Fail free request with non-free model

Author: jahooma

web/src/app/api/v1/chat/completions/__tests__/completions.test.ts

@@ -135,6 +135,13 @@ describe('/api/v1/chat/completions POST endpoint', () => {
           status: 'running',
         }
       }
+      if (runId === 'run-free') {
+        return {
+          // Real free-mode allowlisted agent (see FREE_MODE_AGENT_MODELS).
+          agent_id: 'base2-free',
+          status: 'running',
+        }
+      }
       if (runId === 'run-completed') {
         return {
           agent_id: 'agent-123',
@@ -529,10 +536,10 @@ describe('/api/v1/chat/completions POST endpoint', () => {
           method: 'POST',
           headers: { Authorization: 'Bearer test-api-key-new-free' },
           body: JSON.stringify({
-            model: 'test/test-model',
+            model: 'z-ai/glm-5.1',
             stream: false,
             codebuff_metadata: {
-              run_id: 'run-123',
+              run_id: 'run-free',
               client_id: 'test-client-id-123',
               cost_mode: 'free',
             },
@@ -562,10 +569,10 @@ describe('/api/v1/chat/completions POST endpoint', () => {
           method: 'POST',
           headers: { Authorization: 'Bearer test-api-key-no-credits' },
           body: JSON.stringify({
-            model: 'test/test-model',
+            model: 'z-ai/glm-5.1',
             stream: false,
             codebuff_metadata: {
-              run_id: 'run-123',
+              run_id: 'run-free',
               client_id: 'test-client-id-123',
               cost_mode: 'free',
             },
@@ -587,6 +594,116 @@ describe('/api/v1/chat/completions POST endpoint', () => {
 
       expect(response.status).toBe(200)
     })
+
+    it('rejects free-mode requests using a non-allowlisted model (e.g. Opus)', async () => {
+      const req = new NextRequest(
+        'http://localhost:3000/api/v1/chat/completions',
+        {
+          method: 'POST',
+          headers: { Authorization: 'Bearer test-api-key-new-free' },
+          body: JSON.stringify({
+            // Expensive model the attacker wants for free.
+            model: 'anthropic/claude-4.7-opus',
+            stream: true,
+            codebuff_metadata: {
+              run_id: 'run-free',
+              client_id: 'test-client-id-123',
+              cost_mode: 'free',
+            },
+          }),
+        },
+      )
+
+      const response = await postChatCompletions({
+        req,
+        getUserInfoFromApiKey: mockGetUserInfoFromApiKey,
+        logger: mockLogger,
+        trackEvent: mockTrackEvent,
+        getUserUsageData: mockGetUserUsageData,
+        getAgentRunFromId: mockGetAgentRunFromId,
+        fetch: mockFetch,
+        insertMessageBigquery: mockInsertMessageBigquery,
+        loggerWithContext: mockLoggerWithContext,
+      })
+
+      expect(response.status).toBe(403)
+      const body = await response.json()
+      expect(body.error).toBe('free_mode_invalid_agent_model')
+    })
+
+    it('rejects free-mode requests with an allowlisted agent but a model outside its allowed set', async () => {
+      // agent=base2-free is allowlisted, but Opus is not in its allowed
+      // model set. This is the spoofing variant of the attack where the
+      // caller picks a real free-mode agentId to try to sneak past the gate.
+      const req = new NextRequest(
+        'http://localhost:3000/api/v1/chat/completions',
+        {
+          method: 'POST',
+          headers: { Authorization: 'Bearer test-api-key-new-free' },
+          body: JSON.stringify({
+            model: 'anthropic/claude-4.7-opus',
+            stream: true,
+            codebuff_metadata: {
+              run_id: 'run-free',
+              client_id: 'test-client-id-123',
+              cost_mode: 'free',
+            },
+          }),
+        },
+      )
+
+      const response = await postChatCompletions({
+        req,
+        getUserInfoFromApiKey: mockGetUserInfoFromApiKey,
+        logger: mockLogger,
+        trackEvent: mockTrackEvent,
+        getUserUsageData: mockGetUserUsageData,
+        getAgentRunFromId: mockGetAgentRunFromId,
+        fetch: mockFetch,
+        insertMessageBigquery: mockInsertMessageBigquery,
+        loggerWithContext: mockLoggerWithContext,
+      })
+
+      expect(response.status).toBe(403)
+      const body = await response.json()
+      expect(body.error).toBe('free_mode_invalid_agent_model')
+    })
+
+    it('rejects free-mode requests where agentId is not in the allowlist at all', async () => {
+      // run-123 points to agent-123, which is not a free-mode agent.
+      const req = new NextRequest(
+        'http://localhost:3000/api/v1/chat/completions',
+        {
+          method: 'POST',
+          headers: { Authorization: 'Bearer test-api-key-new-free' },
+          body: JSON.stringify({
+            model: 'z-ai/glm-5.1',
+            stream: true,
+            codebuff_metadata: {
+              run_id: 'run-123',
+              client_id: 'test-client-id-123',
+              cost_mode: 'free',
+            },
+          }),
+        },
+      )
+
+      const response = await postChatCompletions({
+        req,
+        getUserInfoFromApiKey: mockGetUserInfoFromApiKey,
+        logger: mockLogger,
+        trackEvent: mockTrackEvent,
+        getUserUsageData: mockGetUserUsageData,
+        getAgentRunFromId: mockGetAgentRunFromId,
+        fetch: mockFetch,
+        insertMessageBigquery: mockInsertMessageBigquery,
+        loggerWithContext: mockLoggerWithContext,
+      })
+
+      expect(response.status).toBe(403)
+      const body = await response.json()
+      expect(body.error).toBe('free_mode_invalid_agent_model')
+    })
   })
 
   describe('Successful responses', () => {
@@ -734,10 +851,10 @@ describe('/api/v1/chat/completions POST endpoint', () => {
           method: 'POST',
           headers: { Authorization: 'Bearer test-api-key-123' },
           body: JSON.stringify({
-            model: 'test/test-model',
+            model: 'z-ai/glm-5.1',
             stream: false,
             codebuff_metadata: {
-              run_id: 'run-123',
+              run_id: 'run-free',
               client_id: 'test-client-id-123',
               cost_mode: 'free',
             },

web/src/app/api/v1/chat/completions/_post.ts

@@ -1,6 +1,9 @@
 import { AnalyticsEvent } from '@codebuff/common/constants/analytics-events'
 import { BYOK_OPENROUTER_HEADER } from '@codebuff/common/constants/byok'
-import { isFreeMode } from '@codebuff/common/constants/free-agents'
+import {
+  isFreeMode,
+  isFreeModeAllowedAgentModel,
+} from '@codebuff/common/constants/free-agents'
 import { getErrorObject } from '@codebuff/common/util/error'
 import { pluralize } from '@codebuff/common/util/string'
 import { env } from '@codebuff/internal/env'
@@ -359,6 +362,38 @@ export async function postChatCompletions(params: {
       )
     }
 
+    // Free-mode requests must use an allowlisted agent+model combination.
+    // Without this gate, an attacker on a brand-new unpaid account can set
+    // cost_mode='free' to bypass both the paid-account check and the balance
+    // check, then request an expensive model (Opus, etc). Our OpenRouter key
+    // pays for the call; the downstream credit-consumption step records an
+    // audit row but can't actually deduct from a user who has no grants —
+    // net result is free Opus for the attacker, real dollars for us. Check
+    // must happen here, before any call to OpenRouter.
+    if (
+      isFreeModeRequest &&
+      !isFreeModeAllowedAgentModel(agentId, typedBody.model)
+    ) {
+      trackEvent({
+        event: AnalyticsEvent.CHAT_COMPLETIONS_VALIDATION_ERROR,
+        userId,
+        properties: {
+          error: 'free_mode_invalid_agent_model',
+          agentId,
+          model: typedBody.model,
+        },
+        logger,
+      })
+      return NextResponse.json(
+        {
+          error: 'free_mode_invalid_agent_model',
+          message:
+            'Free mode is only available for specific agent and model combinations.',
+        },
+        { status: 403 },
+      )
+    }
+
     // Rate limit free mode requests (after validation so invalid requests don't consume quota)
     if (isFreeModeRequest) {
       const rateLimitResult = checkFreeModeRateLimit(userId)