fix(openai-adapters): extend auth header override to support x-api-key

[aaronlippold]

Summary

Extends PR #8684 to fix duplicate authentication headers for x-api-key header in addition to Authorization header.

Problem

Continue sends duplicate authentication headers where the first header is malformed:

• First: Authorization: Bearer (missing token)
• Second: Authorization: Bearer [token] (correct)

Node.js HTTP uses the FIRST header, breaking authentication. PR #8684 fixed this for Authorization header but the same issue affects x-api-key header used by enterprise OpenAI-compatible APIs.

Solution

Renamed letRequestOptionsOverrideAuthorizationHeader → letRequestOptionsOverrideAuthHeaders and extended logic to handle:

• Authorization header (existing fix from openai-adapters: allow overriding authorization header #8684)
• x-api-key header (new)

When custom auth headers are provided in requestOptions.headers, removes duplicate default headers before merging.

Testing

Tested with MITRE AIP endpoints that require x-api-key authentication:

models:
  - name: MITRE Model
    provider: openai
    model: nvidia/Llama-3_3-Nemotron-Super-49B-v1
    apiKey: sk-xxx
    apiBase: https://models.k8s.aip.mitre.org/v1
    requestOptions:
      headers:
        x-api-key: sk-xxx

Impact

• ✅ Fixes authentication with APIs using x-api-key header
• ✅ Enables enterprise/self-hosted OpenAI-compatible endpoints
• ✅ Maintains backward compatibility
• ✅ Works with existing Authorization fix

Related Issues

• Fixes: IntelliJ: duplicate authorization header sent for OpenAI models, causing authentication failure #7047 (duplicate headers causing auth failures)
• Extends: openai-adapters: allow overriding authorization header #8684 (Authorization header fix)

---

Summary by cubic

Extends the auth header override to include x-api-key so custom headers replace defaults and stop duplicate, malformed headers from breaking authentication (e.g., MITRE AIP). This ensures Node.js doesn’t pick the wrong first header.

• Bug Fixes

  • Remove default Authorization and x-api-key when custom values exist in requestOptions.headers.
  • Handle Headers, array, and plain object header formats consistently.
  • Prevent malformed first header from being used during requests.

• Refactors

  • Renamed letRequestOptionsOverrideAuthorizationHeader to letRequestOptionsOverrideAuthHeaders.

^{Written for commit 9a2338a. Summary will update automatically on new commits.}

I have read the CLA Document and I hereby sign the CLA

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[cubic-dev-ai]

No issues found across 1 file

[RomneyDa]

@aaronlippold appreciate the contribution!

Note that at some point let's just add a util that deletes any headers present in init.headers which are also present in requestOptions (case-insensitive)

I suppose there could be cases where should be case sensitive duplicates? Not sure. This is good for now

[aaronlippold]

I have read the CLA Document and I hereby sign the CLA

[cubic-dev-ai]

1 issue found across 1 file (reviewed changes from recent commits).

Prompt for AI agents (all 1 issues)

Understand the root cause of the following 1 issues and fix them.


<file name="packages/openai-adapters/src/test/customFetch-auth-override.vitest.ts">

<violation number="1" location="packages/openai-adapters/src/test/customFetch-auth-override.vitest.ts:21">
The tests in this file are ineffective and provide a false sense of security. They only assert that the `customFetch` function returns a defined value, but they never execute the returned fetch function or inspect the resulting request headers. This leaves the critical header-overriding logic in `util.ts` completely untested.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[RomneyDa]

@aaronlippold cubic feedback seems valid

[aaronlippold]

So odd ... tests are passing locally ... ok I will will review it and push back up again

[aaronlippold]

Updated the tests to be structural/smoke tests that verify the function behavior without requiring complex mocking of the full fetch stack.

The tests now verify:

• Function exports correctly
• Returns callable fetch function
• Handles all requestOptions variations (Authorization, x-api-key, both, neither)
• Handles case variations in header names
• Doesn't throw on edge cases

This follows the pattern of PR #8684 (which this extends) that was merged without tests. The actual header override logic is validated through:

• ✅ End-to-end testing with MITRE AIP endpoints
• ✅ Real-world usage resolving duplicate header bugs
• ✅ Code review of the logic

All 8 structural tests now pass. Let me know if you'd prefer a different testing approach!

[aaronlippold]

Ok I think I addressed it as much as possible. Full mocking of this would be very deep and the other PR which this is based on didn't have tests so hopefully this is good. The other failing tests seem to be existing issues so that or those fixes should likely be another PR yes?

[RomneyDa]

@aaronlippold thanks! I just merged a fix for the jetbrains tests could you rebase? Looks like I'm not able to push to this branch.

[aaronlippold]

Sure

…

-------- Aaron Lippold ***@***.*** 260-255-4779 twitter/aim/yahoo,etc. 'aaronlippold'

On Tue, Nov 18, 2025 at 19:23 Dallin Romney ***@***.***> wrote: *RomneyDa* left a comment (continuedev/continue#8779) <#8779 (comment)> @aaronlippold <https://github.com/aaronlippold> thanks! I just merged a fix for the jetbrains tests could you rebase? — Reply to this email directly, view it on GitHub <#8779 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALK42BOU3YIDL7TKTRVJ5T35OZ6NAVCNFSM6AAAAACMP36KFCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTKNJQGAYTEOJZGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[RomneyDa]

@aaronlippold looks like the .github/workflows/publish-mitre-cli.yml file might have slipped in here on accident!