AI Bridge Proxy: handle plain HTTP proxy requests instead of rejecting with 407 #1351
Description
Problem
AI Bridge Proxy rejects plain HTTP requests that go through it with a 407 (Proxy Authentication Required). This happens because HTTP requests are sent directly to the proxy without a CONNECT handshake, so they reach handleRequest without a requestContext (which is only set during the CONNECT phase by authMiddleware).
While the proxy should primarily be configured as HTTPS_PROXY (since all supported AI provider domains use HTTPS), users or tools may also set HTTP_PROXY pointing to the same address. When this happens, plain HTTP traffic is routed through the proxy and rejected.
How to reproduce
- Send a plain HTTP request through the proxy:
curl -x http://coder:testtoken@localhost:8888 http://example.com/test - Logs show:
[API] 2026-02-12 08:50:21.409 [warn] coderd.aibridgeproxyd: rejecting request with missing context host=example.com method=GET path=/test
[API] 2026-02-12 08:50:21.409 [warn] coderd.aibridgeproxyd: received error response from aibridged connect_id=00000000-0000-0000-0000-000000000000 request_id=00000000-0000-0000-0000-000000000000 provider="" status=407
Proposal
Update handleRequest so that when reqCtx is nil and the request is plain HTTP (not a decrypted MITM'd HTTPS request), forward it directly to the destination, the same way non-allowlisted CONNECT requests are tunneled via tunneledMiddleware.
Note: Authentication for tunneled traffic (both HTTP and non-allowlisted HTTPS) is tracked in issue: #1352.