🔒 fix: Request interceptor for Shared Link Page Scenarios (#12036)

* ♻️ refactor: Centralize `buildLoginRedirectUrl` in data-provider

Move `buildLoginRedirectUrl` from `client/src/utils/redirect.ts` into
`packages/data-provider/src/api-endpoints.ts` so the axios 401
interceptor (and any other data-provider consumer) can use the canonical
implementation with the LOGIN_PATH_RE guard and BASE_URL awareness.

The client module now re-exports from `librechat-data-provider`, keeping
all existing imports working unchanged.

* 🔒 fix: Shared link 401 interceptor bypass and redirect loop (#12033)

Fixes three issues in the axios 401 response interceptor that prevented
private shared links (ALLOW_SHARED_LINKS_PUBLIC=false) from working:

1. `window.location.href.includes('share/')` matched the full URL
   (including query params and hash), causing false positives. Changed
   to `window.location.pathname.startsWith('/share/')`.

2. When token refresh returned no token on a share page, the
   interceptor logged and fell through without redirecting, causing an
   infinite retry loop via React Query. Now redirects to login using
   `buildLoginRedirectUrl()` which preserves the share URL for
   post-login navigation.

3. `processQueue` was never called in the no-token branch, leaving
   queued requests with dangling promise callbacks. Added
   `processQueue(error, null)` before the redirect.

* ✅ test: Comprehensive 401 interceptor tests for shared link auth flow

Rewrite interceptor test suite to cover all shared link auth scenarios:

- Unauthenticated user on share page with failed refresh → redirect
- Authenticated user on share page with failed refresh → redirect
- share/ in query params does NOT bypass the auth header guard
- Login path guard: redirect to plain /login (no redirect_to loop)
- Refresh success: assert exact call count (toBe(3) vs toBeGreaterThan)

Test reliability improvements:
- window.location teardown moved to afterEach (no state leak on failure)
- expect.assertions(N) on all tests (catch silent false passes)
- Shared setWindowLocation helper for consistent location mocking

* ♻️ refactor: Import `buildLoginRedirectUrl` directly from data-provider

Update `AuthContext.tsx` and `useAuthRedirect.ts` to import
`buildLoginRedirectUrl` from `librechat-data-provider` instead of
re-exporting through `~/utils/redirect.ts`.

Convert `redirect.ts` to ESM-style inline exports and remove the
re-export of `buildLoginRedirectUrl`.

* ✅ test: Move `buildLoginRedirectUrl` tests to data-provider

Tests for `buildLoginRedirectUrl` now live alongside the implementation
in `packages/data-provider/specs/api-endpoints.spec.ts`.

Removed the duplicate describe block from the client redirect test file
since it no longer owns that function.

client/src/hooks/AuthContext.tsx

@@ -10,7 +10,7 @@ import {
 import { debounce } from 'lodash';
 import { useRecoilState } from 'recoil';
 import { useNavigate } from 'react-router-dom';
-import { setTokenHeader, SystemRoles } from 'librechat-data-provider';
+import { setTokenHeader, SystemRoles, buildLoginRedirectUrl } from 'librechat-data-provider';
 import type * as t from 'librechat-data-provider';
 import type { ReactNode } from 'react';
 import {
@@ -20,8 +20,8 @@ import {
   useLogoutUserMutation,
   useRefreshTokenMutation,
 } from '~/data-provider';
-import { SESSION_KEY, isSafeRedirect, buildLoginRedirectUrl, getPostLoginRedirect } from '~/utils';
 import { TAuthConfig, TUserContext, TAuthContext, TResError } from '~/common';
+import { SESSION_KEY, isSafeRedirect, getPostLoginRedirect } from '~/utils';
 import useTimeout from './useTimeout';
 import store from '~/store';
 

client/src/routes/useAuthRedirect.ts

@@ -1,6 +1,6 @@
 import { useEffect } from 'react';
 import { useLocation, useNavigate } from 'react-router-dom';
-import { buildLoginRedirectUrl } from '~/utils';
+import { buildLoginRedirectUrl } from 'librechat-data-provider';
 import { useAuthContext } from '~/hooks';
 
 export default function useAuthRedirect() {

client/src/utils/__tests__/redirect.test.ts

@@ -1,8 +1,7 @@
 import {
-  isSafeRedirect,
-  buildLoginRedirectUrl,
-  getPostLoginRedirect,
   persistRedirectToSession,
+  getPostLoginRedirect,
+  isSafeRedirect,
   SESSION_KEY,
 } from '../redirect';
 
@@ -60,87 +59,6 @@ describe('isSafeRedirect', () => {
   });
 });
 
-describe('buildLoginRedirectUrl', () => {
-  const originalLocation = window.location;
-
-  beforeEach(() => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/c/abc123', search: '?model=gpt-4', hash: '#msg-5' },
-      writable: true,
-    });
-  });
-
-  afterEach(() => {
-    Object.defineProperty(window, 'location', { value: originalLocation, writable: true });
-  });
-
-  it('builds a login URL from explicit args', () => {
-    const result = buildLoginRedirectUrl('/c/new', '?q=hello', '');
-    expect(result).toBe('/login?redirect_to=%2Fc%2Fnew%3Fq%3Dhello');
-  });
-
-  it('encodes complex paths with query and hash', () => {
-    const result = buildLoginRedirectUrl('/c/new', '?q=hello&submit=true', '#section');
-    expect(result).toContain('redirect_to=');
-    const encoded = result.split('redirect_to=')[1];
-    expect(decodeURIComponent(encoded)).toBe('/c/new?q=hello&submit=true#section');
-  });
-
-  it('falls back to window.location when no args provided', () => {
-    const result = buildLoginRedirectUrl();
-    const encoded = result.split('redirect_to=')[1];
-    expect(decodeURIComponent(encoded)).toBe('/c/abc123?model=gpt-4#msg-5');
-  });
-
-  it('falls back to "/" when all location parts are empty', () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '', search: '', hash: '' },
-      writable: true,
-    });
-    const result = buildLoginRedirectUrl();
-    expect(result).toBe('/login?redirect_to=%2F');
-  });
-
-  it('returns plain /login when pathname is /login (prevents recursive redirect)', () => {
-    const result = buildLoginRedirectUrl('/login', '?redirect_to=%2Fc%2Fnew', '');
-    expect(result).toBe('/login');
-  });
-
-  it('returns plain /login when window.location is already /login', () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' },
-      writable: true,
-    });
-    const result = buildLoginRedirectUrl();
-    expect(result).toBe('/login');
-  });
-
-  it('returns plain /login for /login sub-paths', () => {
-    const result = buildLoginRedirectUrl('/login/2fa', '', '');
-    expect(result).toBe('/login');
-  });
-
-  it('returns plain /login for basename-prefixed /login (e.g. /librechat/login)', () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/librechat/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' },
-      writable: true,
-    });
-    const result = buildLoginRedirectUrl();
-    expect(result).toBe('/login');
-  });
-
-  it('returns plain /login for basename-prefixed /login sub-paths', () => {
-    const result = buildLoginRedirectUrl('/librechat/login/2fa', '', '');
-    expect(result).toBe('/login');
-  });
-
-  it('does NOT match paths where "login" is a substring of a segment', () => {
-    const result = buildLoginRedirectUrl('/c/loginhistory', '', '');
-    expect(result).toContain('redirect_to=');
-    expect(decodeURIComponent(result.split('redirect_to=')[1])).toBe('/c/loginhistory');
-  });
-});
-
 describe('getPostLoginRedirect', () => {
   beforeEach(() => {
     sessionStorage.clear();

client/src/utils/redirect.ts

@@ -1,11 +1,11 @@
-const REDIRECT_PARAM = 'redirect_to';
-const SESSION_KEY = 'post_login_redirect_to';
+export const REDIRECT_PARAM = 'redirect_to';
+export const SESSION_KEY = 'post_login_redirect_to';
 
 /** Matches `/login` as a full path segment, with optional basename prefix (e.g. `/librechat/login/2fa`) */
 const LOGIN_PATH_RE = /(?:^|\/)login(?:\/|$)/;
 
 /** Validates that a redirect target is a safe relative path (not an absolute or protocol-relative URL) */
-function isSafeRedirect(url: string): boolean {
+export function isSafeRedirect(url: string): boolean {
   if (!url.startsWith('/') || url.startsWith('//')) {
     return false;
   }
@@ -13,27 +13,11 @@ function isSafeRedirect(url: string): boolean {
   return !LOGIN_PATH_RE.test(path);
 }
 
-/**
- * Builds a `/login?redirect_to=...` URL from the given or current location.
- * Returns plain `/login` (no param) when already on a login route to prevent recursive nesting.
- */
-function buildLoginRedirectUrl(pathname?: string, search?: string, hash?: string): string {
-  const p = pathname ?? window.location.pathname;
-  if (LOGIN_PATH_RE.test(p)) {
-    return '/login';
-  }
-  const s = search ?? window.location.search;
-  const h = hash ?? window.location.hash;
-  const currentPath = `${p}${s}${h}`;
-  const encoded = encodeURIComponent(currentPath || '/');
-  return `/login?${REDIRECT_PARAM}=${encoded}`;
-}
-
 /**
  * Resolves the post-login redirect from URL params and sessionStorage,
  * cleans up both sources, and returns the validated target (or null).
  */
-function getPostLoginRedirect(searchParams: URLSearchParams): string | null {
+export function getPostLoginRedirect(searchParams: URLSearchParams): string | null {
   const urlRedirect = searchParams.get(REDIRECT_PARAM);
   const storedRedirect = sessionStorage.getItem(SESSION_KEY);
 
@@ -50,17 +34,8 @@ function getPostLoginRedirect(searchParams: URLSearchParams): string | null {
   return target;
 }
 
-function persistRedirectToSession(value: string): void {
+export function persistRedirectToSession(value: string): void {
   if (isSafeRedirect(value)) {
     sessionStorage.setItem(SESSION_KEY, value);
   }
 }
-
-export {
-  SESSION_KEY,
-  REDIRECT_PARAM,
-  isSafeRedirect,
-  persistRedirectToSession,
-  buildLoginRedirectUrl,
-  getPostLoginRedirect,
-};