Skip to content

refactor: move virtual key validation and context attachment before passthrough check #3213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Pratham-Mishra04 wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

refactor: move virtual key validation and context attachment before passthrough check #3213

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 33 additions & 33 deletions plugins/governance/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -346,12 +346,42 @@ func (p *GovernancePlugin) HTTPTransportPreHook(ctx *schemas.BifrostContext, req
virtualKeyValue := parseVirtualKeyFromHTTPRequest(req)
hasRoutingRules := p.store.HasRoutingRules(ctx)

if strings.Contains(req.Path, "passthrough") {
// If no virtual key and no routing rules configured, skip all processing
if virtualKeyValue == nil && !hasRoutingRules {
return nil, nil
}

// If no virtual key and no routing rules configured, skip all processing
if virtualKeyValue == nil && !hasRoutingRules {
// Only unmarshal if we have VK or routing rules
var payload map[string]any
var virtualKey *configstoreTables.TableVirtualKey
var ok bool
var needsMarshal bool

// Process virtual key if provided
if virtualKeyValue != nil {
virtualKey, ok = p.store.GetVirtualKey(ctx, *virtualKeyValue)
if !ok || virtualKey == nil || !virtualKey.IsActive {
return nil, nil
}
}

// Attaching team and customer based on the virtual key
if virtualKey != nil {
if virtualKey.TeamID != nil {
ctx.SetValue(schemas.BifrostContextKeyGovernanceTeamID, *virtualKey.TeamID)
}
if virtualKey.Team != nil {
ctx.SetValue(schemas.BifrostContextKeyGovernanceTeamName, virtualKey.Team.Name)
}
if virtualKey.CustomerID != nil {
ctx.SetValue(schemas.BifrostContextKeyGovernanceCustomerID, *virtualKey.CustomerID)
}
if virtualKey.Customer != nil {
ctx.SetValue(schemas.BifrostContextKeyGovernanceCustomerName, virtualKey.Customer.Name)
}
}

if strings.Contains(req.Path, "passthrough") {
return nil, nil
}

Expand All @@ -364,12 +394,6 @@ func (p *GovernancePlugin) HTTPTransportPreHook(ctx *schemas.BifrostContext, req
return p.governLargePayload(ctx, req, virtualKeyValue, hasRoutingRules)
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot May 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Redundant VK lookup in governLargePayload

HTTPTransportPreHook now validates the virtual key and attaches team/customer context before reaching this call site, but governLargePayload re-runs the same p.store.GetVirtualKey lookup and re-sets the identical context values unconditionally. Because governLargePayload is only ever called from this path, both the store roundtrip and the ctx.SetValue calls are now no-ops in the happy path. If the key happens to be deactivated between the two lookups, the context will already carry stale team/customer metadata from the first lookup even though governLargePayload returns early without applying governance — a subtle inconsistency. Consider passing the already-resolved *configstoreTables.TableVirtualKey directly to governLargePayload to eliminate the double lookup and the staleness window.

}

// Only unmarshal if we have VK or routing rules
var payload map[string]any
var virtualKey *configstoreTables.TableVirtualKey
var ok bool
var needsMarshal bool

contentType := req.CaseInsensitiveHeaderLookup("Content-Type")
lowerCT := strings.ToLower(contentType)
// Strip parameters (e.g., "; charset=utf-8") for clean media type comparison
Expand Down Expand Up @@ -400,30 +424,6 @@ func (p *GovernancePlugin) HTTPTransportPreHook(ctx *schemas.BifrostContext, req
}
}

// Process virtual key if provided
if virtualKeyValue != nil {
virtualKey, ok = p.store.GetVirtualKey(ctx, *virtualKeyValue)
if !ok || virtualKey == nil || !virtualKey.IsActive {
return nil, nil
}
}

// Attaching team and customer based on the virtual key
if virtualKey != nil {
if virtualKey.TeamID != nil {
ctx.SetValue(schemas.BifrostContextKeyGovernanceTeamID, *virtualKey.TeamID)
}
if virtualKey.Team != nil {
ctx.SetValue(schemas.BifrostContextKeyGovernanceTeamName, virtualKey.Team.Name)
}
if virtualKey.CustomerID != nil {
ctx.SetValue(schemas.BifrostContextKeyGovernanceCustomerID, *virtualKey.CustomerID)
}
if virtualKey.Customer != nil {
ctx.SetValue(schemas.BifrostContextKeyGovernanceCustomerName, virtualKey.Customer.Name)
}
}

//1. Apply routing rules only if we have rules or matched decision
var routingDecision *RoutingDecision
if hasRoutingRules {
Expand Down
Loading