-
Notifications
You must be signed in to change notification settings - Fork 7
feat(llm): apikey_header auth scheme for Kong AI Gateway key-auth #303
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| package providers | ||
|
|
||
| import ( | ||
| "net/http" | ||
| "strings" | ||
|
|
||
| "github.com/initializ/forge/forge-core/llm" | ||
| ) | ||
|
|
||
| // setGatewayAPIKeyHeader implements the "apikey_header" outbound auth | ||
| // scheme (issue #302). When selected it sends the API key in a gateway | ||
| // header IN ADDITION TO the provider-native header, so an API gateway | ||
| // whose auth plugin reads a fixed header — e.g. Kong AI Gateway's | ||
| // key-auth, which reads `apikey` and ignores Authorization / x-api-key — | ||
| // authenticates the request while the upstream provider still receives | ||
| // (or has Kong inject) its native header. | ||
| // | ||
| // The header name defaults to llm.DefaultAPIKeyHeaderName ("apikey") and | ||
| // is overridable via ModelRef.auth_header_name for gateways with custom | ||
| // key_names. No-op for every other scheme, and when apiKey is empty. | ||
| func setGatewayAPIKeyHeader(req *http.Request, authScheme, headerName, apiKey string) { | ||
| if authScheme != llm.AuthSchemeAPIKeyHeader || apiKey == "" { | ||
| return | ||
| } | ||
| if headerName == "" { | ||
| headerName = llm.DefaultAPIKeyHeaderName | ||
| } | ||
| // Defense-in-depth: never clobber a native auth header with the raw key. | ||
| // `forge validate` rejects such a config, but guard the programmatic | ||
| // path too so a misconfigured ClientConfig can't silently overwrite the | ||
| // provider's Bearer / x-api-key (#303 review). | ||
| switch strings.ToLower(headerName) { | ||
| case "authorization", "x-api-key": | ||
| return | ||
| } | ||
| req.Header.Set(headerName, apiKey) | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Minor (security): guard against This runs AFTER the provider's native header set and uses |
||
| } | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor (docs): worth one sentence on upstream key transit — Kong
key-authdefaults tohide_credentials: false, meaning the gateway forwards theapikeyheader upstream, so the credential transits in a header conventional redaction tooling (which knowsAuthorization/x-api-key) won't scrub. Recommendhide_credentials: trueon the Kong plugin here. (Forge's own tracing redactor matches key values by shape, so opt-in content capture is already covered.)