Api improvements

Author: isTravis

Caddyfile

@@ -10,9 +10,6 @@ www.underlay.org {
     handle /api/* {
         reverse_proxy 127.0.0.1:3001
     }
-    handle /assets/* {
-        reverse_proxy 127.0.0.1:3001
-    }
     handle /uploads/* {
         reverse_proxy 127.0.0.1:3001
     }
@@ -30,9 +27,6 @@ dev.underlay.org {
     handle /api/* {
         reverse_proxy 127.0.0.1:3000
     }
-    handle /assets/* {
-        reverse_proxy 127.0.0.1:3000
-    }
     handle /uploads/* {
         reverse_proxy 127.0.0.1:3000
     }

docker-compose.local.yml

@@ -35,35 +35,6 @@ services:
           memory: 1g
           cpus: "1.0"
 
-  minio:
-    image: minio/minio:latest
-    command: server /data --console-address ":9001"
-    environment:
-      MINIO_ROOT_USER: minioadmin
-      MINIO_ROOT_PASSWORD: minioadmin
-    ports:
-      - "9000:9000"
-      - "9001:9001"
-    volumes:
-      - miniodata-dev:/data
-    networks:
-      - dev
-
-  createbucket:
-    image: minio/mc:latest
-    depends_on:
-      minio:
-        condition: service_started
-    networks:
-      - dev
-    entrypoint: >
-      /bin/sh -c "
-      sleep 2;
-      mc alias set local http://minio:9000 minioadmin minioadmin;
-      mc mb local/underlay --ignore-existing;
-      exit 0;
-      "
-
   app:
     build:
       context: .
@@ -79,8 +50,6 @@ services:
     depends_on:
       postgres:
         condition: service_healthy
-      minio:
-        condition: service_started
     volumes:
       - ./src:/app/src
       - ./public:/app/public
@@ -107,4 +76,3 @@ networks:
 
 volumes:
   pgdata-dev:
-  miniodata-dev:

package-lock.json

@@ -32,6 +32,7 @@
     "@fastify/cookie": "^11.0.0",
     "@fastify/cors": "^11.0.0",
     "@fastify/multipart": "^10.0.0",
+    "@fastify/rate-limit": "^10.3.0",
     "@lucide/astro": "^1.11.0",
     "@sinclair/typebox": "^0.34.0",
     "ajv": "^8.17.0",

package.json

@@ -23,9 +23,26 @@ There are two auth methods:
    POST /api/accounts/logout clears the session.
    GET /api/accounts/me returns the current user (works with either auth method).
 
-Public endpoints (browsing collections, reading public versions) require no auth.
-Write endpoints require a key with "write" scope or an active session.
-Delete endpoints require "admin" scope.
+All GET requests are public — no auth required to read public data.
+All write requests (POST, PATCH, PUT, DELETE) require authentication.
+If a Bearer token is provided but invalid, the request is rejected immediately (401).
+
+## Rate Limits
+
+Requests are rate-limited per IP (unauthenticated) or per account (authenticated).
+
+| Auth status       | Limit         |
+|-------------------|---------------|
+| Unauthenticated   | 60 req/min    |
+| Authenticated     | 5,000 req/min |
+
+Rate limit headers are included on every response:
+- X-RateLimit-Limit: max requests in the window
+- X-RateLimit-Remaining: requests left
+- X-RateLimit-Reset: seconds until the window resets
+
+When exceeded, you'll get a 429 response with a Retry-After header.
+To get the higher limit, authenticate with an API key (recommended for any automated access).
 
 ---
 

public/.well-known/ai.txt

@@ -14,17 +14,36 @@ declare module "fastify" {
 }
 
 async function authPlugin(app: FastifyInstance) {
-  // API key auth via Bearer token
   app.decorateRequest("accountId", undefined);
   app.decorateRequest("apiKeyScope", undefined);
   app.decorateRequest("apiKeyCollectionId", undefined);
   app.decorateRequest("sessionUserId", undefined);
 
-  app.addHook("onRequest", async (request: FastifyRequest) => {
+  // Paths that never require auth (even for POST)
+  const publicPaths = new Set([
+    "/api/health",
+    "/api/accounts/signup",
+    "/api/accounts/login",
+    "/api/accounts/forgot-password",
+    "/api/accounts/reset-password",
+  ]);
+
+  const internalToken = process.env.INTERNAL_API_TOKEN ?? "internal-dev-token";
+
+  app.addHook("onRequest", async (request: FastifyRequest, reply: FastifyReply) => {
+    // Internal service calls from Astro SSR
+    const internalHeader = request.headers["x-internal-token"];
+    if (internalHeader === internalToken) {
+      request.apiKeyScope = "read";
+      return;
+    }
+
+    // API key auth via Bearer token
     const auth = request.headers.authorization;
     if (auth?.startsWith("Bearer ")) {
       const token = auth.slice(7);
       const keys = await db.select().from(schema.apiKeys);
+      let matched = false;
       for (const key of keys) {
         const match = await bcrypt.compare(token, key.keyHash);
         if (match) {
@@ -35,9 +54,14 @@ async function authPlugin(app: FastifyInstance) {
             .update(schema.apiKeys)
             .set({ lastUsedAt: new Date() })
             .where(eq(schema.apiKeys.id, key.id));
-          return;
+          matched = true;
+          break;
         }
       }
+      if (!matched) {
+        return reply.status(401).send({ error: "Invalid API key", statusCode: 401 });
+      }
+      return;
     }
 
     // Session cookie auth
@@ -62,6 +86,16 @@ async function authPlugin(app: FastifyInstance) {
         // Invalid or expired cookie — ignore silently
       }
     }
+
+    // Public GETs are allowed without auth (rate-limited by IP)
+    if (request.method === "GET") return;
+
+    // All writes (POST/PATCH/PUT/DELETE) require auth, except public paths
+    if (!request.accountId) {
+      const path = request.url.split("?")[0];
+      if (publicPaths.has(path)) return;
+      return reply.status(401).send({ error: "Authentication required", statusCode: 401 });
+    }
   });
 }
 

src/api/plugins/auth.ts

@@ -7,6 +7,9 @@ import { requireAuth } from "../plugins/auth.js";
 import { uploadToS3, deleteS3Objects, listS3Objects } from "../../lib/s3.js";
 import { sendEmail } from "../../lib/email.js";
 
+/** Base URL for public assets (avatars, etc.) */
+const ASSETS_BASE_URL = process.env.ASSETS_BASE_URL ?? "https://assets.underlay.org";
+
 const RESERVED_SLUGS = new Set([
   "explore", "docs", "connect", "blog", "dashboard", "settings",
   "api", "login", "signup", "admin", "about", "help", "support",
@@ -323,13 +326,12 @@ export async function accountRoutes(app: FastifyInstance) {
 
       await uploadToS3(key, buffer, data.mimetype);
 
-      const avatarUrl = `/api/files/avatars/${request.accountId}/${key.split("/").pop()}`;
       await db
         .update(schema.accounts)
-        .set({ avatarUrl })
+        .set({ avatarUrl: `${ASSETS_BASE_URL}/${key}` })
         .where(eq(schema.accounts.id, request.accountId!));
 
-      return { ok: true, avatarUrl };
+      return { ok: true, avatarUrl: `${ASSETS_BASE_URL}/${key}` };
     },
   );
 
@@ -1070,10 +1072,9 @@ export async function accountRoutes(app: FastifyInstance) {
 
       await uploadToS3(key, buffer, data.mimetype);
 
-      const avatarUrl = `/api/files/avatars/${org.id}/${key.split("/").pop()}`;
-      await db.update(schema.accounts).set({ avatarUrl }).where(eq(schema.accounts.id, org.id));
+      await db.update(schema.accounts).set({ avatarUrl: `${ASSETS_BASE_URL}/${key}` }).where(eq(schema.accounts.id, org.id));
 
-      return { ok: true, avatarUrl };
+      return { ok: true, avatarUrl: `${ASSETS_BASE_URL}/${key}` };
     },
   );
 

src/api/routes/accounts.ts

@@ -2,6 +2,7 @@ import Fastify from "fastify";
 import cookie from "@fastify/cookie";
 import cors from "@fastify/cors";
 import multipart from "@fastify/multipart";
+import rateLimit from "@fastify/rate-limit";
 
 import authPlugin from "./plugins/auth.js";
 import { healthRoutes } from "./routes/health.js";
@@ -29,6 +30,23 @@ export async function buildApp() {
     credentials: true,
   });
 
+  // Rate limiting: unauthenticated gets 60/min, authenticated gets 5000/min
+  await app.register(rateLimit, {
+    max: (request) => request.accountId ? 5000 : 60,
+    timeWindow: "1 minute",
+    keyGenerator: (request) => {
+      if (request.accountId) return `acct:${request.accountId}`;
+      return request.ip;
+    },
+    hook: "preHandler", // runs after onRequest (auth), so accountId is set
+    errorResponseBuilder: (_request, context) => ({
+      statusCode: 429,
+      error: "Too Many Requests",
+      message: `Rate limit exceeded. Try again in ${Math.ceil(context.ttl / 1000)} seconds.`,
+      retryAfter: Math.ceil(context.ttl / 1000),
+    }),
+  });
+
   await app.register(multipart, {
     limits: { fileSize: 500 * 1024 * 1024 }, // 500MB for large files
   });