Files
wehub-resource-sync e115934061
Publish `@librechat/data-schemas` to NPM / pack (push) Failing after 8s
Publish `@librechat/client` to NPM / pack (push) Failing after 0s
GitNexus Index / index (push) Failing after 1s
Sync Locize Translations & Create Translation PR / Create Translation PR on Version Published (push) Has been skipped
Sync Helm Chart Tags / Sync chart tags (push) Failing after 2s
Publish `librechat-data-provider` to NPM / pack (push) Failing after 1s
Docker Dev Images Build / build (Dockerfile, librechat-dev, node) (push) Failing after 1s
Docker Dev Images Build / build (Dockerfile.multi, librechat-dev-api, api-build) (push) Failing after 0s
Sync Helm Chart Tags / Ignore non-main push (push) Has been skipped
Sync Locize Translations & Create Translation PR / Sync Translation Keys with Locize (push) Failing after 1s
Publish `@librechat/client` to NPM / publish-npm (push) Has been cancelled
Publish `librechat-data-provider` to NPM / publish-npm (push) Has been cancelled
GitNexus Index / post-index (push) Has been cancelled
Publish `@librechat/data-schemas` to NPM / publish-npm (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:08:12 +08:00

44 lines
1.4 KiB
JavaScript

const { isOboConfigStillTrusted } = require('@librechat/api');
const db = require('~/models');
/**
* Checks whether a parsed MCP server config is DB-sourced (user-created) using
* the same `isUserSourced` heuristics as the rest of the MCP layer: an explicit
* `source` is authoritative when present; otherwise `dbId` presence is used.
*/
function isDbSourced({ source, dbId }) {
if (source != null) {
return source === 'user';
}
return !!dbId;
}
/**
* Builds the predicate the MCP runtime calls before performing an OBO token exchange.
*
* YAML/Config-sourced configs (admin-defined) bypass the check — admins are
* already trusted at the deployment level. DB-sourced configs (created via the
* UI) are gated on the original author still holding `MCP_SERVERS.CONFIGURE_OBO`,
* so retained configs fail closed when an author's role is downgraded.
*/
function createOboTrustChecker() {
return async ({ source, author, dbId }) => {
if (!isDbSourced({ source, dbId })) {
return true;
}
return isOboConfigStillTrusted({
authorId: author,
getUserRoleByAuthorId: async (userId) => {
const user = await db.findUser({ _id: userId }, 'role');
return user?.role;
},
getRolePermissions: async (roleName) => {
const role = await db.getRoleByName(roleName);
return role?.permissions;
},
});
};
}
module.exports = { createOboTrustChecker };