fix for copilot token#2491
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
🦋 Changeset detectedLatest commit: a2f83e5 The changes in this PR will be included in the next version bump. This PR includes changesets to release 10 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
Switches copilot token authentication from a server-side API key (
|
There was a problem hiding this comment.
The auth approach switch — from a static API key to session-cookie-based auth via x-forwarded-cookie — is correct and consistent with the established pattern in manageAuth.ts/sessionAuth.ts. One security issue: unlike api-config.ts, this forwards all cookies unfiltered rather than scoping to better-auth cookies only.
| try { | ||
| const cookieStore = await cookies(); | ||
| const allCookies = cookieStore.getAll(); | ||
| const cookieHeader = allCookies.map((c) => `${c.name}=${c.value}`).join('; '); |
There was a problem hiding this comment.
Security: Forward only auth cookies, not all cookies. The established pattern in api-config.ts (lines 46, 55) filters to only better-auth cookies before forwarding — e.g. allCookies.filter((c) => c.name.includes('better-auth')). This forwards every cookie (analytics, preferences, third-party trackers, etc.) to the API and then back to the client via the response. Filter to auth cookies only:
| const cookieHeader = allCookies.map((c) => `${c.name}=${c.value}`).join('; '); | |
| const cookieHeader = allCookies.filter((c) => c.name.includes('better-auth')).map((c) => `${c.name}=${c.value}`).join('; '); |
There was a problem hiding this comment.
PR Review Summary
(0) Total Issues | Risk: Low
This PR changes the copilot token authentication mechanism from a static API key approach (INKEEP_COPILOT_API_KEY with Bearer header) to session-based authentication via the x-forwarded-cookie header pattern already established throughout the codebase.
Key Observations
✅ Authentication pattern alignment — The x-forwarded-cookie header is already used in sessionAuth.ts, manageAuth.ts, and A2A handlers. This PR correctly adopts the same pattern.
✅ Security improvement — Session-based auth is more secure than static API keys:
- Sessions are tied to specific users with time limits
- Sessions can be revoked at logout
- Static API keys have broader exposure and longer lifespans
✅ Correct middleware flow — The manageBearerOrSessionAuth middleware falls back to sessionAuth() when no Bearer header is present, which reads x-forwarded-cookie and validates the session. This flow is correct.
✅ Proper error handling — The empty cookie check (if (!cookieHeader)) correctly detects missing sessions since getAll().map().join() on an empty array produces an empty string.
✅ Clean code — Moving cookie reading before the fetch (rather than after) is a cleaner approach for authentication-first validation.
✅ APPROVE
Summary: Clean, minimal change that correctly adopts an established authentication pattern in the codebase. The shift from static API key to session-based auth is a security improvement. Ship it! 🚀
Reviewers (2)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
pr-review-standards |
0 | 0 | 0 | 0 | 0 | 0 | 0 |
pr-review-security-iam |
0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
No description provided.