
feat(api-proxy): enforce per-request ephemeral token validation on all proxy endpoints #1455

Closed
Copilot wants to merge 3 commits into main from copilot/add-credential-validation-to-api-proxy

Copilot AI commented Mar 26, 2026

The api-proxy sidecar forwarded all requests to upstream LLM APIs regardless of inbound credentials — any process on the 172.30.0.0/24 subnet could invoke real Anthropic/OpenAI/Copilot credentials with no x-api-key or a fabricated key.

Approach

Generate a cryptographically random 32-byte token (AWF_PROXY_TOKEN) per AWF invocation and validate it on every non-/health request. The proxy rejects unauthenticated callers with HTTP 401; if AWF_PROXY_TOKEN is not configured at all, all non-health requests are rejected.

Changes

  • src/cli.ts: Generate crypto.randomBytes(32).toString('hex') as config.proxyToken when --enable-api-proxy is active.
  • src/types.ts: Add proxyToken?: string to WrapperConfig.
  • src/docker-manager.ts:
    • Pass AWF_PROXY_TOKEN to both the api-proxy and agent container environments.
    • Replace hardcoded 'placeholder-token-for-credential-isolation' strings with config.proxyToken for ANTHROPIC_AUTH_TOKEN, COPILOT_TOKEN, and COPILOT_GITHUB_TOKEN.
  • containers/agent/get-claude-key.sh: Output $AWF_PROXY_TOKEN instead of a static placeholder, so Claude Code's apiKeyHelper sends the real ephemeral token.
  • containers/api-proxy/server.js:
    • extractInboundToken(req) — extracts token from x-api-key or Authorization: Bearer.
    • validateProxyAuth(req) — timing-safe comparison against process.env.AWF_PROXY_TOKEN; returns false if token absent, wrong, or env var unset.
    • rejectUnauthorized(res, provider) — emits HTTP 401 with WWW-Authenticate: ******"awf-api-proxy".
    • Auth check wired before rate-limiting on all four endpoints (OpenAI :10000, Anthropic :10001, Copilot :10002, OpenCode :10004); /health paths are exempt.

Token flow

AWF CLI  →  crypto.randomBytes(32)  →  AWF_PROXY_TOKEN
              ↓                              ↓
         agent container              api-proxy container
    (ANTHROPIC_AUTH_TOKEN,           (validates every non-
     COPILOT_TOKEN, etc.)             /health request)

The real LLM API keys remain exclusively in the api-proxy container. The ephemeral token only authorises access to the proxy itself — not to the upstream provider.
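The per-request check described in this PR, as an added example that is not the code from containers/api-proxy/server.js: the function names extractInboundToken and validateProxyAuth come from the description, while their bodies, the authorize helper, and the SHA-256 digest step (used so that crypto.timingSafeEqual never sees buffers of different length) are assumptions.

```javascript
// Added example: names mirror the PR description, bodies are assumptions.
const crypto = require('node:crypto');

// Pull the caller's token from x-api-key or "Authorization: Bearer <token>".
// `headers` uses lower-cased keys, as Node's http module provides them.
function extractInboundToken(headers) {
  const apiKey = headers['x-api-key'];
  if (typeof apiKey === 'string' && apiKey.length > 0) return apiKey;
  const auth = headers['authorization'];
  if (typeof auth === 'string') {
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    if (m) return m[1];
  }
  return null;
}

// Fail closed: an unset or empty expected token rejects every caller.
function validateProxyAuth(headers, expected) {
  if (typeof expected !== 'string' || expected.length === 0) return false;
  const presented = extractInboundToken(headers);
  if (presented === null) return false;
  // timingSafeEqual throws on unequal lengths, so compare fixed-size digests.
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Hypothetical helper: status a request would receive; /health is exempt.
function authorize(path, headers, expected) {
  if (path === '/health') return 200;
  return validateProxyAuth(headers, expected) ? 200 : 401;
}

// Constructed sample token, generated the way the PR describes.
const sampleToken = crypto.randomBytes(32).toString('hex');
console.log(authorize('/v1/messages', { 'x-api-key': sampleToken }, sampleToken));
console.log(authorize('/v1/messages', { 'x-api-key': 'fabricated' }, sampleToken));
```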



Copilot AI added 2 commits March 26, 2026 17:37
Generate a cryptographically random AWF_PROXY_TOKEN on each awf invocation
when --enable-api-proxy is active. The token is shared with both the
api-proxy sidecar (AWF_PROXY_TOKEN env var) and the agent container
(AWF_PROXY_TOKEN, ANTHROPIC_AUTH_TOKEN, COPILOT_TOKEN, COPILOT_GITHUB_TOKEN).

The api-proxy now validates AWF_PROXY_TOKEN on every non-health request via
x-api-key or Authorization: Bearer headers, returning HTTP 401 for missing
or invalid credentials. Timing-safe comparison prevents oracle attacks.

The get-claude-key.sh helper is updated to output $AWF_PROXY_TOKEN instead
of the hardcoded placeholder string, so Claude Code's apiKeyHelper returns
the actual ephemeral token that the proxy validates.

Fixes: Anthropic API proxy enforces per-request credential validation

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/433801b7-5ab7-41d2-a32f-97171bcc2c6e

Addresses code review feedback: requestId is now generated inside
rejectUnauthorized() rather than before the auth check, avoiding
unnecessary ID generation on the happy path.

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/433801b7-5ab7-41d2-a32f-97171bcc2c6e
Copilot AI changed the title from "[WIP] Add credential validation for Anthropic API proxy" to "feat(api-proxy): enforce per-request ephemeral token validation on all proxy endpoints" Mar 26, 2026
Copilot AI requested a review from lpcox March 26, 2026 17:41
@lpcox lpcox closed this Mar 26, 2026
Development

Successfully merging this pull request may close these issues.

Anthropic API proxy must enforce per-request credential validation
