auth middlewareを追加#131
Merged
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
kaede API に環境変数 KAEDE_API_SHARED_TOKEN による shared token 認証 middleware を追加し、token を持つクライアントのみが /api/* を利用できるようにする PR です(callback/health check は例外)。
Changes:
/api/*に shared token 認証 middleware を適用(/api/trajectories/callbackは除外)KAEDE_API_SHARED_TOKENを runtime config に追加し、各環境の.env.exampleと README に利用方法を追記- middleware 本体および配線のテストを追加
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| README.md | shared token 認証の仕様・設定方法・例外パスを追記 |
| deploy/env/test.env.example | KAEDE_API_SHARED_TOKEN の例を追加 |
| deploy/env/staging.env.example | KAEDE_API_SHARED_TOKEN の例を追加 |
| deploy/env/production.env.example | KAEDE_API_SHARED_TOKEN の例を追加 |
| deploy/env/local.env.example | local で無効化できるよう空値の例を追加 |
| apps/kaede/src/server.ts | /api/* に middleware を適用し callback を exempt に設定 |
| apps/kaede/src/server.test.ts | createApp レベルでの認証配線テストを追加 |
| apps/kaede/src/middleware/api-shared-token.ts | shared token 認証 middleware を新規追加 |
| apps/kaede/src/middleware/api-shared-token.test.ts | middleware の単体テストを追加 |
| apps/kaede/src/config/runtime.ts | runtime config に apiSharedToken を追加 |
Comments suppressed due to low confidence (1)
apps/kaede/src/config/runtime.ts:69
-
- 問題:
KAEDE_API_SHARED_TOKENをprocess.envからそのまま読み込んでおり、前後空白の混入やchange_me_*の placeholder のままのデプロイを検出できません。
- 問題:
- 理由: 空白混入は正しい token を送っても一致せず 401 になります。また staging/production で placeholder のままだと推測可能な token で保護され、セキュリティ事故の原因になります。
- 修正案:
.trim()で正規化し、APP_ENV !== 'local'のときchange_me_のような placeholder を拒否して起動時にエラーにしてください。
export const getAppRuntimeConfig = (): AppRuntimeConfig => {
appRuntimeConfig ??= {
apiSharedToken: process.env.KAEDE_API_SHARED_TOKEN,
env: getOptionalEnv('APP_ENV', 'local'),
deployRef: getOptionalEnv('APP_DEPLOY_REF', 'unknown'),
deployedAt: getOptionalEnv('APP_DEPLOYED_AT', 'unknown'),
host: getOptionalEnv('HOST', '0.0.0.0'),
port: parsePositiveIntegerEnv('PORT', defaultPort),
revision: getOptionalEnv('APP_REVISION', 'unknown'),
}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
issue番号
変更内容(写真か動画も一緒に)
tokenを持っているアプリじゃないと認証できないように変更
影響範囲(あれば)