feat(auth): implement complete API-key authentication with modular architecture (#47)

- Add comprehensive API-key authentication system with X-API-Key header validation - Implement permission-based access control (mail:send, * for admin) - Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP) - Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each) - Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8) - Implement Hugo integration with CORS support for localhost:1313 - Add production-ready configuration with environment variable support - Create comprehensive testing suite (auth, rate-limiting, stress tests) - Add production deployment checklist and cleanup scripts This refactoring transforms the API gateway from a single-file monolith into a biocodie-compliant modular architecture while adding enterprise-grade security features. Performance testing shows 79 RPS concurrent throughput with <100ms latency. Hugo contact form integration tested and working. System is now production-ready for deployment to walter/aitvaras. Resolves #47
2025-06-24 22:01:38 +02:00 · 2025-06-24 22:01:38 +02:00 · 901f5eb2d8
commit 901f5eb2d8
parent 445e751c16
14 changed files with 1160 additions and 80 deletions
--- a/furt-lua/src/rate_limiter.lua
+++ b/furt-lua/src/rate_limiter.lua
@ -0,0 +1,133 @@
+-- furt-lua/src/rate_limiter.lua
+-- Rate limiting system for API requests
+-- Dragons@Work Digital Sovereignty Project
+
+local RateLimiter = {
+    requests = {}, -- {api_key = {timestamps}, ip = {timestamps}}
+    cleanup_interval = 300, -- Cleanup every 5 minutes
+    last_cleanup = os.time(),
+    
+    -- Default limits
+    default_limits = {
+        api_key_max = 60,        -- 60 requests per hour per API key
+        ip_max = 100,            -- 100 requests per hour per IP
+        window = 3600            -- 1 hour window
+    }
+}
+
+-- Cleanup old requests from memory
+function RateLimiter:cleanup_old_requests()
+    local now = os.time()
+    if now - self.last_cleanup < self.cleanup_interval then
+        return
+    end
+    
+    local cutoff = now - self.default_limits.window
+    
+    for key, timestamps in pairs(self.requests) do
+        local filtered = {}
+        for _, timestamp in ipairs(timestamps) do
+            if timestamp > cutoff then
+                table.insert(filtered, timestamp)
+            end
+        end
+        self.requests[key] = filtered
+    end
+    
+    self.last_cleanup = now
+end
+
+-- Check if request is within rate limit
+function RateLimiter:check_rate_limit(key, max_requests, window_seconds)
+    self:cleanup_old_requests()
+    
+    local now = os.time()
+    local cutoff = now - (window_seconds or self.default_limits.window)
+    
+    if not self.requests[key] then
+        self.requests[key] = {}
+    end
+    
+    -- Count requests in time window
+    local count = 0
+    for _, timestamp in ipairs(self.requests[key]) do
+        if timestamp > cutoff then
+            count = count + 1
+        end
+    end
+    
+    -- Check if limit exceeded
+    if count >= max_requests then
+        return false, count, max_requests - count
+    end
+    
+    -- Record this request
+    table.insert(self.requests[key], now)
+    
+    return true, count + 1, max_requests - (count + 1)
+end
+
+-- Check rate limits for API key and IP
+function RateLimiter:check_api_and_ip_limits(api_key, client_ip)
+    -- Check API key rate limit
+    local api_key_allowed, api_count, api_remaining = self:check_rate_limit(
+        "api_key:" .. api_key, 
+        self.default_limits.api_key_max, 
+        self.default_limits.window
+    )
+    
+    if not api_key_allowed then
+        return false, "API key rate limit exceeded", {
+            type = "api_key",
+            current = api_count,
+            limit = self.default_limits.api_key_max,
+            remaining = api_remaining
+        }
+    end
+    
+    -- Check IP rate limit
+    local ip_allowed, ip_count, ip_remaining = self:check_rate_limit(
+        "ip:" .. client_ip, 
+        self.default_limits.ip_max, 
+        self.default_limits.window
+    )
+    
+    if not ip_allowed then
+        return false, "IP rate limit exceeded", {
+            type = "ip",
+            current = ip_count,
+            limit = self.default_limits.ip_max,
+            remaining = ip_remaining
+        }
+    end
+    
+    -- Both limits OK
+    return true, "OK", {
+        api_key = {
+            current = api_count,
+            limit = self.default_limits.api_key_max,
+            remaining = api_remaining
+        },
+        ip = {
+            current = ip_count,
+            limit = self.default_limits.ip_max,
+            remaining = ip_remaining
+        }
+    }
+end
+
+-- Get rate limit headers for HTTP response
+function RateLimiter:get_rate_limit_headers(limit_info)
+    if not limit_info or not limit_info.api_key then
+        return {}
+    end
+    
+    return {
+        ["X-RateLimit-Remaining"] = tostring(limit_info.api_key.remaining or 0),
+        ["X-RateLimit-Limit"] = tostring(self.default_limits.api_key_max),
+        ["X-RateLimit-Window"] = tostring(self.default_limits.window)
+    }
+end
+
+return RateLimiter
+