这是indexloc提供的服务,不要输入任何密码
Skip to content

[Enhancement]: Temporary Downloadable File Links for MCP Integration [#8060] #8301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 14 commits into
base: main
Choose a base branch
from
Draft

[Enhancement]: Temporary Downloadable File Links for MCP Integration [#8060] #8301

wants to merge 14 commits into from
+10,302 −50

Conversation

icariantk
Copy link

@icariantk icariantk commented Jul 7, 2025
edited
Loading

Summary

Allow uploaded files in LibreChat to generate temporary download links so external tools such as MCP server can retrieve the files via a secure HTTP request.

LIBRECHAT_CHAT_URL_FILE_Implementation_Analysis.md

Change Type

Please delete any irrelevant options.

  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

Testing

Used both implementation, URL generation in message and headers in the HTTP Stream MCP

Test Configuration:

librechat.yaml:

mcpServers:
  mcprag:
    type: streamable-http
    url: "http://127.0.0.1:8000/mcp/"
    timeout: 1800000
    customUserVars:
      token_id:
        title: "Token Identification"
        description: "Enter your personal Identification Token (use ABC for testing)"
    headers:
      X-User-ID: "{{LIBRECHAT_USER_ID}}"
      x-Thread-ID: "0"
      x-Token-ID: "{{token_id}}"
      X-File-URL: "{{LIBRECHAT_CHAT_URL_FILE}}"

.env:

# ===========================================
# LibreChat Temporary Downloads Configuration
# ===========================================
# This file contains environment variables for the temporary downloadable files feature.
# Copy this file to your main .env file and adjust values as needed.

# ===========================================
# Core Download Settings
# ===========================================

# Secret key for signing download tokens (REQUIRED)
# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
# SECURITY: Use different keys for each environment and store securely
TEMP_DOWNLOAD_SECRET_KEY=your-256-bit-secret-key-here

# Default TTL for download tokens in seconds (default: 600 = 10 minutes)
# Range: 60 (1 minute) to 86400 (24 hours)
TEMP_DOWNLOAD_DEFAULT_TTL=600

# Maximum allowed TTL for download tokens in seconds (default: 3600 = 1 hour)
# This prevents users from creating tokens with excessive lifetimes
TEMP_DOWNLOAD_MAX_TTL=3600

# Minimum allowed TTL for download tokens in seconds (default: 60 = 1 minute)
TEMP_DOWNLOAD_MIN_TTL=60

# Enable/disable the temporary downloads feature globally (default: true)
TEMP_DOWNLOAD_ENABLED=true

# ===========================================
# Rate Limiting Configuration
# ===========================================

# Rate limiting window in seconds (default: 3600 = 1 hour)
TEMP_DOWNLOAD_RATE_WINDOW=3600

# Maximum download requests per IP per window (default: 100)
TEMP_DOWNLOAD_RATE_LIMIT_IP=100

# Maximum download requests per user per window (default: 50)
TEMP_DOWNLOAD_RATE_LIMIT_USER=50

# Maximum download requests per file per window (default: 10)
TEMP_DOWNLOAD_RATE_LIMIT_FILE=10

# Global maximum download requests per window (default: 1000)
TEMP_DOWNLOAD_RATE_LIMIT_GLOBAL=1000

# ===========================================
# Security Settings
# ===========================================

# IP whitelist for download access (comma-separated, optional)
# Supports single IPs, CIDR notation, and IP ranges
# Example: 192.168.1.100,10.0.0.0/8,172.16.1.1-172.16.1.100
# Leave empty to allow all IPs
TEMP_DOWNLOAD_ALLOWED_IPS=

# Enable IP whitelist enforcement (default: false)
TEMP_DOWNLOAD_ENFORCE_IP_WHITELIST=false

# Maximum file size for temporary downloads in bytes (default: 100MB)
TEMP_DOWNLOAD_MAX_FILE_SIZE=104857600

# Allowed file types for temporary downloads (comma-separated, optional)
# Example: pdf,doc,docx,txt,jpg,png
# Leave empty to allow all file types
TEMP_DOWNLOAD_ALLOWED_TYPES=

# ===========================================
# MCP Integration Settings
# ===========================================

# Enable MCP integration for temporary downloads (default: true)
TEMP_DOWNLOAD_MCP_ENABLED=true

# Default TTL for MCP client downloads in seconds (default: 900 = 15 minutes)
TEMP_DOWNLOAD_MCP_DEFAULT_TTL=900

# Maximum TTL for MCP client downloads in seconds (default: 1800 = 30 minutes)
TEMP_DOWNLOAD_MCP_MAX_TTL=1800

# MCP client rate limit per hour (default: 200)
TEMP_DOWNLOAD_MCP_RATE_LIMIT=200

# ===========================================
# Cleanup and Maintenance
# ===========================================

# Cleanup interval for expired tokens in seconds (default: 300 = 5 minutes)
TEMP_DOWNLOAD_CLEANUP_INTERVAL=300

# Audit log retention period in seconds (default: 7776000 = 90 days)
TEMP_DOWNLOAD_AUDIT_RETENTION=7776000

# Rate limit data retention period in seconds (default: 86400 = 24 hours)
TEMP_DOWNLOAD_RATE_LIMIT_RETENTION=86400

# Enable automatic cleanup of expired data (default: true)
TEMP_DOWNLOAD_AUTO_CLEANUP=true

# ===========================================
# Monitoring and Logging
# ===========================================

# Enable detailed download logging (default: true)
TEMP_DOWNLOAD_DETAILED_LOGGING=true

# Log download attempts (success and failure) (default: true)
TEMP_DOWNLOAD_LOG_ATTEMPTS=true

# Log security events (rate limiting, invalid tokens, etc.) (default: true)
TEMP_DOWNLOAD_LOG_SECURITY_EVENTS=true

# Enable performance metrics collection (default: false)
TEMP_DOWNLOAD_METRICS_ENABLED=false

# ===========================================
# Redis Configuration (Optional)
# ===========================================

# Redis URL for caching and distributed rate limiting (optional)
# If not provided, will use in-memory storage
# Example: redis://localhost:6379
TEMP_DOWNLOAD_REDIS_URL=

# Redis key prefix for download-related data (default: librechat:downloads:)
TEMP_DOWNLOAD_REDIS_PREFIX=librechat:downloads:

# Redis connection timeout in milliseconds (default: 5000)
TEMP_DOWNLOAD_REDIS_TIMEOUT=5000

# ===========================================
# Development Settings
# ===========================================

# Enable debug mode for additional logging (default: false)
TEMP_DOWNLOAD_DEBUG=false

# Bypass rate limiting in development (default: false)
# WARNING: Never enable this in production
TEMP_DOWNLOAD_DEV_BYPASS_RATE_LIMIT=false

# Allow insecure tokens in development (default: false)
# WARNING: Never enable this in production
TEMP_DOWNLOAD_DEV_ALLOW_INSECURE=false

# ===========================================
# Integration with Existing LibreChat Settings
# ===========================================

# These settings integrate with existing LibreChat configuration:
# - MONGO_URI: Used for database connection
# - REDIS_URL: Used as fallback if TEMP_DOWNLOAD_REDIS_URL not set
# - NODE_ENV: Affects default security settings
# - DEBUG_LOGGING: Affects download logging verbosity

# ===========================================
# Production Recommendations
# ===========================================

# For production environments, consider these settings:
# - Use a strong, unique TEMP_DOWNLOAD_SECRET_KEY
# - Set conservative rate limits based on your usage patterns
# - Enable IP whitelisting if you have known client IPs
# - Set appropriate file size and type restrictions
# - Enable Redis for better performance and distributed rate limiting
# - Set TEMP_DOWNLOAD_DEBUG=false
# - Monitor logs for security events and performance issues

# ===========================================
# Security Notes
# ===========================================

# 1. The secret key should be at least 256 bits (32 bytes) long
# 2. Use different secret keys for different environments
# 3. Rotate secret keys periodically (quarterly recommended)
# 4. Monitor rate limiting logs for potential abuse
# 5. Consider implementing additional security measures for sensitive files
# 6. Regularly review and update IP whitelists
# 7. Monitor file download patterns for anomalies

Checklist

Please delete any irrelevant options.

  • [ X ] My code adheres to this project's style guidelines
  • [ X ] I have performed a self-review of my own code
  • [ X ] I have commented in any complex areas of my code
  • [ ? ] My changes do not introduce new warnings
  • [ X ] Local unit tests pass with my changes

** NOTES **
Newest commits coudnt merge, used the last release LibreChat v0.7.9-rc1 for merging and it works.
If this is a "NO GO" just discard it immediatly, no problem at all.

@danny-avila danny-avila marked this pull request as draft July 7, 2025 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@icariantk @RicardoOM-AC