Harden replay matching and Gemini models auth handling

SantiagoDePolonia · SantiagoDePolonia · commit 412c9b844b8e · 2026-02-28T20:13:15.000+01:00
diff --git a/internal/providers/gemini/gemini.go b/internal/providers/gemini/gemini.go
@@ -165,13 +165,8 @@ func (p *Provider) ListModels(ctx context.Context) (*core.ModelsResponse, error)
 	modelsCfg.BaseURL = p.modelsURL
 	modelsCfg.Hooks = p.hooks
 	headers := func(req *http.Request) {
-		// Add API key as query parameter.
-		// NOTE: Passing the API key in the URL query parameter is required by Google's native Gemini API for the models endpoint.
-		// This may be a security concern, as the API key can be logged in server access logs, proxy logs, and browser history.
-		// See: https://cloud.google.com/vertex-ai/docs/generative-ai/model-parameters#api-key
-		q := req.URL.Query()
-		q.Set("key", p.apiKey)
-		req.URL.RawQuery = q.Encode()
+		// Use header-based API key auth for models requests.
+		req.Header.Set("x-goog-api-key", p.apiKey)
 
 		// Preserve request tracing across list-models requests.
 		requestID := req.Header.Get("X-Request-Id")
diff --git a/internal/providers/gemini/gemini_test.go b/internal/providers/gemini/gemini_test.go
@@ -333,9 +333,9 @@ func TestListModels(t *testing.T) {
 					t.Errorf("Path = %q, want %q", r.URL.Path, "/models")
 				}
 
-				apiKey := r.URL.Query().Get("key")
+				apiKey := r.Header.Get("x-goog-api-key")
 				if apiKey == "" {
-					t.Error("API key should be in query parameter 'key'")
+					t.Error("API key should be in x-goog-api-key header")
 				}
 
 				w.WriteHeader(tt.statusCode)
diff --git a/tests/contract/gemini_test.go b/tests/contract/gemini_test.go
@@ -81,6 +81,10 @@ func TestGeminiReplayListModels(t *testing.T) {
 }
 
 func TestGeminiReplayResponses(t *testing.T) {
+	if !goldenFileExists(t, "golden/gemini/responses.golden.json") {
+		t.Fatalf("missing golden file golden/gemini/responses.golden.json; run `make record-api` then `RECORD=1 go test -v -tags=contract -timeout=5m ./tests/contract/...`")
+	}
+
 	provider := newGeminiReplayProvider(t, map[string]replayRoute{
 		replayKey(http.MethodPost, "/chat/completions"): jsonFixtureRoute(t, "gemini/chat_completion.json"),
 	})
diff --git a/tests/contract/replay_harness_test.go b/tests/contract/replay_harness_test.go
@@ -35,11 +35,6 @@ func (rt *replayTransport) RoundTrip(req *http.Request) (*http.Response, error)
 
 	key := replayKey(req.Method, req.URL.RequestURI())
 	route, ok := rt.routes[key]
-	if !ok && req.URL.RawQuery != "" {
-		// Allow path-only route keys to match requests with query params.
-		key = replayKey(req.Method, req.URL.Path)
-		route, ok = rt.routes[key]
-	}
 	if !ok {
 		notFoundBody := []byte(fmt.Sprintf(`{"error":{"message":"missing replay route: %s"}}`, key))
 		return &http.Response{
@@ -140,7 +135,12 @@ func parseSSEEvents(t *testing.T, raw []byte) []sseEvent {
 		case strings.HasPrefix(line, "event:"):
 			currentName = strings.TrimSpace(strings.TrimPrefix(line, "event:"))
 		case strings.HasPrefix(line, "data:"):
-			dataLines = append(dataLines, strings.TrimSpace(strings.TrimPrefix(line, "data:")))
+			data := strings.TrimPrefix(line, "data:")
+			if strings.HasPrefix(data, " ") {
+				// Per SSE format, a single optional space may follow the colon.
+				data = data[1:]
+			}
+			dataLines = append(dataLines, data)
 		}
 	}
 	require.NoError(t, scanner.Err())

Original file line number	Diff line number	Diff line change
`@@ -333,9 +333,9 @@ func TestListModels(t *testing.T) {`
`333`	`333`	`t.Errorf("Path = %q, want %q", r.URL.Path, "/models")`
`334`	`334`	`}`
`335`	`335`
`336`		`- apiKey := r.URL.Query().Get("key")`
	`336`	`+ apiKey := r.Header.Get("x-goog-api-key")`
`337`	`337`	`if apiKey == "" {`
`338`		`- t.Error("API key should be in query parameter 'key'")`
	`338`	`+ t.Error("API key should be in x-goog-api-key header")`
`339`	`339`	`}`
`340`	`340`
`341`	`341`	`w.WriteHeader(tt.statusCode)`