Add API key authentication for proxy endpoints.
Support multiple API keys from config, env, and CLI, enforce auth on non-public endpoints, and pass keys through remote deploy verification. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
GitHub Actions
@@ -126,7 +126,7 @@ func NewServer(addr string, svc *service.Service) *Server {
|
||||
|
||||
s.http = &http.Server{
|
||||
Addr: addr,
|
||||
Handler: s.withRecorder(withCORS(mux)),
|
||||
Handler: s.withRecorder(withCORS(s.withAuth(mux))),
|
||||
ReadHeaderTimeout: 10 * time.Second,
|
||||
}
|
||||
return s
|
||||
@@ -1686,6 +1686,65 @@ func writeOpenAIError(w http.ResponseWriter, status int, kind string, message st
|
||||
})
|
||||
}
|
||||
|
||||
func isPublicPath(path string) bool {
|
||||
switch path {
|
||||
case "/", "/health", "/runtime/status", "/v1/runtime/status":
|
||||
return true
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
func isAnthropicPath(path string) bool {
|
||||
switch path {
|
||||
case "/v1/messages", "/v1/messages/count_tokens":
|
||||
return true
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
func extractAPIKey(r *http.Request) string {
|
||||
if value := strings.TrimSpace(r.Header.Get("x-api-key")); value != "" {
|
||||
return value
|
||||
}
|
||||
auth := strings.TrimSpace(r.Header.Get("Authorization"))
|
||||
if auth == "" {
|
||||
return ""
|
||||
}
|
||||
parts := strings.SplitN(auth, " ", 2)
|
||||
if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
|
||||
return ""
|
||||
}
|
||||
return strings.TrimSpace(parts[1])
|
||||
}
|
||||
|
||||
func (s *Server) withAuth(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if isPublicPath(r.URL.Path) {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
keys := s.svc.APIKeys()
|
||||
if len(keys) == 0 {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
provided := extractAPIKey(r)
|
||||
for _, key := range keys {
|
||||
if provided == key {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
}
|
||||
if isAnthropicPath(r.URL.Path) {
|
||||
writeAnthropicError(w, http.StatusUnauthorized, "authentication_error", "invalid or missing API key")
|
||||
return
|
||||
}
|
||||
writeOpenAIError(w, http.StatusUnauthorized, "authentication_error", "invalid or missing API key")
|
||||
})
|
||||
}
|
||||
|
||||
func streamingHeaders(w http.ResponseWriter) {
|
||||
w.Header().Set("Content-Type", "text/event-stream")
|
||||
w.Header().Set("Cache-Control", "no-cache")
|
||||
|
||||
@@ -81,6 +81,83 @@ func TestCapabilitiesAdvertiseAgentCompatibility(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthAllowsPublicHealthWithoutAPIKey(t *testing.T) {
|
||||
server := NewServer("", service.New(service.Config{
|
||||
Model: "Qwen3-Coder",
|
||||
Timeout: time.Second,
|
||||
APIKeys: []string{"key-1", "key-2"},
|
||||
}))
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/health", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
server.http.Handler.ServeHTTP(rec, req)
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Fatalf("status = %d body = %s", rec.Code, rec.Body.String())
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthRejectsProtectedEndpointWithoutAPIKey(t *testing.T) {
|
||||
server := NewServer("", service.New(service.Config{
|
||||
Model: "Qwen3-Coder",
|
||||
Timeout: time.Second,
|
||||
APIKeys: []string{"key-1", "key-2"},
|
||||
}))
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/capabilities", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
server.http.Handler.ServeHTTP(rec, req)
|
||||
if rec.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("status = %d body = %s", rec.Code, rec.Body.String())
|
||||
}
|
||||
if !strings.Contains(rec.Body.String(), "authentication_error") {
|
||||
t.Fatalf("body = %s", rec.Body.String())
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthAcceptsBearerAndXAPIKey(t *testing.T) {
|
||||
server := NewServer("", service.New(service.Config{
|
||||
Model: "Qwen3-Coder",
|
||||
Timeout: time.Second,
|
||||
APIKeys: []string{"key-1", "key-2"},
|
||||
}))
|
||||
|
||||
bearerReq := httptest.NewRequest(http.MethodGet, "/capabilities", nil)
|
||||
bearerReq.Header.Set("Authorization", "Bearer key-2")
|
||||
bearerRec := httptest.NewRecorder()
|
||||
server.http.Handler.ServeHTTP(bearerRec, bearerReq)
|
||||
if bearerRec.Code != http.StatusOK {
|
||||
t.Fatalf("bearer status = %d body = %s", bearerRec.Code, bearerRec.Body.String())
|
||||
}
|
||||
|
||||
xReq := httptest.NewRequest(http.MethodGet, "/capabilities", nil)
|
||||
xReq.Header.Set("x-api-key", "key-1")
|
||||
xRec := httptest.NewRecorder()
|
||||
server.http.Handler.ServeHTTP(xRec, xReq)
|
||||
if xRec.Code != http.StatusOK {
|
||||
t.Fatalf("x-api-key status = %d body = %s", xRec.Code, xRec.Body.String())
|
||||
}
|
||||
}
|
||||
|
||||
func TestAnthropicAuthErrorShape(t *testing.T) {
|
||||
server := NewServer("", service.New(service.Config{
|
||||
Model: "Qwen3-Coder",
|
||||
Timeout: time.Second,
|
||||
APIKeys: []string{"key-1"},
|
||||
}))
|
||||
|
||||
req := httptest.NewRequest(http.MethodPost, "/v1/messages", strings.NewReader(`{"model":"kmodel","messages":[{"role":"user","content":"hello"}],"max_tokens":16}`))
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
rec := httptest.NewRecorder()
|
||||
server.http.Handler.ServeHTTP(rec, req)
|
||||
if rec.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("status = %d body = %s", rec.Code, rec.Body.String())
|
||||
}
|
||||
if !strings.Contains(rec.Body.String(), `"type":"error"`) {
|
||||
t.Fatalf("body = %s", rec.Body.String())
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
func TestNormalizeOpenAIRequestRejectsMissingUserAndAssistantMessages(t *testing.T) {
|
||||
req := openAIChatRequest{
|
||||
Model: "test-model",
|
||||
|
||||
Reference in New Issue
Block a user