Add API Key Authentication for Copilot (#328)

Author: MikeAlhayek

src/Modules/CrestApps.OrchardCore.AI.Chat.Copilot/Drivers/AIProfileCopilotDisplayDriver.cs

@@ -1,5 +1,6 @@
 using CrestApps.OrchardCore.AI.Chat.Copilot.Models;
 using CrestApps.OrchardCore.AI.Chat.Copilot.Services;
+using CrestApps.OrchardCore.AI.Chat.Copilot.Settings;
 using CrestApps.OrchardCore.AI.Chat.Copilot.ViewModels;
 using CrestApps.OrchardCore.AI.Models;
 using Microsoft.AspNetCore.Http;
@@ -9,6 +10,7 @@
 using OrchardCore.DisplayManagement.Handlers;
 using OrchardCore.DisplayManagement.Views;
 using OrchardCore.Entities;
+using OrchardCore.Settings;
 using USR = OrchardCore.Users;
 
 namespace CrestApps.OrchardCore.AI.Chat.Copilot.Drivers;
@@ -18,18 +20,21 @@ internal sealed class AIProfileCopilotDisplayDriver : DisplayDriver<AIProfile>
     private readonly GitHubOAuthService _oauthService;
     private readonly UserManager<USR.IUser> _userManager;
     private readonly IHttpContextAccessor _httpContextAccessor;
+    private readonly ISiteService _siteService;
 
     internal readonly IStringLocalizer S;
 
     public AIProfileCopilotDisplayDriver(
         GitHubOAuthService oauthService,
         UserManager<USR.IUser> userManager,
         IHttpContextAccessor httpContextAccessor,
+        ISiteService siteService,
         IStringLocalizer<AIProfileCopilotDisplayDriver> stringLocalizer)
     {
         _oauthService = oauthService;
         _userManager = userManager;
         _httpContextAccessor = httpContextAccessor;
+        _siteService = siteService;
         S = stringLocalizer;
     }
 
@@ -42,29 +47,40 @@ public override IDisplayResult Edit(AIProfile profile, BuildEditorContext contex
             model.CopilotModel = copilotSettings.CopilotModel;
             model.IsAllowAll = copilotSettings.IsAllowAll;
 
-            // Check if current user has authenticated with GitHub
-            var user = await _userManager.GetUserAsync(_httpContextAccessor.HttpContext?.User);
-            if (user != null)
+            // Load site-level settings to determine auth mode.
+            var siteSettings = await _siteService.GetSettingsAsync<CopilotSettings>();
+            model.AuthenticationType = siteSettings.AuthenticationType;
+
+            if (siteSettings.AuthenticationType == CopilotAuthenticationType.ApiKey)
+            {
+                // BYOK mode — no GitHub auth needed; model is a text input.
+                model.AvailableModels = [];
+            }
+            else
             {
-                var userId = await _userManager.GetUserIdAsync(user);
-                model.IsAuthenticated = await _oauthService.IsAuthenticatedAsync(userId);
-                if (model.IsAuthenticated)
+                // GitHub OAuth mode — check auth and load models from GitHub API.
+                var user = await _userManager.GetUserAsync(_httpContextAccessor.HttpContext?.User);
+                if (user != null)
                 {
-                    var credential = await _oauthService.GetCredentialAsync(userId);
-                    model.GitHubUsername = credential?.GitHubUsername;
-
-                    // Load available models dynamically from GitHub API.
-                    var models = await _oauthService.ListModelsAsync(userId);
-                    if (models.Count > 0)
+                    var userId = await _userManager.GetUserIdAsync(user);
+                    model.IsAuthenticated = await _oauthService.IsAuthenticatedAsync(userId);
+                    if (model.IsAuthenticated)
                     {
-                        model.AvailableModels = models
-                            .Select(m => new SelectListItem(m.Name, m.Id))
-                            .ToList();
+                        var credential = await _oauthService.GetCredentialAsync(userId);
+                        model.GitHubUsername = credential?.GitHubUsername;
+
+                        var models = await _oauthService.ListModelsAsync(userId);
+                        if (models.Count > 0)
+                        {
+                            model.AvailableModels = models
+                                .Select(m => new SelectListItem(m.Name, m.Id))
+                                .ToList();
+                        }
                     }
                 }
-            }
 
-            model.AvailableModels ??= [];
+                model.AvailableModels ??= [];
+            }
         }).Location("Content:3.5");
     }
 
@@ -83,20 +99,25 @@ public override async Task<IDisplayResult> UpdateAsync(AIProfile profile, Update
                 IsAllowAll = model.IsAllowAll,
             };
 
-            // Copy the current user's GitHub credential to the profile so
-            // any chat session using this profile can reuse the token.
-            var user = await _userManager.GetUserAsync(_httpContextAccessor.HttpContext?.User);
-            if (user is not null)
-            {
-                var userId = await _userManager.GetUserIdAsync(user);
-                var credentials = await _oauthService.GetProtectedCredentialsAsync(userId);
+            var siteSettings = await _siteService.GetSettingsAsync<CopilotSettings>();
 
-                if (credentials is not null)
+            if (siteSettings.AuthenticationType == CopilotAuthenticationType.GitHubOAuth)
+            {
+                // Copy the current user's GitHub credential to the profile so
+                // any chat session using this profile can reuse the token.
+                var user = await _userManager.GetUserAsync(_httpContextAccessor.HttpContext?.User);
+                if (user is not null)
                 {
-                    copilotSettings.GitHubUsername = credentials.GitHubUsername;
-                    copilotSettings.ProtectedAccessToken = credentials.ProtectedAccessToken;
-                    copilotSettings.ProtectedRefreshToken = credentials.ProtectedRefreshToken;
-                    copilotSettings.ExpiresAt = credentials.ExpiresAt;
+                    var userId = await _userManager.GetUserIdAsync(user);
+                    var credentials = await _oauthService.GetProtectedCredentialsAsync(userId);
+
+                    if (credentials is not null)
+                    {
+                        copilotSettings.GitHubUsername = credentials.GitHubUsername;
+                        copilotSettings.ProtectedAccessToken = credentials.ProtectedAccessToken;
+                        copilotSettings.ProtectedRefreshToken = credentials.ProtectedRefreshToken;
+                        copilotSettings.ExpiresAt = credentials.ExpiresAt;
+                    }
                 }
             }
 

src/Modules/CrestApps.OrchardCore.AI.Chat.Copilot/Drivers/ChatInteractionCopilotDisplayDriver.cs

@@ -1,5 +1,6 @@
 using CrestApps.OrchardCore.AI.Chat.Copilot.Models;
 using CrestApps.OrchardCore.AI.Chat.Copilot.Services;
+using CrestApps.OrchardCore.AI.Chat.Copilot.Settings;
 using CrestApps.OrchardCore.AI.Chat.Copilot.ViewModels;
 using CrestApps.OrchardCore.AI.Models;
 using Microsoft.AspNetCore.Http;
@@ -9,6 +10,7 @@
 using OrchardCore.DisplayManagement.Handlers;
 using OrchardCore.DisplayManagement.Views;
 using OrchardCore.Entities;
+using OrchardCore.Settings;
 using OrchardCore.Users;
 
 namespace CrestApps.OrchardCore.AI.Chat.Copilot.Drivers;
@@ -18,18 +20,21 @@ internal sealed class ChatInteractionCopilotDisplayDriver : DisplayDriver<ChatIn
     private readonly GitHubOAuthService _oauthService;
     private readonly UserManager<IUser> _userManager;
     private readonly IHttpContextAccessor _httpContextAccessor;
+    private readonly ISiteService _siteService;
 
     internal readonly IStringLocalizer S;
 
     public ChatInteractionCopilotDisplayDriver(
         GitHubOAuthService oauthService,
         UserManager<IUser> userManager,
         IHttpContextAccessor httpContextAccessor,
+        ISiteService siteService,
         IStringLocalizer<ChatInteractionCopilotDisplayDriver> stringLocalizer)
     {
         _oauthService = oauthService;
         _userManager = userManager;
         _httpContextAccessor = httpContextAccessor;
+        _siteService = siteService;
         S = stringLocalizer;
     }
 
@@ -42,33 +47,45 @@ public override IDisplayResult Edit(ChatInteraction interaction, BuildEditorCont
             model.CopilotModel = copilotSettings.CopilotModel;
             model.IsAllowAll = copilotSettings.IsAllowAll;
 
-            // Only fetch auth/models when the orchestrator is actually Copilot.
-            if (string.Equals(interaction.OrchestratorName, CopilotOrchestrator.OrchestratorName, StringComparison.OrdinalIgnoreCase) &&
-                _httpContextAccessor.HttpContext?.User is not null)
-            {
-                var user = await _userManager.GetUserAsync(_httpContextAccessor.HttpContext.User);
+            // Load site-level settings to determine auth mode.
+            var siteSettings = await _siteService.GetSettingsAsync<CopilotSettings>();
+            model.AuthenticationType = siteSettings.AuthenticationType;
 
-                if (user is not null)
+            if (siteSettings.AuthenticationType == CopilotAuthenticationType.ApiKey)
+            {
+                // BYOK mode — no GitHub auth needed.
+                model.AvailableModels = [];
+            }
+            else
+            {
+                // GitHub OAuth mode — only fetch auth/models when the orchestrator is Copilot.
+                if (string.Equals(interaction.OrchestratorName, CopilotOrchestrator.OrchestratorName, StringComparison.OrdinalIgnoreCase) &&
+                    _httpContextAccessor.HttpContext?.User is not null)
                 {
-                    var userId = await _userManager.GetUserIdAsync(user);
-                    model.IsAuthenticated = await _oauthService.IsAuthenticatedAsync(userId);
-                    if (model.IsAuthenticated)
-                    {
-                        var credential = await _oauthService.GetCredentialAsync(userId);
-                        model.GitHubUsername = credential?.GitHubUsername;
+                    var user = await _userManager.GetUserAsync(_httpContextAccessor.HttpContext.User);
 
-                        var models = await _oauthService.ListModelsAsync(userId);
-                        if (models.Count > 0)
+                    if (user is not null)
+                    {
+                        var userId = await _userManager.GetUserIdAsync(user);
+                        model.IsAuthenticated = await _oauthService.IsAuthenticatedAsync(userId);
+                        if (model.IsAuthenticated)
                         {
-                            model.AvailableModels = models
-                                .Select(m => new SelectListItem(m.Name, m.Id))
-                                .ToList();
+                            var credential = await _oauthService.GetCredentialAsync(userId);
+                            model.GitHubUsername = credential?.GitHubUsername;
+
+                            var models = await _oauthService.ListModelsAsync(userId);
+                            if (models.Count > 0)
+                            {
+                                model.AvailableModels = models
+                                    .Select(m => new SelectListItem(m.Name, m.Id))
+                                    .ToList();
+                            }
                         }
                     }
                 }
-            }
 
-            model.AvailableModels ??= [];
+                model.AvailableModels ??= [];
+            }
         }).Location("Parameters:4#Settings;1");
     }
 }

src/Modules/CrestApps.OrchardCore.AI.Chat.Copilot/Drivers/CopilotSettingsDisplayDriver.cs

@@ -1,10 +1,12 @@
+using CrestApps.OrchardCore.AI.Chat.Copilot.Models;
 using CrestApps.OrchardCore.AI.Chat.Copilot.Settings;
 using CrestApps.OrchardCore.AI.Chat.Copilot.ViewModels;
 using CrestApps.OrchardCore.AI.Core;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Localization;
+using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.Localization;
 using OrchardCore.DisplayManagement.Entities;
@@ -48,12 +50,41 @@ public override IDisplayResult Edit(ISite site, CopilotSettings settings, BuildE
     {
         return Initialize<CopilotSettingsViewModel>("CopilotSettings_Edit", model =>
         {
+            model.AuthenticationType = settings.AuthenticationType;
             model.ClientId = settings.ClientId;
             model.HasSecret = !string.IsNullOrWhiteSpace(settings.ProtectedClientSecret);
             model.ComputedCallbackUrl = _linkGenerator.GetUriByAction(_httpContextAccessor.HttpContext, "OAuthCallback", "CopilotAuth", new
             {
                 area = "CrestApps.OrchardCore.AI.Chat.Copilot",
             });
+
+            // BYOK fields
+            model.ProviderType = settings.ProviderType;
+            model.BaseUrl = settings.BaseUrl;
+            model.HasApiKey = !string.IsNullOrWhiteSpace(settings.ProtectedApiKey);
+            model.WireApi = settings.WireApi ?? "completions";
+            model.DefaultModel = settings.DefaultModel;
+            model.AzureApiVersion = settings.AzureApiVersion;
+
+            // Select list options
+            model.AuthenticationTypes =
+            [
+                new SelectListItem(S["GitHub Signed-in User"], nameof(CopilotAuthenticationType.GitHubOAuth)),
+                new SelectListItem(S["API Key (BYOK)"], nameof(CopilotAuthenticationType.ApiKey)),
+            ];
+
+            model.ProviderTypes =
+            [
+                new SelectListItem(S["OpenAI / OpenAI-compatible (Ollama, vLLM, etc.)"], "openai"),
+                new SelectListItem(S["Azure OpenAI"], "azure"),
+                new SelectListItem(S["Anthropic"], "anthropic"),
+            ];
+
+            model.WireApiOptions =
+            [
+                new SelectListItem(S["Chat Completions (default)"], "completions"),
+                new SelectListItem(S["Responses (GPT-5 series)"], "responses"),
+            ];
         })
         .Location("Content:8%Copilot;1")
         .OnGroup(SettingsGroupId)
@@ -66,24 +97,70 @@ public override async Task<IDisplayResult> UpdateAsync(ISite site, CopilotSettin
 
         await context.Updater.TryUpdateModelAsync(model, Prefix);
 
-        settings.ClientId = model.ClientId;
+        settings.AuthenticationType = model.AuthenticationType;
 
-        // Validate that client ID and secret are provided
-        if (string.IsNullOrWhiteSpace(settings.ClientId))
+        if (settings.AuthenticationType == CopilotAuthenticationType.GitHubOAuth)
         {
-            context.Updater.ModelState.AddModelError(nameof(model.ClientId), S["Client ID is required."]);
-        }
+            // GitHub OAuth validation
+            settings.ClientId = model.ClientId;
 
-        // Only update the secret if a new one was provided
-        if (!string.IsNullOrWhiteSpace(model.ClientSecret))
-        {
-            var protector = _dataProtectionProvider.CreateProtector(ProtectorPurpose);
-            settings.ProtectedClientSecret = protector.Protect(model.ClientSecret);
+            if (string.IsNullOrWhiteSpace(settings.ClientId))
+            {
+                context.Updater.ModelState.AddModelError(nameof(model.ClientId), S["Client ID is required."]);
+            }
+
+            if (!string.IsNullOrWhiteSpace(model.ClientSecret))
+            {
+                var protector = _dataProtectionProvider.CreateProtector(ProtectorPurpose);
+                settings.ProtectedClientSecret = protector.Protect(model.ClientSecret);
+            }
+            else if (string.IsNullOrWhiteSpace(settings.ProtectedClientSecret))
+            {
+                context.Updater.ModelState.AddModelError(nameof(model.ClientSecret), S["Client Secret is required."]);
+            }
         }
-        else if (string.IsNullOrWhiteSpace(settings.ProtectedClientSecret))
+        else
         {
-            // No existing secret and no new secret provided
-            context.Updater.ModelState.AddModelError(nameof(model.ClientSecret), S["Client Secret is required."]);
+            // BYOK (API Key) validation
+            settings.ProviderType = model.ProviderType;
+            settings.BaseUrl = model.BaseUrl;
+            settings.WireApi = model.WireApi;
+            settings.DefaultModel = model.DefaultModel;
+            settings.AzureApiVersion = model.AzureApiVersion;
+
+            if (string.IsNullOrWhiteSpace(settings.ProviderType))
+            {
+                context.Updater.ModelState.AddModelError(nameof(model.ProviderType), S["Provider Type is required."]);
+            }
+
+            if (string.IsNullOrWhiteSpace(settings.BaseUrl))
+            {
+                context.Updater.ModelState.AddModelError(nameof(model.BaseUrl), S["Base URL is required."]);
+            }
+
+            if (string.IsNullOrWhiteSpace(settings.DefaultModel))
+            {
+                context.Updater.ModelState.AddModelError(nameof(model.DefaultModel), S["Default Model is required."]);
+            }
+
+            if (!string.IsNullOrWhiteSpace(model.ApiKey))
+            {
+                var protector = _dataProtectionProvider.CreateProtector(ProtectorPurpose);
+                settings.ProtectedApiKey = protector.Protect(model.ApiKey);
+            }
+
+            if (string.Equals(settings.ProviderType, "azure", StringComparison.OrdinalIgnoreCase)
+                && string.IsNullOrWhiteSpace(settings.AzureApiVersion))
+            {
+                context.Updater.ModelState.AddModelError(nameof(model.AzureApiVersion), S["Azure API Version is required for Azure provider."]);
+            }
+
+            if (string.Equals(settings.ProviderType, "azure", StringComparison.OrdinalIgnoreCase)
+                && string.IsNullOrWhiteSpace(model.ApiKey)
+                && string.IsNullOrWhiteSpace(settings.ProtectedApiKey))
+            {
+                context.Updater.ModelState.AddModelError(nameof(model.ApiKey), S["API Key is required for Azure provider."]);
+            }
         }
 
         return await EditAsync(site, settings, context);

src/Modules/CrestApps.OrchardCore.AI.Chat.Copilot/Models/CopilotAuthenticationType.cs

@@ -0,0 +1,19 @@
+namespace CrestApps.OrchardCore.AI.Chat.Copilot.Models;
+
+/// <summary>
+/// Specifies the authentication method used by the Copilot orchestrator.
+/// </summary>
+public enum CopilotAuthenticationType
+{
+    /// <summary>
+    /// Users authenticate via GitHub OAuth.
+    /// Requires a GitHub Copilot subscription.
+    /// </summary>
+    GitHubOAuth,
+
+    /// <summary>
+    /// Bring Your Own Key — uses a provider API key configured by the tenant owner.
+    /// No GitHub Copilot subscription required.
+    /// </summary>
+    ApiKey,
+}