feat: add --host option and API key authentication

kubaeror · berilevi · ZiuChen · kubaeror · commit 72e9cc8bb150 · 2026-03-28T22:56:01.000+01:00
- Add --host/-H option to bind server to specific interface (PR ericc-ch#157) - Add --api-key/-k option for securing proxy endpoints (PR ericc-ch#144) - Support both OpenAI Bearer and Anthropic x-api-key formats Co-authored-by: berilevi <berilevi@users.noreply.github.com> Co-authored-by: ZiuChen <ZiuChen@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/src/lib/api-key-auth.ts b/src/lib/api-key-auth.ts
@@ -0,0 +1,78 @@
+/**
+ * API Key Authentication Middleware
+ * PR #144: Support specifying multiple API keys (@ZiuChen)
+ *
+ * This middleware provides API key authentication for securing proxy endpoints.
+ * It supports both OpenAI (Authorization: Bearer <token>) and Anthropic (x-api-key: <token>) formats.
+ */
+
+import type { Context, Next } from "hono"
+
+import { state } from "./state"
+
+/**
+ * Extracts the API key from the request headers.
+ * Supports both OpenAI Bearer token and Anthropic x-api-key formats.
+ */
+function extractApiKey(c: Context): string | undefined {
+  // Try OpenAI format: Authorization: Bearer <token>
+  const authHeader = c.req.header("Authorization")
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7)
+  }
+
+  // Try Anthropic format: x-api-key: <token>
+  const xApiKey = c.req.header("x-api-key")
+  if (xApiKey) {
+    return xApiKey
+  }
+
+  return undefined
+}
+
+/**
+ * Middleware that validates API key authentication.
+ * If no API keys are configured, all requests are allowed.
+ * If API keys are configured, requests must provide a valid key.
+ */
+export async function apiKeyAuth(
+  c: Context,
+  next: Next,
+): Promise<Response | undefined> {
+  // If no API keys are configured, allow all requests
+  if (!state.apiKeys || state.apiKeys.length === 0) {
+    return next()
+  }
+
+  const providedKey = extractApiKey(c)
+
+  // No key provided
+  if (!providedKey) {
+    return c.json(
+      {
+        error: {
+          message:
+            "API key required. Provide via 'Authorization: Bearer <key>' or 'x-api-key: <key>' header.",
+          type: "authentication_error",
+        },
+      },
+      401,
+    )
+  }
+
+  // Invalid key
+  if (!state.apiKeys.includes(providedKey)) {
+    return c.json(
+      {
+        error: {
+          message: "Invalid API key",
+          type: "authentication_error",
+        },
+      },
+      401,
+    )
+  }
+
+  // Valid key, proceed
+  return next()
+}
diff --git a/src/lib/state.ts b/src/lib/state.ts
@@ -15,6 +15,9 @@ export interface State {
   // Rate limiting configuration
   rateLimitSeconds?: number
   lastRequestTimestamp?: number
+
+  // PR #144: API key authentication (@ZiuChen)
+  apiKeys?: Array<string>
 }
 
 export const state: State = {
diff --git a/src/server.ts b/src/server.ts
@@ -2,6 +2,7 @@ import { Hono } from "hono"
 import { cors } from "hono/cors"
 import { logger } from "hono/logger"
 
+import { apiKeyAuth } from "./lib/api-key-auth"
 import { completionRoutes } from "./routes/chat-completions/route"
 import { embeddingRoutes } from "./routes/embeddings/route"
 import { messageRoutes } from "./routes/messages/route"
@@ -14,8 +15,15 @@ export const server = new Hono()
 server.use(logger())
 server.use(cors())
 
+// Root endpoint is public (no API key required)
 server.get("/", (c) => c.text("Server running"))
 
+// PR #144: Apply API key auth to all API routes (@ZiuChen)
+server.use("/chat/*", apiKeyAuth)
+server.use("/models/*", apiKeyAuth)
+server.use("/embeddings/*", apiKeyAuth)
+server.use("/v1/*", apiKeyAuth)
+
 server.route("/chat/completions", completionRoutes)
 server.route("/models", modelRoutes)
 server.route("/embeddings", embeddingRoutes)
diff --git a/src/start.ts b/src/start.ts
@@ -16,6 +16,7 @@ import { server } from "./server"
 
 interface RunServerOptions {
   port: number
+  host?: string
   verbose: boolean
   accountType: string
   manual: boolean
@@ -25,13 +26,22 @@ interface RunServerOptions {
   claudeCode: boolean
   showToken: boolean
   proxyEnv: boolean
+  apiKeys?: Array<string>
 }
 
 export async function runServer(options: RunServerOptions): Promise<void> {
   if (options.proxyEnv) {
     initProxyFromEnv()
   }
 
+  // PR #144: Configure API keys (@ZiuChen)
+  if (options.apiKeys && options.apiKeys.length > 0) {
+    state.apiKeys = options.apiKeys
+    consola.info(
+      `API key authentication enabled with ${options.apiKeys.length} key(s)`,
+    )
+  }
+
   if (options.verbose) {
     consola.level = 5
     consola.info("Verbose logging enabled")
@@ -64,7 +74,9 @@ export async function runServer(options: RunServerOptions): Promise<void> {
     `Available models: \n${state.models?.data.map((model) => `- ${model.id}`).join("\n")}`,
   )
 
-  const serverUrl = `http://localhost:${options.port}`
+  // PR #157: Build server URL with host option (@berilevi)
+  const host = options.host ?? "localhost"
+  const serverUrl = `http://${host}:${options.port}`
 
   if (options.claudeCode) {
     invariant(state.models, "Models should be loaded by now")
@@ -117,6 +129,7 @@ export async function runServer(options: RunServerOptions): Promise<void> {
   serve({
     fetch: server.fetch as ServerHandler,
     port: options.port,
+    hostname: options.host,
   })
 }
 
@@ -132,6 +145,13 @@ export const start = defineCommand({
       default: "4141",
       description: "Port to listen on",
     },
+    // PR #157: Add --host option (@berilevi)
+    host: {
+      alias: "H",
+      type: "string",
+      description:
+        "Host/interface to bind to (e.g., 127.0.0.1 for localhost only)",
+    },
     verbose: {
       alias: "v",
       type: "boolean",
@@ -184,15 +204,30 @@ export const start = defineCommand({
       default: false,
       description: "Initialize proxy from environment variables",
     },
+    // PR #144: Support specifying multiple API keys (@ZiuChen)
+    "api-key": {
+      alias: "k",
+      type: "string",
+      description:
+        "API key(s) for authentication. Can be specified multiple times for multiple keys",
+    },
   },
   run({ args }) {
     const rateLimitRaw = args["rate-limit"]
     const rateLimit =
       // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
       rateLimitRaw === undefined ? undefined : Number.parseInt(rateLimitRaw, 10)
 
+    // Parse API keys (can be a single string or array)
+    const apiKeyArg = args["api-key"]
+    let apiKeys: Array<string> | undefined
+    if (apiKeyArg) {
+      apiKeys = Array.isArray(apiKeyArg) ? apiKeyArg : [apiKeyArg]
+    }
+
     return runServer({
       port: Number.parseInt(args.port, 10),
+      host: args.host,
       verbose: args.verbose,
       accountType: args["account-type"],
       manual: args.manual,
@@ -202,6 +237,7 @@ export const start = defineCommand({
       claudeCode: args["claude-code"],
       showToken: args["show-token"],
       proxyEnv: args["proxy-env"],
+      apiKeys,
     })
   },
 })

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,9 @@ export interface State {`
`15`	`15`	`// Rate limiting configuration`
`16`	`16`	`rateLimitSeconds?: number`
`17`	`17`	`lastRequestTimestamp?: number`
	`18`	`+`
	`19`	`+ // PR #144: API key authentication (@ZiuChen)`
	`20`	`+ apiKeys?: Array<string>`
`18`	`21`	`}`
`19`	`22`
`20`	`23`	`export const state: State = {`