From 619d35360d1e01f05b8745e2d9e6d666685e527a Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Tue, 3 Mar 2026 12:03:33 -0500 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20fix:=20Request=20interceptor=20f?= =?UTF-8?q?or=20Shared=20Link=20Page=20Scenarios=20(#12036)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * ♻️ refactor: Centralize `buildLoginRedirectUrl` in data-provider Move `buildLoginRedirectUrl` from `client/src/utils/redirect.ts` into `packages/data-provider/src/api-endpoints.ts` so the axios 401 interceptor (and any other data-provider consumer) can use the canonical implementation with the LOGIN_PATH_RE guard and BASE_URL awareness. The client module now re-exports from `librechat-data-provider`, keeping all existing imports working unchanged. * 🔒 fix: Shared link 401 interceptor bypass and redirect loop (#12033) Fixes three issues in the axios 401 response interceptor that prevented private shared links (ALLOW_SHARED_LINKS_PUBLIC=false) from working: 1. `window.location.href.includes('share/')` matched the full URL (including query params and hash), causing false positives. Changed to `window.location.pathname.startsWith('/share/')`. 2. When token refresh returned no token on a share page, the interceptor logged and fell through without redirecting, causing an infinite retry loop via React Query. Now redirects to login using `buildLoginRedirectUrl()` which preserves the share URL for post-login navigation. 3. `processQueue` was never called in the no-token branch, leaving queued requests with dangling promise callbacks. Added `processQueue(error, null)` before the redirect. * ✅ test: Comprehensive 401 interceptor tests for shared link auth flow Rewrite interceptor test suite to cover all shared link auth scenarios: - Unauthenticated user on share page with failed refresh → redirect - Authenticated user on share page with failed refresh → redirect - share/ in query params does NOT bypass the auth header guard - Login path guard: redirect to plain /login (no redirect_to loop) - Refresh success: assert exact call count (toBe(3) vs toBeGreaterThan) Test reliability improvements: - window.location teardown moved to afterEach (no state leak on failure) - expect.assertions(N) on all tests (catch silent false passes) - Shared setWindowLocation helper for consistent location mocking * ♻️ refactor: Import `buildLoginRedirectUrl` directly from data-provider Update `AuthContext.tsx` and `useAuthRedirect.ts` to import `buildLoginRedirectUrl` from `librechat-data-provider` instead of re-exporting through `~/utils/redirect.ts`. Convert `redirect.ts` to ESM-style inline exports and remove the re-export of `buildLoginRedirectUrl`. * ✅ test: Move `buildLoginRedirectUrl` tests to data-provider Tests for `buildLoginRedirectUrl` now live alongside the implementation in `packages/data-provider/specs/api-endpoints.spec.ts`. Removed the duplicate describe block from the client redirect test file since it no longer owns that function. --- client/src/hooks/AuthContext.tsx | 4 +- client/src/routes/useAuthRedirect.ts | 2 +- client/src/utils/__tests__/redirect.test.ts | 86 +------ client/src/utils/redirect.ts | 35 +-- .../data-provider/specs/api-endpoints.spec.ts | 86 +++++++ .../specs/request-interceptor.spec.ts | 231 ++++++++++++++++-- packages/data-provider/src/api-endpoints.ts | 19 ++ packages/data-provider/src/index.ts | 2 +- packages/data-provider/src/request.ts | 17 +- 9 files changed, 339 insertions(+), 143 deletions(-) create mode 100644 packages/data-provider/specs/api-endpoints.spec.ts diff --git a/client/src/hooks/AuthContext.tsx b/client/src/hooks/AuthContext.tsx index 2dcdf9c903..f65479afcc 100644 --- a/client/src/hooks/AuthContext.tsx +++ b/client/src/hooks/AuthContext.tsx @@ -10,7 +10,7 @@ import { import { debounce } from 'lodash'; import { useRecoilState } from 'recoil'; import { useNavigate } from 'react-router-dom'; -import { setTokenHeader, SystemRoles } from 'librechat-data-provider'; +import { setTokenHeader, SystemRoles, buildLoginRedirectUrl } from 'librechat-data-provider'; import type * as t from 'librechat-data-provider'; import type { ReactNode } from 'react'; import { @@ -20,8 +20,8 @@ import { useLogoutUserMutation, useRefreshTokenMutation, } from '~/data-provider'; -import { SESSION_KEY, isSafeRedirect, buildLoginRedirectUrl, getPostLoginRedirect } from '~/utils'; import { TAuthConfig, TUserContext, TAuthContext, TResError } from '~/common'; +import { SESSION_KEY, isSafeRedirect, getPostLoginRedirect } from '~/utils'; import useTimeout from './useTimeout'; import store from '~/store'; diff --git a/client/src/routes/useAuthRedirect.ts b/client/src/routes/useAuthRedirect.ts index 5508162543..cc277cd74e 100644 --- a/client/src/routes/useAuthRedirect.ts +++ b/client/src/routes/useAuthRedirect.ts @@ -1,6 +1,6 @@ import { useEffect } from 'react'; import { useLocation, useNavigate } from 'react-router-dom'; -import { buildLoginRedirectUrl } from '~/utils'; +import { buildLoginRedirectUrl } from 'librechat-data-provider'; import { useAuthContext } from '~/hooks'; export default function useAuthRedirect() { diff --git a/client/src/utils/__tests__/redirect.test.ts b/client/src/utils/__tests__/redirect.test.ts index 1d402d2025..6715608c0c 100644 --- a/client/src/utils/__tests__/redirect.test.ts +++ b/client/src/utils/__tests__/redirect.test.ts @@ -1,8 +1,7 @@ import { - isSafeRedirect, - buildLoginRedirectUrl, - getPostLoginRedirect, persistRedirectToSession, + getPostLoginRedirect, + isSafeRedirect, SESSION_KEY, } from '../redirect'; @@ -60,87 +59,6 @@ describe('isSafeRedirect', () => { }); }); -describe('buildLoginRedirectUrl', () => { - const originalLocation = window.location; - - beforeEach(() => { - Object.defineProperty(window, 'location', { - value: { pathname: '/c/abc123', search: '?model=gpt-4', hash: '#msg-5' }, - writable: true, - }); - }); - - afterEach(() => { - Object.defineProperty(window, 'location', { value: originalLocation, writable: true }); - }); - - it('builds a login URL from explicit args', () => { - const result = buildLoginRedirectUrl('/c/new', '?q=hello', ''); - expect(result).toBe('/login?redirect_to=%2Fc%2Fnew%3Fq%3Dhello'); - }); - - it('encodes complex paths with query and hash', () => { - const result = buildLoginRedirectUrl('/c/new', '?q=hello&submit=true', '#section'); - expect(result).toContain('redirect_to='); - const encoded = result.split('redirect_to=')[1]; - expect(decodeURIComponent(encoded)).toBe('/c/new?q=hello&submit=true#section'); - }); - - it('falls back to window.location when no args provided', () => { - const result = buildLoginRedirectUrl(); - const encoded = result.split('redirect_to=')[1]; - expect(decodeURIComponent(encoded)).toBe('/c/abc123?model=gpt-4#msg-5'); - }); - - it('falls back to "/" when all location parts are empty', () => { - Object.defineProperty(window, 'location', { - value: { pathname: '', search: '', hash: '' }, - writable: true, - }); - const result = buildLoginRedirectUrl(); - expect(result).toBe('/login?redirect_to=%2F'); - }); - - it('returns plain /login when pathname is /login (prevents recursive redirect)', () => { - const result = buildLoginRedirectUrl('/login', '?redirect_to=%2Fc%2Fnew', ''); - expect(result).toBe('/login'); - }); - - it('returns plain /login when window.location is already /login', () => { - Object.defineProperty(window, 'location', { - value: { pathname: '/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' }, - writable: true, - }); - const result = buildLoginRedirectUrl(); - expect(result).toBe('/login'); - }); - - it('returns plain /login for /login sub-paths', () => { - const result = buildLoginRedirectUrl('/login/2fa', '', ''); - expect(result).toBe('/login'); - }); - - it('returns plain /login for basename-prefixed /login (e.g. /librechat/login)', () => { - Object.defineProperty(window, 'location', { - value: { pathname: '/librechat/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' }, - writable: true, - }); - const result = buildLoginRedirectUrl(); - expect(result).toBe('/login'); - }); - - it('returns plain /login for basename-prefixed /login sub-paths', () => { - const result = buildLoginRedirectUrl('/librechat/login/2fa', '', ''); - expect(result).toBe('/login'); - }); - - it('does NOT match paths where "login" is a substring of a segment', () => { - const result = buildLoginRedirectUrl('/c/loginhistory', '', ''); - expect(result).toContain('redirect_to='); - expect(decodeURIComponent(result.split('redirect_to=')[1])).toBe('/c/loginhistory'); - }); -}); - describe('getPostLoginRedirect', () => { beforeEach(() => { sessionStorage.clear(); diff --git a/client/src/utils/redirect.ts b/client/src/utils/redirect.ts index 1fb4e66d41..22b28d8a15 100644 --- a/client/src/utils/redirect.ts +++ b/client/src/utils/redirect.ts @@ -1,11 +1,11 @@ -const REDIRECT_PARAM = 'redirect_to'; -const SESSION_KEY = 'post_login_redirect_to'; +export const REDIRECT_PARAM = 'redirect_to'; +export const SESSION_KEY = 'post_login_redirect_to'; /** Matches `/login` as a full path segment, with optional basename prefix (e.g. `/librechat/login/2fa`) */ const LOGIN_PATH_RE = /(?:^|\/)login(?:\/|$)/; /** Validates that a redirect target is a safe relative path (not an absolute or protocol-relative URL) */ -function isSafeRedirect(url: string): boolean { +export function isSafeRedirect(url: string): boolean { if (!url.startsWith('/') || url.startsWith('//')) { return false; } @@ -13,27 +13,11 @@ function isSafeRedirect(url: string): boolean { return !LOGIN_PATH_RE.test(path); } -/** - * Builds a `/login?redirect_to=...` URL from the given or current location. - * Returns plain `/login` (no param) when already on a login route to prevent recursive nesting. - */ -function buildLoginRedirectUrl(pathname?: string, search?: string, hash?: string): string { - const p = pathname ?? window.location.pathname; - if (LOGIN_PATH_RE.test(p)) { - return '/login'; - } - const s = search ?? window.location.search; - const h = hash ?? window.location.hash; - const currentPath = `${p}${s}${h}`; - const encoded = encodeURIComponent(currentPath || '/'); - return `/login?${REDIRECT_PARAM}=${encoded}`; -} - /** * Resolves the post-login redirect from URL params and sessionStorage, * cleans up both sources, and returns the validated target (or null). */ -function getPostLoginRedirect(searchParams: URLSearchParams): string | null { +export function getPostLoginRedirect(searchParams: URLSearchParams): string | null { const urlRedirect = searchParams.get(REDIRECT_PARAM); const storedRedirect = sessionStorage.getItem(SESSION_KEY); @@ -50,17 +34,8 @@ function getPostLoginRedirect(searchParams: URLSearchParams): string | null { return target; } -function persistRedirectToSession(value: string): void { +export function persistRedirectToSession(value: string): void { if (isSafeRedirect(value)) { sessionStorage.setItem(SESSION_KEY, value); } } - -export { - SESSION_KEY, - REDIRECT_PARAM, - isSafeRedirect, - persistRedirectToSession, - buildLoginRedirectUrl, - getPostLoginRedirect, -}; diff --git a/packages/data-provider/specs/api-endpoints.spec.ts b/packages/data-provider/specs/api-endpoints.spec.ts new file mode 100644 index 0000000000..47257d9b33 --- /dev/null +++ b/packages/data-provider/specs/api-endpoints.spec.ts @@ -0,0 +1,86 @@ +/** + * @jest-environment jsdom + */ +import { buildLoginRedirectUrl } from '../src/api-endpoints'; + +describe('buildLoginRedirectUrl', () => { + let savedLocation: Location; + + beforeEach(() => { + savedLocation = window.location; + Object.defineProperty(window, 'location', { + value: { pathname: '/c/abc123', search: '?model=gpt-4', hash: '#msg-5' }, + writable: true, + }); + }); + + afterEach(() => { + Object.defineProperty(window, 'location', { value: savedLocation, writable: true }); + }); + + it('builds a login URL from explicit args', () => { + const result = buildLoginRedirectUrl('/c/new', '?q=hello', ''); + expect(result).toBe('/login?redirect_to=%2Fc%2Fnew%3Fq%3Dhello'); + }); + + it('encodes complex paths with query and hash', () => { + const result = buildLoginRedirectUrl('/c/new', '?q=hello&submit=true', '#section'); + expect(result).toContain('redirect_to='); + const encoded = result.split('redirect_to=')[1]; + expect(decodeURIComponent(encoded)).toBe('/c/new?q=hello&submit=true#section'); + }); + + it('falls back to window.location when no args provided', () => { + const result = buildLoginRedirectUrl(); + const encoded = result.split('redirect_to=')[1]; + expect(decodeURIComponent(encoded)).toBe('/c/abc123?model=gpt-4#msg-5'); + }); + + it('falls back to "/" when all location parts are empty', () => { + Object.defineProperty(window, 'location', { + value: { pathname: '', search: '', hash: '' }, + writable: true, + }); + const result = buildLoginRedirectUrl(); + expect(result).toBe('/login?redirect_to=%2F'); + }); + + it('returns plain /login when pathname is /login (prevents recursive redirect)', () => { + const result = buildLoginRedirectUrl('/login', '?redirect_to=%2Fc%2Fnew', ''); + expect(result).toBe('/login'); + }); + + it('returns plain /login when window.location is already /login', () => { + Object.defineProperty(window, 'location', { + value: { pathname: '/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' }, + writable: true, + }); + const result = buildLoginRedirectUrl(); + expect(result).toBe('/login'); + }); + + it('returns plain /login for /login sub-paths', () => { + const result = buildLoginRedirectUrl('/login/2fa', '', ''); + expect(result).toBe('/login'); + }); + + it('returns plain /login for basename-prefixed /login (e.g. /librechat/login)', () => { + Object.defineProperty(window, 'location', { + value: { pathname: '/librechat/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' }, + writable: true, + }); + const result = buildLoginRedirectUrl(); + expect(result).toBe('/login'); + }); + + it('returns plain /login for basename-prefixed /login sub-paths', () => { + const result = buildLoginRedirectUrl('/librechat/login/2fa', '', ''); + expect(result).toBe('/login'); + }); + + it('does NOT match paths where "login" is a substring of a segment', () => { + const result = buildLoginRedirectUrl('/c/loginhistory', '', ''); + expect(result).toContain('redirect_to='); + expect(decodeURIComponent(result.split('redirect_to=')[1])).toBe('/c/loginhistory'); + }); +}); diff --git a/packages/data-provider/specs/request-interceptor.spec.ts b/packages/data-provider/specs/request-interceptor.spec.ts index 872f2a9f67..a36d5592aa 100644 --- a/packages/data-provider/specs/request-interceptor.spec.ts +++ b/packages/data-provider/specs/request-interceptor.spec.ts @@ -13,20 +13,20 @@ import { setTokenHeader } from '../src/headers-helpers'; * a refresh POST or is immediately rejected. */ -/** Mock the axios adapter to simulate responses without HTTP */ const mockAdapter = jest.fn(); let originalAdapter: typeof axios.defaults.adapter; +let savedLocation: Location; beforeAll(async () => { originalAdapter = axios.defaults.adapter; axios.defaults.adapter = mockAdapter; - /** Import triggers interceptor registration */ await import('../src/request'); }); beforeEach(() => { mockAdapter.mockReset(); + savedLocation = window.location; }); afterAll(() => { @@ -35,14 +35,24 @@ afterAll(() => { afterEach(() => { delete axios.defaults.headers.common['Authorization']; + Object.defineProperty(window, 'location', { + value: savedLocation, + writable: true, + }); }); +function setWindowLocation(overrides: Partial) { + Object.defineProperty(window, 'location', { + value: { ...window.location, ...overrides }, + writable: true, + }); +} + describe('axios 401 interceptor — Authorization header guard', () => { it('skips refresh and rejects when Authorization header is cleared', async () => { - /** Simulate a cleared header (as done by setTokenHeader(undefined) during logout) */ + expect.assertions(1); setTokenHeader(undefined); - /** Set up adapter: first call returns 401, second would be the refresh */ mockAdapter.mockRejectedValueOnce({ response: { status: 401 }, config: { url: '/api/messages', headers: {} }, @@ -54,23 +64,213 @@ describe('axios 401 interceptor — Authorization header guard', () => { // expected rejection } - /** - * If the interceptor skipped refresh, only 1 call was made (the original). - * If it attempted refresh, there would be 2+ calls (original + refresh POST). - */ expect(mockAdapter).toHaveBeenCalledTimes(1); }); - it('attempts refresh when Authorization header is present', async () => { - setTokenHeader('valid-token'); + it('attempts refresh on shared link page even without Authorization header', async () => { + expect.assertions(2); + setTokenHeader(undefined); + + setWindowLocation({ + href: 'http://localhost/share/abc123', + pathname: '/share/abc123', + search: '', + hash: '', + } as Partial); - /** First call: 401 on the original request */ mockAdapter.mockRejectedValueOnce({ response: { status: 401 }, - config: { url: '/api/messages', headers: {}, _retry: false }, + config: { url: '/api/share/abc123', headers: {} }, + }); + + mockAdapter.mockResolvedValueOnce({ + data: { token: 'new-token' }, + status: 200, + headers: {}, + config: {}, + }); + + mockAdapter.mockResolvedValueOnce({ + data: { sharedLink: {} }, + status: 200, + headers: {}, + config: {}, + }); + + try { + await axios.get('/api/share/abc123'); + } catch { + // may reject depending on exact flow + } + + expect(mockAdapter.mock.calls.length).toBe(3); + + const refreshCall = mockAdapter.mock.calls[1]; + expect(refreshCall[0].url).toContain('api/auth/refresh'); + }); + + it('does not bypass guard when share/ appears only in query params', async () => { + expect.assertions(1); + setTokenHeader(undefined); + + setWindowLocation({ + href: 'http://localhost/c/chat?ref=share/token', + pathname: '/c/chat', + search: '?ref=share/token', + hash: '', + } as Partial); + + mockAdapter.mockRejectedValueOnce({ + response: { status: 401 }, + config: { url: '/api/messages', headers: {} }, + }); + + try { + await axios.get('/api/messages'); + } catch { + // expected rejection + } + + expect(mockAdapter).toHaveBeenCalledTimes(1); + }); + + it('redirects to login with redirect_to when unauthenticated on share page and refresh fails', async () => { + expect.assertions(1); + setTokenHeader(undefined); + + setWindowLocation({ + href: 'http://localhost/share/abc123', + pathname: '/share/abc123', + search: '', + hash: '', + } as Partial); + + mockAdapter.mockRejectedValueOnce({ + response: { status: 401 }, + config: { url: '/api/share/abc123', headers: {} }, + }); + + mockAdapter.mockResolvedValueOnce({ + data: { token: '' }, + status: 200, + headers: {}, + config: {}, + }); + + try { + await axios.get('/api/share/abc123'); + } catch { + // expected rejection + } + + expect(window.location.href).toBe('/login?redirect_to=%2Fshare%2Fabc123'); + }); + + it('redirects to login with redirect_to when authenticated and refresh returns no token on share page', async () => { + expect.assertions(1); + setTokenHeader('some-token'); + + setWindowLocation({ + href: 'http://localhost/share/abc123', + pathname: '/share/abc123', + search: '', + hash: '', + } as Partial); + + mockAdapter.mockRejectedValueOnce({ + response: { status: 401 }, + config: { url: '/api/share/abc123', headers: {} }, + }); + + mockAdapter.mockResolvedValueOnce({ + data: { token: '' }, + status: 200, + headers: {}, + config: {}, + }); + + try { + await axios.get('/api/share/abc123'); + } catch { + // expected rejection + } + + expect(window.location.href).toBe('/login?redirect_to=%2Fshare%2Fabc123'); + }); + + it('redirects to login with redirect_to when refresh returns no token on regular page', async () => { + expect.assertions(1); + setTokenHeader('some-token'); + + setWindowLocation({ + href: 'http://localhost/c/some-conversation', + pathname: '/c/some-conversation', + search: '', + hash: '', + } as Partial); + + mockAdapter.mockRejectedValueOnce({ + response: { status: 401 }, + config: { url: '/api/messages', headers: {} }, + }); + + mockAdapter.mockResolvedValueOnce({ + data: { token: '' }, + status: 200, + headers: {}, + config: {}, + }); + + try { + await axios.get('/api/messages'); + } catch { + // expected rejection + } + + expect(window.location.href).toBe('/login?redirect_to=%2Fc%2Fsome-conversation'); + }); + + it('redirects to plain /login without redirect_to when already on a login path', async () => { + expect.assertions(1); + setTokenHeader('some-token'); + + setWindowLocation({ + href: 'http://localhost/login/2fa', + pathname: '/login/2fa', + search: '', + hash: '', + } as Partial); + + mockAdapter.mockRejectedValueOnce({ + response: { status: 401 }, + config: { url: '/api/messages', headers: {} }, + }); + + mockAdapter.mockResolvedValueOnce({ + data: { token: '' }, + status: 200, + headers: {}, + config: {}, + }); + + try { + await axios.get('/api/messages'); + } catch { + // expected rejection + } + + expect(window.location.href).toBe('/login'); + }); + + it('attempts refresh when Authorization header is present', async () => { + expect.assertions(2); + setTokenHeader('valid-token'); + + mockAdapter.mockRejectedValueOnce({ + response: { status: 401 }, + config: { url: '/api/messages', headers: {}, _retry: false }, }); - /** Second call: the refresh endpoint succeeds */ mockAdapter.mockResolvedValueOnce({ data: { token: 'new-token' }, status: 200, @@ -78,7 +278,6 @@ describe('axios 401 interceptor — Authorization header guard', () => { config: {}, }); - /** Third call: retried original request succeeds */ mockAdapter.mockResolvedValueOnce({ data: { messages: [] }, status: 200, @@ -92,10 +291,8 @@ describe('axios 401 interceptor — Authorization header guard', () => { // may reject depending on exact flow } - /** More than 1 call means the interceptor attempted refresh */ - expect(mockAdapter.mock.calls.length).toBeGreaterThan(1); + expect(mockAdapter.mock.calls.length).toBe(3); - /** Verify the second call targeted the refresh endpoint */ const refreshCall = mockAdapter.mock.calls[1]; expect(refreshCall[0].url).toContain('api/auth/refresh'); }); diff --git a/packages/data-provider/src/api-endpoints.ts b/packages/data-provider/src/api-endpoints.ts index db6df32015..f70237edee 100644 --- a/packages/data-provider/src/api-endpoints.ts +++ b/packages/data-provider/src/api-endpoints.ts @@ -164,6 +164,25 @@ export const verifyEmail = () => `${BASE_URL}/api/user/verify`; export const loginPage = () => `${BASE_URL}/login`; export const registerPage = () => `${BASE_URL}/register`; +const REDIRECT_PARAM = 'redirect_to'; +const LOGIN_PATH_RE = /(?:^|\/)login(?:\/|$)/; + +/** + * Builds a `/login?redirect_to=...` URL from the given or current location. + * Returns plain `/login` (no param) when already on a login route to prevent recursive nesting. + */ +export function buildLoginRedirectUrl(pathname?: string, search?: string, hash?: string): string { + const p = pathname ?? window.location.pathname; + if (LOGIN_PATH_RE.test(p)) { + return `${BASE_URL}/login`; + } + const s = search ?? window.location.search; + const h = hash ?? window.location.hash; + const currentPath = `${p}${s}${h}`; + const encoded = encodeURIComponent(currentPath || '/'); + return `${BASE_URL}/login?${REDIRECT_PARAM}=${encoded}`; +} + export const resendVerificationEmail = () => `${BASE_URL}/api/user/verify/resend`; export const plugins = () => `${BASE_URL}/api/plugins`; diff --git a/packages/data-provider/src/index.ts b/packages/data-provider/src/index.ts index c57ca82845..2867bd1ec5 100644 --- a/packages/data-provider/src/index.ts +++ b/packages/data-provider/src/index.ts @@ -34,7 +34,7 @@ export * from './accessPermissions'; export * from './keys'; /* api call helpers */ export * from './headers-helpers'; -export { loginPage, registerPage, apiBaseUrl } from './api-endpoints'; +export { loginPage, registerPage, apiBaseUrl, buildLoginRedirectUrl } from './api-endpoints'; export { default as request } from './request'; export { dataService }; import * as dataService from './data-service'; diff --git a/packages/data-provider/src/request.ts b/packages/data-provider/src/request.ts index 8b316731fb..566d808e63 100644 --- a/packages/data-provider/src/request.ts +++ b/packages/data-provider/src/request.ts @@ -1,7 +1,7 @@ /* eslint-disable @typescript-eslint/no-explicit-any */ import axios, { AxiosError, AxiosRequestConfig } from 'axios'; -import * as endpoints from './api-endpoints'; import { setTokenHeader } from './headers-helpers'; +import * as endpoints from './api-endpoints'; import type * as t from './types'; async function _get(url: string, options?: AxiosRequestConfig): Promise { @@ -99,8 +99,12 @@ if (typeof window !== 'undefined') { return Promise.reject(error); } - /** Skip refresh when the Authorization header has been cleared (e.g. during logout) */ - if (!axios.defaults.headers.common['Authorization']) { + /** Skip refresh when the Authorization header has been cleared (e.g. during logout), + * but allow shared link requests to proceed so auth recovery/redirect can happen */ + if ( + !axios.defaults.headers.common['Authorization'] && + !window.location.pathname.startsWith('/share/') + ) { return Promise.reject(error); } @@ -135,12 +139,9 @@ if (typeof window !== 'undefined') { dispatchTokenUpdatedEvent(token); processQueue(null, token); return await axios(originalRequest); - } else if (window.location.href.includes('share/')) { - console.log( - `Refresh token failed from shared link, attempting request to ${originalRequest.url}`, - ); } else { - window.location.href = endpoints.loginPage(); + processQueue(error, null); + window.location.href = endpoints.buildLoginRedirectUrl(); } } catch (err) { processQueue(err as AxiosError, null);