LibreChat/api/server/services
Danny Avila 599f4a11f1
🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756)
* 🔧 fix: Update OAuth error message for clarity

- Changed the default error message in the OAuth error route from 'Unknown error' to 'Unknown OAuth error' to provide clearer context during authentication failures.

* 🔒 feat: Enhance OAuth flow with CSRF protection and session management

- Implemented CSRF protection for OAuth flows by introducing `generateOAuthCsrfToken`, `setOAuthCsrfCookie`, and `validateOAuthCsrf` functions.
- Added session management for OAuth with `setOAuthSession` and `validateOAuthSession` middleware.
- Updated routes to bind CSRF tokens for MCP and action OAuth flows, ensuring secure authentication.
- Enhanced tests to validate CSRF handling and session management in OAuth processes.

* 🔧 refactor: Invalidate cached tools after user plugin disconnection

- Added a call to `invalidateCachedTools` in the `updateUserPluginsController` to ensure that cached tools are refreshed when a user disconnects from an MCP server after a plugin authentication update. This change improves the accuracy of tool data for users.

* chore: imports order

* fix: domain separator regex usage in ToolService

- Moved the declaration of `domainSeparatorRegex` to avoid redundancy in the `loadActionToolsForExecution` function, improving code clarity and performance.

* chore: OAuth flow error handling and CSRF token generation

- Enhanced the OAuth callback route to validate the flow ID format, ensuring proper error handling for invalid states.
- Updated the CSRF token generation function to require a JWT secret, throwing an error if not provided, which improves security and clarity in token generation.
- Adjusted tests to reflect changes in flow ID handling and ensure robust validation across various scenarios.
2026-02-12 14:22:05 -05:00
__tests__ 🦥 feat: Add Deferred Tools as Agents Capability (#11295) 2026-01-28 17:44:30 -05:00
Artifacts 🪄 fix: Code Block handling in Artifact Updates (#11417) 2026-01-20 08:45:43 -05:00
Config 🗃️ refactor: Separate Tool Cache Namespace for Blue/Green Deployments (#11738) 2026-02-11 22:20:43 -05:00
Endpoints ⚠️ chore: Remove Deprecated forcePrompt setting (#11622) 2026-02-04 11:02:27 +01:00
Files 🆔 fix: Atomic File Dedupe, Bedrock Tokens Fix, and Allowed MIME Types (#11675) 2026-02-07 13:26:18 -05:00
Runs 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
start 🦥 refactor: Event-Driven Lazy Tool Loading (#11588) 2026-02-01 08:50:57 -05:00
Threads 🔧 chore: Update ESLint Config & Run Linter (#10986) 2025-12-15 17:55:25 -05:00
Tools 🔐 fix: MCP OAuth Tool Discovery and Event Emission (#11599) 2026-02-01 19:37:04 -05:00
ActionService.js 🛡️ fix: Implement TOCTOU-Safe SSRF Protection for Actions and MCP (#11722) 2026-02-11 22:09:58 -05:00
ActionService.spec.js 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
AssistantService.js 🪦 refactor: Remove Legacy Code (#10533) 2025-12-11 16:36:12 -05:00
AuthService.js 🍪 refactor: Move OpenID Tokens from Cookies to Server-Side Sessions (#11236) 2026-01-06 15:22:10 -05:00
cleanup.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
createRunBody.js feat: Add Current Datetime to Assistants (v1/v2) (#4952) 2024-12-11 15:26:18 -05:00
GraphApiService.js 👫 fix: Update Entra ID group retrieval to use getMemberGroups and add pagination support (#10199) 2025-10-26 21:58:29 -04:00
GraphApiService.spec.js 🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794) 2025-12-11 16:37:16 -05:00
GraphTokenService.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
initializeMCPs.js 🧰 fix: Allow UI-based MCP Management without Configured Servers (#11158) 2025-12-30 18:55:11 -05:00
initializeMCPs.spec.js 🚦 refactor: Concurrent Request Limiter for Resumable Streams (#11167) 2026-01-01 11:10:56 -05:00
initializeOAuthReconnectManager.js 💫 feat: MCP OAuth Auto-Reconnect (#9646) 2025-09-17 16:49:36 -04:00
MCP.js 🔄 refactor: Sequential Event Ordering in Redis Streaming Mode (#11650) 2026-02-05 17:57:33 +01:00
MCP.spec.js 🦥 refactor: Event-Driven Lazy Tool Loading (#11588) 2026-02-01 08:50:57 -05:00
PermissionService.js 🛸 feat: Remote Agent Access with External API Support (#11503) 2026-01-28 17:44:33 -05:00
PermissionService.spec.js 🏗️ feat: Dynamic MCP Server Infrastructure with Access Control (#10787) 2025-12-11 16:38:37 -05:00
PluginService.js 🔌 feat: MCP Reinitialization and OAuth in UI (#8598) 2025-07-22 22:52:45 -04:00
ToolService.js 🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756) 2026-02-12 14:22:05 -05:00
twoFactorService.js 🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794) 2025-12-11 16:37:16 -05:00