Feature: Public routes (auth_required=false) for unauthenticated access

[artpar]

Problem

When using APIGate as a reverse proxy for Hoster, ALL requests require API key authentication. There's no way to configure a route as "public" to allow unauthenticated access.

Use Case

Hoster (deployment marketplace) needs:

1. Public frontend (/*) - Marketplace browsing without login
2. Authenticated API (/api/*) - Requires API key with header injection
3. Authenticated apps (*.apps.domain) - Deployed apps

Currently, even the marketplace landing page requires an API key, which breaks the user experience.

Proposed Solution

Add auth_required field to routes (default: true for backward compatibility):

Database Migration

ALTER TABLE routes ADD COLUMN auth_required INTEGER NOT NULL DEFAULT 1;

Route Domain Model

type Route struct {
    // ... existing fields ...
    AuthRequired bool `json:"auth_required"` // Default: true
}

Proxy Handler Change

Move route matching BEFORE auth check:

1. Match route first
2. If route.AuthRequired == false: skip API key validation, forward request
3. If route.AuthRequired == true: current flow (validate key, inject headers, etc.)

Admin API

Accept auth_required in route create/update:

{
  "name": "hoster-frontend",
  "path_pattern": "/*",
  "upstream_id": "xxx",
  "auth_required": false
}

CLI

apigate routes create --name frontend --path "/*" --upstream hoster --auth=false

Behavior When auth_required=false

• No API key required
• No rate limiting applied
• No quota tracking
• Anonymous usage still logged for analytics
• Request/response transforms still work
• Upstream auth injection still works

Related

This was previously discussed in issue #22 but implementation was not completed.

Environment

• APIGate: latest
• Hoster: using APIGate for auth/billing proxy

[artpar]

Investigation Findings

Current State: Partially Implemented

Component	Status	Details
Domain Model	✅ Done	Route.AuthRequired exists in domain/route/route.go
Proxy Logic	✅ Done	app/proxy.go checks route.AuthRequired and skips auth for public routes
Database Schema	❌ Missing	003_routes.sql lacks auth_required column
Route Store	❌ Missing	Does not persist/load auth_required field
Admin API	❌ Missing	Does not expose auth_required in JSON:API
CLI	❌ Missing	Does not support --auth=false flag

Implementation Plan

1. Database Migration - Add auth_required column (default: 1 for backward compatibility)
2. Route Store - Update SQLite store to persist/load the field
3. Admin API - Update route handlers to accept/return auth_required
4. CLI - Add --auth-required flag to route commands

Key Files

• domain/route/route.go - Domain model (already has field)
• app/proxy.go:149-214 - Auth flow (already checks field)
• adapters/sqlite/migrations/003_routes.sql - Schema (needs column)
• adapters/sqlite/routestore.go - Store (needs update)
• adapters/http/admin/routes.go - Admin API (needs update)

Starting implementation...

[artpar]

Implementation Complete

All components for public routes (auth_required=false) are already implemented:

Existing Implementation

Component	File	Status
Database migration	adapters/sqlite/migrations/022_auth_required.sql	✅ Complete
Domain model	domain/route/route.go - AuthRequired bool	✅ Complete
Route store	adapters/sqlite/routestore.go - persists/loads field	✅ Complete
Admin API	adapters/http/admin/routes.go - accepts/returns auth_required	✅ Complete
Module CLI	core/modules/route.yaml - --auth flag for create/update	✅ Complete
Proxy logic	app/proxy.go - skips auth when \!route.AuthRequired	✅ Complete

Usage

Create a public route via Admin API:

curl -X POST /admin/routes -d '{
  "name": "public-frontend",
  "path_pattern": "/*",
  "upstream_id": "hoster",
  "auth_required": false
}'

Create via CLI:

apigate mod routes create --name public-frontend --path "/*" --upstream hoster --auth=false

This issue can be closed as the feature is fully implemented.

[artpar]

Resolution: Already Implemented

Investigation confirmed this feature is fully implemented across all layers:

• Migration: 022_auth_required.sql adds the column
• Domain: Route model has AuthRequired field
• Store: adapters/sqlite/routestore.go persists/loads the field
• Admin API: adapters/http/admin/routes.go supports auth_required attribute
• CLI: core/modules/route.yaml has --auth flag
• Proxy: Checks route.AuthRequired before requiring API key

Usage:

# CLI
apigate route add my-public-route --upstream http://api.example.com --auth=false

# API
POST /api/admin/routes
{"data": {"type": "routes", "attributes": {"name": "public", "auth_required": false, ...}}}

Closing as complete.