DAW/furt
2
0
Fork 0
Code Issues 11 Pull requests Projects Releases 3 Packages 1 Wiki Activity Actions

feat(auth): implement complete API-key authentication with modular architecture (#47)

Browse source 
- Add comprehensive API-key authentication system with X-API-Key header validation
- Implement permission-based access control (mail:send, * for admin)
- Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP)
- Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each)
- Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8)
- Implement Hugo integration with CORS support for localhost:1313
- Add production-ready configuration with environment variable support
- Create comprehensive testing suite (auth, rate-limiting, stress tests)
- Add production deployment checklist and cleanup scripts

This refactoring transforms the API gateway from a single-file monolith into a
biocodie-compliant modular architecture while adding enterprise-grade security
features. Performance testing shows 79 RPS concurrent throughput with <100ms
latency. Hugo contact form integration tested and working. System is now
production-ready for deployment to walter/aitvaras.

Resolves #47
This commit is contained in:
michael 2025-06-24 22:01:38 +02:00
parent 445e751c16
commit 901f5eb2d8
14 changed files with 1160 additions and 80 deletions
Download patch file Download diff file Expand all files Collapse all files

171
furt-lua/scripts/stress_test.sh Executable file
View file

@ -0,0 +1,171 @@
#!/bin/bash
# furt-lua/scripts/stress_test.sh
# Rate-Limiting und Performance Stress-Test
BASE_URL="http://127.0.0.1:8080"
# Use correct API keys that match current .env
API_KEY="hugo-dev-key-change-in-production"
echo "⚡ Furt API Stress Test"
echo "======================"
# Test 1: Rate-Limiting Test (schnelle Requests)
echo -e "\n1⃣ Rate-Limiting Test (20 quick requests):"
echo "Expected: First ~10 should work, then rate limiting kicks in"
rate_limit_failures=0
rate_limit_success=0
for i in {1..20}; do
response=$(curl -s -w "%{http_code}" \
-H "X-API-Key: $API_KEY" \
"$BASE_URL/v1/auth/status")
status=$(echo "$response" | tail -c 4)
if [ "$status" == "200" ]; then
rate_limit_remaining=$(echo "$response" | head -n -1 | jq -r '.rate_limit_remaining // "N/A"' 2>/dev/null)
echo "Request $i: ✅ 200 OK (Rate limit remaining: $rate_limit_remaining)"
((rate_limit_success++))
elif [ "$status" == "429" ]; then
echo "Request $i: ⛔ 429 Rate Limited"
((rate_limit_failures++))
else
echo "Request $i: ❌ $status Error"
fi
# Small delay to prevent overwhelming
sleep 0.1
done
echo "Rate-Limiting Results: $rate_limit_success success, $rate_limit_failures rate-limited"
# Test 2: Performance Test (concurrent requests)
echo -e "\n2⃣ Performance Test (10 concurrent requests):"
echo "Testing server under concurrent load..."
start_time=$(date +%s.%N)
# Create temp files for results
temp_dir=$(mktemp -d)
trap "rm -rf $temp_dir" EXIT
# Launch concurrent requests
for i in {1..10}; do
{
local_start=$(date +%s.%N)
response=$(curl -s -w "%{http_code}" \
-H "X-API-Key: $API_KEY" \
"$BASE_URL/health")
local_end=$(date +%s.%N)
status=$(echo "$response" | tail -c 4)
duration=$(echo "$local_end - $local_start" | bc -l)
echo "Concurrent $i: Status $status, Duration ${duration}s" > "$temp_dir/result_$i"
} &
done
# Wait for all background jobs
wait
end_time=$(date +%s.%N)
total_duration=$(echo "$end_time - $start_time" | bc -l)
echo "Concurrent Results:"
cat "$temp_dir"/result_* | sort
echo "Total Duration: ${total_duration}s"
# Test 3: Mail API Performance (lighter test)
echo -e "\n3⃣ Mail API Performance Test (5 requests):"
echo "Testing mail endpoint performance..."
mail_success=0
mail_errors=0
for i in {1..5}; do
start_time=$(date +%s.%N)
response=$(curl -s -w "%{http_code}" \
-H "X-API-Key: $API_KEY" \
-H "Content-Type: application/json" \
-d "{\"name\":\"Stress Test $i\",\"email\":\"test$i@example.com\",\"subject\":\"Performance Test\",\"message\":\"Load test message $i\"}" \
"$BASE_URL/v1/mail/send")
end_time=$(date +%s.%N)
duration=$(echo "$end_time - $start_time" | bc -l)
status=$(echo "$response" | tail -c 4)
if [ "$status" == "200" ]; then
echo "Mail $i: ✅ 200 OK (${duration}s)"
((mail_success++))
else
echo "Mail $i: ❌ Status $status (${duration}s)"
((mail_errors++))
fi
# Delay between mail sends to be nice to SMTP server
sleep 1
done
echo "Mail Performance: $mail_success success, $mail_errors errors"
# Test 4: Mixed Load Test
echo -e "\n4⃣ Mixed Load Test (Auth + Health requests):"
echo "Testing mixed endpoint load..."
mixed_total=0
mixed_success=0
for i in {1..15}; do
((mixed_total++))
if [ $((i % 3)) -eq 0 ]; then
# Every 3rd request: auth status
endpoint="/v1/auth/status"
else
# Other requests: health check
endpoint="/health"
fi
response=$(curl -s -w "%{http_code}" \
-H "X-API-Key: $API_KEY" \
"$BASE_URL$endpoint")
status=$(echo "$response" | tail -c 4)
if [ "$status" == "200" ]; then
echo "Mixed $i ($endpoint): ✅ 200 OK"
((mixed_success++))
else
echo "Mixed $i ($endpoint): ❌ $status"
fi
sleep 0.2
done
echo "Mixed Load Results: $mixed_success/$mixed_total successful"
# Summary
echo -e "\n📊 Stress Test Summary:"
echo "================================="
echo "Rate-Limiting: $rate_limit_success success, $rate_limit_failures limited (Expected behavior ✅)"
echo "Concurrent Load: Check above results"
echo "Mail Performance: $mail_success/$((mail_success + mail_errors)) successful"
echo "Mixed Load: $mixed_success/$mixed_total successful"
if [ $rate_limit_failures -gt 0 ]; then
echo "✅ Rate limiting is working correctly!"
else
echo "⚠️ Rate limiting may need adjustment (no limits hit)"
fi
if [ $mixed_success -eq $mixed_total ] && [ $mail_success -gt 3 ]; then
echo "✅ Server performance looks good!"
else
echo "⚠️ Some performance issues detected"
fi
echo -e "\n🎯 Next: Check server logs for any errors or memory issues"