🧑‍💻 fix: Agents Config Defaults and Avatar Uploads Across File Strategies (#7814)

* fix: avatar processing across storage services, uniqueness by agent ID, prevent overwriting user avatar * fix: sanitize file paths in deleteLocalFile function to prevent invalid path errors * fix: correct spelling of 'agentsEndpointSchema' in agents.js and config.ts * fix: default app.locals agents configuration setup and add agent endpoint schema default
2026-01-06 10:38:50 +01:00 · 2025-06-10 09:53:15 -04:00 · 2025-06-10 09:53:15 -04:00 · a57224c1d5
commit a57224c1d5
parent 118ad943c9
13 changed files with 192 additions and 55 deletions
--- a/api/server/services/Files/Azure/images.js
+++ b/api/server/services/Files/Azure/images.js
@ -91,15 +91,28 @@ async function prepareAzureImageURL(req, file) {
 * @param {Buffer} params.buffer - The avatar image buffer.
 * @param {string} params.userId - The user's id.
 * @param {string} params.manual - Flag to indicate manual update.
+ * @param {string} [params.agentId] - Optional agent ID if this is an agent avatar.
 * @param {string} [params.basePath='images'] - The base folder within the container.
 * @param {string} [params.containerName] - The Azure Blob container name.
 * @returns {Promise<string>} The URL of the avatar.
 */
-async function processAzureAvatar({ buffer, userId, manual, basePath = 'images', containerName }) {
+async function processAzureAvatar({
+  buffer,
+  userId,
+  manual,
+  agentId,
+  basePath = 'images',
+  containerName,
+}) {
  try {
    const metadata = await sharp(buffer).metadata();
    const extension = metadata.format === 'gif' ? 'gif' : 'png';
-    const fileName = `avatar.${extension}`;
+    const timestamp = new Date().getTime();
+
+    /** Unique filename with timestamp and optional agent ID */
+    const fileName = agentId
+      ? `agent-${agentId}-avatar-${timestamp}.${extension}`
+      : `avatar-${timestamp}.${extension}`;

    const downloadURL = await saveBufferToAzure({
      userId,
@ -110,9 +123,12 @@ async function processAzureAvatar({ buffer, userId, manual, basePath = 'images',
    });
    const isManual = manual === 'true';
    const url = `${downloadURL}?manual=${isManual}`;
-    if (isManual) {
+
+    // Only update user record if this is a user avatar (manual === 'true')
+    if (isManual && !agentId) {
      await updateUser(userId, { avatar: url });
    }
+
    return url;
  } catch (error) {
    logger.error('[processAzureAvatar] Error uploading profile picture to Azure:', error);
--- a/api/server/services/Files/Firebase/images.js
+++ b/api/server/services/Files/Firebase/images.js
@ -82,14 +82,20 @@ async function prepareImageURL(req, file) {
 * @param {Buffer} params.buffer - The Buffer containing the avatar image.
 * @param {string} params.userId - The user ID.
 * @param {string} params.manual - A string flag indicating whether the update is manual ('true' or 'false').
+ * @param {string} [params.agentId] - Optional agent ID if this is an agent avatar.
 * @returns {Promise<string>} - A promise that resolves with the URL of the uploaded avatar.
 * @throws {Error} - Throws an error if Firebase is not initialized or if there is an error in uploading.
 */
-async function processFirebaseAvatar({ buffer, userId, manual }) {
+async function processFirebaseAvatar({ buffer, userId, manual, agentId }) {
  try {
    const metadata = await sharp(buffer).metadata();
    const extension = metadata.format === 'gif' ? 'gif' : 'png';
-    const fileName = `avatar.${extension}`;
+    const timestamp = new Date().getTime();
+
+    /** Unique filename with timestamp and optional agent ID */
+    const fileName = agentId
+      ? `agent-${agentId}-avatar-${timestamp}.${extension}`
+      : `avatar-${timestamp}.${extension}`;

    const downloadURL = await saveBufferToFirebase({
      userId,
@ -98,10 +104,10 @@ async function processFirebaseAvatar({ buffer, userId, manual }) {
    });

    const isManual = manual === 'true';
-
    const url = `${downloadURL}?manual=${isManual}`;

-    if (isManual) {
+    // Only update user record if this is a user avatar (manual === 'true')
+    if (isManual && !agentId) {
      await updateUser(userId, { avatar: url });
    }

--- a/api/server/services/Files/Local/crud.js
+++ b/api/server/services/Files/Local/crud.js
@ -201,6 +201,10 @@ const unlinkFile = async (filepath) => {
 */
 const deleteLocalFile = async (req, file) => {
  const { publicPath, uploads } = req.app.locals.paths;
+
+  /** Filepath stripped of query parameters (e.g., ?manual=true) */
+  const cleanFilepath = file.filepath.split('?')[0];
+
  if (file.embedded && process.env.RAG_API_URL) {
    const jwtToken = req.headers.authorization.split(' ')[1];
    axios.delete(`${process.env.RAG_API_URL}/documents`, {
@ -213,32 +217,32 @@ const deleteLocalFile = async (req, file) => {
    });
  }

-  if (file.filepath.startsWith(`/uploads/${req.user.id}`)) {
+  if (cleanFilepath.startsWith(`/uploads/${req.user.id}`)) {
    const userUploadDir = path.join(uploads, req.user.id);
-    const basePath = file.filepath.split(`/uploads/${req.user.id}/`)[1];
+    const basePath = cleanFilepath.split(`/uploads/${req.user.id}/`)[1];

    if (!basePath) {
-      throw new Error(`Invalid file path: ${file.filepath}`);
+      throw new Error(`Invalid file path: ${cleanFilepath}`);
    }

    const filepath = path.join(userUploadDir, basePath);

    const rel = path.relative(userUploadDir, filepath);
    if (rel.startsWith('..') || path.isAbsolute(rel) || rel.includes(`..${path.sep}`)) {
-      throw new Error(`Invalid file path: ${file.filepath}`);
+      throw new Error(`Invalid file path: ${cleanFilepath}`);
    }

    await unlinkFile(filepath);
    return;
  }

-  const parts = file.filepath.split(path.sep);
+  const parts = cleanFilepath.split(path.sep);
  const subfolder = parts[1];
  if (!subfolder && parts[0] === EModelEndpoint.agents) {
    logger.warn(`Agent File ${file.file_id} is missing filepath, may have been deleted already`);
    return;
  }
-  const filepath = path.join(publicPath, file.filepath);
+  const filepath = path.join(publicPath, cleanFilepath);

  if (!isValidPath(req, publicPath, subfolder, filepath)) {
    throw new Error('Invalid file path');
--- a/api/server/services/Files/Local/images.js
+++ b/api/server/services/Files/Local/images.js
@ -112,10 +112,11 @@ async function prepareImagesLocal(req, file) {
 * @param {Buffer} params.buffer - The Buffer containing the avatar image.
 * @param {string} params.userId - The user ID.
 * @param {string} params.manual - A string flag indicating whether the update is manual ('true' or 'false').
+ * @param {string} [params.agentId] - Optional agent ID if this is an agent avatar.
 * @returns {Promise<string>} - A promise that resolves with the URL of the uploaded avatar.
 * @throws {Error} - Throws an error if Firebase is not initialized or if there is an error in uploading.
 */
-async function processLocalAvatar({ buffer, userId, manual }) {
+async function processLocalAvatar({ buffer, userId, manual, agentId }) {
  const userDir = path.resolve(
    __dirname,
    '..',
@ -132,7 +133,11 @@ async function processLocalAvatar({ buffer, userId, manual }) {
  const metadata = await sharp(buffer).metadata();
  const extension = metadata.format === 'gif' ? 'gif' : 'png';

-  const fileName = `avatar-${new Date().getTime()}.${extension}`;
+  const timestamp = new Date().getTime();
+  /** Unique filename with timestamp and optional agent ID */
+  const fileName = agentId
+    ? `agent-${agentId}-avatar-${timestamp}.${extension}`
+    : `avatar-${timestamp}.${extension}`;
  const urlRoute = `/images/${userId}/${fileName}`;
  const avatarPath = path.join(userDir, fileName);

@ -142,7 +147,8 @@ async function processLocalAvatar({ buffer, userId, manual }) {
  const isManual = manual === 'true';
  let url = `${urlRoute}?manual=${isManual}`;

-  if (isManual) {
+  // Only update user record if this is a user avatar (manual === 'true')
+  if (isManual && !agentId) {
    await updateUser(userId, { avatar: url });
  }

--- a/api/server/services/Files/S3/images.js
+++ b/api/server/services/Files/S3/images.js
@ -94,19 +94,28 @@ async function prepareImageURLS3(req, file) {
 * @param {Buffer} params.buffer - Avatar image buffer.
 * @param {string} params.userId - User's unique identifier.
 * @param {string} params.manual - 'true' or 'false' flag for manual update.
+ * @param {string} [params.agentId] - Optional agent ID if this is an agent avatar.
 * @param {string} [params.basePath='images'] - Base path in the bucket.
 * @returns {Promise<string>} Signed URL of the uploaded avatar.
 */
-async function processS3Avatar({ buffer, userId, manual, basePath = defaultBasePath }) {
+async function processS3Avatar({ buffer, userId, manual, agentId, basePath = defaultBasePath }) {
  try {
    const metadata = await sharp(buffer).metadata();
    const extension = metadata.format === 'gif' ? 'gif' : 'png';
-    const fileName = `avatar.${extension}`;
+    const timestamp = new Date().getTime();
+
+    /** Unique filename with timestamp and optional agent ID */
+    const fileName = agentId
+      ? `agent-${agentId}-avatar-${timestamp}.${extension}`
+      : `avatar-${timestamp}.${extension}`;

    const downloadURL = await saveBufferToS3({ userId, buffer, fileName, basePath });
-    if (manual === 'true') {
+
+    // Only update user record if this is a user avatar (manual === 'true')
+    if (manual === 'true' && !agentId) {
      await updateUser(userId, { avatar: downloadURL });
    }
+
    return downloadURL;
  } catch (error) {
    logger.error('[processS3Avatar] Error processing S3 avatar:', error.message);