From 9a3bc8e46438544ffc342dcf2e8271acfb1c4c84 Mon Sep 17 00:00:00 2001
From: Wayne <5291640+ringoinca@users.noreply.github.com>
Date: Wed, 3 Sep 2025 16:28:40 +0300
Subject: [PATCH] Remove SUPER_API_KEY support

---
 .env.example | 2 --
 docs/api/authentication.md | 15 ---------------
 docs/user-guides/installation.md | 12 ++++++------
 .../backend/src/api/middleware/requireAuth.ts | 5 -----
 4 files changed, 6 insertions(+), 28 deletions(-)

diff --git a/.env.example b/.env.example
index a7a243d..e45eb88 100644
--- a/.env.example
+++ b/.env.example
@@ -59,8 +59,6 @@ STORAGE_S3_FORCE_PATH_STYLE=false
 JWT_SECRET=a-very-secret-key-that-you-should-change
 JWT_EXPIRES_IN="7d"
 
-# Set the credentials for the initial admin user.
-SUPER_API_KEY=
 
 # Master Encryption Key for sensitive data (Such as Ingestion source credentials and passwords)
 # IMPORTANT: Generate a secure, random 32-byte hex string for this
diff --git a/docs/api/authentication.md b/docs/api/authentication.md
index 6e6295a..84c241e 100644
--- a/docs/api/authentication.md
+++ b/docs/api/authentication.md
@@ -43,18 +43,3 @@ Authorization: Bearer your.jwt.token
 ```
 
 If the token is missing, expired, or invalid, the API will respond with a `401 Unauthorized` status code.
-
-## Using a Super API Key
-
-Alternatively, for server-to-server communication or scripts, you can use a super API key. This key provides unrestricted access to the API and should be kept secret.
-
-You can set the `SUPER_API_KEY` in your `.env` file.
-
-To authenticate using the super API key, include it in the `Authorization` header as a Bearer token.
-
-**Example:**
-
-```http
-GET /api/v1/dashboard/stats
-Authorization: Bearer your-super-secret-api-key
-```
diff --git a/docs/user-guides/installation.md b/docs/user-guides/installation.md
index 5ab5bbf..92cc0f6 100644
--- a/docs/user-guides/installation.md
+++ b/docs/user-guides/installation.md
@@ -105,12 +105,12 @@ These variables are used by `docker-compose.yml` to configure the services.
 
 #### Security & Authentication
 
-| Variable | Description | Default Value |
-| ---------------- | ------------------------------------------------------------------- | ------------------------------------------ |
-| `JWT_SECRET` | A secret key for signing JWT tokens. | `a-very-secret-key-that-you-should-change` |
-| `JWT_EXPIRES_IN` | The expiration time for JWT tokens. | `7d` |
-| `SUPER_API_KEY` | An API key with super admin privileges. | |
-| `ENCRYPTION_KEY` | A 32-byte hex string for encrypting sensitive data in the database. | |
+| Variable | Description | Default Value |
+| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| `JWT_SECRET` | A secret key for signing JWT tokens. | `a-very-secret-key-that-you-should-change` |
+| `JWT_EXPIRES_IN` | The expiration time for JWT tokens. | `7d` |
+| ~~`SUPER_API_KEY`~~ (Deprecated) | An API key with super admin privileges. (The SUPER_API_KEY is deprecated since v0.3.0 after we roll out the role-based access control system.) | |
+| `ENCRYPTION_KEY` | A 32-byte hex string for encrypting sensitive data in the database. | |
 
 ## 3. Run the Application
 
diff --git a/packages/backend/src/api/middleware/requireAuth.ts b/packages/backend/src/api/middleware/requireAuth.ts
index 05e5e38..41bb3f7 100644
--- a/packages/backend/src/api/middleware/requireAuth.ts
+++ b/packages/backend/src/api/middleware/requireAuth.ts
@@ -20,11 +20,6 @@ export const requireAuth = (authService: AuthService) => {
     }
     const token = authHeader.split(' ')[1];
     try {
-      // use a SUPER_API_KEY for all authentications. add process.env.SUPER_API_KEY conditional check in case user didn't set a SUPER_API_KEY.
-      if (process.env.SUPER_API_KEY && token === process.env.SUPER_API_KEY) {
-        next();
-        return;
-      }
       const payload = await authService.verifyToken(token);
       if (!payload) {
         return res.status(401).json({ message: 'Unauthorized: Invalid token' });