LibreChat/packages
Dustin Healy 0f14dcce62 🔒 fix: Add ban check and fix domain allowlist on admin OAuth refresh
Two gaps in the /api/admin/oauth/refresh route:

Add middleware.checkBan to the route chain before preAuthTenantMiddleware,
matching the gate that /login/local and createOAuthHandler already apply.
Without it a banned admin could keep minting JWTs until their IdP refresh
token expired.

Replace getAppConfig({ baseOnly: true }) in the non-tenant isEmailAllowed
closure with getAppConfig({ role: user.role }), which includes DB-layer
overrides from the admin panel. baseOnly returns only YAML-derived config,
so any allowedDomains list maintained entirely through the admin panel was
silently inert on this path. Extract isEmailAllowedForUser as a shared
helper, move it into buildAdminRefreshClosures so both Google and OpenID
refresh paths enforce domain policy consistently, and add isEmailAllowed
to AdminRefreshDeps in the TS package so applyAdminRefresh can invoke it.
2026-06-22 10:10:59 -07:00
api 🔒 fix: Add ban check and fix domain allowlist on admin OAuth refresh 2026-06-22 10:10:59 -07:00
client 🎛️ feat: Redesign Settings with Registry-Driven Dialog, Search, and Mobile Drill-In (#13722) 2026-06-18 08:51:07 -04:00
data-provider 🕰️ feat: Resolve Agent Prompt Time Variables in User's Timezone (#13815) 2026-06-18 08:39:56 -04:00
data-schemas 🔖 fix: Decrement Bookmark Counts When Deleting Conversations (#13830) 2026-06-18 08:37:08 -04:00