Security: API authentication & rate-limiting #329

Closed
opened 2026-03-02 12:32:01 +00:00 by jack · 0 comments
Owner

Problem

The backend API currently has no authentication → anyone can make API calls.

Risks:

  • Unauthorized access to sessions/observations
  • DoS via mass requests
  • Token leaks (if tokens are stored in the DB)

Desired security measures

1. API-Key Authentication

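```typescript
// packages/backend/src/middleware/auth.ts
import type { NextFunction, Request, Response } from 'express';

// Rejects any request that does not present the configured API key.
export function requireApiKey(req: Request, res: Response, next: NextFunction) {
  // The key is read from the x-api-key header, falling back to the ?key= query parameter.
  const apiKey = req.headers['x-api-key'] || req.query.key;

  // Fails closed: a missing key, or an unset API_KEY, never matches.
  if (!apiKey || apiKey !== process.env.API_KEY) {
    return res.status(401).json({ error: 'Unauthorized' });
  }

  next();
}
```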

2. Rate-Limiting

Already implemented with multiple tiers (standard, expensive, search, admin, worker spawn, speed limiter).

3. CORS-Protection

Configurable via CORS_ORIGINS setting.

4. Input-Validation (Zod)

Zod schemas for hooks routes (session start/end, prompt, observation, user tasks).

5. Helmet.js (Security Headers)

Added with CSP, X-Frame-Options, X-Content-Type-Options.

Acceptance Criteria

  • [x] API key auth implemented
  • [x] Rate limiting active
  • [x] CORS configured
  • [x] Input validation (Zod)
  • [x] Helmet.js security headers
  • [x] API key is generated on first start
  • [x] Documentation in README.md

Priority

High - Critical for production deployment.

Related

Token storage encryption and audit log are handled in separate issues.
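
An added example (not code from the issue or the project) that combines item 1 with the acceptance criterion that the API key is generated on first start: it persists a random key, compares keys in constant time, and accepts the key from the header only. The function names, the key-file path argument, and the minimal `Req`/`Res` types standing in for Express are assumptions.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
import { existsSync, readFileSync, writeFileSync } from "node:fs";

// Minimal structural stand-ins for Express types, so the block runs without Express.
type Req = { headers: Record<string, string | string[] | undefined> };
type Res = { status(code: number): { json(body: unknown): unknown } };

// Hypothetical helper: reuse the key in keyFile, or generate one on first start.
export function loadOrCreateApiKey(keyFile: string): string {
  if (existsSync(keyFile)) return readFileSync(keyFile, "utf8").trim();
  const key = randomBytes(32).toString("hex"); // 256 bits from the OS CSPRNG
  // "wx" refuses to overwrite an existing file; 0o600 is owner read/write only.
  writeFileSync(keyFile, key + "\n", { flag: "wx", mode: 0o600 });
  return key;
}

// Compare in constant time. Hashing first gives timingSafeEqual equal-length inputs.
export function keysMatch(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

// Middleware factory: the key is injected once at startup instead of read per request.
export function makeRequireApiKey(expected: string) {
  if (!expected) throw new Error("API key is not configured"); // fail closed at startup
  return (req: Req, res: Res, next: () => void): void => {
    const presented = req.headers["x-api-key"]; // header only, no query-string fallback
    if (typeof presented !== "string" || !keysMatch(presented, expected)) {
      res.status(401).json({ error: "Unauthorized" });
      return;
    }
    next();
  };
}

// Constructed harness: returns 200 if next() ran, otherwise the status that was sent.
export function simulate(mw: ReturnType<typeof makeRequireApiKey>, headers: Req["headers"]): number {
  let code = 0;
  const res: Res = { status: (c) => { code = c; return { json: () => undefined }; } };
  mw({ headers }, res, () => { code = 200; });
  return code;
}
```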


Reference
customable/claude-mem#329