Files
diegosouzapw--omniroute/tests/unit/provider-validation-specialty.test.ts
2026-07-13 13:39:12 +08:00

2856 lines
104 KiB
TypeScript

import test from "node:test";
import assert from "node:assert/strict";
const {
validateProviderApiKey,
validateClaudeCodeCompatibleProvider,
validateCommandCodeProvider,
isSecurityBlockError,
} = await import("../../src/lib/providers/validation.ts");
const { SafeOutboundFetchError } = await import("../../src/shared/network/safeOutboundFetch.ts");
const { __setTlsFetchOverrideForTesting: __setPplxTlsFetchOverride } =
await import("../../open-sse/services/perplexityTlsClient.ts");
const { __setTlsFetchOverrideForTesting: __setGrokTlsFetchOverride } =
await import("../../open-sse/services/grokTlsClient.ts");
const { COMMAND_CODE_VERSION } = await import("../../open-sse/executors/commandCode.ts");
const originalFetch = globalThis.fetch;
test.afterEach(() => {
globalThis.fetch = originalFetch;
__setPplxTlsFetchOverride(null);
__setGrokTlsFetchOverride(null);
});
function toPlainHeaders(headers: any) {
if (headers instanceof Headers) return Object.fromEntries(headers.entries());
return Object.fromEntries(
Object.entries(headers || {}).map(([key, value]) => [key, String(value)])
);
}
function metaAiSseText(content: string, streamingState = "DONE") {
return `event: next
data: ${JSON.stringify({
data: {
sendMessageStream: {
__typename: "AssistantMessage",
id: "meta-msg-1",
content,
streamingState,
error:
streamingState === "ERROR"
? { message: content, code: null, stack: "Error: " + content }
: null,
contentRenderer: { __typename: "TextContentRenderer", text: content },
},
},
})}
event: complete
data:
`;
}
test("specialty provider validators cover Deepgram, AssemblyAI, ElevenLabs and Inworld branches", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
const headers = init.headers || {};
if (target.match(/deepgram/i)) {
assert.equal(headers.Authorization, "Token dg-key");
return new Response(JSON.stringify({ ok: true }), { status: 200 });
}
if (target.match(/assemblyai/i)) {
assert.equal(headers.Authorization, "aa-key");
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 403 });
}
if (target.match(/elevenlabs/i)) {
return new Response(JSON.stringify({ voices: [] }), { status: 200 });
}
if (target.match(/inworld/i)) {
return new Response(JSON.stringify({ error: "bad request" }), { status: 400 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const deepgram = await validateProviderApiKey({ provider: "deepgram", apiKey: "dg-key" });
const assembly = await validateProviderApiKey({ provider: "assemblyai", apiKey: "aa-key" });
const eleven = await validateProviderApiKey({ provider: "elevenlabs", apiKey: "el-key" });
const inworld = await validateProviderApiKey({ provider: "inworld", apiKey: "iw-key" });
assert.equal(deepgram.valid, true);
assert.equal(assembly.error, "Invalid API key");
assert.equal(eleven.valid, true);
assert.equal(inworld.valid, true);
});
test("validateCommandCodeProvider ignores caller baseUrl and chatPath overrides", async () => {
globalThis.fetch = async (url, init = {}) => {
assert.equal(String(url), "https://api.commandcode.ai/alpha/generate");
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer cc-key");
const body = JSON.parse(String(init.body));
assert.equal(body.params.model, "command-code-validation-model");
return new Response(JSON.stringify({ ok: true }), { status: 200 });
};
const result = await validateCommandCodeProvider({
apiKey: "cc-key",
providerSpecificData: {
baseUrl: "https://evil.example/api",
chatPath: "/v1/chat/completions",
validationModelId: "command-code-validation-model",
},
});
assert.equal(result.valid, true);
});
test("validateCommandCodeProvider defaults probe model to DeepSeek flash", async () => {
globalThis.fetch = async (_url, init = {}) => {
const body = JSON.parse(String(init.body));
assert.equal(body.params.model, "deepseek/deepseek-v4-flash");
return new Response("", { status: 400 });
};
const result = await validateCommandCodeProvider({ apiKey: "cc-key" });
assert.deepEqual(result, { valid: true, error: null });
});
test("specialty providers surface network failures and non-auth upstream failures", async () => {
globalThis.fetch = async (url) => {
const target = String(url);
if (target.match(/deepgram/i)) {
throw new Error("deepgram offline");
}
if (target.match(/elevenlabs/i)) {
return new Response(JSON.stringify({ error: "server" }), { status: 500 });
}
if (target.match(/inworld/i)) {
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
}
if (target.match(/longcat/i)) {
throw new Error("longcat offline");
}
throw new Error(`unexpected fetch: ${target}`);
};
const deepgram = await validateProviderApiKey({ provider: "deepgram", apiKey: "dg-key" });
const eleven = await validateProviderApiKey({ provider: "elevenlabs", apiKey: "el-key" });
const inworld = await validateProviderApiKey({ provider: "inworld", apiKey: "iw-key" });
const longcat = await validateProviderApiKey({ provider: "longcat", apiKey: "lc-key" });
assert.equal(deepgram.error, "deepgram offline");
assert.equal(eleven.error, "Validation failed: 500");
assert.equal(inworld.error, "Invalid API key");
assert.equal(longcat.error, "longcat offline");
});
test("embedding and rerank specialty validators cover Voyage AI and Jina AI", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.voyageai.com/v1/embeddings") {
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer voyage-key");
const body = JSON.parse(String(init.body));
assert.equal(body.model, "voyage-4-large");
return new Response(JSON.stringify({ data: [{ embedding: [0.1, 0.2] }] }), { status: 200 });
}
if (target === "https://api.jina.ai/v1/rerank") {
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer jina-key");
const body = JSON.parse(String(init.body));
assert.equal(body.model, "jina-reranker-v3");
return new Response(JSON.stringify({ results: [{ index: 0, relevance_score: 0.99 }] }), {
status: 200,
});
}
throw new Error(`unexpected fetch: ${target}`);
};
const voyage = await validateProviderApiKey({ provider: "voyage-ai", apiKey: "voyage-key" });
const jina = await validateProviderApiKey({ provider: "jina-ai", apiKey: "jina-key" });
assert.equal(voyage.valid, true);
assert.equal(jina.valid, true);
});
test("AWS Polly specialty validator signs DescribeVoices with SigV4", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
const headers = init.headers as Record<string, string>;
assert.equal(target, "https://polly.us-east-2.amazonaws.com/v1/voices?Engine=standard");
assert.match(
headers.Authorization,
/^AWS4-HMAC-SHA256 Credential=AKIA_POLLY\/\d{8}\/us-east-2\/polly\/aws4_request,/
);
assert.equal(headers.host, "polly.us-east-2.amazonaws.com");
assert.equal(headers["x-amz-content-sha256"].length, 64);
return new Response(JSON.stringify({ Voices: [] }), { status: 200 });
};
const result = await validateProviderApiKey({
provider: "aws-polly",
apiKey: "aws-secret",
providerSpecificData: {
accessKeyId: "AKIA_POLLY",
region: "us-east-2",
},
});
assert.equal(result.valid, true);
});
test("AWS Polly specialty validator requires an access key id", async () => {
const result = await validateProviderApiKey({
provider: "aws-polly",
apiKey: "aws-secret",
providerSpecificData: {
region: "us-east-2",
},
});
assert.equal(result.error, "Missing AWS accessKeyId");
});
test("embedding and rerank specialty validators surface auth failures for Voyage AI and Jina AI", async () => {
globalThis.fetch = async (url) => {
const target = String(url);
if (target === "https://api.voyageai.com/v1/embeddings") {
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
if (target === "https://api.jina.ai/v1/rerank") {
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const voyage = await validateProviderApiKey({ provider: "voyage-ai", apiKey: "voyage-key" });
const jina = await validateProviderApiKey({ provider: "jina-ai", apiKey: "jina-key" });
assert.equal(voyage.error, "Invalid API key");
assert.equal(jina.error, "Invalid API key");
});
test("v0-vercel specialty validator checks the Platform API chats endpoint", async () => {
globalThis.fetch = async (url, init = {}) => {
assert.equal(String(url), "https://api.v0.dev/v1/chats?limit=1");
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer v0-key");
return new Response(JSON.stringify({ object: "list", data: [] }), { status: 200 });
};
const result = await validateProviderApiKey({
provider: "v0-vercel",
apiKey: "v0-key",
providerSpecificData: {
baseUrl: "https://api.v0.dev/v1/chat/completions",
},
});
assert.deepEqual(result, {
valid: true,
error: null,
method: "v0_platform_chats_list",
});
});
test("v0-vercel specialty validator treats auth failures as invalid API key", async () => {
globalThis.fetch = async (url, init = {}) => {
assert.equal(String(url), "https://api.v0.dev/v1/chats?limit=1");
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer bad-v0-key");
return new Response(JSON.stringify({ error: { type: "unauthorized_error" } }), {
status: 401,
});
};
const result = await validateProviderApiKey({
provider: "v0-vercel",
apiKey: "bad-v0-key",
providerSpecificData: {
baseUrl: "https://api.v0.dev/v1",
},
});
assert.equal(result.error, "Invalid API key");
});
test("gitlab specialty validator accepts PAT auth on the direct access endpoint", async () => {
globalThis.fetch = async (url, init = {}) => {
assert.equal(String(url), "https://gitlab.com/api/v4/code_suggestions/direct_access");
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer glpat-test");
return new Response(JSON.stringify({ token: "short-lived" }), { status: 200 });
};
const result = await validateProviderApiKey({ provider: "gitlab", apiKey: "glpat-test" });
assert.equal(result.valid, true);
});
test("gitlab specialty validator treats 401 as invalid PAT", async () => {
globalThis.fetch = async () =>
new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
const result = await validateProviderApiKey({ provider: "gitlab", apiKey: "glpat-bad" });
assert.equal(result.error, "Invalid API key");
});
test("web-cookie provider validators accept valid Grok, Perplexity, Blackbox and Muse Spark session cookies", async () => {
const calls = [];
// Grok now uses tlsFetchGrok (TLS-impersonating client) to bypass Cloudflare Enterprise.
let grokTlsCall: { url: string; options: Record<string, unknown> } | null = null;
__setGrokTlsFetchOverride(async (url, options) => {
grokTlsCall = { url, options };
return { status: 200, headers: new Headers(), text: null, body: null };
});
// Perplexity now uses tlsFetchPerplexity (TLS-impersonating client) instead of globalThis.fetch
// to bypass Cloudflare Enterprise. Use the test-only override hook to intercept calls.
let pplxTlsCall: { url: string; options: Record<string, unknown> } | null = null;
__setPplxTlsFetchOverride(async (url, options) => {
pplxTlsCall = { url, options };
return { status: 200, headers: new Headers(), text: null, body: null };
});
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
calls.push({ url: target, init });
if (target.includes("app.blackbox.ai/api/auth/session")) {
return new Response(
JSON.stringify({
user: { id: "bb-user-1", email: "premium@example.com" },
}),
{ status: 200 }
);
}
if (target.includes("app.blackbox.ai/api/check-subscription")) {
return new Response(
JSON.stringify({
hasActiveSubscription: true,
isTrialSubscription: false,
plan: "pro",
}),
{ status: 200 }
);
}
if (target.includes("meta.ai/api/graphql")) {
return new Response(metaAiSseText("Muse Spark says hello"), {
status: 200,
headers: { "Content-Type": "text/event-stream" },
});
}
throw new Error(`unexpected fetch: ${target}`);
};
const grok = await validateProviderApiKey({ provider: "grok-web", apiKey: "sso=grok-cookie" });
const perplexity = await validateProviderApiKey({
provider: "perplexity-web",
apiKey: "__Secure-next-auth.session-token=pplx-cookie",
});
const blackbox = await validateProviderApiKey({
provider: "blackbox-web",
apiKey: "__Secure-authjs.session-token=bb-cookie",
});
const museSpark = await validateProviderApiKey({
provider: "muse-spark-web",
apiKey: "abra_sess=meta-cookie",
});
assert.equal(grok.valid, true);
assert.equal(perplexity.valid, true);
assert.equal(blackbox.valid, true);
assert.equal(museSpark.valid, true);
const blackboxSessionCall = calls.find((call) =>
call.url.includes("app.blackbox.ai/api/auth/session")
);
const blackboxSubscriptionCall = calls.find((call) =>
call.url.includes("app.blackbox.ai/api/check-subscription")
);
const museSparkCall = calls.find((call) => call.url.includes("meta.ai/api/graphql"));
// Grok goes through tlsFetchGrok (TLS override), not globalThis.fetch.
assert.ok(grokTlsCall, "grok TLS override was called");
assert.ok(grokTlsCall!.url.includes("grok.com/rest/app-chat/conversations/new"));
assert.equal(
(grokTlsCall!.options.headers as Record<string, string>)["Cookie"],
"sso=grok-cookie"
);
const grokBody = JSON.parse(String(grokTlsCall!.options.body || "{}"));
assert.equal(grokBody.modeId, "fast");
assert.equal("modelName" in grokBody, false);
assert.equal("modelMode" in grokBody, false);
// Perplexity goes through tlsFetchPerplexity (TLS override), not globalThis.fetch.
// options.headers is a plain object; the validator sets Cookie from the session token.
assert.ok(pplxTlsCall, "perplexity TLS override was called");
assert.ok(pplxTlsCall!.url.includes("perplexity.ai/rest/sse/perplexity_ask"));
assert.equal(
(pplxTlsCall!.options.headers as Record<string, string>)["Cookie"],
"__Secure-next-auth.session-token=pplx-cookie"
);
assert.equal(blackboxSessionCall?.init.headers.Cookie, "__Secure-authjs.session-token=bb-cookie");
assert.equal(
blackboxSubscriptionCall?.init.headers.Cookie,
"__Secure-authjs.session-token=bb-cookie"
);
assert.equal(museSparkCall?.init.headers.Cookie, "abra_sess=meta-cookie");
assert.equal(museSparkCall?.init.headers["X-FB-Friendly-Name"], "useEctoSendMessageSubscription");
});
test("web-cookie provider validators surface auth and subscription failures", async () => {
// Perplexity uses tlsFetchPerplexity (TLS-impersonating client). Return 403 to simulate
// an invalid session cookie so the validator emits the expected error message.
__setPplxTlsFetchOverride(async () => {
return { status: 403, headers: new Headers(), text: null, body: null };
});
__setGrokTlsFetchOverride(async () => {
return { status: 401, headers: new Headers(), text: "Unauthorized", body: null };
});
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target.includes("app.blackbox.ai/api/auth/session")) {
const cookie = (init.headers as Record<string, string>)?.Cookie || "";
if (cookie.includes("expired-cookie")) {
return new Response("null", { status: 200 });
}
return new Response(
JSON.stringify({
user: { id: "bb-user-2", email: "free@example.com" },
}),
{ status: 200 }
);
}
if (target.includes("app.blackbox.ai/api/check-subscription")) {
return new Response(
JSON.stringify({
hasActiveSubscription: false,
isTrialSubscription: false,
previouslySubscribed: true,
plan: "free",
}),
{ status: 200 }
);
}
if (target.includes("meta.ai/api/graphql")) {
return new Response(metaAiSseText("Authentication required to send messages", "ERROR"), {
status: 200,
headers: { "Content-Type": "text/event-stream" },
});
}
throw new Error(`unexpected fetch: ${target}`);
};
const grok = await validateProviderApiKey({ provider: "grok-web", apiKey: "grok-cookie" });
const perplexity = await validateProviderApiKey({
provider: "perplexity-web",
apiKey: "pplx-cookie",
});
const blackboxExpired = await validateProviderApiKey({
provider: "blackbox-web",
apiKey: "expired-cookie",
});
const blackboxNoSubscription = await validateProviderApiKey({
provider: "blackbox-web",
apiKey: "free-account-cookie",
});
const museSpark = await validateProviderApiKey({
provider: "muse-spark-web",
apiKey: "meta-cookie",
});
assert.match(grok.error || "", /Invalid SSO cookie/i);
assert.match(perplexity.error || "", /Invalid Perplexity session cookie/i);
assert.match(blackboxExpired.error || "", /Invalid Blackbox session cookie/i);
assert.match(blackboxNoSubscription.error || "", /no active paid subscription/i);
assert.match(museSpark.error || "", /Invalid Meta AI session cookie/i);
});
test("grok-web validator: full DevTools cookie blob is parsed for the sso value", async () => {
let capturedCookie = "";
__setGrokTlsFetchOverride(async (_url, options) => {
capturedCookie = ((options.headers as Record<string, string>) || {}).Cookie || "";
return { status: 200, headers: new Headers(), text: null, body: null };
});
const blob = "i18nextLng=en; stblid=foo; __cf_bm=bar; sso=eyJTARGET.abc.def; cf_clearance=baz;";
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: blob });
assert.equal(result.valid, true);
// #5350 — the outbound cookie now forwards the Cloudflare cookies too.
assert.match(capturedCookie, /(?:^|;\s*)sso=eyJTARGET\.abc\.def(?:;|$)/);
assert.match(capturedCookie, /(?:^|;\s*)cf_clearance=baz(?:;|$)/);
assert.match(capturedCookie, /(?:^|;\s*)__cf_bm=bar(?:;|$)/);
});
test("grok-web validator: empty/missing sso in input returns 'Missing sso cookie'", async () => {
__setGrokTlsFetchOverride(async () => {
throw new Error("validator should short-circuit before fetching");
});
const result = await validateProviderApiKey({
provider: "grok-web",
apiKey: "foo=1; bar=2;",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Missing sso cookie/i);
});
test("grok-web validator: non-auth 403 is reported as failure with upstream body, not silently passed", async () => {
__setGrokTlsFetchOverride(async () => {
return {
status: 403,
headers: new Headers(),
text: JSON.stringify({ error: { code: 7, message: "Model is not found", details: [] } }),
body: null,
};
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "good-cookie" });
assert.equal(result.valid, false);
assert.match(result.error || "", /Grok rejected validation \(403\)/);
assert.match(result.error || "", /Model is not found/);
});
test("grok-web validator: generic non-auth 403 maps to IP-reputation guidance, not 'invalid cookie' (#3474)", async () => {
__setGrokTlsFetchOverride(async () => {
return { status: 403, headers: new Headers(), text: "Forbidden", body: null };
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "any-cookie" });
assert.equal(result.valid, false);
// A bare/non-auth 403 from grok.com is almost always an anti-bot/IP-reputation
// block — the cookie itself is likely fine. The message must point the user to a
// residential IP or proxy, NOT tell them the cookie is invalid.
assert.match(result.error || "", /residential IP|proxy/i);
assert.doesNotMatch(result.error || "", /invalid SSO cookie/i);
});
test("grok-web validator: anti-bot 'Request rejected' 403 maps to IP-reputation guidance (#3474)", async () => {
__setGrokTlsFetchOverride(async () => {
return {
status: 403,
headers: new Headers(),
text: "Request rejected by anti-bot rules.",
body: null,
};
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "good-cookie" });
assert.equal(result.valid, false);
assert.match(result.error || "", /residential IP|proxy/i);
// Cookie may be fine — must not claim it is invalid/expired.
assert.doesNotMatch(result.error || "", /invalid SSO cookie|expired/i);
});
test("grok-web validator: Cloudflare challenge returned with a 403 status maps to IP guidance (#3474)", async () => {
__setGrokTlsFetchOverride(async () => {
return {
status: 403,
headers: new Headers(),
text: "<html><title>Just a moment...</title><script>window._cf_chl_opt</script></html>",
body: null,
};
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "sso=abc" });
assert.equal(result.valid, false);
assert.match(result.error || "", /residential IP|proxy/i);
});
test("grok-web validator: IP-reputation 403 message does not leak a stack/raw error (Hard Rule #12) (#3474)", async () => {
__setGrokTlsFetchOverride(async () => {
return {
status: 403,
headers: new Headers(),
text: "Request rejected by anti-bot rules.\n at GrokWeb.validate (/app/secret/path.ts:42:13)",
body: null,
};
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "good-cookie" });
assert.equal(result.valid, false);
assert.match(result.error || "", /residential IP|proxy/i);
assert.ok(!(result.error || "").includes("at GrokWeb.validate"));
assert.ok(!(result.error || "").includes("/app/secret/path.ts"));
assert.ok(!(result.error || "").includes(" at "));
});
test("grok-web validator: structured non-auth 403 (resource error) still surfaces upstream body for maintainers (#3474)", async () => {
// Distinct from an anti-bot block: a genuine upstream API error (e.g. the probe
// model was renamed) carries a structured error.message and must NOT be masked
// by the IP-reputation guidance — the maintainer needs to see the real cause.
__setGrokTlsFetchOverride(async () => {
return {
status: 403,
headers: new Headers(),
text: JSON.stringify({ error: { code: 7, message: "Model is not found", details: [] } }),
body: null,
};
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "good-cookie" });
assert.equal(result.valid, false);
assert.match(result.error || "", /Grok rejected validation \(403\)/);
assert.match(result.error || "", /Model is not found/);
assert.doesNotMatch(result.error || "", /residential IP|proxy/i);
});
test("grok-web validator: auth-shaped 401 keeps the re-paste/re-authenticate guidance (no regression) (#3474)", async () => {
__setGrokTlsFetchOverride(async () => {
return { status: 401, headers: new Headers(), text: "Unauthorized", body: null };
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "expired-cookie" });
assert.equal(result.valid, false);
assert.match(result.error || "", /Invalid SSO cookie|re-paste/i);
assert.doesNotMatch(result.error || "", /residential IP|proxy/i);
});
test("grok-web validator: 403 with credential-rejection body is treated as auth-failed", async () => {
__setGrokTlsFetchOverride(async () => {
return {
status: 403,
headers: new Headers(),
text: JSON.stringify({
error: {
code: 16,
message: "Failed to look up session ID. [WKE=unauthenticated:invalid-credentials]",
details: [],
},
}),
body: null,
};
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "bad-cookie" });
assert.equal(result.valid, false);
assert.match(result.error || "", /Invalid SSO cookie/i);
});
// #5350 — when the user DID supply a cf_clearance, an auth-shaped 401 / invalid-credentials 403
// is almost always an IP-reputation block (cf_clearance is IP+TLS+UA-pinned and cannot be
// replayed from a different machine), NOT a bad cookie. Surface the IP guidance instead of the
// misleading "Invalid SSO cookie" verdict.
test("grok-web validator: 401 WITH a cf_clearance maps to IP-reputation guidance, not 'invalid cookie' (#5350)", async () => {
__setGrokTlsFetchOverride(async () => {
return { status: 401, headers: new Headers(), text: "Unauthorized", body: null };
});
const blob = "sso=eyJTARGET.abc.def; sso-rw=RW; cf_clearance=CF; __cf_bm=BM";
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: blob });
assert.equal(result.valid, false);
assert.match(result.error || "", /residential IP|proxy/i);
assert.doesNotMatch(result.error || "", /invalid SSO cookie/i);
});
test("grok-web validator: invalid-credentials 403 WITH a cf_clearance maps to IP-reputation guidance (#5350)", async () => {
__setGrokTlsFetchOverride(async () => {
return {
status: 403,
headers: new Headers(),
text: JSON.stringify({
error: {
code: 16,
message: "Failed to look up session ID. [WKE=unauthenticated:invalid-credentials]",
details: [],
},
}),
body: null,
};
});
const blob = "sso=eyJTARGET.abc.def; cf_clearance=CF";
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: blob });
assert.equal(result.valid, false);
assert.match(result.error || "", /residential IP|proxy/i);
assert.doesNotMatch(result.error || "", /invalid SSO cookie/i);
});
test("grok-web validator: TLS client unavailable surfaces actionable error", async () => {
__setGrokTlsFetchOverride(async () => {
const { TlsClientUnavailableError } = await import("../../open-sse/services/grokTlsClient.ts");
throw new TlsClientUnavailableError("native binary not found");
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "sso=abc" });
assert.equal(result.valid, false);
assert.match(result.error || "", /TLS impersonation client unavailable/i);
assert.match(result.error || "", /native binary not found/i);
});
test("grok-web validator: Cloudflare challenge page is detected and reported", async () => {
__setGrokTlsFetchOverride(async () => {
return {
status: 200,
headers: new Headers(),
text: "<html><title>Just a moment...</title><script>window._cf_chl_opt</script></html>",
body: null,
};
});
const result = await validateProviderApiKey({ provider: "grok-web", apiKey: "sso=abc" });
assert.equal(result.valid, false);
assert.match(result.error || "", /Cloudflare anti-bot/i);
});
// ─── chatgpt-web validator ──────────────────────────────────────────────────
// Mocks the TLS-impersonating fetch so unit tests don't need the native binding.
const { __setTlsFetchOverrideForTesting } =
await import("../../open-sse/services/chatgptTlsClient.ts");
function makeTlsResponse(status: number, body: string, headers: Record<string, string> = {}): any {
const h = new Headers();
for (const [k, v] of Object.entries(headers)) h.set(k, v);
return { status, headers: h, text: body, body: null };
}
test.afterEach(() => {
__setTlsFetchOverrideForTesting(null);
});
test("chatgpt-web validator: accepts a valid session response with accessToken", async () => {
let captured: { url: string; opts: any } | null = null;
__setTlsFetchOverrideForTesting(async (url, opts) => {
captured = { url, opts };
return makeTlsResponse(
200,
JSON.stringify({ accessToken: "tok-abc", expires: "2030-01-01T00:00:00Z" }),
{ "content-type": "application/json" }
);
});
const result = await validateProviderApiKey({
provider: "chatgpt-web",
apiKey: "__Secure-next-auth.session-token=eyJSESSION",
});
assert.equal(result.valid, true);
assert.equal(captured?.url, "https://chatgpt.com/api/auth/session");
assert.equal(
(captured?.opts.headers as Record<string, string>).Cookie,
"__Secure-next-auth.session-token=eyJSESSION"
);
});
test("chatgpt-web validator: prepends session-token name to bare values", async () => {
let capturedCookie = "";
__setTlsFetchOverrideForTesting(async (_url, opts) => {
capturedCookie = (opts.headers as Record<string, string>).Cookie || "";
return makeTlsResponse(200, JSON.stringify({ accessToken: "tok" }), {
"content-type": "application/json",
});
});
await validateProviderApiKey({ provider: "chatgpt-web", apiKey: "eyJBARE" });
assert.equal(capturedCookie, "__Secure-next-auth.session-token=eyJBARE");
});
test("chatgpt-web validator: passes full DevTools cookie blob through verbatim", async () => {
let capturedCookie = "";
__setTlsFetchOverrideForTesting(async (_url, opts) => {
capturedCookie = (opts.headers as Record<string, string>).Cookie || "";
return makeTlsResponse(200, JSON.stringify({ accessToken: "tok" }), {
"content-type": "application/json",
});
});
const blob =
"Cookie: oai-did=foo; __Secure-next-auth.session-token.0=eyJchunk0; __Secure-next-auth.session-token.1=eyJchunk1; cf_clearance=cf123;";
await validateProviderApiKey({ provider: "chatgpt-web", apiKey: blob });
assert.equal(
capturedCookie,
"oai-did=foo; __Secure-next-auth.session-token.0=eyJchunk0; __Secure-next-auth.session-token.1=eyJchunk1; cf_clearance=cf123;"
);
});
test("chatgpt-web validator: 401 without cf-mitigated → invalid session cookie", async () => {
__setTlsFetchOverrideForTesting(async () =>
makeTlsResponse(401, JSON.stringify({ error: "unauthorized" }), {
"content-type": "application/json",
})
);
const result = await validateProviderApiKey({
provider: "chatgpt-web",
apiKey: "stale-token",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Invalid ChatGPT session cookie/i);
});
test("chatgpt-web validator: 403 with cf-mitigated header → Cloudflare hint", async () => {
__setTlsFetchOverrideForTesting(async () =>
makeTlsResponse(403, "<html>Just a moment...</html>", {
"content-type": "text/html",
"cf-mitigated": "challenge",
})
);
const result = await validateProviderApiKey({
provider: "chatgpt-web",
apiKey: "good-but-no-cf-cookies",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Cloudflare blocked the validator/i);
});
test("chatgpt-web validator: 200 without accessToken → session expired", async () => {
__setTlsFetchOverrideForTesting(async () =>
makeTlsResponse(200, JSON.stringify({}), { "content-type": "application/json" })
);
const result = await validateProviderApiKey({
provider: "chatgpt-web",
apiKey: "expired-token",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /session expired/i);
});
test("chatgpt-web validator: 5xx → ChatGPT unavailable", async () => {
__setTlsFetchOverrideForTesting(async () =>
makeTlsResponse(503, "service unavailable", { "content-type": "text/plain" })
);
const result = await validateProviderApiKey({
provider: "chatgpt-web",
apiKey: "any-token",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /ChatGPT unavailable \(503\)/);
});
test("chatgpt-web validator: 200 non-JSON content-type surfaces a cookie hint", async () => {
__setTlsFetchOverrideForTesting(async () =>
makeTlsResponse(200, "<html>blocked</html>", {
"content-type": "text/html",
"cf-ray": "ray-123",
})
);
const result = await validateProviderApiKey({
provider: "chatgpt-web",
apiKey: "any-token",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /non-JSON.*text\/html.*cf-ray=ray-123/i);
});
test("chatgpt-web validator: TlsClientUnavailableError surfaces a clear message", async () => {
const { TlsClientUnavailableError } = await import("../../open-sse/services/chatgptTlsClient.ts");
__setTlsFetchOverrideForTesting(async () => {
throw new TlsClientUnavailableError("native binding failed to load");
});
const result = await validateProviderApiKey({
provider: "chatgpt-web",
apiKey: "any-token",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /chatgpt-web requires this/i);
});
test("search provider validators cover success, client errors, server errors and custom user agent injection", async () => {
const calls = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), init });
const target = String(url);
if (target.match(/search\.brave\.com/i)) {
return new Response(JSON.stringify({ results: [] }), { status: 200 });
}
if (target.match(/api\.exa\.ai/i)) {
return new Response(JSON.stringify({ error: "bad key" }), { status: 403 });
}
if (target.match(/api\.tavily\.com/i)) {
return new Response(JSON.stringify({ error: "server" }), { status: 503 });
}
if (target.match(/api\.perplexity\.ai/i)) {
throw new Error("perplexity offline");
}
throw new Error(`unexpected fetch: ${target}`);
};
const brave = await validateProviderApiKey({
provider: "brave-search",
apiKey: "brave-key",
providerSpecificData: { customUserAgent: "SearchSuite/1.0" },
});
const exa = await validateProviderApiKey({ provider: "exa-search", apiKey: "exa-key" });
const tavily = await validateProviderApiKey({ provider: "tavily-search", apiKey: "tv-key" });
const perplexity = await validateProviderApiKey({
provider: "perplexity-search",
apiKey: "px-key",
});
assert.equal(brave.valid, true);
assert.equal(exa.error, "Invalid API key");
assert.equal(tavily.error, "Validation failed: 503");
assert.equal(perplexity.error, "perplexity offline");
assert.equal(calls[0].init.headers["User-Agent"], "SearchSuite/1.0");
});
test("extended search provider validators cover Google PSE, Linkup, SearchAPI, You.com and SearXNG", async () => {
const originalAllowPrivateProviderUrls = process.env.OMNIROUTE_ALLOW_PRIVATE_PROVIDER_URLS;
process.env.OMNIROUTE_ALLOW_PRIVATE_PROVIDER_URLS = "true";
const calls = [];
try {
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), init });
const target = String(url);
if (target.startsWith("https://www.googleapis.com/customsearch/v1")) {
return new Response(JSON.stringify({ items: [] }), { status: 200 });
}
if (target.startsWith("https://api.linkup.so/v1/search")) {
return new Response(JSON.stringify({ error: "bad request" }), { status: 400 });
}
if (target.startsWith("https://www.searchapi.io/api/v1/search")) {
return new Response(JSON.stringify({ organic_results: [] }), { status: 200 });
}
if (target.startsWith("https://ydc-index.io/v1/search")) {
return new Response(JSON.stringify({ results: { web: [] } }), { status: 200 });
}
if (target.startsWith("http://localhost:9999/search")) {
return new Response(JSON.stringify({ results: [] }), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const google = await validateProviderApiKey({
provider: "google-pse-search",
apiKey: "google-key",
providerSpecificData: { cx: "engine-id" },
});
const linkup = await validateProviderApiKey({
provider: "linkup-search",
apiKey: "linkup-key",
});
const searchapi = await validateProviderApiKey({
provider: "searchapi-search",
apiKey: "searchapi-key",
});
const youcom = await validateProviderApiKey({
provider: "youcom-search",
apiKey: "you-key",
});
const searxng = await validateProviderApiKey({
provider: "searxng-search",
providerSpecificData: { baseUrl: "http://localhost:9999/search" },
});
assert.equal(google.valid, true);
assert.equal(linkup.valid, true);
assert.equal(searchapi.valid, true);
assert.equal(youcom.valid, true);
assert.equal(searxng.valid, true);
assert.match(calls[0].url, /cx=engine-id/);
assert.equal(calls[1].init.headers.Authorization, "Bearer linkup-key");
assert.match(calls[2].url, /api_key=searchapi-key/);
assert.equal(calls[3].init.headers["X-API-Key"], "you-key");
} finally {
if (originalAllowPrivateProviderUrls === undefined) {
delete process.env.OMNIROUTE_ALLOW_PRIVATE_PROVIDER_URLS;
} else {
process.env.OMNIROUTE_ALLOW_PRIVATE_PROVIDER_URLS = originalAllowPrivateProviderUrls;
}
}
});
test("google PSE validator requires cx", async () => {
const result = await validateProviderApiKey({
provider: "google-pse-search",
apiKey: "google-key",
});
assert.equal(result.valid, false);
assert.equal(result.error, "Programmable Search Engine ID (cx) is required");
});
test("Maritalk validates with Key auth against the models endpoint", async () => {
const calls = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), init });
assert.equal(String(url), "https://chat.maritaca.ai/api/models");
assert.equal(init.headers.Authorization, "Key maritalk-key");
return new Response(JSON.stringify({ data: [{ id: "sabia-4" }] }), {
status: 200,
});
};
const result = await validateProviderApiKey({
provider: "maritalk",
apiKey: "maritalk-key",
});
assert.equal(result.valid, true);
assert.equal(result.method, "maritalk_models");
assert.equal(calls.length, 1);
});
test("Maritalk falls back to chat probe when the models endpoint is unreachable", async () => {
const calls = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), init });
if (String(url) === "https://chat.maritaca.ai/api/models") {
return new Response(JSON.stringify({ error: "not found" }), { status: 404 });
}
assert.equal(String(url), "https://chat.maritaca.ai/api/chat/completions");
assert.equal(init.headers.Authorization, "Key maritalk-key");
const body = JSON.parse(String(init.body));
assert.equal(body.model, "sabia-4");
return new Response(JSON.stringify({ choices: [{ message: { content: "ok" } }] }), {
status: 200,
});
};
const result = await validateProviderApiKey({
provider: "maritalk",
apiKey: "maritalk-key",
});
assert.equal(result.valid, true);
assert.equal(calls.length, 2);
});
test("Maritalk treats a rate-limited models probe as valid credentials", async () => {
const calls = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), init });
assert.equal(String(url), "https://chat.maritaca.ai/api/models");
assert.equal(init.headers.Authorization, "Key maritalk-key");
return new Response(JSON.stringify({ error: "rate limited" }), {
status: 429,
});
};
const result = await validateProviderApiKey({
provider: "maritalk",
apiKey: "maritalk-key",
});
assert.equal(result.valid, true);
assert.equal(result.warning, "Rate limited, but credentials are valid");
assert.equal(calls.length, 1);
});
test("local OpenAI-style providers validate without sending Authorization when apiKey is blank", async () => {
const originalAllowPrivateProviderUrls = process.env.OMNIROUTE_ALLOW_PRIVATE_PROVIDER_URLS;
process.env.OMNIROUTE_ALLOW_PRIVATE_PROVIDER_URLS = "true";
const calls = [];
try {
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), headers: init.headers || {} });
return new Response(JSON.stringify({ data: [{ id: "local-model" }] }), { status: 200 });
};
const lmStudio = await validateProviderApiKey({
provider: "lm-studio",
providerSpecificData: { baseUrl: "http://localhost:1234/v1" },
});
const vllm = await validateProviderApiKey({
provider: "vllm",
providerSpecificData: { baseUrl: "http://localhost:8000/v1" },
});
const lemonade = await validateProviderApiKey({
provider: "lemonade",
providerSpecificData: { baseUrl: "http://localhost:13305/api/v1" },
});
const llamaCpp = await validateProviderApiKey({
provider: "llama-cpp",
providerSpecificData: { baseUrl: "http://127.0.0.1:8080/v1" },
});
assert.equal(lmStudio.valid, true);
assert.equal(vllm.valid, true);
assert.equal(lemonade.valid, true);
assert.equal(llamaCpp.valid, true);
assert.deepEqual(
calls.map((call) => call.url),
[
"http://localhost:1234/v1/models",
"http://localhost:8000/v1/models",
"http://localhost:13305/api/v1/models",
"http://127.0.0.1:8080/v1/models",
]
);
assert.equal(calls[0].headers.Authorization, undefined);
assert.equal(calls[1].headers.Authorization, undefined);
assert.equal(calls[2].headers.Authorization, undefined);
assert.equal(calls[3].headers.Authorization, undefined);
} finally {
if (originalAllowPrivateProviderUrls === undefined) {
delete process.env.OMNIROUTE_ALLOW_PRIVATE_PROVIDER_URLS;
} else {
process.env.OMNIROUTE_ALLOW_PRIVATE_PROVIDER_URLS = originalAllowPrivateProviderUrls;
}
}
});
test("OpenAI-compatible validator covers /responses mode and final ping fallback", async () => {
const calls = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), method: init.method || "GET" });
if (String(url).endsWith("/models")) {
return new Response(JSON.stringify({ error: "no models" }), { status: 500 });
}
if (String(url).endsWith("/responses")) {
return new Response(JSON.stringify({ id: "resp_123" }), { status: 200 });
}
if (String(url) === "https://openai-like.example.com/v1") {
return new Response("ok", { status: 418 });
}
throw new Error(`unexpected fetch: ${url}`);
};
const responsesResult = await validateProviderApiKey({
provider: "openai-compatible-responses",
apiKey: "sk-test",
providerSpecificData: {
baseUrl: "https://openai-like.example.com/v1",
apiType: "responses",
validationModelId: "gpt-test",
},
});
globalThis.fetch = async (url) => {
if (String(url).endsWith("/models")) {
return new Response(JSON.stringify({ error: "server" }), { status: 500 });
}
if (String(url).endsWith("/chat/completions")) {
throw new Error("chat probe offline");
}
return new Response("teapot", { status: 418 });
};
const pingFallback = await validateProviderApiKey({
provider: "openai-compatible-ping-fallback",
apiKey: "sk-test",
providerSpecificData: {
baseUrl: "https://openai-like.example.com/v1",
validationModelId: "gpt-test",
},
});
assert.equal(responsesResult.valid, true);
assert.equal(responsesResult.method, "chat_completions");
assert.deepEqual(
calls.map((call) => call.url),
["https://openai-like.example.com/v1/models", "https://openai-like.example.com/v1/responses"]
);
assert.equal(pingFallback.valid, true);
assert.equal(pingFallback.error, null);
});
test("Anthropic-compatible and Claude Code compatible validators cover direct success and bridge fallbacks", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target.match(/anthropic-compatible\.example\.com/i) && init.method === "GET") {
return new Response(JSON.stringify({ data: [] }), { status: 200 });
}
if (target.match(/cc-compatible\.example\.com/i) && init.method === "GET") {
return new Response(JSON.stringify({ error: "bridge unavailable" }), { status: 500 });
}
if (target.match(/cc-compatible\.example\.com/i) && init.method === "POST") {
return new Response(JSON.stringify({ error: "rate limited" }), { status: 429 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const anthropic = await validateProviderApiKey({
provider: "anthropic-compatible-direct",
apiKey: "sk-anthropic",
providerSpecificData: {
baseUrl: "https://anthropic-compatible.example.com/v1/messages",
modelsPath: "/custom-models",
},
});
const ccRateLimited = await validateClaudeCodeCompatibleProvider({
apiKey: "sk-cc",
providerSpecificData: {
baseUrl: "https://cc-compatible.example.com/v1/messages",
validationModelId: "claude-bridge-test",
},
});
globalThis.fetch = async (url, init = {}) => {
if (init.method === "GET") {
return new Response(JSON.stringify({ error: "bridge unavailable" }), { status: 500 });
}
return new Response(JSON.stringify({ error: "bad gateway" }), { status: 502 });
};
const ccFailure = await validateClaudeCodeCompatibleProvider({
apiKey: "sk-cc",
providerSpecificData: {
baseUrl: "https://cc-compatible.example.com/v1/messages",
},
});
assert.equal(anthropic.valid, true);
assert.equal(ccRateLimited.valid, true);
assert.equal(ccRateLimited.method, "cc_bridge_request");
assert.match(ccRateLimited.warning, /Rate limited/i);
assert.equal(ccFailure.valid, false);
assert.equal(ccFailure.error, "Validation failed: 502");
});
test("Claude Code compatible validator rejects missing base URL and bridge auth failures", async () => {
const missingBase = await validateClaudeCodeCompatibleProvider({
apiKey: "sk-cc",
providerSpecificData: {},
});
globalThis.fetch = async (url, init = {}) => {
if (init.method === "GET") {
throw new Error("models offline");
}
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
};
const invalidKey = await validateClaudeCodeCompatibleProvider({
apiKey: "sk-cc",
providerSpecificData: {
baseUrl: "https://cc-compatible.example.com/v1/messages",
},
});
assert.equal(missingBase.error, "No base URL configured for CC Compatible provider");
assert.equal(invalidKey.error, "Invalid API key");
});
test("registry providers cover remaining OpenAI-like and Claude-like validation branches", async () => {
const calls = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), method: init.method || "GET", headers: init.headers || {} });
const target = String(url);
if (target === "https://api.openai.com/v1/models") {
return new Response(JSON.stringify({ data: [{ id: "gpt-4o-mini" }] }), { status: 200 });
}
if (target === "https://api.anthropic.com/v1/messages?beta=true") {
return new Response(JSON.stringify({ id: "msg_123" }), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const openaiModels = await validateProviderApiKey({ provider: "openai", apiKey: "sk-openai" });
const claudeSuccess = await validateProviderApiKey({ provider: "claude", apiKey: "sk-claude" });
globalThis.fetch = async (url) => {
if (String(url) === "https://api.openai.com/v1/models") {
return new Response(JSON.stringify({ error: "server" }), { status: 500 });
}
if (String(url) === "https://api.openai.com/v1/chat/completions") {
return new Response(JSON.stringify({ error: "method not allowed" }), { status: 405 });
}
throw new Error(`unexpected fetch: ${url}`);
};
const openaiUnsupported = await validateProviderApiKey({
provider: "openai",
apiKey: "sk-openai",
});
globalThis.fetch = async (url) => {
if (String(url) === "https://api.openai.com/v1/models") {
return new Response(JSON.stringify({ error: "server" }), { status: 500 });
}
if (String(url) === "https://api.openai.com/v1/chat/completions") {
return new Response(JSON.stringify({ error: "unprocessable" }), { status: 422 });
}
throw new Error(`unexpected fetch: ${url}`);
};
const openaiInference = await validateProviderApiKey({ provider: "openai", apiKey: "sk-openai" });
globalThis.fetch = async (url) => {
if (String(url) === "https://api.openai.com/v1/models") {
return new Response(JSON.stringify({ error: "server" }), { status: 500 });
}
if (String(url) === "https://api.openai.com/v1/chat/completions") {
return new Response(JSON.stringify({ error: "server" }), { status: 502 });
}
throw new Error(`unexpected fetch: ${url}`);
};
const openaiUnavailable = await validateProviderApiKey({
provider: "openai",
apiKey: "sk-openai",
});
globalThis.fetch = async () =>
new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
const claudeInvalid = await validateProviderApiKey({ provider: "claude", apiKey: "sk-claude" });
globalThis.fetch = async () => {
throw new Error("anthropic offline");
};
const claudeOffline = await validateProviderApiKey({ provider: "claude", apiKey: "sk-claude" });
assert.equal(openaiModels.valid, true);
assert.equal(openaiModels.error, null);
assert.equal(claudeSuccess.valid, true);
assert.equal(openaiUnsupported.error, "Provider validation endpoint not supported");
assert.equal(openaiInference.valid, true);
assert.equal(openaiInference.error, null);
assert.equal(openaiUnavailable.error, "Provider unavailable (502)");
assert.equal(claudeInvalid.error, "Invalid API key");
assert.equal(claudeOffline.error, "anthropic offline");
assert.equal(calls[1].headers["x-api-key"], "sk-claude");
});
test("specialty validators cover remaining status branches for Deepgram, AssemblyAI, ElevenLabs, Inworld, Bailian and LongCat", async () => {
globalThis.fetch = async (url) => {
const target = String(url);
if (target.match(/deepgram/i)) {
return new Response(JSON.stringify({ error: "server" }), { status: 500 });
}
if (target.match(/assemblyai/i)) {
return new Response(JSON.stringify({ transcripts: [] }), { status: 200 });
}
if (target.match(/elevenlabs/i)) {
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
}
if (target.match(/inworld/i)) {
throw new Error("inworld offline");
}
if (target.match(/dashscope\.aliyuncs\.com/i)) {
return new Response(JSON.stringify({ error: "server" }), { status: 500 });
}
if (target.match(/longcat/i)) {
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const deepgram = await validateProviderApiKey({ provider: "deepgram", apiKey: "dg-key" });
const assembly = await validateProviderApiKey({ provider: "assemblyai", apiKey: "aa-key" });
const eleven = await validateProviderApiKey({ provider: "elevenlabs", apiKey: "el-key" });
const inworld = await validateProviderApiKey({ provider: "inworld", apiKey: "iw-key" });
const bailian = await validateProviderApiKey({
provider: "bailian-coding-plan",
apiKey: "bailian-key",
providerSpecificData: {
baseUrl: "https://coding-intl.dashscope.aliyuncs.com/apps/anthropic/v1/messages",
},
});
const longcatInvalid = await validateProviderApiKey({ provider: "longcat", apiKey: "lc-key" });
globalThis.fetch = async (url) => {
if (String(url).match(/elevenlabs/i)) {
throw new Error("elevenlabs offline");
}
if (String(url).match(/longcat/i)) {
return new Response(JSON.stringify({ error: "unprocessable" }), { status: 422 });
}
throw new Error(`unexpected fetch: ${url}`);
};
const elevenOffline = await validateProviderApiKey({ provider: "elevenlabs", apiKey: "el-key" });
const longcatValid = await validateProviderApiKey({ provider: "longcat", apiKey: "lc-key" });
assert.equal(deepgram.error, "Validation failed: 500");
assert.equal(assembly.valid, true);
assert.equal(eleven.error, "Invalid API key");
assert.equal(inworld.error, "inworld offline");
assert.equal(bailian.error, "Validation failed: 500");
assert.equal(longcatInvalid.error, "Invalid API key");
assert.equal(elevenOffline.error, "elevenlabs offline");
assert.equal(longcatValid.valid, true);
});
test("specialty validators cover Heroku, Databricks, Snowflake and GigaChat success paths", async () => {
const seen = [];
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
seen.push({ url: target, headers: init.headers || {} });
if (target === "https://ngw.devices.sberbank.ru:9443/api/v2/oauth") {
assert.equal(init.headers.Authorization, "Basic gigachat-basic-creds");
return new Response(
JSON.stringify({
tok: "gigachat-access-token",
exp: Date.now() + 60 * 60 * 1000,
}),
{ status: 200 }
);
}
if (target === "https://us.inference.heroku.com/v1/chat/completions") {
assert.equal(init.headers.Authorization, "Bearer heroku-key");
return new Response(JSON.stringify({ error: "bad request" }), { status: 400 });
}
if (
target ===
"https://adb-1234567890123456.7.azuredatabricks.net/serving-endpoints/chat/completions"
) {
assert.equal(init.headers.Authorization, "Bearer databricks-key");
return new Response(JSON.stringify({ error: "unprocessable" }), { status: 422 });
}
if (target === "https://account.snowflakecomputing.com/api/v2/cortex/inference:complete") {
assert.equal(init.headers.Authorization, "Bearer snowflake-token");
assert.equal(
init.headers["X-Snowflake-Authorization-Token-Type"],
"PROGRAMMATIC_ACCESS_TOKEN"
);
return new Response(JSON.stringify({ error: "bad request" }), { status: 400 });
}
if (target === "https://gigachat.devices.sberbank.ru/api/v1/chat/completions") {
assert.equal(init.headers.Authorization, "Bearer gigachat-access-token");
return new Response(JSON.stringify({ error: "bad request" }), { status: 400 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const heroku = await validateProviderApiKey({
provider: "heroku",
apiKey: "heroku-key",
providerSpecificData: { baseUrl: "https://us.inference.heroku.com" },
});
const databricks = await validateProviderApiKey({
provider: "databricks",
apiKey: "databricks-key",
providerSpecificData: {
baseUrl: "https://adb-1234567890123456.7.azuredatabricks.net/serving-endpoints",
},
});
const snowflake = await validateProviderApiKey({
provider: "snowflake",
apiKey: "pat/snowflake-token",
providerSpecificData: { baseUrl: "https://account.snowflakecomputing.com" },
});
const gigachat = await validateProviderApiKey({
provider: "gigachat",
apiKey: "gigachat-basic-creds",
});
assert.equal(heroku.valid, true);
assert.equal(databricks.valid, true);
assert.equal(snowflake.valid, true);
assert.equal(gigachat.valid, true);
assert.equal(
seen.some((call) => call.url === "https://ngw.devices.sberbank.ru:9443/api/v2/oauth"),
true
);
});
test("specialty validators surface missing base URLs and invalid auth for Heroku, Databricks, Snowflake and GigaChat", async () => {
const missingHerokuBase = await validateProviderApiKey({
provider: "heroku",
apiKey: "heroku-key",
providerSpecificData: {},
});
const missingDatabricksBase = await validateProviderApiKey({
provider: "databricks",
apiKey: "databricks-key",
providerSpecificData: {},
});
const missingSnowflakeBase = await validateProviderApiKey({
provider: "snowflake",
apiKey: "snowflake-key",
providerSpecificData: {},
});
globalThis.fetch = async (url) => {
const target = String(url);
if (target === "https://ngw.devices.sberbank.ru:9443/api/v2/oauth") {
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
if (target === "https://us.inference.heroku.com/v1/chat/completions") {
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
if (
target ===
"https://adb-1234567890123456.7.azuredatabricks.net/serving-endpoints/chat/completions"
) {
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
}
if (target === "https://account.snowflakecomputing.com/api/v2/cortex/inference:complete") {
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const herokuInvalid = await validateProviderApiKey({
provider: "heroku",
apiKey: "heroku-key",
providerSpecificData: { baseUrl: "https://us.inference.heroku.com" },
});
const databricksInvalid = await validateProviderApiKey({
provider: "databricks",
apiKey: "databricks-key",
providerSpecificData: {
baseUrl: "https://adb-1234567890123456.7.azuredatabricks.net/serving-endpoints",
},
});
const snowflakeInvalid = await validateProviderApiKey({
provider: "snowflake",
apiKey: "snowflake-key",
providerSpecificData: { baseUrl: "https://account.snowflakecomputing.com" },
});
const gigachatInvalid = await validateProviderApiKey({
provider: "gigachat",
apiKey: "gigachat-basic-creds-invalid",
});
assert.equal(missingHerokuBase.error, "Missing base URL");
assert.equal(missingDatabricksBase.error, "Missing base URL");
assert.equal(missingSnowflakeBase.error, "Missing base URL");
assert.equal(herokuInvalid.error, "Invalid API key");
assert.equal(databricksInvalid.error, "Invalid API key");
assert.equal(snowflakeInvalid.error, "Invalid API key");
assert.equal(gigachatInvalid.error, "Invalid API key");
});
test("specialty validator accepts DataRobot gateway and deployment credentials", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://app.datarobot.com/genai/llmgw/catalog/") {
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer dr-key");
return new Response(
JSON.stringify({
data: [{ model: "azure/gpt-5-mini-2025-08-07", isActive: true }],
}),
{ status: 200 }
);
}
if (
target ===
"https://app.datarobot.com/api/v2/deployments/65f5b2b7c8f8c4b257e0d123/chat/completions"
) {
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer dr-deploy-key");
const body = JSON.parse(String(init.body));
assert.equal(body.model, "datarobot-deployed-llm");
return new Response(JSON.stringify({ error: "bad request" }), { status: 400 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const gateway = await validateProviderApiKey({
provider: "datarobot",
apiKey: "dr-key",
});
const deployment = await validateProviderApiKey({
provider: "datarobot",
apiKey: "dr-deploy-key",
providerSpecificData: {
baseUrl: "https://app.datarobot.com/api/v2/deployments/65f5b2b7c8f8c4b257e0d123",
},
});
assert.equal(gateway.valid, true);
assert.equal(deployment.valid, true);
});
test("specialty validator rejects invalid DataRobot credentials", async () => {
globalThis.fetch = async (url) => {
const target = String(url);
if (target === "https://app.datarobot.com/genai/llmgw/catalog/") {
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
if (
target ===
"https://app.datarobot.com/api/v2/deployments/65f5b2b7c8f8c4b257e0d123/chat/completions"
) {
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const gateway = await validateProviderApiKey({
provider: "datarobot",
apiKey: "dr-key",
});
const deployment = await validateProviderApiKey({
provider: "datarobot",
apiKey: "dr-deploy-key",
providerSpecificData: {
baseUrl: "https://app.datarobot.com/api/v2/deployments/65f5b2b7c8f8c4b257e0d123",
},
});
assert.equal(gateway.error, "Invalid API key");
assert.equal(deployment.error, "Invalid API key");
});
test("specialty validators accept watsonx, OCI and SAP enterprise gateways", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://ca-tor.ml.cloud.ibm.com/ml/gateway/v1/models") {
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer watsonx-key");
return new Response(JSON.stringify({ data: [] }), { status: 200 });
}
if (
target === "https://inference.generativeai.us-chicago-1.oci.oraclecloud.com/openai/v1/models"
) {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer oci-key");
assert.equal(headers["OpenAI-Project"], "ocid1.generativeaiproject.oc1.us-chicago-1.demo");
return new Response(JSON.stringify({ data: [] }), { status: 200 });
}
if (target === "https://sap.example.com/v2/lm/scenarios/foundation-models/models") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer sap-key");
assert.equal(headers["AI-Resource-Group"], "shared");
return new Response(JSON.stringify({ resources: [] }), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const watsonx = await validateProviderApiKey({
provider: "watsonx",
apiKey: "watsonx-key",
providerSpecificData: { baseUrl: "https://ca-tor.ml.cloud.ibm.com" },
});
const oci = await validateProviderApiKey({
provider: "oci",
apiKey: "oci-key",
providerSpecificData: {
baseUrl: "https://inference.generativeai.us-chicago-1.oci.oraclecloud.com",
projectId: "ocid1.generativeaiproject.oc1.us-chicago-1.demo",
},
});
const sap = await validateProviderApiKey({
provider: "sap",
apiKey: "sap-key",
providerSpecificData: {
baseUrl: "https://sap.example.com/v2/lm/deployments/demo-deployment",
resourceGroup: "shared",
},
});
assert.equal(watsonx.valid, true);
assert.equal(watsonx.method, "watsonx_models");
assert.equal(oci.valid, true);
assert.equal(oci.method, "oci_models");
assert.equal(sap.valid, true);
assert.equal(sap.method, "sap_models");
});
test("specialty validator accepts native Bedrock model discovery with a configured region", async () => {
const seenUrls: string[] = [];
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
seenUrls.push(target);
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer bedrock-key");
if (
target === "https://bedrock.eu-west-2.amazonaws.com/foundation-models?byOutputModality=TEXT"
) {
return new Response(
JSON.stringify({
modelSummaries: [
{
modelId: "anthropic.claude-sonnet-4-6",
modelName: "Claude Sonnet 4.6",
providerName: "Anthropic",
inputModalities: ["TEXT", "IMAGE"],
outputModalities: ["TEXT"],
responseStreamingSupported: true,
},
],
}),
{ status: 200 }
);
}
if (
target ===
"https://bedrock.eu-west-2.amazonaws.com/inference-profiles?maxResults=100&typeEquals=SYSTEM_DEFINED"
) {
return new Response(
JSON.stringify({
inferenceProfileSummaries: [
{
inferenceProfileId: "eu.anthropic.claude-sonnet-4-6",
inferenceProfileName: "EU Claude Sonnet 4.6",
models: [
{
modelArn:
"arn:aws:bedrock:eu-west-2::foundation-model/anthropic.claude-sonnet-4-6",
},
],
},
],
}),
{ status: 200 }
);
}
throw new Error("unexpected fetch: " + target);
};
const bedrock = await validateProviderApiKey({
provider: "bedrock",
apiKey: "bedrock-key",
providerSpecificData: { region: "eu-west-2" },
});
assert.equal(bedrock.valid, true);
assert.equal(bedrock.method, "bedrock_native_models");
assert.deepEqual(seenUrls, [
"https://bedrock.eu-west-2.amazonaws.com/foundation-models?byOutputModality=TEXT",
"https://bedrock.eu-west-2.amazonaws.com/inference-profiles?maxResults=100&typeEquals=SYSTEM_DEFINED",
]);
});
test("specialty validator rejects invalid native Bedrock credentials", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (
target === "https://bedrock.eu-west-2.amazonaws.com/foundation-models?byOutputModality=TEXT"
) {
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer bedrock-key");
return new Response(JSON.stringify({ message: "forbidden" }), { status: 403 });
}
throw new Error("unexpected fetch: " + target);
};
const bedrock = await validateProviderApiKey({
provider: "bedrock",
apiKey: "bedrock-key",
providerSpecificData: { region: "eu-west-2" },
});
assert.equal(bedrock.error, "Invalid API key");
});
test("specialty validators reject invalid watsonx, OCI and SAP credentials", async () => {
globalThis.fetch = async (url) => {
const target = String(url);
if (target === "https://ca-tor.ml.cloud.ibm.com/ml/gateway/v1/models") {
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
if (
target === "https://inference.generativeai.us-chicago-1.oci.oraclecloud.com/openai/v1/models"
) {
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
}
if (target === "https://sap.example.com/v2/lm/scenarios/foundation-models/models") {
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const watsonx = await validateProviderApiKey({
provider: "watsonx",
apiKey: "watsonx-key",
providerSpecificData: { baseUrl: "https://ca-tor.ml.cloud.ibm.com" },
});
const oci = await validateProviderApiKey({
provider: "oci",
apiKey: "oci-key",
providerSpecificData: {
baseUrl: "https://inference.generativeai.us-chicago-1.oci.oraclecloud.com",
},
});
const sap = await validateProviderApiKey({
provider: "sap",
apiKey: "sap-key",
providerSpecificData: {
baseUrl: "https://sap.example.com/v2/lm/deployments/demo-deployment",
},
});
assert.equal(watsonx.error, "Invalid API key");
assert.equal(oci.error, "Invalid API key");
assert.equal(sap.error, "Invalid API key");
});
test("specialty validator accepts Modal OpenAI-compatible deployments", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://alice--demo.modal.run/v1/models") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer modal-key");
return new Response(JSON.stringify({ data: [] }), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const modal = await validateProviderApiKey({
provider: "modal",
apiKey: "modal-key",
providerSpecificData: {
baseUrl: "https://alice--demo.modal.run/v1",
},
});
assert.equal(modal.valid, true);
});
test("specialty validator rejects invalid Modal credentials", async () => {
globalThis.fetch = async (url) => {
const target = String(url);
if (target === "https://alice--demo.modal.run/v1/models") {
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const modal = await validateProviderApiKey({
provider: "modal",
apiKey: "modal-key",
providerSpecificData: {
baseUrl: "https://alice--demo.modal.run/v1",
},
});
assert.equal(modal.error, "Invalid API key");
});
test("specialty validator accepts Poe credentials on the current balance endpoint", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.poe.com/usage/current_balance") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer poe-key");
return new Response(JSON.stringify({ current_point_balance: 123456 }), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const poe = await validateProviderApiKey({
provider: "poe",
apiKey: "poe-key",
});
assert.equal(poe.valid, true);
assert.equal(poe.method, "poe_current_balance");
});
test("specialty validator accepts Nous Research credentials on chat completions", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://inference-api.nousresearch.com/v1/chat/completions") {
const headers = init.headers as Record<string, string>;
const body = JSON.parse(String(init.body));
assert.equal(headers.Authorization, "Bearer nous-key");
assert.equal(body.model, "Hermes-4-70B");
return new Response(
JSON.stringify({
id: "chatcmpl-nous",
choices: [{ message: { role: "assistant", content: "ok" } }],
}),
{ status: 200 }
);
}
throw new Error(`unexpected fetch: ${target}`);
};
const nous = await validateProviderApiKey({
provider: "nous-research",
apiKey: "nous-key",
});
assert.equal(nous.valid, true);
assert.equal(nous.method, "nous_chat_completions");
});
test("BytePlus key validation reaches the Ark endpoint instead of 'not supported' (#3877)", async () => {
// #3877: byteplus was in APIKEY_PROVIDERS but never registered in the routing
// registry, so validation returned {unsupported:true} → UI showed "invalid" for any
// key. With the registry entry, a valid ark-... key probes the Ark /models endpoint
// with Bearer auth and validates.
let probedModelsUrl: string | null = null;
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://ark.ap-southeast.bytepluses.com/api/v3/models") {
probedModelsUrl = target;
const headers = toPlainHeaders(init.headers);
assert.equal(headers.Authorization, "Bearer ark-test-key");
return new Response(JSON.stringify({ data: [{ id: "kimi-k2-thinking" }] }), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const result = await validateProviderApiKey({
provider: "byteplus",
apiKey: "ark-test-key",
});
assert.equal(result.unsupported, undefined, "byteplus must not be 'validation not supported'");
assert.equal(result.valid, true);
assert.equal(probedModelsUrl, "https://ark.ap-southeast.bytepluses.com/api/v3/models");
});
test("specialty validator rejects invalid Nous Research credentials", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://inference-api.nousresearch.com/v1/chat/completions") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer nous-bad");
return new Response(JSON.stringify({ message: "invalid" }), { status: 401 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const nous = await validateProviderApiKey({
provider: "nous-research",
apiKey: "nous-bad",
});
assert.equal(nous.error, "Invalid API key");
});
test("specialty validator accepts Nous Research key when probe model is rejected (400)", async () => {
// #3881: a valid key whose probe model is rejected (model-not-found / bad request)
// must still validate — the 4xx proves auth was accepted, only the request shape
// was wrong. Mirrors the longcat/nvidia validators.
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://inference-api.nousresearch.com/v1/chat/completions") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer nous-key");
return new Response(
JSON.stringify({ error: { message: "model not found", type: "invalid_request_error" } }),
{ status: 400 }
);
}
throw new Error(`unexpected fetch: ${target}`);
};
const nous = await validateProviderApiKey({
provider: "nous-research",
apiKey: "nous-key",
});
assert.equal(nous.valid, true);
assert.equal(nous.method, "nous_chat_completions");
});
test("specialty validator rejects invalid Poe credentials", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.poe.com/usage/current_balance") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer poe-bad");
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const poe = await validateProviderApiKey({
provider: "poe",
apiKey: "poe-bad",
});
assert.equal(poe.error, "Invalid API key");
});
test("specialty validator accepts Clarifai credentials through the OpenAI-compatible models probe", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.clarifai.com/v2/ext/openai/v1/models") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Key clarifai-pat");
return new Response(
JSON.stringify({ data: [{ id: "openai/chat-completion/models/gpt-oss-120b" }] }),
{ status: 200 }
);
}
throw new Error(`unexpected fetch: ${target}`);
};
const clarifai = await validateProviderApiKey({
provider: "clarifai",
apiKey: "clarifai-pat",
});
assert.equal(clarifai.valid, true);
assert.equal(clarifai.method, "clarifai_models");
});
test("specialty validator rejects invalid Clarifai credentials", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.clarifai.com/v2/ext/openai/v1/models") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Key clarifai-bad");
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const clarifai = await validateProviderApiKey({
provider: "clarifai",
apiKey: "clarifai-bad",
});
assert.equal(clarifai.error, "Invalid API key");
});
test("specialty validator accepts Reka credentials through the models probe with dual auth headers", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.reka.ai/v1/models") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer reka-key");
assert.equal(headers["X-Api-Key"], "reka-key");
return new Response(JSON.stringify([{ id: "reka-core" }]), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const reka = await validateProviderApiKey({
provider: "reka",
apiKey: "reka-key",
});
assert.equal(reka.valid, true);
assert.equal(reka.method, "reka_models");
});
test("specialty validator rejects invalid Reka credentials", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.reka.ai/v1/models") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer reka-bad");
assert.equal(headers["X-Api-Key"], "reka-bad");
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const reka = await validateProviderApiKey({
provider: "reka",
apiKey: "reka-bad",
});
assert.equal(reka.error, "Invalid API key");
});
test("specialty validator accepts NLP Cloud credentials on the chatbot endpoint", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.nlpcloud.io/v1/gpu/chatdolphin/chatbot") {
const headers = init.headers as Record<string, string>;
const body = JSON.parse(String(init.body));
assert.equal(headers.Authorization, "Token nlpc-key");
assert.equal(body.input, "test");
return new Response(JSON.stringify({ response: "ok" }), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const nlpCloud = await validateProviderApiKey({
provider: "nlpcloud",
apiKey: "nlpc-key",
});
assert.equal(nlpCloud.valid, true);
assert.equal(nlpCloud.method, "nlpcloud_chatbot");
});
test("specialty validator rejects invalid NLP Cloud credentials", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.nlpcloud.io/v1/gpu/chatdolphin/chatbot") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Token nlpc-bad");
return new Response(JSON.stringify({ detail: "forbidden" }), { status: 403 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const nlpCloud = await validateProviderApiKey({
provider: "nlpcloud",
apiKey: "nlpc-bad",
});
assert.equal(nlpCloud.error, "Invalid API key");
});
test("specialty validator accepts Runway credentials on the organization endpoint", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.dev.runwayml.com/v1/organization") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer runway-key");
assert.equal(headers["X-Runway-Version"], "2024-11-06");
return new Response(JSON.stringify({ id: "org_demo" }), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const runway = await validateProviderApiKey({
provider: "runwayml",
apiKey: "runway-key",
});
assert.equal(runway.valid, true);
assert.equal(runway.method, "runway_organization");
});
test("specialty validator rejects invalid Runway credentials", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target === "https://api.dev.runwayml.com/v1/organization") {
const headers = init.headers as Record<string, string>;
assert.equal(headers.Authorization, "Bearer runway-bad");
assert.equal(headers["X-Runway-Version"], "2024-11-06");
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const runway = await validateProviderApiKey({
provider: "runwayml",
apiKey: "runway-bad",
});
assert.equal(runway.error, "Invalid API key");
});
test("validateCommandCodeProvider sends Command Code probe URL, headers, and wrapper body", async () => {
const calls: any[] = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({
url: String(url),
method: init.method,
headers: toPlainHeaders(init.headers),
body: JSON.parse(String(init.body)),
});
return new Response("", { status: 400 });
};
const result = await validateCommandCodeProvider({
apiKey: "cc_test_key",
providerSpecificData: { validationModelId: "gpt-5.4-mini" },
});
assert.deepEqual(result, { valid: true, error: null });
assert.equal(calls.length, 1);
assert.equal(calls[0].url, "https://api.commandcode.ai/alpha/generate");
assert.equal(calls[0].method, "POST");
assert.equal(calls[0].headers.Authorization, "Bearer cc_test_key");
assert.equal(calls[0].headers["Content-Type"], "application/json");
assert.equal(calls[0].headers["x-command-code-version"], COMMAND_CODE_VERSION);
assert.equal(calls[0].headers["x-cli-environment"], "external");
assert.equal(calls[0].headers["x-project-slug"], "pi-cc");
assert.equal(calls[0].headers["x-taste-learning"], "false");
assert.equal(calls[0].headers["x-co-flag"], "false");
assert.equal(typeof calls[0].headers["x-session-id"], "string");
assert.equal(calls[0].body.config.environment, "external");
assert.equal(calls[0].body.permissionMode, "standard");
assert.equal(calls[0].body.skills, "");
assert.equal(calls[0].body.params.model, "gpt-5.4-mini");
assert.equal(calls[0].body.params.stream, true);
assert.equal(calls[0].body.params.max_tokens, 1);
});
for (const status of [400, 422, 429]) {
test(`validateCommandCodeProvider accepts ${status} as direct validator auth success`, async () => {
globalThis.fetch = async () => new Response("", { status });
assert.deepEqual(await validateCommandCodeProvider({ apiKey: "cc_test_key" }), {
valid: true,
error: null,
});
});
}
test("validateCommandCodeProvider rejects auth failures and provider outages", async () => {
globalThis.fetch = async () => new Response("unauthorized", { status: 401 });
assert.deepEqual(await validateCommandCodeProvider({ apiKey: "bad" }), {
valid: false,
error: "Invalid API key",
});
globalThis.fetch = async () => new Response("server down", { status: 500 });
assert.deepEqual(await validateCommandCodeProvider({ apiKey: "cc_test_key" }), {
valid: false,
error: "Provider unavailable (500)",
});
});
// ─── claude-web validator ────────────────────────────────────────────────────
const { __setTlsFetchOverrideForTesting: __setClaudeTlsFetchOverride } =
await import("../../open-sse/services/claudeTlsClient.ts");
function makeClaudeTlsResponse(
status: number,
body: string,
headers: Record<string, string> = {}
): any {
const h = new Headers();
for (const [k, v] of Object.entries(headers)) h.set(k, v);
return { status, ok: status >= 200 && status < 300, headers: h, text: body, body: null };
}
test("claude-web validator: 200 from /api/organizations → valid", async () => {
let captured: { url: string; opts: any } | null = null;
__setClaudeTlsFetchOverride(async (url, opts) => {
captured = { url, opts };
return makeClaudeTlsResponse(200, JSON.stringify({ orgs: [] }));
});
const result = await validateProviderApiKey({
provider: "claude-web",
apiKey: "sessionKey=sk-ant-sid02-test-session-key",
});
assert.equal(result.valid, true);
assert.equal(result.error, null);
assert.equal(captured?.url, "https://claude.ai/api/organizations");
assert.match(
(captured?.opts.headers as Record<string, string>).Cookie || "",
/sessionKey=sk-ant-sid02-test-session-key/
);
__setClaudeTlsFetchOverride(null);
});
test("claude-web validator: full cookie blob passes through verbatim", async () => {
let capturedCookie = "";
__setClaudeTlsFetchOverride(async (_url, opts) => {
capturedCookie = (opts.headers as Record<string, string>).Cookie || "";
return makeClaudeTlsResponse(200, JSON.stringify({ orgs: [] }));
});
const blob =
"__cf_bm=abc123; sessionKey=sk-ant-sid02-test; intercom-device-id-lupk8zyo=xyz; __stripe_mid=stripe123";
await validateProviderApiKey({ provider: "claude-web", apiKey: blob });
assert.equal(capturedCookie, blob);
__setClaudeTlsFetchOverride(null);
});
test("claude-web validator: 401 → invalid session cookie", async () => {
__setClaudeTlsFetchOverride(async () =>
makeClaudeTlsResponse(401, JSON.stringify({ error: "unauthorized" }))
);
const result = await validateProviderApiKey({
provider: "claude-web",
apiKey: "sessionKey=expired-key",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Invalid or expired session cookie/i);
__setClaudeTlsFetchOverride(null);
});
test("claude-web validator: 429 → valid (rate limited means auth passed)", async () => {
__setClaudeTlsFetchOverride(async () =>
makeClaudeTlsResponse(429, JSON.stringify({ error: "rate limited" }))
);
const result = await validateProviderApiKey({
provider: "claude-web",
apiKey: "sessionKey=sk-ant-sid02-good-key",
});
assert.equal(result.valid, true);
__setClaudeTlsFetchOverride(null);
});
test("claude-web validator: 500 → Claude.ai unavailable", async () => {
__setClaudeTlsFetchOverride(async () => makeClaudeTlsResponse(500, "internal server error"));
const result = await validateProviderApiKey({
provider: "claude-web",
apiKey: "sessionKey=sk-ant-sid02-any-key",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Claude\.ai unavailable \(500\)/i);
__setClaudeTlsFetchOverride(null);
});
test("claude-web validator: TLS client unavailable → clear error", async () => {
const { TlsClientUnavailableError } = await import("../../open-sse/services/claudeTlsClient.ts");
__setClaudeTlsFetchOverride(async () => {
throw new TlsClientUnavailableError("tls-client-node not installed");
});
const result = await validateProviderApiKey({
provider: "claude-web",
apiKey: "sessionKey=sk-ant-sid02-any-key",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /tls-client-node not installed/i);
__setClaudeTlsFetchOverride(null);
});
test("claude-web validator: bare sessionKey value gets prefixed", async () => {
let capturedCookie = "";
__setClaudeTlsFetchOverride(async (_url, opts) => {
capturedCookie = (opts.headers as Record<string, string>).Cookie || "";
return makeClaudeTlsResponse(200, JSON.stringify({ orgs: [] }));
});
await validateProviderApiKey({
provider: "claude-web",
apiKey: "sk-ant-sid02-bare-value",
});
assert.equal(capturedCookie, "sessionKey=sk-ant-sid02-bare-value");
__setClaudeTlsFetchOverride(null);
});
// ─── gemini-web validator ────────────────────────────────────────────────────
test("gemini-web validator: 200 from gemini.google.com → valid", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
const headers = init.headers || {};
if (target.includes("gemini.google.com/app")) {
assert.match((headers as Record<string, string>).Cookie || "", /__Secure-1PSID=eyJPSID/);
return new Response("ok", { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const result = await validateProviderApiKey({
provider: "gemini-web",
apiKey: "__Secure-1PSID=eyJPSID",
});
assert.equal(result.valid, true);
assert.equal(result.error, null);
});
test("gemini-web validator: bare value gets __Secure-1PSID prefix", async () => {
let capturedCookie = "";
globalThis.fetch = async (url, init = {}) => {
if (String(url).includes("gemini.google.com")) {
capturedCookie = ((init.headers as Record<string, string>) || {}).Cookie || "";
return new Response("ok", { status: 200 });
}
throw new Error(`unexpected fetch: ${String(url)}`);
};
await validateProviderApiKey({ provider: "gemini-web", apiKey: "eyJbarevalue" });
assert.equal(capturedCookie, "__Secure-1PSID=eyJbarevalue");
});
test("gemini-web validator: 401 → invalid cookie", async () => {
globalThis.fetch = async () => new Response("unauthorized", { status: 401 });
const result = await validateProviderApiKey({
provider: "gemini-web",
apiKey: "__Secure-1PSID=expired",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Invalid or expired __Secure-1PSID/i);
});
test("gemini-web validator: 500 → unavailable", async () => {
globalThis.fetch = async () => new Response("down", { status: 500 });
const result = await validateProviderApiKey({
provider: "gemini-web",
apiKey: "__Secure-1PSID=eyJany",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Gemini validation failed \(500\)/i);
});
// ─── copilot-web validator ───────────────────────────────────────────────────
test("copilot-web validator: valid access_token → 200", async () => {
globalThis.fetch = async (url, init = {}) => {
const target = String(url);
if (target.includes("copilot.microsoft.com/c/api/conversations")) {
assert.match(
((init.headers as Record<string, string>) || {}).Authorization || "",
/Bearer eyJhbGci/
);
return new Response(JSON.stringify({ conversations: [] }), { status: 200 });
}
throw new Error(`unexpected fetch: ${target}`);
};
const result = await validateProviderApiKey({
provider: "copilot-web",
apiKey: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.test",
});
assert.equal(result.valid, true);
assert.equal(result.error, null);
});
test("copilot-web validator: cookie with access_token= is extracted", async () => {
let capturedAuth = "";
globalThis.fetch = async (url, init = {}) => {
if (String(url).includes("copilot.microsoft.com")) {
capturedAuth = ((init.headers as Record<string, string>) || {}).Authorization || "";
return new Response(JSON.stringify({}), { status: 200 });
}
throw new Error(`unexpected fetch: ${String(url)}`);
};
await validateProviderApiKey({
provider: "copilot-web",
apiKey: "access_token=eyJhbGciOiJIUzI1NiJ9.payload.sig; other_cookie=foo",
});
assert.equal(capturedAuth, "Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig");
});
test("copilot-web validator: 401 → invalid token", async () => {
globalThis.fetch = async () => new Response("unauthorized", { status: 401 });
const result = await validateProviderApiKey({
provider: "copilot-web",
apiKey: "bad-token",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Invalid or expired access_token/i);
});
test("copilot-web validator: 500 → unavailable", async () => {
globalThis.fetch = async () => new Response("down", { status: 500 });
const result = await validateProviderApiKey({
provider: "copilot-web",
apiKey: "any-token",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Copilot unavailable \(500\)/i);
});
test("copilot-web validator: empty input → paste prompt", async () => {
globalThis.fetch = async () => {
throw new Error("should not fetch");
};
const result = await validateProviderApiKey({ provider: "copilot-web", apiKey: "" });
assert.equal(result.valid, false);
assert.match(result.error || "", /Paste your access_token/i);
});
// ─── copilot-m365-web validator ──────────────────────────────────────────────
test("copilot-m365-web validator: accepts pasted OmniRoute credential without /models probe", async () => {
globalThis.fetch = async () => {
throw new Error("should not fetch");
};
const result = await validateProviderApiKey({
provider: "copilot-m365-web",
apiKey: "access_token=tok; chathubPath=redacted-account@redacted-tenant",
});
assert.equal(result.valid, true);
assert.equal(result.error, null);
assert.match(result.warning || "", /verified when the provider sends a chat/i);
});
test("copilot-m365-web validator: requires chathubPath", async () => {
globalThis.fetch = async () => {
throw new Error("should not fetch");
};
const result = await validateProviderApiKey({
provider: "copilot-m365-web",
apiKey: "access_token=tok",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /Chathub path/i);
});
// ─── t3-web validator ────────────────────────────────────────────────────────
test("t3-web validator: valid cookies → valid", async () => {
globalThis.fetch = async (url, init = {}) => {
if (String(url).includes("t3.chat")) {
return new Response("ok", { status: 200 });
}
throw new Error(`unexpected fetch: ${String(url)}`);
};
const result = await validateProviderApiKey({
provider: "t3-web",
apiKey: "cookies=__session=abc123; convexSessionId=def456",
});
assert.equal(result.valid, true);
assert.equal(result.error, null);
});
test("t3-web validator: 500 → unavailable", async () => {
globalThis.fetch = async () => new Response("down", { status: 500 });
const result = await validateProviderApiKey({
provider: "t3-web",
apiKey: "cookies=__session=abc",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /t3\.chat unavailable \(500\)/i);
});
test("t3-web validator: valid cookies → passes through", async () => {
globalThis.fetch = async (url, init = {}) => {
if (String(url).includes("t3.chat")) {
return new Response("ok", { status: 200 });
}
throw new Error(`unexpected fetch: ${String(url)}`);
};
const result = await validateProviderApiKey({
provider: "t3-web",
apiKey: "__session=abc123; convex-session-id=def456",
});
assert.equal(result.valid, true);
assert.equal(result.error, null);
});
test("llama-cpp is classified as a self-hosted chat provider", async () => {
const { isSelfHostedChatProvider, isLocalProvider, providerAllowsOptionalApiKey } =
await import("../../src/shared/constants/providers.ts");
assert.equal(isSelfHostedChatProvider("llama-cpp"), true);
assert.equal(isLocalProvider("llama-cpp"), true);
assert.equal(providerAllowsOptionalApiKey("llama-cpp"), true);
});
// ─── Gitlawb Opengateway specialty validators ──────────────────────────────
test("gitlawb validator: accepts valid API key via chat/completions probe", async () => {
const calls: any[] = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), headers: init.headers || {}, body: init.body });
assert.equal(String(url), "https://opengateway.gitlawb.com/v1/xiaomi-mimo/chat/completions");
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer glb-valid-key");
const body = JSON.parse(String(init.body));
assert.equal(body.model, "mimo-v2.5-pro");
assert.equal(body.messages[0].content, "test");
assert.equal(body.max_tokens, 1);
return new Response(JSON.stringify({ choices: [{ message: { content: "ok" } }] }), {
status: 200,
});
};
const result = await validateProviderApiKey({ provider: "gitlawb", apiKey: "glb-valid-key" });
assert.equal(result.valid, true);
assert.equal(calls.length, 1);
});
test("gitlawb validator: 400/422/429 treated as auth success", async () => {
for (const status of [400, 422, 429]) {
globalThis.fetch = async (url) => {
assert.equal(String(url), "https://opengateway.gitlawb.com/v1/xiaomi-mimo/chat/completions");
return new Response(JSON.stringify({ error: "bad request" }), { status });
};
const result = await validateProviderApiKey({ provider: "gitlawb", apiKey: "glb-key" });
assert.equal(result.valid, true, `status ${status} should pass auth`);
assert.equal(result.error, null, `status ${status} should not return error`);
}
});
test("gitlawb validator: rejects invalid API key (401)", async () => {
globalThis.fetch = async (url) => {
assert.equal(String(url), "https://opengateway.gitlawb.com/v1/xiaomi-mimo/chat/completions");
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
};
const result = await validateProviderApiKey({ provider: "gitlawb", apiKey: "glb-bad-key" });
assert.equal(result.valid, false);
assert.equal(result.error, "Invalid API key");
});
test("gitlawb validator: rejects invalid API key (403)", async () => {
globalThis.fetch = async (url) => {
assert.equal(String(url), "https://opengateway.gitlawb.com/v1/xiaomi-mimo/chat/completions");
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
};
const result = await validateProviderApiKey({ provider: "gitlawb", apiKey: "glb-bad-key" });
assert.equal(result.valid, false);
assert.equal(result.error, "Invalid API key");
});
test("gitlawb validator: surfaces network failures", async () => {
globalThis.fetch = async () => {
throw new Error("gitlawb opengateway offline");
};
const result = await validateProviderApiKey({ provider: "gitlawb", apiKey: "glb-key" });
assert.equal(result.valid, false);
assert.match(result.error || "", /gitlawb opengateway offline/i);
});
test("gitlawb validator: accepts custom baseUrl override", async () => {
globalThis.fetch = async (url, init = {}) => {
assert.equal(String(url), "https://custom-gateway.example.com/v1/xiaomi-mimo/chat/completions");
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer glb-key");
return new Response(JSON.stringify({ choices: [{ message: { content: "ok" } }] }), {
status: 200,
});
};
const result = await validateProviderApiKey({
provider: "gitlawb",
apiKey: "glb-key",
providerSpecificData: {
baseUrl: "https://custom-gateway.example.com/v1/xiaomi-mimo",
},
});
assert.equal(result.valid, true);
});
// ─── Gitlawb-GMI (GMI Cloud) ─────────────────────────────────────────────
test("gitlawb-gmi validator: accepts valid API key via chat/completions probe", async () => {
const calls: any[] = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), headers: init.headers || {} });
assert.equal(String(url), "https://opengateway.gitlawb.com/v1/gmi-cloud/chat/completions");
assert.equal(
(init.headers as Record<string, string>).Authorization,
"Bearer glb-gmi-valid-key"
);
const body = JSON.parse(String(init.body));
assert.equal(body.model, "XiaomiMiMo/MiMo-V2.5-Pro");
assert.equal(body.messages[0].content, "test");
assert.equal(body.max_tokens, 1);
return new Response(JSON.stringify({ choices: [{ message: { content: "ok" } }] }), {
status: 200,
});
};
const result = await validateProviderApiKey({
provider: "gitlawb-gmi",
apiKey: "glb-gmi-valid-key",
});
assert.equal(result.valid, true);
assert.equal(calls.length, 1);
});
test("gitlawb-gmi validator: accepts 400/422/429 as auth success", async () => {
for (const status of [400, 422, 429]) {
globalThis.fetch = async (url) => {
assert.equal(String(url), "https://opengateway.gitlawb.com/v1/gmi-cloud/chat/completions");
return new Response(JSON.stringify({ error: "bad request" }), { status });
};
const result = await validateProviderApiKey({
provider: "gitlawb-gmi",
apiKey: "glb-gmi-key",
});
assert.equal(result.valid, true, `status ${status} should pass auth`);
}
});
test("gitlawb-gmi validator: rejects invalid API key (401)", async () => {
globalThis.fetch = async (url) => {
assert.equal(String(url), "https://opengateway.gitlawb.com/v1/gmi-cloud/chat/completions");
return new Response(JSON.stringify({ error: "unauthorized" }), { status: 401 });
};
const result = await validateProviderApiKey({
provider: "gitlawb-gmi",
apiKey: "glb-gmi-bad-key",
});
assert.equal(result.valid, false);
assert.equal(result.error, "Invalid API key");
});
test("gitlawb-gmi validator: rejects invalid API key (403)", async () => {
globalThis.fetch = async (url) => {
assert.equal(String(url), "https://opengateway.gitlawb.com/v1/gmi-cloud/chat/completions");
return new Response(JSON.stringify({ error: "forbidden" }), { status: 403 });
};
const result = await validateProviderApiKey({
provider: "gitlawb-gmi",
apiKey: "glb-gmi-bad-key",
});
assert.equal(result.valid, false);
assert.equal(result.error, "Invalid API key");
});
test("gitlawb-gmi validator: surfaces network failures", async () => {
globalThis.fetch = async () => {
throw new Error("gitlawb-gmi opengateway offline");
};
const result = await validateProviderApiKey({
provider: "gitlawb-gmi",
apiKey: "glb-gmi-key",
});
assert.equal(result.valid, false);
assert.match(result.error || "", /gitlawb-gmi opengateway offline/i);
});
test("gitlawb-gmi validator: accepts custom baseUrl override", async () => {
globalThis.fetch = async (url, init = {}) => {
assert.equal(String(url), "https://custom-gateway.example.com/v1/gmi-cloud/chat/completions");
assert.equal((init.headers as Record<string, string>).Authorization, "Bearer glb-gmi-key");
return new Response(JSON.stringify({ choices: [{ message: { content: "ok" } }] }), {
status: 200,
});
};
const result = await validateProviderApiKey({
provider: "gitlawb-gmi",
apiKey: "glb-gmi-key",
providerSpecificData: {
baseUrl: "https://custom-gateway.example.com/v1/gmi-cloud",
},
});
assert.equal(result.valid, true);
});
// #3288 / #3758: a blocked redirect (REDIRECT_BLOCKED) to a PUBLIC host is benign — the
// redirect was never followed, so it must NOT be mislabeled as an SSRF security block.
// Only a redirect whose target is a private/internal host is a genuine security event.
test("isSecurityBlockError: public-host redirect block is NOT a security block", () => {
const publicRedirect = new SafeOutboundFetchError("Redirect blocked", {
code: "REDIRECT_BLOCKED",
url: "https://chat.qwen.ai/api/v2/models",
method: "GET",
attempts: 1,
status: 307,
location: "https://chat.qwen.ai/login",
isRetryable: false,
});
assert.equal(isSecurityBlockError(publicRedirect), false);
});
test("isSecurityBlockError: private-host redirect block IS a security block", () => {
const privateRedirect = new SafeOutboundFetchError("Redirect blocked", {
code: "REDIRECT_BLOCKED",
url: "https://api.example.com/probe",
method: "GET",
attempts: 1,
status: 302,
location: "http://169.254.169.254/latest/meta-data/",
isRetryable: false,
});
assert.equal(isSecurityBlockError(privateRedirect), true);
});
test("isSecurityBlockError: a URL-guard block remains a security block", () => {
const guardBlock = new SafeOutboundFetchError("Blocked private host", {
code: "URL_GUARD_BLOCKED",
url: "http://10.0.0.5/internal",
method: "GET",
attempts: 1,
isRetryable: false,
});
assert.equal(isSecurityBlockError(guardBlock), true);
});
// ─── huggingface validator (whoami-v2 auth probe) ────────────────────────────
// Fine-grained HF Inference-Provider tokens are valid even when model/task
// endpoints reject them. The validator must probe whoami-v2 as a pure auth
// check: only 401/403 is invalid; any other non-OK status is transient.
test("huggingface validator accepts a token whoami-v2 recognizes", async () => {
const calls: { url: string; headers: Record<string, string> }[] = [];
globalThis.fetch = async (url, init = {}) => {
calls.push({ url: String(url), headers: toPlainHeaders(init.headers) });
return new Response(JSON.stringify({ name: "hf-user", auth: { type: "access_token" } }), {
status: 200,
});
};
const result = await validateProviderApiKey({ provider: "huggingface", apiKey: "hf_validtoken" });
assert.equal(result.valid, true);
assert.equal(result.error, null);
assert.equal(result.method, "huggingface_whoami");
assert.equal(calls.length, 1);
assert.equal(calls[0].url, "https://huggingface.co/api/whoami-v2");
assert.equal(calls[0].headers.Authorization, "Bearer hf_validtoken");
});
test("huggingface validator treats 401/403 as an invalid token", async () => {
globalThis.fetch = async () =>
new Response(JSON.stringify({ error: "Unauthorized" }), { status: 401 });
const unauthorized = await validateProviderApiKey({ provider: "huggingface", apiKey: "hf_bad" });
assert.equal(unauthorized.valid, false);
assert.equal(unauthorized.error, "Invalid API key");
globalThis.fetch = async () =>
new Response(JSON.stringify({ error: "Forbidden" }), { status: 403 });
const forbidden = await validateProviderApiKey({ provider: "huggingface", apiKey: "hf_bad" });
assert.equal(forbidden.valid, false);
assert.equal(forbidden.error, "Invalid API key");
});
test("huggingface validator does NOT mark a fine-grained token invalid on a non-auth status", async () => {
// This is the false-negative the port fixes: a 503/404 from a model/task
// probe used to read as "invalid key". whoami-v2 returning a non-auth,
// non-OK status must surface as a transient error, never "Invalid API key".
globalThis.fetch = async () => new Response("upstream down", { status: 503 });
const result = await validateProviderApiKey({
provider: "huggingface",
apiKey: "hf_finegrained",
});
assert.equal(result.valid, false);
assert.notEqual(result.error, "Invalid API key");
assert.match(result.error || "", /HuggingFace token check returned 503/);
});