fix sst/tts api key forwarding

Author: 0xGingi

api-docs.md

@@ -44,6 +44,10 @@ Generates a response from an AI model. This is the core endpoint for chat functi
 
 **Authentication**: Session or API Key
 
+Notes:
+- If you authenticate with a NanoChat API key (`Authorization: Bearer nc_...`) or a session cookie, the server will use your stored NanoGPT key or the server `NANOGPT_API_KEY`.
+- To pass a NanoGPT key directly, send it via `x-api-key` or `Authorization: Bearer <nanogpt_key>` (non-`nc_`).
+
 **Request Body**:
 ```json
 {
@@ -106,6 +110,10 @@ Proxies requests to NanoGPT TTS API for speech synthesis.
 
 **Authentication**: Session or API Key
 
+Notes:
+- If you authenticate with a NanoChat API key (`Authorization: Bearer nc_...`) or a session cookie, the server will use your stored NanoGPT key or the server `NANOGPT_API_KEY`.
+- To pass a NanoGPT key directly, send it via `x-api-key` or `Authorization: Bearer <nanogpt_key>` (non-`nc_`).
+
 **Request Body**:
 ```json
 {
@@ -134,6 +142,10 @@ Polls the status of an asynchronous TTS request.
 
 **Authentication**: Session or API Key
 
+Notes:
+- If you authenticate with a NanoChat API key (`Authorization: Bearer nc_...`) or a session cookie, the server will use your stored NanoGPT key or the server `NANOGPT_API_KEY`.
+- To pass a NanoGPT key directly, send it via `x-api-key` or `Authorization: Bearer <nanogpt_key>` (non-`nc_`).
+
 **Query Parameters**:
 - `runId`: (Required) The run ID returned by `/api/tts`.
 - `model`: (Required) The TTS model ID.
@@ -167,6 +179,10 @@ Proxies audio files to NanoGPT STT API for transcription.
 
 **Authentication**: Session or API Key
 
+Notes:
+- If you authenticate with a NanoChat API key (`Authorization: Bearer nc_...`) or a session cookie, the server will use your stored NanoGPT key or the server `NANOGPT_API_KEY`.
+- To pass a NanoGPT key directly, send it via `x-api-key` or `Authorization: Bearer <nanogpt_key>` (non-`nc_`).
+
 **Request Body** (FormData):
 - `audio`: Binary audio file (webm, mp4, etc).
 - `model`: "string (optional, default: 'Whisper-Large-V3')"

src/routes/api/stt/+server.ts

@@ -5,23 +5,39 @@ import { db } from '$lib/db';
 import { modelPerformanceStats } from '$lib/db/schema';
 import { eq, and, sql } from 'drizzle-orm';
 import { tryGetAuthenticatedUserId } from '$lib/backend/auth-utils';
+import { getUserKey } from '$lib/db/queries';
 
 const COST_PER_MINUTE: Record<string, number> = {
 	'Whisper-Large-V3': 0.01,
 	Wizper: 0.01,
 	'Elevenlabs-STT': 0.03,
 };
 
-const getApiKey = (request: Request): string | null => {
+const getExplicitNanoGPTKey = (request: Request): string | null => {
+	const headerKey = request.headers.get('x-api-key');
+	if (headerKey && !headerKey.startsWith('nc_')) {
+		return headerKey;
+	}
+
 	const authHeader = request.headers.get('Authorization');
 	if (authHeader?.startsWith('Bearer ')) {
 		const token = authHeader.slice(7).trim();
-		if (token.length > 0) {
+		if (token.length > 0 && !token.startsWith('nc_')) {
 			return token;
 		}
 	}
 
-	return request.headers.get('x-api-key') || env.NANOGPT_API_KEY || null;
+	return null;
+};
+
+const resolveNanoGPTKey = async (request: Request, userId?: string): Promise<string | null> => {
+	const explicitKey = getExplicitNanoGPTKey(request);
+	if (explicitKey) return explicitKey;
+
+	if (!userId) return null;
+
+	const userKey = await getUserKey(userId, 'nanogpt');
+	return userKey || env.NANOGPT_API_KEY || null;
 };
 
 export const POST: RequestHandler = async ({ request, fetch }) => {
@@ -43,10 +59,11 @@ export const POST: RequestHandler = async ({ request, fetch }) => {
 			formData.set('language', language);
 		}
 
-		const apiKey = getApiKey(request);
+		const userId = await tryGetAuthenticatedUserId(request);
+		const apiKey = await resolveNanoGPTKey(request, userId);
 
 		if (!apiKey) {
-			return json({ error: 'API key is required' }, { status: 401 });
+			return json({ error: 'Authentication required or NanoGPT API key missing' }, { status: 401 });
 		}
 
 		const start = Date.now();
@@ -82,7 +99,6 @@ export const POST: RequestHandler = async ({ request, fetch }) => {
 		// Track analytics asynchronously
 		(async () => {
 			try {
-				const userId = await tryGetAuthenticatedUserId(request);
 				if (userId) {
 					const durationMs = Date.now() - start;
 

src/routes/api/tts/+server.ts

@@ -5,6 +5,7 @@ import { db } from '$lib/db';
 import { modelPerformanceStats } from '$lib/db/schema';
 import { eq, and, sql } from 'drizzle-orm';
 import { tryGetAuthenticatedUserId } from '$lib/backend/auth-utils';
+import { getUserKey } from '$lib/db/queries';
 
 const COST_PER_1K_CHARS: Record<string, number> = {
 	'gpt-4o-mini-tts': 0.0125,
@@ -17,16 +18,31 @@ const COST_PER_1K_CHARS: Record<string, number> = {
 // Default to standard price if unknown
 const DEFAULT_COST = 0.015;
 
-const getApiKey = (request: Request): string | null => {
+const getExplicitNanoGPTKey = (request: Request): string | null => {
+	const headerKey = request.headers.get('x-api-key');
+	if (headerKey && !headerKey.startsWith('nc_')) {
+		return headerKey;
+	}
+
 	const authHeader = request.headers.get('Authorization');
 	if (authHeader?.startsWith('Bearer ')) {
 		const token = authHeader.slice(7).trim();
-		if (token.length > 0) {
+		if (token.length > 0 && !token.startsWith('nc_')) {
 			return token;
 		}
 	}
 
-	return request.headers.get('x-api-key') || env.NANOGPT_API_KEY || null;
+	return null;
+};
+
+const resolveNanoGPTKey = async (request: Request, userId?: string): Promise<string | null> => {
+	const explicitKey = getExplicitNanoGPTKey(request);
+	if (explicitKey) return explicitKey;
+
+	if (!userId) return null;
+
+	const userKey = await getUserKey(userId, 'nanogpt');
+	return userKey || env.NANOGPT_API_KEY || null;
 };
 
 export const POST: RequestHandler = async ({ request, fetch }) => {
@@ -43,10 +59,11 @@ export const POST: RequestHandler = async ({ request, fetch }) => {
 			return json({ error: 'Text is required' }, { status: 400 });
 		}
 
-		const apiKey = getApiKey(request);
+		const userId = await tryGetAuthenticatedUserId(request);
+		const apiKey = await resolveNanoGPTKey(request, userId);
 
 		if (!apiKey) {
-			return json({ error: 'API key is required' }, { status: 401 });
+			return json({ error: 'Authentication required or NanoGPT API key missing' }, { status: 401 });
 		}
 
 		const start = Date.now();
@@ -89,7 +106,6 @@ export const POST: RequestHandler = async ({ request, fetch }) => {
 		// Track analytics asynchronously
 		(async () => {
 			try {
-				const userId = await tryGetAuthenticatedUserId(request);
 				if (userId) {
 					console.log(`[TTS] Tracking analytics for user: ${userId}, model: ${model}`);
 					const duration = Date.now() - start;

src/routes/api/tts/status/+server.ts

@@ -1,23 +1,42 @@
+import { env } from '$env/dynamic/private';
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
+import { tryGetAuthenticatedUserId } from '$lib/backend/auth-utils';
+import { getUserKey } from '$lib/db/queries';
+
+const getExplicitNanoGPTKey = (request: Request): string | null => {
+	const headerKey = request.headers.get('x-api-key');
+	if (headerKey && !headerKey.startsWith('nc_')) {
+		return headerKey;
+	}
 
-const getApiKey = (request: Request): string | null => {
 	const authHeader = request.headers.get('Authorization');
 	if (authHeader?.startsWith('Bearer ')) {
 		const token = authHeader.slice(7).trim();
-		if (token.length > 0) {
+		if (token.length > 0 && !token.startsWith('nc_')) {
 			return token;
 		}
 	}
 
-	return request.headers.get('x-api-key') || env.NANOGPT_API_KEY || null;
+	return null;
+};
+
+const resolveNanoGPTKey = async (request: Request, userId?: string): Promise<string | null> => {
+	const explicitKey = getExplicitNanoGPTKey(request);
+	if (explicitKey) return explicitKey;
+
+	if (!userId) return null;
+
+	const userKey = await getUserKey(userId, 'nanogpt');
+	return userKey || env.NANOGPT_API_KEY || null;
 };
 
 export const GET: RequestHandler = async ({ request, fetch, url }) => {
-	const apiKey = getApiKey(request);
+	const userId = await tryGetAuthenticatedUserId(request);
+	const apiKey = await resolveNanoGPTKey(request, userId);
 
 	if (!apiKey) {
-		return json({ error: 'API key is required' }, { status: 401 });
+		return json({ error: 'Authentication required or NanoGPT API key missing' }, { status: 401 });
 	}
 
 	const runId = url.searchParams.get('runId');