LibreChat/api/server/routes/agents/responses.js
Artyom Bogachenko 5683706af5
🔐 feat: OIDC Bearer Token Authentication for Remote Agent API (#12450)
* Remote Agent Auth middleware

* consider migration and update user

* fix eslint errors

* add scope validation

* fix codex review errors

* add filter for use: sig

* add jwks-rsa deps

* Fix remote agent OIDC auth review findings

* Polish remote agent OIDC timeout coverage

* Reject remote OIDC tokens without subject

* Use tenant context for remote agent auth config

* Harden remote agent OIDC scope handling

* Polish remote agent OIDC cache and scope tests

* Resolve remote agent auth review comments

* Reuse OpenID email claim resolver for remote auth

* Skip empty OpenID email fallback claims

* Use pre-auth tenant context for remote auth config

* Downgrade expected OIDC fallback logging

* Require secure remote OIDC endpoints

* Polish remote agent auth edge cases

* Enforce unique balance records

* Bind remote OpenID users to issuer

* Fix issuer-scoped OpenID indexes

* Avoid unique balance index requirement

* Fix remote OpenID issuer normalization boundaries

* Require issuer-bound OpenID lookups

* Enforce tenant API key policy after auth

* Fix remote auth tenant policy types

* Normalize remote OIDC discovery issuer

* Allow normalized remote OIDC issuer validation

* Enforce resolved tenant OIDC policy

* Polish OpenID issuer and scope validation

---------

Co-authored-by: Danny Avila <danny@librechat.ai>
2026-05-04 17:06:35 -04:00

125 lines
3.4 KiB
JavaScript

/**
* Open Responses API routes for LibreChat agents.
*
* Implements the Open Responses specification for a forward-looking,
* agentic API that uses items as the fundamental unit and semantic
* streaming events.
*
* Usage:
* POST /v1/responses - Create a response
* GET /v1/models - List available agents
*
* Request format:
* {
* "model": "agent_id_here",
* "input": "Hello!" or [{ type: "message", role: "user", content: "Hello!" }],
* "stream": true,
* "previous_response_id": "optional_conversation_id"
* }
*
* @see https://openresponses.org/specification
*/
const express = require('express');
const {
createResponse,
getResponse,
listModels,
} = require('~/server/controllers/agents/responses');
const { configMiddleware } = require('~/server/middleware');
const {
checkAgentPermission,
preAuthTenantMiddleware,
requireRemoteAgentAuth,
checkRemoteAgentsFeature,
} = require('./middleware');
const router = express.Router();
router.use(preAuthTenantMiddleware);
router.use(requireRemoteAgentAuth);
router.use(configMiddleware);
router.use(checkRemoteAgentsFeature);
/**
* @route POST /v1/responses
* @desc Create a model response following Open Responses specification
* @access Private (API key auth required)
*
* Request body:
* {
* "model": "agent_id", // Required: The agent ID to use
* "input": "..." | [...], // Required: String or array of input items
* "stream": true, // Optional: Whether to stream (default: false)
* "previous_response_id": "...", // Optional: Previous response for continuation
* "instructions": "...", // Optional: Additional instructions
* "tools": [...], // Optional: Additional tools
* "tool_choice": "auto", // Optional: Tool choice mode
* "max_output_tokens": 4096, // Optional: Max tokens
* "temperature": 0.7 // Optional: Temperature
* }
*
* Response (streaming):
* - SSE stream with semantic events:
* - response.in_progress
* - response.output_item.added
* - response.content_part.added
* - response.output_text.delta
* - response.output_text.done
* - response.function_call_arguments.delta
* - response.output_item.done
* - response.completed
* - [DONE]
*
* Response (non-streaming):
* {
* "id": "resp_xxx",
* "object": "response",
* "created_at": 1234567890,
* "status": "completed",
* "model": "agent_id",
* "output": [...], // Array of output items
* "usage": { ... }
* }
*/
router.post('/', checkAgentPermission, createResponse);
/**
* @route GET /v1/responses/models
* @desc List available agents as models
* @access Private (API key auth required)
*
* Response:
* {
* "object": "list",
* "data": [
* {
* "id": "agent_id",
* "object": "model",
* "name": "Agent Name",
* "provider": "openai",
* ...
* }
* ]
* }
*/
router.get('/models', listModels);
/**
* @route GET /v1/responses/:id
* @desc Retrieve a stored response by ID
* @access Private (API key auth required)
*
* Response:
* {
* "id": "resp_xxx",
* "object": "response",
* "created_at": 1234567890,
* "status": "completed",
* "model": "agent_id",
* "output": [...],
* "usage": { ... }
* }
*/
router.get('/:id', getResponse);
module.exports = router;