📌 fix: Populate userMessage.files Before First DB Save (#11939)

* fix: populate userMessage.files before first DB save * fix: ESLint error fixed * fix: deduplicate file-population logic and add test coverage Extract `buildMessageFiles` helper into `packages/api/src/utils/message` to replace three near-identical loops in BaseClient and both agent controllers. Fixes set poisoning from undefined file_id entries, moves file population inside the skipSaveUserMessage guard to avoid wasted work, and adds full unit test coverage for the new behavior. * chore: reorder import statements in openIdJwtStrategy.js for consistency --------- Co-authored-by: Danny Avila <danny@librechat.ai>
2026-02-27 21:04:08 +01:00 · 2026-02-26 15:16:45 +01:00 · 2026-02-26 15:16:45 +01:00 · 3a079b980a
commit 3a079b980a
parent 13df8ed67c
6 changed files with 258 additions and 48 deletions
--- a/packages/api/src/utils/message.spec.ts
+++ b/packages/api/src/utils/message.spec.ts
@ -1,5 +1,10 @@
 import { Constants } from 'librechat-data-provider';
-import { sanitizeFileForTransmit, sanitizeMessageForTransmit, getThreadData } from './message';
+import {
+  sanitizeMessageForTransmit,
+  sanitizeFileForTransmit,
+  buildMessageFiles,
+  getThreadData,
+} from './message';

 /** Cast to string for type compatibility with ThreadMessage */
 const NO_PARENT = Constants.NO_PARENT as string;
@ -125,47 +130,107 @@ describe('sanitizeMessageForTransmit', () => {
  });
 });

+describe('buildMessageFiles', () => {
+  const baseAttachment = {
+    file_id: 'file-1',
+    filename: 'test.png',
+    filepath: '/uploads/test.png',
+    type: 'image/png',
+    bytes: 512,
+    object: 'file' as const,
+    user: 'user-1',
+    embedded: false,
+    usage: 0,
+    text: 'big ocr text',
+    _id: 'mongo-id',
+  };
+
+  it('returns sanitized files matching request file IDs', () => {
+    const result = buildMessageFiles([{ file_id: 'file-1' }], [baseAttachment]);
+    expect(result).toHaveLength(1);
+    expect(result?.[0].file_id).toBe('file-1');
+    expect(result?.[0]).not.toHaveProperty('text');
+    expect(result?.[0]).not.toHaveProperty('_id');
+  });
+
+  it('returns undefined when no attachments match request IDs', () => {
+    const result = buildMessageFiles([{ file_id: 'file-nomatch' }], [baseAttachment]);
+    expect(result).toEqual([]);
+  });
+
+  it('returns undefined for empty attachments array', () => {
+    const result = buildMessageFiles([{ file_id: 'file-1' }], []);
+    expect(result).toEqual([]);
+  });
+
+  it('returns undefined for empty request files array', () => {
+    const result = buildMessageFiles([], [baseAttachment]);
+    expect(result).toEqual([]);
+  });
+
+  it('filters out undefined file_id entries in request files (no set poisoning)', () => {
+    const undefinedAttachment = { ...baseAttachment, file_id: undefined as unknown as string };
+    const result = buildMessageFiles(
+      [{ file_id: undefined }, { file_id: 'file-1' }],
+      [undefinedAttachment, baseAttachment],
+    );
+    expect(result).toHaveLength(1);
+    expect(result?.[0].file_id).toBe('file-1');
+  });
+
+  it('returns only attachments whose file_id is in the request set', () => {
+    const attachment2 = { ...baseAttachment, file_id: 'file-2', filename: 'b.png' };
+    const result = buildMessageFiles([{ file_id: 'file-1' }], [baseAttachment, attachment2]);
+    expect(result).toHaveLength(1);
+    expect(result?.[0].file_id).toBe('file-1');
+  });
+
+  it('does not mutate original attachment objects', () => {
+    buildMessageFiles([{ file_id: 'file-1' }], [baseAttachment]);
+    expect(baseAttachment.text).toBe('big ocr text');
+    expect(baseAttachment._id).toBe('mongo-id');
+  });
+});
+
 describe('getThreadData', () => {
-  describe('edge cases - empty and null inputs', () => {
-    it('should return empty result for empty messages array', () => {
-      const result = getThreadData([], 'parent-123');
+  it('should return empty result for empty messages array', () => {
+    const result = getThreadData([], 'parent-123');

-      expect(result.messageIds).toEqual([]);
-      expect(result.fileIds).toEqual([]);
-    });
+    expect(result.messageIds).toEqual([]);
+    expect(result.fileIds).toEqual([]);
+  });

-    it('should return empty result for null parentMessageId', () => {
-      const messages = [
-        { messageId: 'msg-1', parentMessageId: null },
-        { messageId: 'msg-2', parentMessageId: 'msg-1' },
-      ];
+  it('should return empty result for null parentMessageId', () => {
+    const messages = [
+      { messageId: 'msg-1', parentMessageId: null },
+      { messageId: 'msg-2', parentMessageId: 'msg-1' },
+    ];

-      const result = getThreadData(messages, null);
+    const result = getThreadData(messages, null);

-      expect(result.messageIds).toEqual([]);
-      expect(result.fileIds).toEqual([]);
-    });
+    expect(result.messageIds).toEqual([]);
+    expect(result.fileIds).toEqual([]);
+  });

-    it('should return empty result for undefined parentMessageId', () => {
-      const messages = [{ messageId: 'msg-1', parentMessageId: null }];
+  it('should return empty result for undefined parentMessageId', () => {
+    const messages = [{ messageId: 'msg-1', parentMessageId: null }];

-      const result = getThreadData(messages, undefined);
+    const result = getThreadData(messages, undefined);

-      expect(result.messageIds).toEqual([]);
-      expect(result.fileIds).toEqual([]);
-    });
+    expect(result.messageIds).toEqual([]);
+    expect(result.fileIds).toEqual([]);
+  });

-    it('should return empty result when parentMessageId not found in messages', () => {
-      const messages = [
-        { messageId: 'msg-1', parentMessageId: null },
-        { messageId: 'msg-2', parentMessageId: 'msg-1' },
-      ];
+  it('should return empty result when parentMessageId not found in messages', () => {
+    const messages = [
+      { messageId: 'msg-1', parentMessageId: null },
+      { messageId: 'msg-2', parentMessageId: 'msg-1' },
+    ];

-      const result = getThreadData(messages, 'non-existent');
+    const result = getThreadData(messages, 'non-existent');

-      expect(result.messageIds).toEqual([]);
-      expect(result.fileIds).toEqual([]);
-    });
+    expect(result.messageIds).toEqual([]);
+    expect(result.fileIds).toEqual([]);
  });

  describe('thread traversal', () => {
--- a/packages/api/src/utils/message.ts
+++ b/packages/api/src/utils/message.ts
@ -1,6 +1,9 @@
 import { Constants } from 'librechat-data-provider';
 import type { TFile, TMessage } from 'librechat-data-provider';

+/** Minimal shape for request file entries (from `req.body.files`) */
+type RequestFile = { file_id?: string };
+
 /** Fields to strip from files before client transmission */
 const FILE_STRIP_FIELDS = ['text', '_id', '__v'] as const;

@ -32,6 +35,27 @@ export function sanitizeFileForTransmit<T extends Partial<TFile>>(
  return sanitized;
 }

+/** Filters attachments to those whose `file_id` appears in `requestFiles`, then sanitizes each. */
+export function buildMessageFiles<T extends Partial<TFile>>(
+  requestFiles: RequestFile[],
+  attachments: T[],
+): Omit<T, (typeof FILE_STRIP_FIELDS)[number]>[] {
+  const requestFileIds = new Set<string>();
+  for (const f of requestFiles) {
+    if (f.file_id) {
+      requestFileIds.add(f.file_id);
+    }
+  }
+
+  const files: Omit<T, (typeof FILE_STRIP_FIELDS)[number]>[] = [];
+  for (const attachment of attachments) {
+    if (attachment.file_id != null && requestFileIds.has(attachment.file_id)) {
+      files.push(sanitizeFileForTransmit(attachment));
+    }
+  }
+  return files;
+}
+
 /**
 * Sanitizes a message object before transmitting to client.
 * Removes large fields like `fileContext` and strips `text` from embedded files.