From 8be0047a80cf41070f14b4cc263dc580caf09a8c Mon Sep 17 00:00:00 2001
From: Danny Avila
Date: Fri, 23 Jan 2026 09:06:48 -0500
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20fix:=20Access=20Check=20for=20Us?= =?UTF-8?q?er-Specific=20Job=20Metadata=20in=20Streaming=20Endpoint=20(#11?= =?UTF-8?q?487)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Implemented a check to ensure that only the user associated with a job can access its chat stream, returning a 403 Unauthorized response for mismatched user IDs.
* This enhancement improves security by preventing unauthorized access to user-specific job data.
---
api/server/routes/agents/index.js | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/api/server/routes/agents/index.js b/api/server/routes/agents/index.js
index b06abe6789..bf790aeee8 100644
--- a/api/server/routes/agents/index.js
+++ b/api/server/routes/agents/index.js
@@ -47,6 +47,10 @@ router.get('/chat/stream/:streamId', async (req, res) => {
 });
 }
+ if (job.metadata?.userId && job.metadata.userId !== req.user.id) {
+ return res.status(403).json({ error: 'Unauthorized' });
+ }
+
 res.setHeader('Content-Encoding', 'identity');
 res.setHeader('Content-Type', 'text/event-stream');
 res.setHeader('Cache-Control', 'no-cache, no-transform');
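Review bot: The new guard is fail-open: it only rejects when `job.metadata?.userId` is truthy, so a job whose metadata lacks a userId (or has no metadata at all) is still streamed to any authenticated caller. If every job is stamped with its owner's id at creation (not visible from this hunk), deny by default instead, `if (!job.metadata?.userId || String(job.metadata.userId) !== String(req.user.id)) {` — the `String()` coercion also guards against an ObjectId-versus-string mismatch that would otherwise make the strict `!==` reject the legitimate owner. Consider answering a foreign job with the same response the preceding unknown-job branch returns rather than a distinct 403, since a distinguishable status lets a caller probe which streamIds exist; and the body text `'Unauthorized'` names status 401, whereas 403 is Forbidden. The enclosing `router.get('/chat/stream/:streamId', …)` handler starts before and continues past this hunk, so whether `req.user` is guaranteed by an auth middleware cannot be confirmed here.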