LibreChat/api/server/routes/admin
Dustin Healy fcdb66bb6b 🔒 fix: Apply brutal-review hardening to Google admin refresh
Tighten the Google OAuth refresh flow against all outstanding code review
findings: enforce JWT aud claim verification against the configured clientId
(ISSUER_MISMATCH on mismatch), reject ambiguous googleId matches (limit:2 in
findUsers, USER_ID_MISMATCH when multiple rows match), scope the authInfo
refresh-token carrier to the Google provider only, add TOCTOU re-read defense
after the admin googleId migration write in socialLogin, deduplicate
canAccessAdmin/mintToken closures via buildAdminRefreshClosures shared by both
OpenID and Google refresh paths, document rotation semantics on
AdminExchangeResponse.refreshToken, standardise all log prefixes to
[admin/oauth/refresh], and expand test coverage for all new paths.
2026-06-22 09:34:41 -07:00
auth.js 🔒 fix: Apply brutal-review hardening to Google admin refresh 2026-06-22 09:34:41 -07:00
auth.refresh.test.js 🔒 fix: Apply brutal-review hardening to Google admin refresh 2026-06-22 09:34:41 -07:00
config.js 🪦 fix: Add Durable MCP Config Tombstones (#13534) 2026-06-05 15:05:40 -04:00
grants.js ⛩️ feat: Admin Grants API Endpoints (#12438) 2026-03-30 16:49:23 -04:00
groups.js 🛡️ fix: Restrict System Grants to Role Principals (#12491) 2026-03-31 19:25:14 -04:00
roles.js ⛩️ feat: Admin Grants API Endpoints (#12438) 2026-03-30 16:49:23 -04:00
skills.js 🧬 feat: Add GitHub Skill Sync (#13293) 2026-06-10 21:05:54 -04:00
skills.test.js 🧬 feat: Add GitHub Skill Sync (#13293) 2026-06-10 21:05:54 -04:00
users.js 🛡️ fix: Restrict System Grants to Role Principals (#12491) 2026-03-31 19:25:14 -04:00