feat: add passthrough_auth option for forwarding client Authorization header (#687)

* feat: add passthrough_auth option for forwarding client Authorization header * fix tests * Update comment to reflect upstream forwarding * Apply suggestions from code review --------- Co-authored-by: Adil Hafeez <adil.hafeez@gmail.com> Co-authored-by: Adil Hafeez <adil@katanemo.com>
2026-05-08 07:12:42 +02:00 · 2026-01-15 00:06:28 +01:00 · 2026-01-15 00:06:28 +01:00 · 4d53297c17
commit 4d53297c17
parent ba1f783adf
8 changed files with 177 additions and 26 deletions
--- a/crates/llm_gateway/src/stream_context.rs
+++ b/crates/llm_gateway/src/stream_context.rs
@ -149,6 +149,23 @@ impl StreamContext {
    }

    fn modify_auth_headers(&mut self) -> Result<(), ServerError> {
+        if self.llm_provider().passthrough_auth == Some(true) {
+            // Check if client provided an Authorization header
+            if self.get_http_request_header("Authorization").is_none() {
+                warn!(
+                    "[PLANO_REQ_ID:{}] AUTH_PASSTHROUGH: passthrough_auth enabled but no Authorization header present in client request",
+                    self.request_identifier()
+                );
+            } else {
+                debug!(
+                    "[PLANO_REQ_ID:{}] AUTH_PASSTHROUGH: preserving client Authorization header for provider '{}'",
+                    self.request_identifier(),
+                    self.llm_provider().name
+                );
+            }
+            return Ok(());
+        }
+
        let llm_provider_api_key_value =
            self.llm_provider()
                .access_key
@ -778,16 +795,11 @@ impl HttpContext for StreamContext {
            //We need to update the upstream path if there is a variation for a provider like Gemini/Groq, etc.
            self.update_upstream_path(&request_path);

-            if self.llm_provider().endpoint.is_some() {
-                self.add_http_request_header(
-                    ARCH_ROUTING_HEADER,
-                    &self
-                        .llm_provider()
-                        .cluster_name
-                        .as_ref()
-                        .unwrap()
-                        .to_string(),
-                );
+            // Clone cluster_name to avoid borrowing self while calling add_http_request_header (which requires mut self)
+            let cluster_name_opt = self.llm_provider().cluster_name.clone();
+
+            if let Some(cluster_name) = cluster_name_opt {
+                self.add_http_request_header(ARCH_ROUTING_HEADER, &cluster_name);
            } else {
                self.add_http_request_header(
                    ARCH_ROUTING_HEADER,