🔐 fix: Image Validation when Reusing OpenID Token (#9458)

* 🔧 fix: Enhance OpenID token handling with user ID for image path validation * 🔧 fix: Change logger level to error for user info fetch failure and remove redundant info log in OpenID user lookup * 🔧 refactor: Remove validateImageRequest from middleware exports and enhance validation logic in validateImageRequest.js * Removed validateImageRequest from the middleware index. * Improved error handling and validation checks in validateImageRequest.js, including handling of OpenID tokens, URL length, and malformed URLs. * Updated tests in validateImages.spec.js to cover new validation scenarios and edge cases.
2025-12-17 08:50:15 +01:00 · 2025-09-05 03:12:17 -04:00 · 2025-09-05 03:12:17 -04:00 · cd73cb0b3e
commit cd73cb0b3e
parent e705b09280
9 changed files with 401 additions and 152 deletions
--- a/api/server/index.js
+++ b/api/server/index.js
@ -12,7 +12,7 @@ const { logger } = require('@librechat/data-schemas');
 const mongoSanitize = require('express-mongo-sanitize');
 const { isEnabled, ErrorController } = require('@librechat/api');
 const { connectDb, indexSync } = require('~/db');
-const validateImageRequest = require('./middleware/validateImageRequest');
+const createValidateImageRequest = require('./middleware/validateImageRequest');
 const { jwtLogin, ldapLogin, passportLogin } = require('~/strategies');
 const { updateInterfacePermissions } = require('~/models/interface');
 const { checkMigrations } = require('./services/start/migration');
@ -126,7 +126,7 @@ const startServer = async () => {
  app.use('/api/config', routes.config);
  app.use('/api/assistants', routes.assistants);
  app.use('/api/files', await routes.files.initialize());
-  app.use('/images/', validateImageRequest, routes.staticRoute);
+  app.use('/images/', createValidateImageRequest(appConfig.secureImageLinks), routes.staticRoute);
  app.use('/api/share', routes.share);
  app.use('/api/roles', routes.roles);
  app.use('/api/agents', routes.agents);