feat: secure API authentication system #27

Open
venkidesh04 wants to merge 10 commits into main from feat/secure-auth-system

@venkidesh04
Contributor

Overview

This PR introduces a secure authentication and request validation pipeline between the CLI and controller, replacing the previous plaintext API key approach.


Key Improvements

CLI Enhancements

  • Secure API Key Storage

    • API key is now stored in the OS keychain (via go-keyring)
    • Removes dependency on plaintext storage in ~/.mini/config.json
  • Request Signing

    • All outgoing requests include:

      • Authorization: Bearer <api_key>
      • X-Timestamp
      • X-Signature
  • Centralized Auth Handling

    • attachAuth() and NewSignedRequest() ensure consistent signing across all CLI commands (deploy, logs, etc.)

Controller Enhancements

  • Authentication Middleware

    • Sequential validation pipeline:

      1. API Key validation (constant-time compare)
      2. Timestamp validation (±5 minute window)
      3. HMAC signature verification
  • Replay Protection

    • Timestamp validation prevents reuse of captured requests
  • Request Integrity

    • HMAC ensures request authenticity and tamper detection
  • Rate Limiting

    • Applied globally via middleware
    • Default: 10 req/sec, burst 20
    • Includes cleanup of idle limiter entries

- add cli/keychain/keychain.go wrapping go-keyring
- migrate set-api-key cmd to write into OS keychain
- migrate deploy and logs cmds to read API key from keychain
- remove api_key field from cli/config/config.go (no longer stored on disk)
- add github.com/zalando/go-keyring to cli/go.mod
- add cli/signer/signer.go with Sign() and Headers() helpers
- update cli/client/client.go to attach X-Timestamp and X-Signature on every request
- add NewSignedRequest helper for commands that build requests directly (logs)
- update cli/cmd/logs.go to use NewSignedRequest
- add controller/internal/auth/hmac.go with ValidateTimestamp and ValidateHMAC
- update controller/internal/auth/middleware.go to run timestamp and HMAC checks
  after API key validation
- expose AuthService.Secret() for use within the auth package
- add controller/internal/ratelimit/ratelimit.go
- per-IP token-bucket limiter using golang.org/x/time/rate
- respects X-Forwarded-For for clients behind proxies
- wrap all protected routes with ratelimit.Middleware
- apply rate limiter globally (before routing) using ratelimit.DefaultConfig
- no handler logic changes; purely middleware wiring in main.go
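
As an added example (not code from this PR or the project), here is a Go sketch of the controller-side checks in the order the description lists them. The function names, the signed-string layout (method, path, timestamp, body), the Unix-seconds timestamp format and the separate HMAC secret are assumptions; the PR text does not specify them.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

const maxSkew = 5 * time.Minute // the ±5 minute window from the PR description

// signRequest (hypothetical) returns hex(HMAC-SHA256(secret, method\npath\nts\nbody)).
// The signed-string layout is an assumption, not taken from the PR.
func signRequest(secret []byte, method, path, ts string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	fmt.Fprintf(mac, "%s\n%s\n%s\n", method, path, ts)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyRequest (hypothetical) runs the checks in order: key, timestamp, HMAC.
func verifyRequest(apiKey, secret []byte, now time.Time, bearer, method, path, ts, sig string, body []byte) error {
	if subtle.ConstantTimeCompare([]byte(bearer), apiKey) != 1 {
		return errors.New("invalid api key")
	}
	sec, err := strconv.ParseInt(ts, 10, 64) // assumed format: Unix seconds
	if err != nil {
		return errors.New("malformed timestamp")
	}
	if d := now.Sub(time.Unix(sec, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside window")
	}
	if !hmac.Equal([]byte(sig), []byte(signRequest(secret, method, path, ts, body))) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	key, secret := []byte("constructed-key"), []byte("constructed-secret") // constructed sample values
	now := time.Unix(1700000000, 0)
	ts := strconv.FormatInt(now.Unix(), 10)
	body := []byte(`{"app":"demo"}`)
	sig := signRequest(secret, "POST", "/deploy", ts, body)
	fmt.Println(verifyRequest(key, secret, now, "constructed-key", "POST", "/deploy", ts, sig, body))
}
```

In this sketch a request presented again inside the ±5 minute window still passes all three checks; rejecting that case needs a nonce or a cache of recently seen signatures, which is omitted here.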