feature: Support getting the API key from the request header when provider.apiTokens is not configured. (#3394)

Co-authored-by: 澄潭 <zty98751@alibaba-inc.com>

plugins/wasm-go/extensions/ai-proxy/provider/openai.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/alibaba/higress/plugins/wasm-go/extensions/ai-proxy/util"
+	"github.com/higress-group/proxy-wasm-go-sdk/proxywasm"
 	"github.com/higress-group/proxy-wasm-go-sdk/proxywasm/types"
 	"github.com/higress-group/wasm-go/pkg/log"
 	"github.com/higress-group/wasm-go/pkg/wrapper"
@@ -134,8 +135,63 @@ func (m *openaiProvider) TransformRequestHeaders(ctx wrapper.HttpContext, apiNam
 	} else {
 		util.OverwriteRequestHostHeader(headers, defaultOpenaiDomain)
 	}
+
+	var token string
+
+	// 1. If apiTokens is configured, use it first
 	if len(m.config.apiTokens) > 0 {
-		util.OverwriteRequestAuthorizationHeader(headers, "Bearer "+m.config.GetApiTokenInUse(ctx))
+		token = m.config.GetApiTokenInUse(ctx)
+		if token == "" {
+			log.Warnf("[openaiProvider.TransformRequestHeaders] apiTokens count > 0 but GetApiTokenInUse returned empty")
+		}
+	} else {
+		// If no apiToken is configured, try to extract from original request headers
+
+		// 2. If authHeaderKey is configured, use the specified header
+		if m.config.authHeaderKey != "" {
+			if apiKey, err := proxywasm.GetHttpRequestHeader(m.config.authHeaderKey); err == nil && apiKey != "" {
+				token = apiKey
+				log.Debugf("[openaiProvider.TransformRequestHeaders] Using token from configured header: %s", m.config.authHeaderKey)
+			}
+		}
+
+		// 3. If authHeaderKey is not configured, check default headers in priority order
+		if token == "" {
+			defaultHeaders := []string{"x-api-key", "x-authorization"}
+			for _, headerName := range defaultHeaders {
+				if apiKey, err := proxywasm.GetHttpRequestHeader(headerName); err == nil && apiKey != "" {
+					token = apiKey
+					log.Debugf("[openaiProvider.TransformRequestHeaders] Using token from %s header", headerName)
+					break
+				}
+			}
+		}
+
+		// 4. Finally check Authorization header
+		if token == "" {
+			if auth, err := proxywasm.GetHttpRequestHeader("Authorization"); err == nil && auth != "" {
+				// Extract token from "Bearer <token>" format
+				if strings.HasPrefix(auth, "Bearer ") {
+					token = strings.TrimPrefix(auth, "Bearer ")
+					log.Debugf("[openaiProvider.TransformRequestHeaders] Using token from Authorization header (Bearer format)")
+				} else {
+					token = auth
+					log.Debugf("[openaiProvider.TransformRequestHeaders] Using token from Authorization header (no Bearer prefix)")
+				}
+			}
+		}
+	}
+
+	// 5. Set Authorization header (avoid duplicate Bearer prefix)
+	if token != "" {
+		// Check if token already contains Bearer prefix
+		if !strings.HasPrefix(token, "Bearer ") {
+			token = "Bearer " + token
+		}
+		util.OverwriteRequestAuthorizationHeader(headers, token)
+		log.Debugf("[openaiProvider.TransformRequestHeaders] Set Authorization header successfully")
+	} else {
+		log.Warnf("[openaiProvider.TransformRequestHeaders] No auth token available - neither configured in apiTokens nor in request headers")
 	}
 	headers.Del("Content-Length")
 }

plugins/wasm-go/extensions/ai-proxy/provider/provider.go

@@ -397,6 +397,9 @@ type ProviderConfig struct {
 	// @Title zh-CN  指定服务返回的响应需满足的JSON Schema
 	// @Description zh-CN 目前仅适用于OpenAI部分模型服务。参考：https://platform.openai.com/docs/guides/structured-outputs
 	responseJsonSchema map[string]interface{} `required:"false" yaml:"responseJsonSchema" json:"responseJsonSchema"`
+	// @Title zh-CN 自定义认证Header名称
+	// @Description zh-CN 用于从请求中提取认证token的自定义header名称。如不配置，则按默认优先级检查 x-api-key、x-authorization、anthropic-api-key 和 Authorization header。
+	authHeaderKey string `required:"false" yaml:"authHeaderKey" json:"authHeaderKey"`
 	// @Title zh-CN 自定义大模型参数配置
 	// @Description zh-CN 用于填充或者覆盖大模型调用时的参数
 	customSettings []CustomSetting

plugins/wasm-go/extensions/model-mapper/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/json"
 	"errors"
 	"sort"
 	"strings"
@@ -136,11 +137,8 @@ func onHttpRequestHeaders(ctx wrapper.HttpContext, config Config) types.Action {
 			break
 		}
 	}
-	if !matched {
-		return types.ActionContinue
-	}
 
-	if !ctx.HasRequestBody() {
+	if !matched || !ctx.HasRequestBody() {
 		ctx.DontReadRequestBody()
 		return types.ActionContinue
 	}
@@ -158,6 +156,11 @@ func onHttpRequestBody(ctx wrapper.HttpContext, config Config, body []byte) type
 		return types.ActionContinue
 	}
 
+	if !json.Valid(body) {
+		log.Error("invalid json body")
+		return types.ActionContinue
+	}
+
 	oldModel := gjson.GetBytes(body, config.modelKey).String()
 
 	newModel := config.defaultModel

plugins/wasm-go/extensions/model-router/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"bytes"
+	"encoding/json"
 	"io"
 	"mime"
 	"mime/multipart"
@@ -91,15 +92,11 @@ func onHttpRequestHeaders(ctx wrapper.HttpContext, config ModelRouterConfig) typ
 		}
 	}
 
-	if !enable {
+	if !enable || !ctx.HasRequestBody() {
 		ctx.DontReadRequestBody()
 		return types.ActionContinue
 	}
 
-	if !ctx.HasRequestBody() {
-		return types.ActionContinue
-	}
-
 	// Prepare for body processing
 	proxywasm.RemoveHttpRequestHeader("content-length")
 	// 100MB buffer limit
@@ -124,7 +121,10 @@ func onHttpRequestBody(ctx wrapper.HttpContext, config ModelRouterConfig, body [
 }
 
 func handleJsonBody(ctx wrapper.HttpContext, config ModelRouterConfig, body []byte) types.Action {
-
+	if !json.Valid(body) {
+		log.Error("invalid json body")
+		return types.ActionContinue
+	}
 	modelValue := gjson.GetBytes(body, config.modelKey).String()
 	if modelValue == "" {
 		return types.ActionContinue