Skip to content

Add optional API-key authentication on registration/device routes#62

Open
ff225 wants to merge 1 commit into
mainfrom
fix/sciot-053-api-key-auth
Open

Add optional API-key authentication on registration/device routes#62
ff225 wants to merge 1 commit into
mainfrom
fix/sciot-053-api-key-auth

Conversation

@ff225

@ff225 ff225 commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • The HTTP registration/device_input/device_inference_result routes had no authentication — any device on the network could register and send data.
  • Adds an ASGI middleware gate on HttpServer behind communication.http.auth.enabled (default false, so existing deployments are unaffected). When enabled, requests to those three routes must send a matching X-API-Key header; the key is set via communication.http.auth.api_key or the SCIOT_API_KEY env var (env var takes precedence). Enabling auth without a configured key fails fast at server startup instead of silently locking everyone out or silently doing nothing.
  • Documented in docs/config/server.full.yaml, src/server/settings.yaml, and docs/CONFIGURATION.md; validated in sciot.config.validate_server_config.

Test plan

  • Added tests/integration/test_http_api_key_auth.py: disabled-by-default passthrough, missing/wrong key rejected with 401, correct key accepted, env var precedence over settings key, unprotected routes (e.g. offloading_layer) unaffected, fail-fast when enabled without a key.
  • Added communication.http.auth validation cases to tests/unit/test_config_validation.py.
  • uv run pytest tests/unit tests/integration -m "not external_server and not model_artifact" passes (191 passed, 1 skipped).

Closes #53

The registration/device_input/device_inference_result HTTP routes had
no authentication, so any device on the network could register and
send data. Adds a middleware gate behind
communication.http.auth.enabled, requiring an X-API-Key header that
matches auth.api_key (or the SCIOT_API_KEY env var, which takes
precedence). Off by default to avoid breaking existing deployments.

Closes #53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add basic API-key authentication on routes

1 participant