From 6ad933052d590a6237cf878e9851ee45df18631b Mon Sep 17 00:00:00 2001
From: Visa de Bruijn <visa.de.bruijn@reaktor.com>
Date: Fri, 7 Nov 2025 16:44:03 +0200
Subject: [PATCH] openai-adapters: allow overriding authorization header

Enable overriding OpenAI client's Authorization header by removing it if
the user provides a custom authorization header with `requestOptions: {
headers: { Authorization: Basic ... } }`

OpenAI client will always send an `Authorization: Bearer` header since
`apiKey` is a mandatory parameter. Previously, both the OpenAI header
and the custom header were sent, breaking at least vLLM set up with
basic auth. And it seems like multiple Authorization headers is a breach
of the HTTP RFC specs, so there should be no justifiable use case to
send more than one.
---
 packages/openai-adapters/src/util.ts | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/packages/openai-adapters/src/util.ts b/packages/openai-adapters/src/util.ts
index 0cc79d42e18..3b33dfb799c 100644
--- a/packages/openai-adapters/src/util.ts
+++ b/packages/openai-adapters/src/util.ts
@@ -158,7 +158,35 @@ export function customFetch(
   if (process.env.FEATURE_FLAG_DISABLE_CUSTOM_FETCH) {
     return patchedFetch;
   }
+
+  function letRequestOptionsOverrideAuthorizationHeader(init: any): any {
+    if (
+      !init ||
+      !init.headers ||
+      !requestOptions ||
+      !requestOptions.headers ||
+      (!requestOptions.headers["Authorization"] &&
+        !requestOptions.headers["authorization"])
+    ) {
+      return init;
+    }
+
+    if (init.headers instanceof Headers) {
+      init.headers.delete("Authorization");
+    } else if (Array.isArray(init.headers)) {
+      init.headers = init.headers.filter(
+        (header: [string, string]) =>
+          (header[0] ?? "").toLowerCase() !== "authorization",
+      );
+    } else if (typeof init.headers === "object") {
+      delete init.headers["Authorization"];
+      delete init.headers["authorization"];
+    }
+    return init;
+  }
+
   return (req: URL | string | Request, init?: any) => {
+    init = letRequestOptionsOverrideAuthorizationHeader(init);
     if (typeof req === "string" || req instanceof URL) {
       return fetchwithRequestOptions(req, init, requestOptions);
     } else {