
Api key management — production auth for admin#359

Open
clintjeff2 wants to merge 2 commits into
Bitcoindefi:mainfrom
clintjeff2:API-key-management-—-production-auth-for-admin


Conversation

@clintjeff2

Contributor

Motivation

  • Protect admin console and public API endpoints with production-ready API keys and tiered rate limits to enable safe production use.
  • Provide an admin-managed workflow for issuing scoped service keys (create/rotate/revoke) and track usage for billing/monitoring.

Description

  • Add lib/auth/api-keys.ts implementing key generation, hashed storage, prefix display, rotation, revocation, expiry, last-used timestamp, request counting, and extraction from Authorization: Bearer or ?apiKey=.
  • Add lib/auth/middleware.ts which maps routes to required scopes, validates keys (including an ADMIN_API_KEY fallback), and enforces tiered rate limits (anonymous 10/min, free 60/min, pro 600/min, admin unlimited) using the existing lib/rate-limit helper.
  • Update root middleware.ts to apply the new auth middleware for /api/* and /admin/* routes via applyApiAuth.
  • Add admin endpoints app/api/admin/keys plus POST subroutes to rotate and revoke keys, and an admin UI page at app/admin/keys/page.tsx to list/manage keys.
  • Move the previous lib/auth.ts into lib/auth/index.ts and add unit tests in lib/auth/api-keys.test.ts covering key creation and scoped validation.

Testing

  • Ran unit tests with npm test -- --run lib/auth/api-keys.test.ts, and the new auth tests passed (2 tests).
  • Ran ESLint on the modified/new files with npx eslint middleware.ts lib/auth app/api/admin/keys app/admin/keys; no new lint errors were reported for those files.
  • Ran npx tsc --noEmit, which surfaced pre-existing unrelated TypeScript errors (in app/api/agents/[id]/tasks/drain/route.ts, lib/wallet-config.ts, and tests/lib/agents/task-drain.test.ts) that are outside this change.
  • Running the full npm run lint also reported unrelated existing lint issues (not introduced by this PR) in app/offline/page.tsx and lib/passport/validator-client.ts.

Closes #39
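The scheme the description lists (hashed storage, prefix display, scopes, expiry, rotation, revocation, last-used/request counting, extraction from Authorization: Bearer or ?apiKey=, and the tiered per-minute limits) as an added, self-contained TypeScript example with an in-memory store. This is example code, not code from the PR or the Bitcoindefi repository; the names ApiKeyStore, RateLimiter, extractApiKey, authorize and ROUTE_SCOPES, the sk_ key prefix and the route-to-scope table are assumptions.

```typescript
// Added example (not code from the PR or the Bitcoindefi repo): an in-memory model of the
// scheme the PR describes. ApiKeyStore, RateLimiter, extractApiKey, authorize, ROUTE_SCOPES are assumed names.
import { createHash, randomBytes } from "crypto";

export type Tier = "free" | "pro" | "admin";
export type Caller = Tier | "anonymous";

export interface ApiKeyRecord {
  id: string;      // opaque id for the admin UI; not secret
  prefix: string;  // leading chars of the key, safe to show in listings
  hash: string;    // sha256(key) hex; the plaintext is never stored
  scopes: string[]; tier: Tier;
  expiresAt: number | null; revokedAt: number | null; lastUsedAt: number | null; // epoch ms
  requestCount: number;
}

export function hashKey(key: string): string {
  return createHash("sha256").update(key).digest("hex");
}

export class ApiKeyStore {
  private byHash = new Map<string, ApiKeyRecord>();
  constructor(private now: () => number = () => Date.now()) {}

  // Returns the plaintext exactly once; the caller shows it and must not persist it.
  create(scopes: string[], tier: Tier, expiresAt: number | null = null) {
    const key = "sk_" + randomBytes(24).toString("base64url"); // 192 bits of entropy
    const record: ApiKeyRecord = {
      id: randomBytes(8).toString("hex"), prefix: key.slice(0, 10), hash: hashKey(key),
      scopes: [...scopes], tier, expiresAt, revokedAt: null, lastUsedAt: null, requestCount: 0,
    };
    this.byHash.set(record.hash, record);
    return { key, record };
  }

  findById(id: string): ApiKeyRecord | undefined {
    for (const r of this.byHash.values()) if (r.id === id) return r;
    return undefined;
  }

  revoke(id: string): boolean {
    const r = this.findById(id);
    if (!r || r.revokedAt !== null) return false;
    r.revokedAt = this.now(); return true;
  }

  // Rotation: mint a replacement with the same scopes, tier and expiry, then revoke the old key.
  rotate(id: string): { key: string; record: ApiKeyRecord } | null {
    const old = this.findById(id);
    if (!old || old.revokedAt !== null) return null;
    const fresh = this.create(old.scopes, old.tier, old.expiresAt);
    this.revoke(id);
    return fresh;
  }

  // Lookup is by digest of a 192-bit random key, so a timing leak on the map comparison reveals
  // nothing usable. Scope is checked before last-used/count are updated.
  validate(key: string, requiredScope: string): ApiKeyRecord | null {
    const r = this.byHash.get(hashKey(key));
    if (!r || r.revokedAt !== null) return null;
    if (r.expiresAt !== null && r.expiresAt <= this.now()) return null;
    if (!r.scopes.includes(requiredScope)) return null;
    r.lastUsedAt = this.now();
    r.requestCount += 1;
    return r;
  }
}

// Per-minute budgets from the PR description; null means unlimited.
export const TIER_LIMITS: Record<Caller, number | null> = { anonymous: 10, free: 60, pro: 600, admin: null };

// Fixed one-minute window per subject (client IP for anonymous callers, key id otherwise).
export class RateLimiter {
  private windows = new Map<string, { start: number; count: number }>();
  constructor(private now: () => number = () => Date.now(), private windowMs = 60_000) {}
  allow(subject: string, caller: Caller): boolean {
    const limit = TIER_LIMITS[caller];
    if (limit === null) return true;
    const t = this.now();
    const w = this.windows.get(subject);
    if (!w || t - w.start >= this.windowMs) { this.windows.set(subject, { start: t, count: 1 }); return true; }
    if (w.count >= limit) return false;
    w.count += 1;
    return true;
  }
}

// `Authorization: Bearer <key>` is preferred; `?apiKey=` is the fallback.
export function extractApiKey(headers: Record<string, string | undefined>, url: string): string | null {
  const m = /^Bearer\s+(\S+)$/i.exec(headers["authorization"] ?? "");
  if (m) return m[1] ?? null;
  return new URL(url, "http://localhost").searchParams.get("apiKey") || null;
}

// Route -> required scope (assumed table). Unmatched routes are public but still rate limited.
const ROUTE_SCOPES: Array<[RegExp, string]> = [[/^\/api\/admin\//, "admin"], [/^\/api\//, "api:read"]];

// Middleware decision as an HTTP status: 200 pass, 401 missing/invalid key, 429 over budget.
// Every key failure collapses to 401 so a caller cannot probe which check rejected it.
export function authorize(store: ApiKeyStore, limiter: RateLimiter,
  headers: Record<string, string | undefined>, url: string, clientIp: string): number {
  const path = new URL(url, "http://localhost").pathname;
  const scope = ROUTE_SCOPES.find(([re]) => re.test(path))?.[1] ?? null;
  if (scope === null) return limiter.allow("ip:" + clientIp, "anonymous") ? 200 : 429;
  const key = extractApiKey(headers, url);
  const rec = key === null ? null : store.validate(key, scope);
  if (rec === null) return 401;
  return limiter.allow("key:" + rec.id, rec.tier) ? 200 : 429;
}
```

Two things a reviewer would check against the real lib/auth code: a key accepted from ?apiKey= lands in access logs, browser history and Referer headers, so the header form should be the documented one and the query form redacted from logging if it is kept; and the ADMIN_API_KEY fallback is a single environment-variable credential with no prefix, expiry or rotation path, so it should go through the same hashed comparison and be possible to disable in production.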

…entication

Add API key auth management (scoped service keys, admin UI, middleware)
@sonarqubecloud



Development

Successfully merging this pull request may close these issues.

API key management — production auth for admin and public endpoints
