trentuna/candle-annotator
8
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions
candle-annotator/openspec/changes/code-review-fix/specs/api-authentication/spec.md
Marko Djordjevic c327ba3370 bind: MLflow port to 127.0.0.1:5000:5000 in docker-compose.yml 
Changes:
- Updated docker-compose.yml MLflow service port binding from 5000:5000 to 127.0.0.1:5000:5000
  to restrict access to localhost only for security
- Marked task 1.7 as complete in tasks.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 10:58:11 +01:00

39 lines
2.3 KiB
Markdown
Raw Blame History

## ADDED Requirements
### Requirement: Next.js API key middleware
The system SHALL enforce API key authentication on all `/api/*` routes via Next.js middleware (`src/middleware.ts`). The middleware SHALL read the expected key from the `API_KEY` environment variable. Requests MUST include the key in the `X-API-Key` header. If the key is missing or incorrect, the middleware SHALL return HTTP 401 with `{ "error": "Unauthorized" }`. The `/api/health` endpoint SHALL be exempt from authentication.
#### Scenario: Valid API key
- **WHEN** a request to `/api/candles` includes header `X-API-Key: <correct key>`
- **THEN** the request proceeds to the route handler normally
#### Scenario: Missing API key
- **WHEN** a request to `/api/candles` has no `X-API-Key` header
- **THEN** the middleware returns HTTP 401 with `{ "error": "Unauthorized" }`
#### Scenario: Invalid API key
- **WHEN** a request to `/api/candles` includes header `X-API-Key: wrong-key`
- **THEN** the middleware returns HTTP 401 with `{ "error": "Unauthorized" }`
#### Scenario: Health endpoint exempt
- **WHEN** a request to `/api/health` has no `X-API-Key` header
- **THEN** the request proceeds normally (health check is unauthenticated)
#### Scenario: API_KEY not configured
- **WHEN** the `API_KEY` environment variable is not set
- **THEN** the middleware SHALL allow all requests (auth disabled) and log a warning at startup
### Requirement: FastAPI API key dependency
The FastAPI ML service SHALL enforce API key authentication via a shared `Depends()` dependency. The dependency SHALL read the expected key from the `API_KEY` environment variable. Requests MUST include the key in the `X-API-Key` header. The `/health` endpoint SHALL be exempt.
#### Scenario: Valid API key on ML service
- **WHEN** a request to `/predict` includes the correct `X-API-Key` header
- **THEN** the request proceeds to the endpoint handler
#### Scenario: Unauthorized ML service request
- **WHEN** a request to `/predict` has no `X-API-Key` header and `API_KEY` is configured
- **THEN** the service returns HTTP 401 with `{ "detail": "Unauthorized" }`
#### Scenario: Next.js proxy forwards API key
- **WHEN** the Next.js proxy route calls the ML service
- **THEN** it SHALL include the `X-API-Key` header from its own environment variable
Reference in a new issue View git blame Copy permalink