Oliver/librechat-balances
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
librechat-balances/routes/webhooks.js
DJP 5c208d9a0c Add confirmation step to webhook approve/reject to prevent email scanner auto-clicks 
Email security scanners (Microsoft Defender Safe Links, etc.) pre-click
all links in emails. Previously the GET request directly approved the
request. Now GET shows a confirmation page and only POST (clicking the
confirm button) actually processes the approval/rejection.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 10:24:32 -04:00

327 lines
16 KiB
JavaScript
Raw Blame History

const { Router } = require('express');
const { MongoClient } = require('mongodb');
const { verifyToken } = require('../services/email');
const requestService = require('../services/requests');
const balanceService = require('../services/balance');
const history = require('../services/history');
const router = Router();
function htmlPage(title, message, success) {
const color = success ? '#4ade80' : '#f87171';
const icon = success ? '✓' : '✗';
return `<!DOCTYPE html>
<html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
<title>${title}</title>
<link href="https://fonts.googleapis.com/css2?family=Montserrat:wght@400;600;700&display=swap" rel="stylesheet">
<style>
body{margin:0;padding:0;background:#000;font-family:'Montserrat',Arial,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;color:#f8fafc}
.card{background:#111;border:1px solid rgba(255,196,7,0.15);border-radius:16px;padding:48px;max-width:440px;text-align:center}
.icon{width:64px;height:64px;border-radius:50%;display:flex;align-items:center;justify-content:center;margin:0 auto 20px;font-size:32px;background:${success ? 'rgba(74,222,128,0.15)' : 'rgba(248,113,113,0.15)'}}
h1{font-size:20px;margin:0 0 12px;color:${color}}
p{color:#94a3b8;font-size:14px;line-height:1.6;margin:0}
</style></head>
<body><div class="card"><div class="icon">${icon}</div><h1>${title}</h1><p>${message}</p></div></body></html>`;
}
function confirmPage(title, subtitle, request, actionUrl, token, expires, amount, btnLabel, btnColor) {
return `<!DOCTYPE html>
<html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
<title>${title}</title>
<link href="https://fonts.googleapis.com/css2?family=Montserrat:wght@400;500;600;700;800&display=swap" rel="stylesheet">
<style>
body{margin:0;padding:0;background:#000;font-family:'Montserrat',Arial,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;color:#f8fafc}
.card{background:#111;border:1px solid rgba(255,196,7,0.15);border-radius:16px;padding:40px;width:420px;max-width:90vw;text-align:center}
h2{font-size:20px;margin:0 0 4px;color:#FFC407}
.sub{color:#94a3b8;font-size:13px;margin:0 0 24px}
.info{background:rgba(20,20,20,0.8);border:1px solid rgba(255,196,7,0.1);border-radius:12px;padding:16px;margin-bottom:24px;text-align:left}
.info p{margin:0;font-size:13px}
.info .label{color:#94a3b8;font-size:11px;text-transform:uppercase;letter-spacing:0.5px;margin-bottom:2px}
.info .value{color:#f8fafc;font-weight:600}
.btn{display:inline-block;padding:14px 32px;color:#000;border:none;border-radius:10px;font-family:'Montserrat',sans-serif;font-size:14px;font-weight:700;cursor:pointer;text-decoration:none;background:${btnColor}}
.btn:hover{opacity:0.9}
.cancel{display:inline-block;margin-top:12px;color:#94a3b8;font-size:13px;text-decoration:none}
.cancel:hover{color:#f8fafc}
</style></head>
<body>
<div class="card">
<h2>${title}</h2>
<p class="sub">${subtitle}</p>
<div class="info">
<p class="label">Email</p>
<p class="value">${request.email}</p>
<p class="label" style="margin-top:12px">OMG Job #</p>
<p class="value">${request.omgJobNumber}</p>
${amount !== 'reject' ? `<p class="label" style="margin-top:12px">Amount</p><p class="value">${(parseInt(amount) / 1000000).toFixed(1)}M tokens</p>` : ''}
</div>
<form method="POST" action="${actionUrl}">
<input type="hidden" name="token" value="${token}">
<input type="hidden" name="expires" value="${expires}">
<input type="hidden" name="amount" value="${amount}">
<button type="submit" class="btn">${btnLabel}</button>
</form>
<br><a href="javascript:window.close()" class="cancel">Cancel</a>
</div>
</body></html>`;
}
async function getDbAndUser(email) {
const MONGO_URI = process.env.MONGO_URI || 'mongodb://localhost:27017/LibreChat';
const client = new MongoClient(MONGO_URI);
await client.connect();
const db = client.db();
const user = await db.collection('users').findOne(
{ email: email.toLowerCase() },
{ projection: { _id: 1, email: 1 } },
);
return { client, db, user };
}
async function processApproval(requestId, numAmount) {
const requests = requestService.getAll();
const request = requests.find(r => r.id === requestId);
if (!request) return { error: 'Not Found', message: 'This request could not be found.', status: 404 };
if (request.status !== 'pending') {
return { error: 'Already Processed', message: `This request was already ${request.status}${request.amountApproved ? ' with ' + (request.amountApproved / 1000000).toFixed(1) + 'M tokens' : ''}.`, status: 400 };
}
const { client, db, user } = await getDbAndUser(request.email);
if (!user) {
await client.close();
return { error: 'User Not Found', message: `No LibreChat user found with email: ${request.email}`, status: 404 };
}
const result = await balanceService.addBalance(db, user._id.toString(), numAmount);
await client.close();
history.log({
email: request.email,
action: 'approve',
amount: numAmount,
source: 'email',
omgJobNumber: request.omgJobNumber,
balanceAfter: result.tokenCredits,
});
requestService.updateRequest(requestId, 'approved', numAmount);
const formatted = (numAmount / 1000000).toFixed(1) + 'M';
return { success: true, message: `${formatted} tokens added to ${request.email}. New balance: ${result.tokenCredits.toLocaleString()} tokens.` };
}
// GET approve — shows confirmation page (safe for email link scanners)
router.get('/approve/:requestId', async (req, res) => {
try {
const { token, amount, expires } = req.query;
if (!verifyToken(req.params.requestId, amount, expires, token)) {
return res.status(403).send(htmlPage('Link Expired or Invalid', 'This approval link has expired or is invalid. Please use the admin dashboard to process this request.', false));
}
const requests = requestService.getAll();
const request = requests.find(r => r.id === req.params.requestId);
if (!request) return res.status(404).send(htmlPage('Not Found', 'This request could not be found.', false));
if (request.status !== 'pending') {
return res.status(400).send(htmlPage('Already Processed', `This request was already ${request.status}${request.amountApproved ? ' with ' + (request.amountApproved / 1000000).toFixed(1) + 'M tokens' : ''}.`, false));
}
res.send(confirmPage(
'Confirm Approval',
'Click the button below to approve this credit request.',
request,
'',
token,
expires,
amount,
`Approve ${(parseInt(amount) / 1000000).toFixed(1)}M Tokens`,
'#4ade80',
));
} catch (err) {
console.error('[webhook] Approve page error:', err);
res.status(500).send(htmlPage('Error', 'Something went wrong. Please use the admin dashboard.', false));
}
});
// POST approve — actually processes the approval
router.use('/approve/:requestId', require('express').urlencoded({ extended: false }));
router.post('/approve/:requestId', async (req, res) => {
try {
const { token, amount, expires } = req.body;
if (!verifyToken(req.params.requestId, amount, expires, token)) {
return res.status(403).send(htmlPage('Link Expired or Invalid', 'This approval link has expired or is invalid.', false));
}
const numAmount = parseInt(amount);
if (isNaN(numAmount) || numAmount <= 0) {
return res.status(400).send(htmlPage('Invalid Amount', 'Invalid amount specified.', false));
}
const result = await processApproval(req.params.requestId, numAmount);
if (result.error) return res.status(result.status).send(htmlPage(result.error, result.message, false));
res.send(htmlPage('Request Approved', result.message, true));
} catch (err) {
console.error('[webhook] Approve error:', err);
res.status(500).send(htmlPage('Error', 'Something went wrong processing this approval. Please use the admin dashboard.', false));
}
});
// GET reject — shows confirmation page
router.get('/reject/:requestId', async (req, res) => {
try {
const { token, expires } = req.query;
if (!verifyToken(req.params.requestId, 'reject', expires, token)) {
return res.status(403).send(htmlPage('Link Expired or Invalid', 'This rejection link has expired or is invalid.', false));
}
const requests = requestService.getAll();
const request = requests.find(r => r.id === req.params.requestId);
if (!request) return res.status(404).send(htmlPage('Not Found', 'This request could not be found.', false));
if (request.status !== 'pending') {
return res.status(400).send(htmlPage('Already Processed', `This request was already ${request.status}.`, false));
}
res.send(confirmPage(
'Confirm Rejection',
'Click the button below to reject this credit request.',
request,
'',
token,
expires,
'reject',
'Reject Request',
'#f87171',
));
} catch (err) {
console.error('[webhook] Reject page error:', err);
res.status(500).send(htmlPage('Error', 'Something went wrong. Please use the admin dashboard.', false));
}
});
// POST reject — actually processes the rejection
router.use('/reject/:requestId', require('express').urlencoded({ extended: false }));
router.post('/reject/:requestId', async (req, res) => {
try {
const { token, expires } = req.body;
if (!verifyToken(req.params.requestId, 'reject', expires, token)) {
return res.status(403).send(htmlPage('Link Expired or Invalid', 'This rejection link has expired or is invalid.', false));
}
const requests = requestService.getAll();
const request = requests.find(r => r.id === req.params.requestId);
if (!request) return res.status(404).send(htmlPage('Not Found', 'This request could not be found.', false));
if (request.status !== 'pending') {
return res.status(400).send(htmlPage('Already Processed', `This request was already ${request.status}.`, false));
}
requestService.updateRequest(req.params.requestId, 'rejected', null);
res.send(htmlPage('Request Rejected', `Credit request from ${request.email} (${request.omgJobNumber}) has been rejected.`, true));
} catch (err) {
console.error('[webhook] Reject error:', err);
res.status(500).send(htmlPage('Error', 'Something went wrong. Please use the admin dashboard.', false));
}
});
// GET custom — shows amount input form
router.get('/custom/:requestId', async (req, res) => {
try {
const { token, expires } = req.query;
if (!verifyToken(req.params.requestId, 'custom', expires, token)) {
return res.status(403).send(htmlPage('Link Expired or Invalid', 'This link has expired or is invalid.', false));
}
const requests = requestService.getAll();
const request = requests.find(r => r.id === req.params.requestId);
if (!request) return res.status(404).send(htmlPage('Not Found', 'This request could not be found.', false));
if (request.status !== 'pending') {
return res.status(400).send(htmlPage('Already Processed', `This request was already ${request.status}.`, false));
}
res.send(`<!DOCTYPE html>
<html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
<title>Custom Approve - ${request.email}</title>
<link href="https://fonts.googleapis.com/css2?family=Montserrat:wght@400;500;600;700;800&display=swap" rel="stylesheet">
<style>
body{margin:0;padding:0;background:#000;font-family:'Montserrat',Arial,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;color:#f8fafc}
.card{background:#111;border:1px solid rgba(255,196,7,0.15);border-radius:16px;padding:40px;width:420px;max-width:90vw}
h2{font-size:18px;margin:0 0 4px;color:#FFC407}
.sub{color:#94a3b8;font-size:13px;margin:0 0 24px}
label{display:block;font-size:12px;font-weight:600;text-transform:uppercase;letter-spacing:0.5px;color:#94a3b8;margin-bottom:8px}
input{width:100%;background:rgba(30,30,30,0.8);border:1px solid rgba(255,196,7,0.12);border-radius:10px;padding:14px 16px;color:#f8fafc;font-family:'Montserrat',sans-serif;font-size:16px;outline:none;box-sizing:border-box}
input:focus{border-color:#FFC407}
.presets{display:flex;gap:8px;flex-wrap:wrap;margin:12px 0 24px}
.preset{background:rgba(30,30,30,0.8);border:1px solid rgba(255,196,7,0.12);color:#94a3b8;padding:8px 16px;border-radius:8px;cursor:pointer;font-family:'Montserrat',sans-serif;font-size:13px;font-weight:600}
.preset:hover{border-color:#FFC407;color:#FFC407}
.btn{width:100%;padding:14px;background:#4ade80;color:#000;border:none;border-radius:10px;font-family:'Montserrat',sans-serif;font-size:14px;font-weight:700;cursor:pointer}
.btn:hover{background:#22c55e}
.info{background:rgba(20,20,20,0.8);border:1px solid rgba(255,196,7,0.1);border-radius:12px;padding:16px;margin-bottom:24px}
.info p{margin:0;font-size:13px}
.info .label{color:#94a3b8;font-size:11px;text-transform:uppercase;letter-spacing:0.5px;margin-bottom:2px}
.info .value{color:#f8fafc;font-weight:600}
</style></head>
<body>
<div class="card">
<h2>Custom Approve</h2>
<p class="sub">Choose an amount to approve for this request</p>
<div class="info">
<p class="label">Email</p>
<p class="value">${request.email}</p>
<p class="label" style="margin-top:12px">OMG Job #</p>
<p class="value">${request.omgJobNumber}</p>
</div>
<form method="POST" action="">
<input type="hidden" name="token" value="${token}">
<input type="hidden" name="expires" value="${expires}">
<label>Amount (tokens)</label>
<input type="number" name="amount" id="amt" placeholder="e.g. 12000000" required autofocus>
<div class="presets">
<span class="preset" onclick="document.getElementById('amt').value=1000000">1M</span>
<span class="preset" onclick="document.getElementById('amt').value=5000000">5M</span>
<span class="preset" onclick="document.getElementById('amt').value=10000000">10M</span>
<span class="preset" onclick="document.getElementById('amt').value=12000000">12M</span>
<span class="preset" onclick="document.getElementById('amt').value=20000000">20M</span>
<span class="preset" onclick="document.getElementById('amt').value=50000000">50M</span>
</div>
<button type="submit" class="btn">Approve & Top Up</button>
</form>
</div>
</body></html>`);
} catch (err) {
console.error('[webhook] Custom page error:', err);
res.status(500).send(htmlPage('Error', 'Something went wrong. Please use the admin dashboard.', false));
}
});
// POST custom — processes custom amount approval
router.use('/custom/:requestId', require('express').urlencoded({ extended: false }));
router.post('/custom/:requestId', async (req, res) => {
try {
const { token, expires, amount } = req.body;
if (!verifyToken(req.params.requestId, 'custom', expires, token)) {
return res.status(403).send(htmlPage('Link Expired or Invalid', 'This link has expired or is invalid.', false));
}
const numAmount = parseInt(amount);
if (isNaN(numAmount) || numAmount <= 0) {
return res.status(400).send(htmlPage('Invalid Amount', 'Please enter a valid positive number.', false));
}
const result = await processApproval(req.params.requestId, numAmount);
if (result.error) return res.status(result.status).send(htmlPage(result.error, result.message, false));
res.send(htmlPage('Request Approved', result.message, true));
} catch (err) {
console.error('[webhook] Custom approve error:', err);
res.status(500).send(htmlPage('Error', 'Something went wrong. Please use the admin dashboard.', false));
}
});
module.exports = router;
Reference in a new issue View git blame Copy permalink