Skip to content

auth: static X-API-Key gate; 0.3.0#10

Merged
anthrax63 merged 2 commits into
mainfrom
agent/cto/03bf4143
Jul 2, 2026
Merged

auth: static X-API-Key gate; 0.3.0#10
anthrax63 merged 2 commits into
mainfrom
agent/cto/03bf4143

Conversation

@anthrax63

Copy link
Copy Markdown
Member

Summary

Adds an optional static `X-API-Key` gate so `/single` and `/multi` can be safely exposed via ingress. `/healthz` stays open for k8s probes and external liveness monitors. When `api_token` is empty the middleware is a passthrough — dev-stand and port-forward callers keep working without headers.

Wire-up

  • `KZ_SCORING_API_TOKEN` (env / helm `apiToken`) — the shared secret.
  • Chart renders a dedicated `Secret` only when `apiToken` is set and mounts it via `envFrom` on top of the existing ConfigMap.
  • Comparison uses `hmac.compare_digest` — constant-time regression pinned in tests.

Caller shape

```
curl -H "X-API-Key: " "https://kz-scoring.cdp.beelinekz.aggregion.com/single?iin=700205302324\"
```

Test plan

  • `pytest tests/` — 61/61 pass (8 new cases in `tests/test_api_token.py`: healthz-open, missing header, wrong token, correct token, /multi mirror, constant-time compare, disabled-when-empty).
  • `helm template chart --set apiToken=abc123` — Secret + secretRef appear; `helm template chart` (no token) — nothing extra.
  • Overlay bump in kartel-deploy (separate PR): enable ingress + set `apiToken` from a generated value, bump image tag `0.2.3 → 0.3.0`.

Not in scope

Multi-token, per-caller quotas, rotation. Middleware can grow to handle those without breaking callers.

🤖 Generated with Claude Code

DevOps (Aivo agent) and others added 2 commits July 2, 2026 09:14
Enables exposing /single and /multi through ingress while keeping the
service protected by a static shared secret. /healthz stays open so k8s
probes and external liveness monitors don't need to know the token.

- config: new optional `api_token` (env KZ_SCORING_API_TOKEN). Empty =
  no auth (matches original behaviour; dev-stand and port-forward keep
  working without headers).
- app: HTTP middleware compares X-API-Key against api_token via
  hmac.compare_digest. /healthz bypasses the gate.
- chart: dedicated Secret rendered only when apiToken is set, mounted
  via envFrom; deployment stays unchanged when auth is off.
- tests: 8 new cases covering healthz-open, missing header, wrong token,
  correct token, /multi mirror, and constant-time compare regression
  (61 tests total, all green).

Not in scope: multi-token / per-caller quotas / rotation. If needed
later, this middleware can be extended without breaking callers.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: multica-agent <github@multica.ai>
Co-authored-by: multica-agent <github@multica.ai>
@anthrax63 anthrax63 merged commit fa73c5c into main Jul 2, 2026
3 checks passed
@anthrax63 anthrax63 deleted the agent/cto/03bf4143 branch July 2, 2026 09:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant