/** * Issue #2257 — clientApi policy behavior when an invalid Bearer is sent and * REQUIRE_API_KEY=false. * * The existing `client-api-policy.test.ts` shares a DB-backed setup via * `resetStorage()` and `apiKeysDb` that has SQLite migration races on this * branch. This standalone file mocks `validateApiKey` to test the policy's * fallback branch in isolation — no DB, no migration runner. */ import test from "node:test"; import assert from "node:assert/strict"; import Module from "node:module"; // ─── Mock validateApiKey via require interception (so the dynamic import in // the policy module returns our stub instead of hitting the real DB module) ─ type ValidateFn = (key: string) => boolean | Promise; let mockValidateApiKey: ValidateFn = () => false; const originalResolve = (Module as unknown as { _resolveFilename: typeof Module._resolveFilename }) ._resolveFilename; // Intercept require() / import() resolution for the apiKeys DB module and // substitute it for our stub. This runs only for the exact path the policy // imports — production code paths are unaffected. const POLICY_IMPORT_TARGET = "src/lib/db/apiKeys"; (Module as unknown as { _resolveFilename: typeof Module._resolveFilename })._resolveFilename = function patched(this: unknown, request: string, ...rest: unknown[]) { if (request.includes(POLICY_IMPORT_TARGET)) { // Resolve to a stub file we create below const stubPath = new URL("./__stub_apiKeys.mjs", import.meta.url).pathname; // @ts-expect-error - rest spread to original return originalResolve.call(this, stubPath, ...rest); } // @ts-expect-error - rest spread to original return originalResolve.call(this, request, ...rest); }; // Write the stub file ad-hoc (Node's loader needs a real file) import fs from "node:fs"; import os from "node:os"; import path from "node:path"; import { fileURLToPath } from "node:url"; const ORIGINAL_DATA_DIR = process.env.DATA_DIR; const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omr-clientapi-policy-fallback-")); process.env.DATA_DIR = TEST_DATA_DIR; const __dirname = path.dirname(fileURLToPath(import.meta.url)); const STUB_PATH = path.join(__dirname, "__stub_apiKeys.mjs"); fs.writeFileSync( STUB_PATH, `export const validateApiKey = (key) => globalThis.__mockValidateApiKey(key);\n` ); // Wire the stub to our local variable (globalThis as unknown as { __mockValidateApiKey: ValidateFn }).__mockValidateApiKey = (key) => mockValidateApiKey(key); test.after(() => { try { fs.unlinkSync(STUB_PATH); } catch { /* ignore */ } fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true }); if (ORIGINAL_DATA_DIR === undefined) delete process.env.DATA_DIR; else process.env.DATA_DIR = ORIGINAL_DATA_DIR; }); // ─── Load policy fresh (after the interceptor is in place) ──────────────── async function loadPolicy() { const mod = await import(`../../../src/server/authz/policies/clientApi.ts?ts=${Date.now()}`); return mod.clientApiPolicy; } function ctx(headers: Headers, normalizedPath = "/api/v1/chat/completions") { return { request: { method: "POST", headers, url: `http://localhost${normalizedPath}` }, classification: { routeClass: "CLIENT_API" as const, reason: "client_api_v1" as const, normalizedPath, }, requestId: "req_test", }; } // ─── Tests ──────────────────────────────────────────────────────────────── test.beforeEach(() => { // Default to "every key fails" — individual tests override as needed. mockValidateApiKey = () => false; delete process.env.REQUIRE_API_KEY; }); test("#2257 — invalid bearer + REQUIRE_API_KEY=true → 401", async () => { process.env.REQUIRE_API_KEY = "true"; const policy = await loadPolicy(); const headers = new Headers({ authorization: "Bearer sk-stub-bogus" }); const out = await policy.evaluate(ctx(headers)); assert.equal(out.allow, false); if (!out.allow) { assert.equal(out.status, 401); assert.equal(out.code, "AUTH_002"); } }); test("#2257 — invalid bearer + REQUIRE_API_KEY=false → anonymous (with warning log)", async () => { const originalWarn = console.warn; const warnings: string[] = []; console.warn = (msg: string) => warnings.push(String(msg)); try { const policy = await loadPolicy(); const headers = new Headers({ authorization: "Bearer sk-stub-bogus" }); const out = await policy.evaluate(ctx(headers)); assert.equal(out.allow, true); if (out.allow) { assert.equal(out.subject.kind, "anonymous"); assert.equal(out.subject.id, "local"); } assert.ok( warnings.some((w) => w.includes("[clientApiPolicy]") && w.includes("REQUIRE_API_KEY=false")), "expected a warning about the fallback" ); } finally { console.warn = originalWarn; } }); test("#2257 — invalid x-api-key + REQUIRE_API_KEY=false → anonymous (with warning log)", async () => { const originalWarn = console.warn; const warnings: string[] = []; console.warn = (msg: string) => warnings.push(String(msg)); try { const policy = await loadPolicy(); const headers = new Headers({ "x-api-key": "sk-stub-bogus" }); const out = await policy.evaluate(ctx(headers)); assert.equal(out.allow, true); if (out.allow) { assert.equal(out.subject.kind, "anonymous"); assert.equal(out.subject.id, "local"); } assert.ok( warnings.some((w) => w.includes("[clientApiPolicy]") && w.includes("REQUIRE_API_KEY=false")), "expected a warning about the fallback" ); } finally { console.warn = originalWarn; } }); test("#2257 — fallback warning masks the x-api-key (only last-4 in log)", async () => { const originalWarn = console.warn; const warnings: string[] = []; console.warn = (msg: string) => warnings.push(String(msg)); try { const policy = await loadPolicy(); const headers = new Headers({ "x-api-key": "sk-secretprefix-secretmiddle-XYZW" }); const out = await policy.evaluate(ctx(headers)); assert.equal(out.allow, true); assert.ok( warnings.every((w) => !w.includes("secretprefix") && !w.includes("secretmiddle")), "warning leaked the full bearer; only masked key id should be logged" ); assert.ok( warnings.some((w) => w.includes("key_XYZW")), "expected masked key id (last-4) in the warning" ); } finally { console.warn = originalWarn; } }); test("#2257 — fallback warning masks the bearer (only last-4 in log)", async () => { const originalWarn = console.warn; const warnings: string[] = []; console.warn = (msg: string) => warnings.push(String(msg)); try { const policy = await loadPolicy(); const headers = new Headers({ authorization: "Bearer sk-secretprefix-secretmiddle-XYZW" }); const out = await policy.evaluate(ctx(headers)); assert.equal(out.allow, true); assert.ok( warnings.every((w) => !w.includes("secretprefix") && !w.includes("secretmiddle")), "warning leaked the full bearer; only masked key id should be logged" ); assert.ok( warnings.some((w) => w.includes("key_XYZW")), "expected masked key id (last-4) in the warning" ); } finally { console.warn = originalWarn; } }); test("#2257 — no bearer + REQUIRE_API_KEY=false → anonymous (unchanged, no fallback warning)", async () => { const originalWarn = console.warn; const warnings: string[] = []; console.warn = (msg: string) => warnings.push(String(msg)); try { const policy = await loadPolicy(); const out = await policy.evaluate(ctx(new Headers())); assert.equal(out.allow, true); if (out.allow) { assert.equal(out.subject.kind, "anonymous"); } // No warning should fire when no bearer is sent in the first place — // the warning is specifically for the "invalid-bearer-fell-through" case. assert.ok( warnings.every((w) => !w.includes("[clientApiPolicy]")), "no fallback warning expected when no bearer was sent" ); } finally { console.warn = originalWarn; } }); // ─── #3504 — non-usable Authorization must NOT short-circuit the URL path token ─ // VS Code Copilot sends its own (empty / non-OmniRoute) Authorization header even // when the OmniRoute key lives in the URL path of a /vscode tokenized endpoint. // A non-"Bearer " Authorization must fall through to the URL token instead // of returning null and 401'ing under REQUIRE_API_KEY=true. // validateApiKey is the real (no-DB → always-false) implementation here, so we // distinguish "URL token was extracted" from "no token found" by the rejection // MESSAGE: an extracted-but-unknown token → "Invalid API key"; nothing extracted // → "Authentication required". On the pre-fix code a non-Bearer Authorization // returned null, so these would all 401 with "Authentication required". test("#3504 — empty 'Bearer ' Authorization falls through to the URL path token", async () => { process.env.REQUIRE_API_KEY = "true"; const policy = await loadPolicy(); const headers = new Headers({ authorization: "Bearer " }); const out = await policy.evaluate( ctx(headers, "/api/v1/vscode/sk-url-token/chat/completions") ); assert.equal(out.allow, false); if (!out.allow) { assert.equal(out.status, 401); assert.equal( out.message, "Invalid API key", "URL token must be extracted (→ 'Invalid API key'), not skipped (→ 'Authentication required')" ); } }); test("#3504 — a non-Bearer scheme (Basic) also falls through to the URL token", async () => { process.env.REQUIRE_API_KEY = "true"; const policy = await loadPolicy(); const headers = new Headers({ authorization: "Basic Zm9vOmJhcg==" }); const out = await policy.evaluate( ctx(headers, "/api/v1/vscode/sk-url-token/chat/completions") ); assert.equal(out.allow, false); if (!out.allow) assert.equal(out.message, "Invalid API key"); }); test("#3504 — non-Bearer Authorization with NO URL token still rejects as unauthenticated", async () => { process.env.REQUIRE_API_KEY = "true"; const policy = await loadPolicy(); const headers = new Headers({ authorization: "Bearer " }); const out = await policy.evaluate(ctx(headers, "/api/v1/chat/completions")); assert.equal(out.allow, false); if (!out.allow) assert.equal(out.message, "Authentication required"); });