diff --git a/plugins/wasm-go/extensions/ai-proxy/provider/azure.go b/plugins/wasm-go/extensions/ai-proxy/provider/azure.go
index 0766a7125..b2f2d7d6b 100644
--- a/plugins/wasm-go/extensions/ai-proxy/provider/azure.go
+++ b/plugins/wasm-go/extensions/ai-proxy/provider/azure.go
@@ -359,6 +359,7 @@ func (m *azureProvider) TransformRequestHeaders(ctx wrapper.HttpContext, apiName
 }
 util.OverwriteRequestHostHeader(headers, m.serviceUrl.Host)
 headers.Set("api-key", m.config.GetApiTokenInUse(ctx))
+ headers.Del(util.HeaderAuthorization)
 headers.Del("Content-Length")
 supportedAPI := m.config.isSupportedAPI(apiName)
diff --git a/plugins/wasm-go/extensions/ai-proxy/provider/claude.go b/plugins/wasm-go/extensions/ai-proxy/provider/claude.go
index 402918e92..b79f56b83 100644
--- a/plugins/wasm-go/extensions/ai-proxy/provider/claude.go
+++ b/plugins/wasm-go/extensions/ai-proxy/provider/claude.go
@@ -372,6 +372,7 @@ func (c *claudeProvider) TransformRequestHeaders(ctx wrapper.HttpContext, apiNam
 } else {
 // Standard mode: use x-api-key
 headers.Set("x-api-key", c.config.GetApiTokenInUse(ctx))
+ headers.Del(util.HeaderAuthorization)
 }
 }
diff --git a/plugins/wasm-go/extensions/ai-proxy/test/azure.go b/plugins/wasm-go/extensions/ai-proxy/test/azure.go
index 4dd8f3d8f..dac688d0c 100644
--- a/plugins/wasm-go/extensions/ai-proxy/test/azure.go
+++ b/plugins/wasm-go/extensions/ai-proxy/test/azure.go
@@ -490,6 +490,7 @@ func RunAzureOnHttpRequestHeadersTests(t *testing.T) {
 {":path", "/v1/chat/completions"},
 {":method", "POST"},
 {"Content-Type", "application/json"},
+ {"Authorization", "Bearer gateway-token"},
 })
 // 应该返回HeaderStopIteration,因为需要处理请求体
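Review bot: The new `headers.Del(util.HeaderAuthorization)` in provider/azure.go carries no comment saying why it is there, and the same bare call is repeated in the standard-mode branch of provider/claude.go. The reason is security-relevant: the test fixture shows the client arriving with `Bearer gateway-token`, a gateway credential that should not be forwarded to the upstream provider. I would add `// Drop the client's Authorization header so the gateway credential is not forwarded upstream; Azure is authenticated via api-key.` above the call so a later refactor does not remove it as dead code. Only Authorization is removed here; whether other client-supplied credential headers are stripped elsewhere is not visible in this hunk and is worth confirming. TransformRequestHeaders starts and ends outside the hunk.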
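Review bot: In provider/claude.go the delete is added only inside the standard-mode `else` branch, so the fate of the client's Authorization header in the other mode is decided by the preceding branch, which lies outside the hunk. If that branch writes the provider credential with `headers.Set(util.HeaderAuthorization, ...)`, the client value is replaced and nothing leaks. If it appends instead of overwriting, or skips the header when no token is configured, the gateway token would presumably still go upstream. I would confirm that path and add a test mirroring the standard-mode assertion, checking that the forwarded Authorization value is not `Bearer gateway-token`.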
@@ -509,6 +510,12 @@ func RunAzureOnHttpRequestHeadersTests(t *testing.T) { require.True(t, hasApiKey, "api-key header should exist") require.Equal(t, "sk-azure-test123456789", apiKeyValue, "api-key should contain Azure API token") + // 验证Authorization是否被删除 + _, hasAuthLower := test.GetHeaderValue(requestHeaders, "authorization") + require.False(t, hasAuthLower, "Authorization header should be deleted") + _, hasAuthUpper := test.GetHeaderValue(requestHeaders, "Authorization") + require.False(t, hasAuthUpper, "Authorization header should be deleted") + // 验证Path是否被正确处理 pathValue, hasPath := test.GetHeaderValue(requestHeaders, ":path") require.True(t, hasPath, "Path header should exist") diff --git a/plugins/wasm-go/extensions/ai-proxy/test/claude.go b/plugins/wasm-go/extensions/ai-proxy/test/claude.go index 3c4347726..c31c45fab 100644 --- a/plugins/wasm-go/extensions/ai-proxy/test/claude.go +++ b/plugins/wasm-go/extensions/ai-proxy/test/claude.go @@ -97,6 +97,7 @@ func RunClaudeOnHttpRequestHeadersTests(t *testing.T) { {":path", "/v1/chat/completions"}, {":method", "POST"}, {"Content-Type", "application/json"}, + {"Authorization", "Bearer gateway-token"}, }) require.Equal(t, types.HeaderStopIteration, action) 
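Review bot: Both new assertions in the second test/azure.go hunk fail with the identical message `"Authorization header should be deleted"`, so a failure does not say which lookup found the header. The Claude test in this commit already distinguishes the two by casing. I would change the first to `require.False(t, hasAuthLower, "authorization header should be deleted")`. The fixture also sends the header once, in one casing; a case with a lower-case `authorization` request header would show that the deletion does not depend on how the client spelled it (presumably the header map canonicalises names, but that is not visible here).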
@@ -104,9 +105,11 @@ func RunClaudeOnHttpRequestHeadersTests(t *testing.T) {
 require.True(t, test.HasHeaderWithValue(requestHeaders, "x-api-key", "sk-ant-api-key-123"))
 require.True(t, test.HasHeaderWithValue(requestHeaders, "anthropic-version", "2023-06-01"))
- // Should NOT have Claude Code specific headers
- _, hasAuth := test.GetHeaderValue(requestHeaders, "authorization")
- require.False(t, hasAuth, "standard mode should not have authorization header")
+ // Should NOT have Claude Code specific headers or leaked Authorization header
+ _, hasAuthLower := test.GetHeaderValue(requestHeaders, "authorization")
+ require.False(t, hasAuthLower, "standard mode should not have authorization header")
+ _, hasAuthUpper := test.GetHeaderValue(requestHeaders, "Authorization")
+ require.False(t, hasAuthUpper, "standard mode should not have Authorization header")
 _, hasXApp := test.GetHeaderValue(requestHeaders, "x-app")
 require.False(t, hasXApp, "standard mode should not have x-app header")