ABE — API Security Specification
Authentication: API Key
All API endpoints require an API key passed in the header:
X-ABE-API-Key: <key>
If missing or invalid → 401 Unauthorized.
Configuration
API key is set via environment variable: ABE_API_KEY
If it is not set, the server logs a warning and runs without authentication (dev mode only).
Implementation
Create src/server/middleware/auth.ts:
import type { Request, Response, NextFunction } from 'express';

export function apiKeyAuth(req: Request, res: Response, next: NextFunction) {
  const apiKey = process.env.ABE_API_KEY;
  if (!apiKey) return next(); // dev mode: ABE_API_KEY unset, no auth enforced
  // Express lower-cases header names; a repeated header arrives as string[]
  const provided = req.headers['x-abe-api-key'];
  if (!provided || provided !== apiKey) {
    return res.status(401).json({ error: 'Invalid or missing API key' });
  }
  next();
}
Apply this middleware to ALL routes EXCEPT:
- GET /health
- GET /ready
CORS
Only allow requests from the frontend origin.
Configure via environment variable: ABE_CORS_ORIGIN (default: http://localhost:5173)
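The checks above, written as framework-free functions so they can be unit tested without Express. This is an added example, not the ABE project's middleware: the names `MinimalRequest`, `AuthResult`, `isExemptRoute`, `keysMatch`, `checkApiKey` and `corsOriginFor` are assumptions for this illustration. It goes slightly beyond the spec's snippet in two places a reviewer would want: the key comparison is constant time, and the exempt routes are matched on exact method and path rather than a path prefix.

```typescript
// Added example (not the ABE project's code). Assumed names: MinimalRequest,
// AuthResult, isExemptRoute, keysMatch, checkApiKey, corsOriginFor.
import { Buffer } from 'node:buffer';
import { timingSafeEqual } from 'node:crypto';

// Minimal structural stand-in for the parts of an Express request we touch.
export interface MinimalRequest {
  method: string;
  path: string;
  headers: Record<string, string | string[] | undefined>;
}

export type AuthResult = { ok: true } | { ok: false; status: number; error: string };

// Routes that stay reachable without a key (health probes). Matched on exact
// "METHOD path" so that /healthz or /health/admin are not accidentally exempt.
const EXEMPT_ROUTES = new Set(['GET /health', 'GET /ready']);

export function isExemptRoute(method: string, path: string): boolean {
  return EXEMPT_ROUTES.has(`${method.toUpperCase()} ${path}`);
}

// Compare the presented key with the configured key in constant time, so response
// latency does not reveal how many leading bytes matched.
export function keysMatch(provided: string, expected: string): boolean {
  const a = Buffer.from(provided, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

export function checkApiKey(req: MinimalRequest, configuredKey: string | undefined): AuthResult {
  if (isExemptRoute(req.method, req.path)) return { ok: true };
  // Spec: ABE_API_KEY unset means dev mode, no auth (the server should log a warning).
  if (!configuredKey) return { ok: true };
  const raw = req.headers['x-abe-api-key'];
  // A repeated header arrives as an array; treat that as missing rather than picking one.
  const provided = typeof raw === 'string' ? raw : undefined;
  if (!provided || !keysMatch(provided, configuredKey)) {
    return { ok: false, status: 401, error: 'Invalid or missing API key' };
  }
  return { ok: true };
}

// CORS: only the configured frontend origin is echoed back in
// Access-Control-Allow-Origin; any other origin gets no header at all.
export function corsOriginFor(requestOrigin: string | undefined, allowedOrigin: string): string | null {
  return requestOrigin !== undefined && requestOrigin === allowedOrigin ? allowedOrigin : null;
}

// Express wiring (assumed shape, not executed here):
//   app.use((req, res, next) => {
//     const r = checkApiKey(req, process.env.ABE_API_KEY);
//     return r.ok ? next() : res.status(r.status).json({ error: r.error });
//   });
```

Because `checkApiKey` returns a value instead of writing to `res`, the 401 branch, the dev-mode bypass and the exempt-route list can each be asserted on directly; the Express adapter at the bottom is the only part that depends on the framework.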
Rate Limiting
Add express-rate-limit:
- Max 20 POST /api/sessions per hour per IP
- Max 200 requests per minute per IP for other endpoints
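To make the two limits above concrete, here is an added, dependency-free fixed-window limiter that encodes the same policy; it is not the ABE project's code and not express-rate-limit, which is what the spec actually mounts (one instance on POST /api/sessions at 20 per hour, one global instance at 200 per minute). The names `Rule`, `ruleFor` and `RateLimiter` are assumptions for this illustration.

```typescript
// Added example (not the ABE project's code). Assumed names: Rule, ruleFor, RateLimiter.
export interface Rule {
  windowMs: number;
  max: number;
}

// The two limits from the spec.
export const SESSION_CREATE_RULE: Rule = { windowMs: 60 * 60 * 1000, max: 20 };
export const GENERAL_RULE: Rule = { windowMs: 60 * 1000, max: 200 };

// Choose the bucket a request counts against. POST /api/sessions gets its own,
// tighter bucket; everything else shares the general one.
export function ruleFor(method: string, path: string): { name: string; rule: Rule } {
  if (method.toUpperCase() === 'POST' && path === '/api/sessions') {
    return { name: 'sessions', rule: SESSION_CREATE_RULE };
  }
  return { name: 'general', rule: GENERAL_RULE };
}

export class RateLimiter {
  // "<bucket>:<ip>" -> request count in the current window and when that window began
  private buckets = new Map<string, { count: number; windowStart: number }>();

  // Returns true when the request may proceed, false when it should get 429.
  // `now` is injectable so the window expiry can be tested without waiting.
  check(ip: string, method: string, path: string, now: number = Date.now()): boolean {
    const { name, rule } = ruleFor(method, path);
    const key = `${name}:${ip}`;
    const bucket = this.buckets.get(key);
    if (!bucket || now - bucket.windowStart >= rule.windowMs) {
      // First request in a fresh window: start counting at 1.
      this.buckets.set(key, { count: 1, windowStart: now });
      return true;
    }
    if (bucket.count >= rule.max) return false;
    bucket.count += 1;
    return true;
  }
}
```

The per-IP key is only as trustworthy as the address you feed in: behind a reverse proxy, Express must be told which proxies to trust (`trust proxy`) so the limiter keys on the real client address rather than on an attacker-controlled X-Forwarded-For value, otherwise every client can choose its own bucket.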
Environment Variables (full list for .env)
ABE_API_KEY=change-me-in-production
ABE_CORS_ORIGIN=http://localhost:5173
ABE_PORT=3001
ABE_DB_PATH=./data/abe.db
ABE_REPORTS_DIR=./reports
ABE_LOGS_DIR=./logs
NODE_ENV=production
docker-compose update
Add .env file support and pass the environment variables above through to the service in docker-compose.yml.
Add a volumes entry for the data/ directory so the SQLite database persists across container restarts.