-
Notifications
You must be signed in to change notification settings - Fork 59.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Compatible for getting auth token from client #5904
base: main
Are you sure you want to change the base?
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
@timqi is attempting to deploy a commit to the NextChat Team on Vercel. A member of the Team first needs to authorize it. |
WalkthroughThe changes in this pull request involve updates to the Changes
Possibly related PRs
Suggested reviewers
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 2
🧹 Outside diff range and nitpick comments (3)
app/api/anthropic.ts (3)
63-63
: Move header name to constantsThe 'x-api-key' header name is hardcoded. Consider moving it to the Anthropic constants for better maintainability and consistency.
+ // In app/constant.ts + export const Anthropic = { + // ... existing constants + AuthHeader: "x-api-key" as const, + }; - let authHeaderName = "x-api-key"; + let authHeaderName = Anthropic.AuthHeader;
Line range hint
107-108
: Consider using consistent header name in request headersThe code uses the dynamic
authHeaderName
for setting the header but hardcodes 'anthropic-version' in the next line. Consider using constants for all Anthropic-specific headers.+ // In app/constant.ts + export const Anthropic = { + // ... existing constants + VersionHeader: "anthropic-version" as const, + }; - [authHeaderName]: authValue, - "anthropic-version": + [Anthropic.AuthHeader]: authValue, + [Anthropic.VersionHeader]:
Line range hint
121-149
: Improve error handling for model validationThe model validation code has several issues:
- It swallows all parsing errors silently
- The cloned request body is used even when parsing fails
- The type assertion for ServiceProvider could be made safer
if (serverConfig.customModels && req.body) { + let parsedBody: { model?: string } | null = null; try { const clonedBody = await req.text(); - fetchOptions.body = clonedBody; - - const jsonBody = JSON.parse(clonedBody) as { model?: string }; + parsedBody = JSON.parse(clonedBody); + fetchOptions.body = clonedBody; } catch (e) { - console.error(`[Anthropic] filter`, e); + console.error(`[Anthropic] Failed to parse request body:`, e); + return NextResponse.json( + { error: true, message: 'Invalid request body' }, + { status: 400 } + ); } - // not undefined and is false - if ( + if (parsedBody && isModelAvailableInServer( serverConfig.customModels, - jsonBody?.model as string, - ServiceProvider.Anthropic as string, + parsedBody.model ?? '', + ServiceProvider.Anthropic, ) ) {
const authToken = | ||
req.headers.get("Authorization") ?? req.headers.get("x-api-key") ?? ""; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider reversing the header precedence order
The current implementation prioritizes the 'Authorization' header over 'x-api-key'. While this maintains backward compatibility, it could potentially allow an attacker to bypass intended 'x-api-key' authentication by providing an 'Authorization' header. Consider reversing the order if 'x-api-key' should take precedence for certain clients (e.g., Anthropic services).
- const authToken =
- req.headers.get("Authorization") ?? req.headers.get("x-api-key") ?? "";
+ const authToken =
+ req.headers.get("x-api-key") ?? req.headers.get("Authorization") ?? "";
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
const authToken = | |
req.headers.get("Authorization") ?? req.headers.get("x-api-key") ?? ""; | |
const authToken = | |
req.headers.get("x-api-key") ?? req.headers.get("Authorization") ?? ""; |
let authValue = | ||
req.headers.get(authHeaderName) || | ||
req.headers.get("Authorization")?.replaceAll("Bearer ", "").trim() || | ||
req.headers.get(authHeaderName) || | ||
serverConfig.anthropicApiKey || |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Align authentication header precedence with auth.ts
The authentication header precedence here differs from auth.ts, which could lead to inconsistent behavior. Additionally, the Bearer token stripping is only applied to the 'Authorization' header, not to 'x-api-key'.
- let authValue =
- req.headers.get("Authorization")?.replaceAll("Bearer ", "").trim() ||
- req.headers.get(authHeaderName) ||
- serverConfig.anthropicApiKey ||
- "";
+ const stripBearer = (token: string | null) =>
+ token?.replaceAll("Bearer ", "").trim() ?? null;
+ let authValue =
+ stripBearer(req.headers.get(authHeaderName)) ??
+ stripBearer(req.headers.get("Authorization")) ??
+ serverConfig.anthropicApiKey ??
+ "";
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
let authValue = | |
req.headers.get(authHeaderName) || | |
req.headers.get("Authorization")?.replaceAll("Bearer ", "").trim() || | |
req.headers.get(authHeaderName) || | |
serverConfig.anthropicApiKey || | |
const stripBearer = (token: string | null) => | |
token?.replaceAll("Bearer ", "").trim() ?? null; | |
let authValue = | |
stripBearer(req.headers.get(authHeaderName)) ?? | |
stripBearer(req.headers.get("Authorization")) ?? | |
serverConfig.anthropicApiKey ?? | |
""; |
💻 变更类型 | Change Type
🔀 变更说明 | Description of Change
注意到一些客户端尤其是 anthropic 相关的,使用
x-api-key
头来传递服务的 auth token,所以做此修改用来兼容这一种情况Summary by CodeRabbit
New Features
Bug Fixes
Documentation