Hugging Face's logo

Spaces:
AZILS
/
app
Paused

App Files Community
app
File size: 2,290 Bytes
852e525
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# Proxy authorization (auth modes)

## What we wanted
- Allow running the proxy **open** for local-only workflows.
- Allow enabling **request authentication** when exposing the proxy more widely (LAN, shared host, etc.).
- Keep behavior predictable for tools that cannot add auth headers by providing a mode that keeps health checks open.
- Apply changes **without restart** (hot reload).

## What we got
The proxy supports `proxy.auth_mode` with four modes:
- `off` — no auth required.
- `strict` — auth required for all routes.
- `all_except_health` — auth required for all routes except `GET /healthz`.
- `auto` — derived policy: if `proxy.allow_lan_access=true` then `all_except_health`, otherwise `off`.

Implementation:
- Config enum and serialization: [`src-tauri/src/proxy/config.rs`](../../src-tauri/src/proxy/config.rs)
  - `ProxyAuthMode` in [`src-tauri/src/proxy/config.rs`](../../src-tauri/src/proxy/config.rs)
- Policy resolver (“effective mode”): [`src-tauri/src/proxy/security.rs`](../../src-tauri/src/proxy/security.rs)
  - `ProxySecurityConfig::from_proxy_config(...)` in [`src-tauri/src/proxy/security.rs`](../../src-tauri/src/proxy/security.rs)
- Request middleware enforcement: [`src-tauri/src/proxy/middleware/auth.rs`](../../src-tauri/src/proxy/middleware/auth.rs)
  - `auth_middleware(...)` validates `Authorization: Bearer <proxy.api_key>`
  - `OPTIONS` requests are allowed (CORS preflight)
  - In `all_except_health`, `GET /healthz` bypasses auth

Hot reload:
- Config save triggers running server updates in [`src-tauri/src/commands/mod.rs`](../../src-tauri/src/commands/mod.rs)
  - `save_config(...)` calls `axum_server.update_security(&config.proxy).await`

## Client contract
When auth is enabled, clients should send:
- `Authorization: Bearer <proxy.api_key>`

Notes:
- The proxy API key is **not** forwarded upstream to providers.
- Health may remain open depending on the selected mode.

## Validation
1) Set `proxy.auth_mode=all_except_health` and `proxy.api_key` in the UI (`src/pages/ApiProxy.tsx`).
   - UI: [`src/pages/ApiProxy.tsx`](../../src/pages/ApiProxy.tsx)
2) Start the proxy.
3) Verify:
   - `GET /healthz` succeeds without auth.
   - Other endpoints (e.g. `POST /v1/messages`) return 401 without auth and succeed with the header.