Skip to content

Handle unversioned OpenAI /responses paths in API proxy sidecar #2080

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lpcox merged 4 commits into from
Apr 18, 2026
Merged

Handle unversioned OpenAI /responses paths in API proxy sidecar #2080

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4e8f946
Initial plan
Copilot Apr 18, 2026
11a2ae9
fix(api-proxy): route unversioned openai responses via /v1
Copilot Apr 18, 2026
aeb6845
fix(api-proxy): normalize openai host before default /v1 mapping
Copilot Apr 18, 2026
d4ab433
fix(api-proxy): reject protocol-relative request urls
Copilot Apr 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 28 additions & 4 deletions containers/api-proxy/server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,10 +149,12 @@ function normalizeBasePath(rawPath) {

/**
* Build the full upstream path by joining basePath, reqUrl's pathname, and query string.
* Applies provider-safe defaults and avoids duplicate prefixing when the incoming
* path already includes the configured base path.
*
* Examples:
* buildUpstreamPath('/v1/chat/completions', 'api.openai.com', '')
* → '/v1/chat/completions'
* buildUpstreamPath('/responses', 'api.openai.com', '')
* → '/v1/responses'
* buildUpstreamPath('/v1/chat/completions', 'host.databricks.com', '/serving-endpoints')
* → '/serving-endpoints/v1/chat/completions'
* buildUpstreamPath('/v1/messages?stream=true', 'host.com', '/anthropic')
Expand All @@ -165,8 +167,30 @@ function normalizeBasePath(rawPath) {
*/
function buildUpstreamPath(reqUrl, targetHost, basePath) {
const targetUrl = new URL(reqUrl, `https://${targetHost}`);
const prefix = basePath === '/' ? '' : basePath;
return prefix + targetUrl.pathname + targetUrl.search;
const pathname = targetUrl.pathname;
Comment on lines 168 to +174
Copy link

Copilot AI Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

buildUpstreamPath() currently accepts protocol-relative paths (e.g. //host/path). Because new URL() treats //... as a host override, this can drop the first path segment and produce surprising upstream paths. Consider rejecting reqUrl values that start with // (or normalizing them) before calling new URL() to ensure only origin-form paths are forwarded.

See below for a potential fix:

 * @param {string} reqUrl - The incoming request URL (must start with '/' and not '//')
 * @param {string} targetHost - The upstream hostname (used only to parse the URL)
 * @param {string} basePath - Normalized base path prefix (e.g. '/serving-endpoints' or '')
 * @returns {string} Full upstream path including query string
 */
function buildUpstreamPath(reqUrl, targetHost, basePath) {
  if (reqUrl.startsWith('//')) {
    throw new Error('Protocol-relative request URLs are not supported');
  }

Copilot uses AI. Check for mistakes.
let prefix = basePath === '/' ? '' : basePath;

// OpenAI's canonical API paths are versioned under /v1, while some newer
// clients (for example Codex CLI with OPENAI_BASE_URL pointing at the sidecar)
// send unversioned paths like /responses. Add /v1 only for the default
// OpenAI host when no explicit base path is configured.
if (!prefix) {
let normalizedTargetHost = targetHost;
try {
normalizedTargetHost = new URL(`https://${targetHost}`).hostname;
} catch {
// Fall back to the raw host value if parsing fails.
}
if (normalizedTargetHost === 'api.openai.com') {
prefix = '/v1';
}
Copy link

Copilot AI Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

buildUpstreamPath() parses targetHost a second time to normalize the hostname for the OpenAI check. Since you already constructed targetUrl with new URL(reqUrl, ...), you can use targetUrl.hostname (or normalize once upstream) to avoid redundant parsing/try-catch and keep the logic simpler.

Suggested change
if (!prefix) {
let normalizedTargetHost = targetHost;
try {
normalizedTargetHost = new URL(`https://${targetHost}`).hostname;
} catch {
// Fall back to the raw host value if parsing fails.
}
if (normalizedTargetHost === 'api.openai.com') {
prefix = '/v1';
}
if (!prefix && targetUrl.hostname === 'api.openai.com') {
prefix = '/v1';

Copilot uses AI. Check for mistakes.
}

if (prefix && (pathname === prefix || pathname.startsWith(`${prefix}/`))) {
return pathname + targetUrl.search;
}

return prefix + pathname + targetUrl.search;
}

/**
Expand Down
22 changes: 21 additions & 1 deletion containers/api-proxy/server.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -406,6 +406,21 @@ describe('buildUpstreamPath', () => {
.toBe('/v1/chat/completions');
});

it('should map unversioned /responses to /v1/responses for api.openai.com', () => {
expect(buildUpstreamPath('/responses', 'api.openai.com', ''))
.toBe('/v1/responses');
});

it('should preserve already-versioned OpenAI responses path', () => {
expect(buildUpstreamPath('/v1/responses', 'api.openai.com', ''))
.toBe('/v1/responses');
});

it('should map unversioned /responses to /v1/responses when OpenAI host includes port', () => {
expect(buildUpstreamPath('/responses', 'api.openai.com:443', ''))
.toBe('/v1/responses');
});

it('should preserve /v1/messages exactly (Anthropic standard path)', () => {
expect(buildUpstreamPath('/v1/messages', 'api.anthropic.com', ''))
.toBe('/v1/messages');
Expand Down Expand Up @@ -438,6 +453,12 @@ describe('buildUpstreamPath', () => {
.toBe('/v1/messages');
});

it('should not force /v1 for non-OpenAI custom targets', () => {
const target = 'my-gateway.example.com';
expect(buildUpstreamPath('/responses', target, ''))
.toBe('/responses');
});

it('should produce wrong hostname if scheme is NOT stripped (demonstrating the bug)', () => {
// Without normalizeApiTarget, the scheme-prefixed value causes
// new URL() to parse 'https' as the hostname instead of the real host
Expand Down Expand Up @@ -946,4 +967,3 @@ describe('resolveOpenCodeRoute', () => {
expect(route.headers['x-api-key']).toBeUndefined();
});
});

Loading