From dad1ba7cd1c4bab2fbc9eaf42bdcccbc44eb0b28 Mon Sep 17 00:00:00 2001
From: Danny Avila <danny@librechat.ai>
Date: Mon, 1 Jun 2026 21:17:34 -0400
Subject: [PATCH] fix: avoid admin route fan-out on denied capabilities

---
 src/hooks/useCapabilities.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/hooks/useCapabilities.ts b/src/hooks/useCapabilities.ts
index 04107fb..c359f46 100644
--- a/src/hooks/useCapabilities.ts
+++ b/src/hooks/useCapabilities.ts
@@ -8,6 +8,8 @@ const Route = getRouteApi('/_app');
 
 /** Status codes that indicate the grants system is not deployed (vs. access denied). */
 const GRANTS_UNAVAILABLE_PATTERN = /\b(404|503)\b|endpoint not found|fetch failed/i;
+const AUTH_DENIED_PATTERN =
+  /\b(401|403)\b|forbidden|unauthorized|authentication required|no admin session token/i;
 
 export function useCapabilities(): {
   capabilities: string[];
@@ -27,6 +29,9 @@ export function useCapabilities(): {
         if (GRANTS_UNAVAILABLE_PATTERN.test(message)) {
           return { available: false, capabilities: [] as string[] };
         }
+        if (AUTH_DENIED_PATTERN.test(message)) {
+          return { available: true, capabilities: [] as string[] };
+        }
         throw err;
       }
     },