From c5d85f1722136da53f935b4383e764975f88b436 Mon Sep 17 00:00:00 2001
From: Grant Linville <grant@acorn.io>
Date: Wed, 4 Dec 2024 13:45:35 -0500
Subject: [PATCH] chore: openapi: remove https restriction (#916)

Signed-off-by: Grant Linville <grant@acorn.io>
---
 docs/docs/03-tools/03-openapi.md |  6 ------
 pkg/engine/openapi.go            | 20 +++++++++-----------
 pkg/openapi/run.go               | 23 +++++++++--------------
 3 files changed, 18 insertions(+), 31 deletions(-)

diff --git a/docs/docs/03-tools/03-openapi.md b/docs/docs/03-tools/03-openapi.md
index 0b0f4961..e99172eb 100644
--- a/docs/docs/03-tools/03-openapi.md
+++ b/docs/docs/03-tools/03-openapi.md
@@ -41,12 +41,6 @@ Will be resolved as `https://api.example.com/v1`.
 
 ## Authentication
 
-:::warning
-All authentication options will be completely ignored if the server uses HTTP and not HTTPS, unless the request is for `localhost` or 127.0.0.1.
-This is to protect users from accidentally sending credentials in plain text.
-HTTP is only OK, if it's on localhost/127.0.0.1.
-:::
-
 ### 1. Security Schemes
 
 GPTScript will read the defined [security schemes](https://swagger.io/docs/specification/authentication/) in the OpenAPI definition. The currently supported types are `apiKey` and `http`.
diff --git a/pkg/engine/openapi.go b/pkg/engine/openapi.go
index a951bd37..a9a1a644 100644
--- a/pkg/engine/openapi.go
+++ b/pkg/engine/openapi.go
@@ -197,19 +197,17 @@ func (e *Engine) runOpenAPI(tool types.Tool, input string) (*Return, error) {
 		return nil, fmt.Errorf("failed to create request: %w", err)
 	}
 
-	// Check for authentication (only if using HTTPS or localhost)
-	if u.Scheme == "https" || u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1" {
-		if len(instructions.SecurityInfos) > 0 {
-			if err := openapi.HandleAuths(req, envMap, instructions.SecurityInfos); err != nil {
-				return nil, fmt.Errorf("error setting up authentication: %w", err)
-			}
+	// Check for authentication
+	if len(instructions.SecurityInfos) > 0 {
+		if err := openapi.HandleAuths(req, envMap, instructions.SecurityInfos); err != nil {
+			return nil, fmt.Errorf("error setting up authentication: %w", err)
 		}
+	}
 
-		// If there is a bearer token set for the whole server, and no Authorization header has been defined, use it.
-		if token, ok := envMap["GPTSCRIPT_"+env.ToEnvLike(u.Hostname())+"_BEARER_TOKEN"]; ok {
-			if req.Header.Get("Authorization") == "" {
-				req.Header.Set("Authorization", "Bearer "+token)
-			}
+	// If there is a bearer token set for the whole server, and no Authorization header has been defined, use it.
+	if token, ok := envMap["GPTSCRIPT_"+env.ToEnvLike(u.Hostname())+"_BEARER_TOKEN"]; ok {
+		if req.Header.Get("Authorization") == "" {
+			req.Header.Set("Authorization", "Bearer "+token)
 		}
 	}
 
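Review bot: Dropping the scheme gate around `HandleAuths` and the `GPTSCRIPT_<HOST>_BEARER_TOKEN` lookup means API keys and bearer tokens read from the environment are now attached to plain-HTTP requests to any host, silently, and the docs hunk removes the only caveat that used to tell users so. Because the token key is derived from `u.Hostname()` alone, a token configured for an HTTPS host will also be sent in cleartext whenever the same hostname is reached over `http://`, and if the request URL comes from the OpenAPI definition's server entry (as the docs hunk suggests) the definition controls that downgrade. If removing the hard restriction is intentional, I would at least keep a loopback-aware check (including `::1`, which the old check missed) and emit a warning when credentials would leave the machine unencrypted, using whatever logger this package already has. runOpenAPI begins and ends outside this hunk.
```go
// … unchanged: request construction …

// Credentials are no longer gated on HTTPS; make the cleartext case visible.
host := u.Hostname()
loopback := host == "localhost" || host == "127.0.0.1" || host == "::1"
_, hasToken := envMap["GPTSCRIPT_"+env.ToEnvLike(host)+"_BEARER_TOKEN"]
if u.Scheme != "https" && !loopback && (len(instructions.SecurityInfos) > 0 || hasToken) {
	// TODO(review): route through this package's logger; log may not be imported here
	log.Printf("warning: sending credentials for %s over plain HTTP", host)
}

// … unchanged: HandleAuths call and bearer-token fallback …
```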
diff --git a/pkg/openapi/run.go b/pkg/openapi/run.go
index ac1ec660..237d8b57 100644
--- a/pkg/openapi/run.go
+++ b/pkg/openapi/run.go
@@ -8,7 +8,6 @@ import (
 	"mime/multipart"
 	"net/http"
 	"net/url"
-	"os"
 	"strings"
 
 	"github.com/getkin/kin-openapi/openapi3"
@@ -69,22 +68,18 @@ func Run(operationID, defaultHost, args string, t *openapi3.T, envs []string) (s
 		return "", false, fmt.Errorf("failed to create request: %w", err)
 	}
 
-	// Check for authentication (only if using HTTPS or localhost)
-	if u.Scheme == "https" || u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1" {
-		if len(opInfo.SecurityInfos) > 0 {
-			if err := HandleAuths(req, envMap, opInfo.SecurityInfos); err != nil {
-				return "", false, fmt.Errorf("error setting up authentication: %w", err)
-			}
+	// Check for authentication
+	if len(opInfo.SecurityInfos) > 0 {
+		if err := HandleAuths(req, envMap, opInfo.SecurityInfos); err != nil {
+			return "", false, fmt.Errorf("error setting up authentication: %w", err)
 		}
+	}
 
-		// If there is a bearer token set for the whole server, and no Authorization header has been defined, use it.
-		if token, ok := envMap["GPTSCRIPT_"+env.ToEnvLike(u.Hostname())+"_BEARER_TOKEN"]; ok {
-			if req.Header.Get("Authorization") == "" {
-				req.Header.Set("Authorization", "Bearer "+token)
-			}
+	// If there is a bearer token set for the whole server, and no Authorization header has been defined, use it.
+	if token, ok := envMap["GPTSCRIPT_"+env.ToEnvLike(u.Hostname())+"_BEARER_TOKEN"]; ok {
+		if req.Header.Get("Authorization") == "" {
+			req.Header.Set("Authorization", "Bearer "+token)
 		}
-	} else {
-		fmt.Fprintf(os.Stderr, "no auth")
 	}
 
 	// Handle query parameters
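Review bot: The same regression as in pkg/engine/openapi.go applies here: with the scheme gate gone, `HandleAuths` and the host-keyed bearer-token fallback put environment credentials on plain-HTTP requests to any non-loopback host with no signal to the user. If the HTTPS restriction is to go, keep a loopback-aware check (`localhost`, `127.0.0.1`, and ideally `::1`, which the old check did not cover) and warn when credentials are applied to an `http://` URL; note that the first hunk removed the `os` import together with the stray `fmt.Fprintf(os.Stderr, "no auth")` line, so a stderr warning here needs that import back or the package's existing logging. Dropping the `"no auth"` debug print itself is fine, since it was written unconditionally on every non-HTTPS call. Run begins and ends outside this hunk.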