# ABE — API Security Specification

## Authentication: API Key

All API endpoints require an API key passed in the header:

`X-ABE-API-Key: <key>`

If missing or invalid → 401 Unauthorized.

## Configuration

API key is set via environment variable: `ABE_API_KEY`

If not set, server logs a warning and runs without auth (dev mode only).

## Implementation

Create `src/server/middleware/auth.ts`:

```typescript
import type { Request, Response, NextFunction } from 'express';

export function apiKeyAuth(req: Request, res: Response, next: NextFunction) {
  const apiKey = process.env.ABE_API_KEY;

  if (!apiKey) return next(); // dev mode: no auth (see Configuration)

  // Express lower-cases header names; a repeated header arrives as an array,
  // which fails the string check below and is rejected.
  const provided = req.headers['x-abe-api-key'];

  if (typeof provided !== 'string' || provided !== apiKey) {
    return res.status(401).json({ error: 'Invalid or missing API key' });
  }

  next();
}
```
Apply this middleware to ALL routes EXCEPT:
- GET /health
- GET /ready
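
The middleware above compares the key with `!==`, which returns as soon as one byte differs, and it silently runs without authentication whenever `ABE_API_KEY` is unset, even when `NODE_ENV=production`. The following is an added example, not the project's own code, of a hardened variant that covers both points plus the two exempt routes: it uses a constant-time comparison, fails closed in production, treats a repeated header as missing, and exempts `GET /health` and `GET /ready`. To run without the `express` package it uses structural stand-ins for Express's request and response types; the factory `makeApiKeyAuth`, the `runAuth` harness and the key value `constructed-secret` are assumptions for illustration.

```typescript
import { timingSafeEqual } from 'node:crypto';

// Structural stand-ins for Express's Request/Response/NextFunction, so this file
// runs without the express package; real Express objects satisfy these shapes.
export interface AuthRequest {
  method: string;
  path: string;
  headers: Record<string, string | string[] | undefined>;
}
export interface AuthResponse {
  status(code: number): AuthResponse;
  json(body: unknown): AuthResponse;
}
export type Next = () => void;

// Routes the spec leaves reachable without a key.
export const PUBLIC_ROUTES = new Set(['GET /health', 'GET /ready']);

// Constant-time comparison: a plain `!==` short-circuits at the first differing
// byte, which leaks how much of the key prefix matched through response timing.
export function keysMatch(provided: string, expected: string): boolean {
  const a = Buffer.from(provided, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

export interface AuthOptions {
  apiKey?: string;               // value of ABE_API_KEY
  nodeEnv?: string;              // value of NODE_ENV
  warn?: (msg: string) => void;  // logger for the dev-mode warning
}

// Factory (hypothetical name) that takes its settings as arguments instead of
// reading process.env, so the policy can be unit-tested without mutating the env.
export function makeApiKeyAuth(opts: AuthOptions) {
  const { apiKey, nodeEnv = 'development', warn = console.warn } = opts;
  if (!apiKey) {
    if (nodeEnv === 'production') {
      // Fail closed: never serve an unauthenticated API in production.
      throw new Error('ABE_API_KEY must be set when NODE_ENV=production');
    }
    warn('ABE_API_KEY not set; running without authentication (dev mode only)');
  }
  return function apiKeyAuth(req: AuthRequest, res: AuthResponse, next: Next): void {
    if (PUBLIC_ROUTES.has(`${req.method} ${req.path}`)) return next();
    if (!apiKey) return next(); // dev mode
    const raw = req.headers['x-abe-api-key'];
    // A repeated header arrives as an array; treat that as missing rather than guessing.
    const provided = Array.isArray(raw) ? undefined : raw;
    if (!provided || !keysMatch(provided, apiKey)) {
      res.status(401).json({ error: 'Invalid or missing API key' });
      return;
    }
    next();
  };
}

// Harness: runs the middleware on one request and returns the resulting status
// (200 when next() was called, otherwise the status the middleware set).
export function runAuth(mw: ReturnType<typeof makeApiKeyAuth>, req: AuthRequest): number {
  let statusCode = 200;
  let passed = false;
  const res: AuthResponse = {
    status(code) { statusCode = code; return res; },
    json() { return res; },
  };
  mw(req, res, () => { passed = true; });
  return passed ? 200 : statusCode;
}
```

In the real server the factory would be called once at startup with `process.env.ABE_API_KEY` and `process.env.NODE_ENV`, and the returned function passed to `app.use()` before the routes; the route exemption is then handled inside the middleware instead of by registering it selectively.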

## CORS

Only allow requests from the frontend origin.

Configure via environment variable: `ABE_CORS_ORIGIN` (default: `http://localhost:5173`)

## Rate Limiting

Add `express-rate-limit`:

- Max 20 POST /api/sessions per hour per IP
- Max 200 requests per minute per IP for other endpoints
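
The two limits above are independent buckets: a client that has used its 20 session creations for the hour can still make other requests, and the general 200-per-minute counter does not consume session quota. The following is an added example, not the project's code, that implements that policy as a fixed-window limiter keyed by rule and IP so it can be exercised offline; in the server itself `express-rate-limit` would be configured with the same `windowMs`/`max` values. The `RateLimiter` class, its injectable `now` clock and the sample IPs are assumptions for illustration.

```typescript
export interface RateLimitRule {
  name: string;
  windowMs: number;
  max: number;
  matches: (method: string, path: string) => boolean;
}

// First matching rule wins, so the session rule is listed before the catch-all
// that covers "other endpoints".
export const RULES: RateLimitRule[] = [
  { name: 'sessions', windowMs: 60 * 60 * 1000, max: 20,
    matches: (m, p) => m === 'POST' && p === '/api/sessions' },
  { name: 'general', windowMs: 60 * 1000, max: 200,
    matches: () => true },
];

interface Counter { start: number; count: number; }

export interface Decision {
  allowed: boolean;
  rule: string;
  remaining: number;
  retryAfterMs: number;  // 0 when allowed
}

export class RateLimiter {
  private buckets = new Map<string, Counter>();

  // `now` is injectable (hypothetical parameter) so tests can advance the clock.
  constructor(private rules: RateLimitRule[] = RULES, private now: () => number = Date.now) {}

  check(ip: string, method: string, path: string): Decision {
    const rule = this.rules.find(r => r.matches(method, path));
    if (!rule) return { allowed: true, rule: 'none', remaining: Infinity, retryAfterMs: 0 };

    // One counter per (rule, client IP); the two tiers never share a bucket.
    const key = `${rule.name}|${ip}`;
    const t = this.now();
    let w = this.buckets.get(key);
    if (!w || t - w.start >= rule.windowMs) {
      w = { start: t, count: 0 };  // window expired: start a fresh one
      this.buckets.set(key, w);
    }
    if (w.count >= rule.max) {
      return { allowed: false, rule: rule.name, remaining: 0,
               retryAfterMs: w.start + rule.windowMs - t };
    }
    w.count += 1;
    return { allowed: true, rule: rule.name, remaining: rule.max - w.count, retryAfterMs: 0 };
  }
}
```

Two deployment caveats apply equally to `express-rate-limit`: the counters live in process memory, so a second container gets its own quota, and the IP must be the client's real address. Behind a reverse proxy Express sees the proxy's address unless `app.set('trust proxy', ...)` is configured, in which case every client would share one bucket and the session limit would be hit by legitimate traffic.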

## Environment Variables (full list for .env)

```
ABE_API_KEY=change-me-in-production
ABE_CORS_ORIGIN=http://localhost:5173
ABE_PORT=3001
ABE_DB_PATH=./data/abe.db
ABE_REPORTS_DIR=./reports
ABE_LOGS_DIR=./logs
NODE_ENV=production
```

## docker-compose update

Add .env file support and environment variables to docker-compose.yml.

Add a volumes entry for `data/` directory for SQLite persistence.