () => {
       );
     });
 
-    it('should not allow deleting messages from another user\'s conversation', async () => {
+    it("should not allow deleting messages from another user's conversation", async () => {
       const attackerReq = { user: { id: 'attacker123' } };
       const victimConversationId = 'victim-convo-123';
       const victimMessageId = 'victim-msg-123';
@@ -193,7 +198,7 @@ describe('Message Operations', () => {
       });
     });
 
-    it('should not allow inserting a new message into another user\'s conversation', async () => {
+    it("should not allow inserting a new message into another user's conversation", async () => {
       const attackerReq = { user: { id: 'attacker123' } };
       const victimConversationId = uuidv4(); // Use a valid UUID
 

api/models/Preset.js

@@ -1,5 +1,7 @@
-const Preset = require('./schema/presetSchema');
-const { logger } = require('~/config');
+const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
+
+const Preset = require('~/db/models').Preset;
 
 const getPreset = async (user, presetId) => {
   try {
@@ -11,7 +13,6 @@ const getPreset = async (user, presetId) => {
 };
 
 module.exports = {
-  Preset,
   getPreset,
   getPresets: async (user, filter) => {
     try {

api/models/Project.js

@@ -1,8 +1,7 @@
-const { model } = require('mongoose');
+const mongoose = require('mongoose');
 const { GLOBAL_PROJECT_NAME } = require('librechat-data-provider').Constants;
-const { projectSchema } = require('@librechat/data-schemas');
 
-const Project = model('Project', projectSchema);
+const Project = require('~/db/models').Project;
 
 /**
  * Retrieve a project by ID and convert the found project document to a plain object.

api/models/Prompt.js

@@ -1,5 +1,6 @@
 const mongoose = require('mongoose');
 const { ObjectId } = require('mongodb');
+const { logger } = require('@librechat/data-schemas');
 const { SystemRoles, SystemCategories, Constants } = require('librechat-data-provider');
 const {
   getProjectByName,
@@ -7,12 +8,10 @@ const {
   removeGroupIdsFromProject,
   removeGroupFromAllProjects,
 } = require('./Project');
-const { promptGroupSchema, promptSchema } = require('@librechat/data-schemas');
 const { escapeRegExp } = require('~/server/utils');
-const { logger } = require('~/config');
 
-const PromptGroup = mongoose.model('PromptGroup', promptGroupSchema);
-const Prompt = mongoose.model('Prompt', promptSchema);
+const PromptGroup = require('~/db/models').PromptGroup;
+const Prompt = require('~/db/models').Prompt;
 
 /**
  * Create a pipeline for the aggregation to get prompt groups

api/models/Role.js

@@ -1,4 +1,3 @@
-const mongoose = require('mongoose');
 const {
   CacheKeys,
   SystemRoles,
@@ -7,11 +6,10 @@ const {
   permissionsSchema,
   removeNullishValues,
 } = require('librechat-data-provider');
+const { logger } = require('@librechat/data-schemas');
 const getLogStores = require('~/cache/getLogStores');
-const { roleSchema } = require('@librechat/data-schemas');
-const { logger } = require('~/config');
 
-const Role = mongoose.model('Role', roleSchema);
+const Role = require('~/db/models').Role;
 
 /**
  * Retrieve a role by name and convert the found role document to a plain object.
@@ -282,7 +280,6 @@ const migrateRoleSchema = async function (roleName) {
 };
 
 module.exports = {
-  Role,
   getRoleByName,
   initializeRoles,
   updateRoleByName,

api/models/Role.spec.js

@@ -6,9 +6,11 @@ const {
   roleDefaults,
   PermissionTypes,
 } = require('librechat-data-provider');
-const { Role, getRoleByName, updateAccessPermissions, initializeRoles } = require('~/models/Role');
+const { getRoleByName, updateAccessPermissions, initializeRoles } = require('~/models/Role');
 const getLogStores = require('~/cache/getLogStores');
 
+const Role = require('~/db/models').Role;
+
 // Mock the cache
 jest.mock('~/cache/getLogStores', () =>
   jest.fn().mockReturnValue({

api/models/Session.js

@@ -1,275 +0,0 @@
-const mongoose = require('mongoose');
-const signPayload = require('~/server/services/signPayload');
-const { hashToken } = require('~/server/utils/crypto');
-const { sessionSchema } = require('@librechat/data-schemas');
-const { logger } = require('~/config');
-
-const Session = mongoose.model('Session', sessionSchema);
-
-const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
-const expires = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7; // 7 days default
-
-/**
- * Error class for Session-related errors
- */
-class SessionError extends Error {
-  constructor(message, code = 'SESSION_ERROR') {
-    super(message);
-    this.name = 'SessionError';
-    this.code = code;
-  }
-}
-
-/**
- * Creates a new session for a user
- * @param {string} userId - The ID of the user
- * @param {Object} options - Additional options for session creation
- * @param {Date} options.expiration - Custom expiration date
- * @returns {Promise<{session: Session, refreshToken: string}>}
- * @throws {SessionError}
- */
-const createSession = async (userId, options = {}) => {
-  if (!userId) {
-    throw new SessionError('User ID is required', 'INVALID_USER_ID');
-  }
-
-  try {
-    const session = new Session({
-      user: userId,
-      expiration: options.expiration || new Date(Date.now() + expires),
-    });
-    const refreshToken = await generateRefreshToken(session);
-    return { session, refreshToken };
-  } catch (error) {
-    logger.error('[createSession] Error creating session:', error);
-    throw new SessionError('Failed to create session', 'CREATE_SESSION_FAILED');
-  }
-};
-
-/**
- * Finds a session by various parameters
- * @param {Object} params - Search parameters
- * @param {string} [params.refreshToken] - The refresh token to search by
- * @param {string} [params.userId] - The user ID to search by
- * @param {string} [params.sessionId] - The session ID to search by
- * @param {Object} [options] - Additional options
- * @param {boolean} [options.lean=true] - Whether to return plain objects instead of documents
- * @returns {Promise<Session|null>}
- * @throws {SessionError}
- */
-const findSession = async (params, options = { lean: true }) => {
-  try {
-    const query = {};
-
-    if (!params.refreshToken && !params.userId && !params.sessionId) {
-      throw new SessionError('At least one search parameter is required', 'INVALID_SEARCH_PARAMS');
-    }
-
-    if (params.refreshToken) {
-      const tokenHash = await hashToken(params.refreshToken);
-      query.refreshTokenHash = tokenHash;
-    }
-
-    if (params.userId) {
-      query.user = params.userId;
-    }
-
-    if (params.sessionId) {
-      const sessionId = params.sessionId.sessionId || params.sessionId;
-      if (!mongoose.Types.ObjectId.isValid(sessionId)) {
-        throw new SessionError('Invalid session ID format', 'INVALID_SESSION_ID');
-      }
-      query._id = sessionId;
-    }
-
-    // Add expiration check to only return valid sessions
-    query.expiration = { $gt: new Date() };
-
-    const sessionQuery = Session.findOne(query);
-
-    if (options.lean) {
-      return await sessionQuery.lean();
-    }
-
-    return await sessionQuery.exec();
-  } catch (error) {
-    logger.error('[findSession] Error finding session:', error);
-    throw new SessionError('Failed to find session', 'FIND_SESSION_FAILED');
-  }
-};
-
-/**
- * Updates session expiration
- * @param {Session|string} session - The session or session ID to update
- * @param {Date} [newExpiration] - Optional new expiration date
- * @returns {Promise<Session>}
- * @throws {SessionError}
- */
-const updateExpiration = async (session, newExpiration) => {
-  try {
-    const sessionDoc = typeof session === 'string' ? await Session.findById(session) : session;
-
-    if (!sessionDoc) {
-      throw new SessionError('Session not found', 'SESSION_NOT_FOUND');
-    }
-
-    sessionDoc.expiration = newExpiration || new Date(Date.now() + expires);
-    return await sessionDoc.save();
-  } catch (error) {
-    logger.error('[updateExpiration] Error updating session:', error);
-    throw new SessionError('Failed to update session expiration', 'UPDATE_EXPIRATION_FAILED');
-  }
-};
-
-/**
- * Deletes a session by refresh token or session ID
- * @param {Object} params - Delete parameters
- * @param {string} [params.refreshToken] - The refresh token of the session to delete
- * @param {string} [params.sessionId] - The ID of the session to delete
- * @returns {Promise<Object>}
- * @throws {SessionError}
- */
-const deleteSession = async (params) => {
-  try {
-    if (!params.refreshToken && !params.sessionId) {
-      throw new SessionError(
-        'Either refreshToken or sessionId is required',
-        'INVALID_DELETE_PARAMS',
-      );
-    }
-
-    const query = {};
-
-    if (params.refreshToken) {
-      query.refreshTokenHash = await hashToken(params.refreshToken);
-    }
-
-    if (params.sessionId) {
-      query._id = params.sessionId;
-    }
-
-    const result = await Session.deleteOne(query);
-
-    if (result.deletedCount === 0) {
-      logger.warn('[deleteSession] No session found to delete');
-    }
-
-    return result;
-  } catch (error) {
-    logger.error('[deleteSession] Error deleting session:', error);
-    throw new SessionError('Failed to delete session', 'DELETE_SESSION_FAILED');
-  }
-};
-
-/**
- * Deletes all sessions for a user
- * @param {string} userId - The ID of the user
- * @param {Object} [options] - Additional options
- * @param {boolean} [options.excludeCurrentSession] - Whether to exclude the current session
- * @param {string} [options.currentSessionId] - The ID of the current session to exclude
- * @returns {Promise<Object>}
- * @throws {SessionError}
- */
-const deleteAllUserSessions = async (userId, options = {}) => {
-  try {
-    if (!userId) {
-      throw new SessionError('User ID is required', 'INVALID_USER_ID');
-    }
-
-    // Extract userId if it's passed as an object
-    const userIdString = userId.userId || userId;
-
-    if (!mongoose.Types.ObjectId.isValid(userIdString)) {
-      throw new SessionError('Invalid user ID format', 'INVALID_USER_ID_FORMAT');
-    }
-
-    const query = { user: userIdString };
-
-    if (options.excludeCurrentSession && options.currentSessionId) {
-      query._id = { $ne: options.currentSessionId };
-    }
-
-    const result = await Session.deleteMany(query);
-
-    if (result.deletedCount > 0) {
-      logger.debug(
-        `[deleteAllUserSessions] Deleted ${result.deletedCount} sessions for user ${userIdString}.`,
-      );
-    }
-
-    return result;
-  } catch (error) {
-    logger.error('[deleteAllUserSessions] Error deleting user sessions:', error);
-    throw new SessionError('Failed to delete user sessions', 'DELETE_ALL_SESSIONS_FAILED');
-  }
-};
-
-/**
- * Generates a refresh token for a session
- * @param {Session} session - The session to generate a token for
- * @returns {Promise<string>}
- * @throws {SessionError}
- */
-const generateRefreshToken = async (session) => {
-  if (!session || !session.user) {
-    throw new SessionError('Invalid session object', 'INVALID_SESSION');
-  }
-
-  try {
-    const expiresIn = session.expiration ? session.expiration.getTime() : Date.now() + expires;
-
-    if (!session.expiration) {
-      session.expiration = new Date(expiresIn);
-    }
-
-    const refreshToken = await signPayload({
-      payload: {
-        id: session.user,
-        sessionId: session._id,
-      },
-      secret: process.env.JWT_REFRESH_SECRET,
-      expirationTime: Math.floor((expiresIn - Date.now()) / 1000),
-    });
-
-    session.refreshTokenHash = await hashToken(refreshToken);
-    await session.save();
-
-    return refreshToken;
-  } catch (error) {
-    logger.error('[generateRefreshToken] Error generating refresh token:', error);
-    throw new SessionError('Failed to generate refresh token', 'GENERATE_TOKEN_FAILED');
-  }
-};
-
-/**
- * Counts active sessions for a user
- * @param {string} userId - The ID of the user
- * @returns {Promise<number>}
- * @throws {SessionError}
- */
-const countActiveSessions = async (userId) => {
-  try {
-    if (!userId) {
-      throw new SessionError('User ID is required', 'INVALID_USER_ID');
-    }
-
-    return await Session.countDocuments({
-      user: userId,
-      expiration: { $gt: new Date() },
-    });
-  } catch (error) {
-    logger.error('[countActiveSessions] Error counting active sessions:', error);
-    throw new SessionError('Failed to count active sessions', 'COUNT_SESSIONS_FAILED');
-  }
-};
-
-module.exports = {
-  createSession,
-  findSession,
-  updateExpiration,
-  deleteSession,
-  deleteAllUserSessions,
-  generateRefreshToken,
-  countActiveSessions,
-  SessionError,
-};

api/models/Share.js

@@ -1,11 +1,11 @@
-const mongoose = require('mongoose');
 const { nanoid } = require('nanoid');
+const mongoose = require('mongoose');
 const { Constants } = require('librechat-data-provider');
-const { Conversation } = require('~/models/Conversation');
-const { shareSchema } = require('@librechat/data-schemas');
-const SharedLink = mongoose.model('SharedLink', shareSchema);
+const { logger } = require('@librechat/data-schemas');
 const { getMessages } = require('./Message');
-const logger = require('~/config/winston');
+
+const Conversation = require('~/db/models').Conversation;
+const SharedLink = require('~/db/models').SharedLink;
 
 class ShareServiceError extends Error {
   constructor(message, code) {
@@ -202,7 +202,6 @@ async function createSharedLink(user, conversationId) {
   if (!user || !conversationId) {
     throw new ShareServiceError('Missing required parameters', 'INVALID_PARAMS');
   }
-
   try {
     const [existingShare, conversationMessages] = await Promise.all([
       SharedLink.findOne({ conversationId, isPublic: true }).select('-_id -__v -user').lean(),
@@ -340,7 +339,6 @@ async function deleteSharedLink(user, shareId) {
 }
 
 module.exports = {
-  SharedLink,
   getSharedLink,
   getSharedLinks,
   createSharedLink,

api/models/Token.js

@@ -1,158 +1,5 @@
-const mongoose = require('mongoose');
+const { findToken, updateToken, createToken } = require('~/models');
 const { encryptV2 } = require('~/server/utils/crypto');
-const { tokenSchema } = require('@librechat/data-schemas');
-const { logger } = require('~/config');
-
-/**
- * Token model.
- * @type {mongoose.Model}
- */
-const Token = mongoose.model('Token', tokenSchema);
-/**
- * Fixes the indexes for the Token collection from legacy TTL indexes to the new expiresAt index.
- */
-async function fixIndexes() {
-  try {
-    if (
-      process.env.NODE_ENV === 'CI' ||
-      process.env.NODE_ENV === 'development' ||
-      process.env.NODE_ENV === 'test'
-    ) {
-      return;
-    }
-    const indexes = await Token.collection.indexes();
-    logger.debug('Existing Token Indexes:', JSON.stringify(indexes, null, 2));
-    const unwantedTTLIndexes = indexes.filter(
-      (index) => index.key.createdAt === 1 && index.expireAfterSeconds !== undefined,
-    );
-    if (unwantedTTLIndexes.length === 0) {
-      logger.debug('No unwanted Token indexes found.');
-      return;
-    }
-    for (const index of unwantedTTLIndexes) {
-      logger.debug(`Dropping unwanted Token index: ${index.name}`);
-      await Token.collection.dropIndex(index.name);
-      logger.debug(`Dropped Token index: ${index.name}`);
-    }
-    logger.debug('Token index cleanup completed successfully.');
-  } catch (error) {
-    logger.error('An error occurred while fixing Token indexes:', error);
-  }
-}
-
-fixIndexes();
-
-/**
- * Creates a new Token instance.
- * @param {Object} tokenData - The data for the new Token.
- * @param {mongoose.Types.ObjectId} tokenData.userId - The user's ID. It is required.
- * @param {String} tokenData.email - The user's email.
- * @param {String} tokenData.token - The token. It is required.
- * @param {Number} tokenData.expiresIn - The number of seconds until the token expires.
- * @returns {Promise<mongoose.Document>} The new Token instance.
- * @throws Will throw an error if token creation fails.
- */
-async function createToken(tokenData) {
-  try {
-    const currentTime = new Date();
-    const expiresAt = new Date(currentTime.getTime() + tokenData.expiresIn * 1000);
-
-    const newTokenData = {
-      ...tokenData,
-      createdAt: currentTime,
-      expiresAt,
-    };
-
-    return await Token.create(newTokenData);
-  } catch (error) {
-    logger.debug('An error occurred while creating token:', error);
-    throw error;
-  }
-}
-
-/**
- * Finds a Token document that matches the provided query.
- * @param {Object} query - The query to match against.
- * @param {mongoose.Types.ObjectId|String} query.userId - The ID of the user.
- * @param {String} query.token - The token value.
- * @param {String} [query.email] - The email of the user.
- * @param {String} [query.identifier] - Unique, alternative identifier for the token.
- * @returns {Promise<Object|null>} The matched Token document, or null if not found.
- * @throws Will throw an error if the find operation fails.
- */
-async function findToken(query) {
-  try {
-    const conditions = [];
-
-    if (query.userId) {
-      conditions.push({ userId: query.userId });
-    }
-    if (query.token) {
-      conditions.push({ token: query.token });
-    }
-    if (query.email) {
-      conditions.push({ email: query.email });
-    }
-    if (query.identifier) {
-      conditions.push({ identifier: query.identifier });
-    }
-
-    const token = await Token.findOne({
-      $and: conditions,
-    }).lean();
-
-    return token;
-  } catch (error) {
-    logger.debug('An error occurred while finding token:', error);
-    throw error;
-  }
-}
-
-/**
- * Updates a Token document that matches the provided query.
- * @param {Object} query - The query to match against.
- * @param {mongoose.Types.ObjectId|String} query.userId - The ID of the user.
- * @param {String} query.token - The token value.
- * @param {String} [query.email] - The email of the user.
- * @param {String} [query.identifier] - Unique, alternative identifier for the token.
- * @param {Object} updateData - The data to update the Token with.
- * @returns {Promise<mongoose.Document|null>} The updated Token document, or null if not found.
- * @throws Will throw an error if the update operation fails.
- */
-async function updateToken(query, updateData) {
-  try {
-    return await Token.findOneAndUpdate(query, updateData, { new: true });
-  } catch (error) {
-    logger.debug('An error occurred while updating token:', error);
-    throw error;
-  }
-}
-
-/**
- * Deletes all Token documents that match the provided token, user ID, or email.
- * @param {Object} query - The query to match against.
- * @param {mongoose.Types.ObjectId|String} query.userId - The ID of the user.
- * @param {String} query.token - The token value.
- * @param {String} [query.email] - The email of the user.
- * @param {String} [query.identifier] - Unique, alternative identifier for the token.
- * @returns {Promise<Object>} The result of the delete operation.
- * @throws Will throw an error if the delete operation fails.
- */
-async function deleteTokens(query) {
-  try {
-    return await Token.deleteMany({
-      $or: [
-        { userId: query.userId },
-        { token: query.token },
-        { email: query.email },
-        { identifier: query.identifier },
-      ],
-    });
-  } catch (error) {
-    logger.debug('An error occurred while deleting tokens:', error);
-    throw error;
-  }
-}
 
 /**
  * Handles the OAuth token by creating or updating the token.
@@ -191,9 +38,5 @@ async function handleOAuthToken({
 }
 
 module.exports = {
-  findToken,
-  createToken,
-  updateToken,
-  deleteTokens,
   handleOAuthToken,
 };

api/models/ToolCall.js

@@ -1,6 +1,6 @@
 const mongoose = require('mongoose');
-const { toolCallSchema } = require('@librechat/data-schemas');
-const ToolCall = mongoose.model('ToolCall', toolCallSchema);
+
+const ToolCall = require('~/db/models').ToolCall;
 
 /**
  * Create a new tool call

api/models/Transaction.js

@@ -1,9 +1,10 @@
 const mongoose = require('mongoose');
-const { transactionSchema } = require('@librechat/data-schemas');
+const { logger } = require('@librechat/data-schemas');
 const { getBalanceConfig } = require('~/server/services/Config');
 const { getMultiplier, getCacheMultiplier } = require('./tx');
-const { logger } = require('~/config');
-const Balance = require('./Balance');
+
+const Transaction = require('~/db/models').Transaction;
+const Balance = require('~/db/models').Balance;
 
 const cancelRate = 1.15;
 
@@ -140,19 +141,19 @@ const updateBalance = async ({ user, incrementValue, setValues }) => {
 };
 
 /** Method to calculate and set the tokenValue for a transaction */
-transactionSchema.methods.calculateTokenValue = function () {
-  if (!this.valueKey || !this.tokenType) {
-    this.tokenValue = this.rawAmount;
+function calculateTokenValue(txn) {
+  if (!txn.valueKey || !txn.tokenType) {
+    txn.tokenValue = txn.rawAmount;
   }
-  const { valueKey, tokenType, model, endpointTokenConfig } = this;
+  const { valueKey, tokenType, model, endpointTokenConfig } = txn;
   const multiplier = Math.abs(getMultiplier({ valueKey, tokenType, model, endpointTokenConfig }));
-  this.rate = multiplier;
-  this.tokenValue = this.rawAmount * multiplier;
-  if (this.context && this.tokenType === 'completion' && this.context === 'incomplete') {
-    this.tokenValue = Math.ceil(this.tokenValue * cancelRate);
-    this.rate *= cancelRate;
+  txn.rate = multiplier;
+  txn.tokenValue = txn.rawAmount * multiplier;
+  if (txn.context && txn.tokenType === 'completion' && txn.context === 'incomplete') {
+    txn.tokenValue = Math.ceil(txn.tokenValue * cancelRate);
+    txn.rate *= cancelRate;
   }
-};
+}
 
 /**
  * New static method to create an auto-refill transaction that does NOT trigger a balance update.
@@ -163,13 +164,13 @@ transactionSchema.methods.calculateTokenValue = function () {
  * @param {number} txData.rawAmount - The raw amount of tokens.
  * @returns {Promise<object>} - The created transaction.
  */
-transactionSchema.statics.createAutoRefillTransaction = async function (txData) {
+async function createAutoRefillTransaction(txData) {
   if (txData.rawAmount != null && isNaN(txData.rawAmount)) {
     return;
   }
-  const transaction = new this(txData);
+  const transaction = new Transaction(txData);
   transaction.endpointTokenConfig = txData.endpointTokenConfig;
-  transaction.calculateTokenValue();
+  calculateTokenValue(transaction);
   await transaction.save();
 
   const balanceResponse = await updateBalance({
@@ -185,21 +186,20 @@ transactionSchema.statics.createAutoRefillTransaction = async function (txData)
   logger.debug('[Balance.check] Auto-refill performed', result);
   result.transaction = transaction;
   return result;
-};
+}
 
 /**
  * Static method to create a transaction and update the balance
  * @param {txData} txData - Transaction data.
  */
-transactionSchema.statics.create = async function (txData) {
-  const Transaction = this;
+async function createTransaction(txData) {
   if (txData.rawAmount != null && isNaN(txData.rawAmount)) {
     return;
   }
 
   const transaction = new Transaction(txData);
   transaction.endpointTokenConfig = txData.endpointTokenConfig;
-  transaction.calculateTokenValue();
+  calculateTokenValue(transaction);
 
   await transaction.save();
 
@@ -209,7 +209,6 @@ transactionSchema.statics.create = async function (txData) {
   }
 
   let incrementValue = transaction.tokenValue;
-
   const balanceResponse = await updateBalance({
     user: transaction.user,
     incrementValue,
@@ -221,21 +220,19 @@ transactionSchema.statics.create = async function (txData) {
     balance: balanceResponse.tokenCredits,
     [transaction.tokenType]: incrementValue,
   };
-};
+}
 
 /**
  * Static method to create a structured transaction and update the balance
  * @param {txData} txData - Transaction data.
  */
-transactionSchema.statics.createStructured = async function (txData) {
-  const Transaction = this;
-
+async function createStructuredTransaction(txData) {
   const transaction = new Transaction({
     ...txData,
     endpointTokenConfig: txData.endpointTokenConfig,
   });
 
-  transaction.calculateStructuredTokenValue();
+  calculateStructuredTokenValue(transaction);
 
   await transaction.save();
 
@@ -257,71 +254,69 @@ transactionSchema.statics.createStructured = async function (txData) {
     balance: balanceResponse.tokenCredits,
     [transaction.tokenType]: incrementValue,
   };
-};
+}
 
 /** Method to calculate token value for structured tokens */
-transactionSchema.methods.calculateStructuredTokenValue = function () {
-  if (!this.tokenType) {
-    this.tokenValue = this.rawAmount;
+function calculateStructuredTokenValue(txn) {
+  if (!txn.tokenType) {
+    txn.tokenValue = txn.rawAmount;
     return;
   }
 
-  const { model, endpointTokenConfig } = this;
+  const { model, endpointTokenConfig } = txn;
 
-  if (this.tokenType === 'prompt') {
+  if (txn.tokenType === 'prompt') {
     const inputMultiplier = getMultiplier({ tokenType: 'prompt', model, endpointTokenConfig });
     const writeMultiplier =
       getCacheMultiplier({ cacheType: 'write', model, endpointTokenConfig }) ?? inputMultiplier;
     const readMultiplier =
       getCacheMultiplier({ cacheType: 'read', model, endpointTokenConfig }) ?? inputMultiplier;
 
-    this.rateDetail = {
+    txn.rateDetail = {
       input: inputMultiplier,
       write: writeMultiplier,
       read: readMultiplier,
     };
 
     const totalPromptTokens =
-      Math.abs(this.inputTokens || 0) +
-      Math.abs(this.writeTokens || 0) +
-      Math.abs(this.readTokens || 0);
+      Math.abs(txn.inputTokens || 0) +
+      Math.abs(txn.writeTokens || 0) +
+      Math.abs(txn.readTokens || 0);
 
     if (totalPromptTokens > 0) {
-      this.rate =
-        (Math.abs(inputMultiplier * (this.inputTokens || 0)) +
-          Math.abs(writeMultiplier * (this.writeTokens || 0)) +
-          Math.abs(readMultiplier * (this.readTokens || 0))) /
+      txn.rate =
+        (Math.abs(inputMultiplier * (txn.inputTokens || 0)) +
+          Math.abs(writeMultiplier * (txn.writeTokens || 0)) +
+          Math.abs(readMultiplier * (txn.readTokens || 0))) /
         totalPromptTokens;
     } else {
-      this.rate = Math.abs(inputMultiplier); // Default to input rate if no tokens
+      txn.rate = Math.abs(inputMultiplier); // Default to input rate if no tokens
     }
 
-    this.tokenValue = -(
-      Math.abs(this.inputTokens || 0) * inputMultiplier +
-      Math.abs(this.writeTokens || 0) * writeMultiplier +
-      Math.abs(this.readTokens || 0) * readMultiplier
+    txn.tokenValue = -(
+      Math.abs(txn.inputTokens || 0) * inputMultiplier +
+      Math.abs(txn.writeTokens || 0) * writeMultiplier +
+      Math.abs(txn.readTokens || 0) * readMultiplier
     );
 
-    this.rawAmount = -totalPromptTokens;
-  } else if (this.tokenType === 'completion') {
-    const multiplier = getMultiplier({ tokenType: this.tokenType, model, endpointTokenConfig });
-    this.rate = Math.abs(multiplier);
-    this.tokenValue = -Math.abs(this.rawAmount) * multiplier;
-    this.rawAmount = -Math.abs(this.rawAmount);
+    txn.rawAmount = -totalPromptTokens;
+  } else if (txn.tokenType === 'completion') {
+    const multiplier = getMultiplier({ tokenType: txn.tokenType, model, endpointTokenConfig });
+    txn.rate = Math.abs(multiplier);
+    txn.tokenValue = -Math.abs(txn.rawAmount) * multiplier;
+    txn.rawAmount = -Math.abs(txn.rawAmount);
   }
 
-  if (this.context && this.tokenType === 'completion' && this.context === 'incomplete') {
-    this.tokenValue = Math.ceil(this.tokenValue * cancelRate);
-    this.rate *= cancelRate;
-    if (this.rateDetail) {
-      this.rateDetail = Object.fromEntries(
-        Object.entries(this.rateDetail).map(([k, v]) => [k, v * cancelRate]),
+  if (txn.context && txn.tokenType === 'completion' && txn.context === 'incomplete') {
+    txn.tokenValue = Math.ceil(txn.tokenValue * cancelRate);
+    txn.rate *= cancelRate;
+    if (txn.rateDetail) {
+      txn.rateDetail = Object.fromEntries(
+        Object.entries(txn.rateDetail).map(([k, v]) => [k, v * cancelRate]),
       );
     }
   }
-};
-
-const Transaction = mongoose.model('Transaction', transactionSchema);
+}
 
 /**
  * Queries and retrieves transactions based on a given filter.
@@ -340,4 +335,9 @@ async function getTransactions(filter) {
   }
 }
 
-module.exports = { Transaction, getTransactions };
+module.exports = {
+  getTransactions,
+  createTransaction,
+  createAutoRefillTransaction,
+  createStructuredTransaction,
+};

api/models/Transaction.spec.js

@@ -3,14 +3,13 @@ const { MongoMemoryServer } = require('mongodb-memory-server');
 const { spendTokens, spendStructuredTokens } = require('./spendTokens');
 const { getBalanceConfig } = require('~/server/services/Config');
 const { getMultiplier, getCacheMultiplier } = require('./tx');
-const { Transaction } = require('./Transaction');
-const Balance = require('./Balance');
+const { createTransaction } = require('./Transaction');
+const Balance = require('~/db/models').Balance;
 
 // Mock the custom config module so we can control the balance flag.
 jest.mock('~/server/services/Config');
 
 let mongoServer;
-
 beforeAll(async () => {
   mongoServer = await MongoMemoryServer.create();
   const mongoUri = mongoServer.getUri();
@@ -368,7 +367,7 @@ describe('NaN Handling Tests', () => {
     };
 
     // Act
-    const result = await Transaction.create(txData);
+    const result = await createTransaction(txData);
 
     // Assert: No transaction should be created and balance remains unchanged.
     expect(result).toBeUndefined();

api/models/User.js

@@ -1,6 +0,0 @@
-const mongoose = require('mongoose');
-const { userSchema } = require('@librechat/data-schemas');
-
-const User = mongoose.model('User', userSchema);
-
-module.exports = User;

api/models/balanceMethods.js

@@ -1,9 +1,11 @@
+const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
 const { ViolationTypes } = require('librechat-data-provider');
-const { Transaction } = require('./Transaction');
+const { createAutoRefillTransaction } = require('./Transaction');
 const { logViolation } = require('~/cache');
 const { getMultiplier } = require('./tx');
-const { logger } = require('~/config');
-const Balance = require('./Balance');
+
+const Balance = require('~/db/models').Balance;
 
 function isInvalidDate(date) {
   return isNaN(date);
@@ -60,7 +62,7 @@ const checkBalanceRecord = async function ({
     ) {
       try {
         /** @type {{ rate: number, user: string, balance: number, transaction: import('@librechat/data-schemas').ITransaction}} */
-        const result = await Transaction.createAutoRefillTransaction({
+        const result = await createAutoRefillTransaction({
           user: user,
           tokenType: 'credits',
           context: 'autoRefill',

api/models/convoStructure.spec.js

@@ -1,6 +1,8 @@
 const mongoose = require('mongoose');
 const { MongoMemoryServer } = require('mongodb-memory-server');
-const { Message, getMessages, bulkSaveMessages } = require('./Message');
+const { getMessages, bulkSaveMessages } = require('./Message');
+
+const Message = require('~/db/models').Message;
 
 // Original version of buildTree function
 function buildTree({ messages, fileMap }) {
@@ -42,7 +44,6 @@ function buildTree({ messages, fileMap }) {
 }
 
 let mongod;
-
 beforeAll(async () => {
   mongod = await MongoMemoryServer.create();
   const uri = mongod.getUri();

api/models/index.js

@@ -1,13 +1,7 @@
-const {
-  comparePassword,
-  deleteUserById,
-  generateToken,
-  getUserById,
-  updateUser,
-  createUser,
-  countUsers,
-  findUser,
-} = require('./userMethods');
+const mongoose = require('mongoose');
+const { createMethods } = require('@librechat/data-schemas');
+const methods = createMethods(mongoose);
+const { comparePassword } = require('./userMethods');
 const {
   findFileById,
   createFile,
@@ -26,32 +20,12 @@ const {
   deleteMessagesSince,
   deleteMessages,
 } = require('./Message');
-const {
-  createSession,
-  findSession,
-  updateExpiration,
-  deleteSession,
-  deleteAllUserSessions,
-  generateRefreshToken,
-  countActiveSessions,
-} = require('./Session');
 const { getConvoTitle, getConvo, saveConvo, deleteConvos } = require('./Conversation');
 const { getPreset, getPresets, savePreset, deletePresets } = require('./Preset');
-const { createToken, findToken, updateToken, deleteTokens } = require('./Token');
-const Balance = require('./Balance');
-const User = require('./User');
-const Key = require('./Key');
 
 module.exports = {
+  ...methods,
   comparePassword,
-  deleteUserById,
-  generateToken,
-  getUserById,
-  updateUser,
-  createUser,
-  countUsers,
-  findUser,
-
   findFileById,
   createFile,
   updateFile,
@@ -77,21 +51,4 @@ module.exports = {
   getPresets,
   savePreset,
   deletePresets,
-
-  createToken,
-  findToken,
-  updateToken,
-  deleteTokens,
-
-  createSession,
-  findSession,
-  updateExpiration,
-  deleteSession,
-  deleteAllUserSessions,
-  generateRefreshToken,
-  countActiveSessions,
-
-  User,
-  Key,
-  Balance,
 };

api/models/inviteUser.js

@@ -1,7 +1,7 @@
 const mongoose = require('mongoose');
-const { getRandomValues, hashToken } = require('~/server/utils/crypto');
-const { createToken, findToken } = require('./Token');
-const logger = require('~/config/winston');
+const { logger, hashToken } = require('@librechat/data-schemas');
+const { getRandomValues } = require('~/server/utils/crypto');
+const { createToken, findToken } = require('~/models');
 
 /**
  * @module inviteUser

api/models/schema/convoSchema.js

@@ -1,18 +0,0 @@
-const mongoose = require('mongoose');
-const mongoMeili = require('../plugins/mongoMeili');
-
-const { convoSchema } = require('@librechat/data-schemas');
-
-if (process.env.MEILI_HOST && process.env.MEILI_MASTER_KEY) {
-  convoSchema.plugin(mongoMeili, {
-    host: process.env.MEILI_HOST,
-    apiKey: process.env.MEILI_MASTER_KEY,
-    /** Note: Will get created automatically if it doesn't exist already */
-    indexName: 'convos',
-    primaryKey: 'conversationId',
-  });
-}
-
-const Conversation = mongoose.models.Conversation || mongoose.model('Conversation', convoSchema);
-
-module.exports = Conversation;

api/models/schema/messageSchema.js

@@ -1,16 +0,0 @@
-const mongoose = require('mongoose');
-const mongoMeili = require('~/models/plugins/mongoMeili');
-const { messageSchema } = require('@librechat/data-schemas');
-
-if (process.env.MEILI_HOST && process.env.MEILI_MASTER_KEY) {
-  messageSchema.plugin(mongoMeili, {
-    host: process.env.MEILI_HOST,
-    apiKey: process.env.MEILI_MASTER_KEY,
-    indexName: 'messages',
-    primaryKey: 'messageId',
-  });
-}
-
-const Message = mongoose.models.Message || mongoose.model('Message', messageSchema);
-
-module.exports = Message;

api/models/schema/pluginAuthSchema.js

@@ -1,6 +0,0 @@
-const mongoose = require('mongoose');
-const { pluginAuthSchema } = require('@librechat/data-schemas');
-
-const PluginAuth = mongoose.models.Plugin || mongoose.model('PluginAuth', pluginAuthSchema);
-
-module.exports = PluginAuth;

api/models/schema/presetSchema.js

@@ -1,6 +0,0 @@
-const mongoose = require('mongoose');
-const { presetSchema } = require('@librechat/data-schemas');
-
-const Preset = mongoose.models.Preset || mongoose.model('Preset', presetSchema);
-
-module.exports = Preset;

api/models/spendTokens.js

@@ -1,6 +1,5 @@
-const { Transaction } = require('./Transaction');
 const { logger } = require('~/config');
-
+const { createTransaction, createStructuredTransaction } = require('./Transaction');
 /**
  * Creates up to two transactions to record the spending of tokens.
  *
@@ -33,7 +32,7 @@ const spendTokens = async (txData, tokenUsage) => {
   let prompt, completion;
   try {
     if (promptTokens !== undefined) {
-      prompt = await Transaction.create({
+      prompt = await createTransaction({
         ...txData,
         tokenType: 'prompt',
         rawAmount: promptTokens === 0 ? 0 : -Math.max(promptTokens, 0),
@@ -41,7 +40,7 @@ const spendTokens = async (txData, tokenUsage) => {
     }
 
     if (completionTokens !== undefined) {
-      completion = await Transaction.create({
+      completion = await createTransaction({
         ...txData,
         tokenType: 'completion',
         rawAmount: completionTokens === 0 ? 0 : -Math.max(completionTokens, 0),
@@ -101,7 +100,7 @@ const spendStructuredTokens = async (txData, tokenUsage) => {
   try {
     if (promptTokens) {
       const { input = 0, write = 0, read = 0 } = promptTokens;
-      prompt = await Transaction.createStructured({
+      prompt = await createStructuredTransaction({
         ...txData,
         tokenType: 'prompt',
         inputTokens: -input,
@@ -111,7 +110,7 @@ const spendStructuredTokens = async (txData, tokenUsage) => {
     }
 
     if (completionTokens) {
-      completion = await Transaction.create({
+      completion = await createTransaction({
         ...txData,
         tokenType: 'completion',
         rawAmount: -completionTokens,

api/models/spendTokens.spec.js

@@ -1,8 +1,9 @@
 const mongoose = require('mongoose');
 const { MongoMemoryServer } = require('mongodb-memory-server');
-const { Transaction } = require('./Transaction');
-const Balance = require('./Balance');
 const { spendTokens, spendStructuredTokens } = require('./spendTokens');
+const { createTransaction, createAutoRefillTransaction } = require('./Transaction');
+const Transaction = require('~/db/models').Transaction;
+const Balance = require('~/db/models').Balance;
 
 // Mock the logger to prevent console output during tests
 jest.mock('~/config', () => ({
@@ -22,8 +23,7 @@ describe('spendTokens', () => {
 
   beforeAll(async () => {
     mongoServer = await MongoMemoryServer.create();
-    const mongoUri = mongoServer.getUri();
-    await mongoose.connect(mongoUri);
+    await mongoose.connect(mongoServer.getUri());
   });
 
   afterAll(async () => {
@@ -197,7 +197,7 @@ describe('spendTokens', () => {
     // Check that the transaction records show the adjusted values
     const transactionResults = await Promise.all(
       transactions.map((t) =>
-        Transaction.create({
+        createTransaction({
           ...txData,
           tokenType: t.tokenType,
           rawAmount: t.rawAmount,
@@ -280,7 +280,7 @@ describe('spendTokens', () => {
 
     // Check the return values from Transaction.create directly
     // This is to verify that the incrementValue is not becoming positive
-    const directResult = await Transaction.create({
+    const directResult = await createTransaction({
       user: userId,
       conversationId: 'test-convo-3',
       model: 'gpt-4',
@@ -607,7 +607,7 @@ describe('spendTokens', () => {
     const promises = [];
     for (let i = 0; i < numberOfRefills; i++) {
       promises.push(
-        Transaction.createAutoRefillTransaction({
+        createAutoRefillTransaction({
           user: userId,
           tokenType: 'credits',
           context: 'concurrent-refill-test',

api/models/userMethods.js

@@ -1,159 +1,4 @@
 const bcrypt = require('bcryptjs');
-const { getBalanceConfig } = require('~/server/services/Config');
-const signPayload = require('~/server/services/signPayload');
-const Balance = require('./Balance');
-const User = require('./User');
-
-/**
- * Retrieve a user by ID and convert the found user document to a plain object.
- *
- * @param {string} userId - The ID of the user to find and return as a plain object.
- * @param {string|string[]} [fieldsToSelect] - The fields to include or exclude in the returned document.
- * @returns {Promise<MongoUser>} A plain object representing the user document, or `null` if no user is found.
- */
-const getUserById = async function (userId, fieldsToSelect = null) {
-  const query = User.findById(userId);
-  if (fieldsToSelect) {
-    query.select(fieldsToSelect);
-  }
-  return await query.lean();
-};
-
-/**
- * Search for a single user based on partial data and return matching user document as plain object.
- * @param {Partial<MongoUser>} searchCriteria - The partial data to use for searching the user.
- * @param {string|string[]} [fieldsToSelect] - The fields to include or exclude in the returned document.
- * @returns {Promise<MongoUser>} A plain object representing the user document, or `null` if no user is found.
- */
-const findUser = async function (searchCriteria, fieldsToSelect = null) {
-  const query = User.findOne(searchCriteria);
-  if (fieldsToSelect) {
-    query.select(fieldsToSelect);
-  }
-  return await query.lean();
-};
-
-/**
- * Update a user with new data without overwriting existing properties.
- *
- * @param {string} userId - The ID of the user to update.
- * @param {Object} updateData - An object containing the properties to update.
- * @returns {Promise<MongoUser>} The updated user document as a plain object, or `null` if no user is found.
- */
-const updateUser = async function (userId, updateData) {
-  const updateOperation = {
-    $set: updateData,
-    $unset: { expiresAt: '' }, // Remove the expiresAt field to prevent TTL
-  };
-  return await User.findByIdAndUpdate(userId, updateOperation, {
-    new: true,
-    runValidators: true,
-  }).lean();
-};
-
-/**
- * Creates a new user, optionally with a TTL of 1 week.
- * @param {MongoUser} data - The user data to be created, must contain user_id.
- * @param {boolean} [disableTTL=true] - Whether to disable the TTL. Defaults to `true`.
- * @param {boolean} [returnUser=false] - Whether to return the created user object.
- * @returns {Promise<ObjectId|MongoUser>} A promise that resolves to the created user document ID or user object.
- * @throws {Error} If a user with the same user_id already exists.
- */
-const createUser = async (data, disableTTL = true, returnUser = false) => {
-  const balance = await getBalanceConfig();
-  const userData = {
-    ...data,
-    expiresAt: disableTTL ? null : new Date(Date.now() + 604800 * 1000), // 1 week in milliseconds
-  };
-
-  if (disableTTL) {
-    delete userData.expiresAt;
-  }
-
-  const user = await User.create(userData);
-
-  // If balance is enabled, create or update a balance record for the user using global.interfaceConfig.balance
-  if (balance?.enabled && balance?.startBalance) {
-    const update = {
-      $inc: { tokenCredits: balance.startBalance },
-    };
-
-    if (
-      balance.autoRefillEnabled &&
-      balance.refillIntervalValue != null &&
-      balance.refillIntervalUnit != null &&
-      balance.refillAmount != null
-    ) {
-      update.$set = {
-        autoRefillEnabled: true,
-        refillIntervalValue: balance.refillIntervalValue,
-        refillIntervalUnit: balance.refillIntervalUnit,
-        refillAmount: balance.refillAmount,
-      };
-    }
-
-    await Balance.findOneAndUpdate({ user: user._id }, update, { upsert: true, new: true }).lean();
-  }
-
-  if (returnUser) {
-    return user.toObject();
-  }
-  return user._id;
-};
-
-/**
- * Count the number of user documents in the collection based on the provided filter.
- *
- * @param {Object} [filter={}] - The filter to apply when counting the documents.
- * @returns {Promise<number>} The count of documents that match the filter.
- */
-const countUsers = async function (filter = {}) {
-  return await User.countDocuments(filter);
-};
-
-/**
- * Delete a user by their unique ID.
- *
- * @param {string} userId - The ID of the user to delete.
- * @returns {Promise<{ deletedCount: number }>} An object indicating the number of deleted documents.
- */
-const deleteUserById = async function (userId) {
-  try {
-    const result = await User.deleteOne({ _id: userId });
-    if (result.deletedCount === 0) {
-      return { deletedCount: 0, message: 'No user found with that ID.' };
-    }
-    return { deletedCount: result.deletedCount, message: 'User was deleted successfully.' };
-  } catch (error) {
-    throw new Error('Error deleting user: ' + error.message);
-  }
-};
-
-const { SESSION_EXPIRY } = process.env ?? {};
-const expires = eval(SESSION_EXPIRY) ?? 1000 * 60 * 15;
-
-/**
- * Generates a JWT token for a given user.
- *
- * @param {MongoUser} user - The user for whom the token is being generated.
- * @returns {Promise<string>} A promise that resolves to a JWT token.
- */
-const generateToken = async (user) => {
-  if (!user) {
-    throw new Error('No user provided');
-  }
-
-  return await signPayload({
-    payload: {
-      id: user._id,
-      username: user.username,
-      provider: user.provider,
-      email: user.email,
-    },
-    secret: process.env.JWT_SECRET,
-    expirationTime: expires / 1000,
-  });
-};
 
 /**
  * Compares the provided password with the user's password.
@@ -179,11 +24,4 @@ const comparePassword = async (user, candidatePassword) => {
 
 module.exports = {
   comparePassword,
-  deleteUserById,
-  generateToken,
-  getUserById,
-  countUsers,
-  createUser,
-  updateUser,
-  findUser,
 };

api/package.json

@@ -50,6 +50,7 @@
     "@langchain/textsplitters": "^0.1.0",
     "@librechat/agents": "^2.4.37",
     "@librechat/data-schemas": "*",
+    "@node-saml/passport-saml": "^5.0.0",
     "@waylaidwanderer/fetch-event-source": "^3.0.1",
     "axios": "^1.8.2",
     "bcryptjs": "^2.4.3",

api/server/cleanup.js

@@ -140,9 +140,6 @@ function disposeClient(client) {
     if (client.useMessages !== undefined) {
       client.useMessages = null;
     }
-    if (client.isLegacyOutput !== undefined) {
-      client.isLegacyOutput = null;
-    }
     if (client.supportsCacheControl !== undefined) {
       client.supportsCacheControl = null;
     }

api/server/controllers/AuthController.js

@@ -1,6 +1,7 @@
-const openIdClient = require('openid-client');
 const cookies = require('cookie');
 const jwt = require('jsonwebtoken');
+const openIdClient = require('openid-client');
+const { logger } = require('@librechat/data-schemas');
 const {
   registerUser,
   resetPassword,
@@ -8,9 +9,8 @@ const {
   requestPasswordReset,
   setOpenIDAuthTokens,
 } = require('~/server/services/AuthService');
-const { findSession, getUserById, deleteAllUserSessions, findUser } = require('~/models');
+const { findUser, getUserById, deleteAllUserSessions, findSession } = require('~/models');
 const { getOpenIdConfig } = require('~/strategies');
-const { logger } = require('~/config');
 const { isEnabled } = require('~/server/utils');
 
 const registrationController = async (req, res) => {
@@ -96,7 +96,10 @@ const refreshController = async (req, res) => {
     }
 
     // Find the session with the hashed refresh token
-    const session = await findSession({ userId: userId, refreshToken: refreshToken });
+    const session = await findSession({
+      userId: userId,
+      refreshToken: refreshToken,
+    });
 
     if (session && session.expiration > new Date()) {
       const token = await setAuthTokens(userId, res, session._id);

api/server/controllers/Balance.js

@@ -1,9 +1,26 @@
-const Balance = require('~/models/Balance');
+const mongoose = require('mongoose');
+
+const Balance = require('~/db/models').Balance;
 
 async function balanceController(req, res) {
-  const { tokenCredits: balance = '' } =
-    (await Balance.findOne({ user: req.user.id }, 'tokenCredits').lean()) ?? {};
-  res.status(200).send('' + balance);
+  const balanceData = await Balance.findOne(
+    { user: req.user.id },
+    '-_id tokenCredits autoRefillEnabled refillIntervalValue refillIntervalUnit lastRefill refillAmount',
+  ).lean();
+
+  if (!balanceData) {
+    return res.status(404).json({ error: 'Balance not found' });
+  }
+
+  // If auto-refill is not enabled, remove auto-refill related fields from the response
+  if (!balanceData.autoRefillEnabled) {
+    delete balanceData.refillIntervalValue;
+    delete balanceData.refillIntervalUnit;
+    delete balanceData.lastRefill;
+    delete balanceData.refillAmount;
+  }
+
+  res.status(200).json(balanceData);
 }
 
 module.exports = balanceController;

api/server/controllers/TwoFactorController.js

@@ -1,12 +1,12 @@
+const { logger } = require('@librechat/data-schemas');
 const {
+  verifyTOTP,
+  getTOTPSecret,
+  verifyBackupCode,
   generateTOTPSecret,
   generateBackupCodes,
-  verifyTOTP,
-  verifyBackupCode,
-  getTOTPSecret,
 } = require('~/server/services/twoFactorService');
-const { updateUser, getUserById } = require('~/models');
-const { logger } = require('~/config');
+const { getUserById, updateUser } = require('~/models');
 const { encryptV3 } = require('~/server/utils/crypto');
 
 const safeAppTitle = (process.env.APP_TITLE || 'LibreChat').replace(/\s+/g, '');

api/server/controllers/UserController.js

@@ -1,12 +1,11 @@
 const {
   Tools,
-  Constants,
   FileSources,
   webSearchKeys,
   extractWebSearchEnvVars,
 } = require('librechat-data-provider');
+const { logger } = require('@librechat/data-schemas');
 const {
-  Balance,
   getFiles,
   updateUser,
   deleteFiles,
@@ -16,7 +15,6 @@ const {
   deleteUserById,
   deleteAllUserSessions,
 } = require('~/models');
-const User = require('~/models/User');
 const { updateUserPluginAuth, deleteUserPluginAuth } = require('~/server/services/PluginService');
 const { updateUserPluginsService, deleteUserKey } = require('~/server/services/UserService');
 const { verifyEmail, resendVerificationEmail } = require('~/server/services/AuthService');
@@ -24,8 +22,10 @@ const { needsRefresh, getNewS3URL } = require('~/server/services/Files/S3/crud')
 const { processDeleteRequest } = require('~/server/services/Files/process');
 const { deleteAllSharedLinks } = require('~/models/Share');
 const { deleteToolCalls } = require('~/models/ToolCall');
-const { Transaction } = require('~/models/Transaction');
-const { logger } = require('~/config');
+
+const Transaction = require('~/db/models').Transaction;
+const Balance = require('~/db/models').Balance;
+const User = require('~/db/models').User;
 
 const getUserController = async (req, res) => {
   /** @type {MongoUser} */

api/server/controllers/agents/v1.js

@@ -111,7 +111,7 @@ const getAgentHandler = async (req, res) => {
       const originalUrl = agent.avatar.filepath;
       agent.avatar.filepath = await refreshS3Url(agent.avatar);
       if (originalUrl !== agent.avatar.filepath) {
-        await updateAgent({ id }, { avatar: agent.avatar }, req.user.id);
+        await updateAgent({ id }, { avatar: agent.avatar }, { updatingUserId: req.user.id });
       }
     }
 
@@ -170,7 +170,7 @@ const updateAgentHandler = async (req, res) => {
 
     let updatedAgent =
       Object.keys(updateData).length > 0
-        ? await updateAgent({ id }, updateData, req.user.id)
+        ? await updateAgent({ id }, updateData, { updatingUserId: req.user.id })
         : existingAgent;
 
     if (projectIds || removeProjectIds) {
@@ -407,7 +407,11 @@ const uploadAgentAvatarHandler = async (req, res) => {
       },
     };
 
-    promises.push(await updateAgent({ id: agent_id, author: req.user.id }, data, req.user.id));
+    promises.push(
+      await updateAgent({ id: agent_id, author: req.user.id }, data, {
+        updatingUserId: req.user.id,
+      }),
+    );
 
     const resolved = await Promise.all(promises);
     res.status(201).json(resolved[0]);

api/server/controllers/auth/TwoFactorAuthController.js

@@ -1,12 +1,12 @@
 const jwt = require('jsonwebtoken');
+const { logger } = require('@librechat/data-schemas');
 const {
   verifyTOTP,
-  verifyBackupCode,
   getTOTPSecret,
+  verifyBackupCode,
 } = require('~/server/services/twoFactorService');
 const { setAuthTokens } = require('~/server/services/AuthService');
-const { getUserById } = require('~/models/userMethods');
-const { logger } = require('~/config');
+const { getUserById } = require('~/models');
 
 /**
  * Verifies the 2FA code during login using a temporary token.

api/server/index.js

@@ -9,8 +9,9 @@ const passport = require('passport');
 const mongoSanitize = require('express-mongo-sanitize');
 const fs = require('fs');
 const cookieParser = require('cookie-parser');
+const { connectDb, indexSync } = require('~/db');
+
 const { jwtLogin, passportLogin } = require('~/strategies');
-const { connectDb, indexSync } = require('~/lib/db');
 const { isEnabled } = require('~/server/utils');
 const { ldapLogin } = require('~/strategies');
 const { logger } = require('~/config');
@@ -36,6 +37,7 @@ const startServer = async () => {
     axios.defaults.headers.common['Accept-Encoding'] = 'gzip';
   }
   await connectDb();
+
   logger.info('Connected to MongoDB');
   await indexSync();
 

api/server/index.spec.js

@@ -4,6 +4,10 @@ const request = require('supertest');
 const { MongoMemoryServer } = require('mongodb-memory-server');
 const mongoose = require('mongoose');
 
+jest.mock('~/server/services/Config/loadCustomConfig', () => {
+  return jest.fn(() => Promise.resolve({}));
+});
+
 describe('Server Configuration', () => {
   // Increase the default timeout to allow for Mongo cleanup
   jest.setTimeout(30_000);

api/server/middleware/checkBan.js

@@ -1,12 +1,12 @@
 const { Keyv } = require('keyv');
 const uap = require('ua-parser-js');
+const { logger } = require('@librechat/data-schemas');
 const { ViolationTypes } = require('librechat-data-provider');
 const { isEnabled, removePorts } = require('~/server/utils');
 const keyvMongo = require('~/cache/keyvMongo');
 const denyRequest = require('./denyRequest');
 const { getLogStores } = require('~/cache');
 const { findUser } = require('~/models');
-const { logger } = require('~/config');
 
 const banCache = new Keyv({ store: keyvMongo, namespace: ViolationTypes.BAN, ttl: 0 });
 const message = 'Your account has been temporarily banned due to violations of our service.';

api/server/middleware/checkInviteUser.js

@@ -1,5 +1,5 @@
 const { getInvite } = require('~/models/inviteUser');
-const { deleteTokens } = require('~/models/Token');
+const { deleteTokens } = require('~/models');
 
 async function checkInviteUser(req, res, next) {
   const token = req.body.token;

api/server/middleware/setBalanceConfig.js

@@ -1,6 +1,8 @@
+const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
 const { getBalanceConfig } = require('~/server/services/Config');
-const Balance = require('~/models/Balance');
-const { logger } = require('~/config');
+
+const Balance = require('~/db/models').Balance;
 
 /**
  * Middleware to synchronize user balance settings with current balance configuration.

api/server/routes/__tests__/config.spec.js

@@ -24,6 +24,12 @@ afterEach(() => {
   delete process.env.GITHUB_CLIENT_SECRET;
   delete process.env.DISCORD_CLIENT_ID;
   delete process.env.DISCORD_CLIENT_SECRET;
+  delete process.env.SAML_ENTRY_POINT;
+  delete process.env.SAML_ISSUER;
+  delete process.env.SAML_CERT;
+  delete process.env.SAML_SESSION_SECRET;
+  delete process.env.SAML_BUTTON_LABEL;
+  delete process.env.SAML_IMAGE_URL;
   delete process.env.DOMAIN_SERVER;
   delete process.env.ALLOW_REGISTRATION;
   delete process.env.ALLOW_SOCIAL_LOGIN;
@@ -55,6 +61,12 @@ describe.skip('GET /', () => {
     process.env.GITHUB_CLIENT_SECRET = 'Test Github client Secret';
     process.env.DISCORD_CLIENT_ID = 'Test Discord client Id';
     process.env.DISCORD_CLIENT_SECRET = 'Test Discord client Secret';
+    process.env.SAML_ENTRY_POINT = 'http://test-server.com';
+    process.env.SAML_ISSUER = 'Test SAML Issuer';
+    process.env.SAML_CERT = 'saml.pem';
+    process.env.SAML_SESSION_SECRET = 'Test Secret';
+    process.env.SAML_BUTTON_LABEL = 'Test SAML';
+    process.env.SAML_IMAGE_URL = 'http://test-server.com';
     process.env.DOMAIN_SERVER = 'http://test-server.com';
     process.env.ALLOW_REGISTRATION = 'true';
     process.env.ALLOW_SOCIAL_LOGIN = 'true';
@@ -70,7 +82,7 @@ describe.skip('GET /', () => {
     expect(response.statusCode).toBe(200);
     expect(response.body).toEqual({
       appTitle: 'Test Title',
-      socialLogins: ['google', 'facebook', 'openid', 'github', 'discord'],
+      socialLogins: ['google', 'facebook', 'openid', 'github', 'discord', 'saml'],
       discordLoginEnabled: true,
       facebookLoginEnabled: true,
       githubLoginEnabled: true,
@@ -78,6 +90,9 @@ describe.skip('GET /', () => {
       openidLoginEnabled: true,
       openidLabel: 'Test OpenID',
       openidImageUrl: 'http://test-server.com',
+      samlLoginEnabled: true,
+      samlLabel: 'Test SAML',
+      samlImageUrl: 'http://test-server.com',
       ldap: {
         enabled: true,
       },

api/server/routes/agents/actions.js

@@ -107,7 +107,15 @@ router.post('/:agent_id', async (req, res) => {
       .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
       .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
 
-    const updatedAgent = await updateAgent(agentQuery, { tools, actions }, req.user.id);
+    // Force version update since actions are changing
+    const updatedAgent = await updateAgent(
+      agentQuery,
+      { tools, actions },
+      {
+        updatingUserId: req.user.id,
+        forceVersion: true,
+      },
+    );
 
     // Only update user field for new actions
     const actionUpdateData = { metadata, agent_id };
@@ -172,7 +180,12 @@ router.delete('/:agent_id/:action_id', async (req, res) => {
 
     const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
 
-    await updateAgent(agentQuery, { tools: updatedTools, actions: updatedActions }, req.user.id);
+    // Force version update since actions are being removed
+    await updateAgent(
+      agentQuery,
+      { tools: updatedTools, actions: updatedActions },
+      { updatingUserId: req.user.id, forceVersion: true },
+    );
     // If admin, can delete any action, otherwise only user's actions
     const actionQuery = admin ? { action_id } : { action_id, user: req.user.id };
     await deleteAction(actionQuery);

api/server/routes/config.js

@@ -37,6 +37,18 @@ router.get('/', async function (req, res) {
   const ldap = getLdapConfig();
 
   try {
+    const isOpenIdEnabled =
+      !!process.env.OPENID_CLIENT_ID &&
+      !!process.env.OPENID_CLIENT_SECRET &&
+      !!process.env.OPENID_ISSUER &&
+      !!process.env.OPENID_SESSION_SECRET;
+
+    const isSamlEnabled =
+      !!process.env.SAML_ENTRY_POINT &&
+      !!process.env.SAML_ISSUER &&
+      !!process.env.SAML_CERT &&
+      !!process.env.SAML_SESSION_SECRET;
+
     /** @type {TStartupConfig} */
     const payload = {
       appTitle: process.env.APP_TITLE || 'LibreChat',
@@ -51,14 +63,13 @@ router.get('/', async function (req, res) {
         !!process.env.APPLE_TEAM_ID &&
         !!process.env.APPLE_KEY_ID &&
         !!process.env.APPLE_PRIVATE_KEY_PATH,
-      openidLoginEnabled:
-        !!process.env.OPENID_CLIENT_ID &&
-        !!process.env.OPENID_CLIENT_SECRET &&
-        !!process.env.OPENID_ISSUER &&
-        !!process.env.OPENID_SESSION_SECRET,
+      openidLoginEnabled: isOpenIdEnabled,
       openidLabel: process.env.OPENID_BUTTON_LABEL || 'Continue with OpenID',
       openidImageUrl: process.env.OPENID_IMAGE_URL,
       openidAutoRedirect: isEnabled(process.env.OPENID_AUTO_REDIRECT),
+      samlLoginEnabled: !isOpenIdEnabled && isSamlEnabled,
+      samlLabel: process.env.SAML_BUTTON_LABEL,
+      samlImageUrl: process.env.SAML_IMAGE_URL,
       serverDomain: process.env.DOMAIN_SERVER || 'http://localhost:3080',
       emailLoginEnabled,
       registrationEnabled: !ldap?.enabled && isEnabled(process.env.ALLOW_REGISTRATION),

api/server/routes/files/files.js

@@ -283,6 +283,10 @@ router.post('/', async (req, res) => {
       message += ': ' + error.message;
     }
 
+    if (error.message?.includes('Invalid file format')) {
+      message = error.message;
+    }
+
     // TODO: delete remote file if it exists
     try {
       await fs.unlink(req.file.path);

api/server/routes/messages.js

@@ -1,4 +1,5 @@
 const express = require('express');
+const { logger } = require('@librechat/data-schemas');
 const { ContentTypes } = require('librechat-data-provider');
 const {
   saveConvo,
@@ -13,8 +14,8 @@ const { requireJwtAuth, validateMessageReq } = require('~/server/middleware');
 const { cleanUpPrimaryKeyValue } = require('~/lib/utils/misc');
 const { getConvosQueried } = require('~/models/Conversation');
 const { countTokens } = require('~/server/utils');
-const { Message } = require('~/models/Message');
-const { logger } = require('~/config');
+
+const Message = require('~/db/models').Message;
 
 const router = express.Router();
 router.use(requireJwtAuth);
@@ -40,7 +41,11 @@ router.get('/', async (req, res) => {
     const sortOrder = sortDirection === 'asc' ? 1 : -1;
 
     if (conversationId && messageId) {
-      const message = await Message.findOne({ conversationId, messageId, user: user }).lean();
+      const message = await Message.findOne({
+        conversationId,
+        messageId,
+        user: user,
+      }).lean();
       response = { messages: message ? [message] : [], nextCursor: null };
     } else if (conversationId) {
       const filter = { conversationId, user: user };

api/server/routes/oauth.js

@@ -1,6 +1,7 @@
 // file deepcode ignore NoRateLimitingForLogin: Rate limiting is handled by the `loginLimiter` middleware
 const express = require('express');
 const passport = require('passport');
+const { randomState } = require('openid-client');
 const {
   checkBan,
   logHeaders,
@@ -9,8 +10,8 @@ const {
   checkDomainAllowed,
 } = require('~/server/middleware');
 const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
-const { logger } = require('~/config');
 const { isEnabled } = require('~/server/utils');
+const { logger } = require('~/config');
 
 const router = express.Router();
 
@@ -103,12 +104,12 @@ router.get(
 /**
  * OpenID Routes
  */
-router.get(
-  '/openid',
-  passport.authenticate('openid', {
+router.get('/openid', (req, res, next) => {
+  return passport.authenticate('openid', {
     session: false,
-  }),
-);
+    state: randomState(),
+  })(req, res, next);
+});
 
 router.get(
   '/openid/callback',
@@ -188,4 +189,24 @@ router.post(
   oauthHandler,
 );
 
+/**
+ * SAML Routes
+ */
+router.get(
+  '/saml',
+  passport.authenticate('saml', {
+    session: false,
+  }),
+);
+
+router.post(
+  '/saml/callback',
+  passport.authenticate('saml', {
+    failureRedirect: `${domains.client}/oauth/error`,
+    failureMessage: true,
+    session: false,
+  }),
+  oauthHandler,
+);
+
 module.exports = router;

api/server/services/ActionService.js

@@ -17,9 +17,9 @@ const { logger, getFlowStateManager, sendEvent } = require('~/config');
 const { encryptV2, decryptV2 } = require('~/server/utils/crypto');
 const { getActions, deleteActions } = require('~/models/Action');
 const { deleteAssistant } = require('~/models/Assistant');
-const { findToken } = require('~/models/Token');
 const { logAxiosError } = require('~/utils');
 const { getLogStores } = require('~/cache');
+const { findToken } = require('~/models');
 
 const JWT_SECRET = process.env.JWT_SECRET;
 const toolNameRegex = /^[a-zA-Z0-9_-]+$/;
@@ -207,7 +207,7 @@ async function createActionTool({
                     state: stateToken,
                     userId: userId,
                     client_url: metadata.auth.client_url,
-                    redirect_uri: `${process.env.DOMAIN_CLIENT}/api/actions/${action_id}/oauth/callback`,
+                    redirect_uri: `${process.env.DOMAIN_SERVER}/api/actions/${action_id}/oauth/callback`,
                     /** Encrypted values */
                     encrypted_oauth_client_id: encrypted.oauth_client_id,
                     encrypted_oauth_client_secret: encrypted.oauth_client_secret,

api/server/services/AuthService.js

@@ -3,24 +3,23 @@ const { webcrypto } = require('node:crypto');
 const { SystemRoles, errorsToString } = require('librechat-data-provider');
 const {
   findUser,
-  countUsers,
   createUser,
   updateUser,
-  getUserById,
-  generateToken,
-  deleteUserById,
-} = require('~/models/userMethods');
-const {
-  createToken,
   findToken,
-  deleteTokens,
+  countUsers,
+  getUserById,
   findSession,
+  createToken,
+  deleteTokens,
   deleteSession,
   createSession,
+  generateToken,
+  deleteUserById,
   generateRefreshToken,
 } = require('~/models');
 const { isEnabled, checkEmailConfig, sendEmail } = require('~/server/utils');
 const { isEmailDomainAllowed } = require('~/server/services/domains');
+const { getBalanceConfig } = require('~/server/services/Config');
 const { registerSchema } = require('~/strategies/validators');
 const { logger } = require('~/config');
 
@@ -146,6 +145,7 @@ const verifyEmail = async (req) => {
   }
 
   const updatedUser = await updateUser(emailVerificationData.userId, { emailVerified: true });
+
   if (!updatedUser) {
     logger.warn(`[verifyEmail] [User update failed] [Email: ${decodedEmail}]`);
     return new Error('Failed to update user verification status');
@@ -155,6 +155,7 @@ const verifyEmail = async (req) => {
   logger.info(`[verifyEmail] Email verification successful [Email: ${decodedEmail}]`);
   return { message: 'Email verification was successful', status: 'success' };
 };
+
 /**
  * Register a new user.
  * @param {MongoUser} user <email, password, name, username>
@@ -216,7 +217,9 @@ const registerUser = async (user, additionalData = {}) => {
 
     const emailEnabled = checkEmailConfig();
     const disableTTL = isEnabled(process.env.ALLOW_UNVERIFIED_EMAIL_LOGIN);
-    const newUser = await createUser(newUserData, disableTTL, true);
+    const balanceConfig = await getBalanceConfig();
+
+    const newUser = await createUser(newUserData, balanceConfig, disableTTL, true);
     newUserId = newUser._id;
     if (emailEnabled && !newUser.emailVerified) {
       await sendVerificationEmail({
@@ -389,6 +392,7 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
     throw error;
   }
 };
+
 /**
  * @function setOpenIDAuthTokens
  * Set OpenID Authentication Tokens

api/server/services/Files/Azure/images.js

@@ -1,10 +1,9 @@
 const fs = require('fs');
 const path = require('path');
 const sharp = require('sharp');
+const { logger } = require('@librechat/data-schemas');
 const { resizeImageBuffer } = require('../images/resize');
-const { updateUser } = require('~/models/userMethods');
-const { updateFile } = require('~/models/File');
-const { logger } = require('~/config');
+const { updateUser, updateFile } = require('~/models');
 const { saveBufferToAzure } = require('./crud');
 
 /**

api/server/services/Files/Firebase/images.js

@@ -1,11 +1,10 @@
 const fs = require('fs');
 const path = require('path');
 const sharp = require('sharp');
+const { logger } = require('@librechat/data-schemas');
 const { resizeImageBuffer } = require('../images/resize');
-const { updateUser } = require('~/models/userMethods');
+const { updateUser, updateFile } = require('~/models');
 const { saveBufferToFirebase } = require('./crud');
-const { updateFile } = require('~/models/File');
-const { logger } = require('~/config');
 
 /**
  * Converts an image file to the target format. The function first resizes the image based on the specified

api/server/services/Files/Local/images.js

@@ -2,8 +2,7 @@ const fs = require('fs');
 const path = require('path');
 const sharp = require('sharp');
 const { resizeImageBuffer } = require('../images/resize');
-const { updateUser } = require('~/models/userMethods');
-const { updateFile } = require('~/models/File');
+const { updateUser, updateFile } = require('~/models');
 
 /**
  * Converts an image file to the target format. The function first resizes the image based on the specified

api/server/services/Files/MistralOCR/crud.js

@@ -47,7 +47,6 @@ async function uploadDocumentToMistral({
     })
     .then((res) => res.data)
     .catch((error) => {
-      logger.error('Error uploading document to Mistral:', error.message);
       throw error;
     });
 }
@@ -217,8 +216,16 @@ const uploadMistralOCR = async ({ req, file, file_id, entity_id }) => {
       images,
     };
   } catch (error) {
-    const message = 'Error uploading document to Mistral OCR API';
-    throw new Error(logAxiosError({ error, message }));
+    let message = 'Error uploading document to Mistral OCR API';
+    const detail = error?.response?.data?.detail;
+    if (detail && detail !== '') {
+      message = detail;
+    }
+
+    const responseMessage = error?.response?.data?.message;
+    throw new Error(
+      `${logAxiosError({ error, message })}${responseMessage && responseMessage !== '' ? ` - ${responseMessage}` : ''}`,
+    );
   }
 };
 

api/server/services/Files/MistralOCR/crud.spec.js

@@ -124,13 +124,7 @@ describe('MistralOCR Service', () => {
           fileName: 'test.pdf',
           apiKey: 'test-api-key',
         }),
-      ).rejects.toThrow();
-
-      const { logger } = require('~/config');
-      expect(logger.error).toHaveBeenCalledWith(
-        expect.stringContaining('Error uploading document to Mistral:'),
-        expect.any(String),
-      );
+      ).rejects.toThrow(errorMessage);
     });
   });
 

api/server/services/Files/S3/images.js

@@ -1,11 +1,10 @@
 const fs = require('fs');
 const path = require('path');
 const sharp = require('sharp');
+const { logger } = require('@librechat/data-schemas');
 const { resizeImageBuffer } = require('../images/resize');
-const { updateUser } = require('~/models/userMethods');
+const { updateUser, updateFile } = require('~/models');
 const { saveBufferToS3 } = require('./crud');
-const { updateFile } = require('~/models/File');
-const { logger } = require('~/config');
 
 const defaultBasePath = 'images';
 

api/server/services/PluginService.js

@@ -1,7 +1,8 @@
-const PluginAuth = require('~/models/schema/pluginAuthSchema');
-const { encrypt, decrypt } = require('~/server/utils/');
+const { encrypt, decrypt } = require('~/server/utils/crypto');
 const { logger } = require('~/config');
 
+const PluginAuth = require('~/db/models').PluginAuth;
+
 /**
  * Asynchronously retrieves and decrypts the authentication value for a user's plugin, based on a specified authentication field.
  *

api/server/services/ToolService.js

@@ -5,6 +5,7 @@ const { Calculator } = require('@langchain/community/tools/calculator');
 const { tool: toolFn, Tool, DynamicStructuredTool } = require('@langchain/core/tools');
 const {
   Tools,
+  Constants,
   ErrorTypes,
   ContentTypes,
   imageGenTools,
@@ -14,6 +15,7 @@ const {
   ImageVisionTool,
   openapiToFunction,
   AgentCapabilities,
+  defaultAgentCapabilities,
   validateAndParseOpenAPISpec,
 } = require('librechat-data-provider');
 const {
@@ -501,8 +503,22 @@ async function loadAgentTools({ req, res, agent, tool_resources, openAIApiKey })
   }
 
   const endpointsConfig = await getEndpointsConfig(req);
-  const enabledCapabilities = new Set(endpointsConfig?.[EModelEndpoint.agents]?.capabilities ?? []);
-  const checkCapability = (capability) => enabledCapabilities.has(capability);
+  let enabledCapabilities = new Set(endpointsConfig?.[EModelEndpoint.agents]?.capabilities ?? []);
+  /** Edge case: use defined/fallback capabilities when the "agents" endpoint is not enabled */
+  if (enabledCapabilities.size === 0 && agent.id === Constants.EPHEMERAL_AGENT_ID) {
+    enabledCapabilities = new Set(
+      req.app?.locals?.[EModelEndpoint.agents]?.capabilities ?? defaultAgentCapabilities,
+    );
+  }
+  const checkCapability = (capability) => {
+    const enabled = enabledCapabilities.has(capability);
+    if (!enabled) {
+      logger.warn(
+        `Capability "${capability}" disabled${capability === AgentCapabilities.tools ? '.' : ' despite configured tool.'} User: ${req.user.id} | Agent: ${agent.id}`,
+      );
+    }
+    return enabled;
+  };
   const areToolsEnabled = checkCapability(AgentCapabilities.tools);
 
   let includesWebSearch = false;

api/server/services/UserService.js

@@ -1,7 +1,10 @@
+const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
 const { ErrorTypes } = require('librechat-data-provider');
-const { encrypt, decrypt } = require('~/server/utils');
-const { updateUser, Key } = require('~/models');
-const { logger } = require('~/config');
+const { encrypt, decrypt } = require('~/server/utils/crypto');
+const { updateUser } = require('~/models');
+
+const Key = require('~/db/models').Key;
 
 /**
  * Updates the plugins for a user based on the action specified (install/uninstall).

api/server/services/signPayload.js

@@ -1,26 +0,0 @@
-const jwt = require('jsonwebtoken');
-
-/**
- * Signs a given payload using either the `jose` library (for Bun runtime) or `jsonwebtoken`.
- *
- * @async
- * @function
- * @param {Object} options - The options for signing the payload.
- * @param {Object} options.payload - The payload to be signed.
- * @param {string} options.secret - The secret key used for signing.
- * @param {number} options.expirationTime - The expiration time in seconds.
- * @returns {Promise<string>} Returns a promise that resolves to the signed JWT.
- * @throws {Error} Throws an error if there's an issue during signing.
- *
- * @example
- * const signedPayload = await signPayload({
- *   payload: { userId: 123 },
- *   secret: 'my-secret-key',
- *   expirationTime: 3600
- * });
- */
-async function signPayload({ payload, secret, expirationTime }) {
-  return jwt.sign(payload, secret, { expiresIn: expirationTime });
-}
-
-module.exports = signPayload;

api/server/services/twoFactorService.js

@@ -1,6 +1,6 @@
 const { webcrypto } = require('node:crypto');
-const { decryptV3, decryptV2 } = require('../utils/crypto');
-const { hashBackupCode } = require('~/server/utils/crypto');
+const { hashBackupCode, decryptV3, decryptV2 } = require('~/server/utils/crypto');
+const { updateUser } = require('~/models');
 
 // Base32 alphabet for TOTP secret encoding.
 const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
@@ -172,7 +172,6 @@ const verifyBackupCode = async ({ user, backupCode }) => {
         : codeObj,
     );
     // Update the user record with the marked backup code.
-    const { updateUser } = require('~/models');
     await updateUser(user._id, { backupCodes: updatedBackupCodes });
     return true;
   }

api/server/socialLogins.js

@@ -10,6 +10,7 @@ const {
   discordLogin,
   facebookLogin,
   appleLogin,
+  setupSaml,
   openIdJwtLogin,
 } = require('~/strategies');
 const { isEnabled } = require('~/server/utils');
@@ -70,6 +71,34 @@ const configureSocialLogins = async (app) => {
     }
     logger.info('OpenID Connect configured.');
   }
+  if (
+    process.env.SAML_ENTRY_POINT &&
+    process.env.SAML_ISSUER &&
+    process.env.SAML_CERT &&
+    process.env.SAML_SESSION_SECRET
+  ) {
+    logger.info('Configuring SAML Connect...');
+    const sessionOptions = {
+      secret: process.env.SAML_SESSION_SECRET,
+      resave: false,
+      saveUninitialized: false,
+    };
+    if (isEnabled(process.env.USE_REDIS)) {
+      logger.debug('Using Redis for session storage in SAML...');
+      const keyv = new Keyv({ store: keyvRedis });
+      const client = keyv.opts.store.client;
+      sessionOptions.store = new RedisStore({ client, prefix: 'saml_session' });
+    } else {
+      sessionOptions.store = new MemoryStore({
+        checkPeriod: 86400000, // prune expired entries every 24h
+      });
+    }
+    app.use(session(sessionOptions));
+    app.use(passport.session());
+    setupSaml();
+
+    logger.info('SAML Connect configured.');
+  }
 };
 
 module.exports = configureSocialLogins;

api/server/utils/crypto.js

@@ -106,12 +106,6 @@ function decryptV3(encryptedValue) {
   return decrypted.toString('utf8');
 }
 
-async function hashToken(str) {
-  const data = new TextEncoder().encode(str);
-  const hashBuffer = await webcrypto.subtle.digest('SHA-256', data);
-  return Buffer.from(hashBuffer).toString('hex');
-}
-
 async function getRandomValues(length) {
   if (!Number.isInteger(length) || length <= 0) {
     throw new Error('Length must be a positive integer');
@@ -141,7 +135,6 @@ module.exports = {
   decryptV2,
   encryptV3,
   decryptV3,
-  hashToken,
   hashBackupCode,
   getRandomValues,
 };

api/server/utils/handleText.js

@@ -4,10 +4,10 @@ const {
   Capabilities,
   EModelEndpoint,
   isAgentsEndpoint,
-  AgentCapabilities,
   isAssistantsEndpoint,
   defaultRetrievalModels,
   defaultAssistantsVersion,
+  defaultAgentCapabilities,
 } = require('librechat-data-provider');
 const { Providers } = require('@librechat/agents');
 const partialRight = require('lodash/partialRight');
@@ -197,16 +197,7 @@ function generateConfig(key, baseURL, endpoint) {
   }
 
   if (agents) {
-    config.capabilities = [
-      AgentCapabilities.execute_code,
-      AgentCapabilities.file_search,
-      AgentCapabilities.web_search,
-      AgentCapabilities.artifacts,
-      AgentCapabilities.actions,
-      AgentCapabilities.tools,
-      AgentCapabilities.chain,
-      AgentCapabilities.ocr,
-    ];
+    config.capabilities = defaultAgentCapabilities;
   }
 
   if (assistants && endpoint === EModelEndpoint.azureAssistants) {

api/server/utils/handleText.spec.js

@@ -1,3 +1,9 @@
+jest.mock('~/models/Message', () => ({
+  Message: jest.fn(),
+}));
+jest.mock('~/models/Conversation', () => ({
+  Conversation: jest.fn(),
+}));
 const { isEnabled, sanitizeFilename } = require('./handleText');
 
 describe('isEnabled', () => {

api/server/utils/staticCache.js

@@ -1,3 +1,4 @@
+const path = require('path');
 const expressStaticGzip = require('express-static-gzip');
 
 const oneDayInSeconds = 24 * 60 * 60;
@@ -5,16 +6,45 @@ const oneDayInSeconds = 24 * 60 * 60;
 const sMaxAge = process.env.STATIC_CACHE_S_MAX_AGE || oneDayInSeconds;
 const maxAge = process.env.STATIC_CACHE_MAX_AGE || oneDayInSeconds * 2;
 
-const staticCache = (staticPath) =>
-  expressStaticGzip(staticPath, {
-    enableBrotli: false, // disable Brotli, only using gzip
+/**
+ * Creates an Express static middleware with gzip compression and configurable caching
+ *
+ * @param {string} staticPath - The file system path to serve static files from
+ * @param {Object} [options={}] - Configuration options
+ * @param {boolean} [options.noCache=false] - If true, disables caching entirely for all files
+ * @returns {ReturnType<expressStaticGzip>} Express middleware function for serving static files
+ */
+function staticCache(staticPath, options = {}) {
+  const { noCache = false } = options;
+  return expressStaticGzip(staticPath, {
+    enableBrotli: false,
     orderPreference: ['gz'],
-    setHeaders: (res, _path) => {
-      if (process.env.NODE_ENV?.toLowerCase() === 'production') {
+    setHeaders: (res, filePath) => {
+      if (process.env.NODE_ENV?.toLowerCase() !== 'production') {
+        return;
+      }
+      if (noCache) {
+        res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
+        return;
+      }
+      if (filePath.includes('/dist/images/')) {
+        return;
+      }
+      const fileName = path.basename(filePath);
+
+      if (
+        fileName === 'index.html' ||
+        fileName.endsWith('.webmanifest') ||
+        fileName === 'manifest.json' ||
+        fileName === 'sw.js'
+      ) {
+        res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
+      } else {
         res.setHeader('Cache-Control', `public, max-age=${maxAge}, s-maxage=${sMaxAge}`);
       }
     },
     index: false,
   });
+}
 
 module.exports = staticCache;

api/strategies/appleStrategy.js

@@ -18,17 +18,13 @@ const getProfileDetails = ({ idToken, profile }) => {
 
   const decoded = jwt.decode(idToken);
 
-  logger.debug(
-    `Decoded Apple JWT: ${JSON.stringify(decoded, null, 2)}`,
-  );
+  logger.debug(`Decoded Apple JWT: ${JSON.stringify(decoded, null, 2)}`);
 
   return {
     email: decoded.email,
     id: decoded.sub,
     avatarUrl: null, // Apple does not provide an avatar URL
-    username: decoded.email
-      ? decoded.email.split('@')[0].toLowerCase()
-      : `user_${decoded.sub}`,
+    username: decoded.email ? decoded.email.split('@')[0].toLowerCase() : `user_${decoded.sub}`,
     name: decoded.name
       ? `${decoded.name.firstName} ${decoded.name.lastName}`
       : profile.displayName || null,

api/strategies/appleStrategy.test.js

@@ -1,13 +1,13 @@
 const mongoose = require('mongoose');
-const { MongoMemoryServer } = require('mongodb-memory-server');
 const jwt = require('jsonwebtoken');
+const { logger } = require('@librechat/data-schemas');
 const { Strategy: AppleStrategy } = require('passport-apple');
-const socialLogin = require('./socialLogin');
-const User = require('~/models/User');
-const { logger } = require('~/config');
+const { MongoMemoryServer } = require('mongodb-memory-server');
 const { createSocialUser, handleExistingUser } = require('./process');
 const { isEnabled } = require('~/server/utils');
-const { findUser } = require('~/models');
+const socialLogin = require('./socialLogin');
+
+const User = require('~/db/models').User;
 
 // Mocking external dependencies
 jest.mock('jsonwebtoken');
@@ -24,16 +24,12 @@ jest.mock('./process', () => ({
 jest.mock('~/server/utils', () => ({
   isEnabled: jest.fn(),
 }));
-jest.mock('~/models', () => ({
-  findUser: jest.fn(),
-}));
 
 describe('Apple Login Strategy', () => {
   let mongoServer;
   let appleStrategyInstance;
   const OLD_ENV = process.env;
   let getProfileDetails;
-
   // Start and stop in-memory MongoDB
   beforeAll(async () => {
     mongoServer = await MongoMemoryServer.create();
@@ -64,7 +60,6 @@ describe('Apple Login Strategy', () => {
 
     // Define getProfileDetails within the test scope
     getProfileDetails = ({ idToken, profile }) => {
-      console.log('getProfileDetails called with idToken:', idToken);
       if (!idToken) {
         logger.error('idToken is missing');
         throw new Error('idToken is missing');
@@ -84,9 +79,7 @@ describe('Apple Login Strategy', () => {
         email: decoded.email,
         id: decoded.sub,
         avatarUrl: null, // Apple does not provide an avatar URL
-        username: decoded.email
-          ? decoded.email.split('@')[0].toLowerCase()
-          : `user_${decoded.sub}`,
+        username: decoded.email ? decoded.email.split('@')[0].toLowerCase() : `user_${decoded.sub}`,
         name: decoded.name
           ? `${decoded.name.firstName} ${decoded.name.lastName}`
           : profile.displayName || null,
@@ -96,8 +89,12 @@ describe('Apple Login Strategy', () => {
 
     // Mock isEnabled based on environment variable
     isEnabled.mockImplementation((flag) => {
-      if (flag === 'true') { return true; }
-      if (flag === 'false') { return false; }
+      if (flag === 'true') {
+        return true;
+      }
+      if (flag === 'false') {
+        return false;
+      }
       return false;
     });
 
@@ -154,9 +151,7 @@ describe('Apple Login Strategy', () => {
       });
 
       expect(jwt.decode).toHaveBeenCalledWith('fake_id_token');
-      expect(logger.debug).toHaveBeenCalledWith(
-        expect.stringContaining('Decoded Apple JWT'),
-      );
+      expect(logger.debug).toHaveBeenCalledWith(expect.stringContaining('Decoded Apple JWT'));
       expect(profileDetails).toEqual({
         email: 'john.doe@example.com',
         id: 'apple-sub-1234',
@@ -209,12 +204,13 @@ describe('Apple Login Strategy', () => {
 
     beforeEach(() => {
       jwt.decode.mockReturnValue(decodedToken);
-      findUser.mockImplementation(({ email }) => User.findOne({ email }));
+      User.findUser = jest.fn();
+      User.findUser.mockImplementation(({ email }) => User.findOne({ email }));
     });
 
     it('should create a new user if one does not exist and registration is allowed', async () => {
       // Mock findUser to return null (user does not exist)
-      findUser.mockResolvedValue(null);
+      User.findUser.mockResolvedValue(null);
 
       // Mock createSocialUser to create a user
       createSocialUser.mockImplementation(async (userData) => {
@@ -260,7 +256,7 @@ describe('Apple Login Strategy', () => {
       await existingUser.save();
 
       // Mock findUser to return the existing user
-      findUser.mockResolvedValue(existingUser);
+      User.findUser.mockResolvedValue(existingUser);
 
       // Mock handleExistingUser to update avatarUrl
       handleExistingUser.mockImplementation(async (user, avatarUrl) => {
@@ -297,7 +293,7 @@ describe('Apple Login Strategy', () => {
         appleStrategyInstance._verify(
           fakeAccessToken,
           fakeRefreshToken,
-          null,               // idToken is missing
+          null, // idToken is missing
           mockProfile,
           (err, user) => {
             mockVerifyCallback(err, user);
@@ -344,7 +340,7 @@ describe('Apple Login Strategy', () => {
 
     it('should handle errors during user creation', async () => {
       // Mock findUser to return null (user does not exist)
-      findUser.mockResolvedValue(null);
+      User.findUser.mockResolvedValue(null);
 
       // Mock createSocialUser to throw an error
       createSocialUser.mockImplementation(() => {

api/strategies/index.js

@@ -7,6 +7,7 @@ const facebookLogin = require('./facebookStrategy');
 const { setupOpenId, getOpenIdConfig } = require('./openidStrategy');
 const jwtLogin = require('./jwtStrategy');
 const ldapLogin = require('./ldapStrategy');
+const { setupSaml } = require('./samlStrategy');
 const openIdJwtLogin = require('./openIdJwtStrategy');
 
 module.exports = {
@@ -20,5 +21,6 @@ module.exports = {
   setupOpenId,
   getOpenIdConfig,
   ldapLogin,
+  setupSaml,
   openIdJwtLogin,
 };

api/strategies/jwtStrategy.js

@@ -1,7 +1,7 @@
+const { logger } = require('@librechat/data-schemas');
 const { SystemRoles } = require('librechat-data-provider');
 const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
 const { getUserById, updateUser } = require('~/models');
-const { logger } = require('~/config');
 
 // JWT strategy
 const jwtLogin = () =>

api/strategies/ldapStrategy.js

@@ -1,10 +1,10 @@
 const fs = require('fs');
 const LdapStrategy = require('passport-ldapauth');
 const { SystemRoles } = require('librechat-data-provider');
-const { findUser, createUser, updateUser } = require('~/models/userMethods');
-const { countUsers } = require('~/models/userMethods');
+const { logger } = require('@librechat/data-schemas');
+const { createUser, findUser, updateUser, countUsers } = require('~/models');
+const { getBalanceConfig } = require('~/server/services/Config');
 const { isEnabled } = require('~/server/utils');
-const logger = require('~/utils/logger');
 
 const {
   LDAP_URL,
@@ -124,7 +124,8 @@ const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
         name: fullName,
         role: isFirstRegisteredUser ? SystemRoles.ADMIN : SystemRoles.USER,
       };
-      const userId = await createUser(user);
+      const balanceConfig = await getBalanceConfig();
+      const userId = await createUser(user, balanceConfig);
       user._id = userId;
     } else {
       // Users registered in LDAP are assumed to have their user information managed in LDAP,

api/strategies/localStrategy.js

@@ -1,9 +1,9 @@
+const { logger } = require('@librechat/data-schemas');
 const { errorsToString } = require('librechat-data-provider');
 const { Strategy: PassportLocalStrategy } = require('passport-local');
-const { findUser, comparePassword, updateUser } = require('~/models');
 const { isEnabled, checkEmailConfig } = require('~/server/utils');
+const { findUser, comparePassword, updateUser } = require('~/models');
 const { loginSchema } = require('./validators');
-const logger = require('~/utils/logger');
 
 // Unix timestamp for 2024-06-07 15:20:18 Eastern Time
 const verificationEnabledTimestamp = 1717788018;

api/strategies/openidStrategy.js

@@ -1,16 +1,16 @@
-const { CacheKeys } = require('librechat-data-provider');
 const fetch = require('node-fetch');
 const passport = require('passport');
-const jwtDecode = require('jsonwebtoken/decode');
-const { HttpsProxyAgent } = require('https-proxy-agent');
 const client = require('openid-client');
+const jwtDecode = require('jsonwebtoken/decode');
+const { CacheKeys } = require('librechat-data-provider');
+const { HttpsProxyAgent } = require('https-proxy-agent');
+const { hashToken, logger } = require('@librechat/data-schemas');
 const { Strategy: OpenIDStrategy } = require('openid-client/passport');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
-const { findUser, createUser, updateUser } = require('~/models/userMethods');
-const { hashToken } = require('~/server/utils/crypto');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');
+const { findUser, createUser, updateUser } = require('~/models');
+const { getBalanceConfig } = require('~/server/services/Config');
 const getLogStores = require('~/cache/getLogStores');
+const { isEnabled } = require('~/server/utils');
 
 /**
  * @typedef {import('openid-client').ClientMetadata} ClientMetadata
@@ -28,6 +28,13 @@ class CustomOpenIDStrategy extends OpenIDStrategy {
     const hostAndProtocol = process.env.DOMAIN_SERVER;
     return new URL(`${hostAndProtocol}${req.originalUrl ?? req.url}`);
   }
+  authorizationRequestParams(req, options) {
+    const params = super.authorizationRequestParams(req, options);
+    if (options?.state && !params.has('state')) {
+      params.set('state', options.state);
+    }
+    return params;
+  }
 }
 
 /**
@@ -290,7 +297,10 @@ async function setupOpenId() {
               emailVerified: userinfo.email_verified || false,
               name: fullName,
             };
-            user = await createUser(user, true, true);
+
+            const balanceConfig = await getBalanceConfig();
+
+            user = await createUser(user, balanceConfig, true, true);
           } else {
             user.provider = 'openid';
             user.openidId = userinfo.sub;

api/strategies/openidStrategy.spec.js

@@ -1,9 +1,26 @@
 const fetch = require('node-fetch');
+const mongoose = require('mongoose');
 const jwtDecode = require('jsonwebtoken/decode');
-const { findUser, createUser, updateUser } = require('~/models/userMethods');
 const { setupOpenId } = require('./openidStrategy');
+const { getBalanceConfig } = require('~/server/services/Config');
 
 // --- Mocks ---
+const mockCreateUser = jest.fn();
+const mockFindUser = jest.fn();
+const mockUpdateUser = jest.fn();
+
+const mockModels = {
+  User: {
+    createUser: mockCreateUser,
+    findUser: mockFindUser,
+    updateUser: mockUpdateUser,
+  },
+};
+
+jest.mock('~/server/services/Config', () => ({
+  getBalanceConfig: jest.fn(),
+}));
+
 jest.mock('node-fetch');
 jest.mock('jsonwebtoken/decode');
 jest.mock('~/server/services/Files/strategies', () => ({
@@ -11,11 +28,7 @@ jest.mock('~/server/services/Files/strategies', () => ({
     saveBuffer: jest.fn().mockResolvedValue('/fake/path/to/avatar.png'),
   })),
 }));
-jest.mock('~/models/userMethods', () => ({
-  findUser: jest.fn(),
-  createUser: jest.fn(),
-  updateUser: jest.fn(),
-}));
+
 jest.mock('~/server/utils/crypto', () => ({
   hashToken: jest.fn().mockResolvedValue('hashed-token'),
 }));
@@ -109,7 +122,7 @@ describe('setupOpenId', () => {
       picture: 'https://example.com/avatar.png',
     }),
   };
-
+  const User = require('~/db/models').User;
   beforeEach(async () => {
     // Clear previous mock calls and reset implementations
     jest.clearAllMocks();
@@ -134,13 +147,16 @@ describe('setupOpenId', () => {
       roles: ['requiredRole'],
     });
 
+    User.findUser = jest.fn();
     // By default, assume that no user is found, so createUser will be called
-    findUser.mockResolvedValue(null);
-    createUser.mockImplementation(async (userData) => {
+
+    const balance = await getBalanceConfig.mockResolvedValue({ enabled: false });
+    User.createUser.mockImplementation(async (userData, balance) => {
       // simulate created user with an _id property
       return { _id: 'newUserId', ...userData };
     });
-    updateUser.mockImplementation(async (id, userData) => {
+    // User.updateUser = jest.fn();
+    User.updateUser.mockImplementation(async (id, userData) => {
       return { _id: id, ...userData };
     });
 
@@ -166,7 +182,7 @@ describe('setupOpenId', () => {
 
     // Assert
     expect(user.username).toBe(userinfo.username);
-    expect(createUser).toHaveBeenCalledWith(
+    expect(User.createUser).toHaveBeenCalledWith(
       expect.objectContaining({
         provider: 'openid',
         openidId: userinfo.sub,
@@ -174,6 +190,7 @@ describe('setupOpenId', () => {
         email: userinfo.email,
         name: `${userinfo.given_name} ${userinfo.family_name}`,
       }),
+      { enabled: false },
       true,
       true,
     );
@@ -191,8 +208,9 @@ describe('setupOpenId', () => {
 
     // Assert
     expect(user.username).toBe(expectUsername);
-    expect(createUser).toHaveBeenCalledWith(
+    expect(User.createUser).toHaveBeenCalledWith(
       expect.objectContaining({ username: expectUsername }),
+      { enabled: false },
       true,
       true,
     );
@@ -210,8 +228,9 @@ describe('setupOpenId', () => {
 
     // Assert
     expect(user.username).toBe(expectUsername);
-    expect(createUser).toHaveBeenCalledWith(
+    expect(User.createUser).toHaveBeenCalledWith(
       expect.objectContaining({ username: expectUsername }),
+      { enabled: false },
       true,
       true,
     );
@@ -227,8 +246,9 @@ describe('setupOpenId', () => {
 
     // Assert – username should equal the sub (converted as-is)
     expect(user.username).toBe(userinfo.sub);
-    expect(createUser).toHaveBeenCalledWith(
+    expect(User.createUser).toHaveBeenCalledWith(
       expect.objectContaining({ username: userinfo.sub }),
+      { enabled: false },
       true,
       true,
     );
@@ -268,11 +288,8 @@ describe('setupOpenId', () => {
       username: '',
       name: '',
     };
-    findUser.mockImplementation(async (query) => {
-      if (query.openidId === tokenset.claims().sub || query.email === tokenset.claims().email) {
-        return existingUser;
-      }
-      return null;
+    mockFindUser.mockImplementation(async (query) => {
+      return existingUser;
     });
 
     const userinfo = tokenset.claims();
@@ -281,7 +298,7 @@ describe('setupOpenId', () => {
     await validate(tokenset);
 
     // Assert – updateUser should be called and the user object updated
-    expect(updateUser).toHaveBeenCalledWith(
+    expect(User.updateUser).toHaveBeenCalledWith(
       existingUser._id,
       expect.objectContaining({
         provider: 'openid',

api/strategies/process.js

@@ -1,7 +1,8 @@
 const { FileSources } = require('librechat-data-provider');
-const { createUser, updateUser, getUserById } = require('~/models/userMethods');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { resizeAvatar } = require('~/server/services/Files/images/avatar');
+const { updateUser, createUser, getUserById } = require('~/models');
+const { getBalanceConfig } = require('~/server/services/Config');
 
 /**
  * Updates the avatar URL of an existing user. If the user's avatar URL does not include the query parameter
@@ -78,7 +79,8 @@ const createSocialUser = async ({
     emailVerified,
   };
 
-  const newUserId = await createUser(update);
+  const balanceConfig = await getBalanceConfig();
+  const newUserId = await createUser(update, balanceConfig);
   const fileStrategy = process.env.CDN_PROVIDER;
   const isLocal = fileStrategy === FileSources.local;
 

api/strategies/samlStrategy.js

@@ -0,0 +1,277 @@
+const fs = require('fs');
+const path = require('path');
+const fetch = require('node-fetch');
+const passport = require('passport');
+const { hashToken, logger } = require('@librechat/data-schemas');
+const { Strategy: SamlStrategy } = require('@node-saml/passport-saml');
+const { getStrategyFunctions } = require('~/server/services/Files/strategies');
+const { findUser, createUser, updateUser } = require('~/models');
+const { getBalanceConfig } = require('~/server/services/Config');
+const paths = require('~/config/paths');
+
+let crypto;
+try {
+  crypto = require('node:crypto');
+} catch (err) {
+  logger.error('[samlStrategy] crypto support is disabled!', err);
+}
+
+/**
+ * Retrieves the certificate content from the given value.
+ *
+ * This function determines whether the provided value is a certificate string (RFC7468 format or
+ * base64-encoded without a header) or a valid file path. If the value matches one of these formats,
+ * the certificate content is returned. Otherwise, an error is thrown.
+ *
+ * @see https://github.com/node-saml/node-saml/tree/master?tab=readme-ov-file#configuration-option-idpcert
+ * @param {string} value - The certificate string or file path.
+ * @returns {string} The certificate content if valid.
+ * @throws {Error} If the value is not a valid certificate string or file path.
+ */
+function getCertificateContent(value) {
+  if (typeof value !== 'string') {
+    throw new Error('Invalid input: SAML_CERT must be a string.');
+  }
+
+  // Check if it's an RFC7468 formatted PEM certificate
+  const pemRegex = new RegExp(
+    '-----BEGIN (CERTIFICATE|PUBLIC KEY)-----\n' + // header
+      '([A-Za-z0-9+/=]{64}\n)+' + // base64 content (64 characters per line)
+      '[A-Za-z0-9+/=]{1,64}\n' + //  base64 content (last line)
+      '-----END (CERTIFICATE|PUBLIC KEY)-----', // footer
+  );
+  if (pemRegex.test(value)) {
+    logger.info('[samlStrategy] Detected RFC7468-formatted certificate string.');
+    return value;
+  }
+
+  // Check if it's a Base64-encoded certificate (no header)
+  if (/^[A-Za-z0-9+/=]+$/.test(value) && value.length % 4 === 0) {
+    logger.info('[samlStrategy] Detected base64-encoded certificate string (no header).');
+    return value;
+  }
+
+  // Check if file exists and is readable
+  const certPath = path.normalize(path.isAbsolute(value) ? value : path.join(paths.root, value));
+  if (fs.existsSync(certPath) && fs.statSync(certPath).isFile()) {
+    try {
+      logger.info(`[samlStrategy] Loading certificate from file: ${certPath}`);
+      return fs.readFileSync(certPath, 'utf8').trim();
+    } catch (error) {
+      throw new Error(`Error reading certificate file: ${error.message}`);
+    }
+  }
+
+  throw new Error('Invalid cert: SAML_CERT must be a valid file path or certificate string.');
+}
+
+/**
+ * Retrieves a SAML claim from a profile object based on environment configuration.
+ * @param {object} profile - Saml profile
+ * @param {string} envVar - Environment variable name (SAML_*)
+ * @param {string} defaultKey -  Default key to use if the environment variable is not set
+ * @returns {string}
+ */
+function getSamlClaim(profile, envVar, defaultKey) {
+  const claimKey = process.env[envVar];
+
+  // Avoids accessing `profile[""]` when the environment variable is empty string.
+  if (claimKey) {
+    return profile[claimKey] ?? profile[defaultKey];
+  }
+  return profile[defaultKey];
+}
+
+function getEmail(profile) {
+  return getSamlClaim(profile, 'SAML_EMAIL_CLAIM', 'email');
+}
+
+function getUserName(profile) {
+  return getSamlClaim(profile, 'SAML_USERNAME_CLAIM', 'username');
+}
+
+function getGivenName(profile) {
+  return getSamlClaim(profile, 'SAML_GIVEN_NAME_CLAIM', 'given_name');
+}
+
+function getFamilyName(profile) {
+  return getSamlClaim(profile, 'SAML_FAMILY_NAME_CLAIM', 'family_name');
+}
+
+function getPicture(profile) {
+  return getSamlClaim(profile, 'SAML_PICTURE_CLAIM', 'picture');
+}
+
+/**
+ * Downloads an image from a URL using an access token.
+ * @param {string} url
+ * @returns {Promise<Buffer>}
+ */
+const downloadImage = async (url) => {
+  try {
+    const response = await fetch(url);
+    if (response.ok) {
+      return await response.buffer();
+    } else {
+      throw new Error(`${response.statusText} (HTTP ${response.status})`);
+    }
+  } catch (error) {
+    logger.error(`[samlStrategy] Error downloading image at URL "${url}": ${error}`);
+    return null;
+  }
+};
+
+/**
+ * Determines the full name of a user based on SAML profile and environment configuration.
+ *
+ * @param {Object} profile - The user profile object from SAML Connect
+ * @returns {string} The determined full name of the user
+ */
+function getFullName(profile) {
+  if (process.env.SAML_NAME_CLAIM) {
+    logger.info(
+      `[samlStrategy] Using SAML_NAME_CLAIM: ${process.env.SAML_NAME_CLAIM}, profile: ${profile[process.env.SAML_NAME_CLAIM]}`,
+    );
+    return profile[process.env.SAML_NAME_CLAIM];
+  }
+
+  const givenName = getGivenName(profile);
+  const familyName = getFamilyName(profile);
+
+  if (givenName && familyName) {
+    return `${givenName} ${familyName}`;
+  }
+
+  if (givenName) {
+    return givenName;
+  }
+  if (familyName) {
+    return familyName;
+  }
+
+  return getUserName(profile) || getEmail(profile);
+}
+
+/**
+ * Converts an input into a string suitable for a username.
+ * If the input is a string, it will be returned as is.
+ * If the input is an array, elements will be joined with underscores.
+ * In case of undefined or other falsy values, a default value will be returned.
+ *
+ * @param {string | string[] | undefined} input - The input value to be converted into a username.
+ * @param {string} [defaultValue=''] - The default value to return if the input is falsy.
+ * @returns {string} The processed input as a string suitable for a username.
+ */
+function convertToUsername(input, defaultValue = '') {
+  if (typeof input === 'string') {
+    return input;
+  } else if (Array.isArray(input)) {
+    return input.join('_');
+  }
+
+  return defaultValue;
+}
+
+async function setupSaml() {
+  try {
+    const samlConfig = {
+      entryPoint: process.env.SAML_ENTRY_POINT,
+      issuer: process.env.SAML_ISSUER,
+      callbackUrl: process.env.SAML_CALLBACK_URL,
+      idpCert: getCertificateContent(process.env.SAML_CERT),
+      wantAssertionsSigned: process.env.SAML_USE_AUTHN_RESPONSE_SIGNED === 'true' ? false : true,
+      wantAuthnResponseSigned: process.env.SAML_USE_AUTHN_RESPONSE_SIGNED === 'true' ? true : false,
+    };
+
+    passport.use(
+      'saml',
+      new SamlStrategy(samlConfig, async (profile, done) => {
+        try {
+          logger.info(`[samlStrategy] SAML authentication received for NameID: ${profile.nameID}`);
+          logger.debug('[samlStrategy] SAML profile:', profile);
+
+          let user = await findUser({ samlId: profile.nameID });
+          logger.info(
+            `[samlStrategy] User ${user ? 'found' : 'not found'} with SAML ID: ${profile.nameID}`,
+          );
+
+          if (!user) {
+            const email = getEmail(profile) || '';
+            user = await findUser({ email });
+            logger.info(
+              `[samlStrategy] User ${user ? 'found' : 'not found'} with email: ${profile.email}`,
+            );
+          }
+
+          const fullName = getFullName(profile);
+
+          const username = convertToUsername(
+            getUserName(profile) || getGivenName(profile) || getEmail(profile),
+          );
+
+          if (!user) {
+            user = {
+              provider: 'saml',
+              samlId: profile.nameID,
+              username,
+              email: getEmail(profile) || '',
+              emailVerified: true,
+              name: fullName,
+            };
+            const balanceConfig = await getBalanceConfig();
+            user = await createUser(user, balanceConfig, true, true);
+          } else {
+            user.provider = 'saml';
+            user.samlId = profile.nameID;
+            user.username = username;
+            user.name = fullName;
+          }
+
+          const picture = getPicture(profile);
+          if (picture && !user.avatar?.includes('manual=true')) {
+            const imageBuffer = await downloadImage(profile.picture);
+            if (imageBuffer) {
+              let fileName;
+              if (crypto) {
+                fileName = (await hashToken(profile.nameID)) + '.png';
+              } else {
+                fileName = profile.nameID + '.png';
+              }
+
+              const { saveBuffer } = getStrategyFunctions(process.env.CDN_PROVIDER);
+              const imagePath = await saveBuffer({
+                fileName,
+                userId: user._id.toString(),
+                buffer: imageBuffer,
+              });
+              user.avatar = imagePath ?? '';
+            }
+          }
+
+          user = await updateUser(user._id, user);
+
+          logger.info(
+            `[samlStrategy] Login success SAML ID: ${user.samlId} | email: ${user.email} | username: ${user.username}`,
+            {
+              user: {
+                samlId: user.samlId,
+                username: user.username,
+                email: user.email,
+                name: user.name,
+              },
+            },
+          );
+
+          done(null, user);
+        } catch (err) {
+          logger.error('[samlStrategy] Login failed', err);
+          done(err);
+        }
+      }),
+    );
+  } catch (err) {
+    logger.error('[samlStrategy]', err);
+  }
+}
+
+module.exports = { setupSaml, getCertificateContent };

api/strategies/samlStrategy.spec.js

@@ -0,0 +1,428 @@
+const fs = require('fs');
+const path = require('path');
+const fetch = require('node-fetch');
+const { Strategy: SamlStrategy } = require('@node-saml/passport-saml');
+const { findUser, createUser, updateUser } = require('~/models/userMethods');
+const { setupSaml, getCertificateContent } = require('./samlStrategy');
+
+// --- Mocks ---
+jest.mock('fs');
+jest.mock('path');
+jest.mock('node-fetch');
+jest.mock('@node-saml/passport-saml');
+jest.mock('~/models/userMethods', () => ({
+  findUser: jest.fn(),
+  createUser: jest.fn(),
+  updateUser: jest.fn(),
+}));
+jest.mock('~/server/services/Files/strategies', () => ({
+  getStrategyFunctions: jest.fn(() => ({
+    saveBuffer: jest.fn().mockResolvedValue('/fake/path/to/avatar.png'),
+  })),
+}));
+jest.mock('~/server/utils/crypto', () => ({
+  hashToken: jest.fn().mockResolvedValue('hashed-token'),
+}));
+jest.mock('~/server/utils', () => ({
+  isEnabled: jest.fn(() => false),
+}));
+jest.mock('~/config', () => ({
+  logger: {
+    info: jest.fn(),
+    debug: jest.fn(),
+    error: jest.fn(),
+  },
+}));
+
+// To capture the verify callback from the strategy, we grab it from the mock constructor
+let verifyCallback;
+SamlStrategy.mockImplementation((options, verify) => {
+  verifyCallback = verify;
+  return { name: 'saml', options, verify };
+});
+
+describe('getCertificateContent', () => {
+  const certWithHeader = `-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUKhXaFJGJJPx466rlwYORIsqCq7MwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNTAzMDQwODUxNTJaFw0yNjAz
+MDQwODUxNTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCWP09NZg0xaRiLpNygCVgV3M+4RFW2S0c5X/fg/uFT
+O5MfaVYzG5GxzhXzWRB8RtNPsxX/nlbPsoUroeHbz+SABkOsNEv6JuKRH4VXRH34
+VzjazVkPAwj+N4WqsC/Wo4EGGpKIGeGi8Zed4yvMqoTyE3mrS19fY0nMHT62wUwS
+GMm2pAQdAQePZ9WY7A5XOA1IoxW2Zh2Oxaf1p59epBkZDhoxSMu8GoSkvK27Km4A
+4UXftzdg/wHNPrNirmcYouioHdmrOtYxPjrhUBQ74AmE1/QK45B6wEgirKH1A1AW
+6C+ApLwpBMvy9+8Gbyvc8G18W3CjdEVKmAeWb9JUedSXAgMBAAGjUzBRMB0GA1Ud
+DgQWBBRxpaqBx8VDLLc8IkHATujj8IOs6jAfBgNVHSMEGDAWgBRxpaqBx8VDLLc8
+IkHATujj8IOs6jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc
+Puk6i+yowwGccB3LhfxZ+Fz6s6/Lfx6bP/Hy4NYOxmx2/awGBgyfp1tmotjaS9Cf
+FWd67LuEru4TYtz12RNMDBF5ypcEfibvb3I8O6igOSQX/Jl5D2pMChesZxhmCift
+Qp09T41MA8PmHf1G9oMG0A3ZnjKDG5ebaJNRFImJhMHsgh/TP7V3uZy7YHTgopKX
+Hv63V3Uo3Oihav29Q7urwmf7Ly7X7J2WE86/w3vRHi5dhaWWqEqxmnAXl+H+sG4V
+meeVRI332bg1Nuy8KnnX8v3ZeJzMBkAhzvSr6Ri96R0/Un/oEFwVC5jDTq8sXVn6
+u7wlOSk+oFzDIO/UILIA
+-----END CERTIFICATE-----`;
+
+  const certWithoutHeader = certWithHeader
+    .replace(/-----BEGIN CERTIFICATE-----/g, '')
+    .replace(/-----END CERTIFICATE-----/g, '')
+    .replace(/\s+/g, '');
+
+  it('should throw an error if SAML_CERT is not set', () => {
+    process.env.SAML_CERT;
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Invalid input: SAML_CERT must be a string.',
+    );
+  });
+
+  it('should throw an error if SAML_CERT is empty', () => {
+    process.env.SAML_CERT = '';
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Invalid cert: SAML_CERT must be a valid file path or certificate string.',
+    );
+  });
+
+  it('should load cert from an environment variable if it is a single-line string(with header)', () => {
+    process.env.SAML_CERT = certWithHeader;
+
+    const actual = getCertificateContent(process.env.SAML_CERT);
+    expect(actual).toBe(certWithHeader);
+  });
+
+  it('should load cert from an environment variable if it is a single-line string(with no header)', () => {
+    process.env.SAML_CERT = certWithoutHeader;
+
+    const actual = getCertificateContent(process.env.SAML_CERT);
+    expect(actual).toBe(certWithoutHeader);
+  });
+
+  it('should throw an error if SAML_CERT is a single-line string (with header, no newline characters)', () => {
+    process.env.SAML_CERT = certWithHeader.replace(/\n/g, '');
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Invalid cert: SAML_CERT must be a valid file path or certificate string.',
+    );
+  });
+
+  it('should load cert from a relative file path if SAML_CERT is valid', () => {
+    process.env.SAML_CERT = 'test.pem';
+    const resolvedPath = '/absolute/path/to/test.pem';
+
+    path.isAbsolute.mockReturnValue(false);
+    path.join.mockReturnValue(resolvedPath);
+    path.normalize.mockReturnValue(resolvedPath);
+
+    fs.existsSync.mockReturnValue(true);
+    fs.statSync.mockReturnValue({ isFile: () => true });
+    fs.readFileSync.mockReturnValue(certWithHeader);
+
+    const actual = getCertificateContent(process.env.SAML_CERT);
+    expect(actual).toBe(certWithHeader);
+  });
+
+  it('should load cert from an absolute file path if SAML_CERT is valid', () => {
+    process.env.SAML_CERT = '/absolute/path/to/test.pem';
+
+    path.isAbsolute.mockReturnValue(true);
+    path.normalize.mockReturnValue(process.env.SAML_CERT);
+
+    fs.existsSync.mockReturnValue(true);
+    fs.statSync.mockReturnValue({ isFile: () => true });
+    fs.readFileSync.mockReturnValue(certWithHeader);
+
+    const actual = getCertificateContent(process.env.SAML_CERT);
+    expect(actual).toBe(certWithHeader);
+  });
+
+  it('should throw an error if the file does not exist', () => {
+    process.env.SAML_CERT = 'missing.pem';
+    const resolvedPath = '/absolute/path/to/missing.pem';
+
+    path.isAbsolute.mockReturnValue(false);
+    path.join.mockReturnValue(resolvedPath);
+    path.normalize.mockReturnValue(resolvedPath);
+
+    fs.existsSync.mockReturnValue(false);
+
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Invalid cert: SAML_CERT must be a valid file path or certificate string.',
+    );
+  });
+
+  it('should throw an error if the file is not readable', () => {
+    process.env.SAML_CERT = 'unreadable.pem';
+    const resolvedPath = '/absolute/path/to/unreadable.pem';
+
+    path.isAbsolute.mockReturnValue(false);
+    path.join.mockReturnValue(resolvedPath);
+    path.normalize.mockReturnValue(resolvedPath);
+
+    fs.existsSync.mockReturnValue(true);
+    fs.statSync.mockReturnValue({ isFile: () => true });
+    fs.readFileSync.mockImplementation(() => {
+      throw new Error('Permission denied');
+    });
+
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Error reading certificate file: Permission denied',
+    );
+  });
+});
+
+describe('setupSaml', () => {
+  // Helper to wrap the verify callback in a promise
+  const validate = (profile) =>
+    new Promise((resolve, reject) => {
+      verifyCallback(profile, (err, user, details) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve({ user, details });
+        }
+      });
+    });
+
+  const baseProfile = {
+    nameID: 'saml-1234',
+    email: 'test@example.com',
+    given_name: 'First',
+    family_name: 'Last',
+    name: 'My Full Name',
+    username: 'flast',
+    picture: 'https://example.com/avatar.png',
+    custom_name: 'custom',
+  };
+
+  beforeEach(async () => {
+    jest.clearAllMocks();
+
+    const cert = `
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUKhXaFJGJJPx466rlwYORIsqCq7MwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNTAzMDQwODUxNTJaFw0yNjAz
+MDQwODUxNTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCWP09NZg0xaRiLpNygCVgV3M+4RFW2S0c5X/fg/uFT
+O5MfaVYzG5GxzhXzWRB8RtNPsxX/nlbPsoUroeHbz+SABkOsNEv6JuKRH4VXRH34
+VzjazVkPAwj+N4WqsC/Wo4EGGpKIGeGi8Zed4yvMqoTyE3mrS19fY0nMHT62wUwS
+GMm2pAQdAQePZ9WY7A5XOA1IoxW2Zh2Oxaf1p59epBkZDhoxSMu8GoSkvK27Km4A
+4UXftzdg/wHNPrNirmcYouioHdmrOtYxPjrhUBQ74AmE1/QK45B6wEgirKH1A1AW
+6C+ApLwpBMvy9+8Gbyvc8G18W3CjdEVKmAeWb9JUedSXAgMBAAGjUzBRMB0GA1Ud
+DgQWBBRxpaqBx8VDLLc8IkHATujj8IOs6jAfBgNVHSMEGDAWgBRxpaqBx8VDLLc8
+IkHATujj8IOs6jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc
+Puk6i+yowwGccB3LhfxZ+Fz6s6/Lfx6bP/Hy4NYOxmx2/awGBgyfp1tmotjaS9Cf
+FWd67LuEru4TYtz12RNMDBF5ypcEfibvb3I8O6igOSQX/Jl5D2pMChesZxhmCift
+Qp09T41MA8PmHf1G9oMG0A3ZnjKDG5ebaJNRFImJhMHsgh/TP7V3uZy7YHTgopKX
+Hv63V3Uo3Oihav29Q7urwmf7Ly7X7J2WE86/w3vRHi5dhaWWqEqxmnAXl+H+sG4V
+meeVRI332bg1Nuy8KnnX8v3ZeJzMBkAhzvSr6Ri96R0/Un/oEFwVC5jDTq8sXVn6
+u7wlOSk+oFzDIO/UILIA
+-----END CERTIFICATE-----
+    `;
+
+    // Reset environment variables
+    process.env.SAML_ENTRY_POINT = 'https://example.com/saml';
+    process.env.SAML_ISSUER = 'saml-issuer';
+    process.env.SAML_CERT = cert;
+    process.env.SAML_CALLBACK_URL = '/oauth/saml/callback';
+    delete process.env.SAML_EMAIL_CLAIM;
+    delete process.env.SAML_USERNAME_CLAIM;
+    delete process.env.SAML_GIVEN_NAME_CLAIM;
+    delete process.env.SAML_FAMILY_NAME_CLAIM;
+    delete process.env.SAML_PICTURE_CLAIM;
+    delete process.env.SAML_NAME_CLAIM;
+
+    findUser.mockResolvedValue(null);
+    createUser.mockImplementation(async (userData) => ({
+      _id: 'newUserId',
+      ...userData,
+    }));
+    updateUser.mockImplementation(async (id, userData) => ({
+      _id: id,
+      ...userData,
+    }));
+
+    // Simulate image download
+    const fakeBuffer = Buffer.from('fake image');
+    fetch.mockResolvedValue({
+      ok: true,
+      buffer: jest.fn().mockResolvedValue(fakeBuffer),
+    });
+
+    await setupSaml();
+  });
+
+  it('should create a new user with correct username when username claim exists', async () => {
+    const profile = { ...baseProfile };
+    const { user } = await validate(profile);
+
+    expect(user.username).toBe(profile.username);
+    expect(createUser).toHaveBeenCalledWith(
+      expect.objectContaining({
+        provider: 'saml',
+        samlId: profile.nameID,
+        username: profile.username,
+        email: profile.email,
+        name: `${profile.given_name} ${profile.family_name}`,
+      }),
+      true,
+      true,
+    );
+  });
+
+  it('should use given_name as username when username claim is missing', async () => {
+    const profile = { ...baseProfile };
+    delete profile.username;
+    const expectUsername = profile.given_name;
+
+    const { user } = await validate(profile);
+
+    expect(user.username).toBe(expectUsername);
+    expect(createUser).toHaveBeenCalledWith(
+      expect.objectContaining({ username: expectUsername }),
+      true,
+      true,
+    );
+  });
+
+  it('should use email as username when username and given_name are missing', async () => {
+    const profile = { ...baseProfile };
+    delete profile.username;
+    delete profile.given_name;
+    const expectUsername = profile.email;
+
+    const { user } = await validate(profile);
+
+    expect(user.username).toBe(expectUsername);
+    expect(createUser).toHaveBeenCalledWith(
+      expect.objectContaining({ username: expectUsername }),
+      true,
+      true,
+    );
+  });
+
+  it('should override username with SAML_USERNAME_CLAIM when set', async () => {
+    process.env.SAML_USERNAME_CLAIM = 'nameID';
+    const profile = { ...baseProfile };
+
+    const { user } = await validate(profile);
+
+    expect(user.username).toBe(profile.nameID);
+    expect(createUser).toHaveBeenCalledWith(
+      expect.objectContaining({ username: profile.nameID }),
+      true,
+      true,
+    );
+  });
+
+  it('should set the full name correctly when given_name and family_name exist', async () => {
+    const profile = { ...baseProfile };
+    const expectedFullName = `${profile.given_name} ${profile.family_name}`;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly when given_name exist', async () => {
+    const profile = { ...baseProfile };
+    delete profile.family_name;
+    const expectedFullName = profile.given_name;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly when family_name exist', async () => {
+    const profile = { ...baseProfile };
+    delete profile.given_name;
+    const expectedFullName = profile.family_name;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly when username exist', async () => {
+    const profile = { ...baseProfile };
+    delete profile.family_name;
+    delete profile.given_name;
+    const expectedFullName = profile.username;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly when email only exist', async () => {
+    const profile = { ...baseProfile };
+    delete profile.family_name;
+    delete profile.given_name;
+    delete profile.username;
+    const expectedFullName = profile.email;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly with SAML_NAME_CLAIM when set', async () => {
+    process.env.SAML_NAME_CLAIM = 'custom_name';
+    const profile = { ...baseProfile };
+    const expectedFullName = profile.custom_name;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should update an existing user on login', async () => {
+    const existingUser = {
+      _id: 'existingUserId',
+      provider: 'local',
+      email: baseProfile.email,
+      samlId: '',
+      username: '',
+      name: '',
+    };
+
+    findUser.mockImplementation(async (query) => {
+      if (query.samlId === baseProfile.nameID || query.email === baseProfile.email) {
+        return existingUser;
+      }
+      return null;
+    });
+
+    const profile = { ...baseProfile };
+    await validate(profile);
+
+    expect(updateUser).toHaveBeenCalledWith(
+      existingUser._id,
+      expect.objectContaining({
+        provider: 'saml',
+        samlId: baseProfile.nameID,
+        username: baseProfile.username,
+        name: `${baseProfile.given_name} ${baseProfile.family_name}`,
+      }),
+    );
+  });
+
+  it('should attempt to download and save the avatar if picture is provided', async () => {
+    const profile = { ...baseProfile };
+
+    const { user } = await validate(profile);
+
+    expect(fetch).toHaveBeenCalled();
+    expect(user.avatar).toBe('/fake/path/to/avatar.png');
+  });
+
+  it('should not attempt to download avatar if picture is not provided', async () => {
+    const profile = { ...baseProfile };
+    delete profile.picture;
+
+    await validate(profile);
+
+    expect(fetch).not.toHaveBeenCalled();
+  });
+});