- Add comprehensive API-key authentication system with X-API-Key header validation
- Implement permission-based access control (mail:send, * for admin)
- Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP)
- Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each)
- Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8)
- Implement Hugo integration with CORS support for localhost:1313
- Add production-ready configuration with environment variable support
- Create comprehensive testing suite (auth, rate-limiting, stress tests)
- Add production deployment checklist and cleanup scripts
This refactoring transforms the API gateway from a single-file monolith into a
biocodie-compliant modular architecture while adding enterprise-grade security
features. Performance testing shows 79 RPS concurrent throughput with <100ms
latency. Hugo contact form integration tested and working. System is now
production-ready for deployment to walter/aitvaras.
Resolves#47
- Add CORS headers to all API responses in main.lua
- Implement OPTIONS preflight request handling
- Add environment-variable based CORS origin configuration
- Create production.env.example for deployment documentation
- Update .env.example with CORS_ALLOWED_ORIGINS setting
Resolves cross-origin request blocking for Hugo dev server integration.
CORS origins now configurable via CORS_ALLOWED_ORIGINS environment variable
for production deployments while maintaining dev-friendly defaults.
Related to #49
- Add multi-distribution config path detection
- Support /usr/local/etc/furt/environment (OpenBSD)
- Support /etc/furt/environment (Debian/Ubuntu/RHEL)
- Maintain .env support for development
- Add configurable Lua command via LUA_COMMAND environment variable
POSIX compatibility improvements:
- Replace command -v with [ -x ] for service user compatibility
- Change shebang from #!/bin/bash to #!/bin/sh for OpenBSD
- Replace ${BASH_SOURCE[0]} with $0 for POSIX shell compatibility
walter deployment changes:
- Migrate directory structure to /usr/local/furt/furt-lua/
- Set up _furt user permissions
- Configure system config in /usr/local/etc/furt/environment
Known issues:
- karl development environment regression (lua51 detection failed)
- walter SSL missing for SMTP (luasec vs luaossl compatibility)
- Config strategy needs comprehensive redesign for multi-implementation
Related: #68
Files modified:
- furt-lua/scripts/start.sh (POSIX compatibility + universal config)
- .env.example (added LUA_COMMAND and LUA_VERSION)
- walter: /usr/local/etc/furt/environment (system config setup)
- Add native Lua SMTP client with SSL/TLS support for mail.dragons-at-work.de:465
- Implement POST /v1/mail/send endpoint with real email delivery functionality
- Add environment variable integration (SMTP_*) for secure credential management
- Add comprehensive input validation and error handling for mail requests
- Add health check endpoint with SMTP configuration status reporting
- Add multi-line SMTP response handling for robust server communication
- Add request ID tracking system for debugging and monitoring
- Update start.sh script for automatic .env loading and dependency checking
- Add complete testing suite for SMTP functionality verification
This completes the Week 2 Challenge migration from Go to pure Lua HTTP server
with full production-ready SMTP capabilities. The implementation eliminates all
Google/corporate dependencies while achieving superior performance (18ms response
time) and maintaining digital sovereignty principles.
Real mail delivery confirmed: test email successfully sent to admin@dragons-at-work.de
Ready for Hugo website integration and production deployment with security layer.
Closes#65
- Go-Projektstruktur nach Low-Tech-Prinzipien
- Issue-Templates für Service-Requests und Bug-Reports
- Konfiguration für sichere Entwicklung (.env.example)
- Scripts-Verzeichnis für Build und Deployment
- Dokumentationsstruktur für Dev und User Docs
- Apache 2.0 Lizenz für Open-Source-Entwicklung
Furt (Durchgang) vereint Services unter einheitlicher API
für vollständige digitale Souveränität.
