Skip to content

Implement HTTP Authentication via admin-key. #540

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Implement HTTP Authentication via admin-key. #540

wants to merge 1 commit into from

Conversation

@anilgulecha
Copy link

@anilgulecha anilgulecha commented Oct 2, 2025

  • Implement Authorization header (HTTP basic authentication)
  • Is additive. App remains open as is if not set.
  • This protects the /, UI pages and API endpoints.
  • /v1 are as is (Governance API keys for those)
  • Metrics endpoint is left as is.
  • Documentation page added in.

Fixes #518

@anilgulecha
Implement HTTP Authentication via admin-key.
560d566 
 - Implement Authorization header (HTTP basic authentication)
 - Is additive. App remains open as is if not set.
 - This protects the /, UI pages and API endpoints.
 - /v1 are as is (Governance API keys for those)
 - Metrics endpoint is left as is.
 - Documentation page added in.
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Oct 2, 2025
edited
Loading

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Optional admin authentication for the web UI and admin APIs using HTTP Basic Auth when an Admin Key is set.
    • Admin Key configurable via CLI flag, environment variable, or config file; unauthenticated requests receive 401 with browser prompt.
  • Documentation
    • Added comprehensive guide for admin authentication, including setup, examples, security tips, Docker usage, and troubleshooting.
  • Chores
    • New build option for backend-only; standard build now explicitly includes the UI.

Walkthrough

Adds optional admin authentication using HTTP Basic Auth to the bifrost-http UI and admin API endpoints, configurable via CLI flag, environment variable, or config file. Extends client configuration with an AdminKey field and sets its default. Updates Makefile targets to split UI-inclusive build and Go-only build. Adds admin auth documentation.

Changes

Cohort / File(s) Summary
Build targets
Makefile		 Adds build-go target to build without UI. Updates build target description to clarify UI-inclusive build. Both produce tmp/bifrost-http.
Admin auth docs
docs/features/admin-authentication.mdx		 New documentation describing optional HTTP Basic Authentication for admin endpoints and UI, configuration precedence, protected/public routes, examples, docker notes, and troubleshooting.
Client config schema
framework/configstore/clientconfig.go		 Adds AdminKey field to ClientConfig with JSON tag admin_key,omitempty.
Default client config
transports/bifrost-http/lib/config.go		 Initializes DefaultClientConfig with AdminKey: "" comment-added placeholder.
Server auth + routing
transports/bifrost-http/main.go		 Introduces adminAuthMiddleware enforcing Basic Auth when AdminKey is set. Adds --adminkey flag and ADMIN_KEY env override applied on startup. Wraps UI and /api/* routes with admin middleware. Adds protected MCP tool execution route and reorganizes admin/public routing.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as User/Browser
  participant S as bifrost-http Server
  participant M as adminAuthMiddleware
  participant H as Admin/UI Handlers
  participant C as Config (CLI/ENV/File)

  rect rgb(245,248,255)
    note over S,C: Startup configuration
    S->>C: Load config.json
    S->>C: Read ENV ADMIN_KEY
    S->>C: Parse --adminkey flag
    C-->>S: Effective AdminKey (flag > env > file)
    S->>S: Register routes (UI, /api/*) via M
  end

  rect rgb(240,255,245)
    note over U,S: Request to admin/UI endpoint
    U->>S: HTTP GET /ui or /api/...
    S->>M: Pass request
    alt AdminKey configured
      M->>M: Validate Authorization: Basic
      alt Valid (user=admin, pass=AdminKey)
        M-->>H: Next handler
        H-->>U: 200 OK
      else Invalid/missing
        M-->>U: 401 Unauthorized + WWW-Authenticate
      end
    else No AdminKey configured
      M-->>H: Next handler
      H-->>U: 200 OK
    end
  end
Loading 
sequenceDiagram
  autonumber
  participant U as Client
  participant S as bifrost-http
  participant M as adminAuthMiddleware
  participant T as MCP Tool Exec (/v1/mcp/tool/execute)

  U->>S: POST /v1/mcp/tool/execute
  S->>M: Check admin auth
  alt Authorized or no AdminKey
    M-->>T: Execute tool
    T-->>U: 200/Result
  else Unauthorized
    M-->>U: 401 Unauthorized
  end
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

I set my keys beneath the moon, 🗝️
Guarding logs where secrets swoon.
With whiskers twitch and headers right,
I challenge, nibble, grant you sight.
Build hops split: UI or Go—
Now onward, safe, the packets flow. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
Check name Status Explanation Resolution
Out of Scope Changes Check ⚠️ Warning The addition of new Makefile targets and modifications to the build workflow are unrelated to implementing HTTP authentication, introducing a separate go-only build process that falls outside the scope of the linked authentication feature. Remove or isolate the Makefile changes into a separate PR focused on build process improvements, ensuring this feature PR only contains authentication-related modifications.
Description Check ⚠️ Warning The PR description does not follow the repository’s required template and is missing most sections including a structured summary, detailed change list, type of change, affected areas, testing steps, and the checklist. Please update the description to follow the repository template by adding sections for Summary, Changes, Type of change, Affected areas, How to test with commands, Breaking changes, Related issues, Security considerations, and the contribution checklist.
✅ Passed checks (3 passed)
Check name Status Explanation
Title Check ✅ Passed The title succinctly and accurately summarizes the primary change—adding HTTP basic authentication via an admin key—without extraneous details or vagueness. It directly reflects the main feature implemented in this PR.
Linked Issues Check ✅ Passed The changes fully implement HTTP basic authentication for admin endpoints and UI routes using a configurable admin key, apply the middleware selectively, and introduce command-line and environment configuration, thus meeting the objectives specified in issue #518.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing touches
  • 📝 Generate Docstrings
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot requested changes Oct 2, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c5be99f and 560d566.

📒 Files selected for processing (5)
  • Makefile (1 hunks)
  • docs/features/admin-authentication.mdx (1 hunks)
  • framework/configstore/clientconfig.go (1 hunks)
  • transports/bifrost-http/lib/config.go (1 hunks)
  • transports/bifrost-http/main.go (6 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
transports/bifrost-http/main.go (3)
transports/bifrost-http/lib/config.go (1)
  • Config (114-137)
framework/configstore/clientconfig.go (1)
  • ClientConfig (28-39)
transports/bifrost-http/handlers/utils.go (1)
  • SendError (27-36)
🪛 Gitleaks (8.28.0)
docs/features/admin-authentication.mdx

[high] 126-132: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

[high] 120-122: Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource.

(curl-auth-user)

[high] 175-178: Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource.

(curl-auth-user)

[high] 182-186: Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource.

(curl-auth-user)

transports/bifrost-http/main.go
Comment on lines +575 to +612
// Register public endpoints (no auth required)
completionHandler.RegisterRoutes(r)
mcpHandler.RegisterRoutes(r)
integrationHandler.RegisterRoutes(r)
configHandler.RegisterRoutes(r)
pluginsHandler.RegisterRoutes(r)
if cacheHandler != nil {
cacheHandler.RegisterRoutes(r)
}
if governanceHandler != nil {
governanceHandler.RegisterRoutes(r)
}
if loggingHandler != nil {
loggingHandler.RegisterRoutes(r)
}
if wsHandler != nil {
wsHandler.RegisterRoutes(r)
}

// Register MCP tool execution endpoint (public) - this needs to be separate from admin routes
r.POST("/v1/mcp/tool/execute", func(ctx *fasthttp.RequestCtx) {
// Create a temporary router just for this handler
tempRouter := router.New()
mcpHandler.RegisterRoutes(tempRouter)
tempRouter.Handler(ctx)
})

// Apply admin authentication middleware to all /api/* routes
r.ANY("/api/{path:*}", adminAuthMiddleware(config, func(ctx *fasthttp.RequestCtx) {
// Create admin router and register all admin handlers
adminRouter := router.New()

providerHandler.RegisterRoutes(adminRouter)
configHandler.RegisterRoutes(adminRouter)
pluginsHandler.RegisterRoutes(adminRouter)
mcpHandler.RegisterRoutes(adminRouter) // This includes the admin MCP routes

if cacheHandler != nil {
cacheHandler.RegisterRoutes(adminRouter)
}
if governanceHandler != nil {
governanceHandler.RegisterRoutes(adminRouter)
}
if loggingHandler != nil {
loggingHandler.RegisterRoutes(adminRouter)
}
if wsHandler != nil {
wsHandler.RegisterRoutes(adminRouter)
}

// Handle the request with the admin router
adminRouter.Handler(ctx)
}))
Copy link
Contributor

@coderabbitai coderabbitai bot Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Avoid rebuilding routers on every request
The /api/{path:*} handler instantiates a fresh router.New() and re-registers every admin route for each incoming call. That alloc/allocation/reg path is O(number of handlers) per request and will hammer latency/CPU under load. Please register the admin router once during startup, wrap it with adminAuthMiddleware, and reuse the resulting handler instead of reconstructing the routing tree on every request.

@akshaydeo
Copy link
Contributor

akshaydeo commented Oct 2, 2025

thanks for pr @anilgulecha ❤️ . Can you check the code rabbit comments. Ill review it today

akshaydeo
akshaydeo requested changes Oct 2, 2025
View reviewed changes
transports/bifrost-http/main.go
flag.StringVar(&port, "port", DefaultPort, "Port to run the server on")
flag.StringVar(&host, "host", defaultHost, "Host to bind the server to (default: localhost, override with BIFROST_HOST env var)")
flag.StringVar(&appDir, "app-dir", DefaultAppDir, "Application data directory (contains config.json and logs)")
flag.StringVar(&adminKey, "adminkey", "", "Admin authentication key for protected endpoints (can also be set via ADMIN_KEY env var)")
Copy link
Contributor

@akshaydeo akshaydeo Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we are discouraging adding more command line flags (as it could pollute overall init command). can we remove it please

Copy link
Author

@anilgulecha anilgulecha Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. will remove it.

Makefile
@rm -rf ui/.next
@cd ui && npm run build && npm run copy-build

build: build-ui ## Build bifrost-http binary
Copy link
Contributor

@akshaydeo akshaydeo Oct 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any reason to add this as a separate recipe?

Copy link
Author

@anilgulecha anilgulecha Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Every build was unnecessarily taking longer (the UI build would occur, with 0 changes in code). Was getting a bit annoying so make a golang build only subcommand.

Copy link
Contributor

@akshaydeo akshaydeo Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

during development you can just use

make dev

that runs both UI and Go code in dev mode.

This is used in our CI/CD pipeline (make build). We cant remove this

@akshaydeo
Copy link
Contributor

akshaydeo commented Oct 10, 2025

@anilgulecha would you be able to pick these feedback pointers?

@akshaydeo
Copy link
Contributor

akshaydeo commented Nov 1, 2025

closing this due to inactivity - core team has picked it up #726

@akshaydeo akshaydeo closed this Nov 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@akshaydeo akshaydeo akshaydeo requested changes

@coderabbitai coderabbitai[bot] coderabbitai[bot] requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature]: Authentication for Web UI and admin APIs

2 participants

@anilgulecha @akshaydeo