Vadim_Malanov/LegacyHUB
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a407f1f0944fab84b88ffcece5d5c9428306ee3
LegacyHUB/docker-compose.prod.yml
Vadim Malanov 24282d1279 feat(api): optional API-key auth middleware 
Adds defence-in-depth shared-secret auth that activates when API_KEY
is set. Behaviour:

- empty API_KEY (dev default): every request allowed, middleware is
  not even installed;
- non-empty API_KEY: every request under APP_API_PREFIX except
  /health must carry X-API-Key: <value> or
  Authorization: Bearer <value>. /, /docs, /redoc, /openapi.json and
  CORS preflight stay open. hmac.compare_digest is used for the
  constant-time comparison.

The middleware resolves settings lazily so test fixtures can reload
app.config and have the new API_KEY take effect on the next install.

Tests (tests/test_api_security.py, 5 cases):
- /health remains open;
- protected route rejects missing key (401);
- protected route accepts X-API-Key header;
- protected route accepts Authorization: Bearer header;
- protected route rejects a wrong key.

Frontend:
- VITE_API_KEY env reads the key and Axios injects it on every
  request, falling back to no header when empty so SSO/reverse-proxy
  deployments stay unchanged.
- vite-env.d.ts adds the new env entry.

Docs/ops:
- .env.example documents the dev-default empty key;
- .env.prod.example marks API_KEY as a required rotation point;
- docker-compose.yml forwards API_KEY (defaults to empty);
- docker-compose.prod.yml fails the stack with ?:required when API_KEY
  is missing;
- RUNBOOK gains an API authentication section with header examples
  and the reverse-proxy + key layering recommendation.

pytest -q: 33 passed (5 new security + 28 prior).
npx tsc --noEmit: clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 17:17:27 +03:00

103 lines
3.6 KiB
YAML
Raw Blame History

# Production overlay for LegacyHUB.
#
# Usage:
# cp .env.prod.example .env.prod
# $EDITOR .env.prod # rotate every credential
# docker compose \
# -f docker-compose.yml -f docker-compose.prod.yml \
# --env-file .env.prod \
# up -d --build --force-recreate
#
# This overlay narrows the dev-friendly defaults:
# - removes published ports from data services (only api stays public);
# - turns on the OpenSearch security plugin and forces an admin password;
# - requires CORS_ALLOWED_ORIGINS to be set (no localhost fallback);
# - bumps Java + worker concurrency for real workloads;
# - drops the MinIO console.
services:
postgres:
ports: !reset []
environment:
POSTGRES_DB: ${POSTGRES_DB}
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}
restart: always
minio:
command: server /data
ports: !reset []
environment:
MINIO_ROOT_USER: ${MINIO_ACCESS_KEY:?MINIO_ACCESS_KEY must be set}
MINIO_ROOT_PASSWORD: ${MINIO_SECRET_KEY:?MINIO_SECRET_KEY must be set}
restart: always
opensearch:
ports: !reset []
environment:
- discovery.type=single-node
- bootstrap.memory_lock=true
- "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
- DISABLE_INSTALL_DEMO_CONFIG=true
- plugins.security.disabled=false
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:?OPENSEARCH_ADMIN_PASSWORD must be set}
restart: always
qdrant:
ports: !reset []
environment:
QDRANT__SERVICE__API_KEY: ${QDRANT_API_KEY:?QDRANT_API_KEY must be set}
restart: always
redis:
ports: !reset []
restart: always
api:
environment:
<<: &prod-env
POSTGRES_HOST: ${POSTGRES_HOST}
POSTGRES_PORT: ${POSTGRES_PORT}
POSTGRES_DB: ${POSTGRES_DB}
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
MINIO_ENDPOINT: ${MINIO_ENDPOINT}
MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY}
MINIO_SECRET_KEY: ${MINIO_SECRET_KEY}
MINIO_BUCKET_ORIGINALS: ${MINIO_BUCKET_ORIGINALS}
MINIO_BUCKET_DERIVED: ${MINIO_BUCKET_DERIVED}
MINIO_SECURE: "true"
OPENSEARCH_HOST: ${OPENSEARCH_HOST}
OPENSEARCH_PORT: ${OPENSEARCH_PORT}
OPENSEARCH_USE_SSL: "true"
OPENSEARCH_VERIFY_CERTS: "true"
OPENSEARCH_USER: ${OPENSEARCH_USER}
OPENSEARCH_PASSWORD: ${OPENSEARCH_PASSWORD}
OPENSEARCH_INDEX_CHUNKS: ${OPENSEARCH_INDEX_CHUNKS}
QDRANT_HOST: ${QDRANT_HOST}
QDRANT_PORT: ${QDRANT_PORT}
QDRANT_API_KEY: ${QDRANT_API_KEY}
QDRANT_COLLECTION_CHUNKS: ${QDRANT_COLLECTION_CHUNKS}
REDIS_URL: ${REDIS_URL}
OCR_LANGUAGES: ${OCR_LANGUAGES}
OCR_ENABLED: ${OCR_ENABLED}
DOCLING_OCR_ENABLED: ${DOCLING_OCR_ENABLED}
MAX_DOCUMENT_TIMEOUT_SECONDS: ${MAX_DOCUMENT_TIMEOUT_SECONDS}
EMBEDDING_MODEL: ${EMBEDDING_MODEL}
EMBEDDING_DEVICE: ${EMBEDDING_DEVICE}
RERANKER_MODEL: ${RERANKER_MODEL}
RERANKER_DEVICE: ${RERANKER_DEVICE}
RERANKER_ENABLED: ${RERANKER_ENABLED}
APP_LOG_LEVEL: ${APP_LOG_LEVEL}
APP_INPUT_DIR: /data/input
APP_WORK_DIR: /data/work
CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS:?CORS_ALLOWED_ORIGINS must be set (no * in production)}
API_KEY: ${API_KEY:?API_KEY must be set in production}
restart: always
worker:
command: ["celery", "-A", "app.workers.celery_app", "worker", "--loglevel=INFO", "--concurrency=4"]
environment:
<<: *prod-env
restart: always
Reference in New Issue View Git Blame Copy Permalink