feat(auth): implement complete API-key authentication with modular architecture (#47)

- Add comprehensive API-key authentication system with X-API-Key header validation - Implement permission-based access control (mail:send, * for admin) - Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP) - Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each) - Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8) - Implement Hugo integration with CORS support for localhost:1313 - Add production-ready configuration with environment variable support - Create comprehensive testing suite (auth, rate-limiting, stress tests) - Add production deployment checklist and cleanup scripts This refactoring transforms the API gateway from a single-file monolith into a biocodie-compliant modular architecture while adding enterprise-grade security features. Performance testing shows 79 RPS concurrent throughput with <100ms latency. Hugo contact form integration tested and working. System is now production-ready for deployment to walter/aitvaras. Resolves #47
2025-06-24 22:01:38 +02:00 · 2025-06-24 22:01:38 +02:00 · 901f5eb2d8
commit 901f5eb2d8
parent 445e751c16
14 changed files with 1160 additions and 80 deletions
--- a/furt-lua/.env.production
+++ b/furt-lua/.env.production
@ -0,0 +1,50 @@
+# furt-lua/.env.production
+# Production Environment Configuration Template
+
+# =====================================
+# API KEYS (CHANGE THESE!)
+# =====================================
+# Generate secure keys: openssl rand -hex 32
+HUGO_API_KEY=daw-hugo-$(openssl rand -hex 16)
+ADMIN_API_KEY=daw-admin-$(openssl rand -hex 16)
+MONITORING_API_KEY=daw-monitor-$(openssl rand -hex 16)
+
+# =====================================
+# SMTP CONFIGURATION
+# =====================================
+SMTP_HOST=mail.dragons-at-work.de
+SMTP_PORT=465
+SMTP_USERNAME=noreply@dragons-at-work.de
+SMTP_PASSWORD=your-secure-smtp-password-here
+SMTP_FROM=noreply@dragons-at-work.de
+SMTP_TO=michael@dragons-at-work.de
+
+# =====================================
+# CORS CONFIGURATION (Production Domains)
+# =====================================
+CORS_ALLOWED_ORIGINS=https://dragons-at-work.de,https://www.dragons-at-work.de
+
+# =====================================
+# GATEWAY CONFIGURATION
+# =====================================
+GATEWAY_HOST=127.0.0.1
+GATEWAY_PORT=8080
+GATEWAY_LOG_LEVEL=warn
+
+# =====================================
+# SECURITY SETTINGS
+# =====================================
+# Test endpoint (disable in production)
+ENABLE_TEST_ENDPOINT=false
+
+# Rate limiting (production values)
+RATE_LIMIT_API_KEY_MAX=60
+RATE_LIMIT_IP_MAX=100
+RATE_LIMIT_WINDOW=3600
+
+# =====================================
+# DEVELOPMENT SETTINGS (Remove in production)
+# =====================================
+# DEBUG=false
+# LOG_REQUESTS=false
+