✍️ fix: Validation for Conversation Title Updates (#11099)

* ✍️ fix: Validation for Conversation Title Updates * fix: Add validateConvoAccess middleware mock in tests
2026-01-04 17:48:50 +01:00 · 2025-12-25 12:59:48 -05:00 · 2025-12-25 12:59:48 -05:00 · bfc981d736
commit bfc981d736
parent b7ea340769
3 changed files with 40 additions and 7 deletions
--- a/api/server/routes/tests/convos.spec.js
+++ b/api/server/routes/tests/convos.spec.js
@ -59,6 +59,7 @@ jest.mock('~/server/middleware', () => ({
    forkUserLimiter: (req, res, next) => next(),
  })),
  configMiddleware: (req, res, next) => next(),
+  validateConvoAccess: (req, res, next) => next(),
 }));

 jest.mock('~/server/utils/import/fork', () => ({
--- a/api/server/routes/convos.js
+++ b/api/server/routes/convos.js
@ -6,6 +6,7 @@ const { logger } = require('@librechat/data-schemas');
 const { CacheKeys, EModelEndpoint } = require('librechat-data-provider');
 const {
  createImportLimiters,
+  validateConvoAccess,
  createForkLimiters,
  configMiddleware,
 } = require('~/server/middleware');
@ -151,17 +152,39 @@ router.delete('/all', async (req, res) => {
  }
 });

-router.post('/update', async (req, res) => {
-  const update = req.body.arg;
+/** Maximum allowed length for conversation titles */
+const MAX_CONVO_TITLE_LENGTH = 1024;

-  if (!update.conversationId) {
+/**
+ * Updates a conversation's title.
+ * @route POST /update
+ * @param {string} req.body.arg.conversationId - The conversation ID to update.
+ * @param {string} req.body.arg.title - The new title for the conversation.
+ * @returns {object} 201 - The updated conversation object.
+ */
+router.post('/update', validateConvoAccess, async (req, res) => {
+  const { conversationId, title } = req.body.arg ?? {};
+
+  if (!conversationId) {
    return res.status(400).json({ error: 'conversationId is required' });
  }

+  if (title === undefined) {
+    return res.status(400).json({ error: 'title is required' });
+  }
+
+  if (typeof title !== 'string') {
+    return res.status(400).json({ error: 'title must be a string' });
+  }
+
+  const sanitizedTitle = title.trim().slice(0, MAX_CONVO_TITLE_LENGTH);
+
  try {
-    const dbResponse = await saveConvo(req, update, {
-      context: `POST /api/convos/update ${update.conversationId}`,
-    });
+    const dbResponse = await saveConvo(
+      req,
+      { conversationId, title: sanitizedTitle },
+      { context: `POST /api/convos/update ${conversationId}` },
+    );
    res.status(201).json(dbResponse);
  } catch (error) {
    logger.error('Error updating conversation', error);