LibreChat/api/server
Dustin Healy fc3189b718
🔐 fix: Restore Tenant Context in MCP OAuth Callback (#12782)
* fix: restore tenant context in MCP OAuth callback for multi-tenant deployments

The MCP OAuth callback is a cross-origin redirect from the OAuth
provider. SameSite=Strict cookies (including the JWT) are not sent,
leaving the callback with no tenant context. With
TENANT_ISOLATION_STRICT=true, all DB writes fail.

Stores tenantId in flow metadata at OAuth initiation time (when
the user is authenticated), then restores it via tenantStorage.run
in the callback, wrapping the entire post-validation body.

* test: address review findings for tenant context tests

- Assert tenantId flows through to initFlow in MCPConnectionFactory test
- Add beforeEach to tenant context tests to reset mocks independently
2026-04-22 14:05:51 -07:00
controllers 🧹 fix: Clean Up Orphaned Agent File Stubs After Deletion (#12781) 2026-04-22 11:35:48 -07:00
middleware refactor: Short-Circuit Config Override Resolution (#12553) 2026-04-07 22:38:08 -04:00
routes 🔐 fix: Restore Tenant Context in MCP OAuth Callback (#12782) 2026-04-22 14:05:51 -07:00
services 🧹 fix: Clean Up Orphaned Agent File Stubs After Deletion (#12781) 2026-04-22 11:35:48 -07:00
utils 🏗️ refactor: Remove Redundant Caching, Migrate Config Services to TypeScript (#12466) 2026-03-30 16:49:48 -04:00
cleanup.js 🧹 refactor: Tighten Config Schema Typing and Remove Deprecated Fields (#12452) 2026-03-29 01:10:57 -04:00
experimental.js ⚖️ refactor: Split Config Route into Unauthenticated and Authenticated Paths (#12490) 2026-03-31 19:22:51 -04:00
index.js ⚖️ refactor: Split Config Route into Unauthenticated and Authenticated Paths (#12490) 2026-03-31 19:22:51 -04:00
index.spec.js 🚦 fix: 404 JSON Responses for Unmatched API Routes (#11976) 2026-02-27 22:49:54 -05:00
socialLogins.js 🔐 feat: Admin Auth Support for SAML and Social OAuth Providers (#12472) 2026-03-30 22:49:44 -04:00