feat: add API key auth middleware for /generate routes #133

Closed

pook wants to merge 1 commit from feat/api-key-auth-middleware into main

pull from: feat/api-key-auth-middleware

merge into: pook:main

pook:main

pook:feat/ux-remediation

pook:master

pook:agent-task/681

pook:agent-task/mount-billing-api-prefix

pook:agent-task/772

pook:agent-task/769

pook:agent-task/760

pook:agent-task/756

pook:agent-task/757

pook:agent-task/703

pook:agent-task/702

pook:agent-task/688

pook:agent-task/684

pook:agent-task/683

pook:agent-task/674

pook:agent-task/668

pook:feat/simple-health-endpoint

pook:agent-task/663

pook:agent-task/658

pook:agent-task/653

pook:agent-task/651

pook:feat/api-billing-checkout

pook:agent-task/650

pook:agent-task/641

pook:agent-task/639

pook:agent-task/638

pook:feat/login-brute-force-protection

pook:agent-task/634

pook:feat/generate-retry-tests

pook:agent-task/625

pook:agent-task/622-validate-openai-responses

pook:agent-task/615-csrf-token-validation

pook:agent-task/614

pook:agent-task/612

pook:agent-task/611

pook:agent-task/606

pook:agent-task/597

pook:agent-task/596

pook:agent-task/588

pook:agent-task/583

pook:agent-task/575

pook:agent-task/574

pook:agent-task/571

pook:agent-task/570

pook:agent-task/562

pook:agent-task/561

pook:agent-task/556-npm-audit-fix

pook:agent-task/537

pook:agent-task/533

pook:agent-task/524

pook:agent-task/518

pook:agent-task/517

pook:agent-task/516

pook:agent-task/513

pook:agent-task/512

pook:agent-task/508

pook:feat/llm-error-handling-tests

pook:agent-task/483

pook:feat/openai-retry-502

pook:agent-task/478

pook:agent-task/477

pook:feat/csrf-double-submit

pook:agent-task/468

pook:feat/error-handler-middleware

pook:feat/global-request-timeout

pook:agent-task/454

pook:agent-task/453

pook:agent-task/449

pook:feat/llm-timeout-504

pook:feat/sanitize-generate-inputs

pook:fix/body-limit-1mb-test

pook:feat/openai-error-handling

pook:agent-task/426

pook:agent-task/425

pook:agent-task/421

pook:agent-task/420

pook:agent-task/419

pook:agent-task/408

pook:agent-task/406

pook:agent-task/407

pook:feat/zod-generate-validation

pook:agent-task/401

pook:agent-task/397

pook:agent-task/391

pook:agent-task/390

pook:feat/https-redirect-middleware

pook:agent-task/388

pook:agent-task/360

pook:feat/generate-1mb-body-limit

pook:feat/request-timeout

pook:feat/checkout-rate-limit

pook:feat/webhook-rate-limit

pook:feat/centralized-error-handler

pook:agent-task/345

pook:agent-task/342

pook:agent-task/341

pook:agent-task/337

pook:feat/generate-rate-limit

pook:agent-task/332

pook:agent-task/331

pook:agent-task/329

pook:agent-task/325

pook:agent-task/324

pook:feat/single-stage-dockerfile

pook:feat/jest-typecheck-ci-gate

pook:feat/rebase-open-prs-script

pook:fix/unblock-pr-pipeline

pook:agent-task/251

pook:feat/deploy-migrations-on-startup

pook:agent-task/247

pook:agent-task/242

pook:agent-task/241

pook:agent-task/236

pook:fix/close-duplicate-issues

pook:agent-task/237

pook:agent-task/235

pook:agent-task/232

pook:agent-task/231

pook:agent-task/228

pook:agent-task/227

pook:agent-task/222

pook:agent-task/221

pook:feat/stripe-checkout-endpoint

pook:fix/134-sanitize-ai-output

pook:agent-task/212

pook:agent-task/211

pook:test/export-render-unit-tests

pook:agent-task/206

pook:agent-task/205

pook:feat/download-token-utility

pook:feat/security-headers-v2

pook:agent-task/196

pook:fix/env-var-validation

pook:feat/health-endpoint-tests

pook:feat/cors-middleware

pook:agent-task/185

pook:agent-task/184

pook:agent-task/180

pook:feat/pr-triage-workflow

pook:agent-task/177

pook:feat/dockerfile-deploy

pook:feature/131-api-key-auth

pook:feat/graceful-shutdown

pook:agent-task/170

pook:feat/pr-triage-script

pook:agent-task/166

pook:feat/ccpa-privacy-policy

pook:feat/auto-migrate-on-startup

pook:feat/auto-rebase-workflow

pook:feat/openai-timeout-guard

pook:agent-task/154

pook:agent-task/155

pook:feat/body-size-limit-generate

pook:feat/health-endpoint

pook:ci/pr-checks

pook:agent-task/145

pook:feat/startup-env-validation

pook:agent-task/141

pook:feat/stripe-document-checkout

pook:fix/116-sanitize-ai-generated-content

pook:feat/document-validation-41

pook:feature/document-generator-unit-tests

pook:feature/openai-retry-logic

pook:feature/auto-merge-script

pook:feature/ci-auto-labeling

pook:fix/llm-response-null-checks

pook:feat/generate-smoke-tests

pook:feature/request-logging-middleware

pook:feature/csrf-protection

pook:feature/request-id-middleware

pook:feature/cors-allowlist

pook:feature/rate-limit-generate

pook:feature/citation-scanner-and-disclaimer

pook:feature/input-length-validation

pook:feat/ci-quality-gate

pook:fix/stripe-webhook-raw-body

pook:feat/ci-pr-checks

pook:fix/webhook-raw-body-preservation

pook:feat/ci-workflow

pook:feature/71-raw-body-webhook

pook:feature/template-rendering-tests

pook:feature/stripe-document-webhook

pook:feat/security-headers

pook:feat/stripe-webhook-raw-body

pook:feat/startup-migrations

pook:feature/ai-generation-timeout

pook:feature/dependency-audit-ci

pook:feat/webhook-idempotency

pook:feature/body-size-limit

pook:feature/startup-env-validation

pook:ci/add-pr-pipeline

pook:feature/auth-middleware

pook:feature/ccpa-optout-endpoint

pook:feature/async-document-generation

pook:feature/stripe-checkout-paywall

pook:feature/post-generation-validation

pook:feature/llm-retry-mechanism

pook:feature/document-history

pook:feature/prometheus-metrics

pook:feature/dpa-document-type

pook:feature/input-validation-sanitization

pook:feature/document-email-send

pook:feature/api-health-endpoint

Conversation 2 Commits 1 Files changed 3 +199 -1

pook commented 2026-04-08 21:04:49 -04:00

Owner

Copy link

Summary

• Adds apiKeyAuth middleware (src/middleware/apiKeyAuth.ts) that validates Authorization: Bearer <key> or X-API-Key: <key> headers against comma-separated API_KEYS env var
• Applied to all /generate/* routes; /health and other endpoints remain unauthenticated
• Returns 401 { error: 'unauthorized', message: 'Valid API key required' } for missing/invalid keys
• Attaches validated key to request context (c.set("apiKey", key)) for downstream logging

Test plan

• Unit tests: missing header → 401
• Unit tests: invalid key → 401
• Unit tests: valid Bearer key → passes through with key on context
• Unit tests: valid X-API-Key → passes through
• Unit tests: /health remains unauthenticated
• Edge cases: empty Bearer token, non-Bearer auth scheme → 401
• All 8 tests passing

Closes #49

🤖 Generated with Claude Code

## Summary - Adds `apiKeyAuth` middleware (`src/middleware/apiKeyAuth.ts`) that validates `Authorization: Bearer <key>` or `X-API-Key: <key>` headers against comma-separated `API_KEYS` env var - Applied to all `/generate/*` routes; `/health` and other endpoints remain unauthenticated - Returns `401 { error: 'unauthorized', message: 'Valid API key required' }` for missing/invalid keys - Attaches validated key to request context (`c.set("apiKey", key)`) for downstream logging ## Test plan - [x] Unit tests: missing header → 401 - [x] Unit tests: invalid key → 401 - [x] Unit tests: valid Bearer key → passes through with key on context - [x] Unit tests: valid X-API-Key → passes through - [x] Unit tests: /health remains unauthenticated - [x] Edge cases: empty Bearer token, non-Bearer auth scheme → 401 - [x] All 8 tests passing Closes #49 🤖 Generated with [Claude Code](https://claude.com/claude-code)

pook added 1 commit 2026-04-08 21:04:49 -04:00

feat: add API key auth middleware to protect /generate routes ... 72221bbf78

Unauthenticated /api/generate endpoints allow anyone to burn OpenAI credits.
This adds apiKeyAuth middleware that validates Bearer token or X-API-Key
header against API_KEYS env var, returning 401 for missing/invalid keys.

Closes #49

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pook commented 2026-04-08 21:04:58 -04:00

Author

Owner

Copy link

⚠️ No Test Suite Detected

Commit: 72221bbf

No test script found in package.json. Add a test script to enable automated testing.

## ⚠️ No Test Suite Detected **Commit:** `72221bbf` No `test` script found in `package.json`. Add a test script to enable automated testing.

pook referenced this pull request 2026-04-08 21:31:00 -04:00

Close duplicate and superseded issues — #112, #54, #59, #58, #49, #69 #141

pook referenced this pull request 2026-04-08 21:32:17 -04:00

Add API key authentication middleware for protected generation endpoints #49

pook referenced this pull request 2026-04-08 21:32:35 -04:00

[Agent] Issue #141: multiple open issues are duplicates of n #143

pook referenced this pull request 2026-04-09 06:15:40 -04:00

PR pipeline unblocked: 18 PRs merged, 48 remaining need rebase #254

pook commented 2026-04-10 15:08:16 -04:00

Author

Owner

Copy link

Closed 2026-04-10 during pipeline triage.

Merge conflicts with current main were blocking the CEO agent's backlog view. The compliancebot repo had ~60 open PRs and 141 open agent-task issues. CEO couldn't see progress and kept duplicating work due to a git-push race in agent-worker (now fixed — runId threaded through dispatch pipeline for unique branch names).

Reopen / resubmit against current main if the work is still relevant. Shim /shim/ceo route now injects open issues + PRs into the CEO prompt and refuses dispatch when backlog exceeds 20.

Closed 2026-04-10 during pipeline triage. Merge conflicts with current main were blocking the CEO agent's backlog view. The compliancebot repo had ~60 open PRs and 141 open agent-task issues. CEO couldn't see progress and kept duplicating work due to a git-push race in agent-worker (now fixed — runId threaded through dispatch pipeline for unique branch names). Reopen / resubmit against current main if the work is still relevant. Shim `/shim/ceo` route now injects open issues + PRs into the CEO prompt and refuses dispatch when backlog exceeds 20.

pook closed this pull request 2026-04-10 15:08:16 -04:00

Some checks are pending

Hide all checks

agent-worker/pr-tests Running PR tests...

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

agent-task

Task for autonomous agent execution

  

agent-task

Paperclip autonomous agent task

No labels

agent-task

agent-task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pook/compliancebot!133

No description provided.