Vadim_Malanov/LegacyHUB
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a407f1f0944fab84b88ffcece5d5c9428306ee3
LegacyHUB/app/main.py
Vadim Malanov 24282d1279 feat(api): optional API-key auth middleware 
Adds defence-in-depth shared-secret auth that activates when API_KEY
is set. Behaviour:

- empty API_KEY (dev default): every request allowed, middleware is
  not even installed;
- non-empty API_KEY: every request under APP_API_PREFIX except
  /health must carry X-API-Key: <value> or
  Authorization: Bearer <value>. /, /docs, /redoc, /openapi.json and
  CORS preflight stay open. hmac.compare_digest is used for the
  constant-time comparison.

The middleware resolves settings lazily so test fixtures can reload
app.config and have the new API_KEY take effect on the next install.

Tests (tests/test_api_security.py, 5 cases):
- /health remains open;
- protected route rejects missing key (401);
- protected route accepts X-API-Key header;
- protected route accepts Authorization: Bearer header;
- protected route rejects a wrong key.

Frontend:
- VITE_API_KEY env reads the key and Axios injects it on every
  request, falling back to no header when empty so SSO/reverse-proxy
  deployments stay unchanged.
- vite-env.d.ts adds the new env entry.

Docs/ops:
- .env.example documents the dev-default empty key;
- .env.prod.example marks API_KEY as a required rotation point;
- docker-compose.yml forwards API_KEY (defaults to empty);
- docker-compose.prod.yml fails the stack with ?:required when API_KEY
  is missing;
- RUNBOOK gains an API authentication section with header examples
  and the reverse-proxy + key layering recommendation.

pytest -q: 33 passed (5 new security + 28 prior).
npx tsc --noEmit: clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 17:17:27 +03:00

65 lines
1.9 KiB
Python
Raw Blame History

"""FastAPI entrypoint."""
from __future__ import annotations
from contextlib import asynccontextmanager
from typing import AsyncIterator
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from app import __version__
from app.api import routes_health, routes_ingestion, routes_search
from app.api.security import install_api_key_auth
from app.config import settings
from app.logging_config import configure_logging, get_logger
configure_logging()
logger = get_logger(__name__)
@asynccontextmanager
async def lifespan(app: FastAPI) -> AsyncIterator[None]:
logger.info("api.startup", version=__version__, prefix=settings.app_api_prefix)
# Best-effort bootstrap of MinIO buckets - non-fatal if it fails (health will reflect).
try:
from app.storage.minio_client import get_storage
get_storage().ensure_buckets()
except Exception as exc: # noqa: BLE001
logger.warning("api.startup.minio_bootstrap_failed", error=str(exc))
yield
logger.info("api.shutdown")
app = FastAPI(
title="LegacyHUB",
description="Hybrid lexical + semantic search over legacy PDF archives",
version=__version__,
lifespan=lifespan,
)
app.add_middleware(
CORSMiddleware,
allow_origins=settings.cors_origins,
allow_credentials=True,
allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
allow_headers=["*", "X-API-Key", "Authorization"],
max_age=3600,
)
install_api_key_auth(app)
app.include_router(routes_health.router, prefix=settings.app_api_prefix)
app.include_router(routes_ingestion.router, prefix=settings.app_api_prefix)
app.include_router(routes_search.router, prefix=settings.app_api_prefix)
@app.get("/")
def root() -> dict[str, str]:
return {
"service": "LegacyHUB",
"version": __version__,
"api": settings.app_api_prefix,
"docs": "/docs",
}
Reference in New Issue View Git Blame Copy Permalink