[PR] fix(agent-service): authenticate to the LLM proxy as the delegating user [texera]

Wed, 10 Jun 2026 02:15:02 -0700 


bobbai00 opened a new pull request, #5605:
URL: https://github.com/apache/texera/pull/5605

   ### What changes were proposed in this PR?
   
   Since #5421, the access-control-service LiteLLM proxy requires a 
REGULAR/ADMIN-role user JWT and injects `LITELLM_MASTER_KEY` into the 
downstream request itself, but the agent-service still authenticated with the 
static `LLM_API_KEY` default (`"dummy"`), so every agent generation call 
returned 401 Unauthorized. This PR (one line in `agent-service/src/server.ts`) 
uses the delegating user's JWT (`delegateConfig.userToken`) as the LLM client 
credential; an explicitly set non-default `LLM_API_KEY` still takes precedence 
for direct, unproxied LiteLLM deployments.
   
   ```mermaid
   sequenceDiagram
       participant FE as Frontend (user JWT)
       participant AS as agent-service
       participant ACS as access-control-service (LiteLLM proxy)
       participant LLM as LiteLLM
   
       FE->>AS: create agent (userToken = user JWT)
       FE->>AS: send message
       rect rgb(255, 235, 235)
       Note over AS,ACS: before: Authorization: Bearer dummy → 401
       end
       AS->>ACS: POST /api/chat/completions<br/>Authorization: Bearer (user 
JWT) ✅
       ACS->>LLM: forward with Authorization: Bearer (LITELLM_MASTER_KEY)
       LLM-->>AS: completion
       AS-->>FE: agent response
   ```
   
   ### Any related issues, documentation, discussions?
   
   Closes #5604
   
   ### How was this PR tested?
   
   Verified locally: ran the agent-service with `LLM_ENDPOINT` pointed at a 
stub server recording the `Authorization` header — creating an agent with a 
`userToken` and sending a message over the websocket now forwards `Bearer <user 
JWT>` instead of `Bearer dummy`. Also checked against the real 
access-control-service proxy, which rejects `Bearer dummy` with 401 and accepts 
a REGULAR-user JWT. `typecheck` and `format:check` pass.
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Fable 5 (1M context)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to