trentuna/candle-annotator
8
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions
candle-annotator/openspec/specs/api-authentication/spec.md
Marko Djordjevic 925e7284e3 Archive code-review-fix change and sync specs to main 
- Synced 14 capability delta specs to main specs
- Created 6 new main specs: api-authentication, error-boundary, input-validation, security-headers, shared-types
- Updated 8 existing specs with security, validation, and performance requirements
- Archived change to openspec/changes/archive/2026-02-20-code-review-fix/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 08:54:59 +01:00

39 lines
2.3 KiB
Markdown
Raw Blame History

## ADDED Requirements
### Requirement: Next.js API key middleware
The system SHALL enforce API key authentication on all `/api/*` routes via Next.js middleware (`src/middleware.ts`). The middleware SHALL read the expected key from the `API_KEY` environment variable. Requests MUST include the key in the `X-API-Key` header. If the key is missing or incorrect, the middleware SHALL return HTTP 401 with `{ "error": "Unauthorized" }`. The `/api/health` endpoint SHALL be exempt from authentication.
#### Scenario: Valid API key
- **WHEN** a request to `/api/candles` includes header `X-API-Key: <correct key>`
- **THEN** the request proceeds to the route handler normally
#### Scenario: Missing API key
- **WHEN** a request to `/api/candles` has no `X-API-Key` header
- **THEN** the middleware returns HTTP 401 with `{ "error": "Unauthorized" }`
#### Scenario: Invalid API key
- **WHEN** a request to `/api/candles` includes header `X-API-Key: wrong-key`
- **THEN** the middleware returns HTTP 401 with `{ "error": "Unauthorized" }`
#### Scenario: Health endpoint exempt
- **WHEN** a request to `/api/health` has no `X-API-Key` header
- **THEN** the request proceeds normally (health check is unauthenticated)
#### Scenario: API_KEY not configured
- **WHEN** the `API_KEY` environment variable is not set
- **THEN** the middleware SHALL allow all requests (auth disabled) and log a warning at startup
### Requirement: FastAPI API key dependency
The FastAPI ML service SHALL enforce API key authentication via a shared `Depends()` dependency. The dependency SHALL read the expected key from the `API_KEY` environment variable. Requests MUST include the key in the `X-API-Key` header. The `/health` endpoint SHALL be exempt.
#### Scenario: Valid API key on ML service
- **WHEN** a request to `/predict` includes the correct `X-API-Key` header
- **THEN** the request proceeds to the endpoint handler
#### Scenario: Unauthorized ML service request
- **WHEN** a request to `/predict` has no `X-API-Key` header and `API_KEY` is configured
- **THEN** the service returns HTTP 401 with `{ "detail": "Unauthorized" }`
#### Scenario: Next.js proxy forwards API key
- **WHEN** the Next.js proxy route calls the ML service
- **THEN** it SHALL include the `X-API-Key` header from its own environment variable
Reference in a new issue View git blame Copy permalink