fix(ai-proxy): clean client Authorization header for api-key providers (#3956)

Signed-off-by: DENG <33118163+XinhhD@users.noreply.github.com> Co-authored-by: woody <yaodiwu618@gmail.com>
2026-06-26 02:35:02 +08:00 · 2026-06-16 16:19:37 +08:00
parent d1f95f6e54
commit 7abf27a2a3
4 changed files with 15 additions and 3 deletions
--- a/plugins/wasm-go/extensions/ai-proxy/provider/azure.go
+++ b/plugins/wasm-go/extensions/ai-proxy/provider/azure.go
@@ -359,6 +359,7 @@ func (m *azureProvider) TransformRequestHeaders(ctx wrapper.HttpContext, apiName
 	}
 	util.OverwriteRequestHostHeader(headers, m.serviceUrl.Host)
 	headers.Set("api-key", m.config.GetApiTokenInUse(ctx))
+	headers.Del(util.HeaderAuthorization)
 	headers.Del("Content-Length")

 	supportedAPI := m.config.isSupportedAPI(apiName)
--- a/plugins/wasm-go/extensions/ai-proxy/provider/claude.go
+++ b/plugins/wasm-go/extensions/ai-proxy/provider/claude.go
@@ -372,6 +372,7 @@ func (c *claudeProvider) TransformRequestHeaders(ctx wrapper.HttpContext, apiNam
 	} else {
 		// Standard mode: use x-api-key
 		headers.Set("x-api-key", c.config.GetApiTokenInUse(ctx))
+		headers.Del(util.HeaderAuthorization)
 	}
 }

--- a/plugins/wasm-go/extensions/ai-proxy/test/azure.go
+++ b/plugins/wasm-go/extensions/ai-proxy/test/azure.go
@@ -490,6 +490,7 @@ func RunAzureOnHttpRequestHeadersTests(t *testing.T) {
 				{":path", "/v1/chat/completions"},
 				{":method", "POST"},
 				{"Content-Type", "application/json"},
+				{"Authorization", "Bearer gateway-token"},
 			})

 			// 应该返回HeaderStopIteration，因为需要处理请求体
@@ -509,6 +510,12 @@ func RunAzureOnHttpRequestHeadersTests(t *testing.T) {
 			require.True(t, hasApiKey, "api-key header should exist")
 			require.Equal(t, "sk-azure-test123456789", apiKeyValue, "api-key should contain Azure API token")

+			// 验证Authorization是否被删除
+			_, hasAuthLower := test.GetHeaderValue(requestHeaders, "authorization")
+			require.False(t, hasAuthLower, "Authorization header should be deleted")
+			_, hasAuthUpper := test.GetHeaderValue(requestHeaders, "Authorization")
+			require.False(t, hasAuthUpper, "Authorization header should be deleted")
+
 			// 验证Path是否被正确处理
 			pathValue, hasPath := test.GetHeaderValue(requestHeaders, ":path")
 			require.True(t, hasPath, "Path header should exist")
--- a/plugins/wasm-go/extensions/ai-proxy/test/claude.go
+++ b/plugins/wasm-go/extensions/ai-proxy/test/claude.go
@@ -97,6 +97,7 @@ func RunClaudeOnHttpRequestHeadersTests(t *testing.T) {
 				{":path", "/v1/chat/completions"},
 				{":method", "POST"},
 				{"Content-Type", "application/json"},
+				{"Authorization", "Bearer gateway-token"},
 			})
 			require.Equal(t, types.HeaderStopIteration, action)

@@ -104,9 +105,11 @@ func RunClaudeOnHttpRequestHeadersTests(t *testing.T) {
 			require.True(t, test.HasHeaderWithValue(requestHeaders, "x-api-key", "sk-ant-api-key-123"))
 			require.True(t, test.HasHeaderWithValue(requestHeaders, "anthropic-version", "2023-06-01"))

-			// Should NOT have Claude Code specific headers
-			_, hasAuth := test.GetHeaderValue(requestHeaders, "authorization")
-			require.False(t, hasAuth, "standard mode should not have authorization header")
+			// Should NOT have Claude Code specific headers or leaked Authorization header
+			_, hasAuthLower := test.GetHeaderValue(requestHeaders, "authorization")
+			require.False(t, hasAuthLower, "standard mode should not have authorization header")
+			_, hasAuthUpper := test.GetHeaderValue(requestHeaders, "Authorization")
+			require.False(t, hasAuthUpper, "standard mode should not have Authorization header")

 			_, hasXApp := test.GetHeaderValue(requestHeaders, "x-app")
 			require.False(t, hasXApp, "standard mode should not have x-app header")