🔒 fix: Access Check for User-Specific Job Metadata in Streaming Endpoint (#11487)

* Implemented a check to ensure that only the user associated with a job can access its chat stream, returning a 403 Unauthorized response for mismatched user IDs.
* This enhancement improves security by preventing unauthorized access to user-specific job data.
Danny Avila 2026-01-23 09:06:48 -05:00 committed by GitHub
parent ee44c6344d
commit 8be0047a80
GPG key ID: B5690EEEBB952194


@ -47,6 +47,10 @@ router.get('/chat/stream/:streamId', async (req, res) => {
});
}
if (job.metadata?.userId && job.metadata.userId !== req.user.id) {
return res.status(403).json({ error: 'Unauthorized' });
}
res.setHeader('Content-Encoding', 'identity');
res.setHeader('Content-Type', 'text/event-stream');
res.setHeader('Cache-Control', 'no-cache, no-transform');
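Review bot: the new guard fails open when `job.metadata?.userId` is absent: a job whose metadata carries no `userId` stays streamable by any authenticated caller, because the condition only rejects when an owner ID is present and differs from `req.user.id`. If every job served by this route is expected to record its owner, consider denying when the field is missing, e.g. `if (!job.metadata?.userId || job.metadata.userId !== req.user.id)`, or note in a comment why unowned jobs are intentionally readable. Minor: the 403 body says `'Unauthorized'`, which is the reason phrase for 401; `'Forbidden'` matches the status actually sent.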