From 4e43b19d4e144e2852c63f5743cc8872a829fd58 Mon Sep 17 00:00:00 2001
From: Narendranath Gogineni <narenrockstar1@gmail.com>
Date: Tue, 19 May 2026 16:17:31 +0530
Subject: [PATCH 1/5] add auth validation for public routes

---
 CLAUDE.md                          |   3 +
 conf.example.json                  |   1 +
 conf.json                          |   3 +-
 src/middlewares/adminAuth/index.ts | 161 ++++++++++++++++++++++++
 src/public/index.html              | 188 ++++++++++++++++++++++++++++-
 src/start-server.ts                |   9 +-
 6 files changed, 359 insertions(+), 6 deletions(-)
 create mode 100644 src/middlewares/adminAuth/index.ts

diff --git a/CLAUDE.md b/CLAUDE.md
index 9d16a34fc..c9346bfe1 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -48,6 +48,7 @@ This is the **Portkey AI Gateway** - a fast, reliable AI gateway that routes req
 - `hooks` - Pre/post request hooks
 - `memoryCache` - Response caching
 - `logger` - Request/response logging
+- `adminAuth` - Node-only local UI session auth for `/public/*` login endpoints and `/log/stream`
 - `portkey` - Core Portkey-specific middleware for routing, guardrails, etc.
 
 **Plugin System (`plugins/`)**
@@ -89,4 +90,6 @@ Tests are organized by component:
 
 The gateway uses `conf.json` for runtime configuration. Sample config available in `conf_sample.json`.
 
+For local UI hardening, set `admin_token` in `conf.json`. The `/public` UI uses this token to establish an in-memory admin session, and `/log/stream` requires that session.
+
 Key environment variables and configuration handled through Hono's adapter system for multi-environment deployment.
\ No newline at end of file
diff --git a/conf.example.json b/conf.example.json
index e4c72f33a..865c8113a 100644
--- a/conf.example.json
+++ b/conf.example.json
@@ -1,4 +1,5 @@
 {
+  "admin_token": "set-a-strong-local-admin-token",
   "plugins_enabled": [
     "default",
     "portkey",
diff --git a/conf.json b/conf.json
index 940c8bdd6..75aa9b680 100644
--- a/conf.json
+++ b/conf.json
@@ -17,5 +17,6 @@
       "apiKey": "..."
     }
   },
-  "cache": false
+  "cache": false,
+  "admin_token": "test-token"
 }
diff --git a/src/middlewares/adminAuth/index.ts b/src/middlewares/adminAuth/index.ts
new file mode 100644
index 000000000..8855b79f2
--- /dev/null
+++ b/src/middlewares/adminAuth/index.ts
@@ -0,0 +1,161 @@
+import { Context, Next } from 'hono';
+import conf from '../../../conf.json';
+
+const SESSION_COOKIE_NAME = 'portkey_admin_session';
+const SESSION_MAX_AGE_SECONDS = 60 * 60 * 12; // 12 hours
+const adminSessions = new Map<string, number>();
+
+const getConfiguredAdminToken = (): string => {
+  const adminToken = conf?.admin_token;
+  if (
+    !adminToken ||
+    typeof adminToken !== 'string' ||
+    adminToken.trim() === ''
+  ) {
+    throw new Error(
+      'Admin UI auth requires conf.json.admin_token. Set admin_token or start the gateway with --headless.'
+    );
+  }
+  return adminToken;
+};
+
+const parseCookies = (cookieHeader?: string): Record<string, string> => {
+  if (!cookieHeader) return {};
+
+  return cookieHeader.split(';').reduce(
+    (acc, cookiePart) => {
+      const [rawKey, ...valueParts] = cookiePart.trim().split('=');
+      if (!rawKey) return acc;
+      acc[rawKey] = decodeURIComponent(valueParts.join('='));
+      return acc;
+    },
+    {} as Record<string, string>
+  );
+};
+
+const getSessionId = (c: Context): string | undefined => {
+  const cookies = parseCookies(c.req.header('cookie'));
+  return cookies[SESSION_COOKIE_NAME];
+};
+
+const getBearerToken = (c: Context): string | undefined => {
+  const authHeader = c.req.header('authorization');
+  if (!authHeader) return undefined;
+
+  const [scheme, token] = authHeader.trim().split(/\s+/, 2);
+  if (!scheme || !token) return undefined;
+  if (scheme.toLowerCase() !== 'bearer') return undefined;
+
+  return token;
+};
+
+const isSessionActive = (sessionId?: string): boolean => {
+  if (!sessionId) return false;
+
+  const expiresAt = adminSessions.get(sessionId);
+  if (!expiresAt) return false;
+
+  if (expiresAt < Date.now()) {
+    adminSessions.delete(sessionId);
+    return false;
+  }
+
+  return true;
+};
+
+const createSession = (): string => {
+  const sessionId = crypto.randomUUID();
+  const expiresAt = Date.now() + SESSION_MAX_AGE_SECONDS * 1000;
+  adminSessions.set(sessionId, expiresAt);
+  return sessionId;
+};
+
+const setSessionCookie = (c: Context, sessionId: string) => {
+  c.header(
+    'Set-Cookie',
+    `${SESSION_COOKIE_NAME}=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; SameSite=Strict; Max-Age=${SESSION_MAX_AGE_SECONDS}`
+  );
+};
+
+export const adminAuthMiddleware = async (c: Context, next: Next) => {
+  let configuredToken: string;
+  try {
+    configuredToken = getConfiguredAdminToken();
+  } catch (error) {
+    const message =
+      error instanceof Error
+        ? error.message
+        : 'Admin UI auth is misconfigured.';
+    return c.json({ status: 'failure', message }, 500);
+  }
+
+  const hasValidSession = isSessionActive(getSessionId(c));
+  const hasValidBearerToken = getBearerToken(c) === configuredToken;
+
+  if (!hasValidSession && !hasValidBearerToken) {
+    return c.json(
+      {
+        status: 'failure',
+        message:
+          'Admin authentication required. Use a valid admin session cookie or Authorization: Bearer <admin_token>.',
+      },
+      401
+    );
+  }
+
+  await next();
+};
+
+export const adminAuthSessionStatusHandler = (c: Context) => {
+  try {
+    getConfiguredAdminToken();
+  } catch (error) {
+    const message =
+      error instanceof Error
+        ? error.message
+        : 'Admin UI auth is misconfigured.';
+    return c.json({ status: 'failure', message }, 500);
+  }
+
+  return c.json({ authenticated: isSessionActive(getSessionId(c)) });
+};
+
+export const adminAuthLoginHandler = async (c: Context) => {
+  let configuredToken: string;
+  try {
+    configuredToken = getConfiguredAdminToken();
+  } catch (error) {
+    const message =
+      error instanceof Error
+        ? error.message
+        : 'Admin UI auth is misconfigured.';
+    return c.json({ status: 'failure', message }, 500);
+  }
+
+  let body: { admin_token?: string } = {};
+  try {
+    body = await c.req.json();
+  } catch {
+    return c.json(
+      {
+        status: 'failure',
+        message: 'Invalid request body. Expected JSON with admin_token.',
+      },
+      400
+    );
+  }
+
+  if (!body.admin_token || body.admin_token !== configuredToken) {
+    return c.json(
+      {
+        status: 'failure',
+        message: 'Invalid admin token.',
+      },
+      401
+    );
+  }
+
+  const sessionId = createSession();
+  setSessionCookie(c, sessionId);
+  return c.json({ authenticated: true });
+};
diff --git a/src/public/index.html b/src/public/index.html
index 9bd7e77e2..014ff42b1 100644
--- a/src/public/index.html
+++ b/src/public/index.html
@@ -851,6 +851,54 @@
       border-bottom-color: #3b82f6;
       font-weight: bold;
     }
+
+    body.admin-auth-pending header,
+    body.admin-auth-pending .main-content {
+      display: none;
+    }
+
+    .admin-auth-modal {
+      position: fixed;
+      inset: 0;
+      z-index: 3000;
+      display: none;
+      align-items: center;
+      justify-content: center;
+      background-color: rgba(0, 0, 0, 0.6);
+      padding: 1rem;
+    }
+
+    body.admin-auth-pending .admin-auth-modal {
+      display: flex;
+    }
+
+    .admin-auth-card {
+      width: 100%;
+      max-width: 420px;
+      background: white;
+      border-radius: 0.75rem;
+      padding: 1.25rem;
+      box-shadow: 0 12px 32px rgba(0, 0, 0, 0.25);
+    }
+
+    .admin-auth-title {
+      margin: 0 0 0.4rem;
+      font-size: 1.2rem;
+      font-weight: 700;
+    }
+
+    .admin-auth-subtitle {
+      margin: 0 0 0.9rem;
+      font-size: 0.875rem;
+      color: #6b7280;
+    }
+
+    .admin-auth-error {
+      margin-top: 0.6rem;
+      color: #dc2626;
+      font-size: 0.8rem;
+      min-height: 1.1rem;
+    }
   </style>
 
   <!-- Google Tag Manager -->
@@ -867,11 +915,29 @@
   <script src="https://cdn.jsdelivr.net/npm/canvas-confetti@1.9.3/dist/confetti.browser.min.js"></script>
 </head>
 
-<body>
+<body class="admin-auth-pending">
   <!-- Google Tag Manager (noscript) -->
 <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KX3PMNVR"
   height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
   <!-- End Google Tag Manager (noscript) -->
+  <div class="admin-auth-modal" id="adminAuthModal">
+    <div class="admin-auth-card">
+      <h2 class="admin-auth-title">Admin token required</h2>
+      <p class="admin-auth-subtitle">Enter your <code>admin_token</code> stored in <code>conf.json</code> to access the local gateway UI. see <a href="https://github.com/Portkey-AI/gateway/discussions/1656">github discussion</a> for more details.</p>
+      <form id="adminAuthForm">
+        <input
+          id="adminAuthTokenInput"
+          class="input"
+          type="password"
+          placeholder="Enter admin token"
+          autocomplete="off"
+          required
+        />
+        <button type="submit" class="btn">Unlock UI</button>
+      </form>
+      <div class="admin-auth-error" id="adminAuthError"></div>
+    </div>
+  </div>
   <header>
     <div class="container">
       <div class="logo">
@@ -1624,6 +1690,88 @@ <h3>Enter API Key</h3>
       const saveApiDetailsBtn = document.getElementById('saveApiDetailsBtn');
       const languageSelect = document.getElementById('languageSelect');
       const copyConfigBtn = document.getElementById('copyConfigBtn');
+      const adminAuthModal = document.getElementById('adminAuthModal');
+      const adminAuthForm = document.getElementById('adminAuthForm');
+      const adminAuthTokenInput = document.getElementById('adminAuthTokenInput');
+      const adminAuthError = document.getElementById('adminAuthError');
+
+      let isAdminAuthenticated = false;
+      let hasStartedLogSource = false;
+
+      function setAdminAuthError(message = '') {
+        adminAuthError.textContent = message;
+      }
+
+      function lockUi() {
+        document.body.classList.add('admin-auth-pending');
+      }
+
+      function unlockUi() {
+        document.body.classList.remove('admin-auth-pending');
+      }
+
+      async function checkAdminSession() {
+        try {
+          const response = await fetch('/public/auth/session', {
+            credentials: 'same-origin',
+          });
+
+          if (!response.ok) {
+            const payload = await response.json();
+            setAdminAuthError(payload.message || 'Unable to validate admin session.');
+            lockUi();
+            return false;
+          }
+
+          const payload = await response.json();
+          return Boolean(payload.authenticated);
+        } catch (error) {
+          setAdminAuthError('Unable to connect to gateway auth endpoint.');
+          lockUi();
+          return false;
+        }
+      }
+
+      async function unlockUiWithToken(adminToken) {
+        try {
+          const response = await fetch('/public/auth', {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            credentials: 'same-origin',
+            body: JSON.stringify({ admin_token: adminToken }),
+          });
+
+          const payload = await response.json();
+          if (!response.ok) {
+            setAdminAuthError(payload.message || 'Invalid admin token.');
+            return false;
+          }
+
+          setAdminAuthError('');
+          adminAuthTokenInput.value = '';
+          return true;
+        } catch (error) {
+          setAdminAuthError('Authentication request failed. Please try again.');
+          return false;
+        }
+      }
+
+      async function ensureAdminAuth() {
+        const isAuthenticated = await checkAdminSession();
+        if (isAuthenticated) {
+          isAdminAuthenticated = true;
+          unlockUi();
+          if (!hasStartedLogSource) {
+            setupLogSource();
+            hasStartedLogSource = true;
+          }
+        } else {
+          isAdminAuthenticated = false;
+          lockUi();
+        }
+      }
 
       const camelToSnakeCase = str => str.replace(/[A-Z]/g, letter => `_${letter.toLowerCase()}`);
       const camelToKebabCase = str => str.replace(/[A-Z]/g, letter => `-${letter.toLowerCase()}`);
@@ -1800,6 +1948,28 @@ <h3>Enter API Key</h3>
 
       // Event Listeners
       testRequestBtn.addEventListener('click', dummyTestRequest);
+      adminAuthForm.addEventListener('submit', async (event) => {
+          event.preventDefault();
+          setAdminAuthError('');
+
+          const token = adminAuthTokenInput.value.trim();
+          if (!token) {
+            setAdminAuthError('Admin token is required.');
+            return;
+          }
+
+          const unlocked = await unlockUiWithToken(token);
+          if (!unlocked) {
+            return;
+          }
+
+          isAdminAuthenticated = true;
+          unlockUi();
+          if (!hasStartedLogSource) {
+            setupLogSource();
+            hasStartedLogSource = true;
+          }
+      });
 
       document.querySelectorAll('.tabs').forEach(tabsContainer => {
           tabsContainer.querySelectorAll('.tab').forEach(tab => {
@@ -1922,6 +2092,7 @@ <h3>Enter API Key</h3>
       });
 
       managePage()
+      ensureAdminAuth();
 
       // Logs functionality
       const logsTableBody = document.getElementById('logsTableBody');
@@ -1934,6 +2105,10 @@ <h3>Enter API Key</h3>
       let logSource;
 
       function setupLogSource() {
+        if (!isAdminAuthenticated) {
+          return;
+        }
+
         logSource = new EventSource('/log/stream');
 
         logSource.addEventListener('connected', (event) => {
@@ -1965,18 +2140,23 @@ <h3>Enter API Key</h3>
         }
       }
 
-      function reconnectLogSource() {
+      async function reconnectLogSource() {
         if (logSource) {
             logSource.close();
         }
+        const stillAuthenticated = await checkAdminSession();
+        if (!stillAuthenticated) {
+          isAdminAuthenticated = false;
+          lockUi();
+          return;
+        }
+
         console.log('Attempting to reconnect to log stream...');
         setTimeout(() => {
             setupLogSource();
         }, 5000); // Wait 5 seconds before attempting to reconnect
       }
 
-      setupLogSource();
-
       function addLogEntry(time, method, endpoint, status, duration, requestOptions) {
           const tr = document.createElement('tr');
           tr.classList.add('new-row');
diff --git a/src/start-server.ts b/src/start-server.ts
index 5c9cc0b15..0da80923e 100644
--- a/src/start-server.ts
+++ b/src/start-server.ts
@@ -8,6 +8,11 @@ import { Context } from 'hono';
 import { createNodeWebSocket } from '@hono/node-ws';
 import { realTimeHandlerNode } from './handlers/realtimeHandlerNode';
 import { requestValidator } from './middlewares/requestValidator';
+import {
+  adminAuthLoginHandler,
+  adminAuthMiddleware,
+  adminAuthSessionStatusHandler,
+} from './middlewares/adminAuth';
 
 // Extract the port number from the command line arguments
 const defaultPort = 8787;
@@ -41,6 +46,8 @@ if (
     };
 
     // Set up routes
+    app.post('/public/auth', adminAuthLoginHandler);
+    app.get('/public/auth/session', adminAuthSessionStatusHandler);
     app.get('/public/logs', serveIndex);
     app.get('/public/', serveIndex);
 
@@ -69,7 +76,7 @@ if (
     return Promise.race([fn(), timeoutPromise]);
   }
 
-  app.get('/log/stream', (c: Context) => {
+  app.get('/log/stream', adminAuthMiddleware, (c: Context) => {
     const clientId = Date.now().toString();
 
     // Set headers to prevent caching

From e4570228c28818b66817772539054c2e5b9223aa Mon Sep 17 00:00:00 2001
From: Narendranath Gogineni <narenrockstar1@gmail.com>
Date: Tue, 19 May 2026 16:31:01 +0530
Subject: [PATCH 2/5] remove admin token default

---
 conf.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/conf.json b/conf.json
index 75aa9b680..940c8bdd6 100644
--- a/conf.json
+++ b/conf.json
@@ -17,6 +17,5 @@
       "apiKey": "..."
     }
   },
-  "cache": false,
-  "admin_token": "test-token"
+  "cache": false
 }

From 9bcaee4d6f34b7a6d6b80a0ca282b0740fd475ea Mon Sep 17 00:00:00 2001
From: Narendranath Gogineni <narenrockstar1@gmail.com>
Date: Tue, 19 May 2026 16:42:15 +0530
Subject: [PATCH 3/5] disable logs when admin token not set

---
 src/middlewares/adminAuth/index.ts |  2 +-
 src/start-server.ts                | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/middlewares/adminAuth/index.ts b/src/middlewares/adminAuth/index.ts
index 8855b79f2..9c9da9592 100644
--- a/src/middlewares/adminAuth/index.ts
+++ b/src/middlewares/adminAuth/index.ts
@@ -6,7 +6,7 @@ const SESSION_MAX_AGE_SECONDS = 60 * 60 * 12; // 12 hours
 const adminSessions = new Map<string, number>();
 
 const getConfiguredAdminToken = (): string => {
-  const adminToken = conf?.admin_token;
+  const adminToken = (conf as Record<string, unknown>)?.admin_token;
   if (
     !adminToken ||
     typeof adminToken !== 'string' ||
diff --git a/src/start-server.ts b/src/start-server.ts
index 0da80923e..853ec1202 100644
--- a/src/start-server.ts
+++ b/src/start-server.ts
@@ -8,6 +8,7 @@ import { Context } from 'hono';
 import { createNodeWebSocket } from '@hono/node-ws';
 import { realTimeHandlerNode } from './handlers/realtimeHandlerNode';
 import { requestValidator } from './middlewares/requestValidator';
+import conf from '../conf.json';
 import {
   adminAuthLoginHandler,
   adminAuthMiddleware,
@@ -21,6 +22,10 @@ const portArg = args.find((arg) => arg.startsWith('--port='));
 const port = portArg ? parseInt(portArg.split('=')[1]) : defaultPort;
 
 const isHeadless = args.includes('--headless');
+const hasAdminTokenKey = Object.prototype.hasOwnProperty.call(
+  conf || {},
+  'admin_token'
+);
 
 // Setup static file serving only if not in headless mode
 if (
@@ -42,6 +47,11 @@ if (
     const indexContent = readFileSync(indexPath, 'utf-8');
 
     const serveIndex = (c: Context) => {
+      if (!hasAdminTokenKey) {
+        return c.html(
+          'Admin token is required to access the local gateway UI. Please set admin_token in conf.json. see <a href="https://github.com/Portkey-AI/gateway/discussions/1656">github discussion</a> for more details.'
+        );
+      }
       return c.html(indexContent);
     };
 

From c9ee943637580781c3990c112dc18d6ead101536 Mon Sep 17 00:00:00 2001
From: Narendranath Gogineni <narenrockstar1@gmail.com>
Date: Tue, 19 May 2026 17:20:23 +0530
Subject: [PATCH 4/5] redact provider options in logs

---
 src/middlewares/log/index.ts | 60 +++++++++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)

diff --git a/src/middlewares/log/index.ts b/src/middlewares/log/index.ts
index 5d5319e44..ab299e497 100644
--- a/src/middlewares/log/index.ts
+++ b/src/middlewares/log/index.ts
@@ -15,6 +15,64 @@ const removeLogClient = (clientId: any) => {
   logClients.delete(clientId);
 };
 
+const sanitizeHeaders = (headers: Record<string, unknown> = {}) =>
+  Object.fromEntries(Object.keys(headers).map((key) => [key, '[REDACTED]']));
+
+const ALLOWED_PROVIDER_OPTION_KEYS = new Set([
+  'provider',
+  'overrideParams',
+  'retry',
+  'cache',
+  'requestURL',
+  'rubeusURL',
+]);
+
+const sanitizeProviderOptions = (providerOptions: Record<string, unknown> = {}) =>
+  Object.fromEntries(
+    Object.entries(providerOptions).map(([key, value]) => [
+      key,
+      ALLOWED_PROVIDER_OPTION_KEYS.has(key) ? value : '[REDACTED]',
+    ])
+  );
+
+const sanitizeRequestOption = (requestOption: any) => {
+  if (!requestOption || typeof requestOption !== 'object') return requestOption;
+
+  const sanitizedOption = { ...requestOption };
+
+  if (
+    sanitizedOption.providerOptions &&
+    typeof sanitizedOption.providerOptions === 'object'
+  ) {
+    sanitizedOption.providerOptions = sanitizeProviderOptions(
+      sanitizedOption.providerOptions as Record<string, unknown>
+    );
+  }
+
+  if (
+    sanitizedOption.transformedRequest &&
+    typeof sanitizedOption.transformedRequest === 'object'
+  ) {
+    sanitizedOption.transformedRequest = { ...sanitizedOption.transformedRequest };
+    if (sanitizedOption.transformedRequest.headers) {
+      sanitizedOption.transformedRequest.headers = sanitizeHeaders(
+        sanitizedOption.transformedRequest.headers as Record<string, unknown>
+      );
+    }
+  }
+
+  if (
+    sanitizedOption.responseHeaders &&
+    typeof sanitizedOption.responseHeaders === 'object'
+  ) {
+    sanitizedOption.responseHeaders = sanitizeHeaders(
+      sanitizedOption.responseHeaders as Record<string, unknown>
+    );
+  }
+
+  return sanitizedOption;
+};
+
 const broadcastLog = async (log: any) => {
   const message = {
     data: log,
@@ -79,7 +137,7 @@ async function processLog(c: Context, start: number) {
       endpoint: c.req.url.split(':8787')[1],
       status: c.res.status,
       duration: ms,
-      requestOptions: requestOptionsArray,
+      requestOptions: requestOptionsArray.map(sanitizeRequestOption),
     })
   );
 }

From 55d653ec89d856f5905b5663e65b89ea19edd1a7 Mon Sep 17 00:00:00 2001
From: Narendranath Gogineni <narenrockstar1@gmail.com>
Date: Tue, 19 May 2026 17:21:50 +0530
Subject: [PATCH 5/5] formatting

---
 src/middlewares/log/index.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/middlewares/log/index.ts b/src/middlewares/log/index.ts
index ab299e497..474334832 100644
--- a/src/middlewares/log/index.ts
+++ b/src/middlewares/log/index.ts
@@ -27,7 +27,9 @@ const ALLOWED_PROVIDER_OPTION_KEYS = new Set([
   'rubeusURL',
 ]);
 
-const sanitizeProviderOptions = (providerOptions: Record<string, unknown> = {}) =>
+const sanitizeProviderOptions = (
+  providerOptions: Record<string, unknown> = {}
+) =>
   Object.fromEntries(
     Object.entries(providerOptions).map(([key, value]) => [
       key,
@@ -53,7 +55,9 @@ const sanitizeRequestOption = (requestOption: any) => {
     sanitizedOption.transformedRequest &&
     typeof sanitizedOption.transformedRequest === 'object'
   ) {
-    sanitizedOption.transformedRequest = { ...sanitizedOption.transformedRequest };
+    sanitizedOption.transformedRequest = {
+      ...sanitizedOption.transformedRequest,
+    };
     if (sanitizedOption.transformedRequest.headers) {
       sanitizedOption.transformedRequest.headers = sanitizeHeaders(
         sanitizedOption.transformedRequest.headers as Record<string, unknown>