add api-key parameter

[dtrawins]

🛠 Summary

CVS-174477
Enable client authorization using API key passed in authorization header.
API key can be set using --api_key_file parameter or using API_KEY env variable
Key verification is enabled only for generative endpoints /v3

🧪 Checklist

• Unit tests added.
• The documentation updated.
• Change follows security best practices.
  ``

[mzegla]

Suggested change

	if (request_components.headers.at("authorization") != "Bearer " + api_key) {
	if (request_components.headers.at("authorization") != "Bearer " + apiKey) {

Is exact match safe here? No risk of some additional whitespaces?

[mzegla]

Suggested change

	SPDLOG_DEBUG("Unauthorized request - invalid API key {} instead of {}", request_components.headers.at("authorization"), api_key);
	SPDLOG_DEBUG("Unauthorized request - invalid API key {} instead of {}", request_components.headers.at("authorization"), apiKey);

[mzegla]

Suggested change

	}
	}

[Copilot]

Pull Request Overview

This PR adds API key authentication support for generative endpoints in the HTTP REST API. The implementation introduces an optional authentication mechanism that validates Bearer tokens against a configured API key.

• Adds API key configuration parameter and server-level storage
• Implements Bearer token validation in V3 HTTP endpoints
• Adds unauthorized status code for invalid authentication attempts

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/status.hpp	Adds UNAUTHORIZED status code enum
src/status.cpp	Adds status message mapping for unauthorized requests
src/server.hpp	Adds API key storage and getter method
src/server.cpp	Implements API key initialization and getter
src/http_rest_api_handler.hpp	Updates processV3 signature to accept API key parameter
src/http_rest_api_handler.cpp	Implements Bearer token validation logic
src/config.hpp	Adds API key getter method to Config class
src/config.cpp	Implements API key getter method
src/cli_parser.cpp	Adds API key command line parameter parsing
src/capi_frontend/server_settings.hpp	Adds API key field to server settings

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The setAPIKey method is declared but never implemented. Either implement this method or remove the declaration if API key modification after initialization is not intended.

Suggested change

	std::string setAPIKey(const std::string& newApiKey);
	std::string setAPIKey(const std::string& newApiKey) {
	std::unique_lock<std::shared_mutex> lock(modulesMtx);
	std::string oldApiKey = apiKey;
	apiKey = newApiKey;
	return oldApiKey;
	}

[atobiszei]

HttpServerModule has access to ovms::config in HTTPServerModule::start(ovms::Config)
Either extend ovms::createAndStartDrogonHttpServer() with additional parameter or wrap
apiKey together with restBindAddress,restPort, workersCount in helper struct nested inside server settings (HTTPServerConfig?)

[atobiszei]

Bump

[Copilot]

The loop converts header keys to lowercase but doesn't store the results anywhere. The lowercaseKey variable is not used, so the header lookup will still be case-sensitive. Either store the lowercase headers in a new map or perform case-insensitive lookup directly.

[Copilot]

Header lookup uses exact case 'authorization' but HTTP headers are case-insensitive. This will fail if the client sends 'Authorization' (capitalized). Use case-insensitive header lookup or convert the headers map to lowercase keys.

[atobiszei]

Can't we just cerr here & exit, instead of throw & instant catch?

[mzegla]

Suggested change

	The `api_key_file` should contains a path to the file containing the value of API key. The content of the file first line is used. If parameter api_key_file and variable API_KEY are not set, the server will not require any authorization. The client should send the API key inside the `Authorization` header as `Bearer <api_key>`.
	The `api_key_file` should contain a path to the file containing the value of API key. The content of the file first line is used. If parameter api_key_file and variable API_KEY are not set, the server will not require any authorization. The client should send the API key inside the `Authorization` header as `Bearer <api_key>`.

[mzegla]

Is parameter name correct? grpc_rest_workers

[mzegla]

Suggested change

	std::filesystem::path api_key_file = result->operator[]("api_key_file").as<std::string>();
	std::filesystem::path apiKeyFile= result->operator[]("api_key_file").as<std::string>();

[mzegla]

Use find(...) != end? It would better explain the intent

[mzegla]

invalid or missing

[mzegla]

Suggested change

	{StatusCode::UNAUTHORIZED, "Unauthorized request due to invalid api-key"},
	{StatusCode::UNAUTHORIZED, "Unauthorized request due to invalid or missing api-key"},

[mzegla]

invalid or missing

[mzegla]

Suggested change

	UNAUTHORIZED, /*!< Unauthorized request due to invalid api-key*/
	UNAUTHORIZED, /*!< Unauthorized request due to invalid or missing api-key*/

[mzegla]

Non-okay status - might be tricky if at some point order of operations is changed and ovms::StatusCode::MEDIAPIPE_DEFINITION_NAME_MISSING gets returned before authorization check. In such case we would not know if authorization works as it will be covered by this status.

[atobiszei]

If we enable authorization for each http request we will create new map of headers for each request. Then we use count, and at so we double search the map.

Maybe sth like this would be more efficient:

bool caseInsensitiveEquals(std::string_view a, std::string_view b) noexcept {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i) {
        unsigned char ca = static_cast<unsigned char>(a[i]);
        unsigned char cb = static_cast<unsigned char>(b[i]);
        if (std::tolower(ca) != std::tolower(cb))
            return false;
    }
    return true;
}

const std::string* findCaseInsensitive(
    const std::unordered_map<std::string, std::string>& map,
    std::string_view key) noexcept
{
    auto it = std::find_if(map.begin(), map.end(),
                           [&](const auto& kv) {
                               return iequals(kv.first, key);
                           });
    return (it != map.end()) ? &it->second : nullptr;
}

Then we check if there's key in the map (!=nullptr) we compare with expected key

[atobiszei]

what about v1/v2?

[atobiszei]

Suggested change

	SetEnvironmentVar("API_KEY", "ABCD");
	EnvGuard envGuard;
	envGuard.set("API_KEY", "ABCD");

[atobiszei]

Suggested change

UnSetEnvironmentVar("API_KEY");

This won't unset if we exit with error in L1938

[atobiszei]

This is not static and we have access to member in processV3. Inside processV3 we could just use
this->apiKey.

[atobiszei]

if we use member of handler in processV3 method instead of passing argument we could just leave this code as on main branch