🧭 fix: Subdirectory Deployment Auth Redirect Path Doubling (#12077)

* fix: subdirectory redirects

* fix: use path-segment boundary check when stripping BASE_URL prefix

A bare `startsWith(BASE_URL)` matches on character prefix, not path
segments. With BASE_URL="/chat", a path like "/chatroom/c/abc" would
incorrectly strip to "room/c/abc" (no leading slash). Guard with an
exact-match-or-slash check: `p === BASE_URL || p.startsWith(BASE_URL + '/')`.

Also removes the dead `BASE_URL !== '/'` guard — module init already
converts '/' to ''.

* test: add path-segment boundary tests and clarify subdirectory coverage

- Add /chatroom, /chatbot, /app/chatroom regression tests to verify
  BASE_URL stripping only matches on segment boundaries
- Clarify useAuthRedirect subdirectory test documents React Router
  basename behavior (BASE_URL stripping tested in api-endpoints-subdir)
- Use `delete proc.browser` instead of undefined assignment for cleanup
- Add rationale to eslint-disable comment for isolateModules require

* fix: use relative path and correct instructions in subdirectory test script

- Replace hardcoded /home/danny/LibreChat/.env with repo-root-relative
  path so the script works from any checkout location
- Update instructions to use production build (npm run build && npm run
  backend) since nginx proxies to :3080 which only serves the SPA after
  a full build, not during frontend:dev on :3090

* fix: skip pointless redirect_to=/ for root path and fix jsdom 26+ compat

buildLoginRedirectUrl now returns plain /login when the resolved path
is root — redirect_to=/ adds no value since / immediately redirects
to /c/new after login anyway.

Also rewrites api-endpoints.spec.ts to use window.history.replaceState
instead of Object.defineProperty(window, 'location', ...) which jsdom
26+ no longer allows.

* test: fix request-interceptor.spec.ts for jsdom 26+ compatibility

Switch from jsdom to happy-dom environment which allows
Object.defineProperty on window.location. jsdom 26+ made
location non-configurable, breaking all 8 tests in this file.

* chore: update browser property handling in api-endpoints-subdir test

Changed the handling of the `proc.browser` property from deletion to setting it to false, ensuring compatibility with the current testing environment.

* chore: update backend restart instructions in test subdirectory setup script

Changed the instruction for restarting the backend from "npm run backend:dev" to "npm run backend" to reflect the correct command for the current setup.

* refactor: ensure proper cleanup in loadModuleWithBase function

Wrapped the module loading logic in a try-finally block to guarantee that the `proc.browser` property is reset to false and the base element is removed, improving reliability in the testing environment.

* refactor: improve browser property handling in loadModuleWithBase function

Revised the management of the `proc.browser` property to store the original value before modification, ensuring it is restored correctly after module loading. This enhances the reliability of the testing environment.

packages/data-provider/specs/api-endpoints-subdir.spec.ts

@@ -0,0 +1,140 @@
+/**
+ * @jest-environment jsdom
+ */
+
+/**
+ * Tests for buildLoginRedirectUrl and apiBaseUrl under subdirectory deployments.
+ *
+ * Uses jest.isolateModules to re-import api-endpoints with a <base href="/chat/">
+ * element present, simulating a subdirectory deployment where BASE_URL = '/chat'.
+ *
+ * Tests that need to override window.location use explicit function arguments
+ * instead of mocking the global, since jsdom 26+ does not allow redefining it.
+ */
+
+function loadModuleWithBase(baseHref: string) {
+  const base = document.createElement('base');
+  base.setAttribute('href', baseHref);
+  document.head.appendChild(base);
+
+  const proc = process as typeof process & { browser?: boolean };
+  const originalBrowser = proc.browser;
+
+  let mod: typeof import('../src/api-endpoints');
+  try {
+    proc.browser = true;
+    jest.isolateModules(() => {
+      // eslint-disable-next-line @typescript-eslint/no-require-imports -- static import not usable inside isolateModules
+      mod = require('../src/api-endpoints');
+    });
+    return mod!;
+  } finally {
+    proc.browser = originalBrowser;
+    document.head.removeChild(base);
+  }
+}
+
+describe('buildLoginRedirectUrl — subdirectory deployment (BASE_URL = /chat)', () => {
+  let buildLoginRedirectUrl: typeof import('../src/api-endpoints').buildLoginRedirectUrl;
+  let apiBaseUrl: typeof import('../src/api-endpoints').apiBaseUrl;
+
+  beforeAll(() => {
+    const mod = loadModuleWithBase('/chat/');
+    buildLoginRedirectUrl = mod.buildLoginRedirectUrl;
+    apiBaseUrl = mod.apiBaseUrl;
+  });
+
+  it('sets BASE_URL to "/chat" (trailing slash stripped)', () => {
+    expect(apiBaseUrl()).toBe('/chat');
+  });
+
+  it('returns "/login" without base prefix (compatible with React Router navigate)', () => {
+    const result = buildLoginRedirectUrl('/chat/c/new', '', '');
+    expect(result).toMatch(/^\/login/);
+    expect(result).not.toMatch(/^\/chat/);
+  });
+
+  it('strips base prefix from redirect_to when pathname includes base', () => {
+    const result = buildLoginRedirectUrl('/chat/c/abc123', '?model=gpt-4', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/c/abc123?model=gpt-4');
+    expect(redirectTo).not.toContain('/chat/');
+  });
+
+  it('works with pathnames that do not include the base prefix', () => {
+    const result = buildLoginRedirectUrl('/c/new', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/c/new');
+  });
+
+  it('returns plain /login for base-prefixed login path', () => {
+    expect(buildLoginRedirectUrl('/chat/login', '', '')).toBe('/login');
+  });
+
+  it('returns plain /login for base-prefixed login sub-path', () => {
+    expect(buildLoginRedirectUrl('/chat/login/2fa', '', '')).toBe('/login');
+  });
+
+  it('returns plain /login when stripped path is root (no pointless redirect_to=/)', () => {
+    const result = buildLoginRedirectUrl('/chat', '', '');
+    expect(result).toBe('/login');
+    expect(result).not.toContain('redirect_to');
+  });
+
+  it('composes correct full URL for window.location.href (apiBaseUrl + buildLoginRedirectUrl)', () => {
+    const fullUrl = apiBaseUrl() + buildLoginRedirectUrl('/chat/c/abc123', '', '');
+    expect(fullUrl).toBe('/chat/login?redirect_to=%2Fc%2Fabc123');
+    expect(fullUrl).not.toContain('/chat/chat/');
+  });
+
+  it('encodes query params and hash correctly after stripping base', () => {
+    const result = buildLoginRedirectUrl('/chat/c/deep', '?q=hello&submit=true', '#section');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/c/deep?q=hello&submit=true#section');
+  });
+
+  it('does not strip base when path shares a prefix but is not a segment match', () => {
+    const result = buildLoginRedirectUrl('/chatroom/c/abc123', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/chatroom/c/abc123');
+  });
+
+  it('does not strip base from /chatbot path', () => {
+    const result = buildLoginRedirectUrl('/chatbot', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/chatbot');
+  });
+});
+
+describe('buildLoginRedirectUrl — deep subdirectory (BASE_URL = /app/chat)', () => {
+  let buildLoginRedirectUrl: typeof import('../src/api-endpoints').buildLoginRedirectUrl;
+  let apiBaseUrl: typeof import('../src/api-endpoints').apiBaseUrl;
+
+  beforeAll(() => {
+    const mod = loadModuleWithBase('/app/chat/');
+    buildLoginRedirectUrl = mod.buildLoginRedirectUrl;
+    apiBaseUrl = mod.apiBaseUrl;
+  });
+
+  it('sets BASE_URL to "/app/chat"', () => {
+    expect(apiBaseUrl()).toBe('/app/chat');
+  });
+
+  it('strips deep base prefix from redirect_to', () => {
+    const result = buildLoginRedirectUrl('/app/chat/c/abc123', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/c/abc123');
+  });
+
+  it('full URL does not double the base prefix', () => {
+    const fullUrl = apiBaseUrl() + buildLoginRedirectUrl('/app/chat/c/abc123', '', '');
+    expect(fullUrl).toBe('/app/chat/login?redirect_to=%2Fc%2Fabc123');
+    expect(fullUrl).not.toContain('/app/chat/app/chat/');
+  });
+
+  it('does not strip from /app/chatroom (segment boundary check)', () => {
+    const result = buildLoginRedirectUrl('/app/chatroom/page', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/app/chatroom/page');
+  });
+});

packages/data-provider/specs/api-endpoints.spec.ts

@@ -4,18 +4,8 @@
 import { buildLoginRedirectUrl } from '../src/api-endpoints';
 
 describe('buildLoginRedirectUrl', () => {
-  let savedLocation: Location;
-
-  beforeEach(() => {
-    savedLocation = window.location;
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/c/abc123', search: '?model=gpt-4', hash: '#msg-5' },
-      writable: true,
-    });
-  });
-
   afterEach(() => {
-    Object.defineProperty(window, 'location', { value: savedLocation, writable: true });
+    window.history.replaceState({}, '', '/');
   });
 
   it('builds a login URL from explicit args', () => {
@@ -31,18 +21,16 @@ describe('buildLoginRedirectUrl', () => {
   });
 
   it('falls back to window.location when no args provided', () => {
+    window.history.replaceState({}, '', '/c/abc123?model=gpt-4#msg-5');
     const result = buildLoginRedirectUrl();
     const encoded = result.split('redirect_to=')[1];
     expect(decodeURIComponent(encoded)).toBe('/c/abc123?model=gpt-4#msg-5');
   });
 
-  it('falls back to "/" when all location parts are empty', () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '', search: '', hash: '' },
-      writable: true,
-    });
+  it('returns plain /login when all location parts are empty (root)', () => {
+    window.history.replaceState({}, '', '/');
     const result = buildLoginRedirectUrl();
-    expect(result).toBe('/login?redirect_to=%2F');
+    expect(result).toBe('/login');
   });
 
   it('returns plain /login when pathname is /login (prevents recursive redirect)', () => {
@@ -51,10 +39,7 @@ describe('buildLoginRedirectUrl', () => {
   });
 
   it('returns plain /login when window.location is already /login', () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' },
-      writable: true,
-    });
+    window.history.replaceState({}, '', '/login?redirect_to=%2Fc%2Fabc');
     const result = buildLoginRedirectUrl();
     expect(result).toBe('/login');
   });
@@ -65,10 +50,7 @@ describe('buildLoginRedirectUrl', () => {
   });
 
   it('returns plain /login for basename-prefixed /login (e.g. /librechat/login)', () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/librechat/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' },
-      writable: true,
-    });
+    window.history.replaceState({}, '', '/librechat/login?redirect_to=%2Fc%2Fabc');
     const result = buildLoginRedirectUrl();
     expect(result).toBe('/login');
   });
@@ -78,6 +60,12 @@ describe('buildLoginRedirectUrl', () => {
     expect(result).toBe('/login');
   });
 
+  it('returns plain /login for root path (no pointless redirect_to=/)', () => {
+    const result = buildLoginRedirectUrl('/', '', '');
+    expect(result).toBe('/login');
+    expect(result).not.toContain('redirect_to');
+  });
+
   it('does NOT match paths where "login" is a substring of a segment', () => {
     const result = buildLoginRedirectUrl('/c/loginhistory', '', '');
     expect(result).toContain('redirect_to=');

packages/data-provider/specs/request-interceptor.spec.ts

@@ -1,16 +1,19 @@
 /**
- * @jest-environment jsdom
+ * @jest-environment @happy-dom/jest-environment
  */
 import axios from 'axios';
 import { setTokenHeader } from '../src/headers-helpers';
 
 /**
  * The response interceptor in request.ts registers at import time when
- * `typeof window !== 'undefined'` (jsdom provides window).
+ * `typeof window !== 'undefined'` (happy-dom provides window).
  *
  * We use axios's built-in request adapter mock to avoid real HTTP calls,
  * and verify the interceptor's behavior by observing whether a 401 triggers
  * a refresh POST or is immediately rejected.
+ *
+ * happy-dom is used instead of jsdom because it allows overriding
+ * window.location via Object.defineProperty, which jsdom 26+ blocks.
  */
 
 const mockAdapter = jest.fn();
@@ -38,6 +41,7 @@ afterEach(() => {
   Object.defineProperty(window, 'location', {
     value: savedLocation,
     writable: true,
+    configurable: true,
   });
 });
 
@@ -45,6 +49,7 @@ function setWindowLocation(overrides: Partial<Location>) {
   Object.defineProperty(window, 'location', {
     value: { ...window.location, ...overrides },
     writable: true,
+    configurable: true,
   });
 }
 

packages/data-provider/src/api-endpoints.ts

@@ -174,13 +174,20 @@ const LOGIN_PATH_RE = /(?:^|\/)login(?:\/|$)/;
 export function buildLoginRedirectUrl(pathname?: string, search?: string, hash?: string): string {
   const p = pathname ?? window.location.pathname;
   if (LOGIN_PATH_RE.test(p)) {
-    return `${BASE_URL}/login`;
+    return '/login';
   }
   const s = search ?? window.location.search;
   const h = hash ?? window.location.hash;
-  const currentPath = `${p}${s}${h}`;
-  const encoded = encodeURIComponent(currentPath || '/');
-  return `${BASE_URL}/login?${REDIRECT_PARAM}=${encoded}`;
+
+  const stripped =
+    BASE_URL && (p === BASE_URL || p.startsWith(BASE_URL + '/'))
+      ? p.slice(BASE_URL.length) || '/'
+      : p;
+  const currentPath = `${stripped}${s}${h}`;
+  if (!currentPath || currentPath === '/') {
+    return '/login';
+  }
+  return `/login?${REDIRECT_PARAM}=${encodeURIComponent(currentPath)}`;
 }
 
 export const resendVerificationEmail = () => `${BASE_URL}/api/user/verify/resend`;

packages/data-provider/src/request.ts

@@ -141,7 +141,7 @@ if (typeof window !== 'undefined') {
             return await axios(originalRequest);
           } else {
             processQueue(error, null);
-            window.location.href = endpoints.buildLoginRedirectUrl();
+            window.location.href = endpoints.apiBaseUrl() + endpoints.buildLoginRedirectUrl();
           }
         } catch (err) {
           processQueue(err as AxiosError, null);