feat: proxy API key injection + per-source TTL (#70) #102
Merged
Add server-side API key injection and per-source cache TTL to the Edge Function proxy, enabling secure upstream authentication without exposing keys to the browser.

Schema:
- Add authEnvVar, authHeader, cacheTtl fields to SourceSchema

Build:
- Generate api/_shared/proxy-config.ts with domain-to-auth mapping and source-to-TTL mapping at build time

Proxy:
- New api/_shared/key-injection.ts for header-based auth injection
- Proxy handler injects auth headers based on target domain
- TTL resolution: ?ttl= query param > source cacheTtl > default 300

Validation:
- Warn when rate limiting is enabled on stateless Edge Functions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Strip authEnvVar and authHeader from source configs in client-side manifests (source-manifest.ts and config-resolved.ts) to prevent leaking secrets to the browser bundle
- Validate and clamp ?ttl= query param (positive, finite, max 86400s)
- Include authEnvVar in .env.example generation
- Add UPPER_SNAKE_CASE regex validation for authEnvVar in schema
- Only warn about rate-limit on stateless edge functions when cache provider is memory (not when Upstash is configured)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Only strip authEnvVar (the secret reference) from client bundles. authHeader and cacheTtl are non-sensitive config values safe to include.

Update preset snapshots for new source schema fields.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ddf6705 to 3f1f679
Summary

- `authEnvVar` and `authHeader` to inject credentials at the proxy layer, keeping keys off the client
- Per-source cache TTL (`cacheTtl` field) with runtime override via `?ttl=` query parameter; resolution order: query param > source config > default 300s
- `forge validate` warning when rate limiting is enabled on stateless Edge Functions (no external state store)
- `api/_shared/proxy-config.ts` generated at build time with domain-to-auth and source-to-TTL mappings

Changes

- `forge/src/config/schema.ts`: `authEnvVar`, `authHeader`, `cacheTtl` on `SourceSchema`
- `forge/src/commands/build.ts`, `forge/src/generators/manifest-generator.ts`: `generateProxyConfig()` produces `api/_shared/proxy-config.ts`
- `api/proxy/v1/index.ts`: imports `injectAuthHeader` + `proxyConfig`/`sourceTtl`, injects auth headers, resolves TTL
- `api/_shared/key-injection.ts`: pure function, bearer vs plain scheme
- `forge/src/commands/validate.ts`: rate-limit warning on stateless edge
- `src/core/sources/SourceBase.ts`: aligned with schema additions

Test plan

- `api/_shared/key-injection.test.ts` — 6 unit tests for bearer/plain/missing/no-config scenarios
- `api/proxy/v1/index.test.ts` — key injection with/without env var, custom header, TTL override tests
- `forge/src/commands/validate.test.ts` — rate-limit warning present/absent
- `forge/src/generators/manifest-generator.test.ts` — `generateProxyConfig` domain mapping, scheme, TTL
- `npx tsc --noEmit` — zero errors
- `npx vitest run` — 764 tests passed (39 test files)

🤖 Generated with Claude Code
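The two rules the description spells out, server-side header injection keyed on the target domain and the `?ttl=` > `cacheTtl` > 300 resolution with clamping, as an added example that is not the project's own code. The config object shape, the `scheme` field, the function signatures and the behaviour of ignoring an invalid `?ttl=` value are assumptions; hosts and keys are constructed.

```typescript
// Added example, not the project's code: the injection and TTL rules the PR
// describes. Config shape, function signatures and the `scheme` field are assumed.
type AuthScheme = "bearer" | "plain";

// Assumed shape of one entry in the build-time domain-to-auth mapping.
interface AuthConfig {
  authEnvVar: string; // server-side env var holding the secret (never shipped to the client)
  authHeader: string; // header set on the upstream request
  scheme: AuthScheme; // bearer -> "Bearer <key>", plain -> "<key>"
}
type ProxyConfig = Record<string, AuthConfig>;

// Pure function: headers to add for the target host. Returns {} when the host
// has no mapping or the env var is unset, so no header is ever sent unkeyed.
function injectAuthHeader(
  targetUrl: string,
  proxyConfig: ProxyConfig,
  env: Record<string, string | undefined>,
): Record<string, string> {
  const cfg = proxyConfig[new URL(targetUrl).hostname];
  if (!cfg) return {};
  const key = env[cfg.authEnvVar];
  if (!key) return {};
  return { [cfg.authHeader]: cfg.scheme === "bearer" ? `Bearer ${key}` : key };
}

const DEFAULT_TTL = 300;
const MAX_TTL = 86400;

// Resolution order: ?ttl= query param > source cacheTtl > default 300.
// The query value must be positive and finite and is clamped to 86400s;
// an invalid value is ignored (assumption) so the next fallback applies.
function resolveTtl(ttlParam: string | null, sourceTtl?: number): number {
  if (ttlParam !== null) {
    const n = Number(ttlParam);
    if (Number.isFinite(n) && n > 0) return Math.min(n, MAX_TTL);
  }
  return sourceTtl ?? DEFAULT_TTL;
}

// Constructed sample mapping and environment (not real hosts or keys).
const sampleConfig: ProxyConfig = {
  "api.example.com": { authEnvVar: "EXAMPLE_API_KEY", authHeader: "Authorization", scheme: "bearer" },
  "data.example.org": { authEnvVar: "DATA_API_KEY", authHeader: "X-Api-Key", scheme: "plain" },
};
const sampleEnv: Record<string, string | undefined> = { EXAMPLE_API_KEY: "sk-constructed", DATA_API_KEY: "k-constructed" };

console.log(injectAuthHeader("https://api.example.com/v1/items", sampleConfig, sampleEnv), resolveTtl("999999", 60));
```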