LibreChat/packages/api/src
Dustin Healy fc3189b718
🔐 fix: Restore Tenant Context in MCP OAuth Callback (#12782)
* fix: restore tenant context in MCP OAuth callback for multi-tenant deployments

The MCP OAuth callback is a cross-origin redirect from the OAuth
provider. SameSite=Strict cookies (including the JWT) are not sent,
leaving the callback with no tenant context. With
TENANT_ISOLATION_STRICT=true, all DB writes fail.

Stores tenantId in flow metadata at OAuth initiation time (when
the user is authenticated), then restores it via tenantStorage.run
in the callback, wrapping the entire post-validation body.

* test: address review findings for tenant context tests

- Assert tenantId flows through to initFlow in MCPConnectionFactory test
- Add beforeEach to tenant context tests to reset mocks independently
2026-04-22 14:05:51 -07:00
acl 🪐 fix: Replace $bitsAllSet ACL Queries for Azure Cosmos DB Compatibility (#12736) 2026-04-19 22:28:48 -04:00
admin 🧹 chore: Clean Up Config Fields (#12537) 2026-04-03 12:22:58 -04:00
agents 🧹 fix: Clean Up Orphaned Agent File Stubs After Deletion (#12781) 2026-04-22 11:35:48 -07:00
apiKeys 🪐 fix: Replace $bitsAllSet ACL Queries for Azure Cosmos DB Compatibility (#12736) 2026-04-19 22:28:48 -04:00
app refactor: Short-Circuit Config Override Resolution (#12553) 2026-04-07 22:38:08 -04:00
auth 🔐 fix: Strip code_challenge from Admin OAuth requests before Passport (#12534) 2026-04-02 21:03:44 -04:00
cache 🧊 fix: In-Memory Endpoint Token Config Cache Isolation (#12673) 2026-04-15 09:41:42 -04:00
cdn 🗂️ refactor: Migrate S3 Storage to TypeScript in packages/api (#11947) 2026-03-21 14:28:55 -04:00
cluster 🪪 fix: MCP API Responses and OAuth Validation (#12217) 2026-03-13 23:18:56 -04:00
crypto 🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794) 2025-12-11 16:37:16 -05:00
db 🔧 refactor: Centralize Collection Checks for Permissions Migration (#9565) 2025-09-10 20:40:58 -04:00
endpoints 🫧 feat: Claude Opus 4.7 Reasoning Visibility (#12701) 2026-04-16 21:56:52 -04:00
files 📝 fix: Preserve Raw Markdown Formatting on Upload as Text (#12734) 2026-04-19 19:31:39 -07:00
flow 🏗️ feat: bulkWrite isolation, pre-auth context, strict-mode fixes (#12445) 2026-03-28 16:43:50 -04:00
mcp 🔐 fix: Restore Tenant Context in MCP OAuth Callback (#12782) 2026-04-22 14:05:51 -07:00
memory 🛂 feat: Payload limits and Validation for User-created Memories (#8974) 2025-08-10 14:46:16 -04:00
middleware 👨‍👨‍👦‍👦 feat: Admin Users API Endpoints (#12446) 2026-03-30 23:06:50 -04:00
oauth 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782) 2026-02-13 10:35:51 -05:00
prompts 📁 refactor: Prompts UI (#11570) 2026-03-22 16:56:22 -04:00
storage 🗂️ refactor: Migrate S3 Storage to TypeScript in packages/api (#11947) 2026-03-21 14:28:55 -04:00
stream ⏱️ refactor: User Job Tracking TTL and Proactive Cleanup to Redis Job Store (#12595) 2026-04-09 17:42:54 -04:00
tools 🎯 fix: MCP Tool Misclassification from Action Delimiter Collision (#12512) 2026-04-01 22:36:21 -04:00
types 🫧 feat: Claude Opus 4.7 Reasoning Visibility (#12701) 2026-04-16 21:56:52 -04:00
utils 🦉 feat: Claude Opus 4.7 Model Support (#12698) 2026-04-16 14:51:00 -04:00
web 🛡️ fix: Validate User-provided URLs for Web Search (#12247) 2026-03-15 18:05:08 -04:00
index.ts 🏗️ refactor: Remove Redundant Caching, Migrate Config Services to TypeScript (#12466) 2026-03-30 16:49:48 -04:00