proxy: add support for basic authorization #445

Merged
mostlygeek merged 1 commit into main from auth-small-fixes, Dec 31, 2025

@mostlygeek mostlygeek commented Dec 31, 2025

Fixes #444 where the UI with api keys did not work. The choice to use http basic authorization is for simple, automatic browser support. No changes to the UI were necessary. Just use an API key as the password, no user name is required.

Summary by CodeRabbit

Release Notes

  • New Features
    • HTTP Basic authentication is now supported for API authentication
    • Updated authentication method precedence: Basic takes priority over Bearer tokens and x-api-key headers
    • Enhanced authentication failure responses with additional headers for improved error handling


coderabbitai bot commented Dec 31, 2025

Walkthrough

The pull request adds HTTP Basic authentication support to the proxy's API key authentication mechanism. Basic credentials are decoded from base64 to extract the password as the API key. Basic auth is prioritized over Bearer and x-api-key headers. Authentication failures now include a WWW-Authenticate header response. Comprehensive test coverage validates these scenarios.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Implementation: proxy/proxymanager.go | Adds Basic authentication with base64 decoding; introduces key precedence (Basic > Bearer > x-api-key); replaces strict cross-header comparison with ordered key lookup; adds WWW-Authenticate header on auth failure; imports encoding/base64 |
| Test coverage: proxy/proxymanager_test.go | Removes closeClient helper method; expands auth test cases for valid/invalid Basic Auth, combined x-api-key and Basic scenarios; adds verification for WWW-Authenticate header in 401 responses; uses base64 import in tests |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • proxy: add API key support #436: Introduces the initial API key authentication mechanism that this PR extends with HTTP Basic support and modified key precedence logic.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'proxy: add support for basic authorization' directly and clearly describes the main change in the pull request, which is adding HTTP Basic Authorization support to the proxy. |
| Linked Issues check | ✅ Passed | The PR implements HTTP Basic Auth support to resolve issue #444 by allowing Web UI access when API keys are enabled, using the API key as the password in Basic Auth credentials. |
| Out of Scope Changes check | ✅ Passed | All code changes are directly related to implementing Basic Auth support for the proxy to address the Web UI accessibility issue, with no unrelated modifications detected. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
proxy/proxymanager_test.go (1)

1297-1307: Consider adding a priority conflict test.

This test validates the happy path where both headers have valid keys. To fully verify the documented priority (Basic > Bearer > x-api-key), consider adding a test where Basic auth has a valid key but x-api-key has an invalid key, confirming Basic takes precedence.

🔎 Suggested additional test case
```go
t.Run("Basic Auth takes priority over invalid x-api-key", func(t *testing.T) {
	reqBody := `{"model":"model1"}`
	req := httptest.NewRequest("POST", "/v1/chat/completions", bytes.NewBufferString(reqBody))
	req.Header.Set("x-api-key", "invalid-key")
	credentials := base64.StdEncoding.EncodeToString([]byte("user:valid-key-1"))
	req.Header.Set("Authorization", "Basic "+credentials)
	w := CreateTestResponseRecorder()

	proxy.ServeHTTP(w, req)
	assert.Equal(t, http.StatusOK, w.Code) // Basic auth valid key takes priority
})
```
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 37d74ef and 6428837.

📒 Files selected for processing (2)
  • proxy/proxymanager.go
  • proxy/proxymanager_test.go
🧰 Additional context used
📓 Path-based instructions (1)
proxy/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Run make test-dev when making iterative changes to code under the proxy/ directory - this runs go test and staticcheck, and all static checking errors must be fixed

Files:

  • proxy/proxymanager_test.go
  • proxy/proxymanager.go
🔇 Additional comments (9)
proxy/proxymanager.go (3)

6-6: LGTM!

Standard library import for base64 decoding added correctly.


829-853: LGTM! Basic auth implementation is correct.

The implementation correctly handles edge cases:

  • SplitN(_, ":", 2) preserves passwords containing colons
  • Invalid base64 silently falls through to other auth methods
  • Key priority (Basic > Bearer > x-api-key) aligns with PR description

864-869: LGTM! WWW-Authenticate header enables browser auth prompt.

Adding the WWW-Authenticate: Basic realm="llama-swap" header on 401 responses correctly triggers the browser's native authentication dialog, which fulfills the PR objective of making the Web UI accessible when API keys are enabled.

proxy/proxymanager_test.go (6)

6-6: LGTM!

Standard library import added for encoding Basic auth credentials in tests.


1253-1262: LGTM!

Test correctly validates that an invalid API key returns 401 with an "unauthorized" message.


1264-1271: LGTM!

Test correctly validates that missing authentication returns 401 Unauthorized.


1273-1283: LGTM!

Test correctly validates Basic auth with the API key as password. Using "anyuser" demonstrates that only the password (API key) is validated, which matches the implementation.


1285-1295: LGTM!

Test correctly validates that an invalid API key in Basic auth returns 401 Unauthorized.


1309-1317: LGTM!

Test correctly validates that 401 responses include the WWW-Authenticate: Basic realm="llama-swap" header, which is essential for browser authentication prompts.
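
The key lookup this review describes (Basic password first, then Bearer, then x-api-key, with undecodable Basic credentials falling through and a WWW-Authenticate challenge on failure), written out as an added example; it is not the code from proxy/proxymanager.go. The function names, the constant-time comparison, the rejection of empty keys and the sample keys are assumptions of this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// extractKey picks one credential in the order Basic > Bearer > x-api-key.
func extractKey(authorization, xAPIKey string) string {
	if strings.HasPrefix(authorization, "Basic ") {
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(authorization, "Basic "))
		if p := strings.SplitN(string(raw), ":", 2); err == nil && len(p) == 2 && p[1] != "" {
			return p[1] // password only; SplitN keeps any colons inside it
		} // undecodable or empty Basic credentials fall through to the next method
	}
	if strings.HasPrefix(authorization, "Bearer ") {
		return strings.TrimPrefix(authorization, "Bearer ")
	}
	return xAPIKey
}

// authorized rejects empty keys and compares in constant time (this example's choice).
func authorized(key string, keys []string) bool {
	match := 0
	for _, k := range keys {
		match |= subtle.ConstantTimeCompare([]byte(key), []byte(k))
	}
	return key != "" && match == 1
}

// check returns the status code and WWW-Authenticate value a handler would send.
func check(keys []string, authorization, xAPIKey string) (int, string) {
	if authorized(extractKey(authorization, xAPIKey), keys) {
		return http.StatusOK, ""
	}
	return http.StatusUnauthorized, `Basic realm="llama-swap"`
}

func basic(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

func main() {
	keys := []string{"valid-key-1"} // constructed sample key
	fmt.Println(check(keys, basic("user", "wrong"), "valid-key-1"))
}
```

With this strict ordering, a well-formed Basic credential carrying a wrong key is rejected even when x-api-key holds a valid one, because only the first credential found is compared.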

@mostlygeek mostlygeek merged commit addb986 into main Dec 31, 2025
3 checks passed
@mostlygeek mostlygeek deleted the auth-small-fixes branch December 31, 2025 21:42
rohitpaul pushed a commit to rohitpaul/llama-swap that referenced this pull request Mar 29, 2026
Fixes mostlygeek#444 where the UI with api keys did not work. The choice to use
http basic authorization is for simple, automatic browser support. No
changes to the UI were necessary. Just use an API key as the password,
no user name is required.

Development

Successfully merging this pull request may close these issues.

Web UI not working, when enabling API Keys
