e115934061
Publish `@librechat/data-schemas` to NPM / pack (push) Failing after 8s
Publish `@librechat/client` to NPM / pack (push) Failing after 0s
GitNexus Index / index (push) Failing after 1s
Sync Locize Translations & Create Translation PR / Create Translation PR on Version Published (push) Has been skipped
Sync Helm Chart Tags / Sync chart tags (push) Failing after 2s
Publish `librechat-data-provider` to NPM / pack (push) Failing after 1s
Docker Dev Images Build / build (Dockerfile, librechat-dev, node) (push) Failing after 1s
Docker Dev Images Build / build (Dockerfile.multi, librechat-dev-api, api-build) (push) Failing after 0s
Sync Helm Chart Tags / Ignore non-main push (push) Has been skipped
Sync Locize Translations & Create Translation PR / Sync Translation Keys with Locize (push) Failing after 1s
Publish `@librechat/client` to NPM / publish-npm (push) Has been cancelled
Publish `librechat-data-provider` to NPM / publish-npm (push) Has been cancelled
GitNexus Index / post-index (push) Has been cancelled
Publish `@librechat/data-schemas` to NPM / publish-npm (push) Has been cancelled
44 lines
1.4 KiB
JavaScript
44 lines
1.4 KiB
JavaScript
const { isOboConfigStillTrusted } = require('@librechat/api');
|
|
const db = require('~/models');
|
|
|
|
/**
|
|
* Checks whether a parsed MCP server config is DB-sourced (user-created) using
|
|
* the same `isUserSourced` heuristics as the rest of the MCP layer: an explicit
|
|
* `source` is authoritative when present; otherwise `dbId` presence is used.
|
|
*/
|
|
function isDbSourced({ source, dbId }) {
|
|
if (source != null) {
|
|
return source === 'user';
|
|
}
|
|
return !!dbId;
|
|
}
|
|
|
|
/**
|
|
* Builds the predicate the MCP runtime calls before performing an OBO token exchange.
|
|
*
|
|
* YAML/Config-sourced configs (admin-defined) bypass the check — admins are
|
|
* already trusted at the deployment level. DB-sourced configs (created via the
|
|
* UI) are gated on the original author still holding `MCP_SERVERS.CONFIGURE_OBO`,
|
|
* so retained configs fail closed when an author's role is downgraded.
|
|
*/
|
|
function createOboTrustChecker() {
|
|
return async ({ source, author, dbId }) => {
|
|
if (!isDbSourced({ source, dbId })) {
|
|
return true;
|
|
}
|
|
return isOboConfigStillTrusted({
|
|
authorId: author,
|
|
getUserRoleByAuthorId: async (userId) => {
|
|
const user = await db.findUser({ _id: userId }, 'role');
|
|
return user?.role;
|
|
},
|
|
getRolePermissions: async (roleName) => {
|
|
const role = await db.getRoleByName(roleName);
|
|
return role?.permissions;
|
|
},
|
|
});
|
|
};
|
|
}
|
|
|
|
module.exports = { createOboTrustChecker };
|