Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-04-07 00:15:23 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fix: require browser binding (CSRF/session) for failFlow on OAuth error

Browse source 
hasActiveFlow only proves a PENDING flow exists, not that the caller
is the same browser that initiated it. An attacker with a leaked state
could force-fail the flow without any user binding. Require hasCsrf or
hasSession before calling failFlow on the oauthError path.
This commit is contained in:
Danny Avila 2026-04-03 20:39:40 -04:00
parent 6fcb0f57eb
commit 2b09879faf
1 changed files with 1 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

10
api/server/routes/mcp.js
View file

@ -160,15 +160,7 @@ router.get('/:serverName/oauth/callback', async (req, res) => {
const [flowUserId] = flowParts;
const hasCsrf = validateOAuthCsrf(req, res, flowId, OAUTH_CSRF_COOKIE_PATH);
const hasSession = !hasCsrf && validateOAuthSession(req, flowUserId);
let hasActiveFlow = false;
if (!hasCsrf && !hasSession) {
const pendingFlow = await flowManager.getFlowState(flowId, 'mcp_oauth');
const pendingAge = pendingFlow?.createdAt
? Date.now() - pendingFlow.createdAt
: Infinity;
hasActiveFlow = pendingFlow?.status === 'PENDING' && pendingAge < PENDING_STALE_MS;
}
if (hasCsrf || hasSession || hasActiveFlow) {
if (hasCsrf || hasSession) {
await flowManager.failFlow(flowId, 'mcp_oauth', String(oauthError));
logger.debug('[MCP OAuth] Marked flow as FAILED with OAuth error', {
flowId,