michael
901f5eb2d8
- Add comprehensive API-key authentication system with X-API-Key header validation - Implement permission-based access control (mail:send, * for admin) - Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP) - Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each) - Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8) - Implement Hugo integration with CORS support for localhost:1313 - Add production-ready configuration with environment variable support - Create comprehensive testing suite (auth, rate-limiting, stress tests) - Add production deployment checklist and cleanup scripts This refactoring transforms the API gateway from a single-file monolith into a biocodie-compliant modular architecture while adding enterprise-grade security features. Performance testing shows 79 RPS concurrent throughput with <100ms latency. Hugo contact form integration tested and working. System is now production-ready for deployment to walter/aitvaras. Resolves #47
79 lines
2.7 KiB
Bash
Executable file
79 lines
2.7 KiB
Bash
Executable file
#!/bin/bash
|
||
# furt-lua/scripts/test_auth.sh
|
||
# Test API-Key-Authentifizierung (ohne jq parse errors)
|
||
|
||
BASE_URL="http://127.0.0.1:8080"
|
||
HUGO_API_KEY="hugo-dev-key-change-in-production"
|
||
ADMIN_API_KEY="admin-dev-key-change-in-production"
|
||
INVALID_API_KEY="invalid-key-should-fail"
|
||
|
||
echo "🔐 Testing Furt API-Key Authentication"
|
||
echo "======================================"
|
||
|
||
# Helper function to make clean API calls
|
||
make_request() {
|
||
local method="$1"
|
||
local url="$2"
|
||
local headers="$3"
|
||
local data="$4"
|
||
|
||
echo "Request: $method $url"
|
||
if [ -n "$headers" ]; then
|
||
echo "Headers: $headers"
|
||
fi
|
||
|
||
local response=$(curl -s $method \
|
||
${headers:+-H "$headers"} \
|
||
${data:+-d "$data"} \
|
||
-H "Content-Type: application/json" \
|
||
"$url")
|
||
|
||
local status=$(curl -s -o /dev/null -w "%{http_code}" $method \
|
||
${headers:+-H "$headers"} \
|
||
${data:+-d "$data"} \
|
||
-H "Content-Type: application/json" \
|
||
"$url")
|
||
|
||
echo "Status: $status"
|
||
echo "Response: $response" | jq '.' 2>/dev/null || echo "$response"
|
||
echo ""
|
||
}
|
||
|
||
# Test 1: Health-Check (public, no auth needed)
|
||
echo "1️⃣ Public Health Check (no auth required):"
|
||
make_request "-X GET" "$BASE_URL/health"
|
||
|
||
# Test 2: No API-Key -> 401
|
||
echo "2️⃣ Mail without API-Key (should fail with 401):"
|
||
make_request "-X POST" "$BASE_URL/v1/mail/send" "" '{"name":"Test","email":"test@example.com","message":"Test"}'
|
||
|
||
# Test 3: Invalid API-Key -> 401
|
||
echo "3️⃣ Mail with invalid API-Key (should fail with 401):"
|
||
make_request "-X POST" "$BASE_URL/v1/mail/send" "X-API-Key: $INVALID_API_KEY" '{"name":"Test","email":"test@example.com","message":"Test"}'
|
||
|
||
# Test 4: Valid API-Key -> 200 (or SMTP error)
|
||
echo "4️⃣ Mail with valid Hugo API-Key (should work):"
|
||
make_request "-X POST" "$BASE_URL/v1/mail/send" "X-API-Key: $HUGO_API_KEY" '{
|
||
"name": "Test User",
|
||
"email": "test@example.com",
|
||
"subject": "API Auth Test",
|
||
"message": "This is a test message via authenticated API"
|
||
}'
|
||
|
||
# Test 5: Auth Status Check
|
||
echo "5️⃣ Auth Status Check with Hugo API-Key:"
|
||
make_request "-X GET" "$BASE_URL/v1/auth/status" "X-API-Key: $HUGO_API_KEY"
|
||
|
||
# Test 6: Auth Status with Admin API-Key
|
||
echo "6️⃣ Auth Status Check with Admin API-Key:"
|
||
make_request "-X GET" "$BASE_URL/v1/auth/status" "X-API-Key: $ADMIN_API_KEY"
|
||
|
||
echo "✅ Auth Testing Complete!"
|
||
echo ""
|
||
echo "Expected Results:"
|
||
echo "- Test 1: ✅ 200 OK (health check)"
|
||
echo "- Test 2: ❌ 401 Unauthorized (Missing API-Key)"
|
||
echo "- Test 3: ❌ 401 Unauthorized (Invalid API-Key)"
|
||
echo "- Test 4: ✅ 200 OK (Valid API-Key) or 500 if SMTP not configured"
|
||
echo "- Test 5,6: ✅ 200 OK with auth details"
|
||
|