Skip to content

opt: allow invalid api key if allow no auth, close #1201#1208

Merged
looplj merged 1 commit intorelease/v0.9.xfrom
dev-tmp
Mar 28, 2026
Merged

opt: allow invalid api key if allow no auth, close #1201#1208
looplj merged 1 commit intorelease/v0.9.xfrom
dev-tmp

Conversation

@looplj
Copy link
Copy Markdown
Owner

@looplj looplj commented Mar 28, 2026
edited by devin-ai-integration bot
Loading

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request simplifies the API key authentication middleware by consolidating the fallback logic and updates error messaging in the AuthService. It also removes tests for malformed authorization headers. A review comment suggests refactoring the middleware's error handling to improve readability and avoid subtle variable mutations.

internal/server/middleware/auth.go
Comment on lines +35 to 40
if err == nil {
apiKey, err = auth.AuthenticateAPIKey(c.Request.Context(), key)
}
if err != nil {
if !errors.Is(err, ErrAPIKeyRequired) {
AbortWithError(c, http.StatusUnauthorized, err)
return
}

apiKey, err = auth.AuthenticateNoAuth(c.Request.Context())
} else {
apiKey, err = auth.AuthenticateAPIKey(c.Request.Context(), key)
}
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The authentication logic here is correct, but its reliance on the sequential mutation of the err variable can be a bit subtle and hard to follow. For better readability and maintainability, I suggest making the authentication flow more explicit. This refactoring clarifies that AuthenticateNoAuth is a fallback for any failure in the API key authentication path (either key extraction or validation), without changing the logic.

		authErr := err
		if authErr == nil {
			apiKey, authErr = auth.AuthenticateAPIKey(c.Request.Context(), key)
		}

		if authErr != nil {
			apiKey, err = auth.AuthenticateNoAuth(c.Request.Context())
		} else {
			err = nil
		}

devin-ai-integration[bot]
devin-ai-integration bot reviewed Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

Open in Devin Review

@looplj looplj merged commit e65189c into release/v0.9.x Mar 28, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@looplj