LibreChat/api/server/middleware
Marco Beretta 84ab681adf
fix: enforce forced retention on message edits, feedback, and error saves
Two more message-write paths bypassed ephemeral enforcement:

- The edit and feedback endpoints call updateMessage directly, without loading
  retention config, so editing an older permanent message after a switch to
  ephemeral left the message and its conversation non-temporary and visible.
  Load config on those routes and run a new applyForcedRetention helper after the
  update, which stamps the message and cascades the conversation/messages.

- The sendError and denyRequest middleware save messages with retention config
  but never call saveConvo, so a validation/model error or denied-request message
  could outlive its conversation. Pass capExpiryToConversation like the other
  message-only paths.

Extract the conversation cascade into a shared cascadeForcedConversationRetention
helper used by both saveMessage and applyForcedRetention.
2026-07-01 19:38:01 +02:00
..
__tests__
accessResources
assistants
config
limiters
roles
spec
validate
abortMiddleware.js
abortMiddleware.spec.js
abortRun.js
buildEndpointOption.js
buildEndpointOption.spec.js
canAccessSharedLink.js
canDeleteAccount.js
canDeleteAccount.spec.js
checkBan.js
checkDomainAllowed.js
checkInviteUser.js
checkPeoplePickerAccess.js
checkPeoplePickerAccess.spec.js
checkSharePublicAccess.js
checkSharePublicAccess.spec.js
denyRequest.js
error.js
index.js
logHeaders.js
moderateText.js
noIndex.js
optionalJwtAuth.js
optionalShareFileAuth.js
optionalShareFileAuth.spec.js
requireJwtAuth.js
requireLdapAuth.js
requireLocalAuth.js
setHeaders.js
setTwoFactorTempUser.js
uaParser.js
validateImageRequest.js
validateMessageReq.js
validateModel.js
validatePasswordReset.js
validateRegistration.js