diff --git a/sdk/cliproxy/auth/conductor.go b/sdk/cliproxy/auth/conductor.go index d16fc1ae8..ada400632 100644 --- a/sdk/cliproxy/auth/conductor.go +++ b/sdk/cliproxy/auth/conductor.go @@ -5,6 +5,7 @@ import ( "encoding/json" "errors" "net/http" + "path/filepath" "strconv" "strings" "sync" @@ -385,22 +386,8 @@ func (m *Manager) executeWithProvider(ctx context.Context, provider string, req return cliproxyexecutor.Response{}, errPick } - accountType, accountInfo := auth.AccountInfo() - proxyInfo := auth.ProxyInfo() entry := logEntryWithRequestID(ctx) - if accountType == "api_key" { - if proxyInfo != "" { - entry.Debugf("Use API key %s for model %s %s", util.HideAPIKey(accountInfo), req.Model, proxyInfo) - } else { - entry.Debugf("Use API key %s for model %s", util.HideAPIKey(accountInfo), req.Model) - } - } else if accountType == "oauth" { - if proxyInfo != "" { - entry.Debugf("Use OAuth %s for model %s %s", accountInfo, req.Model, proxyInfo) - } else { - entry.Debugf("Use OAuth %s for model %s", accountInfo, req.Model) - } - } + debugLogAuthSelection(entry, auth, provider, req.Model) tried[auth.ID] = struct{}{} execCtx := ctx @@ -446,22 +433,8 @@ func (m *Manager) executeCountWithProvider(ctx context.Context, provider string, return cliproxyexecutor.Response{}, errPick } - accountType, accountInfo := auth.AccountInfo() - proxyInfo := auth.ProxyInfo() entry := logEntryWithRequestID(ctx) - if accountType == "api_key" { - if proxyInfo != "" { - entry.Debugf("Use API key %s for model %s %s", util.HideAPIKey(accountInfo), req.Model, proxyInfo) - } else { - entry.Debugf("Use API key %s for model %s", util.HideAPIKey(accountInfo), req.Model) - } - } else if accountType == "oauth" { - if proxyInfo != "" { - entry.Debugf("Use OAuth %s for model %s %s", accountInfo, req.Model, proxyInfo) - } else { - entry.Debugf("Use OAuth %s for model %s", accountInfo, req.Model) - } - } + debugLogAuthSelection(entry, auth, provider, req.Model) tried[auth.ID] = struct{}{} execCtx := ctx @@ -507,22 +480,8 @@ func (m *Manager) executeStreamWithProvider(ctx context.Context, provider string return nil, errPick } - accountType, accountInfo := auth.AccountInfo() - proxyInfo := auth.ProxyInfo() entry := logEntryWithRequestID(ctx) - if accountType == "api_key" { - if proxyInfo != "" { - entry.Debugf("Use API key %s for model %s %s", util.HideAPIKey(accountInfo), req.Model, proxyInfo) - } else { - entry.Debugf("Use API key %s for model %s", util.HideAPIKey(accountInfo), req.Model) - } - } else if accountType == "oauth" { - if proxyInfo != "" { - entry.Debugf("Use OAuth %s for model %s %s", accountInfo, req.Model, proxyInfo) - } else { - entry.Debugf("Use OAuth %s for model %s", accountInfo, req.Model) - } - } + debugLogAuthSelection(entry, auth, provider, req.Model) tried[auth.ID] = struct{}{} execCtx := ctx @@ -1610,6 +1569,66 @@ func logEntryWithRequestID(ctx context.Context) *log.Entry { return log.NewEntry(log.StandardLogger()) } +func debugLogAuthSelection(entry *log.Entry, auth *Auth, provider string, model string) { + if !log.IsLevelEnabled(log.DebugLevel) { + return + } + if entry == nil || auth == nil { + return + } + accountType, accountInfo := auth.AccountInfo() + proxyInfo := auth.ProxyInfo() + suffix := "" + if proxyInfo != "" { + suffix = " " + proxyInfo + } + switch accountType { + case "api_key": + entry.Debugf("Use API key %s for model %s%s", util.HideAPIKey(accountInfo), model, suffix) + case "oauth": + ident := formatOauthIdentity(auth, provider, accountInfo) + entry.Debugf("Use OAuth %s for model %s%s", ident, model, suffix) + } +} + +func formatOauthIdentity(auth *Auth, provider string, accountInfo string) string { + if auth == nil { + return "" + } + authIndex := auth.EnsureIndex() + // Prefer the auth's provider when available. + providerName := strings.TrimSpace(auth.Provider) + if providerName == "" { + providerName = strings.TrimSpace(provider) + } + // Only log the basename to avoid leaking host paths. + // FileName may be unset for some auth backends; fall back to ID. + authFile := strings.TrimSpace(auth.FileName) + if authFile == "" { + authFile = strings.TrimSpace(auth.ID) + } + if authFile != "" { + authFile = filepath.Base(authFile) + } + parts := make([]string, 0, 3) + if providerName != "" { + parts = append(parts, "provider="+providerName) + } + if authFile != "" { + parts = append(parts, "auth_file="+authFile) + } + if authIndex != "" { + parts = append(parts, "auth_index="+authIndex) + } + if len(parts) == 0 { + return accountInfo + } + if accountInfo == "" { + return strings.Join(parts, " ") + } + return strings.Join(parts, " ") + " account=" + strconv.Quote(accountInfo) +} + // InjectCredentials delegates per-provider HTTP request preparation when supported. // If the registered executor for the auth provider implements RequestPreparer, // it will be invoked to modify the request (e.g., add headers).