fix: use array config for apikey-auth keys and basic-auth credentials (#54)

The secret resolution system only resolves JSON object values, not keys.
This meant env:// references used as object keys (e.g. API keys in
apikey-auth) were never resolved at startup.

Change both plugins from map-style configs to array-of-entries:
- apikey-auth: keys map → array with explicit `key` field
- basic-auth: credentials map → array with explicit `username` field

This makes secret references work correctly for all auth config fields
and aligns both plugins with the pattern used by other plugins (oauth2,
s3, etc.).

BREAKING CHANGE: apikey-auth `keys` and basic-auth `credentials` config
fields are now arrays instead of objects.

Author: ndreno

crates/barbacane-test/tests/proxy.rs

@@ -212,7 +212,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       requestBody:
@@ -322,7 +322,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       requestBody:
@@ -578,7 +578,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       requestBody:
@@ -679,7 +679,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       requestBody:
@@ -785,7 +785,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       requestBody:
@@ -906,7 +906,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       requestBody:
@@ -1103,7 +1103,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       x-barbacane-dispatch:

crates/barbacane-test/tests/streaming.rs

@@ -102,7 +102,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              secret-key:
+              - key: secret-key
                 id: key-1
                 name: test
       x-barbacane-dispatch:

crates/barbacane-test/tests/workload.rs

@@ -163,7 +163,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       requestBody:
@@ -233,7 +233,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       requestBody:
@@ -688,7 +688,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       requestBody:
@@ -808,7 +808,7 @@ paths:
           config:
             header_name: x-api-key
             keys:
-              test-key-123:
+              - key: test-key-123
                 id: key-1
                 name: testuser
       x-barbacane-dispatch:

docs/guide/middlewares.md

@@ -188,24 +188,26 @@ x-barbacane-middlewares:
       header_name: X-API-Key      # when key_location is "header"
       query_param: api_key        # when key_location is "query"
       keys:
-        sk_live_abc123:
+        - key: "env://API_KEY_PRODUCTION"
           id: key-001
           name: Production Key
           scopes: ["read", "write"]
-        sk_test_xyz789:
+        - key: sk_test_xyz789
           id: key-002
           name: Test Key
           scopes: ["read"]
 ```
 
+The `key` field supports secret references (`env://`, `file://`) which are resolved at gateway startup. See [Secrets](secrets.md) for details.
+
 #### Configuration
 
 | Property | Type | Default | Description |
 |----------|------|---------|-------------|
 | `key_location` | string | `header` | Where to find key (`header` or `query`) |
 | `header_name` | string | `X-API-Key` | Header name (when `key_location: header`) |
 | `query_param` | string | `api_key` | Query param name (when `key_location: query`) |
-| `keys` | object | `{}` | Map of valid API keys to metadata |
+| `keys` | array | `[]` | List of API key entries with metadata |
 
 #### Context Headers
 
@@ -336,10 +338,10 @@ x-barbacane-middlewares:
       realm: "My API"
       strip_credentials: true
       credentials:
-        admin:
+        - username: admin
           password: "env://ADMIN_PASSWORD"
           roles: ["admin", "editor"]
-        readonly:
+        - username: readonly
           password: "env://READONLY_PASSWORD"
           roles: ["viewer"]
 ```
@@ -350,12 +352,13 @@ x-barbacane-middlewares:
 |----------|------|---------|-------------|
 | `realm` | string | `api` | Authentication realm shown in `WWW-Authenticate` challenge |
 | `strip_credentials` | boolean | `true` | Remove `Authorization` header before forwarding to upstream |
-| `credentials` | object | `{}` | Map of username to credential entry |
+| `credentials` | array | `[]` | List of credential entries |
 
 Each credential entry:
 
 | Property | Type | Default | Description |
 |----------|------|---------|-------------|
+| `username` | string | **required** | Username for this credential |
 | `password` | string | **required** | Password for this user (supports secret references) |
 | `roles` | array | `[]` | Optional roles for authorization |
 
@@ -394,10 +397,10 @@ x-barbacane-middlewares:
     config:
       realm: "my-api"
       credentials:
-        admin:
+        - username: admin
           password: "env://ADMIN_PASSWORD"
           roles: ["admin", "editor"]
-        viewer:
+        - username: viewer
           password: "env://VIEWER_PASSWORD"
           roles: ["viewer"]
   - name: acl

docs/rulesets/functions/barbacane-validate-middleware-config.js

@@ -22,7 +22,7 @@ const schemas = {
       key_location: { type: "string" },
       header_name: { type: "string" },
       query_param: { type: "string" },
-      keys: { type: "object" },
+      keys: { type: "array" },
     },
     additionalProperties: false,
   },
@@ -32,7 +32,7 @@ const schemas = {
     properties: {
       realm: { type: "string" },
       strip_credentials: { type: "boolean" },
-      credentials: { type: "object" },
+      credentials: { type: "array" },
     },
     additionalProperties: false,
   },

plugins/apikey-auth/config-schema.json

@@ -22,12 +22,16 @@
       "default": "api_key"
     },
     "keys": {
-      "type": "object",
-      "description": "Map of valid API keys to their metadata",
-      "additionalProperties": {
+      "type": "array",
+      "description": "List of valid API keys with their metadata",
+      "items": {
         "type": "object",
-        "required": ["id"],
+        "required": ["key", "id"],
         "properties": {
+          "key": {
+            "type": "string",
+            "description": "The API key value. Supports secret references (e.g. env://MY_API_KEY)."
+          },
           "id": {
             "type": "string",
             "description": "Unique identifier for this key (for logging/auditing)"
@@ -47,7 +51,7 @@
         },
         "additionalProperties": false
       },
-      "default": {}
+      "default": []
     }
   },
   "additionalProperties": false

plugins/apikey-auth/src/lib.rs

@@ -26,16 +26,17 @@ pub struct ApiKeyAuth {
     #[serde(default = "default_query_param")]
     query_param: String,
 
-    /// Map of valid API keys to their metadata.
-    /// Key: the API key string
-    /// Value: key metadata (id, name, optional scopes)
+    /// List of valid API keys with their metadata.
     #[serde(default)]
-    keys: BTreeMap<String, ApiKeyEntry>,
+    keys: Vec<ApiKeyEntry>,
 }
 
-/// Metadata for a single API key.
+/// A single API key entry.
 #[derive(Debug, Clone, Deserialize)]
 struct ApiKeyEntry {
+    /// The API key value. Supports secret references (e.g. `env://MY_API_KEY`).
+    key: String,
+
     /// Unique identifier for this key (for logging/auditing).
     id: String,
 
@@ -179,7 +180,10 @@ impl ApiKeyAuth {
 
     /// Look up the API key in the configured key store.
     fn lookup_key(&self, key: &str) -> Result<&ApiKeyEntry, ApiKeyError> {
-        self.keys.get(key).ok_or(ApiKeyError::InvalidKey)
+        self.keys
+            .iter()
+            .find(|e| e.key == key)
+            .ok_or(ApiKeyError::InvalidKey)
     }
 
     /// Generate 401 Unauthorized response.
@@ -244,11 +248,11 @@ mod tests {
 
     fn test_plugin() -> ApiKeyAuth {
         serde_json::from_value(serde_json::json!({
-            "keys": {
-                "sk-test-123": { "id": "key1", "name": "Test Key", "scopes": ["read", "write"] },
-                "sk-readonly": { "id": "key2", "scopes": ["read"] },
-                "sk-noname": { "id": "key3" }
-            }
+            "keys": [
+                { "key": "sk-test-123", "id": "key1", "name": "Test Key", "scopes": ["read", "write"] },
+                { "key": "sk-readonly", "id": "key2", "scopes": ["read"] },
+                { "key": "sk-noname", "id": "key3" }
+            ]
         }))
         .unwrap()
     }
@@ -417,8 +421,8 @@ mod tests {
         match plugin.on_request(req) {
             Action::Continue(r) => {
                 assert_eq!(r.headers.get("x-auth-key-id").unwrap(), "key3");
-                assert!(r.headers.get("x-auth-key-name").is_none());
-                assert!(r.headers.get("x-auth-key-scopes").is_none());
+                assert!(!r.headers.contains_key("x-auth-key-name"));
+                assert!(!r.headers.contains_key("x-auth-key-scopes"));
                 assert_eq!(r.headers.get("x-auth-consumer").unwrap(), "key3");
                 assert!(!r.headers.contains_key("x-auth-consumer-groups"));
             }
@@ -456,7 +460,7 @@ mod tests {
     fn test_on_request_query_location() {
         let mut plugin: ApiKeyAuth = serde_json::from_value(serde_json::json!({
             "key_location": "query",
-            "keys": { "mykey": { "id": "q1" } }
+            "keys": [{ "key": "mykey", "id": "q1" }]
         }))
         .unwrap();
         let req = request_with_query("api_key=mykey");
@@ -520,7 +524,7 @@ mod tests {
     fn test_config_custom_header() {
         let plugin: ApiKeyAuth = serde_json::from_value(serde_json::json!({
             "header_name": "Authorization",
-            "keys": { "Bearer tok": { "id": "t1" } }
+            "keys": [{ "key": "Bearer tok", "id": "t1" }]
         }))
         .unwrap();
         assert_eq!(plugin.header_name, "Authorization");

plugins/basic-auth/config-schema.json

@@ -16,15 +16,19 @@
       "default": true
     },
     "credentials": {
-      "type": "object",
-      "description": "Map of username to credential entry",
-      "additionalProperties": {
+      "type": "array",
+      "description": "List of credential entries (username, password, and optional roles)",
+      "items": {
         "type": "object",
-        "required": ["password"],
+        "required": ["username", "password"],
         "properties": {
+          "username": {
+            "type": "string",
+            "description": "Username for this credential"
+          },
           "password": {
             "type": "string",
-            "description": "Password for this user"
+            "description": "Password for this user. Supports secret references (e.g. env://MY_PASSWORD)."
           },
           "roles": {
             "type": "array",
@@ -35,7 +39,7 @@
         },
         "additionalProperties": false
       },
-      "default": {}
+      "default": []
     }
   },
   "additionalProperties": false