feat(runtime): add optional API token guard #856

Closed. axobase001 wants to merge 1 commit into Hmbown:main from axobase001:feat/runtime-api-token-guard

@axobase001
Contributor

Summary

Adds a narrow optional token guard for the existing HTTP/SSE runtime API.

This is intentionally smaller than #852:

  • no mobile UI
  • no new serving mode
  • no approval endpoints
  • no thread-control UI changes

Behavior:

  • Default `deepseek serve --http` behavior is unchanged.
  • Passing `--auth-token TOKEN` or setting `DEEPSEEK_RUNTIME_TOKEN=TOKEN` requires a matching token for `/v1/*` routes.
  • `/health` remains public for local readiness checks.
  • Clients may pass the token via `Authorization: Bearer TOKEN`, `X-DeepSeek-Runtime-Token: TOKEN`, or `?token=TOKEN` for EventSource-style clients.

Verification

  • `cargo fmt --all`
  • `cargo check -p deepseek-tui --locked`
  • `cargo test -p deepseek-tui runtime_token_guard_protects_v1_routes --locked`

This PR is meant as a small mergeable slice toward the larger local/remote runtime control direction discussed in #852.
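
The guard behavior listed in the PR description above, sketched as an added example (not code from this PR or from deepseek-tui): a std-only Rust decision function. The function names, the `/v1/example` path and the `s3cret` token are constructed for illustration, and first-match-wins ordering across the three token locations is an assumption.

```rust
// Added illustration only: not the deepseek-tui implementation.
#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Deny }

/// Compare without an early exit, so timing does not reveal how many leading bytes matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Look for the token in the three places the PR lists. First match wins (assumption).
fn presented_token<'a>(headers: &[(&str, &'a str)], query: &'a str) -> Option<&'a str> {
    for (name, value) in headers {
        if name.eq_ignore_ascii_case("authorization") {
            if let Some(t) = value.strip_prefix("Bearer ") {
                return Some(t.trim());
            }
        } else if name.eq_ignore_ascii_case("x-deepseek-runtime-token") {
            return Some(value.trim());
        }
    }
    // Query form exists for EventSource clients, which cannot set request headers.
    // Assumes a URL-safe token, so no percent-decoding is done here.
    query.split('&').find_map(|kv| kv.strip_prefix("token="))
}

/// `expected` is the configured token (None when neither the flag nor the env var is set).
pub fn guard(expected: Option<&str>, path: &str, headers: &[(&str, &str)], query: &str) -> Decision {
    let expected = match expected {
        Some(e) => e,
        None => return Decision::Allow, // default behavior: guard is off
    };
    if !path.starts_with("/v1/") {
        return Decision::Allow; // /health and other non-/v1 paths stay public
    }
    match presented_token(headers, query) {
        Some(t) if ct_eq(t.as_bytes(), expected.as_bytes()) => Decision::Allow,
        _ => Decision::Deny, // missing or wrong token
    }
}

fn main() {
    // Constructed request: path and token are sample values.
    let d = guard(Some("s3cret"), "/v1/example", &[("Authorization", "Bearer s3cret")], "");
    println!("{:?}", d);
}
```

A token sent as `?token=` travels in the URL, so it can end up in proxy and access logs; the header forms avoid that.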

@Hmbown Hmbown closed this May 6, 2026
@Hmbown Hmbown reopened this May 6, 2026
Hmbown added a commit that referenced this pull request May 6, 2026
Integrates #856 as a focused runtime API security slice. Default local behavior remains unchanged; /v1/* routes require a token only when --auth-token or DEEPSEEK_RUNTIME_TOKEN is set.

Co-authored-by: Zhuoran Deng <dengzhuoran9@gmail.com>
Hmbown added a commit that referenced this pull request May 6, 2026
Integrates #856 as a focused runtime API security slice.

Default local behavior remains unchanged. `/v1/*` routes require a token only when `--auth-token` or `DEEPSEEK_RUNTIME_TOKEN` is set, and `/health` remains public for readiness checks.

Co-authored-by: Zhuoran Deng <dengzhuoran9@gmail.com>
@Hmbown
Owner

Hmbown commented May 6, 2026

Integrated this in #916 and merged it to main as afe99f2. Thank you for carving the runtime auth work down into a focused default-off security slice.

The merged commit preserves contributor credit with Co-authored-by: Zhuoran Deng <dengzhuoran9@gmail.com>. Closing this PR as integrated.

@Hmbown Hmbown closed this May 6, 2026