refactor: removes legacy format for auth in provider-proxy

[stalniy]

Why

cleanup

Summary by CodeRabbit

• Bug Fixes

  • WebSocket and proxy logging now record the authentication type (e.g., "mtls", "jwt") instead of a boolean flag.

• Chores

  • Request format for MTLS credentials moved from top-level fields to a nested auth object; clients should supply MTLS credentials under auth.
  • Internal config typing adjusted (no runtime behavior changes).

• Tests

  • Test cases updated to use the nested auth format for MTLS.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Replaces legacy top-level MTLS fields with a nested auth structure, records authenticationType from incoming websocket messages, and introduces an AppConfigInput type alias used in some function signatures; tests and schema updated to use auth for MTLS credentials.

Changes

Cohort / File(s)	Summary
WebSocket message attributes apps/provider-proxy/src/services/WebsocketServer.ts	Set attributes.authenticationType from message.auth?.type instead of composing a boolean-only authentication attribute; no other control flow changes.
Config types apps/provider-proxy/src/config/env.config.ts, apps/provider-proxy/src/app.ts, apps/provider-proxy/test/setup/proxyServer.ts	Add/export AppConfigInput = z.input<typeof appConfigSchema> and replace AppConfig with AppConfigInput in public import and startAppServer/startServer parameter types.
Request schema & validation apps/provider-proxy/src/utils/schema.ts	Remove top-level certPem/keyPem from providerRequestSchema; ProviderRequestSchema type omits those fields; migrate preprocessing to a no-op (no automatic legacy migration).
Proxy request logging apps/provider-proxy/src/routes/proxyProviderRequest.ts	Add authenticationType: auth?.type to PROXY_REQUEST log payload; no request/timeout/control-flow changes.
Tests apps/provider-proxy/test/functional/provider-proxy-http.spec.ts	Replace flat certPem/keyPem usages with nested auth: { type: "mtls", certPem, keyPem } across affected test cases.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Pay attention to downstream consumers of websocket attributes who may expect the previous authenticated representation.
• Verify type compatibility where AppConfig → AppConfigInput changes were applied (start functions and test harness).
• Confirm schema removal of top-level cert/key won't break any remaining callers or external clients; ensure tests fully cover the new auth shape.

Possibly related PRs

• feat: adds support for jwt auth to provider-proxy #1963 — Related refactor adding provider auth (mtls/jwt) and corresponding WebsocketServer/schema edits.
• refactor: improves certificate validation on provider-proxy #1739 — Changes to provider-proxy schema/validation and WebsocketServer/proxy handling for client certificates.
• feat: adds error logger to provider-proxy #1511 — Related modifications to PROXY_REQUEST logging behavior.

Suggested reviewers

• baktun14
• ygrishajev

Poem

🐰 I hopped through code with nimble feet,

Nesting certs where types now meet,
A tiny type, a tidy name,
Authentication marked the same,
Hop, patch, deploy — the changes sweet.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main refactoring objective: removing legacy auth format (certPem/keyPem fields) from provider-proxy and migrating to the nested auth object structure.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/auth-type

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.27%. Comparing base (c91d57d) to head (66811d5).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2283      +/-   ##
==========================================
- Coverage   47.62%   47.27%   -0.35%     
==========================================
  Files        1036     1026      -10     
  Lines       29361    29007     -354     
  Branches     7625     7580      -45     
==========================================
- Hits        13982    13714     -268     
+ Misses      14988    14900      -88     
- Partials      391      393       +2     

Flag	Coverage Δ		*Carryforward flag
api	81.81% <ø> (ø)		Carriedforward from c91d57d
deploy-web	26.43% <ø> (ø)		Carriedforward from c91d57d
log-collector	?
notifications	87.94% <ø> (ø)		Carriedforward from c91d57d
provider-console	81.48% <ø> (ø)		Carriedforward from c91d57d
provider-proxy	84.35% <100.00%> (-0.13%)	⬇️

*This pull request uses carry forward flags. Click here to find out more.

Files with missing lines	Coverage Δ
apps/provider-proxy/src/app.ts	90.69% <100.00%> (ø)
apps/provider-proxy/src/config/env.config.ts	100.00% <ø> (ø)
.../provider-proxy/src/routes/proxyProviderRequest.ts	86.76% <ø> (ø)
...pps/provider-proxy/src/services/WebsocketServer.ts	85.63% <100.00%> (-0.08%)	⬇️
apps/provider-proxy/src/utils/schema.ts	91.66% <100.00%> (-1.20%)	⬇️

... and 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c91d57d and 45bb656.

📒 Files selected for processing (1)

• apps/provider-proxy/src/services/WebsocketServer.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/general.mdc)

**/*.{ts,tsx,js}: Never use type any or cast to type any. Always define the proper TypeScript types.
Never use deprecated methods from libraries.
Don't add unnecessary comments to the code.

Files:

• apps/provider-proxy/src/services/WebsocketServer.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test-build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

apps/provider-proxy/src/services/WebsocketServer.ts (1)

136-138: LGTM! Good improvement for type safety.

Wrapping the authentication check in Boolean() ensures the attribute value is always a proper boolean instead of a truthy/falsy value, which improves consistency for OpenTelemetry attributes.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

apps/provider-proxy/src/services/WebsocketServer.ts (1)

127-136: Guard against undefined authenticationType in OpenTelemetry attributes.

message.auth is optional, so message.auth?.type can be undefined. OpenTelemetry attributes do not support undefined values; passing one into span.setAttributes(attributes) is invalid and was already flagged in a previous review.

Set authenticationType only when it’s defined:

             const message = parsedMessage.data as WsMessage;
             const attributes: Attributes = {
               type: message.type
             };
             if (message.type === "websocket") {
               attributes.providerUrl = message.url;
               attributes.providerAddress = message.providerAddress;
               attributes.function = getWebSocketUsage(message);
-              attributes.authenticationType = message.auth?.type;
+              if (message.auth?.type) {
+                attributes.authenticationType = message.auth.type;
+              }
             }

🧹 Nitpick comments (1)

apps/provider-proxy/src/utils/schema.ts (1)

33-36: Consider removing the now no-op preprocess wrapper.

z.preprocess(data => data, schema) is effectively a no-op now that legacy flat certPem/keyPem mapping is gone; you could simplify this to just attach superRefine to schema:

export function addProviderAuthValidation<T extends z.ZodTypeAny>(schema: T): z.ZodEffects<T> {
  return schema
    .superRefine((data, ctx) => {
      // existing mtls/jwt validation
    }) as unknown as z.ZodEffects<T>;
}

This keeps behavior the same while shaving off an unnecessary preprocessing step.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 45bb656 and 66811d5.

📒 Files selected for processing (7)

• apps/provider-proxy/src/app.ts (2 hunks)
• apps/provider-proxy/src/config/env.config.ts (1 hunks)
• apps/provider-proxy/src/routes/proxyProviderRequest.ts (1 hunks)
• apps/provider-proxy/src/services/WebsocketServer.ts (1 hunks)
• apps/provider-proxy/src/utils/schema.ts (1 hunks)
• apps/provider-proxy/test/functional/provider-proxy-http.spec.ts (4 hunks)
• apps/provider-proxy/test/setup/proxyServer.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/general.mdc)

**/*.{ts,tsx,js}: Never use type any or cast to type any. Always define the proper TypeScript types.
Never use deprecated methods from libraries.
Don't add unnecessary comments to the code.

Files:

• apps/provider-proxy/src/app.ts
• apps/provider-proxy/test/functional/provider-proxy-http.spec.ts
• apps/provider-proxy/test/setup/proxyServer.ts
• apps/provider-proxy/src/config/env.config.ts
• apps/provider-proxy/src/routes/proxyProviderRequest.ts
• apps/provider-proxy/src/utils/schema.ts
• apps/provider-proxy/src/services/WebsocketServer.ts

**/*.spec.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/no-jest-mock.mdc)

Don't use jest.mock() in test files. Instead, use jest-mock-extended to create mocks and pass mocks as dependencies to the service under test

Use setup function instead of beforeEach in test files. The setup function must be at the bottom of the root describe block, should create an object under test and return it, accept a single parameter with inline type definition, avoid shared state, and not have a specified return type.

**/*.spec.{ts,tsx}: Use <Subject>.name in the root describe suite description instead of hardcoded class/service name strings to enable automated refactoring tools to find all references
Use either a method name or a condition starting with 'when' for nested suite descriptions in tests
Use present simple, 3rd person singular for test descriptions without prepending 'should'

Files:

• apps/provider-proxy/test/functional/provider-proxy-http.spec.ts

🧠 Learnings (2)

📓 Common learnings

Learnt from: baktun14
Repo: akash-network/console PR: 1725
File: apps/api/src/utils/constants.ts:5-5
Timestamp: 2025-07-24T17:00:52.361Z
Learning: In the Akash Network Console project, when cross-cutting concerns or broader refactoring issues are identified during PR review, the preferred approach is to create a separate GitHub issue to track the work rather than expanding the scope of the current PR. This maintains focus and allows for proper planning of architectural improvements.

📚 Learning: 2025-09-04T04:27:40.858Z

Learnt from: stalniy
Repo: akash-network/console PR: 1868
File: apps/api/src/billing/services/managed-signer/managed-signer.service.ts:98-107
Timestamp: 2025-09-04T04:27:40.858Z
Learning: In the Akash protocol, when processing MsgCreateLease messages, the bidId.dseq field is always required and guaranteed to be present at runtime, even though TypeScript types may suggest it could be undefined. The non-null assertion operator (!) is appropriate to use in this context.

Applied to files:

• apps/provider-proxy/src/services/WebsocketServer.ts

🧬 Code graph analysis (3)

apps/provider-proxy/src/app.ts (1)

apps/provider-proxy/src/config/env.config.ts (1)

• AppConfigInput (9-9)

apps/provider-proxy/test/setup/proxyServer.ts (2)

apps/provider-proxy/src/app.ts (1)

• AppServer (88-92)

apps/provider-proxy/src/config/env.config.ts (1)

• AppConfigInput (9-9)

apps/provider-proxy/src/routes/proxyProviderRequest.ts (1)

apps/api/src/auth/services/auth.interceptor.ts (1)

• auth (88-96)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: codecov/project/provider-proxy
• GitHub Check: test-build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (5)

apps/provider-proxy/src/routes/proxyProviderRequest.ts (1)

58-65: Logging timeout and authenticationType looks good and avoids leaking secrets.

Including timeout and auth?.type in PROXY_REQUEST logs improves observability while keeping credential material out of logs.

apps/provider-proxy/src/config/env.config.ts (1)

8-9: AppConfigInput alias is consistent with schema usage.

Exposing AppConfigInput = z.input<typeof appConfigSchema> matches how you’re now typing untrusted config and keeps the input/output types explicit.

apps/provider-proxy/src/app.ts (1)

10-53: startAppServer now correctly advertises the config input type.

Switching to AppConfigInput in the import and startAppServer parameter makes the expected config shape explicit while keeping compatibility with the generic Record<string, unknown> path.

apps/provider-proxy/test/setup/proxyServer.ts (1)

3-9: Test server setup now matches the new config input type.

Updating startServer to take AppConfigInput and passing it through to startAppServer with PORT: 0 keeps test setup aligned with the runtime API and avoids relying on the inferred AppConfig output type.

apps/provider-proxy/test/functional/provider-proxy-http.spec.ts (1)

201-205: Tests correctly exercise the new nested auth format.

Updating the HTTP proxy tests to send auth: { type: "mtls" | "jwt", ... } keeps them aligned with providerRequestSchema and the new validation paths (["auth","certPem"], ["auth","token"]), while continuing to cover invalid/expired cert and JWT error scenarios.

Also applies to: 497-501, 560-564, 609-613