feat(auth): add downstream api key support (#2)

* feat(auth): add downstream api key support

* feat(auth): harden api key security

* fix(auth): refine api key parsing

* chore(responses): align review feedback

Author: Lumysia

README.md

@@ -13,6 +13,7 @@ Compared with the original upstream project, this fork keeps the README intentio
 
 - OpenAI-compatible endpoints for chat, models, embeddings, and responses
 - Anthropic-compatible messages endpoint
+- Optional downstream API key protection from CLI arg or environment variable
 - Usage and token inspection endpoints
 - Optional rate limit control and manual approval flow
 - Support for individual, business, and enterprise Copilot accounts
@@ -44,6 +45,26 @@ bun run start
 - Test: `bun test`
 - Start: `bun run start`
 
+## API Key Protection
+
+You can require clients to send an API key for all incoming requests.
+
+Priority order:
+
+- CLI arg `--api-key`
+- env `API_KEY`
+- env `COPILOT_API_KEY`
+- default empty, meaning disabled
+
+Example:
+
+`bun run start -- --port 3000 --api-key my-secret-key`
+
+Then call the API with either header:
+
+- `Authorization: Bearer my-secret-key`
+- `x-api-key: my-secret-key`
+
 ## API Endpoints
 
 ### OpenAI-compatible

src/lib/api-key.ts

@@ -0,0 +1,137 @@
+import type { Context, Next } from "hono"
+
+import consola from "consola"
+
+import { state } from "~/lib/state"
+
+const AUTH_WINDOW_MS = 5 * 60 * 1000
+const AUTH_MAX_FAILURES = 10
+const AUTH_BLOCK_MS = 15 * 60 * 1000
+
+function getBearerToken(
+  authorizationHeader: string | undefined,
+): string | undefined {
+  if (!authorizationHeader) return undefined
+
+  const [scheme, token] = authorizationHeader.trim().split(/\s+/, 2)
+  if (scheme.toLowerCase() !== "bearer" || !token) return undefined
+
+  return token
+}
+
+function getForwardedIp(
+  forwardedHeader: string | undefined,
+): string | undefined {
+  if (!forwardedHeader) return undefined
+
+  const match = forwardedHeader.match(/for="?\[?([^;,"]+)/i)
+  return match?.[1]?.trim()
+}
+
+function getClientAddress(c: Context): string {
+  const candidates = [
+    c.req.header("cf-connecting-ip"),
+    c.req.header("x-real-ip"),
+    c.req.header("x-client-ip"),
+    c.req.header("x-forwarded-for")?.split(",")[0]?.trim(),
+    getForwardedIp(c.req.header("forwarded")),
+    c.req.header("fly-client-ip"),
+  ]
+
+  return candidates.find((value) => value && value.length > 0) ?? "unknown"
+}
+
+function getRequestTarget(c: Context): string {
+  try {
+    const url = new URL(c.req.url)
+    return `${c.req.method} ${url.pathname}`
+  } catch {
+    return `${c.req.method} unknown`
+  }
+}
+
+function isClientBlocked(clientAddress: string, now: number): boolean {
+  const entry = state.authFailures.get(clientAddress)
+  if (!entry?.blockedUntil) return false
+
+  if (entry.blockedUntil <= now) {
+    state.authFailures.delete(clientAddress)
+    return false
+  }
+
+  return true
+}
+
+function recordAuthFailure(clientAddress: string, now: number): void {
+  const entry = state.authFailures.get(clientAddress)
+
+  if (!entry || entry.resetAt <= now) {
+    state.authFailures.set(clientAddress, {
+      blockedUntil: undefined,
+      count: 1,
+      resetAt: now + AUTH_WINDOW_MS,
+    })
+    return
+  }
+
+  entry.count += 1
+  if (entry.count >= AUTH_MAX_FAILURES) {
+    entry.blockedUntil = now + AUTH_BLOCK_MS
+  }
+}
+
+function clearAuthFailures(clientAddress: string): void {
+  state.authFailures.delete(clientAddress)
+}
+
+function rejectUnauthorized() {
+  return {
+    error: {
+      message: "Invalid API key",
+      type: "authentication_error",
+    },
+  }
+}
+
+export async function safeRequestLogger(c: Context, next: Next) {
+  const startedAt = Date.now()
+  const target = getRequestTarget(c)
+
+  consola.info(`<-- ${target}`)
+  await next()
+  consola.info(`--> ${target} ${c.res.status} ${Date.now() - startedAt}ms`)
+}
+
+export async function requireApiKey(c: Context, next: Next) {
+  if (!state.apiKey) {
+    await next()
+    return
+  }
+
+  const now = Date.now()
+  const clientAddress = getClientAddress(c)
+
+  if (isClientBlocked(clientAddress, now)) {
+    consola.warn(
+      `Blocked API key request from ${clientAddress} to ${getRequestTarget(c)}`,
+    )
+    return c.json(rejectUnauthorized(), 429)
+  }
+
+  const authorization = c.req.header("authorization")
+  const bearerToken = getBearerToken(authorization)
+  const xApiKey = c.req.header("x-api-key")
+
+  if (bearerToken === state.apiKey || xApiKey === state.apiKey) {
+    clearAuthFailures(clientAddress)
+    await next()
+    return
+  }
+
+  recordAuthFailure(clientAddress, now)
+  consola.warn(
+    `Rejected API key request from ${clientAddress} to ${getRequestTarget(c)}`,
+  )
+
+  return c.json(rejectUnauthorized(), 401)
+}

src/lib/state.ts

@@ -3,6 +3,7 @@ import type { ModelsResponse } from "~/services/copilot/get-models"
 export interface State {
   githubToken?: string
   copilotToken?: string
+  apiKey?: string
 
   accountType: string
   models?: ModelsResponse
@@ -15,10 +16,16 @@ export interface State {
   // Rate limiting configuration
   rateLimitSeconds?: number
   lastRequestTimestamp?: number
+
+  authFailures: Map<
+    string,
+    { count: number; resetAt: number; blockedUntil?: number }
+  >
 }
 
 export const state: State = {
   accountType: "individual",
+  authFailures: new Map(),
   manualApprove: false,
   rateLimitWait: false,
   showToken: false,

src/server.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono"
 import { cors } from "hono/cors"
-import { logger } from "hono/logger"
 
+import { requireApiKey, safeRequestLogger } from "./lib/api-key"
 import { completionRoutes } from "./routes/chat-completions/route"
 import { embeddingRoutes } from "./routes/embeddings/route"
 import { messageRoutes } from "./routes/messages/route"
@@ -12,8 +12,9 @@ import { usageRoute } from "./routes/usage/route"
 
 export const server = new Hono()
 
-server.use(logger())
+server.use(safeRequestLogger)
 server.use(cors())
+server.use("*", requireApiKey)
 
 server.get("/", (c) => c.text("Server running"))
 

src/services/copilot/create-responses.ts

@@ -1,5 +1,3 @@
-/// <reference lib="dom" />
-
 import { copilotHeaders, copilotBaseUrl } from "~/lib/api-config"
 import { HTTPError } from "~/lib/error"
 import { state } from "~/lib/state"
@@ -19,7 +17,7 @@ export const createResponses = async (payload: ResponsesPayload) => {
     body: JSON.stringify(payload),
   })
 
-  if (!response.ok) throw new HTTPError("Failed to create response", response)
+  if (!response.ok) throw new HTTPError("Failed to create responses", response)
 
   return response
 }

src/start.ts

@@ -18,6 +18,7 @@ interface RunServerOptions {
   port: number
   verbose: boolean
   accountType: string
+  apiKey?: string
   manual: boolean
   rateLimit?: number
   rateLimitWait: boolean
@@ -38,6 +39,8 @@ export async function runServer(options: RunServerOptions): Promise<void> {
   }
 
   state.accountType = options.accountType
+  state.apiKey =
+    options.apiKey ?? process.env.API_KEY ?? process.env.COPILOT_API_KEY ?? ""
   if (options.accountType !== "individual") {
     consola.info(`Using ${options.accountType} plan GitHub account`)
   }
@@ -144,6 +147,12 @@ export const start = defineCommand({
       default: "individual",
       description: "Account type to use (individual, business, enterprise)",
     },
+    "api-key": {
+      alias: "k",
+      type: "string",
+      description:
+        "API key required by downstream clients. Falls back to API_KEY or COPILOT_API_KEY env vars",
+    },
     manual: {
       type: "boolean",
       default: false,
@@ -195,6 +204,7 @@ export const start = defineCommand({
       port: Number.parseInt(args.port, 10),
       verbose: args.verbose,
       accountType: args["account-type"],
+      apiKey: args["api-key"],
       manual: args.manual,
       rateLimit,
       rateLimitWait: args.wait,

tests/api-key.test.ts

@@ -0,0 +1,99 @@
+import { afterEach, beforeEach, expect, test } from "bun:test"
+
+import { state } from "../src/lib/state"
+import { server } from "../src/server"
+
+const originalApiKey = state.apiKey
+
+beforeEach(() => {
+  state.authFailures.clear()
+  state.apiKey = "test-key"
+})
+
+afterEach(() => {
+  state.authFailures.clear()
+  state.apiKey = originalApiKey
+})
+
+test("rejects request without presenting an API key", async () => {
+  const response = await server.request("http://localhost/v1/models")
+
+  expect(response.status).toBe(401)
+  expect(await response.json()).toEqual({
+    error: {
+      message: "Invalid API key",
+      type: "authentication_error",
+    },
+  })
+})
+
+test("accepts bearer token authentication", async () => {
+  const response = await server.request("http://localhost/", {
+    headers: {
+      Authorization: "Bearer test-key",
+    },
+  })
+
+  expect(response.status).toBe(200)
+  expect(await response.text()).toBe("Server running")
+})
+
+test("accepts x-api-key authentication", async () => {
+  const response = await server.request("http://localhost/", {
+    headers: {
+      "x-api-key": "test-key",
+    },
+  })
+
+  expect(response.status).toBe(200)
+  expect(await response.text()).toBe("Server running")
+})
+
+test("allows requests when API key protection is disabled", async () => {
+  state.apiKey = ""
+
+  const response = await server.request("http://localhost/")
+
+  expect(response.status).toBe(200)
+  expect(await response.text()).toBe("Server running")
+})
+
+test("uses proxy headers for auth failure rate limiting", async () => {
+  for (let index = 0; index < 10; index += 1) {
+    const response = await server.request("http://localhost/v1/models", {
+      headers: {
+        "x-forwarded-for": "203.0.113.10, 127.0.0.1",
+      },
+    })
+
+    expect(response.status).toBe(401)
+  }
+
+  const blockedResponse = await server.request("http://localhost/v1/models", {
+    headers: {
+      "x-forwarded-for": "203.0.113.10, 127.0.0.1",
+    },
+  })
+
+  expect(blockedResponse.status).toBe(429)
+})
+
+test("successful authentication clears previous auth failures", async () => {
+  const failedResponse = await server.request("http://localhost/v1/models", {
+    headers: {
+      "x-real-ip": "198.51.100.1",
+    },
+  })
+
+  expect(failedResponse.status).toBe(401)
+
+  const successResponse = await server.request("http://localhost/", {
+    headers: {
+      Authorization: "Bearer test-key",
+      "x-real-ip": "198.51.100.1",
+    },
+  })
+
+  expect(successResponse.status).toBe(200)
+  expect(state.authFailures.has("198.51.100.1")).toBe(false)
+})