🔐 fix: Enhance Message & Image Access Security (#3363)

* chore: slight refactor

* fix: prevent message updates unless explicitly owned

* refactor: rethrow errors, update deleteMessagesSince (not used), add basic tests

* fix: Add path normalization and validation to image request middleware

* fix: image validation path security

api/server/routes/ask/askChatGPTBrowser.js

@@ -51,7 +51,7 @@ router.post('/', setHeaders, async (req, res) => {
   });
 
   if (!overrideParentMessageId) {
-    await saveMessage({ ...userMessage, user: req.user.id });
+    await saveMessage(req, { ...userMessage, user: req.user.id });
     await saveConvo(req.user.id, {
       ...userMessage,
       ...endpointOption,
@@ -93,7 +93,7 @@ const ask = async ({
         const currentTimestamp = Date.now();
         if (currentTimestamp - lastSavedTimestamp > 500) {
           lastSavedTimestamp = currentTimestamp;
-          saveMessage({
+          saveMessage(req, {
             messageId: responseMessageId,
             sender: endpointOption?.jailbreak ? 'Sydney' : 'BingAI',
             conversationId,
@@ -159,7 +159,7 @@ const ask = async ({
       isCreatedByUser: false,
     };
 
-    await saveMessage({ ...responseMessage, user });
+    await saveMessage(req, { ...responseMessage, user });
     responseMessage.messageId = newResponseMessageId;
 
     // STEP2 update the conversation
@@ -192,7 +192,7 @@ const ask = async ({
 
     // If response has parentMessageId, the fake userMessage.messageId should be updated to the real one.
     if (!overrideParentMessageId) {
-      await saveMessage({
+      await saveMessage(req, {
         ...userMessage,
         user,
         messageId: userMessageId,
@@ -229,7 +229,7 @@ const ask = async ({
       isCreatedByUser: false,
       text: `${getPartialMessage() ?? ''}\n\nError message: "${error.message}"`,
     };
-    await saveMessage({ ...errorMessage, user });
+    await saveMessage(req, { ...errorMessage, user });
     handleError(res, errorMessage);
   }
 };