LibreChat/api/server/middleware
Marco Beretta 84ab681adf
fix: enforce forced retention on message edits, feedback, and error saves
Two more message-write paths bypassed ephemeral enforcement:

- The edit and feedback endpoints call updateMessage directly, without loading
  retention config, so editing an older permanent message after a switch to
  ephemeral left the message and its conversation non-temporary and visible.
  Load config on those routes and run a new applyForcedRetention helper after the
  update, which stamps the message and cascades the conversation/messages.

- The sendError and denyRequest middleware save messages with retention config
  but never call saveConvo, so a validation/model error or denied-request message
  could outlive its conversation. Pass capExpiryToConversation like the other
  message-only paths.

Extract the conversation cascade into a shared cascadeForcedConversationRetention
helper used by both saveMessage and applyForcedRetention.
2026-07-01 19:38:01 +02:00
..
__tests__
accessResources
assistants
config
limiters 🪣 refactor: Rate-Limit Token Routes and Cap Remote File Downloads (#13978) 2026-06-26 12:19:03 -04:00
roles
spec
validate
abortMiddleware.js fix: only cap message expiry to the parent on message-only saves 2026-06-30 04:54:43 +02:00
abortMiddleware.spec.js
abortRun.js
buildEndpointOption.js 🧾 fix: Harden Historical File Authorization (#13918) 2026-06-23 15:49:57 -04:00
buildEndpointOption.spec.js 🧾 fix: Harden Historical File Authorization (#13918) 2026-06-23 15:49:57 -04:00
canAccessSharedLink.js
canDeleteAccount.js
canDeleteAccount.spec.js
checkBan.js
checkDomainAllowed.js
checkInviteUser.js
checkPeoplePickerAccess.js
checkPeoplePickerAccess.spec.js
checkSharePublicAccess.js
checkSharePublicAccess.spec.js
denyRequest.js fix: enforce forced retention on message edits, feedback, and error saves 2026-07-01 19:38:01 +02:00
error.js fix: enforce forced retention on message edits, feedback, and error saves 2026-07-01 19:38:01 +02:00
index.js
logHeaders.js
moderateText.js 🪝 feat: Human-in-the-Loop Runtime - Tool Approval + Ask-User-Question (Slice B) (#13942) 2026-06-29 16:56:41 -04:00
noIndex.js
optionalJwtAuth.js
optionalShareFileAuth.js
optionalShareFileAuth.spec.js
requireJwtAuth.js
requireLdapAuth.js
requireLocalAuth.js
setHeaders.js
setTwoFactorTempUser.js
uaParser.js
validateImageRequest.js
validateMessageReq.js 🪝 feat: HITL Tool Approval Scaffolding (Slice A) (#12938) 2026-06-24 16:47:16 -04:00
validateModel.js
validatePasswordReset.js
validateRegistration.js