feature: Support getting the API key from the request header when provider.apiTokens is not configured. (#3394)

Co-authored-by: 澄潭 <zty98751@alibaba-inc.com>
2026-06-08 20:27:31 +08:00 · 2026-01-28 14:03:24 +08:00
parent cbcc3ecf43
commit f2fcd68ef8
2 changed files with 60 additions and 1 deletions
--- a/plugins/wasm-go/extensions/ai-proxy/provider/openai.go
+++ b/plugins/wasm-go/extensions/ai-proxy/provider/openai.go
@@ -7,6 +7,7 @@ import (
 	"strings"

 	"github.com/alibaba/higress/plugins/wasm-go/extensions/ai-proxy/util"
+	"github.com/higress-group/proxy-wasm-go-sdk/proxywasm"
 	"github.com/higress-group/proxy-wasm-go-sdk/proxywasm/types"
 	"github.com/higress-group/wasm-go/pkg/log"
 	"github.com/higress-group/wasm-go/pkg/wrapper"
@@ -134,8 +135,63 @@ func (m *openaiProvider) TransformRequestHeaders(ctx wrapper.HttpContext, apiNam
 	} else {
 		util.OverwriteRequestHostHeader(headers, defaultOpenaiDomain)
 	}
+
+	var token string
+
+	// 1. If apiTokens is configured, use it first
 	if len(m.config.apiTokens) > 0 {
-		util.OverwriteRequestAuthorizationHeader(headers, "Bearer "+m.config.GetApiTokenInUse(ctx))
+		token = m.config.GetApiTokenInUse(ctx)
+		if token == "" {
+			log.Warnf("[openaiProvider.TransformRequestHeaders] apiTokens count > 0 but GetApiTokenInUse returned empty")
+		}
+	} else {
+		// If no apiToken is configured, try to extract from original request headers
+
+		// 2. If authHeaderKey is configured, use the specified header
+		if m.config.authHeaderKey != "" {
+			if apiKey, err := proxywasm.GetHttpRequestHeader(m.config.authHeaderKey); err == nil && apiKey != "" {
+				token = apiKey
+				log.Debugf("[openaiProvider.TransformRequestHeaders] Using token from configured header: %s", m.config.authHeaderKey)
+			}
+		}
+
+		// 3. If authHeaderKey is not configured, check default headers in priority order
+		if token == "" {
+			defaultHeaders := []string{"x-api-key", "x-authorization"}
+			for _, headerName := range defaultHeaders {
+				if apiKey, err := proxywasm.GetHttpRequestHeader(headerName); err == nil && apiKey != "" {
+					token = apiKey
+					log.Debugf("[openaiProvider.TransformRequestHeaders] Using token from %s header", headerName)
+					break
+				}
+			}
+		}
+
+		// 4. Finally check Authorization header
+		if token == "" {
+			if auth, err := proxywasm.GetHttpRequestHeader("Authorization"); err == nil && auth != "" {
+				// Extract token from "Bearer <token>" format
+				if strings.HasPrefix(auth, "Bearer ") {
+					token = strings.TrimPrefix(auth, "Bearer ")
+					log.Debugf("[openaiProvider.TransformRequestHeaders] Using token from Authorization header (Bearer format)")
+				} else {
+					token = auth
+					log.Debugf("[openaiProvider.TransformRequestHeaders] Using token from Authorization header (no Bearer prefix)")
+				}
+			}
+		}
+	}
+
+	// 5. Set Authorization header (avoid duplicate Bearer prefix)
+	if token != "" {
+		// Check if token already contains Bearer prefix
+		if !strings.HasPrefix(token, "Bearer ") {
+			token = "Bearer " + token
+		}
+		util.OverwriteRequestAuthorizationHeader(headers, token)
+		log.Debugf("[openaiProvider.TransformRequestHeaders] Set Authorization header successfully")
+	} else {
+		log.Warnf("[openaiProvider.TransformRequestHeaders] No auth token available - neither configured in apiTokens nor in request headers")
 	}
 	headers.Del("Content-Length")
 }