From 2540ba990e9ea7ec2f18331b37319a85f6ecde2c Mon Sep 17 00:00:00 2001
From: Marcelo Trylesinski
Date: Tue, 4 Nov 2025 09:39:26 +0100
Subject: [PATCH] Check if header starts with paig on both headers
---
 gateway/src/auth.ts | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/gateway/src/auth.ts b/gateway/src/auth.ts
index e83a348..3eeca3c 100644
--- a/gateway/src/auth.ts
+++ b/gateway/src/auth.ts
@@ -12,12 +12,19 @@ export async function apiKeyAuth(
 const authorization = request.headers.get('authorization')
 const xApiKey = request.headers.get('x-api-key')
+ let authHeader: string | null = null
 if (authorization && xApiKey) {
- throw new ResponseError(401, 'Unauthorized - Both Authorization and X-API-Key headers are present, use only one')
+ if (startsWithPaig(authorization) && !startsWithPaig(xApiKey)) {
+ authHeader = authorization
+ } else if (!startsWithPaig(authorization) && startsWithPaig(xApiKey)) {
+ authHeader = xApiKey
+ } else {
+ throw new ResponseError(401, 'Unauthorized - Both Authorization and X-API-Key headers are present, use only one')
+ }
+ } else {
+ authHeader = authorization || xApiKey
 }
- const authHeader = authorization || xApiKey
-
 let key: string
 if (authHeader) {
 if (authHeader.toLowerCase().startsWith('bearer ')) {
@@ -84,3 +91,6 @@ export async function changeProjectState(project: number, options: Pick `apiKeyAuth:${kvVersion}:${key}`
 const projectStateCacheKey = (project: number, kvVersion: string) => `projectState:${kvVersion}:${project}`
+
+const startsWithPaig = (headerValue: string | null): headerValue is 'Bearer paig' | 'paig' =>
+ headerValue?.startsWith('Bearer paig') || headerValue?.startsWith('paig') || false
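Review bot: The new both-headers branch in `apiKeyAuth` selects the header that carries a `paig` key and silently ignores the other one, with no comment saying what happens to the ignored value. That other header is presumably a credential meant for a different party; if the request's headers are later forwarded upstream (not visible in this hunk), it would travel along unchanged, so confirm it is dropped or replaced before proxying. I would add above the first `startsWithPaig` check a comment such as `// Both headers set: use the one holding a gateway key (paig prefix); the other is ignored here, confirm it is stripped before proxying`. The final `else` now also covers "both headers carry a paig key" and "neither does", which deserves a test for each. The body of `apiKeyAuth` starts before and continues past this hunk.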
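Review bot: `startsWithPaig` matches the scheme case-sensitively (`'Bearer paig'`), while `apiKeyAuth` strips it with `authHeader.toLowerCase().startsWith('bearer ')`. As a result `authorization: bearer paig…` is accepted on its own, but is not recognised as a gateway key once `x-api-key` is also present, and the request ends in the 401 branch or is authenticated with the other header. The type predicate `headerValue is 'Bearer paig' | 'paig'` also asserts literal types that a prefix match does not establish; a plain `boolean` return is the accurate signature. Suggested replacement: `const startsWithPaig = (headerValue: string): boolean => headerValue.replace(/^bearer /i, '').startsWith('paig')`.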