Deduplicate provider auth header construction across runtime, validation, and model fetch paths (#5836)
Pull request overview
This PR reduces drift risk in security-sensitive provider authentication by centralizing and reusing auth header construction across runtime forwarding, startup validation, and model-fetch paths for the API proxy providers.
Changes:
- OpenAI: Introduces a shared token/static header builder and reuses it for validation, models fetch, and runtime fallback selection (including `AWF_OPENAI_AUTH_HEADER` behavior).
- Gemini: Extracts a single `buildAuthHeaders()` factory and reuses it across validation, models fetch, and runtime auth headers.
- Anthropic: Factors OIDC/static header builders and a shared "resolve with fallback" helper to keep validation/model fetch aligned with runtime behavior.

Summary per file:
| File | Description |
|---|---|
| containers/api-proxy/providers/openai.js | Deduplicates token/static auth header construction and reuses the same factories across validation, model fetch, and runtime auth. |
| containers/api-proxy/providers/gemini.js | Extracts a single Gemini header factory and reuses it across all adapter paths. |
| containers/api-proxy/providers/anthropic.js | Centralizes OIDC/static header building and shared fallback resolution for validation/models while preserving request-time Anthropic header additions. |
Review details
- Files reviewed: 3/3 changed files
- Comments generated: 0
- Review effort level: Low
Checks:
- ✅ Copilot review passed with no inline comments.
- ✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓
- ✅ Smoke Gemini completed. All facets verified. 💎
- ✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
- 📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅
- 🔌 Smoke Services — All services reachable! ✅
- Chroot tests failed: Smoke Chroot failed - See logs for details.
- 📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
- ❌ Security Guard failed. Please review the logs for details.
- ✅ Build Test Suite completed successfully!
- 🔑 Smoke Copilot PAT: PAT auth validated. All systems operational. ✅
- ✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓
- ✅ Smoke Claude passed.
- ✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓
- ✅ Contribution Check completed successfully! PR #5836 appears to follow the applicable contribution guidelines based on the prefetched metadata, diff, and CONTRIBUTING.md. The changes are a refactor with clear description, appropriate file placement under containers/, and no new user-facing functionality requiring documentation or tests.
- ✅ Coverage Check Passed (Overall Coverage; 📁 Per-file Coverage Changes: 1 file).
Smoke Test: Copilot BYOK (Direct) Mode - PASS ✅
GitHub.com connectivity (HTTP 200). Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY).
Warning: Firewall blocked 1 domain. The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "awmgmcpg"
```

See Network Configuration for more information.

Smoke Test: Claude Engine Validation
Overall Result: PASS ✅
Warning: Firewall blocked 1 domain.

Smoke Test Results
Overall: PASS
Warning: Firewall blocked 1 domain.

Smoke Test Results
Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN)
Warning: Firewall blocked 1 domain.

Smoke Test: Copilot BYOK (Direct) Mode — Azure OpenAI (Foundry, api-key)
✅ MCP connectivity. Overall: PASS
Warning: Firewall blocked 1 domain.

Smoke Test Results
Overall: FAIL
Warning: Firewall blocked 1 domain.

Smoke Test Results (Gemini)
Overall Status: FAIL
Warning: Firewall blocked 1 domain. The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "localhost"
```

See Network Configuration for more information.

Smoke Test: API Proxy OpenTelemetry Tracing
Overall: All scenarios pass. ✅
Warning: Firewall blocked 1 domain.

🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
Warning: Firewall blocked 1 domain.

Smoke Test: Copilot BYOK (Direct) Mode — Azure OpenAI (Foundry, Entra)
✅ MCP connectivity. Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra. Overall: PASS
Warning: Firewall blocked 1 domain.

Commit: refactor(api-proxy): dedupe provider auth headers ✅
Warning: Firewall blocked 1 domain.
Provider adapters were rebuilding security-sensitive auth headers in separate code paths (request forwarding, startup validation, and model fetch), creating drift risk between OIDC and static-key behavior. This change centralizes header construction per provider and reuses the same factories across those paths.
Anthropic: unify OIDC/static auth header building
- `getAuthHeaders` to reuse the same builders instead of rebuilding inline.
- (`anthropic-version`, `content-type`, `anthropic-beta` behavior) unchanged.

OpenAI: collapse duplicated token/static header factories
- (`buildTokenAuthHeaders`) used for both static-key and OIDC token shapes.
- `validationHeaders`, `modelsFetchHeaders`, and runtime fallback.
- (`AWF_OPENAI_AUTH_HEADER`) and ****** intact.

Gemini: single header factory for all paths
- `buildAuthHeaders()` and reused it in runtime auth, validation headers, and model fetch headers.
- `x-goog-api-key` literals without changing behavior.

Example of the new shared-pattern direction:
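The commit's own example did not survive on this page; the following is an added illustration of the shared-factory pattern (not the project's code) with a drift check that a unit test can run over all three call paths. Function names, the credential shapes, and the header-name override semantics attributed to `AWF_OPENAI_AUTH_HEADER` are assumptions.

```javascript
// Added illustration, not the project's code: one token-header builder and one
// resolve-with-fallback helper per provider, reused by validation, model fetch
// and runtime forwarding so the OIDC and static-key shapes cannot drift apart.
// All function names and the header-name override semantics are assumptions.

// Build the auth header once. A custom header name (the kind of override the
// page's AWF_OPENAI_AUTH_HEADER suggests; exact semantics assumed) carries the
// raw token, while Authorization gets the Bearer prefix.
function buildTokenAuthHeaders(token, headerName = "Authorization") {
  if (typeof token !== "string" || token.trim() === "") {
    throw new Error("refusing to build auth headers from an empty credential");
  }
  const value = headerName === "Authorization" ? `Bearer ${token}` : token;
  return { [headerName]: value };
}

// Resolve with fallback: prefer an OIDC-minted token, else a static key.
// Both branches go through the same builder, so no path invents its own shape.
function resolveAuthHeaders({ oidcToken = null, staticKey = null, headerName } = {}) {
  if (oidcToken) return { source: "oidc", headers: buildTokenAuthHeaders(oidcToken, headerName) };
  if (staticKey) return { source: "static", headers: buildTokenAuthHeaders(staticKey, headerName) };
  throw new Error("no credential configured (neither OIDC token nor static key)");
}

// The three call sites reuse the resolver. Runtime may add request-time
// headers (content-type and the like) but never rebuilds the auth header.
const validationHeaders = (cfg) => resolveAuthHeaders(cfg).headers;
const modelsFetchHeaders = (cfg) => resolveAuthHeaders(cfg).headers;
const runtimeHeaders = (cfg, extra = {}) => ({ ...resolveAuthHeaders(cfg).headers, ...extra });

// Drift check for a unit test: every path must emit the identical auth header.
function authHeadersAgree(cfg) {
  const name = cfg.headerName || "Authorization";
  const paths = [
    validationHeaders(cfg),
    modelsFetchHeaders(cfg),
    runtimeHeaders(cfg, { "content-type": "application/json" }),
  ];
  return paths.every((h) => h[name] !== undefined && h[name] === paths[0][name]);
}
```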