docs(api): Phase 7c API-Auth design — 3-scope keys + rate-limit + /admin/api-keys UI#85
Conversation
…t, /admin/api-keys UI App-side API-Key authentication replacing the current single-secret Pangolin-Bypass for all writes. 3 scopes (read/print/admin), bcrypt hashed keys with prefix UI display, in-memory token-bucket rate limit, per-key printer ACL, audit-trail in Jobs table, transition path via feature flag for the Pangolin-Bypass scope-downgrade. Refs #22 Refs #78
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request implements Phase 7c of the API-Auth design, significantly hardening the application's security posture. By moving from a single shared secret to a granular, multi-key authentication system, the changes provide better access control, audit trails, and rate limiting. The implementation includes necessary database schema updates, a new administrative UI for key management, and a robust middleware layer to enforce scope-based access across the API. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #85 +/- ##
==========================================
- Coverage 91.98% 91.09% -0.89%
==========================================
Files 70 71 +1
Lines 3055 3189 +134
Branches 261 271 +10
==========================================
+ Hits 2810 2905 +95
- Misses 181 216 +35
- Partials 64 68 +4
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
Adds a Phase 7c design spec documenting the planned app-side API authentication model (scoped API keys, per-key rate limiting, admin UI, and audit fields) to address the current reliance on Pangolin edge auth.
Changes:
- Introduces a new Phase 7c specification covering
api_keysstorage, endpoint scoping, rate limiting, and job audit fields. - Defines the
/admin/api-keysHTMX UI flows and backend CRUD endpoints for key management. - Documents the transition plan for downgrading Pangolin Basic-Auth bypass to read-only via a feature flag.
Comments suppressed due to low confidence (1)
docs/superpowers/specs/2026-05-17-phase-7c-api-auth-design.md:336
- “Bootstrap-admin seed key emitted in startup log” is a high-risk requirement: secrets frequently end up in long-lived logs and third-party aggregators/backups. If the goal is avoiding lockout, prefer a bootstrap mechanism that surfaces the plaintext key out-of-band from normal app logs (or relies on Pangolin SSO for initial admin access).
- [ ] Backend API for key CRUD under `/api/admin/api-keys/*`
- [ ] Pangolin-bypass scope-downgrade feature flag
- [ ] Bootstrap-admin seed key emitted in startup log on first migration
- [ ] All tests passing, coverage >= 80%
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request provides a design specification for app-side API authentication, introducing multi-key management, scoped access control, and rate limiting. The review feedback identifies critical implementation concerns: the necessity of offloading CPU-intensive bcrypt operations to thread pools to avoid blocking the FastAPI event loop, the need for the rate limiter to reflect database configuration changes, the recommendation for formal foreign key constraints to ensure data integrity, and the requirement for consistent timezone handling in database models.
…ixes - 7c spec: fix key_prefix length example (11→12 chars consistent) - 7c spec: datetime fields use DateTime(timezone=True) sa_column - 7c spec: bootstrap seed key prints plaintext to Alembic stdout only (not app logger) - 7c spec: require_scope() reconciles SSO=admin for /admin/* routes, 401 for missing creds / 403 for insufficient scope - 7c spec: Pangolin-bypass reads feature flag settings.pangolin_bypass_scope_downgrade in pseudocode - 7c spec: cache key is api_key_id (after prefix DB lookup), not raw hash; bcrypt uses asyncio.to_thread - 7c spec: source_ip propagation via X-Real-IP injected by frontend proxy - 7c spec: rate_limit_per_minute applies to all requests (not print-only); rename clarified - 7c spec: RateLimiter uses asyncio.Lock + capacity-drift detection to handle concurrent requests + config changes - 7d spec: replace strausmann.cloud with example.com (privacy scan fix) Refs #22
## <small>0.6.1 (2026-05-19)</small> * fix(ui): preview-PNG data-URL must use template.URL type (#90) ([0f84976](0f84976)), closes [#90](#90) [#87](#87) [#22](#22) [#89](#89) [#22](#22) * docs(api): Phase 7c API-Auth design — 3-scope keys + rate-limit + /admin/api-keys UI (#85) ([8792e84](8792e84)), closes [#85](#85) [#22](#22) [#78](#78) [#85](#85) [#22](#22) [#79](#79) [#22](#22) * docs(api): Phase 7e Template Layout System v2 — semantic schema + aggregation (#86) ([0bab0c0](0bab0c0)), closes [#86](#86) [#22](#22) [#81](#81) [#22](#22) * chore(deps): bump the go-minor-and-patch group (#89) ([d6ba346](d6ba346)), closes [#89](#89) [skip ci]
Summary
Phase 7c spec — closes the security gap exposed by Phase 7b deploy: single-secret Pangolin-Bypass replaced with multi-key app-side authentication.
Key design decisions (user-approved)
What's in scope
Backend:
api_keystable + Alembic migration with bootstrap-admin seedrequire_scope(level)FastAPI dependency, all routes annotatedpangolin_bypass_scope_downgrade)Frontend (Go + HTMX):
/admin/api-keyspage: list + create + revoke + detail-with-audit-logOut of scope (deferred)
Spec polish — deferred suggestions
The following bot-review suggestions were reviewed and deferred as design choices appropriate for the HomeLab context:
api_key_idFK)ForeignKeywithON DELETE SET NULLinstead of "FK hint, no constraint"ON DELETE SET NULLis a Phase 7c.1 polish item once the table is stable.Implementation
Overnight implementer subagent will derive the implementation plan from this spec on a feat branch. User reviews + merges in the next session.
Refs #22
Closes #78