CERBERUS/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-05-13 16:07:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
LibreChat/api/server/middleware
History
Danny Avila 2f09d29c71
🛂 fix: Validate types Query Param in People Picker Access Middleware (#12276) 
* 🛂 fix: Validate `types` query param in people picker access middleware

checkPeoplePickerAccess only inspected `req.query.type` (singular),
allowing callers to bypass type-specific permission checks by using
the `types` (plural) parameter accepted by the controller. Now both
`type` and `types` are collected and each requested principal type is
validated against the caller's role permissions.

* 🛂 refactor: Hoist valid types constant, improve logging, and add edge-case tests

- Hoist VALID_PRINCIPAL_TYPES to module-level Set to avoid per-request allocation
- Include both `type` and `types` in error log for debuggability
- Restore detailed JSDoc documenting per-type permission requirements
- Add missing .json() assertion on partial-denial test
- Add edge-case tests: all-invalid types, empty string types, PrincipalType.PUBLIC

* 🏷️ fix: Align TPrincipalSearchParams with actual controller API

The stale type used `type` (singular) but the controller and all callers
use `types` (plural array). Aligns with PrincipalSearchParams in
types/queries.ts.
2026-03-17 02:46:11 -04:00
..
accessResources 🛡️ fix: Enforce MULTI_CONVO and agent ACL checks on addedConvo (#12243) 2026-03-15 17:12:45 -04:00
assistants 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
config 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
limiters 🚦 fix: Add Rate Limiting to Conversation Duplicate Endpoint (#12218) 2026-03-13 23:40:44 -04:00
roles 🔧 refactor: Permission handling for Resource Sharing (#11283) 2026-01-10 14:02:56 -05:00
spec 🧭 fix: Add Base Path Support for Login/Register and Image Paths (#10116) 2025-11-21 11:25:14 -05:00
validate ✍️ fix: Validation for Conversation Title Updates (#11099) 2025-12-25 12:59:48 -05:00
abortMiddleware.js 🧮 refactor: Bulk Transactions & Balance Updates for Token Spending (#11996) 2026-03-01 12:26:36 -05:00
abortMiddleware.spec.js 🧮 refactor: Bulk Transactions & Balance Updates for Token Spending (#11996) 2026-03-01 12:26:36 -05:00
abortRun.js 📦 chore: Bump Express.js to v5 (#10671) 2025-12-11 16:36:15 -05:00
buildEndpointOption.js 🎭 feat: Override Custom Endpoint Schema with Specified Params Endpoint (#11788) 2026-02-13 23:04:51 -05:00
buildEndpointOption.spec.js 🎭 feat: Override Custom Endpoint Schema with Specified Params Endpoint (#11788) 2026-02-13 23:04:51 -05:00
canDeleteAccount.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
checkBan.js 🪦 refactor: Remove Legacy Code (#10533) 2025-12-11 16:36:12 -05:00
checkDomainAllowed.js 📧 fix: Case-Insensitive Domain Matching (#9868) 2025-09-27 21:20:19 -04:00
checkInviteUser.js
checkPeoplePickerAccess.js 🛂 fix: Validate types Query Param in People Picker Access Middleware (#12276) 2026-03-17 02:46:11 -04:00
checkPeoplePickerAccess.spec.js 🛂 fix: Validate types Query Param in People Picker Access Middleware (#12276) 2026-03-17 02:46:11 -04:00
checkSharePublicAccess.js 🛸 feat: Remote Agent Access with External API Support (#11503) 2026-01-28 17:44:33 -05:00
checkSharePublicAccess.spec.js 🔧 refactor: Permission handling for Resource Sharing (#11283) 2026-01-10 14:02:56 -05:00
denyRequest.js 🕐 feat: Configurable Retention Period for Temporary Chats (#8056) 2025-06-25 17:16:26 -04:00
error.js 📦 refactor: Request Message Sanitization for Smaller Final Response (#10792) 2025-12-03 14:26:49 -05:00
index.js 🚦 refactor: Concurrent Request Limiter for Resumable Streams (#11167) 2026-01-01 11:10:56 -05:00
logHeaders.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
moderateText.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
noIndex.js
optionalJwtAuth.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
requireJwtAuth.js 🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756) 2026-02-12 14:22:05 -05:00
requireLdapAuth.js
requireLocalAuth.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
setHeaders.js
uaParser.js 🏦 refactor: Centralize Caching & Redis Key Prefixing (#8457) 2025-07-15 18:24:31 -04:00
validateImageRequest.js 🍪 refactor: Move OpenID Tokens from Cookies to Server-Side Sessions (#11236) 2026-01-06 15:22:10 -05:00
validateMessageReq.js
validateModel.js 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
validatePasswordReset.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
validateRegistration.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00