trentuna/candle-annotator
8
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions
candle-annotator/TODO.md
Marko Djordjevic c36ab7c146 Implement task 6.1: Create PUT /api/auth/profile endpoint for updating user display name 
- Create src/app/api/auth/profile/route.ts with PUT handler
- Validates user is authenticated (returns 401 if not)
- Validates request body has a non-empty name field
- Updates user's name in the database
- Returns 200 with updated user data

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 10:20:20 +01:00

17 lines
929 B
Markdown
Raw Permalink Blame History

If you want strict API-key-only auth later, put a reverse proxy in front and inject X-API-Key server-side for same-origin traffic.
Strict API-key-only means every request to /api/* must carry X-API-Key, including browser-originated ones.
Problem: you should not expose your real API_KEY in frontend JavaScript, because users can read it in DevTools.
So the pattern is:
Browser calls your app normally (no API key in JS).
Reverse proxy (Nginx/Traefik/Caddy) receives same-origin requests.
Proxy adds X-API-Key: <secret from server env> before forwarding to Next.js.
Next.js middleware enforces API key for all routes.
This keeps the key server-side only, while still making all backend routes protected.
Minimal Nginx example:
location /api/ {
proxy_pass http://candle-annotator:3000;
proxy_set_header X-API-Key $api_key_secret;
}
Then in Next.js middleware you can remove the same-origin bypass and require the key always.
Reference in a new issue View git blame Copy permalink