FOIA-Stream
diff --git a/‎apps/api/.env.example‎
Lines changed: 1 addition & 0 deletions b/‎apps/api/.env.example‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/api/data/foia-stream.db‎
8 KB b/‎apps/api/data/foia-stream.db‎
8 KB
diff --git a/‎apps/api/data/foia-stream.db-shm‎
0 Bytes b/‎apps/api/data/foia-stream.db-shm‎
0 Bytes
diff --git a/‎apps/api/data/foia-stream.db-wal‎
-732 KB b/‎apps/api/data/foia-stream.db-wal‎
-732 KB
diff --git a/‎apps/api/package.json‎
Lines changed: 3 additions & 1 deletion b/‎apps/api/package.json‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎apps/api/src/app.ts‎
Lines changed: 5 additions & 4 deletions b/‎apps/api/src/app.ts‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎apps/api/src/config/env.ts‎
Lines changed: 9 additions & 0 deletions b/‎apps/api/src/config/env.ts‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎apps/api/src/db/schema.ts‎
Lines changed: 27 additions & 0 deletions b/‎apps/api/src/db/schema.ts‎
Lines changed: 27 additions & 0 deletions
@@ -12,6 +12,7 @@ DATABASE_URL=./data/foia-stream.db
 # IMPORTANT: Change this in production!
 JWT_SECRET=your-super-secret-jwt-key-at-least-32-characters-long
 JWT_EXPIRES_IN=7d
+DATA_ENCRYPTION_KEY=other-super-secret-key-at-least-32-char-long
 
 # File Uploads
 UPLOAD_DIR=./uploads
 
@@ -35,12 +35,14 @@
     "nanoid": "^5.1.6",
     "pino": "^10.1.0",
     "pino-pretty": "^13.1.3",
-    "stoker": "^2.0.1"
+    "stoker": "^2.0.1",
+    "ua-parser-js": "^2.0.7"
   },
   "devDependencies": {
     "@foia-stream/typescript-config": "workspace:*",
     "@types/better-sqlite3": "^7.6.13",
     "@types/bun": "latest",
+    "@types/ua-parser-js": "^0.7.39",
     "@vitest/coverage-v8": "^4.0.16",
     "drizzle-kit": "^0.31.8",
     "vitest": "^4.0.16"
 
@@ -128,12 +128,13 @@ app.route('/api/v1', api);
 /**
  * Mount OpenAPI routes with documentation
  * These routes use @hono/zod-openapi for type-safe validation
+ * All routes are prefixed with /api/v1 for consistency
  */
 app.route('/', indexRoute);
-app.route('/', authOpenAPIRoute);
-app.route('/', agenciesOpenAPIRoute);
-app.route('/', requestsOpenAPIRoute);
-app.route('/', templatesOpenAPIRoute);
+app.route('/api/v1', authOpenAPIRoute);
+app.route('/api/v1', agenciesOpenAPIRoute);
+app.route('/api/v1', requestsOpenAPIRoute);
+app.route('/api/v1', templatesOpenAPIRoute);
 
 // ============================================
 // Export App
 
@@ -64,6 +64,15 @@ const EnvSchema = S.Struct({
 
   /** Allowed CORS origins - comma-separated or '*' for all */
   CORS_ORIGIN: S.String.pipe(S.optionalWith({ default: () => '*' })),
+
+  /**
+   * Data encryption key for PII at rest - must be at least 32 characters
+   * @compliance NIST 800-53 SC-28 (Protection of Information at Rest)
+   */
+  DATA_ENCRYPTION_KEY: S.String.pipe(
+    S.minLength(32),
+    S.optionalWith({ default: () => 'change-this-encryption-key-in-prod-min-32' }),
+  ),
 });
 
 /**
 
@@ -85,6 +85,33 @@ export const sessions = sqliteTable('sessions', {
     .references(() => users.id, { onDelete: 'cascade' }),
   token: text('token').notNull().unique(),
   expiresAt: text('expires_at').notNull(),
+  /** Session metadata for device tracking */
+  ipAddress: text('ip_address'),
+  userAgent: text('user_agent'),
+  deviceName: text('device_name'),
+  lastActiveAt: text('last_active_at'),
+  createdAt: text('created_at').notNull().default(sql`CURRENT_TIMESTAMP`),
+});
+
+/**
+ * API Keys table - stores user API keys for programmatic access
+ *
+ * @table api_keys
+ * @description Allows users to generate API keys for external integrations.
+ * @compliance NIST 800-53 IA-5 (Authenticator Management)
+ */
+export const apiKeys = sqliteTable('api_keys', {
+  id: text('id').primaryKey(),
+  userId: text('user_id')
+    .notNull()
+    .references(() => users.id, { onDelete: 'cascade' }),
+  /** Hashed API key (we only store the hash) */
+  keyHash: text('key_hash').notNull(),
+  /** Last 4 characters of the key for display */
+  keyPreview: text('key_preview').notNull(),
+  name: text('name').notNull().default('Default'),
+  lastUsedAt: text('last_used_at'),
+  expiresAt: text('expires_at'),
   createdAt: text('created_at').notNull().default(sql`CURRENT_TIMESTAMP`),
 });