mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-10 16:23:44 +00:00
* 🔑 fix: Honor User-Provided MCP API Key Instead of Forcing OAuth OAuth auto-detection probes the server without credentials and treats a `WWW-Authenticate: Bearer` 401 as an OAuth requirement. A static bearer API-key server answers an unauthenticated probe with the same challenge, so servers configured with "API Key / each user provides their own / Bearer" were misclassified as `requiresOAuth: true` and connected via the OAuth path, ignoring the user's saved key (status stuck yellow, tool calls demand OAuth). The API-key exemption in detection was scoped to `source === 'admin'` only. Broaden it to any `apiKey` config in both detection sites (inspector startup detection and runtime placeholder-URL detection), since API-key and OAuth auth are mutually exclusive in the schema. * 🔒 fix: Skip inspection probe for user API keys; honor explicit OAuth Addresses two Codex findings on the API-key OAuth-detection fix: - Skip the capability probe during inspection when apiKey.source is 'user'. The user's key is supplied per-user at connect time, so an unauthenticated probe at create/update would 401 against a bearer server and fail the save (servers are inspected on the raw, pre-transform config with no auth header). Same treatment already applied to customUserVars/obo/OAuth servers. - Only short-circuit detection to non-OAuth when no explicit 'oauth' block is configured, so an explicit OAuth config takes precedence if both are set. Applied to both detection sites for consistency. |
||
|---|---|---|
| .. | ||
| src | ||
| types | ||
| .gitignore | ||
| babel.config.cjs | ||
| jest.config.mjs | ||
| jest.setup.cjs | ||
| package.json | ||
| tsconfig-paths-bootstrap.mjs | ||
| tsconfig.build.json | ||
| tsconfig.json | ||
| tsconfig.spec.json | ||
| tsdown.config.mjs | ||