trentuna/candle-annotator
8
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions

Archive code-review-fix change and sync specs to main

Browse source 
- Synced 14 capability delta specs to main specs
- Created 6 new main specs: api-authentication, error-boundary, input-validation, security-headers, shared-types
- Updated 8 existing specs with security, validation, and performance requirements
- Archived change to openspec/changes/archive/2026-02-20-code-review-fix/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marko Djordjevic 2026-02-20 08:54:59 +01:00
parent adb93a2d2e
commit 925e7284e3
32 changed files with 691 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

39
openspec/specs/api-authentication/spec.md Normal file
View file

@ -0,0 +1,39 @@
## ADDED Requirements
### Requirement: Next.js API key middleware
The system SHALL enforce API key authentication on all `/api/*` routes via Next.js middleware (`src/middleware.ts`). The middleware SHALL read the expected key from the `API_KEY` environment variable. Requests MUST include the key in the `X-API-Key` header. If the key is missing or incorrect, the middleware SHALL return HTTP 401 with `{ "error": "Unauthorized" }`. The `/api/health` endpoint SHALL be exempt from authentication.
#### Scenario: Valid API key
- **WHEN** a request to `/api/candles` includes header `X-API-Key: <correct key>`
- **THEN** the request proceeds to the route handler normally
#### Scenario: Missing API key
- **WHEN** a request to `/api/candles` has no `X-API-Key` header
- **THEN** the middleware returns HTTP 401 with `{ "error": "Unauthorized" }`
#### Scenario: Invalid API key
- **WHEN** a request to `/api/candles` includes header `X-API-Key: wrong-key`
- **THEN** the middleware returns HTTP 401 with `{ "error": "Unauthorized" }`
#### Scenario: Health endpoint exempt
- **WHEN** a request to `/api/health` has no `X-API-Key` header
- **THEN** the request proceeds normally (health check is unauthenticated)
#### Scenario: API_KEY not configured
- **WHEN** the `API_KEY` environment variable is not set
- **THEN** the middleware SHALL allow all requests (auth disabled) and log a warning at startup
### Requirement: FastAPI API key dependency
The FastAPI ML service SHALL enforce API key authentication via a shared `Depends()` dependency. The dependency SHALL read the expected key from the `API_KEY` environment variable. Requests MUST include the key in the `X-API-Key` header. The `/health` endpoint SHALL be exempt.
#### Scenario: Valid API key on ML service
- **WHEN** a request to `/predict` includes the correct `X-API-Key` header
- **THEN** the request proceeds to the endpoint handler
#### Scenario: Unauthorized ML service request
- **WHEN** a request to `/predict` has no `X-API-Key` header and `API_KEY` is configured
- **THEN** the service returns HTTP 401 with `{ "detail": "Unauthorized" }`
#### Scenario: Next.js proxy forwards API key
- **WHEN** the Next.js proxy route calls the ML service
- **THEN** it SHALL include the `X-API-Key` header from its own environment variable