broker: don't require an end-user Bearer token for AISBF-relayed requests
Broker (AISBF) chat requests were rejected by the engine with 401 "Invalid API
key" — they're authenticated at the aisbf layer (registration token) and carry no
end-user Bearer, but the engine's BearerAuthMiddleware still demanded one, so every
brokered request came back as a constant ~472-byte error and never ran inference.
Fix (token auto-managed, secure):
- Front marks broker-relayed requests with x-coderai-broker-authed = the internal
shared token (which the engine already trusts via CODERAI_INTERNAL_TOKEN). Added
that header to _DROP_REQ so a client-supplied copy is always stripped first —
unforgeable from outside.
- Engine BearerAuthMiddleware skips the Bearer check when x-coderai-broker-authed
matches CODERAI_INTERNAL_TOKEN. This is NOT the plain internal token (which rides
on every front→engine request, direct included), so DIRECT API requests still
require a real Bearer token.
Co-Authored-By:
Claude Opus 4.8 <noreply@anthropic.com>
Showing
Please
register
or
sign in
to comment