🔐 fix: Enhance Message & Image Access Security (#3363)

* chore: slight refactor

* fix: prevent message updates unless explicitly owned

* refactor: rethrow errors, update deleteMessagesSince (not used), add basic tests

* fix: Add path normalization and validation to image request middleware

* fix: image validation path security

api/server/routes/ask/gptPlugins.js

@@ -85,7 +85,7 @@ router.post(
           clearTimeout(timer);
         }
 
-        throttledSaveMessage({
+        throttledSaveMessage(req, {
           messageId: responseMessageId,
           sender,
           conversationId,
@@ -170,7 +170,7 @@ router.post(
 
       const onChainEnd = () => {
         if (!client.skipSaveUserMessage) {
-          saveMessage({ ...userMessage, user });
+          saveMessage(req, { ...userMessage, user });
         }
         sendIntermediateMessage(res, {
           plugins,
@@ -208,7 +208,7 @@ router.post(
       logger.debug('[/ask/gptPlugins]', response);
 
       response.plugins = plugins.map((p) => ({ ...p, loading: false }));
-      await saveMessage({ ...response, user });
+      await saveMessage(req, { ...response, user });
 
       const { conversation = {} } = await client.responsePromise;
       conversation.title =