Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-02-13 13:04:24 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

🔒 fix: Update Token Deletion To Prevent Undefined Field Queries (#9477)

Browse source 
* Refactor deleteTokens to use an array of conditions for querying, ensuring only specified fields are considered for deletion.
* Add error handling to prevent accidental deletion when no query parameters are provided.
* Update AuthService to match the new deleteTokens signature by passing an object instead of a string for email.
This commit is contained in:
Danny Avila 2025-09-05 17:26:02 -04:00 committed by GitHub
parent 1869854d70
commit fff1f1cf27
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 453 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

29
packages/data-schemas/src/methods/token.ts
View file

@ -47,13 +47,30 @@ export function createTokenMethods(mongoose: typeof import('mongoose')) {
async function deleteTokens(query: TokenQuery): Promise<TokenDeleteResult> {
try {
const Token = mongoose.models.Token;
const conditions = [];
if (query.userId !== undefined) {
conditions.push({ userId: query.userId });
}
if (query.token !== undefined) {
conditions.push({ token: query.token });
}
if (query.email !== undefined) {
conditions.push({ email: query.email });
}
if (query.identifier !== undefined) {
conditions.push({ identifier: query.identifier });
}
/**
* If no conditions are specified, throw an error to prevent accidental deletion of all tokens
*/
if (conditions.length === 0) {
throw new Error('At least one query parameter must be provided');
}
return await Token.deleteMany({
$or: [
{ userId: query.userId },
{ token: query.token },
{ email: query.email },
{ identifier: query.identifier },
],
$or: conditions,
});
} catch (error) {
logger.debug('An error occurred while deleting tokens:', error);