LegacyHUB

Vadim_Malanov/LegacyHUB

Fork 0

Commit Graph

Author	SHA1	Message	Date
Vadim Malanov	24282d1279	feat(api): optional API-key auth middleware Adds defence-in-depth shared-secret auth that activates when API_KEY is set. Behaviour: - empty API_KEY (dev default): every request allowed, middleware is not even installed; - non-empty API_KEY: every request under APP_API_PREFIX except /health must carry X-API-Key: <value> or Authorization: Bearer <value>. /, /docs, /redoc, /openapi.json and CORS preflight stay open. hmac.compare_digest is used for the constant-time comparison. The middleware resolves settings lazily so test fixtures can reload app.config and have the new API_KEY take effect on the next install. Tests (tests/test_api_security.py, 5 cases): - /health remains open; - protected route rejects missing key (401); - protected route accepts X-API-Key header; - protected route accepts Authorization: Bearer header; - protected route rejects a wrong key. Frontend: - VITE_API_KEY env reads the key and Axios injects it on every request, falling back to no header when empty so SSO/reverse-proxy deployments stay unchanged. - vite-env.d.ts adds the new env entry. Docs/ops: - .env.example documents the dev-default empty key; - .env.prod.example marks API_KEY as a required rotation point; - docker-compose.yml forwards API_KEY (defaults to empty); - docker-compose.prod.yml fails the stack with ?:required when API_KEY is missing; - RUNBOOK gains an API authentication section with header examples and the reverse-proxy + key layering recommendation. pytest -q: 33 passed (5 new security + 28 prior). npx tsc --noEmit: clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-13 17:17:27 +03:00
Vadim Malanov	d3c96161b0	ops: add docker-compose.prod.yml overlay Production overlay narrows the dev defaults: - removes published ports from postgres, minio, opensearch, qdrant, redis - only the api container stays externally reachable; - enables the OpenSearch security plugin and requires OPENSEARCH_ADMIN_PASSWORD via ?:required interpolation; - requires Qdrant API key, MinIO root credentials, postgres password, and CORS_ALLOWED_ORIGINS to be set (no localhost fallback); - doubles OpenSearch heap (-Xms2g -Xmx2g) and worker concurrency to 4; - drops the MinIO management console. Validated with: set -a; . .env.prod.example; CORS_ALLOWED_ORIGINS=https://example.com docker compose -f docker-compose.yml -f docker-compose.prod.yml config The RUNBOOK was updated in the initial commit and already documents the overlay invocation and credential rotation workflow. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-13 16:52:57 +03:00

Author

SHA1

Message

Date

Vadim Malanov

24282d1279

feat(api): optional API-key auth middleware

Adds defence-in-depth shared-secret auth that activates when API_KEY
is set. Behaviour:

- empty API_KEY (dev default): every request allowed, middleware is
  not even installed;
- non-empty API_KEY: every request under APP_API_PREFIX except
  /health must carry X-API-Key: <value> or
  Authorization: Bearer <value>. /, /docs, /redoc, /openapi.json and
  CORS preflight stay open. hmac.compare_digest is used for the
  constant-time comparison.

The middleware resolves settings lazily so test fixtures can reload
app.config and have the new API_KEY take effect on the next install.

Tests (tests/test_api_security.py, 5 cases):
- /health remains open;
- protected route rejects missing key (401);
- protected route accepts X-API-Key header;
- protected route accepts Authorization: Bearer header;
- protected route rejects a wrong key.

Frontend:
- VITE_API_KEY env reads the key and Axios injects it on every
  request, falling back to no header when empty so SSO/reverse-proxy
  deployments stay unchanged.
- vite-env.d.ts adds the new env entry.

Docs/ops:
- .env.example documents the dev-default empty key;
- .env.prod.example marks API_KEY as a required rotation point;
- docker-compose.yml forwards API_KEY (defaults to empty);
- docker-compose.prod.yml fails the stack with ?:required when API_KEY
  is missing;
- RUNBOOK gains an API authentication section with header examples
  and the reverse-proxy + key layering recommendation.

pytest -q: 33 passed (5 new security + 28 prior).
npx tsc --noEmit: clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-13 17:17:27 +03:00

Vadim Malanov

d3c96161b0

ops: add docker-compose.prod.yml overlay

Production overlay narrows the dev defaults:
- removes published ports from postgres, minio, opensearch, qdrant,
  redis - only the api container stays externally reachable;
- enables the OpenSearch security plugin and requires
  OPENSEARCH_ADMIN_PASSWORD via ?:required interpolation;
- requires Qdrant API key, MinIO root credentials, postgres password,
  and CORS_ALLOWED_ORIGINS to be set (no localhost fallback);
- doubles OpenSearch heap (-Xms2g -Xmx2g) and worker concurrency to 4;
- drops the MinIO management console.

Validated with:
  set -a; . .env.prod.example; CORS_ALLOWED_ORIGINS=https://example.com
  docker compose -f docker-compose.yml -f docker-compose.prod.yml config

The RUNBOOK was updated in the initial commit and already documents
the overlay invocation and credential rotation workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-13 16:52:57 +03:00

2 Commits