Description
The chat API route extracts the API key with `req.headers.get("Authorization")?.split(" ")[1]`. If a client sends `Authorization: Bearer` (no token) or `Authorization: Bearer ` (a trailing space and no token), `split(" ")[1]` is `undefined` or an empty string respectively. That value is passed as `apiKey` into the controller without any validation.
Steps to reproduce
- Send a POST to `/api/v1/{projectId}/chat` with the header `Authorization: Bearer` (no token after the space).
- The request proceeds with `apiKey: undefined`.
Expected behavior
Return 401 if the token is missing or empty.
Actual behavior
An undefined `apiKey` is passed to `runTurnController.execute()`, which may cause a cryptic downstream error or silently bypass validation.
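The following is an added example, not code from the project or the reporter, showing the original extraction beside a strict parser that rejects every empty-token variant before anything reaches the controller. The function and type names (`naiveExtract`, `extractBearerToken`, `handleChat`, `HandlerResult`) and the handler shape are assumptions for illustration; the real route would return its framework's 401 response instead of the plain object used here.

```typescript
// Added example (not the project's own code). Demonstrates why
// `header?.split(" ")[1]` lets empty tokens through and how a strict
// Bearer parser closes the gap. Names and handler shape are assumptions.

// The original extraction, kept for comparison only:
// "Bearer"  -> ["Bearer"]      -> [1] is undefined
// "Bearer " -> ["Bearer", ""]  -> [1] is ""
function naiveExtract(header: string | null): string | undefined {
  return header?.split(" ")[1];
}

// Strict extraction. Returns null (caller must answer 401) unless the header
// is exactly "<scheme> <token>" with scheme "Bearer" (auth schemes are
// case-insensitive) and a non-empty token. Extra whitespace, a missing
// token, a wrong scheme or additional parts are all rejected.
function extractBearerToken(header: string | null): string | null {
  if (header === null) return null;
  const parts = header.trim().split(/\s+/);
  if (parts.length !== 2) return null;
  const [scheme, token] = parts;
  if (scheme.toLowerCase() !== "bearer") return null;
  if (token.length === 0) return null;
  return token;
}

// Minimal handler shape constructed for the example. The validation runs
// before the controller is touched; `execute` stands in for
// runTurnController.execute() and is only ever called with a real token.
interface HandlerResult {
  status: number;
  body: string;
  headers?: Record<string, string>;
}

function handleChat(
  authorizationHeader: string | null,
  execute: (apiKey: string) => string,
): HandlerResult {
  const apiKey = extractBearerToken(authorizationHeader);
  if (apiKey === null) {
    // RFC 6750 style challenge so clients learn which scheme is expected.
    return {
      status: 401,
      body: "Missing or malformed Authorization header",
      headers: { "WWW-Authenticate": 'Bearer realm="api"' },
    };
  }
  return { status: 200, body: execute(apiKey) };
}
```

Note that the strict parser also refuses `Basic ...` and `Bearer a b`, which the original one-liner would have accepted as "some string", so the controller can rely on `apiKey` being a non-empty Bearer token rather than repeating the check itself.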