Skip to content

🤐 fix: Withhold Custom Endpoint Headers for User URLs#13917

Merged
danny-avila merged 4 commits into
devfrom
danny-avila/security-custom-endpoint-headers
Jun 23, 2026
Merged

🤐 fix: Withhold Custom Endpoint Headers for User URLs#13917
danny-avila merged 4 commits into
devfrom
danny-avila/security-custom-endpoint-headers

Conversation

@danny-avila

@danny-avila danny-avila commented Jun 23, 2026

Copy link
Copy Markdown
Owner

Summary

I fixed the custom OpenAI-compatible endpoint path so configured secrets do not reach user-controlled custom endpoint URLs.

  • Added a header-forwarding guard so getOpenAIConfig receives configured headers only for admin-trusted/static base URLs.
  • Required user-stored API keys whenever a custom endpoint base URL is user-provided, preventing static configured API keys from being sent to user-controlled destinations.
  • Applied the same user-key rule to model/token-config fetch resolution so fetchModels cannot send a static configured key to a user-provided base URL.
  • Updated custom endpoint config metadata so URL-provided custom endpoints prompt users for an API key before the backend requires one.
  • Added regression coverage for static Authorization, env-secret, {{LIBRECHAT_*}} placeholder headers, static API key withholding, model fetch behavior, native Anthropic custom endpoints, and endpoint credential prompts.

Change Type

  • Bug fix (non-breaking change which fixes an issue)

Testing

  • Ran npx jest src/endpoints/custom/config.spec.ts src/endpoints/custom/initialize.spec.ts src/endpoints/config/models.spec.ts --runInBand --coverage=false from packages/api
  • Ran npx tsc --noEmit -p packages/api/tsconfig.json from the repo root
  • Ran npm run build:api from the repo root
  • Started the Codex review cycle and addressed both findings; latest Codex review found no major issues

Test Configuration:

  • Node.js/Jest workspace dependencies installed locally with npm for this worktree

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have commented in any complex areas of my code
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 97d7a1434b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread packages/api/src/endpoints/custom/initialize.ts

Copy link
Copy Markdown
Owner Author

@codex review

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f92b3a291c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread packages/api/src/endpoints/custom/initialize.ts

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. What shall we delve into next?

Reviewed commit: fbe630d9a3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@danny-avila danny-avila changed the title 🛡️ fix: Withhold Custom Endpoint Headers for User URLs 🤐 fix: Withhold Custom Endpoint Headers for User URLs Jun 23, 2026
@danny-avila
danny-avila changed the base branch from main to dev June 23, 2026 19:05
@danny-avila
danny-avila marked this pull request as ready for review June 23, 2026 19:05
@danny-avila
danny-avila merged commit 606292c into dev Jun 23, 2026
17 checks passed
@danny-avila
danny-avila deleted the danny-avila/security-custom-endpoint-headers branch June 23, 2026 19:49
fuuuzzy pushed a commit to fuuuzzy/LibreChat that referenced this pull request Jul 7, 2026
)

* fix: withhold custom endpoint headers for user URLs

* fix: require user key for user custom URLs

* test: type custom endpoint header cases

* fix: prompt for keys on user custom URLs
ThomasVuNguyen pushed a commit to ThomasVuNguyen/LibreChat that referenced this pull request Jul 15, 2026
)

* fix: withhold custom endpoint headers for user URLs

* fix: require user key for user custom URLs

* test: type custom endpoint header cases

* fix: prompt for keys on user custom URLs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant