• Stefy Lanza (nextime / spora )'s avatar
    broker: don't require an end-user Bearer token for AISBF-relayed requests · 6e111277
    Stefy Lanza (nextime / spora ) authored
    Broker (AISBF) chat requests were rejected by the engine with 401 "Invalid API
    key" — they're authenticated at the aisbf layer (registration token) and carry no
    end-user Bearer, but the engine's BearerAuthMiddleware still demanded one, so every
    brokered request came back as a constant ~472-byte error and never ran inference.
    
    Fix (token auto-managed, secure):
    - Front marks broker-relayed requests with x-coderai-broker-authed = the internal
      shared token (which the engine already trusts via CODERAI_INTERNAL_TOKEN). Added
      that header to _DROP_REQ so a client-supplied copy is always stripped first —
      unforgeable from outside.
    - Engine BearerAuthMiddleware skips the Bearer check when x-coderai-broker-authed
      matches CODERAI_INTERNAL_TOKEN. This is NOT the plain internal token (which rides
      on every front→engine request, direct included), so DIRECT API requests still
      require a real Bearer token.
    Co-Authored-By: 's avatarClaude Opus 4.8 <noreply@anthropic.com>
    6e111277
Name
Last commit
Last update
..
admin Loading commit data...
api Loading commit data...
backends Loading commit data...
broker Loading commit data...
frontproxy Loading commit data...
models Loading commit data...
openai Loading commit data...
pydantic Loading commit data...
queue Loading commit data...
tasks Loading commit data...
__init__.py Loading commit data...
cli.py Loading commit data...
config.py Loading commit data...
main.py Loading commit data...
platform_paths.py Loading commit data...