What features would you like to see added?
Email domain restriction has recently been implemented.
But, if ownership of an email address is not verified by e.g. sending a "24h valid token" link to it, this mechanism can be bypassed by simply entering a random email from the correct domain. There is a high likelihood that the permitted domain will be the second-level domain of LibreChat itself and can hence be guessed easily (e.g. gpt.smallbusiness.com -> @smallbusiness.com).
As LibreChat already has mailing functionality for the password reset, maybe it makes sense to add a simple token-based verification to the registration process (1 line email).
Adding this will improve security and allow usage of LibreChat in business environments. Employees with a business email address who are allowed to register cannot bypass e.g. the daily token limit by creating multiple accounts for bogus email addresses. It also ensures that employees will not find their own email already registered when they didn't register that account themselves.
There are also legal considerations, as images/files can be uploaded. Files that are illegal to possess/distribute exist. So it should be possible to trace back such cases to the individual user.
More details
Maybe using an env var MAIL_CONF_REQUIRED or similar could make sense, as some people might not need confirmed accounts, or don't have (/ don't want to add) SMTP credentials to their LibreChat instance.
cf. https://blog.bitsrc.io/email-confirmation-with-react-257e5d9de725
Which components are impacted by your request?
General
Pictures
No response