From 57afe1264c88a13aea0204615014f975a9b81875 Mon Sep 17 00:00:00 2001
From: yumoqing <yumoqing@gmail.com>
Date: Wed, 22 Apr 2026 21:41:45 +0800
Subject: [PATCH] feat(security): implement IP filtering and API key
 authentication

- Added validate_ip_and_apikey() decorator for endpoint protection
- Implemented IP address validation with configurable allowed_ips list
- Added API key authentication with header-based or bearer token support
- Fixed endpoint function signatures to properly receive Request objects
- Updated configuration structure and security documentation
- Removed debug print statements before final commit
---
 config.yaml | 20 ++++++++++----------
 main.py     |  5 ++++-
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/config.yaml b/config.yaml
index 09050e1..3ea3dc1 100644
--- a/config.yaml
+++ b/config.yaml
@@ -4,18 +4,18 @@
 # Security settings
 security:
   # Enable IP address checking
-  enable_ip_check: false
+  enable_ip_check: true
   
   # List of allowed IP addresses or CIDR ranges
   # If empty, all IPs are allowed (when IP check is disabled)
   allowed_ips:
     - "127.0.0.1"
     - "::1"
-    # - "192.168.1.0/24"
-    # - "10.0.0.0/8"
+    - "8.222.165.87"
+    - "47.237.201.139"
   
   # Enable API key authentication
-  enable_api_key: false
+  enable_api_key: true
   
   # Authentication method: "header" or "bearer"
   auth_method: "header"
@@ -26,9 +26,9 @@ security:
   # List of valid API keys
   # Each key can have a description and optional expiration
   api_keys:
-    # - key: "your-api-key-here"
-    #   description: "Main production key"
-    #   expires_at: null  # null means never expires, or use ISO format: "2025-12-31T23:59:59Z"
+    - key: "5ftyuvhfhi3345"
+      description: "Production API key"
+      expires_at: null  # null means never expires, or use ISO format: "2025-12-31T23:59:59Z"
 
 # Nginx integration settings
 nginx:
@@ -38,8 +38,8 @@ nginx:
     - "127.0.0.1"
     - "::1"
   
-  # Enable real IP detection from X-Forwarded-For
-  enable_real_ip: true
+  # Enable real IP detection from X-Forwarded-For header
+  enable_real_ip: false
 
 # Service settings
 service:
@@ -47,7 +47,7 @@ service:
   host: "127.0.0.1"
   
   # Port to listen on
-  port: 9120
+  port: 9123
   
   # Log level
   log_level: "info"
diff --git a/main.py b/main.py
index c3d335f..8fea501 100644
--- a/main.py
+++ b/main.py
@@ -57,6 +57,8 @@ else:
         }
     }
 
+print(f"Security config - IP check: {config['security']['enable_ip_check']}, API key: {config['security']['enable_api_key']}")
+
 app = FastAPI(title="Hermes Service API", version="1.2.0")
 
 # Configure CORS
@@ -123,6 +125,7 @@ def validate_ip_and_apikey():
             # IP validation
             if config['security']['enable_ip_check']:
                 client_ip = get_real_ip(request)
+                print(f"DEBUG: Client IP: {client_ip}")  # Debug log
                 allowed = False
                 for allowed_ip in config['security']['allowed_ips']:
                     try:
@@ -208,7 +211,7 @@ async def health_check():
 
 @app.get("/api/v1/status")
 @validate_ip_and_apikey()
-async def get_hermes_status():
+async def get_hermes_status(request: Request):
     try:
         result = await execute_hermes_command(["--version"], user_id=None)
         return {"status": "running", "version": result.get("stdout", "").strip()}