From a5b7e074347cf35f4925121e77522c3927cd933b Mon Sep 17 00:00:00 2001
From: Danny Avila <danny@librechat.ai>
Date: Tue, 12 May 2026 15:17:50 -0400
Subject: [PATCH] fix: validate shared link refresh payload

---
 api/server/routes/share.js          | 4 ++++
 packages/data-provider/src/types.ts | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/api/server/routes/share.js b/api/server/routes/share.js
index 237e99fab4..4c0427f197 100644
--- a/api/server/routes/share.js
+++ b/api/server/routes/share.js
@@ -114,6 +114,10 @@ router.post('/:conversationId', requireJwtAuth, async (req, res) => {
 router.patch('/:shareId', requireJwtAuth, async (req, res) => {
   try {
     const { targetMessageId } = req.body ?? {};
+    if (targetMessageId !== undefined && typeof targetMessageId !== 'string') {
+      return res.status(400).json({ message: 'targetMessageId must be a string' });
+    }
+
     const updatedShare = await updateSharedLink(req.user.id, req.params.shareId, targetMessageId);
     if (updatedShare) {
       res.status(200).json(updatedShare);
diff --git a/packages/data-provider/src/types.ts b/packages/data-provider/src/types.ts
index 96c37478a3..0cfb826819 100644
--- a/packages/data-provider/src/types.ts
+++ b/packages/data-provider/src/types.ts
@@ -319,7 +319,8 @@ export type TSharedLinkResponse = Pick<TSharedLink, 'shareId'> &
   Pick<TSharedLink, 'targetMessageId'> &
   Pick<TConversation, 'conversationId'>;
 
-export type TSharedLinkGetResponse = TSharedLinkResponse & {
+export type TSharedLinkGetResponse = Omit<TSharedLinkResponse, 'shareId'> & {
+  shareId: string | null;
   success: boolean;
 };