LibreChat/packages/api/src
Danny Avila d1573a8493
🔒 fix: Validate MCP OAuth Protected Resource Metadata binding (#12755)
* 🔒 fix: Validate MCP OAuth Protected Resource Metadata binding (GHSA-gvpj-vm2f-2m23)

RFC 9728 §3.3/§7.3 requires clients to verify that the `resource` identifier
advertised by an OAuth Protected Resource Metadata document matches the URL
used to fetch it. Without this check, a malicious MCP server can serve
metadata pointing at a legitimate server's `authorization_servers`, causing
LibreChat to obtain an access token for the real server and send it to the
attacker in subsequent API calls.

Validation happens at discovery time so the entire metadata document is
discarded on mismatch — `authorization_servers` on a spoofed document is
equally untrustworthy and is the primary theft vector in the PoC.

Uses the MCP SDK's own `checkResourceAllowed` (origin + path-prefix) for
semantic parity with `selectResourceURL`, a SDK code path LibreChat bypasses.
This is looser than RFC-strict equality (handles common cases like
`/mcp/sse` server vs `/mcp` advertised resource, or trailing-slash
normalization) while still rejecting cross-origin spoofs and same-origin
sibling-path confusion.

* 🛡️ fix: Re-validate Resource Binding at MCP OAuth Token Exchange

Adds a defense-in-depth re-assertion of the RFC 9728 §3.3 resource/server
binding inside `completeOAuthFlow`. Flows have a 10-minute TTL, so a flow
initiated under pre-fix (vulnerable) code could still be in-flight at upgrade
time carrying unvalidated resource metadata. Re-checking here closes that
window without requiring operators to flush flow state on deploy.

Also guards against future regressions that might re-introduce unvalidated
paths into the flow-metadata pipeline (GHSA-gvpj-vm2f-2m23).

*  test: Address Review Findings on MCP OAuth Resource Validation

Follow-up to GHSA-gvpj-vm2f-2m23 fix. Resolves three reviewer findings:

- Assert `failFlow` is called when `completeOAuthFlow` rejects at
  re-validation — locks in the "no stuck PENDING entry" guarantee that the
  catch block already provides in production code.
- Update the "no resource metadata" warning in `initiateOAuthFlow`: post-fix,
  that branch is only reachable when PRM discovery returned nothing (404,
  network error, server without RFC 9728). A document with a missing
  `resource` field now throws earlier in `assertResourceBoundToServer`, so
  the old "missing 'resource' property" phrasing described a case that can
  no longer reach this branch.
- Add a test for an unparseable `resource` string triggering the
  error-wrapping path in `assertResourceBoundToServer` (verifies the wrapper
  surfaces a descriptive message instead of leaking a raw `TypeError:
  Invalid URL` from the SDK's `new URL()` call).
2026-04-21 05:44:09 -07:00
..
acl 🪐 fix: Replace $bitsAllSet ACL Queries for Azure Cosmos DB Compatibility (#12736) 2026-04-19 22:28:48 -04:00
admin 🧹 chore: Clean Up Config Fields (#12537) 2026-04-03 12:22:58 -04:00
agents 🗺️ fix: Resolve Custom-Endpoint Providers for Summarization (#12739) 2026-04-20 12:00:46 -04:00
apiKeys 🪐 fix: Replace $bitsAllSet ACL Queries for Azure Cosmos DB Compatibility (#12736) 2026-04-19 22:28:48 -04:00
app refactor: Short-Circuit Config Override Resolution (#12553) 2026-04-07 22:38:08 -04:00
auth 🔐 fix: Strip code_challenge from Admin OAuth requests before Passport (#12534) 2026-04-02 21:03:44 -04:00
cache 🧊 fix: In-Memory Endpoint Token Config Cache Isolation (#12673) 2026-04-15 09:41:42 -04:00
cdn 🗂️ refactor: Migrate S3 Storage to TypeScript in packages/api (#11947) 2026-03-21 14:28:55 -04:00
cluster 🪪 fix: MCP API Responses and OAuth Validation (#12217) 2026-03-13 23:18:56 -04:00
crypto 🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794) 2025-12-11 16:37:16 -05:00
db 🔧 refactor: Centralize Collection Checks for Permissions Migration (#9565) 2025-09-10 20:40:58 -04:00
endpoints 🫧 feat: Claude Opus 4.7 Reasoning Visibility (#12701) 2026-04-16 21:56:52 -04:00
files 📝 fix: Preserve Raw Markdown Formatting on Upload as Text (#12734) 2026-04-19 19:31:39 -07:00
flow 🏗️ feat: bulkWrite isolation, pre-auth context, strict-mode fixes (#12445) 2026-03-28 16:43:50 -04:00
mcp 🔒 fix: Validate MCP OAuth Protected Resource Metadata binding (#12755) 2026-04-21 05:44:09 -07:00
memory 🛂 feat: Payload limits and Validation for User-created Memories (#8974) 2025-08-10 14:46:16 -04:00
middleware 👨‍👨‍👦‍👦 feat: Admin Users API Endpoints (#12446) 2026-03-30 23:06:50 -04:00
oauth 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782) 2026-02-13 10:35:51 -05:00
prompts 📁 refactor: Prompts UI (#11570) 2026-03-22 16:56:22 -04:00
storage 🗂️ refactor: Migrate S3 Storage to TypeScript in packages/api (#11947) 2026-03-21 14:28:55 -04:00
stream ⏱️ refactor: User Job Tracking TTL and Proactive Cleanup to Redis Job Store (#12595) 2026-04-09 17:42:54 -04:00
tools 🎯 fix: MCP Tool Misclassification from Action Delimiter Collision (#12512) 2026-04-01 22:36:21 -04:00
types 🫧 feat: Claude Opus 4.7 Reasoning Visibility (#12701) 2026-04-16 21:56:52 -04:00
utils 🦉 feat: Claude Opus 4.7 Model Support (#12698) 2026-04-16 14:51:00 -04:00
web 🛡️ fix: Validate User-provided URLs for Web Search (#12247) 2026-03-15 18:05:08 -04:00
index.ts 🏗️ refactor: Remove Redundant Caching, Migrate Config Services to TypeScript (#12466) 2026-03-30 16:49:48 -04:00