LibreChat/packages/data-provider/src/api-endpoints.ts
Danny Avila e515063ffe
Some checks are pending
Docker Dev Branch Images Build / build (Dockerfile, lc-dev, node) (push) Waiting to run
Docker Dev Branch Images Build / build (Dockerfile.multi, lc-dev-api, api-build) (push) Waiting to run
GitNexus Index / index (push) Waiting to run
GitNexus Index / post-index (push) Blocked by required conditions
🔗 feat: Snapshot Files for Shared-Link Attachments (#13740)
* 🔗 feat: Snapshot Files for Shared-Link Attachments

Shared-link viewers could read a shared conversation snapshot but not its
attachments: file preview/download still went through the owner-scoped file
ACL (the /api/files router sits behind requireJwtAuth + owner/agent checks),
so anonymous viewers got 401s and authenticated non-owners got 403s — the
repeated `[fileAccess] denied` warnings seen for the preview poller.

Capture an immutable per-share file snapshot (embedded on the SharedLink
document, referencing the original stored object — no byte copy) at share
create/update, and serve those files through new share-scoped routes
authorized by the existing shared-link view permission (public/ACL) plus
snapshot membership, never the owner's live file ACL.

- data-schemas: fileSnapshots on the share doc; capture in create/update;
  read-time rewrite of filepath/preview to /api/share/:id/files/:fileId;
  getSharedLinkFile + lazy backfillSharedLinkFiles for legacy links
- api: GET /api/share/:shareId/files/:file_id[/download|/preview]; route
  context added to fileAccess denial logs
- packages/api: isFileSnapshotEnabled resolver (env + yaml)
- data-provider: interface.sharedLinks.snapshotFiles (default on) + client
  endpoints/services
- client: ShareContext.shareId wired to Image, preview hook, and downloads
- config: SHARED_LINKS_SNAPSHOT_FILES env override (default on)

* 🔒 fix: Address Codex review on shared-link file snapshots

Triage of the Codex review on PR #13740 (2 P1, 7 P2 — all valid):

- P1 (cross-user access): scope the snapshot lookup to the sharing user's own
  files so a message referencing another user's file_id can't widen access.
- P1 (stored XSS): the inline share-file route now serves only safe preview
  types inline (raster images/pdf); everything else is forced to attachment with
  X-Content-Type-Options: nosniff.
- Stream shared downloads by default; redirect to a signed URL only on
  ?direct=true (blob/XHR callers work without bucket CORS).
- Read preview status live from the file record (always current for deferred
  previews) and stop embedding extracted text in the share doc (16MB-limit risk).
- Only lazily backfill when the fileSnapshots field is absent (legacy), not on
  every snapshot miss.
- Backfill legacy shares before rewriting message URLs, and gate URL rewriting
  to public shares so non-public (ACL) shares keep prior behavior (img/anchor
  can't carry the bearer token).
- Frontend: only route a download through the share path when the file was
  actually snapshotted (rewritten href / filepath), else fall back.

* 🔑 feat: Authorize shared-link files for non-public shares via cookie

Extends shared-link file access to non-public (ACL) shares (Codex finding 5).
`<img>`/anchor requests can't carry the bearer access token, so non-public
shares previously 401'd on file loads. Add an optional cookie-auth fallback on
the share file routes that resolves the viewer from the `refreshToken` cookie
(or signed `openid_user_id` cookie) — the same mechanism secure image links use
(validateImageRequest) — then let canAccessSharedLink run the viewer's ACL check.

- new middleware optionalShareFileAuth (+ unit spec); applied to the three
  share file routes after optionalJwtAuth
- URL rewriting in getSharedMessages is no longer gated to public shares (the
  route now authorizes header-less requests), so files work uniformly across
  public and non-public shares; revert the now-unused req.sharePublic plumbing

* 🔒 fix: Second Codex pass on shared-link file snapshots

Addresses the follow-up Codex findings on PR #13740:

- Don't snapshot transient text-source files: FileSources.text filepaths are
  Multer temp paths the upload route deletes, so they can't be streamed —
  removed from the streamable allowlist.
- Unset stale snapshots on a disabled-feature update: updateSharedLink now
  $unsets fileSnapshots when snapshotFiles is false, so an opted-out update
  can't keep serving file ids the update dropped.
- Load tenant config after share resolution: configMiddleware now runs after
  canAccessSharedLink (which enters the share's tenant ALS context), so
  per-tenant interface.sharedLinks.snapshotFiles overrides apply to anonymous
  public views.
- Return a clean 404 when the snapshotted object is gone: resolveShareFile now
  requires the live file record and 404s if it's been deleted/expired, instead
  of letting the stream error after headers are sent (ENOENT / 500).

(The re-flagged P1 about private-viewer rewriting was already fixed in the prior
commit's cookie-auth change.)

* 🔒 fix: Third Codex pass on shared-link file snapshots

Addresses the third Codex review pass on PR #13740:

- P1: keep shared previews/files pinned to the snapshotted version. Snapshot the
  small previewRevision; resolveShareFile 404s when the live file's revision no
  longer matches (file_id reused/overwritten by a later turn), so old links can't
  surface post-share content — covers both preview text and streamed bytes.
- Honor the toggle as a kill switch: resolveShareFile 404s when snapshotFiles is
  disabled, instead of only skipping backfill, so disabling stops serving
  already-snapshotted file URLs.
- Lazy-sweep orphaned 'pending' previews to 'failed' in the share preview route
  (mirrors the owner route) so the client poller reaches a terminal state.
- Resolve the cookie-fallback user in runAsSystem so strict tenant isolation
  doesn't throw before canAccessSharedLink establishes the share tenant context.

*  feat: Per-link "share files" checkbox for shared links

Add a checkbox to the share-link dialog (checked by default) letting the user
choose whether to include the conversation's files in the shared link, with
copy explaining images/files won't be visible to viewers otherwise. Opting out
skips snapshot creation/serving for that link.

- client: ShareButton renders the checkbox gated on the new
  startupConfig.sharedLinksSnapshotFilesEnabled flag; state threads through
  SharedLinkButton into the create/update mutations as `snapshotFiles`.
- data-provider: createSharedLink/updateSharedLink send `snapshotFiles` in the
  body; TStartupConfig gains `sharedLinksSnapshotFilesEnabled`.
- api: POST/PATCH /api/share compute snapshotFiles as
  isFileSnapshotEnabled(req.config) && body.snapshotFiles !== false (admin gate
  AND per-link opt-out); config.js exposes the effective enabled flag to clients.
- en locale: com_ui_share_files (+ _description).

* 🐛 fix: Make the "share files" opt-out actually hide files

Unchecking "share files" at creation didn't hide anything: the shared message
JSON still carried each file's original (e.g. static-served) path, and because
opting out only meant "no fileSnapshots field" — indistinguishable from a legacy
link — getSharedMessages would backfill snapshots on first view whenever the
admin feature was on, re-enabling files entirely.

Fix by persisting and honoring the per-link choice:
- Store `snapshotFiles` (boolean) on the SharedLink so opt-out is distinct from a
  legacy link; set it on create and update.
- getSharedMessages computes includeFiles = adminEnabled && link not opted out;
  when excluded it strips files/attachments from the payload (no original-path
  leak) and never backfills the opted-out link.
- Surface the stored choice via getSharedLink so the dialog checkbox reflects an
  existing link's actual setting instead of always defaulting to checked.

Note: changing the checkbox on an already-created link still applies only when
the link is refreshed (which regenerates the URL) — a UX follow-up.

* 🔒 fix: Close remaining shared-link file opt-out leaks (Codex)

Follow-up to the per-link opt-out, addressing the third Codex pass:

- Honor the opt-out on the file route too: getSharedLinkFile now returns the
  link's `optedOut` choice; resolveShareFile 404s (and never backfills) an
  opted-out link, so a direct /files/:id request can't re-create snapshots.
- Make read/serve viewer-independent: the gate no longer uses the viewer's
  resolved config (isFileSnapshotEnabled(req.config)) — it uses the link's stored
  choice plus a global env-only kill switch (isFileSnapshotKillSwitchActive). A
  viewer's own interface.sharedLinks.snapshotFiles can no longer hide a link's
  files. Create/update still use the creator's config to set the per-link choice.
- Neutralize render URLs for non-snapshotted files: applyShareFileRoute now
  strips filepath/preview for any file/attachment not in the snapshot, so the
  owner's original (e.g. static) path can't be loaded through the share.

* 🔒 fix: Harden shared-file version pinning and local path handling (Codex)

- Refuse reused/overwritten file snapshots more broadly: resolveShareFile now
  refuses to serve when either previewRevision OR `bytes` changed vs the
  snapshot. `bytes` catches non-office reused outputs (e.g. code-exec
  same-filename images that lack previewRevision) and is stable across S3 URL
  refresh and the pending->ready transition. Same-size content swaps remain a
  best-effort gap inherent to the no-byte-copy design.
- Strip cache-busting query strings before local streaming: code-output images
  add `?v=...` to filepath; the share route now splits it off so getLocalFileStream
  resolves the real filename instead of a literal `*.png?v=...` path.

* 💬 fix: Clarify that file-sharing changes apply on link refresh

For an already-created shared link, changing the "share files" checkbox only
takes effect when the link is refreshed (which regenerates the snapshot). Add a
note under the checkbox, shown only when a link already exists, so the behavior
isn't surprising: "Refresh the link to apply this change — files are snapshotted
when the link is refreshed."
2026-06-20 23:05:13 -04:00

523 lines
18 KiB
TypeScript

import type { StartupConfigContext } from './config';
import type { AssistantsEndpoint } from './schemas';
import { ResourceType } from './accessPermissions';
import * as q from './types/queries';
let BASE_URL = '';
if (
typeof process === 'undefined' ||
(process as typeof process & { browser?: boolean }).browser === true
) {
// process is only available in node context, or process.browser is true in client-side code
// This is to ensure that the BASE_URL is set correctly based on the <base>
// element in the HTML document, if it exists.
const baseEl = document.querySelector('base');
BASE_URL = baseEl?.getAttribute('href') || '/';
}
if (BASE_URL && BASE_URL.endsWith('/')) {
BASE_URL = BASE_URL.slice(0, -1);
}
export const apiBaseUrl = () => BASE_URL;
// Testing this buildQuery function
const buildQuery = (params: Record<string, unknown>): string => {
const query = Object.entries(params)
.filter(([, value]) => {
if (Array.isArray(value)) {
return value.length > 0;
}
return value !== undefined && value !== null && value !== '';
})
.map(([key, value]) => {
if (Array.isArray(value)) {
return value.map((v) => `${key}=${encodeURIComponent(v)}`).join('&');
}
return `${key}=${encodeURIComponent(String(value))}`;
})
.join('&');
return query ? `?${query}` : '';
};
export const health = () => `${BASE_URL}/health`;
export const user = () => `${BASE_URL}/api/user`;
export const balance = () => `${BASE_URL}/api/balance`;
export const userPlugins = () => `${BASE_URL}/api/user/plugins`;
export const deleteUser = () => `${BASE_URL}/api/user/delete`;
const messagesRoot = `${BASE_URL}/api/messages`;
export const messages = (params: q.MessagesListParams) => {
const { conversationId, messageId, ...rest } = params;
if (conversationId && messageId) {
return `${messagesRoot}/${conversationId}/${messageId}`;
}
if (conversationId) {
return `${messagesRoot}/${conversationId}`;
}
return `${messagesRoot}${buildQuery(rest)}`;
};
export const messagesArtifacts = (messageId: string) => `${messagesRoot}/artifact/${messageId}`;
export const messagesBranch = () => `${messagesRoot}/branch`;
const shareRoot = `${BASE_URL}/api/share`;
export const shareMessages = (shareId: string) => `${shareRoot}/${shareId}`;
export const getSharedLink = (conversationId: string) => `${shareRoot}/link/${conversationId}`;
export const getSharedLinks = (
pageSize: number,
sortBy: 'title' | 'createdAt',
sortDirection: 'asc' | 'desc',
search?: string,
cursor?: string,
) =>
`${shareRoot}?pageSize=${pageSize}&sortBy=${sortBy}&sortDirection=${sortDirection}${
search ? `&search=${search}` : ''
}${cursor ? `&cursor=${cursor}` : ''}`;
export const createSharedLink = (conversationId: string) => `${shareRoot}/${conversationId}`;
export const updateSharedLink = (shareId: string) => `${shareRoot}/${shareId}`;
/** Share-scoped file routes: serve snapshotted files via shared-link permission. */
export const sharedFile = (shareId: string, fileId: string) =>
`${shareRoot}/${shareId}/files/${encodeURIComponent(fileId)}`;
export const sharedFileDownload = (shareId: string, fileId: string) =>
`${sharedFile(shareId, fileId)}/download`;
export const sharedFilePreview = (shareId: string, fileId: string) =>
`${sharedFile(shareId, fileId)}/preview`;
const keysEndpoint = `${BASE_URL}/api/keys`;
export const keys = () => keysEndpoint;
export const userKeyQuery = (name: string) => `${keysEndpoint}?name=${name}`;
export const revokeUserKey = (name: string) => `${keysEndpoint}/${name}`;
export const revokeAllUserKeys = () => `${keysEndpoint}?all=true`;
const apiKeysEndpoint = `${BASE_URL}/api/api-keys`;
export const apiKeys = () => apiKeysEndpoint;
export const apiKeyById = (id: string) => `${apiKeysEndpoint}/${id}`;
export const conversationsRoot = `${BASE_URL}/api/convos`;
export const conversations = (params: q.ConversationListParams) => {
return `${conversationsRoot}${buildQuery(params)}`;
};
export const conversationById = (id: string) => `${conversationsRoot}/${id}`;
export const genTitle = (conversationId: string) =>
`${conversationsRoot}/gen_title/${encodeURIComponent(conversationId)}`;
export const updateConversation = () => `${conversationsRoot}/update`;
export const archiveConversation = () => `${conversationsRoot}/archive`;
export const pinConversation = () => `${conversationsRoot}/pin`;
export const deleteConversation = () => `${conversationsRoot}`;
export const deleteAllConversation = () => `${conversationsRoot}/all`;
export const importConversation = () => `${conversationsRoot}/import`;
export const forkConversation = () => `${conversationsRoot}/fork`;
export const duplicateConversation = () => `${conversationsRoot}/duplicate`;
export const projectsRoot = `${BASE_URL}/api/projects`;
export const projects = (params: q.ProjectListParams = {}) => {
return `${projectsRoot}${buildQuery(params)}`;
};
export const projectById = (id: string) => `${projectsRoot}/${encodeURIComponent(id)}`;
export const projectConversation = (conversationId: string) =>
`${projectsRoot}/conversations/${encodeURIComponent(conversationId)}`;
export const search = (q: string, cursor?: string | null) =>
`${BASE_URL}/api/search?q=${q}${cursor ? `&cursor=${cursor}` : ''}`;
export const searchEnabled = () => `${BASE_URL}/api/search/enable`;
export const presets = () => `${BASE_URL}/api/presets`;
export const deletePreset = () => `${BASE_URL}/api/presets/delete`;
export const aiEndpoints = () => `${BASE_URL}/api/endpoints`;
export const tokenConfig = () => `${BASE_URL}/api/endpoints/token-config`;
export const contextProjection = () => `${BASE_URL}/api/endpoints/context-projection`;
export const models = () => `${BASE_URL}/api/models`;
export const tokenizer = () => `${BASE_URL}/api/tokenizer`;
export const login = () => `${BASE_URL}/api/auth/login`;
export const logout = () => `${BASE_URL}/api/auth/logout`;
export const register = () => `${BASE_URL}/api/auth/register`;
export const loginFacebook = () => `${BASE_URL}/api/auth/facebook`;
export const loginGoogle = () => `${BASE_URL}/api/auth/google`;
export const refreshToken = (retry?: boolean) =>
`${BASE_URL}/api/auth/refresh${retry === true ? '?retry=true' : ''}`;
export const requestPasswordReset = () => `${BASE_URL}/api/auth/requestPasswordReset`;
export const resetPassword = () => `${BASE_URL}/api/auth/resetPassword`;
export const verifyEmail = () => `${BASE_URL}/api/user/verify`;
// Auth page URLs (for client-side navigation and redirects)
export const loginPage = () => `${BASE_URL}/login`;
export const registerPage = () => `${BASE_URL}/register`;
const REDIRECT_PARAM = 'redirect_to';
const LOGIN_PATH_RE = /(?:^|\/)login(?:\/|$)/;
/**
* Builds a `/login?redirect_to=...` URL from the given or current location.
* Returns plain `/login` (no param) when already on a login route to prevent recursive nesting.
*/
export function buildLoginRedirectUrl(pathname?: string, search?: string, hash?: string): string {
const p = pathname ?? window.location.pathname;
if (LOGIN_PATH_RE.test(p)) {
return '/login';
}
const s = search ?? window.location.search;
const h = hash ?? window.location.hash;
const stripped =
BASE_URL && (p === BASE_URL || p.startsWith(BASE_URL + '/'))
? p.slice(BASE_URL.length) || '/'
: p;
const currentPath = `${stripped}${s}${h}`;
if (!currentPath || currentPath === '/') {
return '/login';
}
return `/login?${REDIRECT_PARAM}=${encodeURIComponent(currentPath)}`;
}
export const resendVerificationEmail = () => `${BASE_URL}/api/user/verify/resend`;
export const plugins = () => `${BASE_URL}/api/plugins`;
export const mcpReinitialize = (serverName: string) =>
`${BASE_URL}/api/mcp/${serverName}/reinitialize`;
export const mcpConnectionStatus = () => `${BASE_URL}/api/mcp/connection/status`;
export const mcpServerConnectionStatus = (serverName: string) =>
`${BASE_URL}/api/mcp/connection/status/${serverName}`;
export const mcpAuthValues = (serverName: string) => {
return `${BASE_URL}/api/mcp/${serverName}/auth-values`;
};
export const cancelMCPOAuth = (serverName: string) => {
return `${BASE_URL}/api/mcp/oauth/cancel/${serverName}`;
};
export const mcpOAuthBind = (serverName: string) => `${BASE_URL}/api/mcp/${serverName}/oauth/bind`;
export const actionOAuthBind = (actionId: string) =>
`${BASE_URL}/api/actions/${actionId}/oauth/bind`;
export const config = (context?: StartupConfigContext) =>
`${BASE_URL}/api/config${buildQuery({ context })}`;
export const prompts = () => `${BASE_URL}/api/prompts`;
export const addPromptToGroup = (groupId: string) =>
`${BASE_URL}/api/prompts/groups/${groupId}/prompts`;
export const assistants = ({
path = '',
options,
version,
endpoint,
isAvatar,
}: {
path?: string;
options?: object;
endpoint?: AssistantsEndpoint;
version: number | string;
isAvatar?: boolean;
}) => {
let url = isAvatar === true ? `${images()}/assistants` : `${BASE_URL}/api/assistants/v${version}`;
if (path && path !== '') {
url += `/${path}`;
}
if (endpoint) {
options = {
...(options ?? {}),
endpoint,
};
}
if (options && Object.keys(options).length > 0) {
const queryParams = new URLSearchParams(options as Record<string, string>).toString();
url += `?${queryParams}`;
}
return url;
};
export const agents = ({ path = '', options }: { path?: string; options?: object }) => {
let url = `${BASE_URL}/api/agents`;
if (path && path !== '') {
url += `/${path}`;
}
if (options && Object.keys(options).length > 0) {
const queryParams = new URLSearchParams(options as Record<string, string>).toString();
url += `?${queryParams}`;
}
return url;
};
export const activeJobs = () => `${BASE_URL}/api/agents/chat/active`;
export const mcp = {
tools: `${BASE_URL}/api/mcp/tools`,
servers: `${BASE_URL}/api/mcp/servers`,
};
export const mcpServer = (serverName: string) => `${BASE_URL}/api/mcp/servers/${serverName}`;
export const revertAgentVersion = (agent_id: string) => `${agents({ path: `${agent_id}/revert` })}`;
export const files = () => `${BASE_URL}/api/files`;
export const fileUpload = () => `${BASE_URL}/api/files`;
export const fileDelete = () => `${BASE_URL}/api/files`;
export const fileDownload = (userId: string, fileId: string) =>
`${BASE_URL}/api/files/download/${userId}/${fileId}`;
/* Deferred-preview lifecycle endpoint. Returns
* `{ status, text?, textFormat?, previewError? }` so the frontend can
* poll while background HTML extraction is in flight. See PR #12957. */
export const filePreview = (fileId: string) =>
`${BASE_URL}/api/files/${encodeURIComponent(fileId)}/preview`;
export const fileConfig = () => `${BASE_URL}/api/files/config`;
export const agentFiles = (agentId: string) => `${BASE_URL}/api/files/agent/${agentId}`;
export const images = () => `${files()}/images`;
export const avatar = () => `${images()}/avatar`;
export const speech = () => `${files()}/speech`;
export const speechToText = () => `${speech()}/stt`;
export const textToSpeech = () => `${speech()}/tts`;
export const textToSpeechManual = () => `${textToSpeech()}/manual`;
export const textToSpeechVoices = () => `${textToSpeech()}/voices`;
export const getCustomConfigSpeech = () => `${speech()}/config/get`;
export const getPromptGroup = (_id: string) => `${prompts()}/groups/${_id}`;
export const getPromptGroupsWithFilters = (filter: object) => {
let url = `${prompts()}/groups`;
// Filter out undefined/null values
const cleanedFilter = Object.entries(filter).reduce(
(acc, [key, value]) => {
if (value !== undefined && value !== null && value !== '') {
acc[key] = value;
}
return acc;
},
{} as Record<string, string>,
);
if (Object.keys(cleanedFilter).length > 0) {
const queryParams = new URLSearchParams(cleanedFilter).toString();
url += `?${queryParams}`;
}
return url;
};
export const getPromptsWithFilters = (filter: object) => {
let url = prompts();
if (Object.keys(filter).length > 0) {
const queryParams = new URLSearchParams(filter as Record<string, string>).toString();
url += `?${queryParams}`;
}
return url;
};
export const getPrompt = (_id: string) => `${prompts()}/${_id}`;
export const getRandomPrompts = (limit: number, skip: number) =>
`${prompts()}/random?limit=${limit}&skip=${skip}`;
export const postPrompt = prompts;
export const updatePromptGroup = getPromptGroup;
export const recordPromptGroupUsage = (groupId: string) => `${prompts()}/groups/${groupId}/use`;
export const updatePromptLabels = (_id: string) => `${getPrompt(_id)}/labels`;
export const updatePromptTag = (_id: string) => `${getPrompt(_id)}/tags/production`;
export const deletePromptGroup = getPromptGroup;
export const deletePrompt = ({ _id, groupId }: { _id: string; groupId: string }) => {
return `${prompts()}/${_id}?groupId=${groupId}`;
};
export const getCategories = () => `${BASE_URL}/api/categories`;
export const getAllPromptGroups = () => `${prompts()}/all`;
/* Skills */
export const skills = () => `${BASE_URL}/api/skills`;
export const importSkill = () => `${skills()}/import`;
export const getSkill = (id: string) => `${skills()}/${encodeURIComponent(id)}`;
export const listSkillsWithFilters = (
filter: Record<string, string | number | undefined | null>,
) => {
const cleaned = Object.entries(filter).reduce(
(acc, [key, value]) => {
if (value !== undefined && value !== null && value !== '') {
acc[key] = String(value);
}
return acc;
},
{} as Record<string, string>,
);
const query =
Object.keys(cleaned).length > 0 ? `?${new URLSearchParams(cleaned).toString()}` : '';
return `${skills()}${query}`;
};
export const skillFiles = (id: string) => `${getSkill(id)}/files`;
export const skillFile = (id: string, relativePath: string) =>
`${skillFiles(id)}/${encodeURIComponent(relativePath)}`;
export const adminSkillsSync = () => `${BASE_URL}/api/admin/skills/sync`;
export const adminSkillsSyncStatus = () => `${adminSkillsSync()}/status`;
export const adminSkillsSyncRun = () => `${adminSkillsSync()}/run`;
export const adminSkillsSyncCredential = (credentialKey: string) =>
`${adminSkillsSync()}/credentials/${encodeURIComponent(credentialKey)}`;
/**
* Skill filesystem tree (phase 2). URL shape mirrors the original UI PR so
* the tree hooks keep their call surface. `path` is pre-encoded by the
* caller (e.g. `${nodeId}/content`).
*/
export const skillTree = ({ skillId, path = '' }: { skillId: string; path?: string }) => {
let url = `${BASE_URL}/api/skills/${encodeURIComponent(skillId)}/tree`;
if (path) {
url += `/${path}`;
}
return url;
};
/* Skill active states (per-user overrides) */
export const skillStates = () => `${BASE_URL}/api/user/settings/skills/active`;
/* Roles */
export const roles = () => `${BASE_URL}/api/roles`;
export const adminRoles = () => `${BASE_URL}/api/admin/roles`;
export const getRole = (roleName: string) => `${roles()}/${encodeURIComponent(roleName)}`;
export const updatePromptPermissions = (roleName: string) => `${getRole(roleName)}/prompts`;
export const updateMemoryPermissions = (roleName: string) => `${getRole(roleName)}/memories`;
export const updateAgentPermissions = (roleName: string) => `${getRole(roleName)}/agents`;
export const updatePeoplePickerPermissions = (roleName: string) =>
`${getRole(roleName)}/people-picker`;
export const updateMCPServersPermissions = (roleName: string) => `${getRole(roleName)}/mcp-servers`;
export const updateRemoteAgentsPermissions = (roleName: string) =>
`${getRole(roleName)}/remote-agents`;
export const updateMarketplacePermissions = (roleName: string) =>
`${getRole(roleName)}/marketplace`;
export const updateSkillPermissions = (roleName: string) => `${getRole(roleName)}/skills`;
/* Conversation Tags */
export const conversationTags = (tag?: string) =>
`${BASE_URL}/api/tags${tag != null && tag ? `/${encodeURIComponent(tag)}` : ''}`;
export const conversationTagsList = (pageNumber: string, sort?: string, order?: string) =>
`${conversationTags()}/list?pageNumber=${pageNumber}${sort ? `&sort=${sort}` : ''}${
order ? `&order=${order}` : ''
}`;
export const addTagToConversation = (conversationId: string) =>
`${conversationTags()}/convo/${conversationId}`;
export const userTerms = () => `${BASE_URL}/api/user/terms`;
export const acceptUserTerms = () => `${BASE_URL}/api/user/terms/accept`;
export const banner = () => `${BASE_URL}/api/banner`;
// Message Feedback
export const feedback = (conversationId: string, messageId: string) =>
`${BASE_URL}/api/messages/${conversationId}/${messageId}/feedback`;
// Two-Factor Endpoints
export const enableTwoFactor = () => `${BASE_URL}/api/auth/2fa/enable`;
export const verifyTwoFactor = () => `${BASE_URL}/api/auth/2fa/verify`;
export const confirmTwoFactor = () => `${BASE_URL}/api/auth/2fa/confirm`;
export const disableTwoFactor = () => `${BASE_URL}/api/auth/2fa/disable`;
export const regenerateBackupCodes = () => `${BASE_URL}/api/auth/2fa/backup/regenerate`;
export const verifyTwoFactorTemp = () => `${BASE_URL}/api/auth/2fa/verify-temp`;
/* Memories */
export const memories = () => `${BASE_URL}/api/memories`;
export const memory = (key: string) => `${memories()}/${encodeURIComponent(key)}`;
export const memoryPreferences = () => `${memories()}/preferences`;
export const searchPrincipals = (params: q.PrincipalSearchParams) => {
const { q: query, limit, types } = params;
let url = `${BASE_URL}/api/permissions/search-principals?q=${encodeURIComponent(query)}`;
if (limit !== undefined) {
url += `&limit=${limit}`;
}
if (types && types.length > 0) {
url += `&types=${types.join(',')}`;
}
return url;
};
export const getAccessRoles = (resourceType: ResourceType) =>
`${BASE_URL}/api/permissions/${resourceType}/roles`;
export const getResourcePermissions = (resourceType: ResourceType, resourceId: string) =>
`${BASE_URL}/api/permissions/${resourceType}/${resourceId}`;
export const updateResourcePermissions = (resourceType: ResourceType, resourceId: string) =>
`${BASE_URL}/api/permissions/${resourceType}/${resourceId}`;
export const getEffectivePermissions = (resourceType: ResourceType, resourceId: string) =>
`${BASE_URL}/api/permissions/${resourceType}/${resourceId}/effective`;
export const getAllEffectivePermissions = (resourceType: ResourceType) =>
`${BASE_URL}/api/permissions/${resourceType}/effective/all`;
// SharePoint Graph API Token
export const graphToken = (scopes: string) =>
`${BASE_URL}/api/auth/graph-token?scopes=${encodeURIComponent(scopes)}`;