🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756) · 599f4a11f1 - Andreas/LibreChat

mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-01 22:00:18 +01:00

🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756)

Some checks are pending

Docker Dev Branch Images Build / build (Dockerfile, lc-dev, node) (push) Waiting to run

Details

Docker Dev Branch Images Build / build (Dockerfile.multi, lc-dev-api, api-build) (push) Waiting to run

Details

* 🔧 fix: Update OAuth error message for clarity

- Changed the default error message in the OAuth error route from 'Unknown error' to 'Unknown OAuth error' to provide clearer context during authentication failures.

* 🔒 feat: Enhance OAuth flow with CSRF protection and session management

- Implemented CSRF protection for OAuth flows by introducing `generateOAuthCsrfToken`, `setOAuthCsrfCookie`, and `validateOAuthCsrf` functions.
- Added session management for OAuth with `setOAuthSession` and `validateOAuthSession` middleware.
- Updated routes to bind CSRF tokens for MCP and action OAuth flows, ensuring secure authentication.
- Enhanced tests to validate CSRF handling and session management in OAuth processes.

* 🔧 refactor: Invalidate cached tools after user plugin disconnection

- Added a call to `invalidateCachedTools` in the `updateUserPluginsController` to ensure that cached tools are refreshed when a user disconnects from an MCP server after a plugin authentication update. This change improves the accuracy of tool data for users.

* chore: imports order

* fix: domain separator regex usage in ToolService

- Moved the declaration of `domainSeparatorRegex` to avoid redundancy in the `loadActionToolsForExecution` function, improving code clarity and performance.

* chore: OAuth flow error handling and CSRF token generation

- Enhanced the OAuth callback route to validate the flow ID format, ensuring proper error handling for invalid states.
- Updated the CSRF token generation function to require a JWT secret, throwing an error if not provided, which improves security and clarity in token generation.
- Adjusted tests to reflect changes in flow ID handling and ensure robust validation across various scenarios.

This commit is contained in:

Danny Avila

2026-02-12 14:22:05 -05:00

• committed by

GitHub

parent 72a30cd9c4

commit 599f4a11f1

No known key found for this signature in database

GPG key ID: B5690EEEBB952194

14 changed files with 523 additions and 141 deletions

									
										2

api/server/routes/oauth.js
									
										View file
										
				@ -29,7 +29,7 @@ const oauthHandler = createOAuthHandler();

				router.get('/error', (req, res) => {

				  /** A single error message is pushed by passport when authentication fails. */

				  const errorMessage = req.session?.messages?.pop() || 'Unknown error';

				  const errorMessage = req.session?.messages?.pop() || 'Unknown OAuth error';

				  logger.error('Error in OAuth authentication:', {

				    message: errorMessage,

				  });

Rows
Columns

2 api/server/routes/oauth.js Unescape Escape View file

2

api/server/routes/oauth.js

View file