
feat: Implement API Key Authentication middleware for Issue #3

Summary

Implements comprehensive API Key Authentication middleware with audit logging for MCP Unraid Server.

Key Changes

  • Functional Core: Added pure authentication types, validators, and service using Effect.ts patterns
  • Timing-Safe Comparisons: Uses crypto.timingSafeEqual to prevent timing attacks
  • Service Architecture: Refactored 102 lines of inline authentication into a clean Effect.Layer service pattern
  • Comprehensive Audit Logging: Structured logging with sensitive data redaction (only first 8 chars logged)
  • Configuration Support: Added AUDIT_LOG_ENABLED environment variable parsing

Architecture

  • /src/functional-core/auth/ - Pure business logic for authentication validation
  • /src/imperative-shell/middleware/authentication.ts - HTTP middleware factory
  • Maintains functional/imperative boundary compliance with ESLint enforcement

Security Features

  • Bearer token format validation with length and character set restrictions
  • Timing-safe token comparison prevents timing attacks
  • Token prefix logging only (never logs actual tokens)
  • Protected endpoints: /api/v1/tools/* and /tools/*
  • Excluded endpoints: /, /health, /api/v1/auth/status

Testing

  • Added comprehensive unit tests for all authentication validators
  • Effect.ts test patterns with structured error validation
  • Tests cover edge cases, security scenarios, and functional programming compliance

Closes #3 (closed)
