LibreChat/packages
Dustin Healy fcdb66bb6b 🔒 fix: Apply brutal-review hardening to Google admin refresh
Tighten the Google OAuth refresh flow against all outstanding code review
findings: enforce JWT aud claim verification against the configured clientId
(ISSUER_MISMATCH on mismatch), reject ambiguous googleId matches (limit:2 in
findUsers, USER_ID_MISMATCH when multiple rows match), scope the authInfo
refresh-token carrier to the Google provider only, add TOCTOU re-read defense
after the admin googleId migration write in socialLogin, deduplicate
canAccessAdmin/mintToken closures via buildAdminRefreshClosures shared by both
OpenID and Google refresh paths, document rotation semantics on
AdminExchangeResponse.refreshToken, standardise all log prefixes to
[admin/oauth/refresh], and expand test coverage for all new paths.
2026-06-22 09:34:41 -07:00
api 🔒 fix: Apply brutal-review hardening to Google admin refresh 2026-06-22 09:34:41 -07:00
client 🎛️ feat: Redesign Settings with Registry-Driven Dialog, Search, and Mobile Drill-In (#13722) 2026-06-18 08:51:07 -04:00
data-provider 🕰️ feat: Resolve Agent Prompt Time Variables in User's Timezone (#13815) 2026-06-18 08:39:56 -04:00
data-schemas 🔖 fix: Decrement Bookmark Counts When Deleting Conversations (#13830) 2026-06-18 08:37:08 -04:00