fix(security): Gemini API key header + Mutex safety + Agent validation
Some checks failed
CI / Build Frontend (push) Has been cancelled
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
Some checks failed
CI / Build Frontend (push) Has been cancelled
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
M1-01: Move Gemini API key from URL query param to x-goog-api-key header,
preventing key leakage in logs/proxy/telemetry (matches Anthropic/OpenAI pattern)
M1-03/M1-04: Replace Mutex .unwrap() with .unwrap_or_else(|e| e.into_inner())
in MemoryMiddleware and LoopGuardMiddleware — recovers from poison
instead of panicking async runtime
M2-08: Add input validation to agent_create — reject empty names,
out-of-range temperature (0-2), and zero max_tokens
M11-06: Replace Date.now() message ID with crypto.randomUUID()
to prevent collisions in classroom chat
This commit is contained in:
iven
@@ -68,10 +68,9 @@ impl LlmDriver for GeminiDriver {
|
||||
async fn complete(&self, request: CompletionRequest) -> Result<CompletionResponse> {
|
||||
let api_request = self.build_api_request(&request);
|
||||
let url = format!(
|
||||
"{}/models/{}:generateContent?key={}",
|
||||
"{}/models/{}:generateContent",
|
||||
self.base_url,
|
||||
request.model,
|
||||
self.api_key.expose_secret()
|
||||
);
|
||||
|
||||
tracing::debug!(target: "gemini_driver", "Sending request to: {}", url);
|
||||
@@ -79,6 +78,7 @@ impl LlmDriver for GeminiDriver {
|
||||
let response = self.client
|
||||
.post(&url)
|
||||
.header("content-type", "application/json")
|
||||
.header("x-goog-api-key", self.api_key.expose_secret())
|
||||
.json(&api_request)
|
||||
.send()
|
||||
.await
|
||||
@@ -105,10 +105,9 @@ impl LlmDriver for GeminiDriver {
|
||||
) -> Pin<Box<dyn Stream<Item = Result<StreamChunk>> + Send + '_>> {
|
||||
let api_request = self.build_api_request(&request);
|
||||
let url = format!(
|
||||
"{}/models/{}:streamGenerateContent?alt=sse&key={}",
|
||||
"{}/models/{}:streamGenerateContent?alt=sse",
|
||||
self.base_url,
|
||||
request.model,
|
||||
self.api_key.expose_secret()
|
||||
);
|
||||
|
||||
tracing::debug!(target: "gemini_driver", "Starting stream request to: {}", url);
|
||||
@@ -117,6 +116,7 @@ impl LlmDriver for GeminiDriver {
|
||||
let response = match self.client
|
||||
.post(&url)
|
||||
.header("content-type", "application/json")
|
||||
.header("x-goog-api-key", self.api_key.expose_secret())
|
||||
.timeout(std::time::Duration::from_secs(120))
|
||||
.json(&api_request)
|
||||
.send()
|
||||
|
||||
Reference in New Issue
Block a user