Description
Problem
AI Bridge Proxy does not perform any authentication on tunneled traffic. This applies to:
- Non-allowlisted HTTPS CONNECT requests: tunneled via tunneledMiddleware without any credential check
- Plain HTTP proxy requests: forwarded without any credential check (related to bug AI Bridge Proxy: handle plain HTTP proxy requests instead of rejecting with 407 #1351)
For allowlisted domains (AI providers), the proxy extracts the Coder session token from Proxy-Authorization and forwards it to AI Bridge, which validates it. However, for tunneled traffic there is no AI Bridge in the path, so no authentication happens at all.
This means anyone who can reach the proxy can tunnel traffic through it to any non-allowlisted destination without credentials. This is a known limitation documented in Security Considerations.
Proposal
Validate authentication for all tunneled traffic before forwarding. The proxy should check the Proxy-Authorization header on both non-allowlisted CONNECT requests and plain HTTP proxy requests.
Open Questions
The proxy currently does not validate tokens itself. For allowlisted domains, it passes the token to AI Bridge, which validates it against Coder. For tunneled traffic there is no AI Bridge in the path, so the proxy would need to validate the token directly.
Options:
- Check header exists only: verify that Proxy-Authorization is present but don't validate the token. Simple but weak: any string would pass.
- Validate against Coder API: make a request to Coder to verify the token. Correct but expensive: every tunneled request would hit the Coder API.
- Validate with caching: validate the token against Coder API on first use and cache the result for a period. Balances correctness with performance.
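
A sketch of the "validate with caching" option, added here as an illustration and not taken from the AI Bridge Proxy code base. It assumes the token arrives as the password of a Basic Proxy-Authorization credential and that `validate` stands in for the call to the Coder API; `CachedValidator`, `tokenFrom` and `Allow` are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// CachedValidator remembers tokens that validated until their entry expires.
type CachedValidator struct {
	mu       sync.Mutex
	ttl      time.Duration
	now      func() time.Time        // injectable clock
	validate func(token string) bool // stand-in for the Coder API call (assumption)
	seen     map[[32]byte]time.Time  // SHA-256(token) -> expiry; no raw tokens kept
}

// tokenFrom reads the token from "Basic base64(user:token)" (assumed format).
func tokenFrom(header string) (string, bool) {
	r := http.Request{Header: http.Header{"Authorization": {header}}}
	_, tok, ok := r.BasicAuth() // reuse the standard library's Basic parser
	return tok, ok && tok != ""
}

// Allow reports whether a tunneled request may be forwarded (false means 407).
func (v *CachedValidator) Allow(header string) bool {
	tok, ok := tokenFrom(header)
	key := sha256.Sum256([]byte(tok))
	v.mu.Lock() // held across validate for brevity; this serialises upstream calls
	defer v.mu.Unlock()
	if exp, hit := v.seen[key]; ok && hit && v.now().Before(exp) {
		return true // cache hit: no upstream call
	}
	if !ok || !v.validate(tok) { // missing, malformed or rejected: never cached
		return false
	}
	v.seen[key] = v.now().Add(v.ttl)
	return true
}

func main() {
	v := &CachedValidator{ttl: time.Minute, now: time.Now, seen: map[[32]byte]time.Time{},
		validate: func(t string) bool { return t == "constructed-token" }}
	h := "Basic " + base64.StdEncoding.EncodeToString([]byte("coder:constructed-token"))
	fmt.Println(v.Allow(h), v.Allow(""), v.Allow("Basic !!!"))
}
```

The TTL is also the longest time a revoked token keeps working for tunneled traffic, so it trades load on the Coder API against revocation latency.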