feat: Update api key setup and account pages/settings

Author: isTravis

Caddyfile

@@ -10,9 +10,6 @@ www.underlay.org {
     handle /api/* {
         reverse_proxy 127.0.0.1:3001
     }
-    handle /assets/* {
-        reverse_proxy 127.0.0.1:3001
-    }
     handle /uploads/* {
         reverse_proxy 127.0.0.1:3001
     }
@@ -30,9 +27,6 @@ dev.underlay.org {
     handle /api/* {
         reverse_proxy 127.0.0.1:3000
     }
-    handle /assets/* {
-        reverse_proxy 127.0.0.1:3000
-    }
     handle /uploads/* {
         reverse_proxy 127.0.0.1:3000
     }

docker-compose.local.yml

@@ -35,35 +35,6 @@ services:
           memory: 1g
           cpus: "1.0"
 
-  minio:
-    image: minio/minio:latest
-    command: server /data --console-address ":9001"
-    environment:
-      MINIO_ROOT_USER: minioadmin
-      MINIO_ROOT_PASSWORD: minioadmin
-    ports:
-      - "9000:9000"
-      - "9001:9001"
-    volumes:
-      - miniodata-dev:/data
-    networks:
-      - dev
-
-  createbucket:
-    image: minio/mc:latest
-    depends_on:
-      minio:
-        condition: service_started
-    networks:
-      - dev
-    entrypoint: >
-      /bin/sh -c "
-      sleep 2;
-      mc alias set local http://minio:9000 minioadmin minioadmin;
-      mc mb local/underlay --ignore-existing;
-      exit 0;
-      "
-
   app:
     build:
       context: .
@@ -79,8 +50,6 @@ services:
     depends_on:
       postgres:
         condition: service_healthy
-      minio:
-        condition: service_started
     volumes:
       - ./src:/app/src
       - ./public:/app/public
@@ -107,4 +76,3 @@ networks:
 
 volumes:
   pgdata-dev:
-  miniodata-dev:

package-lock.json

@@ -32,6 +32,7 @@
     "@fastify/cookie": "^11.0.0",
     "@fastify/cors": "^11.0.0",
     "@fastify/multipart": "^10.0.0",
+    "@fastify/rate-limit": "^10.3.0",
     "@lucide/astro": "^1.11.0",
     "@sinclair/typebox": "^0.34.0",
     "ajv": "^8.17.0",
@@ -43,6 +44,7 @@
     "lucide-react": "^1.11.0",
     "marked": "^18.0.0",
     "node-cron": "^4.0.0",
+    "nodemailer": "^8.0.7",
     "postgres": "^3.4.0",
     "react": "^19.1.0",
     "react-dom": "^19.1.0",
@@ -53,6 +55,7 @@
     "@tailwindcss/vite": "^4.1.0",
     "@types/bcrypt": "^6.0.0",
     "@types/node": "^25.0.0",
+    "@types/nodemailer": "^8.0.0",
     "@types/react": "^19.1.0",
     "@types/react-dom": "^19.1.0",
     "@types/tar-stream": "^3.1.4",

package.json

@@ -23,9 +23,26 @@ There are two auth methods:
    POST /api/accounts/logout clears the session.
    GET /api/accounts/me returns the current user (works with either auth method).
 
-Public endpoints (browsing collections, reading public versions) require no auth.
-Write endpoints require a key with "write" scope or an active session.
-Delete endpoints require "admin" scope.
+All GET requests are public — no auth required to read public data.
+All write requests (POST, PATCH, PUT, DELETE) require authentication.
+If a Bearer token is provided but invalid, the request is rejected immediately (401).
+
+## Rate Limits
+
+Requests are rate-limited per IP (unauthenticated) or per account (authenticated).
+
+| Auth status       | Limit         |
+|-------------------|---------------|
+| Unauthenticated   | 60 req/min    |
+| Authenticated     | 5,000 req/min |
+
+Rate limit headers are included on every response:
+- X-RateLimit-Limit: max requests in the window
+- X-RateLimit-Remaining: requests left
+- X-RateLimit-Reset: seconds until the window resets
+
+When exceeded, you'll get a 429 response with a Retry-After header.
+To get the higher limit, authenticate with an API key (recommended for any automated access).
 
 ---
 

public/.well-known/ai.txt

@@ -14,17 +14,36 @@ declare module "fastify" {
 }
 
 async function authPlugin(app: FastifyInstance) {
-  // API key auth via Bearer token
   app.decorateRequest("accountId", undefined);
   app.decorateRequest("apiKeyScope", undefined);
   app.decorateRequest("apiKeyCollectionId", undefined);
   app.decorateRequest("sessionUserId", undefined);
 
-  app.addHook("onRequest", async (request: FastifyRequest) => {
+  // Paths that never require auth (even for POST)
+  const publicPaths = new Set([
+    "/api/health",
+    "/api/accounts/signup",
+    "/api/accounts/login",
+    "/api/accounts/forgot-password",
+    "/api/accounts/reset-password",
+  ]);
+
+  const internalToken = process.env.INTERNAL_API_TOKEN ?? "internal-dev-token";
+
+  app.addHook("onRequest", async (request: FastifyRequest, reply: FastifyReply) => {
+    // Internal service calls from Astro SSR
+    const internalHeader = request.headers["x-internal-token"];
+    if (internalHeader === internalToken) {
+      request.apiKeyScope = "read";
+      return;
+    }
+
+    // API key auth via Bearer token
     const auth = request.headers.authorization;
     if (auth?.startsWith("Bearer ")) {
       const token = auth.slice(7);
       const keys = await db.select().from(schema.apiKeys);
+      let matched = false;
       for (const key of keys) {
         const match = await bcrypt.compare(token, key.keyHash);
         if (match) {
@@ -35,9 +54,14 @@ async function authPlugin(app: FastifyInstance) {
             .update(schema.apiKeys)
             .set({ lastUsedAt: new Date() })
             .where(eq(schema.apiKeys.id, key.id));
-          return;
+          matched = true;
+          break;
         }
       }
+      if (!matched) {
+        return reply.status(401).send({ error: "Invalid API key", statusCode: 401 });
+      }
+      return;
     }
 
     // Session cookie auth
@@ -62,6 +86,16 @@ async function authPlugin(app: FastifyInstance) {
         // Invalid or expired cookie — ignore silently
       }
     }
+
+    // Public GETs are allowed without auth (rate-limited by IP)
+    if (request.method === "GET") return;
+
+    // All writes (POST/PATCH/PUT/DELETE) require auth, except public paths
+    if (!request.accountId) {
+      const path = request.url.split("?")[0];
+      if (publicPaths.has(path)) return;
+      return reply.status(401).send({ error: "Authentication required", statusCode: 401 });
+    }
   });
 }