You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When deploying OpenMAIC on Vercel for a class or research group, deployers need a way to restrict site access without exposing their LLM API keys. Currently, the codebase does not implement CODE / ACCESS_CODE / HIDE_USER_API_KEY — the environment variables are silently ignored, leaving deployments open to anyone with the URL.
A teacher in #287 is trying to share a deployment with 700 students(——wow!) while keeping their DOUBAO_API_KEY safe. Without access control, anyone can consume their API quota.
Proposed Solution
A zero-dependency, purely additive access-code gate using Next.js 16's proxy.ts:
Architecture
User → proxy.ts → Has valid cookie? → Yes → App
→ No → /auth (password page)
→ POST /api/auth/login
→ Set HttpOnly signed cookie → App
New files (no changes to existing code)
File
Purpose
proxy.ts
Intercept all requests; redirect unauthenticated users to /auth; return 401 for API calls
lib/server/access-auth.ts
HMAC cookie signing/verification via Web Crypto (no deps)
app/api/auth/login/route.ts
Verify access code, set HttpOnly cookie
app/api/auth/logout/route.ts
Clear cookie
app/auth/page.tsx
Simple password input page
Environment variables
Variable
Required
Description
ACCESS_CODE
Yes
The password users must enter (CODE also supported as alias)
AUTH_SECRET
Yes
Random string (≥32 chars) for HMAC cookie signing
AUTH_TTL_HOURS
No
Cookie lifetime, default 12h
Key design decisions
Purely additive — zero modifications to existing files; if ACCESS_CODE is not set, behavior is identical to today
No dependencies — uses Web Crypto API (available in Vercel Edge Runtime)
HttpOnly + HMAC-signed cookie — prevents tampering, not accessible to client JS
Separation of concerns — the access code never touches the API key flow; it's a site-level gate only
What this does NOT solve (yet)
The deeper issue from #287 — when HIDE_USER_API_KEY=true and a server-side provider key is configured, client-submitted apiKey should be ignored in resolve-model.ts. This requires changes to existing code and is a separate concern. Happy to tackle it as a follow-up if maintainers agree on the approach.
Questions for Maintainers
[MAJOR]Does this align with the project's roadmap? We'd love to hear whether site-level access control is something the team considers worth supporting, or if shared deployments are out of scope for now.
Is this the right scope? Or would you prefer a more comprehensive auth system (e.g., multi-user, token-based)?
i18n: The auth page needs user-facing strings — should I add them to the existing messages/ structure? Which locales are required at minimum?
Cookie name: I'm using openmaic_auth — any naming convention to follow?
Follow-up PR for API key isolation: Should I file a separate issue for the resolve-model.ts changes?
Happy to implement this if the approach looks good.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Motivation
Ref: #287
When deploying OpenMAIC on Vercel for a class or research group, deployers need a way to restrict site access without exposing their LLM API keys. Currently, the codebase does not implement
CODE/ACCESS_CODE/HIDE_USER_API_KEY— the environment variables are silently ignored, leaving deployments open to anyone with the URL.A teacher in #287 is trying to share a deployment with 700 students(——wow!) while keeping their
DOUBAO_API_KEYsafe. Without access control, anyone can consume their API quota.Proposed Solution
A zero-dependency, purely additive access-code gate using Next.js 16's
proxy.ts:Architecture
New files (no changes to existing code)
proxy.ts/auth; return 401 for API callslib/server/access-auth.tsapp/api/auth/login/route.tsHttpOnlycookieapp/api/auth/logout/route.tsapp/auth/page.tsxEnvironment variables
ACCESS_CODECODEalso supported as alias)AUTH_SECRETAUTH_TTL_HOURSKey design decisions
ACCESS_CODEis not set, behavior is identical to todayWhat this does NOT solve (yet)
The deeper issue from #287 — when
HIDE_USER_API_KEY=trueand a server-side provider key is configured, client-submittedapiKeyshould be ignored inresolve-model.ts. This requires changes to existing code and is a separate concern. Happy to tackle it as a follow-up if maintainers agree on the approach.Questions for Maintainers
messages/structure? Which locales are required at minimum?openmaic_auth— any naming convention to follow?resolve-model.tschanges?Happy to implement this if the approach looks good.
Related: #287
Beta Was this translation helpful? Give feedback.
All reactions