candle-annotator/openspec/changes/archive/2026-02-20-code-review-fix/specs/api-authentication/spec.md
Marko Djordjevic 925e7284e3 Archive code-review-fix change and sync specs to main
- Synced 14 capability delta specs to main specs
- Created 6 new main specs: api-authentication, error-boundary, input-validation, security-headers, shared-types
- Updated 8 existing specs with security, validation, and performance requirements
- Archived change to openspec/changes/archive/2026-02-20-code-review-fix/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 08:54:59 +01:00

ADDED Requirements

Requirement: Next.js API key middleware

The system SHALL enforce API key authentication on all /api/* routes via Next.js middleware (src/middleware.ts). The middleware SHALL read the expected key from the API_KEY environment variable. Requests MUST include the key in the X-API-Key header. If the key is missing or incorrect, the middleware SHALL return HTTP 401 with { "error": "Unauthorized" }. The /api/health endpoint SHALL be exempt from authentication.

Scenario: Valid API key

  • WHEN a request to /api/candles includes header X-API-Key: <correct key>
  • THEN the request proceeds to the route handler normally

Scenario: Missing API key

  • WHEN a request to /api/candles has no X-API-Key header
  • THEN the middleware returns HTTP 401 with { "error": "Unauthorized" }

Scenario: Invalid API key

  • WHEN a request to /api/candles includes header X-API-Key: wrong-key
  • THEN the middleware returns HTTP 401 with { "error": "Unauthorized" }

Scenario: Health endpoint exempt

  • WHEN a request to /api/health has no X-API-Key header
  • THEN the request proceeds normally (health check is unauthenticated)

Scenario: API_KEY not configured

  • WHEN the API_KEY environment variable is not set
  • THEN the middleware SHALL allow all requests (auth disabled) and log a warning at startup

Requirement: FastAPI API key dependency

The FastAPI ML service SHALL enforce API key authentication via a shared Depends() dependency. The dependency SHALL read the expected key from the API_KEY environment variable. Requests MUST include the key in the X-API-Key header. The /health endpoint SHALL be exempt.

Scenario: Valid API key on ML service

  • WHEN a request to /predict includes the correct X-API-Key header
  • THEN the request proceeds to the endpoint handler

Scenario: Unauthorized ML service request

  • WHEN a request to /predict has no X-API-Key header and API_KEY is configured
  • THEN the service returns HTTP 401 with { "detail": "Unauthorized" }

Scenario: Next.js proxy forwards API key

  • WHEN the Next.js proxy route calls the ML service
  • THEN it SHALL include the X-API-Key header from its own environment variable
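
The decision logic behind the FastAPI scenarios above, written here as a framework-free Python sketch. It is an added example, not code from the candle-annotator repository. The names `load_expected_key`, `authorize` and `EXEMPT_PATHS` are hypothetical, and treating an unset API_KEY as "auth disabled" on the ML service is an assumption drawn from the "API_KEY is configured" wording and the Next.js scenario.

```python
import hmac
import logging
import os

log = logging.getLogger("api_auth")
EXEMPT_PATHS = frozenset({"/health"})  # spec: /health is unauthenticated


def load_expected_key(environ=os.environ):
    """Read API_KEY once at startup; None means auth is disabled."""
    key = environ.get("API_KEY", "")
    if not key:
        # Assumption: unset or empty both disable auth; warn loudly.
        log.warning("API_KEY is not set: API key authentication is disabled")
        return None
    return key


def authorize(path, headers, expected_key):
    """Return (status, body); (200, None) means the handler may run."""
    # Exact match only, so /healthz or /health/x are not exempt.
    if path in EXEMPT_PATHS or expected_key is None:
        return 200, None
    # HTTP header names are case-insensitive.
    supplied = next(
        (v for k, v in headers.items() if k.lower() == "x-api-key"), ""
    )
    # compare_digest takes time independent of where the values differ,
    # so response timing does not leak how much of a guess was right.
    if hmac.compare_digest(supplied.encode(), expected_key.encode()):
        return 200, None
    return 401, {"detail": "Unauthorized"}


if __name__ == "__main__":
    key = load_expected_key({"API_KEY": "constructed-sample-key"})
    requests = [  # constructed sample requests, one per scenario
        ("/predict", {"X-API-Key": "constructed-sample-key"}),
        ("/predict", {}),
        ("/predict", {"x-api-key": "wrong-key"}),
        ("/health", {}),
    ]
    for path, headers in requests:
        print(path, headers, "->", authorize(path, headers, key))
```

In FastAPI the 401 branch corresponds to raising `HTTPException(status_code=401, detail="Unauthorized")` from the shared dependency, which produces the { "detail": "Unauthorized" } body the scenario requires.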