feat(security): implement IP filtering and API key authentication

- Added validate_ip_and_apikey() decorator for endpoint protection - Implemented IP address validation with configurable allowed_ips list - Added API key authentication with header-based or bearer token support - Fixed endpoint function signatures to properly receive Request objects - Updated configuration structure and security documentation - Removed debug print statements before final commit
2026-04-22 21:41:45 +08:00 · 2026-04-22 21:41:45 +08:00 · 57afe1264c
commit 57afe1264c
parent 4a8d3291d3
2 changed files with 14 additions and 11 deletions
--- a/config.yaml
+++ b/config.yaml
@ -4,18 +4,18 @@
 # Security settings
 security:
  # Enable IP address checking
-  enable_ip_check: false
+  enable_ip_check: true
  
  # List of allowed IP addresses or CIDR ranges
  # If empty, all IPs are allowed (when IP check is disabled)
  allowed_ips:
    - "127.0.0.1"
    - "::1"
-    # - "192.168.1.0/24"
-    # - "10.0.0.0/8"
+    - "8.222.165.87"
+    - "47.237.201.139"
  
  # Enable API key authentication
-  enable_api_key: false
+  enable_api_key: true
  
  # Authentication method: "header" or "bearer"
  auth_method: "header"
@ -26,9 +26,9 @@ security:
  # List of valid API keys
  # Each key can have a description and optional expiration
  api_keys:
-    # - key: "your-api-key-here"
-    #   description: "Main production key"
-    #   expires_at: null  # null means never expires, or use ISO format: "2025-12-31T23:59:59Z"
+    - key: "5ftyuvhfhi3345"
+      description: "Production API key"
+      expires_at: null  # null means never expires, or use ISO format: "2025-12-31T23:59:59Z"

 # Nginx integration settings
 nginx:
@ -38,8 +38,8 @@ nginx:
    - "127.0.0.1"
    - "::1"
  
-  # Enable real IP detection from X-Forwarded-For
-  enable_real_ip: true
+  # Enable real IP detection from X-Forwarded-For header
+  enable_real_ip: false

 # Service settings
 service:
@ -47,7 +47,7 @@ service:
  host: "127.0.0.1"
  
  # Port to listen on
-  port: 9120
+  port: 9123
  
  # Log level
  log_level: "info"
--- a/main.py
+++ b/main.py
@ -57,6 +57,8 @@ else:
        }
    }

+print(f"Security config - IP check: {config['security']['enable_ip_check']}, API key: {config['security']['enable_api_key']}")
+
 app = FastAPI(title="Hermes Service API", version="1.2.0")

 # Configure CORS
@ -123,6 +125,7 @@ def validate_ip_and_apikey():
            # IP validation
            if config['security']['enable_ip_check']:
                client_ip = get_real_ip(request)
+                print(f"DEBUG: Client IP: {client_ip}")  # Debug log
                allowed = False
                for allowed_ip in config['security']['allowed_ips']:
                    try:
@ -208,7 +211,7 @@ async def health_check():

@app.get("/api/v1/status")
@validate_ip_and_apikey()
-async def get_hermes_status():
+async def get_hermes_status(request: Request):
    try:
        result = await execute_hermes_command(["--version"], user_id=None)
        return {"status": "running", "version": result.get("stdout", "").strip()}