Skip to content

03-08-2025
Compare
Choose a tag to compare
@fulleni fulleni released this 03 Aug 10:10
· 49 commits to main since this release
03-08-2025
c3c1108

🚀 Enhanced Security, Admin Control & Data Refactoring

This release brings foundational improvements to the API, focusing on security, system stability, and a significant refactoring of how data is seeded and managed. These changes make the API more robust, secure, and easier to manage from an administrative perspective.

🛡️ Security & Stability Enhancements

We've introduced two major features to protect the API from abuse and ensure stable operation.

  • API Rate Limiting: A new, configurable rate-limiting system has been implemented to prevent abuse of key endpoints.

    • It is applied to the authentication endpoint (/auth/request-code) based on IP address and to the data API (/api/v1/data) based on the authenticated user's ID.
    • Limits and time windows are easily configurable via new environment variables.
    • A rate_limiting.bypass permission is granted to Admin and Publisher roles, ensuring administrative tasks are not affected.
    • The system now correctly returns an HTTP 429 (Too Many Requests) status code when a limit is exceeded.

  • Declarative Admin Account Management: We've introduced a more robust way to manage the system's administrator account.

    • A new OVERRIDE_ADMIN_EMAIL environment variable allows you to securely define the sole administrator.
    • On startup, the database seeding process will automatically create or update the admin user based on this variable, simplifying initial setup and account recovery.

💾 Database Seeding & Data Model Refactor

The database seeding process has been significantly refactored. The goal was to separate foundational system data from dynamic content fixtures, making the initial setup cleaner and more predictable.

Our Rationale: The core database seed should only be responsible for setting up the essential, static data required for the application to function—not for populating it with sample content like headlines or topics.

  • Leaner Seeding Process: The default seeding operation no longer populates the database with content fixtures. Its primary responsibilities are now reduced to creating database indexes and seeding the override admin user.
  • New Language Entity: A new Language data model has been introduced as a first-class entity within the API, complete with its own repository and role-based access permissions.
  • Read-Only Static Data: The Country and newly added Language models are now configured as read-only through the API. This enforces the new philosophy that this type of foundational data is managed via the database seeding process, not through user-driven API calls.
Assets 2
Loading