Support "other" and "none" upstream auth types for LLM Providers and proxies#2731
Support "other" and "none" upstream auth types for LLM Providers and proxies#2731thivindu wants to merge 2 commits into
Conversation
|
Warning Review limit reached
Next review available in: 23 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughAdds ChangesLLM upstream authentication
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Workspace
participant PlatformAPI
participant GatewayController
participant Deployment
Workspace->>PlatformAPI: Submit upstream auth type
PlatformAPI->>PlatformAPI: Normalize type and credentials
PlatformAPI->>Deployment: Generate type-only auth for other or none
Deployment->>GatewayController: Apply provider configuration
GatewayController->>GatewayController: Omit API-key policy
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
platform-api/resources/openapi.yaml (1)
6714-6721: 🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy liftDo not widen the MCP authentication contract through the shared schema.
UpstreamAuthis also referenced byMCPProxyandMCPServerInfoFetchRequest. Addingnonehere advertises it as valid for MCP requests, while the PR explicitly leaves MCP validation unchanged.Use an LLM-specific auth schema containing
api-key,other, andnone, or otherwise retain the existing MCP enum.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@platform-api/resources/openapi.yaml` around lines 6714 - 6721, The shared UpstreamAuth enum must not add none because MCPProxy and MCPServerInfoFetchRequest reuse it. Preserve the existing MCP authentication enum and introduce a separate LLM-specific authentication schema containing api-key, other, and none, then update only the LLM-related references to use it.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@gateway/gateway-controller/pkg/utils/llm_transformer_test.go`:
- Around line 2180-2184: Update the test around transformer.Transform to require
that result.Spec.Operations is not empty before iterating over it. Keep the
existing error and result assertions, and ensure the no-policy validation only
runs when the transformation actually produced operations.
In `@platform-api/internal/service/llm.go`:
- Around line 1153-1158: Update the upstream auth preservation logic around
defaultUpstreamAuthToNone so empty credentials are retained only when the update
explicitly provides a credential-bearing auth object, covering both Main and
Sandbox endpoints. Do not substitute omitted auth with existing auth; leave it
nil so defaultUpstreamAuthToNone converts it to none. Apply the same behavior to
proxy auth and update the proxy regression test to establish API-key auth before
submitting an update with omitted auth.
---
Outside diff comments:
In `@platform-api/resources/openapi.yaml`:
- Around line 6714-6721: The shared UpstreamAuth enum must not add none because
MCPProxy and MCPServerInfoFetchRequest reuse it. Preserve the existing MCP
authentication enum and introduce a separate LLM-specific authentication schema
containing api-key, other, and none, then update only the LLM-related references
to use it.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 8935df10-b468-4b1b-af54-5c4cc6c47280
📒 Files selected for processing (25)
docs/rest-apis/gateway/README.mddocs/rest-apis/gateway/llm-provider-management.mddocs/rest-apis/gateway/llm-proxy-management.mddocs/rest-apis/gateway/mcp-proxy-management.mddocs/rest-apis/gateway/rest-api-management.mddocs/rest-apis/gateway/schemas.mdgateway/gateway-controller/api/management-openapi.yamlgateway/gateway-controller/pkg/api/management/generated.gogateway/gateway-controller/pkg/config/llm_validator.gogateway/gateway-controller/pkg/config/llm_validator_test.gogateway/gateway-controller/pkg/utils/llm_provider_transformer_test.gogateway/gateway-controller/pkg/utils/llm_transformer.gogateway/gateway-controller/pkg/utils/llm_transformer_test.goplatform-api/api/generated.goplatform-api/internal/service/artifact_cross_origin_test.goplatform-api/internal/service/artifact_import_llm_provider.goplatform-api/internal/service/artifact_import_llm_proxy.goplatform-api/internal/service/llm.goplatform-api/internal/service/llm_deployment.goplatform-api/internal/service/llm_deployment_test.goplatform-api/internal/service/llm_test.goplatform-api/resources/openapi.yamlportals/ai-workspace/src/pages/appShell/appShellPages/serviceProvider/AddNewProvider/ProviderTemplateFormFields.tsxportals/ai-workspace/src/pages/appShell/appShellPages/serviceProvider/ServiceProviderConnectionTab.tsxportals/ai-workspace/src/utils/types.ts
💤 Files with no reviewable changes (1)
- docs/rest-apis/gateway/README.md
Purpose
Support none, other, and api-key as upstream authentication types for LLM Providers and LLM Proxies across the gateway, the platform API, and the AI Workspace.
otherbackend authentication type to LLM Provider #2706 (which added other for the top-down/CP path only)Background
Previously the gateway controller accepted only api-key as
spec.upstream.auth.type— a bottom-up (gateway-first) LLM provider with any other type failed validation (Auth type must be 'api-key'), and one with no auth block at all surfaced in the AI Workspace as api-key (misleading). This PR makes the full set of types work end-to-end and standardizes "no upstream credentials" as an explicit none.Agreed model
spec.upstream.auth.type: api-key, other, none.none/ absentotherapi-keyauth: {type: none}auth: {type: other}auth: {type: api-key, header, value}{type: none}{type: other}{type: api-key, …}api-key+ header + masked credsApproach
Gateway controller
Platform API
AI Workspace
Docs: regenerated gateway REST API docs from the OpenAPI change.
Notable decisions