fix(gateway): enforce API key auth on inventory and budget services (#5)
- Added X-API-Key middleware to inventory-service and budget-service
- Services reject all requests without valid API key (401)
- Gateway proxy injects service API keys for inventory and budget
- Dashboard widget fetchers inject API keys
- Generated unique API keys per service, stored in .env
- Added SERVICE_API_KEY env var to docker-compose for both services

Partial fix for #5 — internal services now require auth.
Remaining: document trust model, validate service token semantics.
@@ -23,6 +23,10 @@ SHELFMARK_URL = os.environ.get("SHELFMARK_URL", "http://shelfmark:8084")
|
||||
SPOTIZERR_URL = os.environ.get("SPOTIZERR_URL", "http://spotizerr-app:7171")
|
||||
BUDGET_URL = os.environ.get("BUDGET_BACKEND_URL", "http://localhost:3001")
|
||||
|
||||
# ── Service API keys (for internal service auth) ──
|
||||
INVENTORY_SERVICE_API_KEY = os.environ.get("INVENTORY_SERVICE_API_KEY", "")
|
||||
BUDGET_SERVICE_API_KEY = os.environ.get("BUDGET_SERVICE_API_KEY", "")
|
||||
|
||||
# ── Booklore (book library manager) ──
|
||||
BOOKLORE_URL = os.environ.get("BOOKLORE_URL", "http://booklore:6060")
|
||||
BOOKLORE_USER = os.environ.get("BOOKLORE_USER", "")
|
||||
|
||||
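Review bot: both new lookups, INVENTORY_SERVICE_API_KEY and BUDGET_SERVICE_API_KEY, fall back to "" when the variable is unset, so a missing or misnamed .env entry is silent at startup and the gateway will go on to send an empty X-API-Key. Since this commit exists to make the key mandatory, I would drop the "" default and fail at import time (or at least log an error and refuse to proxy to that service) when either value is empty. The service-side middleware is not in this hunk, so please also confirm it rejects requests when its own SERVICE_API_KEY is empty rather than comparing an empty header against an empty expected value. A short comment next to these two lines noting that they map to SERVICE_API_KEY in each service's docker-compose entry would help whoever rotates the keys later.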