fix(gateway): enforce API key auth on inventory and budget services (#5)
- Added X-API-Key middleware to inventory-service and budget-service - Services reject all requests without valid API key (401) - Gateway proxy injects service API keys for inventory and budget - Dashboard widget fetchers inject API keys - Generated unique API keys per service, stored in .env - Added SERVICE_API_KEY env var to docker-compose for both services Partial fix for #5 — internal services now require auth. Remaining: document trust model, validate service token semantics.
This commit is contained in:
Yusuf Suleman
@@ -34,6 +34,8 @@ services:
|
||||
- TRIPS_BACKEND_URL=http://trips-service:8087
|
||||
- FITNESS_BACKEND_URL=http://fitness-service:8095
|
||||
- INVENTORY_BACKEND_URL=http://inventory-service:3000
|
||||
- INVENTORY_SERVICE_API_KEY=${INVENTORY_SERVICE_API_KEY}
|
||||
- BUDGET_SERVICE_API_KEY=${BUDGET_SERVICE_API_KEY}
|
||||
- MINIFLUX_URL=${MINIFLUX_URL:-http://miniflux:8080}
|
||||
- MINIFLUX_API_KEY=${MINIFLUX_API_KEY}
|
||||
- TRIPS_API_TOKEN=${TRIPS_API_TOKEN}
|
||||
@@ -114,6 +116,7 @@ services:
|
||||
- PUBLIC_APP_URL=${PLATFORM_ORIGIN}/inventory
|
||||
- IMMICH_URL=${IMMICH_URL}
|
||||
- IMMICH_API_KEY=${IMMICH_API_KEY}
|
||||
- SERVICE_API_KEY=${INVENTORY_SERVICE_API_KEY}
|
||||
- TZ=${TZ:-America/Chicago}
|
||||
networks:
|
||||
- default
|
||||
@@ -130,6 +133,7 @@ services:
|
||||
- ACTUAL_SERVER_URL=http://actualbudget:5006
|
||||
- ACTUAL_PASSWORD=${ACTUAL_PASSWORD}
|
||||
- ACTUAL_SYNC_ID=${BUDGET_SYNC_ID}
|
||||
- SERVICE_API_KEY=${BUDGET_SERVICE_API_KEY}
|
||||
- TZ=${TZ:-America/Chicago}
|
||||
networks:
|
||||
- default
|
||||
|
||||
Reference in New Issue
Block a user