LibreChat/api/server/routes/agents/openai.js
Artyom Bogachenko 5683706af5
🔐 feat: OIDC Bearer Token Authentication for Remote Agent API (#12450)
* Remote Agent Auth middleware

* consider migration and update user

* fix eslint errors

* add scope validation

* fix codex review errors

* add filter for use: sig

* add jwks-rsa deps

* Fix remote agent OIDC auth review findings

* Polish remote agent OIDC timeout coverage

* Reject remote OIDC tokens without subject

* Use tenant context for remote agent auth config

* Harden remote agent OIDC scope handling

* Polish remote agent OIDC cache and scope tests

* Resolve remote agent auth review comments

* Reuse OpenID email claim resolver for remote auth

* Skip empty OpenID email fallback claims

* Use pre-auth tenant context for remote auth config

* Downgrade expected OIDC fallback logging

* Require secure remote OIDC endpoints

* Polish remote agent auth edge cases

* Enforce unique balance records

* Bind remote OpenID users to issuer

* Fix issuer-scoped OpenID indexes

* Avoid unique balance index requirement

* Fix remote OpenID issuer normalization boundaries

* Require issuer-bound OpenID lookups

* Enforce tenant API key policy after auth

* Fix remote auth tenant policy types

* Normalize remote OIDC discovery issuer

* Allow normalized remote OIDC issuer validation

* Enforce resolved tenant OIDC policy

* Polish OpenID issuer and scope validation

---------

Co-authored-by: Danny Avila <danny@librechat.ai>
2026-05-04 17:06:35 -04:00

91 lines
2.4 KiB
JavaScript

/**
* OpenAI-compatible API routes for LibreChat agents.
*
* Provides a /v1/chat/completions compatible interface for
* interacting with LibreChat agents remotely via API.
*
* Usage:
* POST /v1/chat/completions - Chat with an agent
* GET /v1/models - List available agents
* GET /v1/models/:model - Get agent details
*
* Request format:
* {
* "model": "agent_id_here",
* "messages": [{"role": "user", "content": "Hello!"}],
* "stream": true
* }
*/
const express = require('express');
const {
OpenAIChatCompletionController,
ListModelsController,
GetModelController,
} = require('~/server/controllers/agents/openai');
const { configMiddleware } = require('~/server/middleware');
const {
checkAgentPermission,
preAuthTenantMiddleware,
requireRemoteAgentAuth,
checkRemoteAgentsFeature,
} = require('./middleware');
const router = express.Router();
router.use(preAuthTenantMiddleware);
router.use(requireRemoteAgentAuth);
router.use(configMiddleware);
router.use(checkRemoteAgentsFeature);
/**
* @route POST /v1/chat/completions
* @desc OpenAI-compatible chat completions with agents
* @access Private (API key auth required)
*
* Request body:
* {
* "model": "agent_id", // Required: The agent ID to use
* "messages": [...], // Required: Array of chat messages
* "stream": true, // Optional: Whether to stream (default: false)
* "conversation_id": "...", // Optional: Conversation ID for context
* "parent_message_id": "..." // Optional: Parent message for threading
* }
*
* Response (streaming):
* - SSE stream with OpenAI chat.completion.chunk format
* - Includes delta.reasoning for thinking/reasoning content
*
* Response (non-streaming):
* - Standard OpenAI chat.completion format
*/
router.post('/chat/completions', checkAgentPermission, OpenAIChatCompletionController);
/**
* @route GET /v1/models
* @desc List available agents as models
* @access Private (API key auth required)
*
* Response:
* {
* "object": "list",
* "data": [
* {
* "id": "agent_id",
* "object": "model",
* "name": "Agent Name",
* "provider": "openai",
* ...
* }
* ]
* }
*/
router.get('/models', ListModelsController);
/**
* @route GET /v1/models/:model
* @desc Get details for a specific agent/model
* @access Private (API key auth required)
*/
router.get('/models/:model', GetModelController);
module.exports = router;