Vadim_Malanov/LegacyHUB
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a407f1f0944fab84b88ffcece5d5c9428306ee3
LegacyHUB/app/api/security.py
Vadim Malanov 24282d1279 feat(api): optional API-key auth middleware 
Adds defence-in-depth shared-secret auth that activates when API_KEY
is set. Behaviour:

- empty API_KEY (dev default): every request allowed, middleware is
  not even installed;
- non-empty API_KEY: every request under APP_API_PREFIX except
  /health must carry X-API-Key: <value> or
  Authorization: Bearer <value>. /, /docs, /redoc, /openapi.json and
  CORS preflight stay open. hmac.compare_digest is used for the
  constant-time comparison.

The middleware resolves settings lazily so test fixtures can reload
app.config and have the new API_KEY take effect on the next install.

Tests (tests/test_api_security.py, 5 cases):
- /health remains open;
- protected route rejects missing key (401);
- protected route accepts X-API-Key header;
- protected route accepts Authorization: Bearer header;
- protected route rejects a wrong key.

Frontend:
- VITE_API_KEY env reads the key and Axios injects it on every
  request, falling back to no header when empty so SSO/reverse-proxy
  deployments stay unchanged.
- vite-env.d.ts adds the new env entry.

Docs/ops:
- .env.example documents the dev-default empty key;
- .env.prod.example marks API_KEY as a required rotation point;
- docker-compose.yml forwards API_KEY (defaults to empty);
- docker-compose.prod.yml fails the stack with ?:required when API_KEY
  is missing;
- RUNBOOK gains an API authentication section with header examples
  and the reverse-proxy + key layering recommendation.

pytest -q: 33 passed (5 new security + 28 prior).
npx tsc --noEmit: clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 17:17:27 +03:00

84 lines
2.9 KiB
Python
Raw Blame History

"""Optional API-key auth.
Behaviour:
- If ``API_KEY`` is empty (default) every request is allowed - matches the
original dev configuration.
- If ``API_KEY`` is set, every request to a route under ``app_api_prefix``
must carry either ``X-API-Key: <value>`` or ``Authorization: Bearer <value>``.
- ``/health`` is intentionally exempt so external probes (compose healthcheck,
reverse proxy, monitoring) keep working without leaking the key.
- The root ``/`` page stays open so the OpenAPI banner and docs links remain
reachable.
This is a defence-in-depth layer behind whatever reverse proxy / OAuth gateway
runs in production - not a replacement.
"""
from __future__ import annotations
import hmac
from typing import Awaitable, Callable
from fastapi import FastAPI, Request, Response
from fastapi.responses import JSONResponse
from starlette.types import ASGIApp
from app.config import settings as _module_settings
EXEMPT_PATHS: tuple[str, ...] = ("/", "/docs", "/redoc", "/openapi.json")
EXEMPT_SUFFIXES: tuple[str, ...] = ("/health",)
def _extract_token(request: Request) -> str | None:
header = request.headers.get("x-api-key")
if header:
return header.strip()
auth = request.headers.get("authorization") or ""
if auth.lower().startswith("bearer "):
return auth[7:].strip()
return None
def install_api_key_auth(app: FastAPI) -> None:
"""Attach the middleware. Always safe to call; becomes a no-op when no key
is configured.
Reads ``app.config.settings`` lazily so test fixtures can reload the config
module and have the new ``API_KEY`` value take effect on the next install.
"""
from app.config import settings as fresh_settings # re-resolve after reloads
settings = fresh_settings
expected = settings.api_key.strip() if settings.api_key else ""
if not expected:
return
@app.middleware("http")
async def _api_key_middleware( # type: ignore[no-redef]
request: Request,
call_next: Callable[[Request], Awaitable[Response]],
) -> Response:
path = request.url.path
if request.method == "OPTIONS":
return await call_next(request)
if path in EXEMPT_PATHS:
return await call_next(request)
if any(path.endswith(s) for s in EXEMPT_SUFFIXES):
return await call_next(request)
if not path.startswith(settings.app_api_prefix):
return await call_next(request)
token = _extract_token(request)
if not token or not hmac.compare_digest(token, expected):
return JSONResponse(
status_code=401,
content={"detail": "invalid or missing api key"},
headers={"WWW-Authenticate": "Bearer"},
)
return await call_next(request)
__all__ = ["install_api_key_auth"]
_ = ASGIApp # re-export hint to keep mypy happy on older Starlette versions
Reference in New Issue View Git Blame Copy Permalink