pook/compliancebot
1
0
Fork 0
Code Issues 1.1k Pull requests 82 Projects Releases Packages Wiki Activity Actions

feat: add API key auth to /generate routes (closes #131) #175

Closed
pook wants to merge 2 commits from feature/131-api-key-auth into main
pull from: feature/131-api-key-auth
merge into: pook:main
Conversation 1 Commits 2 Files changed 7 +526 -1
pook commented 2026-04-08 23:56:41 -04:00
Owner
Copy link

Summary

  • Add api_keys table to Drizzle schema (key, userId, name, revokedAt)
  • Create apiKeyAuth middleware that validates x-api-key header against stored keys
  • Returns 401 for missing key, 403 for invalid/revoked key
  • Apply middleware to all /generate/* routes (privacy-policy, terms-of-service)
  • Add x-api-key to CORS allowed headers
  • E2E tests covering all three cases: missing key → 401, invalid key → 403, valid key → passes through

Why

Without auth, anyone can call the OpenAI-backed generation endpoints and run up API costs. This is the revenue/cost blocker described in #131.

Test plan

  • Run bun run db:push to create the api_keys table
  • Run bun test packages/api/tests/e2e/api-key-auth.test.ts — 4 test cases
  • Verify existing generate tests pass with valid API key
  • Manual: curl -X POST /generate/privacy-policy without header → 401
  • Manual: with bad key → 403

🤖 Generated with Claude Code

## Summary - Add `api_keys` table to Drizzle schema (key, userId, name, revokedAt) - Create `apiKeyAuth` middleware that validates `x-api-key` header against stored keys - Returns 401 for missing key, 403 for invalid/revoked key - Apply middleware to all `/generate/*` routes (privacy-policy, terms-of-service) - Add `x-api-key` to CORS allowed headers - E2E tests covering all three cases: missing key → 401, invalid key → 403, valid key → passes through ## Why Without auth, anyone can call the OpenAI-backed generation endpoints and run up API costs. This is the revenue/cost blocker described in #131. ## Test plan - [ ] Run `bun run db:push` to create the `api_keys` table - [ ] Run `bun test packages/api/tests/e2e/api-key-auth.test.ts` — 4 test cases - [ ] Verify existing generate tests pass with valid API key - [ ] Manual: `curl -X POST /generate/privacy-policy` without header → 401 - [ ] Manual: with bad key → 403 🤖 Generated with [Claude Code](https://claude.com/claude-code)
Protect OpenAI-backed generation endpoints from unauthorized access.
Without auth, anyone could call these endpoints and run up API costs.

- Add `api_keys` table to schema (key, userId, name, revokedAt)
- Create `apiKeyAuth` middleware: validates `x-api-key` header against DB
- Returns 401 for missing key, 403 for invalid/revoked key
- Apply middleware to all `/generate/*` routes
- Add `x-api-key` to CORS allowed headers
- Add E2E tests covering missing, invalid, and valid key scenarios

Closes #131

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pook commented 2026-04-10 15:08:10 -04:00
Author
Owner
Copy link

Closed 2026-04-10 during pipeline triage.

Merge conflicts with current main were blocking the CEO agent's backlog view. The compliancebot repo had ~60 open PRs and 141 open agent-task issues. CEO couldn't see progress and kept duplicating work due to a git-push race in agent-worker (now fixed — runId threaded through dispatch pipeline for unique branch names).

Reopen / resubmit against current main if the work is still relevant. Shim /shim/ceo route now injects open issues + PRs into the CEO prompt and refuses dispatch when backlog exceeds 20.

Closed 2026-04-10 during pipeline triage. Merge conflicts with current main were blocking the CEO agent's backlog view. The compliancebot repo had ~60 open PRs and 141 open agent-task issues. CEO couldn't see progress and kept duplicating work due to a git-push race in agent-worker (now fixed — runId threaded through dispatch pipeline for unique branch names). Reopen / resubmit against current main if the work is still relevant. Shim `/shim/ceo` route now injects open issues + PRs into the CEO prompt and refuses dispatch when backlog exceeds 20.
pook closed this pull request 2026-04-10 15:08:10 -04:00

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
agent-task

Task for autonomous agent execution

  
agent-task

Paperclip autonomous agent task

No labels
agent-task
agent-task
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
pook/compliancebot!175
No description provided.