feat: support specifying multiple API keys for authentication

Add API key authentication middleware with:
- Support for OpenAI format (Authorization: Bearer token)
- Support for Anthropic format (x-api-key: token)
- Constant time comparison for security
- Multiple API keys via --api-key flag

When API keys are configured, all API endpoints require authentication.
The root endpoint / remains accessible without authentication.

PR: ericc-ch#144

Author: jackson-cooper-serv

README.md

@@ -166,6 +166,7 @@ The following command line options are available for the `start` command:
 | --claude-code  | Generate a command to launch Claude Code with Copilot API config              | false      | -c    |
 | --show-token   | Show GitHub and Copilot tokens on fetch and refresh                           | false      | none  |
 | --proxy-env    | Initialize proxy from environment variables                                   | false      | none  |
+| --api-key      | API keys for authentication. Can be specified multiple times                  | none       | none  |
 
 #### Usage examples with --host
 
@@ -233,6 +234,44 @@ New endpoints for monitoring your Copilot usage and quotas.
 | `GET /usage` | `GET`  | Get detailed Copilot usage statistics and quota information. |
 | `GET /token` | `GET`  | Get the current Copilot token being used by the API.         |
 
+## API Key Authentication
+
+The proxy supports API key authentication to restrict access to the endpoints. When API keys are configured, all API endpoints require authentication.
+
+### Authentication Methods
+
+The proxy supports both OpenAI and Anthropic authentication formats:
+
+- **OpenAI format**: Include the API key in the `Authorization` header with `Bearer` prefix:
+
+  ```bash
+  curl -H "Authorization: Bearer your_api_key_here" http://localhost:4141/v1/models
+  ```
+
+- **Anthropic format**: Include the API key in the `x-api-key` header:
+
+  ```bash
+  curl -H "x-api-key: your_api_key_here" http://localhost:4141/v1/messages
+  ```
+
+### Configuration
+
+Use the `--api-key` flag to enable API key authentication. You can specify multiple keys for different clients:
+
+```bash
+# Single API key
+npx copilot-api@latest start --api-key your_secret_key
+
+# Multiple API keys
+npx copilot-api@latest start --api-key key1 --api-key key2 --api-key key3
+```
+
+When API keys are configured:
+
+- All API endpoints (`/v1/chat/completions`, `/v1/models`, `/v1/embeddings`, `/v1/messages`, `/usage`, `/token`) require authentication
+- Requests without valid API keys will receive a 401 Unauthorized response
+- The root endpoint `/` remains accessible without authentication
+
 ## Example Usage
 
 Using with npx:
@@ -262,6 +301,12 @@ npx copilot-api@latest start --rate-limit 30 --wait
 # Provide GitHub token directly
 npx copilot-api@latest start --github-token ghp_YOUR_TOKEN_HERE
 
+# Enable API key authentication with a single key
+npx copilot-api@latest start --api-key your_secret_key_here
+
+# Enable API key authentication with multiple keys
+npx copilot-api@latest start --api-key key1 --api-key key2 --api-key key3
+
 # Run only the auth flow
 npx copilot-api@latest auth
 

src/lib/api-key-auth.ts

@@ -0,0 +1,47 @@
+import type { Context, MiddlewareHandler } from "hono"
+
+import { HTTPException } from "hono/http-exception"
+
+import { state } from "./state"
+import { constantTimeEqual } from "./utils"
+
+function extractApiKey(c: Context): string | undefined {
+  const authHeader = c.req.header("authorization")
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7)
+  }
+
+  const anthropicKey = c.req.header("x-api-key")
+  if (anthropicKey) {
+    return anthropicKey
+  }
+
+  return undefined
+}
+
+export const apiKeyAuthMiddleware: MiddlewareHandler = async (c, next) => {
+  if (!state.apiKeys || state.apiKeys.length === 0) {
+    await next()
+    return
+  }
+
+  const providedKey = extractApiKey(c)
+
+  if (!providedKey) {
+    throw new HTTPException(401, {
+      message: "Missing API key",
+    })
+  }
+
+  const isValidKey = state.apiKeys.some((key) =>
+    constantTimeEqual(key, providedKey),
+  )
+
+  if (!isValidKey) {
+    throw new HTTPException(401, {
+      message: "Invalid API key",
+    })
+  }
+
+  await next()
+}

src/lib/state.ts

@@ -15,6 +15,9 @@ export interface State {
   // Rate limiting configuration
   rateLimitSeconds?: number
   lastRequestTimestamp?: number
+
+  // API key validation
+  apiKeys?: Array<string>
 }
 
 export const state: State = {

src/lib/utils.ts

@@ -24,3 +24,14 @@ export const cacheVSCodeVersion = async () => {
 
   consola.info(`Using VSCode version: ${response}`)
 }
+
+export const constantTimeEqual = (a: string, b: string): boolean => {
+  if (a.length !== b.length) {
+    return false
+  }
+  let result = 0
+  for (let i = 0; i < a.length; i++) {
+    result |= (a.codePointAt(i) ?? 0) ^ (b.codePointAt(i) ?? 0)
+  }
+  return result === 0
+}

src/server.ts

@@ -2,6 +2,7 @@ import { Hono } from "hono"
 import { cors } from "hono/cors"
 import { logger } from "hono/logger"
 
+import { apiKeyAuthMiddleware } from "./lib/api-key-auth"
 import { completionRoutes } from "./routes/chat-completions/route"
 import { embeddingRoutes } from "./routes/embeddings/route"
 import { eventLoggingRoutes } from "./routes/event-logging/route"
@@ -15,6 +16,16 @@ export const server = new Hono()
 server.use(logger())
 server.use(cors())
 
+server.use("/chat/completions", apiKeyAuthMiddleware)
+server.use("/models", apiKeyAuthMiddleware)
+server.use("/embeddings", apiKeyAuthMiddleware)
+server.use("/usage", apiKeyAuthMiddleware)
+server.use("/token", apiKeyAuthMiddleware)
+server.use("/v1/chat/completions", apiKeyAuthMiddleware)
+server.use("/v1/models", apiKeyAuthMiddleware)
+server.use("/v1/embeddings", apiKeyAuthMiddleware)
+server.use("/v1/messages", apiKeyAuthMiddleware)
+
 server.get("/", (c) => c.text("Server running"))
 
 server.route("/chat/completions", completionRoutes)

src/start.ts

@@ -26,6 +26,7 @@ interface RunServerOptions {
   claudeCode: boolean
   showToken: boolean
   proxyEnv: boolean
+  apiKeys?: Array<string>
 }
 
 export async function runServer(options: RunServerOptions): Promise<void> {
@@ -47,6 +48,13 @@ export async function runServer(options: RunServerOptions): Promise<void> {
   state.rateLimitSeconds = options.rateLimit
   state.rateLimitWait = options.rateLimitWait
   state.showToken = options.showToken
+  state.apiKeys = options.apiKeys
+
+  if (state.apiKeys && state.apiKeys.length > 0) {
+    consola.info(
+      `API key authentication enabled with ${state.apiKeys.length} key(s)`,
+    )
+  }
 
   await ensurePaths()
   await cacheVSCodeVersion()
@@ -192,13 +200,23 @@ export const start = defineCommand({
       default: false,
       description: "Initialize proxy from environment variables",
     },
+    "api-key": {
+      type: "string",
+      description: "API keys for authentication",
+    },
   },
   run({ args }) {
     const rateLimitRaw = args["rate-limit"]
     const rateLimit =
       // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
       rateLimitRaw === undefined ? undefined : Number.parseInt(rateLimitRaw, 10)
 
+    const apiKeyRaw = args["api-key"]
+    let apiKeys: Array<string> | undefined
+    if (apiKeyRaw) {
+      apiKeys = Array.isArray(apiKeyRaw) ? apiKeyRaw : [apiKeyRaw]
+    }
+
     return runServer({
       port: Number.parseInt(args.port, 10),
       host: args.host,
@@ -211,6 +229,7 @@ export const start = defineCommand({
       claudeCode: args["claude-code"],
       showToken: args["show-token"],
       proxyEnv: args["proxy-env"],
+      apiKeys,
     })
   },
 })