• Stefy Lanza (nextime / spora )'s avatar
    broker: don't require an end-user Bearer token for AISBF-relayed requests · 6e111277
    Stefy Lanza (nextime / spora ) authored
    Broker (AISBF) chat requests were rejected by the engine with 401 "Invalid API
    key" — they're authenticated at the aisbf layer (registration token) and carry no
    end-user Bearer, but the engine's BearerAuthMiddleware still demanded one, so every
    brokered request came back as a constant ~472-byte error and never ran inference.
    
    Fix (token auto-managed, secure):
    - Front marks broker-relayed requests with x-coderai-broker-authed = the internal
      shared token (which the engine already trusts via CODERAI_INTERNAL_TOKEN). Added
      that header to _DROP_REQ so a client-supplied copy is always stripped first —
      unforgeable from outside.
    - Engine BearerAuthMiddleware skips the Bearer check when x-coderai-broker-authed
      matches CODERAI_INTERNAL_TOKEN. This is NOT the plain internal token (which rides
      on every front→engine request, direct included), so DIRECT API requests still
      require a real Bearer token.
    Co-Authored-By: 's avatarClaude Opus 4.8 <noreply@anthropic.com>
    6e111277
ratelimit.py 8.16 KB