[Enhancement]: Azure Blob Storage private container support

[anttip1]

What features would you like to see added?

I'd like LibreChat to support a private access mode for Azure Blob Storage containers. Currently, files stored in Azure Blob Storage need to be public and are accessed via direct URLs. This feature would add an option to store files in private containers and serve them through an authenticated proxy endpoint, improving security.

More details

The implementation would need to:

1. Add a proxy endpoint ( e.g. /api/files/proxy/azure/:user_id/:filename) that would authenticate requests before serving files from private containers.
2. Use the existing environment variable AZURE_STORAGE_PUBLIC_ACCESS to indicate "private mode"
   • When set to "true" (default): File URLs are the public blob storage URLs as they are now
   • When set to "false": File URLs are proxy URLs
3. Modify these azure blob file operations to accommodate the private mode:
   • saveBufferToAzure, streamFileToAzure, and getAzureURL now return proxy URLs when in private mode.
   • getAzureFileStream converts proxy URL to Azure Blob URL before downloading in private mode
   • deleteFileFromAzure converts the proxy URL to Azure Blob URL before deletion

The proxy endpoint authentication could work like this:

• Extract the user's JWT refresh token from cookies and verify it against the JWT_REFRESH_SECRET.
• Compare the user ID in the token with the user ID in the URL path
• Query the database to verify the requested file belongs to the authenticated user
• Reject the request if any authorization check fails with appropriate status codes (401, 403, 404)

Which components are impacted by your request?

Other

Pictures

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

I've thought about this, and it adds some complexity to the project. You would need to make it "provider-agnostic" at least with the route definition and go from there with dependency injection in mind.

I think it would be better as an adapter to the existing methods when creating the URL, and even better as an addition to that, best served as an independent API external to LibreChat, as proxying externally is preferable and gives you the maximum amount of customization for your use case, and necessary code changes to LibreChat would be minimal in this regard.

This won't be on my radar to tackle for a while but PR's are always welcome.

[jerbob92]

@danny-avila would it be an idea to use signed URLs for this for now? This would probably make it way easier to implement (probably can just implement it here.

This will allow people to access the files directly using the Azure URL, without the need of a proxy, but with security.

[ion-elgreco]

Presigned urls is the way to go for this, and is much more simpler