networknt
diff --git a/‎src/SUMMARY.md‎
Lines changed: 16 additions & 0 deletions b/‎src/SUMMARY.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎src/concern/admin/cache-explorer.md‎
Lines changed: 86 additions & 0 deletions b/‎src/concern/admin/cache-explorer.md‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎src/concern/admin/config-reload.md‎
Lines changed: 113 additions & 0 deletions b/‎src/concern/admin/config-reload.md‎
Lines changed: 113 additions & 0 deletions
diff --git a/‎src/concern/middleware/api-key.md‎
Lines changed: 113 additions & 0 deletions b/‎src/concern/middleware/api-key.md‎
Lines changed: 113 additions & 0 deletions
@@ -14,6 +14,10 @@
       - [Path Resource](./concern/handler/path-resource.md)
       - [Virtual Host](./concern/handler/virtual-host.md)
     - [Middleware Handler](./concern/middleware-handler.md)
+      - [API Key](./concern/middleware/api-key.md)
+      - [Audit Handler](./concern/middleware/audit-handler.md)
+      - [Basic Auth](./concern/middleware/basic-auth.md)
+      - [Body Handler](./concern/middleware/body-handler.md)
       - [Header Handler](./concern/middleware/header-handler.md)
       - [IP Whitelist](./concern/middleware/ip-whitelist.md)
       - [Rate Limit](./concern/middleware/rate-limit.md)
@@ -28,11 +32,23 @@
       - [Request Transformer](./concern/interceptor/request-transformer.md)
       - [Response Transformer](./concern/interceptor/response-transformer.md)
     - [Admin Endpoint](./concern/admin-endpoint.md)
+      - [Cache Explorer](./concern/admin/cache-explorer.md)
+      - [Config Reload](./concern/admin/config-reload.md)
       - [Server Info](./concern/admin/server-info.md)
       - [Logger Handler](./concern/admin/logger-handler.md)
     - [Utility](./concern/utility/utility.md)
       - [Ldap Utility](./concern/utility/ladp-util.md)
     - [Module](./concern/module/module.md)  
+      - [Load Balance](./concern/module/load-balance.md)
+      - [Cluster](./concern/module/cluster.md)
+      - [Switch](./concern/module/switch.md)
+      - [Consul Registry](./concern/module/consul-registry.md)
+      - [Config](./concern/module/config.md)
+      - [Cache Manager](./concern/module/cache-manager.md)
+      - [Data Source](./concern/module/data-source.md)
+      - [DB Provider](./concern/module/db-provider.md)
+      - [Decryptor](./concern/module/decryptor.md)
+      - [Http2 Client](./concern/module/http2-client.md)
       - [Monard Result](./concern/module/monard-result.md)
       - [Data Mask](./concern/module/data-mask.md)
       - [Portal Registry](./concern/module/portal-registry.md)
 
@@ -0,0 +1,86 @@
+# Cache Explorer
+
+The `CacheExplorerHandler` is an admin endpoint that allows developers and operators to inspect the contents of the application's internal caches. It is particularly useful for debugging and verifying that data (such as JWKs, ensuring config reloading, etc.) is correctly cached.
+
+## Overview
+
+-   **Type**: Admin Handler
+-   **Class**: `com.networknt.cache.CacheExplorerHandler`
+-   **Source**: `light-4j/cache-explorer`
+
+## Usage
+
+The handler operates by retrieving a specific cache by name via the `CacheManager` singleton.
+
+### Endpoint
+
+The endpoint is typically accessible via the admin port (default 8473) if configured using the [admin-endpoint][] module.
+
+**Method**: `GET`
+**Path**: `/adm/cache` (or as configured in `handler.yml`)
+
+### Parameters
+
+| Parameter | Type | Required | Description |
+| :--- | :--- | :--- | :--- |
+| `name` | Query | Yes | The name of the cache to inspect (e.g., `jwk`, `jwt`, `myCache`). |
+
+### Examples
+
+#### Inspect JWK Cache
+
+The `jwk` cache has special handling to format the output as a simple JSON map of strings.
+
+Request:
+```
+GET /adm/cache?name=jwk
+```
+
+Response:
+```json
+{
+  "key1": "value1",
+  "key2": "value2"
+}
+```
+
+#### Inspect Generic Cache
+
+For other caches, it returns the JSON representation of the cache's key-value pairs.
+
+Request:
+```
+GET /adm/cache?name=myCache
+```
+
+Response:
+```json
+{
+  "user123": {
+    "name": "John",
+    "role": "admin"
+  }
+}
+```
+
+## Configuration
+
+This module does not have a specific configuration file (e.g., `cache-explorer.yml`). It relies on the `CacheManager` being available and populated.
+
+To use it, you must register the handler in `handler.yml` and add it to the admin chain (or another chain).
+
+### `handler.yml` Registration
+
+```yaml
+handler.handlers:
+  # ... other handlers ...
+  - com.networknt.cache.CacheExplorerHandler@cache_explorer
+
+handler.chains.default:
+  # ...
+  - cache_explorer
+```
+
+**Note**: In most standard `light-4j` templates, if you are using the unified `admin-endpoint`, this handler might not be wired by default and needs explicit registration if you want it exposed on the main port, or it might be auto-wired in the admin chain if the dependency is present (depending on the chassis version).
+
+[admin-endpoint]: /concern/admin-endpoint/
@@ -0,0 +1,113 @@
+# Config Reload
+
+The `config-reload` module provides admin endpoints to reload configuration files for specific modules or plugins at runtime without restarting the server. This is particularly useful in shared environments like a gateway where restarting would impact multiple services, or for dynamic updates to policies and rules.
+
+## Endpoints
+
+The module typically exposes two operations on the same path (e.g., `/adm/modules`).
+
+### Get Registered Modules
+
+-   **Path**: `/adm/modules`
+-   **Method**: `GET`
+-   **Description**: Returns a list of all registered modules and plugins capable of being reloaded.
+-   **Response**: A JSON array of class names (Strings).
+
+### Trigger Config Reload
+
+-   **Path**: `/adm/modules`
+-   **Method**: `POST`
+-   **Description**: Triggers a config reload for the specified list of modules or plugins.
+-   **Request Body**: A JSON array of class names (Strings) to reload. If the list is empty or contains "ALL", it attempts to reload all registered modules.
+-   **Response**: A JSON array of the class names that were successfully reloaded.
+
+## Configuration
+
+### Module Configuration (`configreload.yml`)
+
+The module itself is configured via `configReload.yml` (or `configReload.yaml`/`json`).
+
+| Property | Description | Default |
+| :--- | :--- | :--- |
+| `enabled` | Enable or disable the config reload endpoints. | `true` |
+
+### Handler Configuration (`handler.yml`)
+
+To expose the endpoints, you need to configure them in your `handler.yml`.
+
+```yaml
+paths:
+  - path: '/adm/modules'
+    method: 'get'
+    exec:
+      - admin
+      - modules
+  - path: '/adm/modules'
+    method: 'post'
+    exec:
+      - admin
+      - configReload
+```
+
+And in `values.yml` (if using aliases):
+
+```yaml
+handler.handlers:
+  - com.networknt.config.reload.handler.ModuleRegistryGetHandler@modules
+  - com.networknt.config.reload.handler.ConfigReloadHandler@configReload
+```
+
+## Security
+
+These are sensitive admin endpoints. They should be protected by OAuth 2.0 (requiring a specific scope like `admin` or `${serviceId}/admin`) or restricted by IP whitelist in a sidecar/gateway deployment.
+
+## Dependency
+
+Add the following dependency to your `pom.xml`:
+
+```xml
+<dependency>
+  <groupId>com.networknt</groupId>
+  <artifactId>config-reload</artifactId>
+  <version>${version.light-4j}</version>
+</dependency>
+```
+
+## Usage Examples
+
+### List Modules
+
+```bash
+curl -k https://localhost:8443/adm/modules
+```
+
+**Response:**
+```json
+[
+    "com.networknt.limit.LimitHandler",
+    "com.networknt.audit.AuditHandler",
+    "com.networknt.router.middleware.PathPrefixServiceHandler",
+    ...
+]
+```
+
+### Reload Config
+
+Reload configuration for the Limit Handler and Path Prefix Handler.
+
+```bash
+curl -k -X POST https://localhost:8443/adm/modules \
+  -H 'Content-Type: application/json' \
+  -d '[
+    "com.networknt.limit.LimitHandler",
+    "com.networknt.router.middleware.PathPrefixServiceHandler"
+  ]'
+```
+
+**Response:**
+```json
+[
+    "com.networknt.limit.LimitHandler",
+    "com.networknt.router.middleware.PathPrefixServiceHandler"
+]
+```
@@ -0,0 +1,113 @@
+# API Key Handler
+
+For some legacy applications to migrate from a monolithic gateway to the light-gateway without changing any code on the consumer application, we need to support the API Key authentication on the light-gateway (LG) or client-proxy (LCP). The consumer application sends the API key in a header to authenticate itself on the light-gateway. Then the light-gateway will retrieve a JWT token to access the downstream API.
+
+Only specific paths will have API Key set up, and the header name for each application might be different. To support all use cases, we add a list of maps to the configuration `apikey.yml` to `pathPrefixAuths` property.
+
+Each config item will have `pathPrefix`, `headerName`, and `apiKey`. The handler will try to match the path prefix first and then get the input API Key from the header. After comparing with the configured API Key, the handler will return either `ERR10075` API_KEY_MISMATCH or pass the control to the next handler in the chain.
+
+## Configuration
+
+The configuration is managed by `ApiKeyConfig` and corresponds to `apikey.yml` (or `apikey.json`/`apikey.properties`).
+
+### Configuration Properties
+
+| Property | Type | Default | Description |
+| :--- | :--- | :--- | :--- |
+| `enabled` | boolean | `false` | Enable ApiKey Authentication Handler. |
+| `hashEnabled` | boolean | `false` | If API key hash is enabled. The API key will be hashed with PBKDF2WithHmacSHA1 before it is stored in the config file. It is more secure than putting the clear text key into the config file. |
+| `pathPrefixAuths` | list | `null` | A list of mappings between path prefix and the api key parameters. |
+
+### Configuration Example (apikey.yml)
+
+```yaml
+# ApiKey Authentication Security Configuration for light-4j
+# Enable ApiKey Authentication Handler, default is false.
+enabled: ${apikey.enabled:false}
+
+# If API key hash is enabled. The API key will be hashed with PBKDF2WithHmacSHA1 before it is
+# stored in the config file. It is more secure than put the encrypted key into the config file.
+# The default value is false. If you want to enable it, you need to use the light-hash command line tool.
+hashEnabled: ${apikey.hashEnabled:false}
+
+# path prefix to the api key mapping. It is a list of map between the path prefix and the api key
+# for apikey authentication. In the handler, it loops through the list and find the matching path
+# prefix. Once found, it will check if the apikey is equal to allow the access or return an error.
+pathPrefixAuths: ${apikey.pathPrefixAuths:}
+```
+
+### Values Example (values.yml)
+
+To enable the handler and configure paths, add the following to your `values.yml`:
+
+```yaml
+# apikey.yml
+apikey.enabled: true
+apikey.pathPrefixAuths:
+  - pathPrefix: /test1
+    headerName: x-gateway-apikey
+    apiKey: abcdefg
+  - pathPrefix: /test2
+    headerName: x-apikey
+    apiKey: mykey
+```
+
+JSON format example for `pathPrefixAuths` (useful for config server):
+
+```json
+[{"pathPrefix":"/test1","headerName":"x-gateway-apikey","apiKey":"abcdefg"},{"pathPrefix":"/test2","headerName":"x-apikey","apiKey":"mykey"}]
+```
+
+### Multiple Consumers for Same Path
+
+Most services will have multiple consumers, and each consumer might have its own API key for authentication. You can define multiple entries for the same path prefix:
+
+```yaml
+apikey.pathPrefixAuths:
+  - pathPrefix: /test1
+    headerName: x-gateway-apikey
+    apiKey: abcdefg
+  # The same prefix has another apikey header and value.
+  - pathPrefix: /test1
+    headerName: authorization
+    apiKey: xyz
+```
+
+## Security with Hash
+
+Storing API keys in clear text is only recommended for testing. For production, enable hashing:
+
+1.  Enable hash in `values.yml`:
+    ```yaml
+    apikey.hashEnabled: true
+    ```
+2.  Generate the hash of your API key using the [light-hash](https://github.com/networknt/light-hash) utility.
+3.  Use the generated hash string as the `apiKey` value in your configuration.
+
+## Error Response
+
+If the request path matches a configured prefix but the API key verification fails, the handler returns error `ERR10075`.
+
+**Status Code**: 401
+**Code**: ERR10075
+**Message**: API_KEY_MISMATCH
+**Description**: APIKEY from header %s is not matched for request path prefix %s.
+
+To prevent leaking sensitive information, the expected apiKey from the config file is not revealed in the error message.
+
+## Usage
+
+Register the `ApiKeyHandler` in your `handler.yml` chain.
+
+```yaml
+handler.handlers:
+  .
+  - com.networknt.apikey.ApiKeyHandler@apikey
+
+handler.chains.default:
+  .
+  - apikey
+  .
+```
+
+If you are using the Unified Security Handler, you can integrate the API Key handler there as well to support multiple authentication methods (ApiKey, Basic, OAuth2, SWT) simultaneously.