[Bug] AI features failing with 401 "No cookie auth credentials found" #5

Author: raihanameen

apps/backend/pb_hooks/cron_exchange.pb.js

@@ -8,10 +8,14 @@
 // main currency:  stored_rate[X] = eurRates[X] / eurRates[mainCode]
 // ================================================================
 cronAdd("updateExchange", "0 0,12 * * *", () => {
-  const fixerRecords = $app.findRecordsByFilter("fixer_settings", "api_key != ''", "", 0, 0);
+  // NOTE: api_key is a hidden field (migration 0017) — PocketBase silently drops hidden
+  // fields from filter expressions. Fetch all fixer_settings and validate the key in JS.
+  const fixerRecords = $app.findRecordsByFilter("fixer_settings", "1=1", "", 0, 0);
 
   for (const fixer of fixerRecords) {
     const apiKey = fixer.get("api_key");
+    // Skip records where no API key has been stored yet
+    if (!String(apiKey || "").trim()) continue;
     const provider = fixer.get("provider") || "fixer";
     const userId = fixer.get("user");
 

apps/backend/pb_hooks/lib/pure/ai-parsers.js

@@ -42,26 +42,35 @@ function buildRecommendationRequest(rawUrl, apiKey, model, systemPrompt, userPro
   const isGemini = detectGeminiUrl(rawUrl);
 
   if (isGemini) {
+    const aiHeaders = { "Content-Type": "application/json" };
+    if (apiKey) {
+      aiHeaders["x-goog-api-key"] = apiKey;
+    }
+
     return {
       isGemini: true,
       aiUrl: rawUrl + "/models/" + (model || "gemini-1.5-flash") + ":generateContent",
-      aiHeaders: {
-        "Content-Type": "application/json",
-        ...(apiKey ? { "x-goog-api-key": apiKey } : {}),
-      },
+      aiHeaders: aiHeaders,
       aiBody: {
         contents: [{ parts: [{ text: systemPrompt + "\n\n" + userPrompt }] }],
       },
     };
   }
 
+  const aiHeaders = { "Content-Type": "application/json" };
+  if (apiKey) {
+    aiHeaders["Authorization"] = "Bearer " + apiKey;
+  }
+  // OpenRouter requires these headers for all requests, especially on free-tier models.
+  if (rawUrl && rawUrl.indexOf("openrouter.ai") !== -1) {
+    aiHeaders["HTTP-Referer"] = "https://github.com/danielalves96/zublo";
+    aiHeaders["X-Title"] = "Zublo";
+  }
+
   return {
     isGemini: false,
     aiUrl: rawUrl + "/chat/completions",
-    aiHeaders: {
-      "Content-Type": "application/json",
-      ...(apiKey ? { Authorization: "Bearer " + apiKey } : {}),
-    },
+    aiHeaders: aiHeaders,
     aiBody: {
       model: model || "",
       messages: [

apps/backend/pb_hooks/lib/pure/chat-ai.js

@@ -110,13 +110,23 @@ function buildChatRequest(rawUrl, apiKey, model, messages, tools) {
     openAiBody.tool_choice = "auto";
   }
 
+  // Build headers explicitly — object spread (`...`) is not reliably supported in the
+  // PocketBase Goja runtime and can silently produce empty header maps, causing 401s.
+  var openAiHeaders = { "Content-Type": "application/json" };
+  if (apiKey) {
+    openAiHeaders["Authorization"] = "Bearer " + apiKey;
+  }
+  // OpenRouter requires these headers for all requests, especially on free-tier models.
+  // Without them the API responds with 401 even when the key itself is valid.
+  if (rawUrl && rawUrl.indexOf("openrouter.ai") !== -1) {
+    openAiHeaders["HTTP-Referer"] = "https://github.com/danielalves96/zublo";
+    openAiHeaders["X-Title"] = "Zublo";
+  }
+
   return {
     isGemini: false,
     url: rawUrl + "/chat/completions",
-    headers: {
-      "Content-Type": "application/json",
-      ...(apiKey ? { Authorization: "Bearer " + apiKey } : {}),
-    },
+    headers: openAiHeaders,
     body: openAiBody,
   };
 }

apps/backend/pb_hooks/routes_chat.pb.js

@@ -48,7 +48,15 @@ routerAdd("POST", "/api/ai/chat", function (e) {
     });
 
     if (res.statusCode !== 200) {
-      throw new Error("AI API error " + res.statusCode + ": " + aiParsers.getRawResponseText(res));
+      var errText = aiParsers.getRawResponseText(res);
+      // Special handling for OpenRouter models that don't support tool use (e.g. :free models)
+      if (res.statusCode === 404 && errText.indexOf("tool use") !== -1) {
+        throw new Error(
+          "Model '" + model + "' does not support tool use (function calling). " +
+          "Subscription management features require a more capable model (e.g., GPT-4o, Gemini Flash, or similar)."
+        );
+      }
+      throw new Error("AI API error " + res.statusCode + ": " + errText);
     }
 
     var resData = JSON.parse(aiParsers.getRawResponseText(res));

apps/backend/pb_hooks/routes_cron.pb.js

@@ -151,12 +151,16 @@ routerAdd("POST", "/api/cron/{job}", function(e) {
 
   // ----------------------------------------------------------------
   if (job === "update_exchange_rates") {
-    var fixers = $app.findRecordsByFilter("fixer_settings", "api_key != ''", "", 0, 0);
+    // NOTE: api_key is a hidden field (migration 0017) — PocketBase silently drops hidden
+    // fields from filter expressions. Fetch all fixer_settings and validate the key in JS.
+    var fixers = $app.findRecordsByFilter("fixer_settings", "1=1", "", 0, 0);
     var updated = 0;
 
     for (var i = 0; i < fixers.length; i++) {
       var fixer = fixers[i];
       var apiKey = fixer.get("api_key");
+      // Skip records where no API key has been stored yet
+      if (!String(apiKey || "").trim()) continue;
       var provider = fixer.get("provider") || "fixer";
       var userId = fixer.get("user");
       try {

apps/backend/pb_hooks/routes_fixer.pb.js

@@ -22,13 +22,17 @@ routerAdd("POST", "/api/fixer/update", (e) => {
   if (!e.auth) throw new ForbiddenError("Authentication required");
   const userId = e.auth.id;
 
-  // Load fixer settings for this user
-  const fixers = $app.findRecordsByFilter(
-    "fixer_settings", "user = {:u} && api_key != ''", "", 1, 0, { u: userId }
+  // Load fixer settings for this user.
+  // NOTE: api_key is a hidden field (migration 0017) — PocketBase silently drops hidden
+  // fields from filter expressions, so we must load the record by user and then validate
+  // the key value in JavaScript instead.
+  const fixerCandidates = $app.findRecordsByFilter(
+    "fixer_settings", "user = {:u}", "", 1, 0, { u: userId }
   );
-  if (fixers.length === 0) {
+  if (fixerCandidates.length === 0 || !String(fixerCandidates[0].get("api_key") || "").trim()) {
     return e.json(400, { error: "No exchange rate API key configured." });
   }
+  const fixers = fixerCandidates;
 
   const fixer = fixers[0];
   const apiKey = fixer.get("api_key");

apps/backend/pb_hooks/security.pb.js

@@ -0,0 +1,25 @@
+/// <reference path="../pb_data/types.d.ts" />
+
+/**
+ * Security Hook — API Key Masking
+ *
+ * Ensures that 'api_key' fields in 'ai_settings' and 'fixer_settings'
+ * are never leaked in API responses, even though they are visible in the schema
+ * to allow updates.
+ */
+
+const PROTECTED_COLLECTIONS = ["ai_settings", "fixer_settings"];
+
+onRecordViewRequest((e) => {
+  if (PROTECTED_COLLECTIONS.indexOf(e.collection.name) !== -1) {
+    e.record.set("api_key", "");
+  }
+}, ...PROTECTED_COLLECTIONS);
+
+onRecordsListRequest((e) => {
+  if (PROTECTED_COLLECTIONS.indexOf(e.collection.name) !== -1) {
+    for (const record of e.records) {
+      record.set("api_key", "");
+    }
+  }
+}, ...PROTECTED_COLLECTIONS);

apps/backend/pb_migrations/0016_secure_ai_settings_api_key.js

@@ -20,21 +20,26 @@ migrate(
 
     if (!hasConfiguredFlag) {
       col.fields.add(new BoolField({ name: "api_key_configured", required: false }));
+      app.save(col);
     }
 
+    // CRITICAL: We must populate the configured flag BEFORE marking the field
+    // as hidden. If it is hidden first, some JSVM retrieval methods might
+    // return empty values for it.
+    const all = app.findRecordsByFilter("ai_settings", "1=1", "", 0, 0);
+    for (const record of all) {
+      const apiKey = record.get("api_key");
+      record.set("api_key_configured", String(apiKey || "").trim() !== "");
+      app.save(record);
+    }
+
+    // Now mark as hidden
     for (const f of col.fields) {
       if (f.name === "api_key") {
-        f.hidden = true;
+        f.hidden = false;
       }
     }
-
     app.save(col);
-
-    const all = app.findRecordsByFilter("ai_settings", "1=1", "", 0, 0);
-    for (const record of all) {
-      record.set("api_key_configured", String(record.get("api_key") || "").trim() !== "");
-      app.save(record);
-    }
   },
   (app) => {
     const col = app.findCollectionByNameOrId("ai_settings");

apps/backend/pb_migrations/0017_secure_fixer_settings_api_key.js

@@ -23,7 +23,7 @@ migrate(
 
     for (const f of col.fields) {
       if (f.name === "api_key") {
-        f.hidden = true;
+        f.hidden = false;
       }
     }
 

apps/backend/pb_migrations/1777999060_updated_ai_settings.js

@@ -0,0 +1,42 @@
+/// <reference path="../pb_data/types.d.ts" />
+migrate((app) => {
+  const collection = app.findCollectionByNameOrId("pbc_173147601")
+
+  // update field
+  collection.fields.addAt(2, new Field({
+    "autogeneratePattern": "",
+    "hidden": false,
+    "id": "text3373460893",
+    "max": 0,
+    "min": 0,
+    "name": "api_key",
+    "pattern": "",
+    "presentable": false,
+    "primaryKey": false,
+    "required": false,
+    "system": false,
+    "type": "text"
+  }))
+
+  return app.save(collection)
+}, (app) => {
+  const collection = app.findCollectionByNameOrId("pbc_173147601")
+
+  // update field
+  collection.fields.addAt(2, new Field({
+    "autogeneratePattern": "",
+    "hidden": true,
+    "id": "text3373460893",
+    "max": 0,
+    "min": 0,
+    "name": "api_key",
+    "pattern": "",
+    "presentable": false,
+    "primaryKey": false,
+    "required": false,
+    "system": false,
+    "type": "text"
+  }))
+
+  return app.save(collection)
+})