🔒 fix: Request interceptor for Shared Link Page Scenarios (#12036)

* ♻️ refactor: Centralize `buildLoginRedirectUrl` in data-provider

Move `buildLoginRedirectUrl` from `client/src/utils/redirect.ts` into
`packages/data-provider/src/api-endpoints.ts` so the axios 401
interceptor (and any other data-provider consumer) can use the canonical
implementation with the LOGIN_PATH_RE guard and BASE_URL awareness.

The client module now re-exports from `librechat-data-provider`, keeping
all existing imports working unchanged.

* 🔒 fix: Shared link 401 interceptor bypass and redirect loop (#12033)

Fixes three issues in the axios 401 response interceptor that prevented
private shared links (ALLOW_SHARED_LINKS_PUBLIC=false) from working:

1. `window.location.href.includes('share/')` matched the full URL
   (including query params and hash), causing false positives. Changed
   to `window.location.pathname.startsWith('/share/')`.

2. When token refresh returned no token on a share page, the
   interceptor logged and fell through without redirecting, causing an
   infinite retry loop via React Query. Now redirects to login using
   `buildLoginRedirectUrl()` which preserves the share URL for
   post-login navigation.

3. `processQueue` was never called in the no-token branch, leaving
   queued requests with dangling promise callbacks. Added
   `processQueue(error, null)` before the redirect.

* ✅ test: Comprehensive 401 interceptor tests for shared link auth flow

Rewrite interceptor test suite to cover all shared link auth scenarios:

- Unauthenticated user on share page with failed refresh → redirect
- Authenticated user on share page with failed refresh → redirect
- share/ in query params does NOT bypass the auth header guard
- Login path guard: redirect to plain /login (no redirect_to loop)
- Refresh success: assert exact call count (toBe(3) vs toBeGreaterThan)

Test reliability improvements:
- window.location teardown moved to afterEach (no state leak on failure)
- expect.assertions(N) on all tests (catch silent false passes)
- Shared setWindowLocation helper for consistent location mocking

* ♻️ refactor: Import `buildLoginRedirectUrl` directly from data-provider

Update `AuthContext.tsx` and `useAuthRedirect.ts` to import
`buildLoginRedirectUrl` from `librechat-data-provider` instead of
re-exporting through `~/utils/redirect.ts`.

Convert `redirect.ts` to ESM-style inline exports and remove the
re-export of `buildLoginRedirectUrl`.

* ✅ test: Move `buildLoginRedirectUrl` tests to data-provider

Tests for `buildLoginRedirectUrl` now live alongside the implementation
in `packages/data-provider/specs/api-endpoints.spec.ts`.

Removed the duplicate describe block from the client redirect test file
since it no longer owns that function.

packages/data-provider/src/api-endpoints.ts

@@ -164,6 +164,25 @@ export const verifyEmail = () => `${BASE_URL}/api/user/verify`;
 export const loginPage = () => `${BASE_URL}/login`;
 export const registerPage = () => `${BASE_URL}/register`;
 
+const REDIRECT_PARAM = 'redirect_to';
+const LOGIN_PATH_RE = /(?:^|\/)login(?:\/|$)/;
+
+/**
+ * Builds a `/login?redirect_to=...` URL from the given or current location.
+ * Returns plain `/login` (no param) when already on a login route to prevent recursive nesting.
+ */
+export function buildLoginRedirectUrl(pathname?: string, search?: string, hash?: string): string {
+  const p = pathname ?? window.location.pathname;
+  if (LOGIN_PATH_RE.test(p)) {
+    return `${BASE_URL}/login`;
+  }
+  const s = search ?? window.location.search;
+  const h = hash ?? window.location.hash;
+  const currentPath = `${p}${s}${h}`;
+  const encoded = encodeURIComponent(currentPath || '/');
+  return `${BASE_URL}/login?${REDIRECT_PARAM}=${encoded}`;
+}
+
 export const resendVerificationEmail = () => `${BASE_URL}/api/user/verify/resend`;
 
 export const plugins = () => `${BASE_URL}/api/plugins`;

packages/data-provider/src/index.ts

@@ -34,7 +34,7 @@ export * from './accessPermissions';
 export * from './keys';
 /* api call helpers */
 export * from './headers-helpers';
-export { loginPage, registerPage, apiBaseUrl } from './api-endpoints';
+export { loginPage, registerPage, apiBaseUrl, buildLoginRedirectUrl } from './api-endpoints';
 export { default as request } from './request';
 export { dataService };
 import * as dataService from './data-service';

packages/data-provider/src/request.ts

@@ -1,7 +1,7 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import axios, { AxiosError, AxiosRequestConfig } from 'axios';
-import * as endpoints from './api-endpoints';
 import { setTokenHeader } from './headers-helpers';
+import * as endpoints from './api-endpoints';
 import type * as t from './types';
 
 async function _get<T>(url: string, options?: AxiosRequestConfig): Promise<T> {
@@ -99,8 +99,12 @@ if (typeof window !== 'undefined') {
         return Promise.reject(error);
       }
 
-      /** Skip refresh when the Authorization header has been cleared (e.g. during logout) */
-      if (!axios.defaults.headers.common['Authorization']) {
+      /** Skip refresh when the Authorization header has been cleared (e.g. during logout),
+       *  but allow shared link requests to proceed so auth recovery/redirect can happen */
+      if (
+        !axios.defaults.headers.common['Authorization'] &&
+        !window.location.pathname.startsWith('/share/')
+      ) {
         return Promise.reject(error);
       }
 
@@ -135,12 +139,9 @@ if (typeof window !== 'undefined') {
             dispatchTokenUpdatedEvent(token);
             processQueue(null, token);
             return await axios(originalRequest);
-          } else if (window.location.href.includes('share/')) {
-            console.log(
-              `Refresh token failed from shared link, attempting request to ${originalRequest.url}`,
-            );
           } else {
-            window.location.href = endpoints.loginPage();
+            processQueue(error, null);
+            window.location.href = endpoints.buildLoginRedirectUrl();
           }
         } catch (err) {
           processQueue(err as AxiosError, null);