Add API key authentication for /server/* endpoints #116

@nitrobass24

Summary

Add optional API key authentication to protect all /server/* REST and SSE endpoints.

Details

Currently the SeedSync web UI and API have zero authentication. Anyone with network access to port 8800 has full control.

Implementation

  • Add api_key field to [Web] config section (empty = auth disabled for backward compat)
  • Add Bottle before_request hook that checks X-Api-Key header on all /server/* routes
  • SSE endpoint (/server/stream) should accept ?api_key= query param as alternative
  • Return HTTP 401 when key is missing/invalid
  • Angular HttpInterceptor to auto-inject the header
  • Settings UI field (masked input) to configure the key

Acceptance Criteria

  • API key configurable in settings UI
  • All /server/* endpoints reject requests without valid key (when key is set)
  • SSE stream works with query param auth
  • Empty key = no auth (backward compatible)
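
One way the server-side check from the Implementation list could look, as an added example rather than SeedSync's own code. It uses a plain WSGI middleware (which can wrap a Bottle app) in place of a Bottle hook; the function and class names and the `/server/example` path used in testing are assumptions.

```python
import hmac
from urllib.parse import parse_qs

PROTECTED_PREFIX = "/server/"
SSE_PATH = "/server/stream"  # only route allowed to pass the key in the query string


def is_authorized(environ, api_key):
    """Return True if the WSGI request may proceed."""
    path = environ.get("PATH_INFO", "")
    if not api_key or not path.startswith(PROTECTED_PREFIX):
        return True  # empty key = auth disabled; non-API paths (UI assets) stay open
    supplied = environ.get("HTTP_X_API_KEY", "")
    if not supplied and path == SSE_PATH:
        # browser EventSource cannot set custom headers, hence the query-param fallback
        supplied = parse_qs(environ.get("QUERY_STRING", "")).get("api_key", [""])[0]
    # constant-time comparison; encode so non-ASCII input cannot raise TypeError
    return hmac.compare_digest(supplied.encode("utf-8"), api_key.encode("utf-8"))


class ApiKeyMiddleware:
    """Wraps any WSGI app (a Bottle app is one) and rejects unauthenticated calls."""

    def __init__(self, app, get_api_key):
        self.app = app
        self.get_api_key = get_api_key  # callable, so a key changed in settings applies live

    def __call__(self, environ, start_response):
        if is_authorized(environ, self.get_api_key()):
            return self.app(environ, start_response)
        body = b'{"error": "invalid or missing API key"}'
        start_response("401 Unauthorized", [
            ("Content-Type", "application/json"),
            ("Content-Length", str(len(body))),
        ])
        return [body]


def demo_request(path, key_setting, header=None, query=""):
    """Constructed request run through the middleware; returns the status line."""
    def inner_app(environ, start_response):  # stand-in for the real application
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    seen = []
    environ = {"PATH_INFO": path, "QUERY_STRING": query}
    if header is not None:
        environ["HTTP_X_API_KEY"] = header
    ApiKeyMiddleware(inner_app, lambda: key_setting)(environ, lambda s, h: seen.append(s))
    return seen[0]
```

A key sent as `?api_key=` is part of the URL, so access logs and intermediate proxies may record it; restricting that fallback to `/server/stream` limits the exposure to the one route that needs it.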

Labels: security (Security hardening and vulnerability fixes)
