6704: Azure Blob Storage URL Signing and Refresh Support by adamfisher · Pull Request #11137 · danny-avila/LibreChat

adamfisher · 2025-12-29T14:27:13Z

Summary

This PR adds signed URL (SAS token) support for Azure Blob Storage, bringing feature parity with the existing S3 implementation. When AZURE_STORAGE_PUBLIC_ACCESS=false, files are served via time-limited signed URLs that are automatically refreshed before expiration.

See: [Enhancement]: Azure Blob Storage private container support

Documentation PR: LibreChat-AI/librechat.ai#474

Features

Automatic URL signing when AZURE_STORAGE_PUBLIC_ACCESS=false
Two signing methods automatically selected based on configuration:
- Account Key signing - when AZURE_STORAGE_CONNECTION_STRING is set
- User Delegation SAS - when only AZURE_STORAGE_ACCOUNT_NAME is set (Managed Identity)
Automatic URL refresh for files and avatars before expiration
Dynamic refresh cache duration based on URL expiry time (fixes issue where 30-minute cache caused 2-minute URLs to expire)
Access mode transitions - handles switching between public/private access gracefully

Files Changed

Core Implementation

api/server/services/Files/Azure/crud.js
- Added getSignedAzureURL() - generates SAS tokens via Account Key or User Delegation
- Added getUserDelegationKey() - obtains and caches delegation keys (7-day lifespan, refreshed 5 min before expiry)
- Added needsRefreshAzure() - checks if URL needs refresh based on expiry or access mode change
- Added extractBlobPathFromAzureUrl() - extracts blob path from Azure URL
- Added getNewAzureURL() - generates fresh signed or plain URL based on current access mode
- Added refreshAzureFileUrls() - batch refresh for file arrays
- Added refreshAzureUrl() - single file URL refresh
- Modified saveBufferToAzure() - returns signed URL when private access enabled
- Modified streamFileToAzure() - returns signed URL when private access enabled
api/server/services/Files/Azure/images.js
- Fixed processAzureAvatar() - removed erroneous ?manual=true suffix that broke signed URLs

Route Integration

api/server/routes/files/files.js
- Added Azure file URL refresh support parallel to S3
- Added getRefreshCacheTime() helper for dynamic cache duration based on URL expiry
- Uses separate cache key (AZURE_EXPIRY_INTERVAL) from S3

Controller Integration

api/server/controllers/UserController.js
- Added Azure avatar refresh in getUserController() parallel to existing S3 logic
api/server/controllers/agents/v1.js
- Added Azure avatar refresh for agent avatars in refreshListAvatars() and getAgentHandler()

Cache Configuration

packages/data-provider/src/config.ts
- Added CacheKeys.AZURE_EXPIRY_INTERVAL enum value
api/cache/getLogStores.js
- Added AZURE_EXPIRY_INTERVAL cache store with 30-minute TTL

Tests

api/test/server/services/Files/Azure/crud.test.js
- Tests for needsRefreshAzure() with various URL states
- Tests for extractBlobPathFromAzureUrl()

Documentation

pages/docs/configuration/cdn/azure.mdx
- Added URL Signing Configuration section
- Documented AZURE_URL_EXPIRY_SECONDS environment variable
- Explained automatic signing method selection
- Added Managed Identity role requirements
- Added local testing instructions for signed URLs

Environment Variables

Variable	Default	Description
`AZURE_URL_EXPIRY_SECONDS`	120	SAS token validity period in seconds (max: 7 days). Recommended: 3600
`AZURE_STORAGE_PUBLIC_ACCESS`	-	`false` enables URL signing, `true` uses plain URLs
`AZURE_STORAGE_CONNECTION_STRING`	-	Triggers Account Key signing when present
`AZURE_STORAGE_ACCOUNT_NAME`	-	Triggers User Delegation signing when no connection string

Breaking Changes

None. Existing deployments with AZURE_STORAGE_PUBLIC_ACCESS=true continue to work unchanged.

Testing Steps

Prerequisites

Azure Storage Account with a container named files
LibreChat application with Azure Blob Storage configured

Test 1: Account Key Signing (Connection String)

Setup

# .env
AZURE_STORAGE_CONNECTION_STRING=DefaultEndpointsProtocol=https;AccountName=yourAccount;AccountKey=yourKey;EndpointSuffix=core.windows.net
AZURE_STORAGE_PUBLIC_ACCESS=false
AZURE_CONTAINER_NAME=files
AZURE_URL_EXPIRY_SECONDS=120

Steps

Start LibreChat
Upload an image in a chat conversation
Inspect the image URL in browser dev tools - should contain SAS parameters (sv=, se=, sig=)
Verify image displays correctly
Wait for URL to approach expiry (or set AZURE_URL_EXPIRY_SECONDS=60 for faster testing)
Refresh the file list or navigate away and back
Verify the URL is refreshed with new expiry time

Expected Results

✅ Image URL contains SAS token parameters
✅ Image loads successfully
✅ URL refreshes before expiration

Test 2: User Delegation SAS (Managed Identity)

Setup

Deploy to Azure Container Apps, App Service, or VM with:

# .env (NO connection string)
AZURE_STORAGE_ACCOUNT_NAME=yourAccount
AZURE_STORAGE_PUBLIC_ACCESS=false
AZURE_CONTAINER_NAME=files
AZURE_URL_EXPIRY_SECONDS=300

Azure Role Assignments

Assign to the Managed Identity:

Storage Blob Data Contributor
Storage Blob Delegator

# Example for Azure Container Apps
PRINCIPAL_ID=$(az containerapp show --name your-app --resource-group your-rg --query identity.principalId -o tsv)
STORAGE_SCOPE="/subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{account}"

az role assignment create --assignee $PRINCIPAL_ID --role "Storage Blob Data Contributor" --scope $STORAGE_SCOPE
az role assignment create --assignee $PRINCIPAL_ID --role "Storage Blob Delegator" --scope $STORAGE_SCOPE

Steps

Deploy application to Azure
Upload an image in a chat conversation
Inspect the image URL - should contain User Delegation SAS parameters (skoid=, sktid=, skt=, ske=)
Verify image displays correctly
Check logs for "User delegation key obtained" message
Wait for URL to approach expiry
Verify URL refresh works

Expected Results

✅ Image URL contains User Delegation SAS parameters
✅ Image loads successfully
✅ Logs show delegation key caching
✅ URL refreshes before expiration

Test 3: User Avatar Upload and Refresh

Steps

Go to Settings → Account → Profile Picture
Upload a new avatar image
Verify avatar displays in the UI
Inspect avatar URL - should be signed (when AZURE_STORAGE_PUBLIC_ACCESS=false)
Verify URL does NOT contain ?manual=true suffix
Log out and log back in
Verify avatar URL is refreshed if near expiry

Expected Results

✅ Avatar uploads successfully
✅ Avatar URL is properly signed (no ?manual=true)
✅ Avatar displays correctly
✅ Avatar URL refreshes on user data fetch

Test 4: Agent Avatar Refresh

Steps

Create an agent with a custom avatar
Verify agent avatar displays in agent list
Inspect avatar URL - should be signed
Wait for URL to approach expiry
Refresh agent list
Verify avatar URL is refreshed

Expected Results

✅ Agent avatar is signed
✅ Agent avatar refreshes before expiration

Test 5: Public Access Mode

Setup

AZURE_STORAGE_PUBLIC_ACCESS=true

Steps

Upload an image
Inspect URL - should be plain (no SAS parameters)
Verify image loads

Expected Results

✅ URL has no SAS token
✅ Image loads (container must allow public access)

Test 6: Access Mode Transition (Public → Private)

Steps

With AZURE_STORAGE_PUBLIC_ACCESS=true, upload an image
Note the plain URL
Change to AZURE_STORAGE_PUBLIC_ACCESS=false and restart
Navigate to the conversation with the image
Refresh or wait for refresh cycle

Expected Results

✅ Plain URL is detected as needing signing
✅ URL is updated to signed version
✅ Image continues to display

Test 7: Dynamic Cache Duration

Setup

AZURE_URL_EXPIRY_SECONDS=120  # 2 minutes

Steps

Upload a file
Check server logs for refresh activity
Verify refresh happens within ~1 minute (half of expiry time)

Setup 2

AZURE_URL_EXPIRY_SECONDS=7200  # 2 hours

Steps

Upload a file
Verify refresh check is cached for ~30 minutes (half of expiry, but capped internally)

Expected Results

✅ Short expiry = more frequent refresh checks
✅ Long expiry = less frequent refresh checks

Test 8: Local Development with Azurite

Setup

AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;"
AZURE_STORAGE_PUBLIC_ACCESS=false
AZURE_URL_EXPIRY_SECONDS=300

Steps

Start Azurite (VS Code extension, Docker, or npm)
Start LibreChat
Upload an image
Verify signed URL works with local Azurite

Expected Results

✅ Signed URLs work with Azurite emulator

Test 9: Unit Tests

cd api
npm test -- test/server/services/Files/Azure/crud.test.js

Expected Results

✅ All tests pass
✅ needsRefreshAzure correctly identifies expired URLs
✅ needsRefreshAzure correctly identifies valid URLs
✅ extractBlobPathFromAzureUrl extracts paths correctly

Rollback Plan

If issues occur, revert to public access:

AZURE_STORAGE_PUBLIC_ACCESS=true

Or revert to connection string if Managed Identity issues:

AZURE_STORAGE_CONNECTION_STRING=your-connection-string

…ainer

sidanaabhi · 2026-01-04T11:42:09Z

BUMP

ronniekolk · 2026-01-25T13:35:00Z

@adamfisher Thats very cool and exactly what we are looking for, regarding some Security Risks Wokring with "Public" Azure Blob Storage. Any Timeline Idea on this ?

adamfisher · 2026-01-25T13:48:49Z

I'm not sure when they will get to reviewing this PR. I've brought it up many times on discord in two different channels asking for an ETA. It might help if others are asking about it too on discord.

Copilot

Pull request overview

This PR implements signed URL (SAS token) support for Azure Blob Storage to enable private container access, achieving feature parity with the existing S3 implementation. When AZURE_STORAGE_PUBLIC_ACCESS=false, files are served via time-limited signed URLs that automatically refresh before expiration. The implementation supports two signing methods that are automatically selected based on configuration: Account Key signing (when connection string is set) and User Delegation SAS (when using Managed Identity).

Changes:

Added Azure Blob Storage URL signing with automatic refresh functionality
Implemented dynamic cache duration based on URL expiry time to prevent premature expiration
Fixed avatar URL generation to remove erroneous ?manual=true suffix that broke signed URLs
Integrated Azure URL refresh logic into file routes, user controller, and agent controllers parallel to existing S3 implementation

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 19 comments.

Show a summary per file

File	Description
`api/server/services/Files/Azure/crud.js`	Core implementation: added URL signing, refresh logic, and helper functions for SAS token generation
`api/server/services/Files/Azure/images.js`	Fixed avatar processing to return clean URLs without manual flag suffix
`api/server/routes/files/files.js`	Added Azure file URL refresh support with dynamic cache time calculation
`api/server/controllers/UserController.js`	Integrated Azure avatar URL refresh for user profile pictures
`api/server/controllers/agents/v1.js`	Added Azure avatar refresh for agent avatars in list and detail views
`packages/data-provider/src/config.ts`	Added `AZURE_EXPIRY_INTERVAL` cache key enum
`api/cache/getLogStores.js`	Configured Azure expiry interval cache store with 30-minute TTL
`api/test/server/services/Files/Azure/crud.test.js`	Added unit tests for URL refresh and blob path extraction logic

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

…ainer # Conflicts: # api/server/controllers/agents/v1.js # api/server/services/Files/Azure/crud.js

adamfisher · 2026-02-25T17:59:15Z

danny-avila's CHANGES_REQUESTED (the critical ones):

Helper in dedicated module (files.js route → utils/getFileStrategy.js)
- Moved getFileUrlRefreshCacheTime to api/server/utils/getFileStrategy.js, renamed to getFileURLRefreshCacheTime (consistent URL capitalization), added JSDoc explaining the * 500 half-expiry logic
- Route now imports it; Time import removed from route since it's no longer needed there
- Error log now includes the strategy name for better debugging
Dependency injection pattern (v1.js and UserController.js)
- v1.js: Added urlRefreshersBySource map; getAgentHandler now dispatches via urlRefreshersBySource[source] instead of an if/else chain; getListAgentsHandler now passes refreshAzureUrl to refreshListAvatars and applies the urlCache for all signed sources (not just S3)
- UserController.js: Replaced duplicated if/else S3/Azure blocks with avatarNeedsRefreshBySource and getNewAvatarUrlBySource dispatch maps
packages/api/src/agents/avatars.ts: Added optional refreshAzureUrl param (backward-compatible); filter and refresh logic now handle both S3 and Azure blob sources via the injected functions

Copilot actionable comments:

Redundant dynamic imports (crud.js): BlobSASPermissions, generateBlobSASQueryParameters, StorageSharedKeyCredential removed from the dynamic import() inside getSignedAzureURL — only BlobServiceClient is dynamically imported now
Missing JSDoc: Added complete JSDoc for getUserDelegationKey, getSignedAzureURL, needsRefreshAzure, extractBlobPathFromAzureUrl, getNewAzureURL, refreshAzureFileUrls, and refreshAzureUrl
config.ts: Fixed indentation and capitalization of the AZURE_EXPIRY_INTERVAL comment
Tests: Added test suite for getNewAzureURL (invalid URL and public-access path) and a dedicated needsRefreshAzure public→private transition test

sidanaabhi · 2026-05-03T06:45:01Z

@danny-avila Are we going to merge this?

rahepler2 · 2026-05-04T12:34:23Z

Would love to see this implemented.

adamfisher added 3 commits December 22, 2025 12:34

Adding Azure blob storage private URL signing support with account key

04aed14

Added support for azure blob storage managed identity URL signing files

0a02b29

Merge branch 'main' into new/feature/6704-add-azure-blob-private-cont…

6f90185

…ainer

danny-avila requested a review from Copilot February 25, 2026 14:42

Copilot started reviewing on behalf of danny-avila February 25, 2026 14:43 View session

danny-avila requested changes Feb 25, 2026

View reviewed changes

Comment thread api/server/routes/files/files.js Outdated

Comment thread api/server/services/Files/Azure/crud.js

Comment thread api/server/controllers/agents/v1.js Outdated

Copilot AI reviewed Feb 25, 2026

View reviewed changes

adamfisher added 2 commits February 25, 2026 12:39

Merge branch 'main' into new/feature/6704-add-azure-blob-private-cont…

86f7dd0

…ainer # Conflicts: # api/server/controllers/agents/v1.js # api/server/services/Files/Azure/crud.js

Revisions based on PR comments

b61659e

adamfisher requested a review from danny-avila February 25, 2026 17:59

Uh oh!

Conversation

adamfisher commented Dec 29, 2025

Summary

Features

Files Changed

Core Implementation

Route Integration

Controller Integration

Cache Configuration

Tests

Documentation

Environment Variables

Breaking Changes

Testing Steps

Prerequisites

Test 1: Account Key Signing (Connection String)

Setup

Steps

Expected Results

Test 2: User Delegation SAS (Managed Identity)

Setup

Azure Role Assignments

Steps

Expected Results

Test 3: User Avatar Upload and Refresh

Steps

Expected Results

Test 4: Agent Avatar Refresh

Steps

Expected Results

Test 5: Public Access Mode

Setup

Steps

Expected Results

Test 6: Access Mode Transition (Public → Private)

Steps

Expected Results

Test 7: Dynamic Cache Duration

Setup

Steps

Setup 2

Steps

Expected Results

Test 8: Local Development with Azurite

Setup

Steps

Expected Results

Test 9: Unit Tests

Expected Results

Rollback Plan

Uh oh!

sidanaabhi commented Jan 4, 2026

Uh oh!

ronniekolk commented Jan 25, 2026

Uh oh!

adamfisher commented Jan 25, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

adamfisher commented Feb 25, 2026

Uh oh!

sidanaabhi commented May 3, 2026

Uh oh!