Description
Same pattern as the chat route — request.headers.get("Authorization")?.split(" ")[1] passes undefined apiKey when the Bearer token is missing.
Steps to reproduce
- Send a request to
/api/copilot-stream-response/{streamId} with header Authorization: Bearer (no token)
- Undefined apiKey passes into the controller
Expected behavior
Return 401 if the token is missing or empty.
Actual behavior
Undefined apiKey is forwarded without validation.
Description
Same pattern as the chat route —
request.headers.get("Authorization")?.split(" ")[1]passes undefined apiKey when the Bearer token is missing.Steps to reproduce
/api/copilot-stream-response/{streamId}with headerAuthorization: Bearer(no token)Expected behavior
Return 401 if the token is missing or empty.
Actual behavior
Undefined apiKey is forwarded without validation.