feat(backend/external-api): Make API key auth work in Swagger UI (#10783)

![Swagger UI API key auth
dialog](https://github.com/user-attachments/assets/02026802-51f9-410d-bdb8-53840d5eb17b)

- Resolves #10782

### Changes 🏗️

- Use `Security(..)` for security dependencies
- Minor tweaks to auth mechanism (similar to #10720)

### Checklist 📋

#### For code changes:
- [x] I have clearly listed my changes in the PR description
- [x] I have made a test plan
- [x] I have tested my changes according to the test plan:
  - [x] API key auth feature appears in Swagger UI
  - [ ] API key auth *works* in Swagger UI (@ntindle wanna test this?)

autogpt_platform/backend/backend/server/external/middleware.py

@@ -1,16 +1,14 @@
-from fastapi import Depends, HTTPException, Request
+from fastapi import HTTPException, Security
 from fastapi.security import APIKeyHeader
 from prisma.enums import APIKeyPermission
 
-from backend.data.api_key import has_permission, validate_api_key
+from backend.data.api_key import APIKey, has_permission, validate_api_key
 
-api_key_header = APIKeyHeader(name="X-API-Key")
+api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
 
 
-async def require_api_key(request: Request):
+async def require_api_key(api_key: str | None = Security(api_key_header)) -> APIKey:
     """Base middleware for API key authentication"""
-    api_key = await api_key_header(request)
-
     if api_key is None:
         raise HTTPException(status_code=401, detail="Missing API key")
 
@@ -19,18 +17,17 @@ async def require_api_key(request: Request):
     if not api_key_obj:
         raise HTTPException(status_code=401, detail="Invalid API key")
 
-    request.state.api_key = api_key_obj
     return api_key_obj
 
 
 def require_permission(permission: APIKeyPermission):
     """Dependency function for checking specific permissions"""
 
-    async def check_permission(api_key=Depends(require_api_key)):
+    async def check_permission(api_key: APIKey = Security(require_api_key)):
         if not has_permission(api_key, permission):
             raise HTTPException(
                 status_code=403,
-                detail=f"API key missing required permission: {permission}",
+                detail=f"API key lacks the required permission '{permission}'",
             )
         return api_key
 

autogpt_platform/backend/backend/server/external/routes/v1.py

@@ -2,7 +2,7 @@ import logging
 from collections import defaultdict
 from typing import Annotated, Any, Optional, Sequence
 
-from fastapi import APIRouter, Body, Depends, HTTPException
+from fastapi import APIRouter, Body, HTTPException, Security
 from prisma.enums import AgentExecutionStatus, APIKeyPermission
 from typing_extensions import TypedDict
 
@@ -47,7 +47,7 @@ class GraphExecutionResult(TypedDict):
 @v1_router.get(
     path="/blocks",
     tags=["blocks"],
-    dependencies=[Depends(require_permission(APIKeyPermission.READ_BLOCK))],
+    dependencies=[Security(require_permission(APIKeyPermission.READ_BLOCK))],
 )
 def get_graph_blocks() -> Sequence[dict[Any, Any]]:
     blocks = [block() for block in backend.data.block.get_blocks().values()]
@@ -57,12 +57,12 @@ def get_graph_blocks() -> Sequence[dict[Any, Any]]:
 @v1_router.post(
     path="/blocks/{block_id}/execute",
     tags=["blocks"],
-    dependencies=[Depends(require_permission(APIKeyPermission.EXECUTE_BLOCK))],
+    dependencies=[Security(require_permission(APIKeyPermission.EXECUTE_BLOCK))],
 )
 async def execute_graph_block(
     block_id: str,
     data: BlockInput,
-    api_key: APIKey = Depends(require_permission(APIKeyPermission.EXECUTE_BLOCK)),
+    api_key: APIKey = Security(require_permission(APIKeyPermission.EXECUTE_BLOCK)),
 ) -> CompletedBlockOutput:
     obj = backend.data.block.get_block(block_id)
     if not obj:
@@ -82,7 +82,7 @@ async def execute_graph(
     graph_id: str,
     graph_version: int,
     node_input: Annotated[dict[str, Any], Body(..., embed=True, default_factory=dict)],
-    api_key: APIKey = Depends(require_permission(APIKeyPermission.EXECUTE_GRAPH)),
+    api_key: APIKey = Security(require_permission(APIKeyPermission.EXECUTE_GRAPH)),
 ) -> dict[str, Any]:
     try:
         graph_exec = await add_graph_execution(
@@ -104,7 +104,7 @@ async def execute_graph(
 async def get_graph_execution_results(
     graph_id: str,
     graph_exec_id: str,
-    api_key: APIKey = Depends(require_permission(APIKeyPermission.READ_GRAPH)),
+    api_key: APIKey = Security(require_permission(APIKeyPermission.READ_GRAPH)),
 ) -> GraphExecutionResult:
     graph = await graph_db.get_graph(graph_id, user_id=api_key.user_id)
     if not graph: