feat: add Authorization header support

[JounQin]

close IDP-1291

Summary by CodeRabbit

• New Features

  • Automatically adds Authorization and origin headers to AI Assistant requests.

• Bug Fixes

  • Auto-logout on expired/unauthorized sessions for a smoother auth experience.
  • Prevents error display when no active session.

• Refactor

  • Simplified cloud origin options to Global and China only.
  • Improved internationalization by using translated labels for all origins.

• Chores

  • Updated release metadata to document Authorization header support.
  • Removed an API proxy route from dev configuration.

[changeset-bot]

🦋 Changeset detected

Latest commit: cf694c9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@alauda/doom	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Warning

Rate limit exceeded

@JounQin has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 16 minutes and 46 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between a7977fe and cf694c9.

📒 Files selected for processing (7)

• .changeset/metal-adults-greet.md (1 hunks)
• packages/doom/src/cli/load-config.ts (0 hunks)
• packages/doom/src/global/Intelligence/AIAssistant/Preamble/LoginForm/index.tsx (1 hunks)
• packages/doom/src/global/Intelligence/AIAssistant/index.tsx (3 hunks)
• packages/doom/src/global/Intelligence/constants.ts (0 hunks)
• packages/doom/src/global/Intelligence/context.tsx (2 hunks)
• packages/doom/src/global/Intelligence/types.ts (1 hunks)

Walkthrough

Adds a release changeset, removes a dev proxy route, localizes a radio label, removes a non-prod "local" auth origin, adds optional cloud auth token, and implements an x-fetch interceptor that injects Authorization and CLOUD_AUTH_ORIGIN for /smart/* requests and logs out on 401; adjusts session creation and error handling.

Changes

Cohort / File(s)	Summary
Release metadata .changeset/metal-adults-greet.md	Adds a changeset to bump @alauda/doom patch and document Authorization header support; no code changes.
Dev server proxy packages/doom/src/cli/load-config.ts	Removes /api/v1 → https://cloud.alauda.cn proxy mapping; keeps /smart/api → https://docs-dev.alauda.cn.
AIAssistant: interceptor & session flow packages/doom/src/global/Intelligence/AIAssistant/index.tsx	Registers an x-fetch ApiInterceptor for /smart/* that injects Authorization: Bearer {token} and CLOUD_AUTH_ORIGIN when absent, calls onLogout() on 401, removes manual auth headers from /smart/api/new_session call, and suppresses NetworkError UI when no active session; interceptor lifecycle managed with useEffect.
AIAssistant: login form localization packages/doom/src/global/Intelligence/AIAssistant/Preamble/LoginForm/index.tsx	Replaces hard-coded "Local" label with t(\customer_portal_${name}`)` for all origins and changes a Radio to self-closing JSX.
Cloud auth models & constants packages/doom/src/global/Intelligence/constants.ts, packages/doom/src/global/Intelligence/types.ts, packages/doom/src/global/Intelligence/context.tsx	Removes non-prod insertion of 'local' from CLOUD_AUTH_ORIGINS; narrows CloudAuthRegion.name to `'global'

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant UI as AIAssistant UI
  participant Hook as Auth useEffect
  participant XF as x-fetch (interceptors)
  participant API as /smart/api

  rect rgba(230,245,255,0.6)
  note over Hook: on authInfo / onLogout change
  Hook->>XF: interceptors.use(ApiInterceptor)
  note over XF: If request -> /smart/*\n• ensure Authorization: Bearer {token}\n• ensure CLOUD_AUTH_ORIGIN
  end

  UI->>API: POST /smart/api/new_session (no manual auth headers)
  XF-->>API: Request (headers injected)
  API-->>XF: 200 {sessionId} / 401
  alt 200 OK
    XF-->>UI: sessionId
  else 401 Unauthorized
    XF->>Hook: throw ResponseError(401)
    Hook->>UI: onLogout()
  end

Loading

sequenceDiagram
  autonumber
  participant UI as AIAssistant UI
  participant XF as x-fetch
  participant API as /smart/*

  UI->>API: Any /smart/* request
  XF-->>API: Adds auth/origin headers if missing
  API-->>XF: Error (network / 4xx / 5xx)
  alt No active session
    XF-->>UI: Error (suppressed NetworkError UI)
  else Active session
    XF-->>UI: Error surfaced to UI
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• alauda/doom#166 — modifies packages/doom/src/cli/load-config.ts (related proxy/config changes).

Suggested labels

feature

Poem

A rabbit taps keys with a whisker-wide grin,
Tokens now hop into headers — let auth begin! 🐇
The local burrow has closed its lid,
Two skies remain where tokens skid.
Interceptors guard and logout sings,
Patch bumped — onward, flappy wings!

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/auth_token

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[Copilot]

Pull Request Overview

This PR adds Authorization header support to the Intelligence AI Assistant by integrating authentication tokens into API requests. It removes local development environment support and consolidates cloud-based authentication.

• Adds interceptor to automatically include Authorization and CLOUD_AUTH_ORIGIN headers for API requests
• Removes local development environment configuration and related proxy settings
• Updates CloudAuth interface to include optional token field

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
types.ts	Removes 'local' from CloudAuthRegion name union type
context.tsx	Adds optional token field to CloudAuth interface and returns token in getCloudAuth
constants.ts	Removes local development environment configuration and imports
AIAssistant/index.tsx	Adds API interceptor for Authorization headers and error handling
LoginForm/index.tsx	Removes local-specific label handling and fixes JSX formatting
load-config.ts	Removes local API proxy configuration

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[pkg-pr-new]

Open in StackBlitz

yarn add https://pkg.pr.new/@alauda/doom@170.tgz

yarn add https://pkg.pr.new/@alauda/doom-export@170.tgz

commit: cf694c9

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

packages/doom/src/global/Intelligence/AIAssistant/index.tsx (1)

63-88: Fix TS error on err.response.status and remove unsafe non-null assertions in interceptor.

• Pipeline shows a TS error at Line 77; response can be undefined.
• Using authInfo! risks Bearer undefined and crashes when unauthenticated. This was raised previously; apply safe guards.

Apply this diff:

     const interceptor: ApiInterceptor = async (req, next) => {
       if (!req.url.startsWith('/smart/')) {
         return next(req)
       }
-      if (!req.headers.has('Authorization')) {
-        req.headers.set('Authorization', `Bearer ${authInfo!.token}`)
-      }
-      if (!req.headers.has('CLOUD_AUTH_ORIGIN')) {
-        req.headers.set('CLOUD_AUTH_ORIGIN', authInfo!.origin)
-      }
+      if (!req.headers.has('Authorization') && authInfo?.token) {
+        req.headers.set('Authorization', `Bearer ${authInfo.token}`)
+      }
+      if (!req.headers.has('CLOUD_AUTH_ORIGIN') && authInfo?.origin) {
+        req.headers.set('CLOUD_AUTH_ORIGIN', authInfo.origin)
+      }
       try {
         return await next(req)
       } catch (err) {
-        if (err instanceof ResponseError && err.response.status === 401) {
+        if (err instanceof ResponseError && err.response?.status === 401) {
           onLogout()
         }
         throw err
       }
     }

Optional: also treat 403 as logout depending on backend semantics.

🧹 Nitpick comments (1)

packages/doom/src/global/Intelligence/types.ts (1)

36-39: Derive region name type from the source of truth to avoid drift.

Hardcoding 'global' | 'china' can desync from CLOUD_AUTH_ORIGINS. Consider deriving the union from the constant.

-import interface CloudAuthRegion {
-  name: 'global' | 'china'
+export interface CloudAuthRegion {
+  name: typeof CLOUD_AUTH_ORIGINS[number]['name']
   value: string
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b5d07fd and 597355a.

📒 Files selected for processing (7)

• .changeset/metal-adults-greet.md (1 hunks)
• packages/doom/src/cli/load-config.ts (0 hunks)
• packages/doom/src/global/Intelligence/AIAssistant/Preamble/LoginForm/index.tsx (1 hunks)
• packages/doom/src/global/Intelligence/AIAssistant/index.tsx (3 hunks)
• packages/doom/src/global/Intelligence/constants.ts (0 hunks)
• packages/doom/src/global/Intelligence/context.tsx (2 hunks)
• packages/doom/src/global/Intelligence/types.ts (1 hunks)

💤 Files with no reviewable changes (2)

• packages/doom/src/cli/load-config.ts
• packages/doom/src/global/Intelligence/constants.ts

🧰 Additional context used

🧬 Code graph analysis (1)

packages/doom/src/global/Intelligence/context.tsx (1)

packages/doom/src/global/Intelligence/utils.ts (1)

• getAuthInfoFromToken (13-39)

🪛 GitHub Actions: CI

packages/doom/src/global/Intelligence/AIAssistant/index.tsx

[error] 77-77: TypeScript error reported at AIAssistant/index.tsx:77:45.

🔇 Additional comments (5)

.changeset/metal-adults-greet.md (1)

1-6: Changeset looks good.

Patch bump with concise note is fine. Optionally add “Closes IDP-1291” in the body for cross-linking.

packages/doom/src/global/Intelligence/context.tsx (1)

9-11: Token removal semantics verified
setLocalStorage already calls localStorage.removeItem(key) when value is null or undefined, so the token is cleared on logout as intended.

packages/doom/src/global/Intelligence/AIAssistant/Preamble/LoginForm/index.tsx (1)

147-153: i18n keys verified – customer_portal_global and customer_portal_china are defined in packages/doom/src/runtime/translation.ts (lines 28–29, 95–96, 155–156).

packages/doom/src/global/Intelligence/AIAssistant/index.tsx (2)

2-10: Imports update is appropriate.

---

186-188: Good guard to suppress spurious network error messaging.

Skipping the error message when no active session avoids confusing UX.