LibreChat/api
Dustin Healy 0f14dcce62 🔒 fix: Add ban check and fix domain allowlist on admin OAuth refresh
Two gaps in the /api/admin/oauth/refresh route:

Add middleware.checkBan to the route chain before preAuthTenantMiddleware,
matching the gate that /login/local and createOAuthHandler already apply.
Without it a banned admin could keep minting JWTs until their IdP refresh
token expired.

Replace getAppConfig({ baseOnly: true }) in the non-tenant isEmailAllowed
closure with getAppConfig({ role: user.role }), which includes DB-layer
overrides from the admin panel. baseOnly returns only YAML-derived config,
so any allowedDomains list maintained entirely through the admin panel was
silently inert on this path. Extract isEmailAllowedForUser as a shared
helper, move it into buildAdminRefreshClosures so both Google and OpenID
refresh paths enforce domain policy consistently, and add isEmailAllowed
to AdminRefreshDeps in the TS package so applyAdminRefresh can invoke it.
2026-06-22 10:10:59 -07:00
..
app 🌐 fix: Centralize Outbound Proxy Handling (#13726) 2026-06-14 10:47:49 -04:00
cache 🪂 feat: Graceful HTTP shutdown on SIGTERM/SIGINT (#13211) 2026-05-20 13:33:53 -04:00
config 🪵 refactor: Bound Log Traversal And Remove Legacy api/config Logger (#13813) 2026-06-17 12:31:32 -04:00
db ⚖️ feat: Add Operational Prometheus Metrics (#13265) 2026-05-22 20:47:41 -04:00
models 🗑️ chore: Remove Action Test Suite and Update Mock Implementations (#12268) 2026-03-21 14:28:55 -04:00
server 🔒 fix: Add ban check and fix domain allowlist on admin OAuth refresh 2026-06-22 10:10:59 -07:00
strategies 🔒 fix: Apply brutal-review hardening to Google admin refresh 2026-06-22 09:34:41 -07:00
test 🪵 refactor: Bound Log Traversal And Remove Legacy api/config Logger (#13813) 2026-06-17 12:31:32 -04:00
utils 📖 feat: Add Claude Fable 5 Support (#13628) 2026-06-09 16:22:39 -04:00
jest.config.js 📦 chore: npm audit fix (#13828) 2026-06-17 21:54:04 -04:00
jsconfig.json
package.json 📦 chore: npm audit fix (#13828) 2026-06-17 21:54:04 -04:00
typedefs.js 🧬 chore: Align LibreChat With Agents LangChain Upgrade (#12922) 2026-05-03 12:46:01 -04:00