mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-03-31 04:47:19 +02:00
c68066a636
* 🔒 fix: Prevent token leaks to MCP server on OAuth discovery failure When OAuth metadata discovery fails, refresh logic was falling back to POSTing refresh tokens to /token on the MCP resource server URL instead of the authorization server. A malicious MCP server could exploit this by blocking .well-known discovery to harvest refresh tokens. Changes: - Replace unsafe /token fallback with hard error in both refresh paths - Thread stored token_endpoint (SSRF-validated during initial flow) through the refresh chain so legacy servers without .well-known still work after the first successful auth - Fix revokeOAuthToken to always SSRF-validate the revocation URL, including the /revoke fallback path - Redact refresh token and credentials from debug-level log output - Split branch 2 compound condition for consistent error messages * ✅ test: Add stored endpoint fallback tests and improve refresh coverage - Add storedTokenEndpoint fallback tests for both refresh branches - Add missing test for branch 2 metadata-without-token_endpoint case - Rename misleading test name to match actual mock behavior - Split auto-discovered throw test into undefined vs missing-endpoint - Remove redundant afterEach mockFetch.mockClear() calls (already covered by jest.clearAllMocks() in beforeEach) |
||
|---|---|---|
| .. | ||
| __tests__ | ||
| oauth | ||
| registry | ||
| types | ||
| auth.ts | ||
| connection.ts | ||
| ConnectionsRepository.ts | ||
| enum.ts | ||
| errors.ts | ||
| mcpConfig.ts | ||
| MCPConnectionFactory.ts | ||
| MCPManager.ts | ||
| parsers.ts | ||
| UserConnectionManager.ts | ||
| utils.ts | ||
| zod.ts | ||