feat: implement AuthProviderManager for multi-provider support #1021

Open
jhawpetoss6-collab wants to merge 1 commit into massgen:main from jhawpetoss6-collab:strike/multi-provider-auth-support

@jhawpetoss6-collab commented Mar 24, 2026

This PR introduces the AuthProviderManager to MassGen, enabling robust management of API credentials across different model providers (#1021).

Changes:

  • Added AuthProviderManager in massgen/auth/.
  • Support for dynamic credential retrieval based on provider type.
  • Infrastructure for session-based authentication.

/claim #1021

Summary by CodeRabbit

  • New Features
    • Enhanced authentication infrastructure to support managing API credentials securely across multiple authentication providers through environment configuration
    • Introduced session token validation mechanism to strengthen security verification and enable proper user session management across the platform

coderabbitai bot commented Mar 24, 2026

Walkthrough

A new authentication manager module is introduced with a static class providing two entry points: one for retrieving provider API credentials from environment variables and another for session token validation.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Auth Provider Manager: massgen/auth/AuthProviderManager.py | New AuthProviderManager class with get_credentials() method that retrieves API keys from environment variables using the pattern {PROVIDER}_API_KEY, and validate_session() method that performs basic token validation. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 3

❌ Failed checks (3 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description includes a brief summary and change list, but lacks required sections like Type of change, Checklist, Pre-commit status, How to Test, and Expected Results from the template. | Add missing template sections: mark the Type of change checkbox, complete the Checklist, provide Pre-commit status output, and include How to Test with test commands and Expected Results. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Documentation Updated | ⚠️ Warning | PR introduces AuthProviderManager without required Google-style docstrings, return type hints, design documentation, or user-facing configuration guidance. | Add Google-style docstrings and return type hints to methods. Create design document in docs/dev_notes/. Update user documentation for authentication configuration. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly describes the main change: implementing AuthProviderManager for multi-provider support, which aligns well with the added module and its purpose. |
| Capabilities Registry Check | ✅ Passed | AuthProviderManager addition is authentication infrastructure, not a backend or model capability change requiring capabilities registry updates. |
| Config Parameter Sync | ✅ Passed | The custom check for "Config Parameter Sync" is not applicable to this pull request. This PR only adds Python code with no new YAML parameters or configuration files. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
massgen/auth/AuthProviderManager.py (1)

3-12: Consider integration strategy with existing backends.

The relevant code snippets show that oai.py, gemini.py, and claude_computer_use_tool.py already read their respective API keys directly via os.getenv(). This new manager duplicates that pattern but won't be used by existing code paths until those backends are refactored.

Consider documenting the migration plan or updating at least one backend to use AuthProviderManager.get_credentials() as a reference implementation. Otherwise, callers may be confused about which approach to use.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@massgen/auth/AuthProviderManager.py` around lines 3 - 12,
AuthProviderManager.get_credentials currently duplicates existing
direct-os.getenv usage and won't be picked up unless backends are refactored;
add a short migration note in the class docstring describing the intended
migration plan (replace direct os.getenv in oai.py, gemini.py,
claude_computer_use_tool.py) and update one backend (preferably oai.py) to call
AuthProviderManager.get_credentials("openai") instead of reading os.getenv
directly so there is a concrete reference implementation; ensure the backend
removes its direct env var access and uses the returned value (and logs a clear
message if missing) to demonstrate the new integration path.

📥 Commits

Reviewing files that changed from the base of the PR and between 2a8dea7 and 78e407f.

📒 Files selected for processing (1)
  • massgen/auth/AuthProviderManager.py

Comment on lines +8 to +12
@staticmethod
def get_credentials(provider: str):
print(f"Retrieving credentials for provider: {provider}")
env_var = f"{provider.upper()}_API_KEY"
return os.getenv(env_var)

⚠️ Potential issue | 🟡 Minor

Missing docstring, return type hint, and inappropriate print() statement.

Per coding guidelines, new functions require Google-style docstrings. Additionally:

  • Missing return type hint (-> Optional[str])
  • print() should be replaced with proper logging (e.g., logging.debug()) to avoid polluting stdout in production and to respect log level configuration
Proposed fix
+import logging
 import os
 
+logger = logging.getLogger(__name__)
+
 class AuthProviderManager:
     """
     Manager for multi-provider authentication.
     Handles credential retrieval for Anthropic, OpenAI, and Gemini.
     """
     `@staticmethod`
-    def get_credentials(provider: str):
-        print(f"Retrieving credentials for provider: {provider}")
+    def get_credentials(provider: str) -> str | None:
+        """Retrieve API credentials for the specified provider.
+
+        Args:
+            provider: The provider name (e.g., "openai", "anthropic", "gemini").
+
+        Returns:
+            The API key from the environment variable, or None if not set.
+        """
+        logger.debug("Retrieving credentials for provider: %s", provider)
         env_var = f"{provider.upper()}_API_KEY"
         return os.getenv(env_var)
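
Review bot: In get_credentials, provider still goes straight into f"{provider.upper()}_API_KEY" with no check against the providers the class docstring names (Anthropic, OpenAI, Gemini), so any caller-supplied string selects an arbitrary *_API_KEY environment variable. Suggest checking provider against a fixed set of names and raising ValueError for anything else before env_var is built. The new logger.debug call records only the provider name, which is right; keep the returned key out of any log call added later. Separately, the hunk annotates the return as str | None while the comment text asks for Optional[str]; settle on one, noting that str | None as a runtime annotation needs Python 3.10 or later.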

As per coding guidelines: "For new or changed functions, include Google-style docstrings" and "Type hints where appropriate".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@massgen/auth/AuthProviderManager.py` around lines 8 - 12, The get_credentials
static method is missing a Google-style docstring, a return type hint, and uses
print() instead of logging; update the function signature to include a return
type hint (-> Optional[str]), add a Google-style docstring describing parameters
and return value, replace the print(f"Retrieving credentials for provider:
{provider}") with logging.debug(...) and ensure typing.Optional is imported (or
referenced) and logging is configured/imported so get_credentials(provider: str)
returns Optional[str] and logs at debug level.

Comment on lines +14 to +17
@staticmethod
def validate_session(token: str):
# Logic to validate session-based auth
return True

⚠️ Potential issue | 🟠 Major

Security risk: stub always returns True; also missing docstring and return type.

This method unconditionally returns True, which is dangerous if called in production—it would accept any token as valid. Consider either:

  1. Raising NotImplementedError to prevent accidental use until implemented
  2. Adding a prominent warning/TODO and ensuring this isn't wired into any auth flow yet

Also missing Google-style docstring and return type hint (-> bool).

Proposed fix (raise until implemented)
     `@staticmethod`
-    def validate_session(token: str):
-        # Logic to validate session-based auth
-        return True
+    def validate_session(token: str) -> bool:
+        """Validate a session-based authentication token.
+
+        Args:
+            token: The session token to validate.
+
+        Returns:
+            True if the token is valid, False otherwise.
+
+        Raises:
+            NotImplementedError: Session validation is not yet implemented.
+        """
+        # TODO: Implement actual session validation logic
+        raise NotImplementedError("Session validation is not yet implemented")
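
Review bot: The added docstring's Returns section ("True if the token is valid, False otherwise.") describes behaviour the body does not have, since the only statement left is raise NotImplementedError(...). Until validation exists, drop or reword the Returns section so callers do not code against a boolean result, and say in the docstring that a caller must treat the exception as a rejected session rather than catching it and continuing. The TODO comment would also be more useful with a reference to the tracking issue.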

As per coding guidelines: "For new or changed functions, include Google-style docstrings".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@massgen/auth/AuthProviderManager.py` around lines 14 - 17, The
validate_session method currently always returns True which is unsafe; change
its signature to include a return type hint (-> bool), add a Google-style
docstring describing expected behavior and parameters, and instead of returning
True either raise NotImplementedError to prevent accidental use (preferred) or
add a prominent TODO/warning and ensure callers won't use it; update the
function body in AuthProviderManager.validate_session to raise
NotImplementedError with a clear message until a real implementation is
provided.
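
A pre-merge check for the failure mode flagged above, as an added example that is not part of this PR or of the review: a heuristic AST scan that reports check-like functions whose only possible outcome is `return True`. The name prefixes in `PREFIXES` and the `validate_length` function in the sample are assumptions made for illustration.

```python
import ast

# Constructed sample: the stub from this PR next to a validator with a real check.
SAMPLE = '''
class AuthProviderManager:
    @staticmethod
    def validate_session(token: str):
        # Logic to validate session-based auth
        return True

    @staticmethod
    def validate_length(token: str) -> bool:
        if len(token) < 32:
            return False
        return True
'''

NESTED = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda, ast.ClassDef)
PREFIXES = ("validate", "verify", "authenticate", "is_valid")  # assumed naming convention


def _own_nodes(func):
    """Yield the nodes of func, skipping nested functions and classes."""
    stack = list(ast.iter_child_nodes(func))
    while stack:
        node = stack.pop()
        if isinstance(node, NESTED):
            continue
        yield node
        stack.extend(ast.iter_child_nodes(node))


def always_true_validators(source):
    """Return (name, line) for check-like functions whose only outcome is True."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if not func.name.startswith(PREFIXES):
            continue
        own = list(_own_nodes(func))
        returns = [n for n in own if isinstance(n, ast.Return)]
        can_raise = any(isinstance(n, ast.Raise) for n in own)
        all_true = bool(returns) and all(
            isinstance(r.value, ast.Constant) and r.value.value is True for r in returns
        )
        # Flag only when the body ends in `return True` and nothing can reject.
        if all_true and not can_raise and isinstance(func.body[-1], ast.Return):
            findings.append((func.name, func.lineno))
    return findings
```

The scan does not follow calls, so a function that delegates rejection to a callee that raises is still reported and needs a manual look.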
