Skip to content

🍪 fix: Validate Shared-File Cookie Auth Against the Live Refresh Session#13908

Merged
danny-avila merged 2 commits into
devfrom
codex/fix-shared-file-routes-authorization
Jun 23, 2026
Merged

🍪 fix: Validate Shared-File Cookie Auth Against the Live Refresh Session#13908
danny-avila merged 2 commits into
devfrom
codex/fix-shared-file-routes-authorization

Conversation

@danny-avila

Copy link
Copy Markdown
Owner

Motivation

  • Prevent revoked or rotated refresh tokens (and stale OpenID helper cookies) from authenticating requests to shared-link file routes, which could let a previously-logged-out user still access non-public snapshot attachments.
  • Harden the cookie-based fallback used by image/anchor loads so it mirrors the normal refresh flow's revocation checks while preserving the non-blocking behavior for anonymous/public shares.

Description

  • Update api/server/middleware/optionalShareFileAuth.js to verify that a refreshToken cookie resolves to a live session via findSession before setting req.user, and rename/clarify helpers (verifySignedUserId, getRefreshTokenUserId, getOpenIdUserId).
  • Restrict the OpenID openid_user_id fallback so it only applies when an active server-side OpenID session refresh token matches the request, preventing the signed cookie alone from granting access.
  • Preserve the middleware's non-blocking semantics (fall through to canAccessSharedLink on failure) and load the resolved user with getUserById under runAsSystem to respect tenant isolation.
  • Add and update unit tests in api/server/middleware/optionalShareFileAuth.spec.js to cover live-session acceptance, revoked-session rejection, active OpenID fallback acceptance, and stale OpenID rejection.

Testing

  • Ran the middleware unit tests with npm --prefix api test -- optionalShareFileAuth.spec.js --runInBand, and all tests passed (8 passed).
  • Ran repository checks with git diff --check (no issues reported) to validate formatting/whitespace.

Codex Task

@danny-avila

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ce98bc9fac

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

return null;
}

const session = await findSession({ userId, refreshToken: token });

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Run the session lookup in system tenant context

In strict tenant-isolation deployments, image/anchor requests to shared-file routes reach this fallback without a bearer token, so optionalJwtAuth has not established tenant ALS before optionalShareFileAuth runs. Session is tenant-isolated (packages/data-schemas/src/models/session.ts) and its query middleware throws when TENANT_ISOLATION_STRICT=true with no tenant context, so this new findSession call is caught, leaves req.user unset, and valid refresh-token viewers are rejected by canAccessSharedLink for non-public shared files. Wrap the session lookup in runAsSystem (as the user lookup below already does) or otherwise establish the tenant context first.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 01fd69134 by wrapping the refresh-token findSession lookup in runAsSystem, matching the user lookup that already had system tenant context. I also updated optionalShareFileAuth.spec.js to assert the session lookup path enters runAsSystem for both live and revoked refresh-token sessions.

Verified with:

  • npm --prefix api test -- optionalShareFileAuth.spec.js --runInBand
  • git diff --check

@danny-avila

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Another round soon, please!

Reviewed commit: 01fd691343

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@danny-avila danny-avila changed the title fix: validate shared file cookie sessions 🍪 fix: Validate Shared-File Cookie Auth Against the Live Refresh Session Jun 23, 2026
@danny-avila
danny-avila changed the base branch from main to dev June 23, 2026 12:31
@danny-avila
danny-avila marked this pull request as ready for review June 23, 2026 12:32
@danny-avila
danny-avila merged commit ddc7635 into dev Jun 23, 2026
18 checks passed
@danny-avila
danny-avila deleted the codex/fix-shared-file-routes-authorization branch June 23, 2026 12:32
fuuuzzy pushed a commit to fuuuzzy/LibreChat that referenced this pull request Jul 7, 2026
…ion (danny-avila#13908)

* fix: validate shared file cookie sessions

* fix: run shared file session lookup as system
ThomasVuNguyen pushed a commit to ThomasVuNguyen/LibreChat that referenced this pull request Jul 15, 2026
…ion (danny-avila#13908)

* fix: validate shared file cookie sessions

* fix: run shared file session lookup as system
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant