LibreChat
ConfigurationMongoDB

MongoDB Authentication

Setup authentication on your docker mongodb with the docker-compose.override.yml file

This guide will demonstrate how to use the docker-compose.override.yml file to allows us to enable explicit authentication for MongoDB.

For more info about the override file, please consult: Docker Compose Override

Notes:

  • The default configuration is secure by blocking external port access, but we can take it a step further with access credentials.
  • As noted by the developers of MongoDB themselves, authentication in MongoDB is fairly complex. We will be taking a simple approach that will be good enough for most cases, especially for existing configurations of LibreChat. To learn more about how mongodb authentication works with docker, see here: https://hub.docker.com/_/mongo/
  • This guide focuses exclusively on terminal-based setup procedures.
  • While the steps outlined may also be applicable to Docker Desktop environments, or with non-Docker, local MongoDB, or other container setups, details specific to those scenarios are not provided.

There are 3 basic steps:

  • Create an admin user within your mongodb container
  • Enable authentication and create a "readWrite" user for "LibreChat"
  • Configure the MONGO_URI with newly created user

TL;DR

These are all the necessary commands if you'd like to run through these quickly or for reference:

Example

Example docker-compose.override.yml file using the librechat.yaml config file, MongoDB Authentication, and mongo-express for managing your MongoDB database:

Step 1: Creating an Admin User

First, we must stop the default containers from running, and only run the mongodb container.

docker compose down
docker compose up -d mongodb

Note: The -d flag detaches the current terminal instance as the container runs in the background. If you would like to see the mongodb log outputs, omit it and continue in a separate terminal.

Once running, we will enter the container's terminal and execute mongosh:

docker exec -it chat-mongodb mongosh

You should see the following output:

~/LibreChat$ docker exec -it chat-mongodb mongosh
Current Mongosh Log ID: 65bfed36f7d7e3c2b01bcc3d
Connecting to:          mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
Using MongoDB:          7.0.4
Using Mongosh:          2.1.1
 
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
 
test>

Optional: While we're here, we can disable telemetry for mongodb if desired, which is anonymous usage data collected and sent to MongoDB periodically:

Execute the command below.

Notes:

  • All subsequent commands should be run in the current terminal session, regardless of the environment (Docker, Linux, mongosh, etc.)
  • I will represent the actual terminal view with # example input/output or simply showing the output in some cases

Command:

disableTelemetry()

Example input/output:

test> disableTelemetry()
Telemetry is now disabled.

Now, we must access the admin database, which mongodb creates by default to create our admin user:

use admin

switched to db admin

Replace the credentials as desired and keep in your secure records for the rest of the guide.

Run command to create the admin user:

db.createUser({ user: "adminUser", pwd: "securePassword", roles: ["userAdminAnyDatabase", "readWriteAnyDatabase"] })

You should see an "ok" output.

You can also confirm the admin was created by running show users:

admin> show users
[
  {
    _id: 'admin.adminUser',
    userId: UUID('86e90441-b5b7-4043-9662-305540dfa6cf'),
    user: 'adminUser',
    db: 'admin',
    roles: [
      { role: 'userAdminAnyDatabase', db: 'admin' },
      { role: 'readWriteAnyDatabase', db: 'admin' }
    ],
    mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
  }
]

:warning: Important: if you are using mongo-express to manage your database (guide here), you need the additional permissions for the mongo-express service to run correctly:

db.grantRolesToUser("adminUser", ["clusterAdmin", "readAnyDatabase"])

Exit the Mongosh/Container Terminal by running exit:

admin> exit

And shut down the running container:

docker compose down

Step 2: Enabling Authentication and Creating a User with readWrite Access

We must now create/edit the docker-compose.override.yml file to enable authentication for our mongodb container. You can use this configuration to start or reference:

version: '3.4'
 
services:
  api:
    volumes:
      - ./librechat.yaml:/app/librechat.yaml # Optional for using the librechat config file.
  mongodb:
    command: mongod --auth # <--- Add this to enable authentication

After configuring the override file as above, run the mongodb container again:

docker compose up -d mongodb

And access mongosh as the admin user:

docker exec -it chat-mongodb mongosh -u adminUser -p securePassword --authenticationDatabase admin

Confirm you are authenticated:

db.runCommand({ connectionStatus: 1 })
test> db.runCommand({ connectionStatus: 1 })
{
  authInfo: {
    authenticatedUsers: [ { user: 'adminUser', db: 'admin' } ],
    authenticatedUserRoles: [
      { role: 'readWriteAnyDatabase', db: 'admin' },
      { role: 'userAdminAnyDatabase', db: 'admin' }
    ]
  },
  ok: 1
}
test>

Switch to the "LibreChat" database

Note: This the default database unless you changed it via the MONGO_URI; default URI: MONGO_URI=mongodb://mongodb:27017/LibreChat

use LibreChat

Now we'll create the actual credentials to be used by our Mongo connection string, which will be limited to read/write access of the "LibreChat" database. As before, replace the example with your desired credentials:

db.createUser({ user: 'user', pwd: 'userpasswd', roles: [ { role: "readWrite", db: "LibreChat" } ] });

You should see an "ok" output again.

You can verify the user creation with the show users command.

Exit the Mongosh/Container Terminal again with exit, and bring the container down:

exit
docker compose down

I had an issue where the newly created user would not persist after creating it. To solve this, I simply repeated the steps to ensure it was created. Here they are for your convenience:

docker compose down
docker compose up -d mongodb
docker exec -it chat-mongodb mongosh -u adminUser -p securePassword --authenticationDatabase admin
use LibreChat
show users
db.createUser({ user: 'user', pwd: 'userpasswd', roles: [ { role: "readWrite", db: "LibreChat" } ] });

If it's still not persisting, you can try running the commands with all containers running, but note that the LibreChat container will be in an error/retrying state.

Step 3: Update the MONGO_URI to Use the New Credentials

Finally, we add the new connection string with our newly created credentials to our docker-compose.override.yml file under the api service:

    environment:
      - MONGO_URI=mongodb://user:userpasswd@mongodb:27017/LibreChat

So our override file looks like this now:

version: '3.4'
 
services:
  api:
    volumes:
      - ./librechat.yaml:/app/librechat.yaml
    environment:
      - MONGO_URI=mongodb://user:userpasswd@mongodb:27017/LibreChat
  mongodb:
    command: mongod --auth

You should now run docker compose up successfully authenticated with read/write access to the LibreChat database

Example successful connection:

LibreChat         | 2024-02-04 20:59:43 info: Server listening on all interfaces at port 3080. Use http://localhost:3080 to access it
chat-mongodb      | {"t":{"$date":"2024-02-04T20:59:53.880+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.160.4:58114","uuid":{"uuid":{"$uuid":"027bdc7b-a3f4-429a-80ee-36cd172058ec"}},"connectionId":17,"connectionCount":10}}

If you're having Authentication errors, run the last part of Step 2 again. I'm not sure why it's finicky but it will work after a few tries.

How is this guide?

Edit on GitHub

Previous

MongoDB Atlas

Next

MongoDB Community Server

On this page