✨feat: OAuth for Actions (#5693)

* ✨feat: OAuth for Actions

* WIP: PoC flow state manager

* refactor: Add identifier field to token model from action schema

* chore: fix potential file type issues

* ci: fix type issue with action metadata auth

* fix: ensure FlowManagerOptions has a default ttl value

* WIP: OAUTH actions

* WIP: first pass OAuth Action

* fix: standardize identifier usage in OAuth flow handling

* fix: update token retrieval to include userId in query and use correct identifier

* refacotr: update token retrieval to use userId for OAuth token query

* feat: Tool Call Auth styling

* fix: streamline token creation and add type field to token schema

* refactor: cleanup OAuth flow by encrypting client credentials and ensuring oauth operations only run under condition

* refactor: use encrypted credentials in OAuth callback

* fix: update Token collection indexes to use expiresAt TTL index and not createdAt legacy index

* refactor: enhance Token index cleanup by improving logging and removing redundant index creation logic

* refactor: remove unused OAuth login route and related logic for improved clarity

* refactor: replace fetch with axios for OAuth token exchange and improve error handling

* refactor: better UX after authentication before oauth tool execution

* refactor: implement cleanup handlers for FlowStateManager intervals to enhance resource management

* refactor: encrypt OAuth tokens before storing and decrypt upon retrieval for enhanced security

* refactor: enhance authentication success page with improved styling and countdown feature

* refactor: add response_type parameter to OAuth redirect URI for improved compatibility

* chore: update translation.json new localizations

* chore: remove unused OGDialog import from OGDialogTemplate component

* refactor: Actions Auth using new Dialog styling, use same component with Agents/Assistants

* refactor: update removeNullishValues function to support removal of empty strings and adjust transform usage in schemas

* chore: bump version of librechat-data-provider to 0.7.6991

* refactor: integrate removeNullishValues function to clean metadata before encryption in agent and assistant routes

* refactor: update OAuth input fields to use 'password' type for better security

* refactor: update localization placeholders for sign-in message to use double curly braces

* refactor: add access_type parameter for offline access in createActionTool function

* refactor: implement handleOAuthToken function for token management and encryption

* feat: refresh token support

* refactor: add default expiration for access token and error handling for missing token

* feat: localizations for ActionAuth

* refactor: set refresh token expiration to null to not expire if expiry never given

* fix: prevent crash fromerror within async handleAbortError in AskController, EditController, and AgentController

* feat: Action Callback URL

* 🌍 i18n: Update translation.json with latest translations

* refactor: handle errors in flow state checking to prevent unhandled promise rejections

* fix: improve flow state concurrency to prevent multiple token creation calls

* refactor: RequestExecutor to use separate axios instance

* refactor: improve concurrency flows by keeping completed state until TTL expiry

* refactor: increase TTL for flow state management and adjust monitoring interval

* ci: mock axios instance creation in actions spec

* feat: add Babel and Jest configuration files; implement FlowStateManager tests with concurrency handling

* chore: add disableOAuth prop to ActionsAuth (not implemented for Assistants yet)

---------

Co-authored-by: Danny Avila <danny@librechat.ai>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

packages/data-provider/package.json

@@ -1,6 +1,6 @@
 {
   "name": "librechat-data-provider",
-  "version": "0.7.699",
+  "version": "0.7.6991",
   "description": "data services for librechat apps",
   "main": "dist/index.js",
   "module": "dist/index.es.js",

packages/data-provider/specs/actions.spec.ts

@@ -21,6 +21,7 @@ import type { ParametersSchema } from '../src/actions';
 
 jest.mock('axios');
 const mockedAxios = axios as jest.Mocked<typeof axios>;
+mockedAxios.create.mockReturnValue(mockedAxios);
 
 describe('FunctionSignature', () => {
   it('creates a function signature and converts to JSON tool', () => {

packages/data-provider/src/actions.ts

@@ -1,9 +1,15 @@
 import { z } from 'zod';
-import axios from 'axios';
+import _axios from 'axios';
 import { URL } from 'url';
 import crypto from 'crypto';
 import { load } from 'js-yaml';
-import type { FunctionTool, Schema, Reference, ActionMetadata } from './types/assistants';
+import type {
+  FunctionTool,
+  Schema,
+  Reference,
+  ActionMetadata,
+  ActionMetadataRuntime,
+} from './types/assistants';
 import type { OpenAPIV3 } from 'openapi-types';
 import { Tools, AuthTypeEnum, AuthorizationTypeEnum } from './types/assistants';
 
@@ -176,7 +182,7 @@ class RequestExecutor {
     return this;
   }
 
-  async setAuth(metadata: ActionMetadata) {
+  async setAuth(metadata: ActionMetadataRuntime) {
     if (!metadata.auth) {
       return this;
     }
@@ -199,6 +205,8 @@ class RequestExecutor {
       /* OAuth */
       oauth_client_id,
       oauth_client_secret,
+      oauth_token_expires_at,
+      oauth_access_token = '',
     } = metadata;
 
     const isApiKey = api_key != null && api_key.length > 0 && type === AuthTypeEnum.ServiceHttp;
@@ -230,22 +238,23 @@ class RequestExecutor {
     ) {
       this.authHeaders[custom_auth_header] = api_key;
     } else if (isOAuth) {
-      const authToken = this.authToken ?? '';
-      if (!authToken) {
-        const tokenResponse = await axios.post(
-          client_url,
-          {
-            client_id: oauth_client_id,
-            client_secret: oauth_client_secret,
-            scope: scope,
-            grant_type: 'client_credentials',
-          },
-          {
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-          },
-        );
-        this.authToken = tokenResponse.data.access_token;
+      // TODO: maybe doing it in a different way later on. but we want that the user needs to folllow the oauth flow.
+      // If we do not have a valid token, bail or ask user to sign in
+      const now = new Date();
+
+      // 1. Check if token is set
+      if (!oauth_access_token) {
+        throw new Error('No access token found. Please log in first.');
       }
+
+      // 2. Check if token is expired
+      if (oauth_token_expires_at && now >= new Date(oauth_token_expires_at)) {
+        // Optionally check refresh_token logic, or just prompt user to re-login
+        throw new Error('Access token is expired. Please re-login.');
+      }
+
+      // If valid, use it
+      this.authToken = oauth_access_token;
       this.authHeaders['Authorization'] = `Bearer ${this.authToken}`;
     }
     return this;
@@ -259,7 +268,7 @@ class RequestExecutor {
     };
 
     const method = this.config.method.toLowerCase();
-
+    const axios = _axios.create();
     if (method === 'get') {
       return axios.get(url, { headers, params: this.params });
     } else if (method === 'post') {
@@ -511,6 +520,7 @@ export function validateAndParseOpenAPISpec(specString: string): ValidationResul
       spec: parsedSpec,
     };
   } catch (error) {
+    console.error(error);
     return { status: false, message: 'Error parsing OpenAPI spec.' };
   }
 }

packages/data-provider/src/bedrock.ts

@@ -25,7 +25,7 @@ export const bedrockInputSchema = s.tConversationSchema
     topK: true,
     additionalModelRequestFields: true,
   })
-  .transform(s.removeNullishValues)
+  .transform((obj) => s.removeNullishValues(obj))
   .catch(() => ({}));
 
 export type BedrockConverseInput = z.infer<typeof bedrockInputSchema>;

packages/data-provider/src/config.ts

@@ -932,6 +932,10 @@ export enum CacheKeys {
    * Key for in-progress messages.
    */
   MESSAGES = 'messages',
+  /**
+   * Key for in-progress flow states.
+   */
+  FLOWS = 'flows',
 }
 
 /**

packages/data-provider/src/schemas.ts

@@ -877,7 +877,10 @@ export const gptPluginsSchema = tConversationSchema
     maxContextTokens: undefined,
   }));
 
-export function removeNullishValues<T extends Record<string, unknown>>(obj: T): Partial<T> {
+export function removeNullishValues<T extends Record<string, unknown>>(
+  obj: T,
+  removeEmptyStrings?: boolean,
+): Partial<T> {
   const newObj: Partial<T> = { ...obj };
 
   (Object.keys(newObj) as Array<keyof T>).forEach((key) => {
@@ -885,6 +888,9 @@ export function removeNullishValues<T extends Record<string, unknown>>(obj: T):
     if (value === undefined || value === null) {
       delete newObj[key];
     }
+    if (removeEmptyStrings && typeof value === 'string' && value === '') {
+      delete newObj[key];
+    }
   });
 
   return newObj;
@@ -935,8 +941,7 @@ export const compactAssistantSchema = tConversationSchema
     greeting: true,
     spec: true,
   })
-  // will change after adding temperature
-  .transform(removeNullishValues)
+  .transform((obj) => removeNullishValues(obj))
   .catch(() => ({}));
 
 export const agentsSchema = tConversationSchema
@@ -1138,7 +1143,7 @@ export const compactPluginsSchema = tConversationSchema
   })
   .catch(() => ({}));
 
-const tBannerSchema = z.object({
+export const tBannerSchema = z.object({
   bannerId: z.string(),
   message: z.string(),
   displayFrom: z.string(),
@@ -1160,5 +1165,5 @@ export const compactAgentsSchema = tConversationSchema
     instructions: true,
     additional_instructions: true,
   })
-  .transform(removeNullishValues)
+  .transform((obj) => removeNullishValues(obj))
   .catch(() => ({}));

packages/data-provider/src/types/agents.ts

@@ -52,6 +52,10 @@ export namespace Agents {
     id?: string;
     /** If provided, the output of the tool call */
     output?: string;
+    /** Auth URL */
+    auth?: string;
+    /** Expiration time */
+    expires_at?: number;
   };
 
   export type ToolEndEvent = {
@@ -190,6 +194,8 @@ export namespace Agents {
   export type ToolCallDelta = {
     type: StepTypes.TOOL_CALLS | string;
     tool_calls?: ToolCallChunk[];
+    auth?: string;
+    expires_at?: number;
   };
   export type AgentToolCall = FunctionToolCall | ToolCall;
   export interface ExtendedMessageContent {

packages/data-provider/src/types/assistants.ts

@@ -417,6 +417,8 @@ export type PartMetadata = {
   asset_pointer?: string;
   status?: string;
   action?: boolean;
+  auth?: string;
+  expires_at?: number;
 };
 
 export type ContentPart = (
@@ -506,6 +508,12 @@ export type ActionMetadata = {
   oauth_client_secret?: string;
 };
 
+export type ActionMetadataRuntime = ActionMetadata & {
+  oauth_access_token?: string;
+  oauth_refresh_token?: string;
+  oauth_token_expires_at?: Date;
+};
+
 /* Assistant types */
 
 export type Action = {

packages/data-provider/tsconfig.json

@@ -18,9 +18,8 @@
     "isolatedModules": true,
     "noEmit": true,
     "sourceMap": true,
-    "baseUrl": ".", // This should be the root of your package
+    "baseUrl": ".",
     "paths": {
-      // Add path mappings
       "librechat-data-provider/react-query": ["./src/react-query/index.ts"]
     }
   },