furt/furt-lua/production_checklist.md
michael 901f5eb2d8 feat(auth): implement complete API-key authentication with modular architecture (#47)
- Add comprehensive API-key authentication system with X-API-Key header validation
- Implement permission-based access control (mail:send, * for admin)
- Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP)
- Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each)
- Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8)
- Implement Hugo integration with CORS support for localhost:1313
- Add production-ready configuration with environment variable support
- Create comprehensive testing suite (auth, rate-limiting, stress tests)
- Add production deployment checklist and cleanup scripts

This refactoring transforms the API gateway from a single-file monolith into a
biocodie-compliant modular architecture while adding enterprise-grade security
features. Performance testing shows 79 RPS concurrent throughput with <100ms
latency. Hugo contact form integration tested and working. System is now
production-ready for deployment to walter/aitvaras.

Resolves #47
2025-06-24 22:01:38 +02:00


Furt API-Gateway Production Deployment Checklist

🔐 Security Configuration

API Keys

  • Generate secure API keys (32+ characters)
  • Set HUGO_API_KEY in .env.production
  • Set ADMIN_API_KEY in .env.production
  • Remove/change all development keys
  • Verify API key permissions in config/server.lua

CORS Configuration

  • Set production domains in CORS_ALLOWED_ORIGINS
  • Remove localhost/development origins
  • Test CORS with production domains

Endpoints

  • Disable test endpoint (ENABLE_TEST_ENDPOINT=false)
  • Remove any debug endpoints
  • Verify only required endpoints are exposed

📧 SMTP Configuration

  • Configure production SMTP server
  • Test SMTP authentication
  • Set proper FROM and TO addresses
  • Verify mail delivery works
  • Test mail sending with rate limits

🔧 Server Configuration

Environment

  • Copy .env.production to .env
  • Set GATEWAY_HOST (127.0.0.1 for internal)
  • Set GATEWAY_PORT (8080 default)
  • Set LOG_LEVEL to "warn" or "error"

Performance

  • Verify rate limits are appropriate
  • Test concurrent load handling
  • Monitor memory usage under load
  • Test restart behavior

🛡️ Security Testing

Authentication

  • Test invalid API keys return 401
  • Test missing API keys return 401
  • Test permission system works correctly
  • Test IP restrictions (if configured)

Rate Limiting

  • Test rate limits trigger at correct thresholds
  • Test 429 responses are returned
  • Test rate limit headers are present
  • Test rate limit cleanup works

🚀 Deployment

File Permissions

  • Lua files readable by server user
  • .env file protected (600 permissions)
  • Log directory writable
  • No world-readable sensitive files
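
The API key, CORS, endpoint, environment and file-permission items above can be checked mechanically before the service is started. The script below is an added example, not part of the furt repository; it assumes `.env` holds plain `KEY=value` lines (values optionally quoted), and the function names `env_get` and `furt_env_preflight` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not part of the furt repository): pre-flight lint for .env.
# Assumption: the file holds plain KEY=value lines, values optionally quoted.

# Print the value of key $2 in file $1 (last assignment wins, quotes stripped).
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Record one finding; `fails` is the caller's local counter (dynamic scoping).
_fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# Check file $1 against the checklist. Returns 0 only if every check passes.
furt_env_preflight() {
  local file="$1" fails=0 key val mode
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }

  # .env must be owner-only (600). GNU stat first, BSD stat as fallback.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  [ "$mode" = "600" ] || _fail "$file has mode $mode, expected 600"

  # API keys: present and at least 32 characters. Values are never printed.
  for key in HUGO_API_KEY ADMIN_API_KEY; do
    val=$(env_get "$file" "$key")
    [ "${#val}" -ge 32 ] || _fail "$key is missing or shorter than 32 chars"
  done

  # CORS: a non-empty origin list with no development origins left in it.
  val=$(env_get "$file" CORS_ALLOWED_ORIGINS)
  [ -n "$val" ] || _fail "CORS_ALLOWED_ORIGINS is empty"
  case $val in
    *localhost*|*127.0.0.1*) _fail "CORS_ALLOWED_ORIGINS has a dev origin" ;;
  esac

  # Test endpoint must be off; log level must be warn or error.
  [ "$(env_get "$file" ENABLE_TEST_ENDPOINT)" = "false" ] ||
    _fail "ENABLE_TEST_ENDPOINT is not false"
  case $(env_get "$file" LOG_LEVEL) in
    warn|error) ;;
    *) _fail "LOG_LEVEL should be warn or error" ;;
  esac

  [ "$fails" -eq 0 ]
}

# Stand-alone use: pass the path of the .env file as the first argument.
[ -z "${1:-}" ] || furt_env_preflight "$1"
```

Saved under a name of your choice and run with the path to `.env` as its argument, a non-zero exit status means at least one of these items is still open.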

Process Management

  • Configure systemd service (if applicable)
  • Test automatic restart on failure
  • Configure log rotation
  • Set up monitoring/health checks

Reverse Proxy (if applicable)

  • Configure nginx/apache reverse proxy
  • Set up SSL termination
  • Configure rate limiting at proxy level
  • Test proxy → furt communication

📊 Monitoring

Health Checks

  • /health endpoint responds correctly
  • Set up external monitoring (e.g., Uptime Kuma)
  • Configure alerting for service down
  • Test health check under load

Logging

  • Configure appropriate log level
  • Set up log rotation
  • Monitor log file sizes
  • Review error patterns

Metrics

  • Monitor request rates
  • Monitor response times
  • Monitor memory usage
  • Monitor SMTP connection health

🧪 Integration Testing

Hugo Integration

  • Test contact forms submit successfully
  • Test error handling displays correctly
  • Test rate limiting shows user-friendly messages
  • Test CORS works with production domains

Mail Delivery

  • Send test emails through all forms
  • Verify emails arrive correctly formatted
  • Test email content encoding
  • Test attachment handling (if applicable)

📝 Documentation

  • Document API endpoints for other developers
  • Document configuration options
  • Document troubleshooting procedures
  • Document backup/restore procedures

🔄 Backup & Recovery

  • Document configuration files to backup
  • Test service restart procedures
  • Document rollback procedures
  • Test recovery from configuration errors

Final Verification

  • All API endpoints respond correctly
  • All security measures tested
  • Performance meets requirements
  • Monitoring and alerting configured
  • Documentation complete
  • Team trained on operations

Last Updated: $(date +%Y-%m-%d)
Deployed By: _______________
Deployment Date: _______________