From c0237026446ccabddc4852a8852ab51f8c9f73c2 Mon Sep 17 00:00:00 2001 From: Marko Djordjevic Date: Wed, 18 Feb 2026 11:06:47 +0100 Subject: [PATCH] feat: add API_KEY to .env.example with placeholder and instructions - Add API_KEY environment variable with placeholder value 'change_me_to_a_strong_random_key' - Include helpful comment explaining its purpose: authentication between Next.js and ML service - Provide command for generating strong random value: openssl rand -hex 32 - Mark task 3.4 as completed --- .env.example | 4 ++++ openspec/changes/code-review-fix/tasks.md | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.env.example b/.env.example index 0a7db31..5a2bdd7 100644 --- a/.env.example +++ b/.env.example @@ -2,6 +2,10 @@ NODE_ENV=production PORT=3000 DATABASE_URL=postgresql://your_db_user:change_me_to_a_strong_password@postgres:5432/candle_annotator +# API key for authenticating requests between Next.js and ML service +# Generate a strong random value: openssl rand -hex 32 +API_KEY=change_me_to_a_strong_random_key + # ML Inference Service Configuration INFERENCE_API_URL=http://localhost:8001 INFERENCE_API_TIMEOUT=30000 diff --git a/openspec/changes/code-review-fix/tasks.md b/openspec/changes/code-review-fix/tasks.md index ce982bf..86e43c4 100644 --- a/openspec/changes/code-review-fix/tasks.md +++ b/openspec/changes/code-review-fix/tasks.md 
@@ -22,7 +22,7 @@ - [x] 3.1 `[sonnet]` Create `src/middleware.ts` with API key auth middleware: read `API_KEY` env var, check `X-API-Key` header on all `/api/*` routes except `/api/health`, return 401 if invalid - [x] 3.2 `[sonnet]` Add FastAPI `Depends()` API key dependency in `services/ml/app/main.py`: read `API_KEY` env var, check `X-API-Key` header, exempt `/health` endpoint - [x] 3.3 `[sonnet]` Update all Next.js proxy routes to forward `X-API-Key` header to ML service -- [ ] 3.4 `[haiku]` Add `API_KEY` to `.env.example` with placeholder value and instructions +- [x] 3.4 `[haiku]` Add `API_KEY` to `.env.example` with placeholder value and instructions ## 4. API Route Hardening (Next.js)
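Review bot: In the `.env.example` hunk, `API_KEY=change_me_to_a_strong_random_key` is a non-empty value that anyone reading the repository knows, so a deployment that copies the file unchanged gets a working but guessable key. Consider shipping the line as `API_KEY=` so an unset key is obvious, or say in the comment that the placeholder must be replaced before the services start. The visible lines do not show whether either service refuses to run with the placeholder, so that is worth confirming before merge. The comment could also state that Next.js and the ML service must be given the same value.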
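Review bot: In the `tasks.md` hunk, 3.4 is ticked off, but the instructions added to `.env.example` describe the key only as authenticating requests between Next.js and the ML service, while 3.1 in the same list has `src/middleware.ts` check the same `API_KEY` against `X-API-Key` on all `/api/*` routes except `/api/health`. Either extend the `.env.example` comment to cover that second use, or give the two boundaries separate variables so that a key handed to callers of the Next.js API does not also authenticate directly to the ML service.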