feat(auth): implement complete API-key authentication with modular architecture (#47)

- Add comprehensive API-key authentication system with X-API-Key header validation - Implement permission-based access control (mail:send, * for admin) - Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP) - Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each) - Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8) - Implement Hugo integration with CORS support for localhost:1313 - Add production-ready configuration with environment variable support - Create comprehensive testing suite (auth, rate-limiting, stress tests) - Add production deployment checklist and cleanup scripts This refactoring transforms the API gateway from a single-file monolith into a biocodie-compliant modular architecture while adding enterprise-grade security features. Performance testing shows 79 RPS concurrent throughput with <100ms latency. Hugo contact form integration tested and working. System is now production-ready for deployment to walter/aitvaras. Resolves #47
2025-06-24 22:01:38 +02:00 · 2025-06-24 22:01:38 +02:00 · 901f5eb2d8
commit 901f5eb2d8
parent 445e751c16
14 changed files with 1160 additions and 80 deletions
--- a/furt-lua/scripts/cleanup_debug.sh
+++ b/furt-lua/scripts/cleanup_debug.sh
@ -0,0 +1,61 @@
+#!/bin/bash
+# furt-lua/scripts/cleanup_debug.sh
+# Clean up debug code and prepare for production
+
+echo "🧹 Cleaning up debug code for production..."
+
+# Remove debug config script
+if [ -f "debug_config.lua" ]; then
+    rm debug_config.lua
+    echo "✅ Removed debug_config.lua"
+fi
+
+# Check for any remaining DEBUG statements
+echo -e "\n🔍 Checking for remaining DEBUG statements:"
+debug_files=$(grep -r "DEBUG:" src/ 2>/dev/null || true)
+if [ -n "$debug_files" ]; then
+    echo "⚠️  Found DEBUG statements:"
+    echo "$debug_files"
+    echo "Please remove these manually!"
+else
+    echo "✅ No DEBUG statements found"
+fi
+
+# Check for any console.log or print statements that might be debug
+echo -e "\n🔍 Checking for debug print statements:"
+print_files=$(grep -r "print(" src/ | grep -v "-- Allow print" | grep -v "print.*error" || true)
+if [ -n "$print_files" ]; then
+    echo "⚠️  Found print statements (review if needed for production):"
+    echo "$print_files"
+else
+    echo "✅ No debug print statements found"
+fi
+
+# Check test endpoint (should be disabled in production)
+echo -e "\n🔍 Checking for test endpoints:"
+test_endpoints=$(grep -r "/test" src/ || true)
+if [ -n "$test_endpoints" ]; then
+    echo "⚠️  Found test endpoints (disable in production):"
+    echo "$test_endpoints"
+else
+    echo "✅ No test endpoints found"
+fi
+
+# Verify API keys are not hardcoded
+echo -e "\n🔍 Checking for hardcoded API keys:"
+hardcoded_keys=$(grep -r "change-me-in-production" config/ src/ || true)
+if [ -n "$hardcoded_keys" ]; then
+    echo "⚠️  Found development API keys (change for production):"
+    echo "$hardcoded_keys"
+else
+    echo "✅ No hardcoded development keys found"
+fi
+
+echo -e "\n✅ Debug cleanup complete!"
+echo "📋 Production checklist:"
+echo "  - [ ] Change API keys in .env"
+echo "  - [ ] Disable /test endpoint"
+echo "  - [ ] Set CORS_ALLOWED_ORIGINS for production"
+echo "  - [ ] Configure production SMTP settings"
+echo "  - [ ] Review log levels"
+
--- a/furt-lua/scripts/stress_test.sh
+++ b/furt-lua/scripts/stress_test.sh
@ -0,0 +1,171 @@
+#!/bin/bash
+# furt-lua/scripts/stress_test.sh
+# Rate-Limiting und Performance Stress-Test
+
+BASE_URL="http://127.0.0.1:8080"
+# Use correct API keys that match current .env
+API_KEY="hugo-dev-key-change-in-production"
+
+echo "⚡ Furt API Stress Test"
+echo "======================"
+
+# Test 1: Rate-Limiting Test (schnelle Requests)
+echo -e "\n1️⃣ Rate-Limiting Test (20 quick requests):"
+echo "Expected: First ~10 should work, then rate limiting kicks in"
+
+rate_limit_failures=0
+rate_limit_success=0
+
+for i in {1..20}; do
+    response=$(curl -s -w "%{http_code}" \
+        -H "X-API-Key: $API_KEY" \
+        "$BASE_URL/v1/auth/status")
+    
+    status=$(echo "$response" | tail -c 4)
+    
+    if [ "$status" == "200" ]; then
+        rate_limit_remaining=$(echo "$response" | head -n -1 | jq -r '.rate_limit_remaining // "N/A"' 2>/dev/null)
+        echo "Request $i: ✅ 200 OK (Rate limit remaining: $rate_limit_remaining)"
+        ((rate_limit_success++))
+    elif [ "$status" == "429" ]; then
+        echo "Request $i: ⛔ 429 Rate Limited"
+        ((rate_limit_failures++))
+    else
+        echo "Request $i: ❌ $status Error"
+    fi
+    
+    # Small delay to prevent overwhelming
+    sleep 0.1
+done
+
+echo "Rate-Limiting Results: $rate_limit_success success, $rate_limit_failures rate-limited"
+
+# Test 2: Performance Test (concurrent requests)
+echo -e "\n2️⃣ Performance Test (10 concurrent requests):"
+echo "Testing server under concurrent load..."
+
+start_time=$(date +%s.%N)
+
+# Create temp files for results
+temp_dir=$(mktemp -d)
+trap "rm -rf $temp_dir" EXIT
+
+# Launch concurrent requests
+for i in {1..10}; do
+    {
+        local_start=$(date +%s.%N)
+        response=$(curl -s -w "%{http_code}" \
+            -H "X-API-Key: $API_KEY" \
+            "$BASE_URL/health")
+        local_end=$(date +%s.%N)
+        
+        status=$(echo "$response" | tail -c 4)
+        duration=$(echo "$local_end - $local_start" | bc -l)
+        
+        echo "Concurrent $i: Status $status, Duration ${duration}s" > "$temp_dir/result_$i"
+    } &
+done
+
+# Wait for all background jobs
+wait
+
+end_time=$(date +%s.%N)
+total_duration=$(echo "$end_time - $start_time" | bc -l)
+
+echo "Concurrent Results:"
+cat "$temp_dir"/result_* | sort
+echo "Total Duration: ${total_duration}s"
+
+# Test 3: Mail API Performance (lighter test)
+echo -e "\n3️⃣ Mail API Performance Test (5 requests):"
+echo "Testing mail endpoint performance..."
+
+mail_success=0
+mail_errors=0
+
+for i in {1..5}; do
+    start_time=$(date +%s.%N)
+    
+    response=$(curl -s -w "%{http_code}" \
+        -H "X-API-Key: $API_KEY" \
+        -H "Content-Type: application/json" \
+        -d "{\"name\":\"Stress Test $i\",\"email\":\"test$i@example.com\",\"subject\":\"Performance Test\",\"message\":\"Load test message $i\"}" \
+        "$BASE_URL/v1/mail/send")
+    
+    end_time=$(date +%s.%N)
+    duration=$(echo "$end_time - $start_time" | bc -l)
+    
+    status=$(echo "$response" | tail -c 4)
+    
+    if [ "$status" == "200" ]; then
+        echo "Mail $i: ✅ 200 OK (${duration}s)"
+        ((mail_success++))
+    else
+        echo "Mail $i: ❌ Status $status (${duration}s)"
+        ((mail_errors++))
+    fi
+    
+    # Delay between mail sends to be nice to SMTP server
+    sleep 1
+done
+
+echo "Mail Performance: $mail_success success, $mail_errors errors"
+
+# Test 4: Mixed Load Test
+echo -e "\n4️⃣ Mixed Load Test (Auth + Health requests):"
+echo "Testing mixed endpoint load..."
+
+mixed_total=0
+mixed_success=0
+
+for i in {1..15}; do
+    ((mixed_total++))
+    
+    if [ $((i % 3)) -eq 0 ]; then
+        # Every 3rd request: auth status
+        endpoint="/v1/auth/status"
+    else
+        # Other requests: health check
+        endpoint="/health"
+    fi
+    
+    response=$(curl -s -w "%{http_code}" \
+        -H "X-API-Key: $API_KEY" \
+        "$BASE_URL$endpoint")
+    
+    status=$(echo "$response" | tail -c 4)
+    
+    if [ "$status" == "200" ]; then
+        echo "Mixed $i ($endpoint): ✅ 200 OK"
+        ((mixed_success++))
+    else
+        echo "Mixed $i ($endpoint): ❌ $status"
+    fi
+    
+    sleep 0.2
+done
+
+echo "Mixed Load Results: $mixed_success/$mixed_total successful"
+
+# Summary
+echo -e "\n📊 Stress Test Summary:"
+echo "================================="
+echo "Rate-Limiting: $rate_limit_success success, $rate_limit_failures limited (Expected behavior ✅)"
+echo "Concurrent Load: Check above results"
+echo "Mail Performance: $mail_success/$((mail_success + mail_errors)) successful"
+echo "Mixed Load: $mixed_success/$mixed_total successful"
+
+if [ $rate_limit_failures -gt 0 ]; then
+    echo "✅ Rate limiting is working correctly!"
+else
+    echo "⚠️  Rate limiting may need adjustment (no limits hit)"
+fi
+
+if [ $mixed_success -eq $mixed_total ] && [ $mail_success -gt 3 ]; then
+    echo "✅ Server performance looks good!"
+else
+    echo "⚠️  Some performance issues detected"
+fi
+
+echo -e "\n🎯 Next: Check server logs for any errors or memory issues"
+
--- a/furt-lua/scripts/test_auth.sh
+++ b/furt-lua/scripts/test_auth.sh
@ -0,0 +1,79 @@
+#!/bin/bash
+# furt-lua/scripts/test_auth.sh
+# Test API-Key-Authentifizierung (ohne jq parse errors)
+
+BASE_URL="http://127.0.0.1:8080"
+HUGO_API_KEY="hugo-dev-key-change-in-production"
+ADMIN_API_KEY="admin-dev-key-change-in-production"
+INVALID_API_KEY="invalid-key-should-fail"
+
+echo "🔐 Testing Furt API-Key Authentication"
+echo "======================================"
+
+# Helper function to make clean API calls
+make_request() {
+    local method="$1"
+    local url="$2"
+    local headers="$3"
+    local data="$4"
+    
+    echo "Request: $method $url"
+    if [ -n "$headers" ]; then
+        echo "Headers: $headers"
+    fi
+    
+    local response=$(curl -s $method \
+        ${headers:+-H "$headers"} \
+        ${data:+-d "$data"} \
+        -H "Content-Type: application/json" \
+        "$url")
+    
+    local status=$(curl -s -o /dev/null -w "%{http_code}" $method \
+        ${headers:+-H "$headers"} \
+        ${data:+-d "$data"} \
+        -H "Content-Type: application/json" \
+        "$url")
+    
+    echo "Status: $status"
+    echo "Response: $response" | jq '.' 2>/dev/null || echo "$response"
+    echo ""
+}
+
+# Test 1: Health-Check (public, no auth needed)
+echo "1️⃣ Public Health Check (no auth required):"
+make_request "-X GET" "$BASE_URL/health"
+
+# Test 2: No API-Key -> 401
+echo "2️⃣ Mail without API-Key (should fail with 401):"
+make_request "-X POST" "$BASE_URL/v1/mail/send" "" '{"name":"Test","email":"test@example.com","message":"Test"}'
+
+# Test 3: Invalid API-Key -> 401
+echo "3️⃣ Mail with invalid API-Key (should fail with 401):"
+make_request "-X POST" "$BASE_URL/v1/mail/send" "X-API-Key: $INVALID_API_KEY" '{"name":"Test","email":"test@example.com","message":"Test"}'
+
+# Test 4: Valid API-Key -> 200 (or SMTP error)
+echo "4️⃣ Mail with valid Hugo API-Key (should work):"
+make_request "-X POST" "$BASE_URL/v1/mail/send" "X-API-Key: $HUGO_API_KEY" '{
+    "name": "Test User",
+    "email": "test@example.com",
+    "subject": "API Auth Test",
+    "message": "This is a test message via authenticated API"
+}'
+
+# Test 5: Auth Status Check
+echo "5️⃣ Auth Status Check with Hugo API-Key:"
+make_request "-X GET" "$BASE_URL/v1/auth/status" "X-API-Key: $HUGO_API_KEY"
+
+# Test 6: Auth Status with Admin API-Key
+echo "6️⃣ Auth Status Check with Admin API-Key:"
+make_request "-X GET" "$BASE_URL/v1/auth/status" "X-API-Key: $ADMIN_API_KEY"
+
+echo "✅ Auth Testing Complete!"
+echo ""
+echo "Expected Results:"
+echo "- Test 1: ✅ 200 OK (health check)"
+echo "- Test 2: ❌ 401 Unauthorized (Missing API-Key)"
+echo "- Test 3: ❌ 401 Unauthorized (Invalid API-Key)"
+echo "- Test 4: ✅ 200 OK (Valid API-Key) or 500 if SMTP not configured"
+echo "- Test 5,6: ✅ 200 OK with auth details"
+
--- a/furt-lua/scripts/test_modular.sh
+++ b/furt-lua/scripts/test_modular.sh
@ -0,0 +1,61 @@
+#!/bin/bash
+# furt-lua/scripts/test_modular.sh
+# Test der modularen Furt-Architektur
+
+BASE_URL="http://127.0.0.1:8080"
+HUGO_API_KEY="hugo-dev-key-change-in-production"
+
+echo "🧩 Testing Modular Furt Architecture"
+echo "===================================="
+
+# Test 1: Module dependencies check
+echo -e "\n1️⃣ Testing module imports (should not error on startup):"
+echo "Starting server in background..."
+cd "$(dirname "$0")/.."
+lua src/main.lua &
+SERVER_PID=$!
+sleep 2
+
+if kill -0 $SERVER_PID 2>/dev/null; then
+    echo "✅ Server started successfully - all modules loaded"
+else
+    echo "❌ Server failed to start - module import error"
+    exit 1
+fi
+
+# Test 2: Public endpoints (no auth)
+echo -e "\n2️⃣ Testing public endpoints:"
+curl -s -w "Status: %{http_code}\n" "$BASE_URL/health" | jq '.features'
+
+# Test 3: Protected endpoints without auth (should fail)
+echo -e "\n3️⃣ Testing auth protection:"
+curl -s -w "Status: %{http_code}\n" \
+  -X POST \
+  -H "Content-Type: application/json" \
+  -d '{"name":"Test","email":"test@example.com","message":"Test"}' \
+  "$BASE_URL/v1/mail/send" | jq '.error'
+
+# Test 4: Protected endpoints with auth (should work)
+echo -e "\n4️⃣ Testing authenticated request:"
+curl -s -w "Status: %{http_code}\n" \
+  -H "X-API-Key: $HUGO_API_KEY" \
+  "$BASE_URL/v1/auth/status" | jq '.'
+
+# Test 5: Rate limiting headers
+echo -e "\n5️⃣ Testing rate limit headers:"
+curl -s -i -H "X-API-Key: $HUGO_API_KEY" "$BASE_URL/v1/auth/status" | grep -E "X-RateLimit|HTTP"
+
+# Cleanup
+echo -e "\n🧹 Cleanup:"
+kill $SERVER_PID 2>/dev/null
+wait $SERVER_PID 2>/dev/null
+echo "Server stopped"
+
+echo -e "\n✅ Modular Architecture Test Complete!"
+echo "Expected behavior:"
+echo "- Test 1: ✅ Server starts without module errors"
+echo "- Test 2: ✅ Health endpoint works, shows features"
+echo "- Test 3: ❌ 401 Unauthorized (missing API key)"
+echo "- Test 4: ✅ 200 OK with auth details"
+echo "- Test 5: ✅ Rate limit headers present"
+