gh-aw-firewall/containers/api-proxy/server.auth.test.js at fca49e9b11bbf5c47905a6e88495251a23d21fca · github/gh-aw-firewall · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
/**
 * Tests for auth & credential handling.
 *
 * Extracted from server.test.js lines 491–523, 886–1064.
 */

const { shouldStripHeader } = require('./proxy-utils');
const {
  _testing: { resolveCopilotAuthToken, resolveApiKey, stripBearerPrefix, COPILOT_PLACEHOLDER_TOKEN },
  createCopilotAdapter,
} = require('./providers/copilot');
const { sanitizeNullToolCallTypes } = require('./body-transform');

describe('shouldStripHeader', () => {
  it('should strip authorization header', () => {
    expect(shouldStripHeader('authorization')).toBe(true);
    expect(shouldStripHeader('Authorization')).toBe(true);
  });

  it('should strip x-api-key header', () => {
    expect(shouldStripHeader('x-api-key')).toBe(true);
    expect(shouldStripHeader('X-Api-Key')).toBe(true);
  });

  it('should strip x-goog-api-key header (Gemini placeholder must be stripped)', () => {
    expect(shouldStripHeader('x-goog-api-key')).toBe(true);
    expect(shouldStripHeader('X-Goog-Api-Key')).toBe(true);
  });

  it('should strip proxy-authorization header', () => {
    expect(shouldStripHeader('proxy-authorization')).toBe(true);
  });

  it('should strip x-forwarded-* headers', () => {
    expect(shouldStripHeader('x-forwarded-for')).toBe(true);
    expect(shouldStripHeader('x-forwarded-host')).toBe(true);
  });

  it('should not strip content-type header', () => {
    expect(shouldStripHeader('content-type')).toBe(false);
  });

  it('should not strip anthropic-version header', () => {
    expect(shouldStripHeader('anthropic-version')).toBe(false);
  });
});

describe('stripBearerPrefix', () => {
  it('strips "Bearer " prefix from a token value', () => {
    expect(stripBearerPrefix('Bearer sk-or-v1-abc')).toBe('sk-or-v1-abc');
  });

  it('strips "Bearer " prefix case-insensitively', () => {
    expect(stripBearerPrefix('bearer sk-or-v1-abc')).toBe('sk-or-v1-abc');
    expect(stripBearerPrefix('BEARER sk-or-v1-abc')).toBe('sk-or-v1-abc');
  });

  it('strips leading whitespace before "Bearer "', () => {
    expect(stripBearerPrefix('  Bearer sk-or-v1-abc')).toBe('sk-or-v1-abc');
  });

  it('returns value unchanged when no "Bearer " prefix is present', () => {
    expect(stripBearerPrefix('sk-or-v1-abc')).toBe('sk-or-v1-abc');
    expect(stripBearerPrefix('gho_abc123')).toBe('gho_abc123');
  });

  it('does not strip "Bearer" without a following space', () => {
    expect(stripBearerPrefix('BearerToken123')).toBe('BearerToken123');
  });

  it('returns undefined when value is only "Bearer " (nothing after prefix)', () => {
    expect(stripBearerPrefix('Bearer ')).toBeUndefined();
    expect(stripBearerPrefix('Bearer   ')).toBeUndefined();
  });

  it('returns undefined for empty or whitespace-only input', () => {
    expect(stripBearerPrefix('')).toBeUndefined();
    expect(stripBearerPrefix('   ')).toBeUndefined();
    expect(stripBearerPrefix(undefined)).toBeUndefined();
  });

  it('trims surrounding whitespace from the token', () => {
    expect(stripBearerPrefix('  sk-or-v1-abc  ')).toBe('sk-or-v1-abc');
  });
});

describe('resolveCopilotAuthToken', () => {
  it('should return COPILOT_GITHUB_TOKEN when only it is set', () => {
    expect(resolveCopilotAuthToken({ COPILOT_GITHUB_TOKEN: 'gho_abc123' })).toBe('gho_abc123');
  });

  it('should return COPILOT_API_KEY when only it is set', () => {
    expect(resolveCopilotAuthToken({ COPILOT_API_KEY: 'sk-byok-key' })).toBe('sk-byok-key');
  });

  it('should prefer COPILOT_API_KEY over COPILOT_GITHUB_TOKEN when both are set', () => {
    expect(resolveCopilotAuthToken({
      COPILOT_GITHUB_TOKEN: 'gho_abc123',
      COPILOT_API_KEY: 'sk-byok-key',
    })).toBe('sk-byok-key');
  });

  it('should return undefined when neither is set', () => {
    expect(resolveCopilotAuthToken({})).toBeUndefined();
  });

  it('should return undefined for empty strings', () => {
    expect(resolveCopilotAuthToken({ COPILOT_GITHUB_TOKEN: '', COPILOT_API_KEY: '' })).toBeUndefined();
  });

  it('should return undefined for whitespace-only values', () => {
    expect(resolveCopilotAuthToken({ COPILOT_GITHUB_TOKEN: '  ', COPILOT_API_KEY: '  \n' })).toBeUndefined();
  });

  it('should trim whitespace from token values', () => {
    expect(resolveCopilotAuthToken({ COPILOT_API_KEY: '  sk-byok-key  ' })).toBe('sk-byok-key');
  });

  it('should use COPILOT_API_KEY when COPILOT_GITHUB_TOKEN is whitespace-only', () => {
    expect(resolveCopilotAuthToken({
      COPILOT_GITHUB_TOKEN: '  ',
      COPILOT_API_KEY: 'sk-byok-key',
    })).toBe('sk-byok-key');
  });

  it('should fall back to COPILOT_GITHUB_TOKEN when COPILOT_API_KEY is whitespace-only', () => {
    expect(resolveCopilotAuthToken({
      COPILOT_GITHUB_TOKEN: 'gho_abc123',
      COPILOT_API_KEY: '  ',
    })).toBe('gho_abc123');
  });

  it('strips "Bearer " prefix from COPILOT_API_KEY when resolving', () => {
    expect(resolveCopilotAuthToken({ COPILOT_API_KEY: 'Bearer sk-or-v1-abc' })).toBe('sk-or-v1-abc');
  });

  it('strips "Bearer " prefix from COPILOT_GITHUB_TOKEN when resolving', () => {
    expect(resolveCopilotAuthToken({ COPILOT_GITHUB_TOKEN: 'Bearer gho_abc123' })).toBe('gho_abc123');
  });

  it('prefers stripped COPILOT_API_KEY over stripped COPILOT_GITHUB_TOKEN', () => {
    expect(resolveCopilotAuthToken({
      COPILOT_GITHUB_TOKEN: 'Bearer gho_abc123',
      COPILOT_API_KEY: 'Bearer sk-byok-key',
    })).toBe('sk-byok-key');
  });

  it('treats AWF placeholder COPILOT_API_KEY as absent when no COPILOT_GITHUB_TOKEN is set', () => {
    expect(resolveCopilotAuthToken({ COPILOT_API_KEY: COPILOT_PLACEHOLDER_TOKEN })).toBeUndefined();
  });

  it('uses COPILOT_GITHUB_TOKEN when COPILOT_API_KEY is the AWF placeholder', () => {
    expect(resolveCopilotAuthToken({
      COPILOT_GITHUB_TOKEN: 'gho_real_token',
      COPILOT_API_KEY: COPILOT_PLACEHOLDER_TOKEN,
    })).toBe('gho_real_token');
  });
});

describe('resolveApiKey', () => {
  it('returns the API key when it is a real credential', () => {
    expect(resolveApiKey({ COPILOT_API_KEY: 'sk-byok-key' })).toBe('sk-byok-key');
  });

  it('returns undefined when COPILOT_API_KEY is the AWF placeholder', () => {
    expect(resolveApiKey({ COPILOT_API_KEY: COPILOT_PLACEHOLDER_TOKEN })).toBeUndefined();
  });

  it('returns undefined when COPILOT_API_KEY is not set', () => {
    expect(resolveApiKey({})).toBeUndefined();
  });
});

describe('sanitizeNullToolCallTypes (via copilot body transform)', () => {
  it('normalizes null tool_call type to "function" in outgoing message history', () => {
    const input = Buffer.from(JSON.stringify({
      model: 'gpt-5.4',
      messages: [
        {
          role: 'assistant',
          tool_calls: [
            {
              id: 'call_1',
              type: null,
              function: { name: 'edit', arguments: '{"path":"a.txt"}' },
            },
          ],
        },
      ],
    }));

    const result = sanitizeNullToolCallTypes(input);
    expect(result).not.toBeNull();
    const parsed = JSON.parse(result.body.toString('utf8'));
    expect(parsed.messages[0].tool_calls[0].type).toBe('function');
  });

  it('returns null when no tool_call type normalization is needed', () => {
    const input = Buffer.from(JSON.stringify({
      messages: [
        {
          role: 'assistant',
          tool_calls: [
            {
              id: 'call_1',
              type: 'function',
              function: { name: 'edit', arguments: '{}' },
            },
          ],
        },
      ],
    }));

    expect(sanitizeNullToolCallTypes(input)).toBeNull();
  });
});

// ── createCopilotAdapter — BYOK auth header format ───────────────────────────
//
// These tests guard against the "badly formatted Authorization header" bug in
// BYOK mode where the sidecar is configured with COPILOT_API_KEY (the real key
// held by the sidecar) and could produce "Authorization: Bearer Bearer <key>"
// if the COPILOT_API_KEY value already contained the "Bearer " prefix.
// They also verify that the header injected for inference requests is exactly
// "Bearer <key>" and that the Copilot-Integration-Id header is present.

describe('createCopilotAdapter — BYOK getAuthHeaders', () => {
  const fakeReq = { url: '/v1/chat/completions', method: 'POST', headers: {} };
  const fakeModelsReq = { url: '/models', method: 'GET', headers: {} };

  it('injects Authorization: Bearer <key> for BYOK inference request', () => {
    const adapter = createCopilotAdapter({ COPILOT_API_KEY: 'sk-or-v1-abc123' });
    const headers = adapter.getAuthHeaders(fakeReq);
    expect(headers['Authorization']).toBe('Bearer sk-or-v1-abc123');
  });

  it('injects Copilot-Integration-Id header for BYOK inference request', () => {
    const adapter = createCopilotAdapter({ COPILOT_API_KEY: 'sk-or-v1-abc123' });
    const headers = adapter.getAuthHeaders(fakeReq);
    expect(headers['Copilot-Integration-Id']).toBe('copilot-developer-cli');
  });

  it('prevents double "Bearer " prefix when API key already contains "Bearer " prefix (BYOK bug fix)', () => {
    const adapter = createCopilotAdapter({ COPILOT_API_KEY: 'Bearer sk-or-v1-abc123' });
    const headers = adapter.getAuthHeaders(fakeReq);
    expect(headers['Authorization']).toBe('Bearer sk-or-v1-abc123');
    expect(headers['Authorization']).not.toContain('Bearer Bearer');
  });

  it('strips "Bearer " prefix case-insensitively from API key', () => {
    const adapter = createCopilotAdapter({ COPILOT_API_KEY: 'BEARER sk-or-v1-abc123' });
    const headers = adapter.getAuthHeaders(fakeReq);
    expect(headers['Authorization']).toBe('Bearer sk-or-v1-abc123');
  });

  it('uses COPILOT_GITHUB_TOKEN (not COPILOT_API_KEY) for /models GET in BYOK+token mode', () => {
    const adapter = createCopilotAdapter({
      COPILOT_GITHUB_TOKEN: 'gho_oauth_token',
      COPILOT_API_KEY: 'sk-or-v1-abc123',
    });
    const headers = adapter.getAuthHeaders(fakeModelsReq);
    expect(headers['Authorization']).toBe('Bearer gho_oauth_token');
  });

  it('uses COPILOT_API_KEY (not COPILOT_GITHUB_TOKEN) for inference in BYOK+token mode', () => {
    const adapter = createCopilotAdapter({
      COPILOT_GITHUB_TOKEN: 'gho_oauth_token',
      COPILOT_API_KEY: 'sk-or-v1-abc123',
    });
    const headers = adapter.getAuthHeaders(fakeReq);
    expect(headers['Authorization']).toBe('Bearer sk-or-v1-abc123');
  });

  it('uses API key for /models GET when no COPILOT_GITHUB_TOKEN is set (BYOK-only mode)', () => {
    const adapter = createCopilotAdapter({ COPILOT_API_KEY: 'sk-or-v1-abc123' });
    const headers = adapter.getAuthHeaders(fakeModelsReq);
    expect(headers['Authorization']).toBe('Bearer sk-or-v1-abc123');
  });

  it('is enabled when only COPILOT_API_KEY is set', () => {
    const adapter = createCopilotAdapter({ COPILOT_API_KEY: 'sk-or-v1-abc123' });
    expect(adapter.isEnabled()).toBe(true);
  });

  it('is disabled when COPILOT_API_KEY is the AWF placeholder and no COPILOT_GITHUB_TOKEN is set', () => {
    const adapter = createCopilotAdapter({ COPILOT_API_KEY: COPILOT_PLACEHOLDER_TOKEN });
    expect(adapter.isEnabled()).toBe(false);
  });

  it('is enabled when COPILOT_API_KEY is the AWF placeholder but COPILOT_GITHUB_TOKEN is set', () => {
    const adapter = createCopilotAdapter({
      COPILOT_GITHUB_TOKEN: 'gho_real_token',
      COPILOT_API_KEY: COPILOT_PLACEHOLDER_TOKEN,
    });
    expect(adapter.isEnabled()).toBe(true);
  });

  it('uses COPILOT_GITHUB_TOKEN for inference when COPILOT_API_KEY is the AWF placeholder', () => {
    const adapter = createCopilotAdapter({
      COPILOT_GITHUB_TOKEN: 'gho_real_token',
      COPILOT_API_KEY: COPILOT_PLACEHOLDER_TOKEN,
    });
    const headers = adapter.getAuthHeaders(fakeReq);
    expect(headers['Authorization']).toBe('Bearer gho_real_token');
  });

  it('uses custom COPILOT_INTEGRATION_ID when set', () => {
    const adapter = createCopilotAdapter({
      COPILOT_API_KEY: 'sk-or-v1-abc123',
      COPILOT_INTEGRATION_ID: 'my-custom-integration',
    });
    const headers = adapter.getAuthHeaders(fakeReq);
    expect(headers['Copilot-Integration-Id']).toBe('my-custom-integration');
  });

  it('uses COPILOT_API_BASE_PATH when configured', () => {
    const adapter = createCopilotAdapter({
      COPILOT_API_KEY: 'sk-or-v1-abc123',
      COPILOT_API_BASE_PATH: '/api/v1/',
    });
    expect(adapter.getBasePath()).toBe('/api/v1');
  });

  it('defaults to empty base path when COPILOT_API_BASE_PATH is not set', () => {
    const adapter = createCopilotAdapter({ COPILOT_API_KEY: 'sk-or-v1-abc123' });
    expect(adapter.getBasePath()).toBe('');
  });
});