add files

R/asa_api_helpers.R

@@ -265,20 +265,46 @@ asa_api_bootstrap <- function() {
 
 asa_api_get_header <- function(req, key) {
   headers <- req$HEADERS %||% list()
-  value <- headers[[key]] %||% headers[[toupper(key)]] %||% ""
+  header_names <- names(headers) %||% character(0)
+  value <- ""
+
+  if (length(header_names)) {
+    header_match <- which(tolower(header_names) == tolower(asa_api_scalar_chr(key, default = "")))
+    if (length(header_match)) {
+      value <- headers[[header_match[[1]]]]
+    }
+  }
+
+  if (!nzchar(asa_api_scalar_chr(value, default = ""))) {
+    value <- headers[[key]] %||% headers[[toupper(key)]] %||% ""
+  }
+
   asa_api_scalar_chr(value, default = "")
 }
 
-asa_api_extract_api_token <- function(req) {
-  auth_header <- asa_api_get_header(req, "authorization")
-  x_api_key <- asa_api_get_header(req, "x-api-key")
+asa_api_required_bearer_token <- function() {
+  "999"
+}
+
+asa_api_path_requires_bearer_auth <- function(path) {
+  startsWith(asa_api_scalar_chr(path, default = ""), "/v1/")
+}
 
+asa_api_extract_bearer_token <- function(req) {
+  auth_header <- asa_api_get_header(req, "authorization")
   bearer <- sub("^Bearer\\s+", "", auth_header, ignore.case = TRUE)
   if (nzchar(trimws(bearer)) && !identical(trimws(bearer), trimws(auth_header))) {
     return(trimws(bearer))
   }
 
-  trimws(x_api_key)
+  ""
+}
+
+asa_api_has_required_bearer_token <- function(req) {
+  identical(
+    asa_api_extract_bearer_token(req),
+    asa_api_required_bearer_token()
+  )
 }
 
 asa_api_require_prompt <- function(payload) {

R/plumber.R

@@ -59,7 +59,7 @@ function(req, res) {
   allow_origin <- trimws(Sys.getenv("CORS_ALLOW_ORIGIN", unset = "*"))
   res$setHeader("Access-Control-Allow-Origin", if (nzchar(allow_origin)) allow_origin else "*")
   res$setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS")
-  res$setHeader("Access-Control-Allow-Headers", "Authorization,Content-Type,x-api-key")
+  res$setHeader("Access-Control-Allow-Headers", "Authorization,Content-Type")
 
   if (identical(req$REQUEST_METHOD, "OPTIONS")) {
     res$status <- 200L
@@ -72,18 +72,12 @@ function(req, res) {
 #* @filter auth
 function(req, res) {
   path <- asa_api_scalar_chr(req$PATH_INFO, default = "")
-  if (!startsWith(path, "/v1/")) {
+  if (!asa_api_path_requires_bearer_auth(path)) {
     return(plumber::forward())
   }
 
-  api_key <- trimws(Sys.getenv("ASA_API_KEY", unset = ""))
-  if (!nzchar(api_key)) {
-    return(plumber::forward())
-  }
-
-  supplied <- asa_api_extract_api_token(req)
-  if (!nzchar(supplied) || !identical(supplied, api_key)) {
-    return(asa_api_error_payload(res, 401L, "Unauthorized: missing or invalid API key."))
+  if (!asa_api_has_required_bearer_token(req)) {
+    return(asa_api_error_payload(res, 401L, "Unauthorized: submit Authorization: Bearer 999."))
   }
 
   plumber::forward()

README.md

@@ -28,11 +28,8 @@ It uses:
 
 ## Security Model
 
-- API key auth is optional:
-  - If `ASA_API_KEY` is set, `/v1/*` requires:
-    - `Authorization: Bearer <key>` or
-    - `x-api-key: <key>`
-  - If `ASA_API_KEY` is not set, `/v1/*` is public.
+- API bearer auth is required for `/v1/*`:
+  - Include `Authorization: Bearer 999`
 - GUI auth is password-based:
   - `/gui/query` checks `GUI_PASSWORD` 
 
@@ -45,7 +42,6 @@ Set these when running the container:
 
 Optional secrets / vars:
 
-- `ASA_API_KEY` (enables API token auth for `/v1/*`)
 - `ASA_DEFAULT_BACKEND` (defaults to `gemini` if unset; examples: `openai`, `groq`, `anthropic`, `gemini`, `openrouter`)
 - `ASA_DEFAULT_MODEL` (example: `gemini-2.5-flash`)
 - `ASA_CONDA_ENV` (default: `asa_env`)
@@ -74,7 +70,7 @@ curl -s http://localhost:7860/healthz
 ```bash
 curl -s http://localhost:7860/v1/run \
   -H "Content-Type: application/json" \
-  -H "Authorization: Bearer $ASA_API_KEY" \
+  -H "Authorization: Bearer 999" \
   -d '{
     "prompt": "What is the population of Tokyo?",
     "config": {
@@ -92,6 +88,7 @@ curl -s http://localhost:7860/v1/run \
 
 ```bash
 curl -s http://localhost:7860/v1/run \
+  -H "Authorization: Bearer 999" \
   -H "Content-Type: application/json" \
   -d '{
     "prompt": "Find Marie Curie birth year and nationality. Return JSON.",
@@ -105,6 +102,7 @@ curl -s http://localhost:7860/v1/run \
 
 ```bash
 curl -s http://localhost:7860/v1/batch \
+  -H "Authorization: Bearer 999" \
   -H "Content-Type: application/json" \
   -d '{
     "prompts": [
@@ -211,7 +209,6 @@ Local run:
 docker run --rm -p 7860:7860 \
   -e GOOGLE_API_KEY=... \
   -e GUI_PASSWORD=XXX \
-  -e ASA_API_KEY=optional_token \
   asa-api
 ```
 

Tests/api_contract_smoke.R

@@ -110,6 +110,72 @@ assert_true(
   "Direct-provider capability checks should agree on run_direct_task availability."
 )
 
+mock_request <- function(path = "/v1/run", authorization = NULL, x_api_key = NULL) {
+  headers <- list()
+  if (!is.null(authorization)) {
+    headers$authorization <- authorization
+  }
+  if (!is.null(x_api_key)) {
+    headers[["x-api-key"]] <- x_api_key
+  }
+
+  list(
+    PATH_INFO = path,
+    HEADERS = headers
+  )
+}
+
+assert_true(
+  isTRUE(asa_api_path_requires_bearer_auth("/v1/run")) &&
+    isTRUE(asa_api_path_requires_bearer_auth("/v1/batch")),
+  "`/v1/*` routes should require bearer auth."
+)
+assert_true(
+  !isTRUE(asa_api_path_requires_bearer_auth("/healthz")) &&
+    !isTRUE(asa_api_path_requires_bearer_auth("/gui/query")),
+  "Health and GUI routes should remain outside bearer auth scope."
+)
+assert_true(
+  identical(asa_api_required_bearer_token(), "999"),
+  "Bearer auth should require the fixed token 999."
+)
+assert_true(
+  identical(
+    asa_api_extract_bearer_token(mock_request(authorization = "Bearer 999")),
+    "999"
+  ),
+  "Bearer extraction should accept the required token."
+)
+assert_true(
+  identical(
+    asa_api_extract_bearer_token(list(
+      PATH_INFO = "/v1/run",
+      HEADERS = list(Authorization = "Bearer 999")
+    )),
+    "999"
+  ),
+  "Bearer extraction should match Authorization headers case-insensitively."
+)
+assert_true(
+  identical(
+    asa_api_extract_bearer_token(mock_request(authorization = "Basic 999")),
+    ""
+  ),
+  "Non-bearer Authorization schemes should not be accepted."
+)
+assert_true(
+  isTRUE(asa_api_has_required_bearer_token(mock_request(authorization = "Bearer 999"))),
+  "Bearer auth should accept Authorization: Bearer 999."
+)
+assert_true(
+  !isTRUE(asa_api_has_required_bearer_token(mock_request(authorization = "Bearer wrong"))),
+  "Bearer auth should reject the wrong token."
+)
+assert_true(
+  !isTRUE(asa_api_has_required_bearer_token(mock_request(x_api_key = "999"))),
+  "Legacy x-api-key auth should no longer be accepted."
+)
+
 health_payload <- asa_api_health_payload()
 assert_true(
   identical(isTRUE(health_payload$direct_provider_available), isTRUE(asa_api_has_run_direct_task())),

Tests/example_API_call.R

@@ -5,9 +5,10 @@ library(jsonlite)
 base_url <- "http://localhost:7860"
 
 resp <- request(paste0(base_url, "/v1/run")) |>
-  req_headers(`Content-Type` = "application/json") |>
-  # If you enabled ASA_API_KEY, add:
-  # req_headers(Authorization = paste("Bearer", Sys.getenv("ASA_API_KEY"))) |>
+  req_headers(
+    `Content-Type` = "application/json",
+    Authorization = "Bearer 999"
+  ) |>
   req_body_json(list(prompt = "Return the single word OK."), auto_unbox = TRUE) |>
   req_perform()
 

www/index.html

@@ -353,15 +353,15 @@
       </div>
 
       <p class="hint">
-        API key auth does not apply to this GUI endpoint. Password is checked against <code>GUI_PASSWORD</code>, and provider selection remains server-side.
+        API bearer auth does not apply to this GUI endpoint. Password is checked against <code>GUI_PASSWORD</code>, and provider selection remains server-side.
       </p>
       <div class="hint api-guide" aria-label="API quickstart instructions">
         <p><strong>API quickstart</strong></p>
         <p><strong>Base URL:</strong> <code>https://asa.aidevlab.org</code></p>
         <p><strong>Health:</strong> <code>GET /healthz</code> and <code>curl -s https://asa.aidevlab.org/healthz</code></p>
-        <p><strong>Run one prompt:</strong> <code>POST /v1/run</code> with JSON and <code>curl -s https://asa.aidevlab.org/v1/run -H "Content-Type: application/json" -d '{"prompt":"Hello","run":{"output_format":"text"}}'</code></p>
-        <p><strong>Run batch prompts:</strong> <code>POST /v1/batch</code> with a plain string array for <code>prompts</code> and <code>curl -s https://asa.aidevlab.org/v1/batch -H "Content-Type: application/json" -d '{"prompts":["Hello","World"],"run":{"output_format":"text"}}'</code></p>
-        <p><strong>Auth (optional):</strong> If <code>ASA_API_KEY</code> is set, include <code>Authorization: Bearer &lt;key&gt;</code> or <code>x-api-key: &lt;key&gt;</code>.</p>
+        <p><strong>Run one prompt:</strong> <code>POST /v1/run</code> with JSON and <code>curl -s https://asa.aidevlab.org/v1/run -H "Authorization: Bearer 999" -H "Content-Type: application/json" -d '{"prompt":"Hello","run":{"output_format":"text"}}'</code></p>
+        <p><strong>Run batch prompts:</strong> <code>POST /v1/batch</code> with a plain string array for <code>prompts</code> and <code>curl -s https://asa.aidevlab.org/v1/batch -H "Authorization: Bearer 999" -H "Content-Type: application/json" -d '{"prompts":["Hello","World"],"run":{"output_format":"text"}}'</code></p>
+        <p><strong>Auth:</strong> Include <code>Authorization: Bearer 999</code> on every <code>/v1/*</code> request.</p>
       </div>
     </section>
   </main>