[router] add auth middleware for api key auth (#10826)

2025-09-23 16:07:34 -07:00
parent f4e3ebeb05
commit ee704e6265
6 changed files with 186 additions and 16 deletions
--- a/sgl-router/py_test/e2e/test_regular_router.py
+++ b/sgl-router/py_test/e2e/test_regular_router.py
@@ -131,31 +131,29 @@ def test_dp_aware_worker_expansion_and_api_key(
    r = requests.post(
        f"{router_url}/add_worker",
        params={"url": worker_url, "api_key": api_key},
+        headers={"Authorization": f"Bearer {api_key}"},
        timeout=180,
    )
    r.raise_for_status()

-    r = requests.get(f"{router_url}/list_workers", timeout=30)
+    r = requests.get(
+        f"{router_url}/list_workers",
+        headers={"Authorization": f"Bearer {api_key}"},
+        timeout=30,
+    )
    r.raise_for_status()
    urls = r.json().get("urls", [])
    assert len(urls) == 2
    assert set(urls) == {f"{worker_url}@0", f"{worker_url}@1"}

-    # TODO: Router currently doesn't enforce API key authentication on incoming requests.
-    # It only adds the API key to outgoing requests to workers.
-    # Need to implement auth middleware to properly protect router endpoints.
-    # For now, both requests succeed (200) regardless of client authentication.
-
-    # Verify API key enforcement path-through
-    # 1) Without Authorization -> Currently 200 (should be 401 after auth middleware added)
+    # Verify API key enforcement
+    # 1) Without Authorization -> Should get 401 Unauthorized
    r = requests.post(
        f"{router_url}/v1/completions",
        json={"model": e2e_model, "prompt": "hi", "max_tokens": 1},
        timeout=60,
    )
-    assert (
-        r.status_code == 200
-    )  # TODO: Change to 401 after auth middleware implementation
+    assert r.status_code == 401

    # 2) With correct Authorization -> 200
    r = requests.post(