startup-starter/skybridge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e5bccc85c203031baa582ae335321db6feaf3024
skybridge/README.md
Ryan Copley 46264cb556 v0
2025-08-22 14:06:20 -04:00

307 lines
7.9 KiB
Markdown
Raw Blame History

# API Key Management Service
A comprehensive, secure API Key Management Service built in modern Go, designed to scale to millions of concurrent requests.
## Features
- **Scalable Architecture**: Built with interfaces and dependency injection for easy extension
- **Dual Token Types**: Support for both static API keys and user JWT tokens
- **Permission System**: Hierarchical permission scopes with granular access control
- **Multiple Auth Providers**: Header-based and SSO authentication providers
- **Rate Limiting**: Configurable rate limiting to prevent abuse
- **Security**: Comprehensive security headers, CORS, and secure token handling
- **Database**: PostgreSQL with proper migrations and connection pooling
- **Monitoring**: Health checks, metrics, and structured logging
- **Docker Ready**: Complete Docker Compose setup for easy deployment
## Architecture
The service follows clean architecture principles with clear separation of concerns:
```
cmd/server/ - Application entry point
internal/
├── domain/ - Domain models and business logic
├── repository/ - Data access interfaces and implementations
├── services/ - Business logic layer
├── handlers/ - HTTP request handlers
├── middleware/ - HTTP middleware components
├── config/ - Configuration management
└── database/ - Database connection and migrations
```
## Quick Start
### Prerequisites
- Docker and Docker Compose
- Go 1.21+ (for local development)
### Running with Docker Compose
1. **Start the services:**
```bash
docker-compose up -d
```
This starts:
- PostgreSQL database on port 5432
- API service on port 8080
- Nginx proxy on port 80
- Metrics endpoint on port 9090
2. **Check service health:**
```bash
curl http://localhost/health
```
3. **View API documentation:**
```bash
curl http://localhost/api/docs
```
### Configuration
The service is configured via environment variables. Key settings:
```env
# Database
DB_HOST=localhost
DB_PORT=5432
DB_NAME=kms
DB_USER=postgres
DB_PASSWORD=postgres
# Server
SERVER_HOST=0.0.0.0
SERVER_PORT=8080
# Authentication
AUTH_PROVIDER=header
AUTH_HEADER_USER_EMAIL=X-User-Email
# Security
RATE_LIMIT_ENABLED=true
RATE_LIMIT_RPS=100
RATE_LIMIT_BURST=200
```
## API Usage
### Authentication
All protected endpoints require the `X-User-Email` header when using the HeaderAuthenticationProvider:
```bash
curl -H "X-User-Email: admin@example.com" \
-H "Content-Type: application/json" \
http://localhost/api/applications
```
### Creating an Application
```bash
curl -X POST http://localhost/api/applications \
-H "Content-Type: application/json" \
-H "X-User-Email: admin@example.com" \
-d '{
"app_id": "com.mycompany.api",
"app_link": "https://api.mycompany.com",
"type": ["static", "user"],
"callback_url": "https://api.mycompany.com/callback",
"token_renewal_duration": "168h",
"max_token_duration": "720h",
"owner": {
"type": "team",
"name": "API Team",
"owner": "api-team@mycompany.com"
}
}'
```
### Creating a Static Token
```bash
curl -X POST http://localhost/api/applications/com.mycompany.api/tokens \
-H "Content-Type: application/json" \
-H "X-User-Email: admin@example.com" \
-d '{
"owner": {
"type": "individual",
"name": "Service Account",
"owner": "service@mycompany.com"
},
"permissions": ["repo.read", "repo.write"]
}'
```
### Token Verification
```bash
curl -X POST http://localhost/api/verify \
-H "Content-Type: application/json" \
-d '{
"app_id": "com.mycompany.api",
"type": "static",
"token": "your-static-token-here",
"permissions": ["repo.read"]
}'
```
## Permission Scopes
The service includes a hierarchical permission system:
### System Permissions
- `internal` - Full access to internal system operations
- `internal.admin` - Administrative access to internal system
### Application Management
- `app.read` - Read application information
- `app.write` - Create and update applications
- `app.delete` - Delete applications
### Token Management
- `token.read` - Read token information
- `token.create` - Create new tokens
- `token.revoke` - Revoke existing tokens
### Repository Access (Example)
- `repo.read` - Read repository data
- `repo.write` - Write to repositories
- `repo.admin` - Administrative access to repositories
## Development
### Local Development
1. **Install dependencies:**
```bash
go mod download
```
2. **Run database migrations:**
```bash
# Using Docker for PostgreSQL
docker run --name kms-postgres -e POSTGRES_DB=kms -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=postgres -p 5432:5432 -d postgres:15-alpine
```
3. **Run the service:**
```bash
go run cmd/server/main.go
```
### Testing
The service includes comprehensive logging and can be tested at different user levels:
- **Port 80**: Regular user (`test@example.com`)
- **Port 8081**: Admin user (`admin@example.com`)
- **Port 8082**: Limited user (`limited@example.com`)
### Building with distrobox
If you have distrobox available:
```bash
distrobox create --name golang-dev --image golang:1.21-alpine
distrobox enter golang-dev
cd /path/to/project
go build -o api-key-service ./cmd/server
```
## Security Features
- **Rate Limiting**: Configurable per-endpoint rate limits
- **Security Headers**: Comprehensive security headers on all responses
- **CORS**: Configurable Cross-Origin Resource Sharing
- **Token Security**: Secure token generation and validation
- **Permission Validation**: Hierarchical permission checking
- **Audit Logging**: All operations logged with user attribution
- **Input Validation**: Request validation with detailed error messages
## Monitoring
### Health Checks
- `GET /health` - Basic health check
- `GET /ready` - Readiness check with database connectivity
### Metrics
- `GET /metrics` - Prometheus-style metrics (when enabled)
### Logging
Structured JSON logging with configurable levels:
- Request/response logging
- Error tracking with stack traces
- Performance metrics
- Security events
## Database Schema
The service uses PostgreSQL with the following key tables:
- `applications` - Application definitions
- `static_tokens` - Static API tokens
- `available_permissions` - Permission catalog
- `granted_permissions` - Token-permission relationships
Migrations are automatically applied on startup.
## Production Considerations
1. **Security**:
- Change default HMAC keys
- Use HTTPS in production
- Configure proper CORS origins
- Set up proper authentication provider
2. **Performance**:
- Tune database connection pools
- Configure appropriate rate limits
- Set up load balancing
- Monitor metrics and logs
3. **High Availability**:
- Run multiple service instances
- Use database clustering
- Implement health check monitoring
- Set up proper backup procedures
## API Documentation
Comprehensive API documentation is available in [`docs/API.md`](docs/API.md), including:
- Complete endpoint reference
- Request/response examples
- Error handling
- Authentication flows
- Rate limiting details
- Security considerations
## Architecture Decisions
- **Interface-based Design**: All dependencies are injected as interfaces for easy testing and replacement
- **Clean Architecture**: Clear separation between domain, service, and infrastructure layers
- **Security First**: Built with security considerations from the ground up
- **Scalability**: Designed to handle millions of concurrent requests
- **Observability**: Comprehensive logging, metrics, and health checks
- **Configuration**: Environment-based configuration with sensible defaults
## Contributing
The codebase follows Go best practices and clean architecture principles. Key patterns:
- Repository pattern for data access
- Service layer for business logic
- Middleware for cross-cutting concerns
- Dependency injection throughout
- Comprehensive error handling
- Structured logging
## License
This project is ready for production use with appropriate security measures in place.
Reference in New Issue View Git Blame Copy Permalink