proxy: add API key support

[mostlygeek]

Add Support for llama-swap level API keys

Updates: #433, #50 and #251

Summary by CodeRabbit

• New Features

  • API key authentication is now available. When configured, API keys are required to access API endpoints. Keys can be provided via the x-api-key header or Authorization Bearer token.

• Documentation

  • Updated configuration documentation with API key setup instructions and examples.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

The PR introduces API key authentication across the proxy service. It adds a RequiredAPIKeys configuration field with validation, implements an apiKeyAuth middleware that validates API keys from headers, and applies it to all API routes. When configured, requests require valid API keys; when unconfigured, authentication is bypassed.

Changes

Cohort / File(s)	Summary
Documentation & Configuration Files README.md, config.example.yaml, docs/configuration.md	Added feature bullet and documentation for new apiKeys configuration section. Includes example keys and guidance on non-empty string requirement.
Configuration Logic & Validation proxy/config/config.go, proxy/config/config_test.go	Added RequiredAPIKeys field to Config struct with YAML tag. Introduced validation in LoadConfigFromReader to reject empty keys or keys containing spaces. Added table-driven test suite covering invalid key scenarios.
Proxy Middleware & Routes proxy/proxymanager.go, proxy/proxymanager_api.go	Introduced apiKeyAuth() middleware that validates x-api-key header or Bearer token from Authorization header, enforces matching if both provided, and strips authentication headers before forwarding. Applied middleware to /api route group and protected endpoints (chat/completions, embeddings, models, logs, etc.). Middleware acts as no-op pass-through when no keys configured.
Proxy Integration Tests proxy/proxymanager_test.go	Added TestProxyManager_APIKeyAuth to validate middleware behavior with valid/invalid/missing keys and header combinations. Added TestProxyManager_APIKeyAuth_Disabled to verify authentication bypass when keys unconfigured.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ProxyManager
    participant apiKeyAuth
    participant Config
    participant UpstreamAPI

    rect rgb(200, 220, 255)
    Note over Client,UpstreamAPI: Scenario 1: Valid API Key
    Client->>ProxyManager: POST /api/chat/completions<br/>x-api-key: valid-key
    ProxyManager->>apiKeyAuth: Check authentication
    apiKeyAuth->>Config: Load RequiredAPIKeys
    Config-->>apiKeyAuth: [key1, key2, ...]
    apiKeyAuth->>apiKeyAuth: Validate x-api-key<br/>against configured keys
    apiKeyAuth->>apiKeyAuth: Strip auth headers
    apiKeyAuth-->>ProxyManager: Pass through (authenticated)
    ProxyManager->>UpstreamAPI: Forward request<br/>(no auth headers)
    UpstreamAPI-->>ProxyManager: 200 OK
    ProxyManager-->>Client: 200 OK
    end

    rect rgb(255, 220, 200)
    Note over Client,UpstreamAPI: Scenario 2: Invalid/Missing API Key
    Client->>ProxyManager: POST /api/chat/completions<br/>(no key)
    ProxyManager->>apiKeyAuth: Check authentication
    apiKeyAuth->>Config: Load RequiredAPIKeys
    Config-->>apiKeyAuth: [key1, key2, ...]
    apiKeyAuth->>apiKeyAuth: No valid key found
    apiKeyAuth-->>ProxyManager: 401 Unauthorized
    ProxyManager-->>Client: 401 Unauthorized
    end

    rect rgb(220, 255, 220)
    Note over Client,UpstreamAPI: Scenario 3: Keys Not Configured
    Client->>ProxyManager: POST /api/chat/completions
    ProxyManager->>apiKeyAuth: Check authentication
    apiKeyAuth->>Config: Load RequiredAPIKeys
    Config-->>apiKeyAuth: [] (empty)
    apiKeyAuth-->>ProxyManager: Pass through (no-op)
    ProxyManager->>UpstreamAPI: Forward request
    UpstreamAPI-->>ProxyManager: 200 OK
    ProxyManager-->>Client: 200 OK
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: config hot-reload #106 — Refactored setupGinEngine and ServeHTTP, affecting the same proxy manager routing code where apiKeyAuth middleware is integrated.
• proxy/config: create config package and migrate configuration #329 — Refactored config package structure; changes interact with RequiredAPIKeys field and Config struct modifications in this PR.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch api-keys-issue433

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 565c447 and 701d2ab.

📒 Files selected for processing (8)

• README.md
• config.example.yaml
• docs/configuration.md
• proxy/config/config.go
• proxy/config/config_test.go
• proxy/proxymanager.go
• proxy/proxymanager_api.go
• proxy/proxymanager_test.go

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}