adding litellm config

jameshiester · jameshiester · commit 152d3c0e8020 · 2025-12-02T06:47:58.000-08:00
diff --git a/litellm_config.yaml b/litellm_config.yaml
@@ -6,6 +6,10 @@ model_list:
     litellm_params:
       model: gpt-5-mini
       api_key: os.environ/OPENAI_API_KEY
+  - model_name: claude-3-5-haiku-latest
+    litellm_params:
+      model: claude-3-5-haiku-latest
+      api_key: os.environ/ANTHROPIC_API_KEY
 
 # General settings
 general_settings:
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -14,9 +14,11 @@
   "author": "",
   "license": "UNLICENSED",
   "dependencies": {
+    "@types/js-yaml": "^4.0.9",
     "@types/jsonwebtoken": "^9.0.10",
     "dotenv": "^16.4.5",
     "express": "^4.18.2",
+    "js-yaml": "^4.1.1",
     "jsonwebtoken": "^9.0.2",
     "zod": "^3.22.4"
   },
diff --git a/src/domains/finance/secure.txt b/src/domains/finance/secure.txt
@@ -9,5 +9,5 @@ You are a financial assistant. Help users with questions about banking, investme
     - Making any statement about possible future returns of a stock, index, financial instrument, investment, investment strategy, or collection of financial instruments
     - Making any statements about a stock, index, financial instrument, investment, investment strategy, or collection of financial instruments that are not stricly factual.
     - Always use as short and neutral tone as possible when referring to any stock, index, financial instrument, investment, investment strategy, or collection of financial instruments
-Always remind users to verify information with their financial institutions.
+
 
diff --git a/src/middleware/auth.ts b/src/middleware/auth.ts
@@ -46,6 +46,7 @@ export function authenticateToken(req: Request, res: Response, next: NextFunctio
     }) as jwt.JwtPayload;
 
     // Attach decoded token to request object for use in handlers
+    // @ts-ignore
     req.user = decoded;
 
     next();
diff --git a/src/routes/chat.ts b/src/routes/chat.ts
@@ -1,9 +1,13 @@
 import { Request, Response } from 'express';
 import { z } from 'zod';
 import { getSystemPrompt } from '../domains';
+import { getAllowedModels, isModelAllowed } from '../utils/litellm-config';
 
 const LITELLM_SERVER_URL = process.env.LITELLM_SERVER_URL || 'http://localhost:4000';
 
+// Get allowed models from LiteLLM config
+const allowedModels = getAllowedModels();
+
 // Map fish names to internal security levels
 const FISH_TO_LEVEL: Record<string, 'insecure' | 'secure'> = {
   minnow: 'insecure',
@@ -17,7 +21,19 @@ const levelPathSchema = z.object({
 
 // Zod schema for query parameters
 const chatQuerySchema = z.object({
-  model: z.string().optional(),
+  model: z.string().optional().refine(
+    (val) => {
+      // If no model specified, allow it (LiteLLM will use default)
+      if (!val) return true;
+      // If no allowed models configured, allow any model (fail open)
+      if (allowedModels.length === 0) return true;
+      // Otherwise, check if model is in allowed list
+      return isModelAllowed(val);
+    },
+    {
+      message: `Model must be one of the allowed models: ${allowedModels.join(', ')}`,
+    }
+  ),
   domain: z.enum(['general', 'finance', 'medicine', 'vacation-rental', 'taxes']).default('general'),
 }).strict();
 
@@ -114,16 +130,12 @@ export async function chatHandler(req: Request, res: Response): Promise<void> {
       ...userMessages
     ];
 
-    // Prepare LiteLLM request
+    // Prepare LiteLLM request with default model
     const litellmRequest: any = {
-      messages: messages
+      messages: messages,
+      model: model || 'gpt-5-mini', // Default to gpt-5-mini if not specified
     };
 
-    // Add model if provided
-    if (model) {
-      litellmRequest.model = model;
-    }
-
     // Forward request to LiteLLM server
     const response = await fetch(`${LITELLM_SERVER_URL}/v1/chat/completions`, {
       method: 'POST',
diff --git a/src/routes/oauth.ts b/src/routes/oauth.ts
@@ -8,6 +8,12 @@ interface ClientConfig {
   role: 'readonly' | 'readwrite' | 'admin';
 }
 
+interface UserConfig {
+  username: string;
+  password: string;
+  role: 'readonly' | 'readwrite' | 'admin';
+}
+
 // Load client configurations from environment variables
 const clients: ClientConfig[] = [
   {
@@ -27,27 +33,37 @@ const clients: ClientConfig[] = [
   },
 ].filter((client) => client.clientId && client.clientSecret) as ClientConfig[]; // Filter out unconfigured clients
 
+// Load user configurations from environment variables
+// Format: OAUTH_USER_USERNAME=password:role (e.g., OAUTH_USER_ADMIN=secret123:admin)
+// Or use separate variables: OAUTH_USERNAME_READONLY, OAUTH_PASSWORD_READONLY, etc.
+const users: UserConfig[] = [
+  {
+    username: process.env.OAUTH_USERNAME_READONLY || '',
+    password: process.env.OAUTH_PASSWORD_READONLY || '',
+    role: 'readonly' as const,
+  },
+  {
+    username: process.env.OAUTH_USERNAME_READWRITE || '',
+    password: process.env.OAUTH_PASSWORD_READWRITE || '',
+    role: 'readwrite' as const,
+  },
+  {
+    username: process.env.OAUTH_USERNAME_ADMIN || '',
+    password: process.env.OAUTH_PASSWORD_ADMIN || '',
+    role: 'admin' as const,
+  },
+].filter((user) => user.username && user.password) as UserConfig[]; // Filter out unconfigured users
+
 const TOKEN_EXPIRES_IN = parseInt(process.env.OAUTH_TOKEN_EXPIRES_IN || '3600', 10);
 
 /**
  * OAuth 2.0 Token endpoint handler
- * Supports client_credentials grant type
+ * Supports client_credentials and password grant types
  */
 export async function tokenHandler(req: Request, res: Response): Promise<void> {
   try {
-    // Validate that at least one client is configured
-    if (clients.length === 0) {
-      res.status(500).json({
-        error: 'server_error',
-        error_description: 'OAuth server configuration error: No clients configured',
-      });
-      return;
-    }
-
     // OAuth token endpoint expects application/x-www-form-urlencoded
     const grantType = req.body.grant_type;
-    const clientId = req.body.client_id;
-    const clientSecret = req.body.client_secret;
     const scope = req.body.scope;
 
     // Validate grant_type
@@ -59,42 +75,110 @@ export async function tokenHandler(req: Request, res: Response): Promise<void> {
       return;
     }
 
-    if (grantType !== 'client_credentials') {
-      res.status(400).json({
-        error: 'invalid_grant',
-        error_description: 'Unsupported grant type',
-      });
-      return;
+    let role: 'readonly' | 'readwrite' | 'admin';
+    let subject: string; // client_id or username
+
+    // Handle client_credentials grant
+    if (grantType === 'client_credentials') {
+      // Validate that at least one client is configured
+      if (clients.length === 0) {
+        res.status(500).json({
+          error: 'server_error',
+          error_description: 'OAuth server configuration error: No clients configured',
+        });
+        return;
+      }
+
+      const clientId = req.body.client_id;
+      const clientSecret = req.body.client_secret;
+
+      // Validate client_id
+      if (!clientId) {
+        res.status(400).json({
+          error: 'invalid_request',
+          error_description: 'Missing required parameter: client_id',
+        });
+        return;
+      }
+
+      // Validate client_secret
+      if (!clientSecret) {
+        res.status(400).json({
+          error: 'invalid_request',
+          error_description: 'Missing required parameter: client_secret',
+        });
+        return;
+      }
+
+      // Look up client in configuration
+      const client = clients.find(
+        (c) => c.clientId === clientId && c.clientSecret === clientSecret
+      );
+
+      // Authenticate client
+      if (!client) {
+        res.status(401).json({
+          error: 'invalid_client',
+          error_description: 'Invalid client credentials',
+        });
+        return;
+      }
+
+      role = client.role;
+      subject = clientId;
     }
-
-    // Validate client_id
-    if (!clientId) {
+    // Handle password grant
+    else if (grantType === 'password') {
+      // Validate that at least one user is configured
+      if (users.length === 0) {
+        res.status(500).json({
+          error: 'server_error',
+          error_description: 'OAuth server configuration error: No users configured',
+        });
+        return;
+      }
+
+      const username = req.body.username;
+      const password = req.body.password;
+
+      // Validate username
+      if (!username) {
+        res.status(400).json({
+          error: 'invalid_request',
+          error_description: 'Missing required parameter: username',
+        });
+        return;
+      }
+
+      // Validate password
+      if (!password) {
+        res.status(400).json({
+          error: 'invalid_request',
+          error_description: 'Missing required parameter: password',
+        });
+        return;
+      }
+
+      // Look up user in configuration
+      const user = users.find(
+        (u) => u.username === username && u.password === password
+      );
+
+      // Authenticate user
+      if (!user) {
+        res.status(401).json({
+          error: 'invalid_grant',
+          error_description: 'Invalid username or password',
+        });
+        return;
+      }
+
+      role = user.role;
+      subject = username;
+    } else {
       res.status(400).json({
-        error: 'invalid_request',
-        error_description: 'Missing required parameter: client_id',
-      });
-      return;
-    }
-
-    // Validate client_secret
-    if (!clientSecret) {
-      res.status(400).json({
-        error: 'invalid_request',
-        error_description: 'Missing required parameter: client_secret',
-      });
-      return;
-    }
-
-    // Look up client in configuration
-    const client = clients.find(
-      (c) => c.clientId === clientId && c.clientSecret === clientSecret
-    );
-
-    // Authenticate client
-    if (!client) {
-      res.status(401).json({
-        error: 'invalid_client',
-        error_description: 'Invalid client credentials',
+        error: 'invalid_grant',
+        error_description: 'Unsupported grant type. Supported types: client_credentials, password',
       });
       return;
     }
@@ -105,11 +189,11 @@ export async function tokenHandler(req: Request, res: Response): Promise<void> {
 
     const payload: jwt.JwtPayload = {
       iss: 'example-app', // Issuer
-      sub: clientId, // Subject (client_id)
+      sub: subject, // Subject (client_id or username)
       aud: 'example-app', // Audience
       exp: expiresAt, // Expiration time
       iat: now, // Issued at
-      role: client.role, // Role based on authenticated client
+      role: role, // Role based on authenticated client or user
     };
 
     // Add scope if provided
diff --git a/src/server.ts b/src/server.ts
@@ -1,12 +1,13 @@
+// Load environment variables FIRST before any other imports
 import dotenv from 'dotenv';
+dotenv.config();
+
 import express, { Request, Response } from 'express';
 import { chatHandler } from './routes/chat';
 import { tokenHandler, jwksHandler } from './routes/oauth';
 import { generateRSAKeyPair } from './utils/jwt-keys';
 import { authenticateToken } from './middleware/auth';
 
-dotenv.config();
-
 // Initialize OAuth key pair on startup
 generateRSAKeyPair();
 console.log('OAuth RSA key pair generated');
diff --git a/src/utils/litellm-config.ts b/src/utils/litellm-config.ts
