feat(security): Phase 7c — app-side API-Key authentication with 3-scope keys + rate-limit + admin UI

[strausmann]

Summary

Phase 7c closes the security gap from Phase 7b's first production deploy: the API previously had no own authentication — all access control hung at the Pangolin edge with a single shared secret. This PR introduces full app-side API key management:

• Multi-key management via a new HTMX UI at /admin/api-keys
• 3-level scope model: read, print, admin per key with hierarchy (admin ⊇ print ⊇ read)
• bcrypt-hashed key storage with prefix preserved for UI display (lh_pat_ab12cd34...)
• 60 prints/min default rate-limit per key, configurable per-key (in-memory token-bucket, single-instance design)
• Audit trail in the Jobs table — api_key_id, source_ip on every print
• Pangolin-Basic-Auth-Bypass downgrade — feature-flagged (PRINTER_HUB_PANGOLIN_BYPASS_SCOPE_DOWNGRADE=false default), allows gradual migration
• Bootstrap-admin seed key printed to Alembic migration stdout on first migration to avoid lockout (never to app logger)

Contributor License Agreement (CLA)

By opening this pull request you affirm that you have read and agree to the project's Contributor License Agreement for the contribution(s) included here.

• I have read and agree to the Contributor License Agreement.

Linked issue

Refs #22
Closes #78

Type of change

• New feature (non-breaking)

Hardware tested on

• No hardware impact

---

Round 2 Changes (code-review bot fixes)

Objective fixes (5282c5f, 924a9ca, 7e0b1e4, 1d91cf6)

Fix	Description	Commit
Fix A	bcrypt.checkpw wrapped in asyncio.to_thread — event loop no longer blocked during key verification	5282c5f
Fix B	_scope_satisfies fail-closed: unknown scope raises ValueError instead of silently granting access via fallback	924a9ca
Fix C	effective_scope default "read" removed — key with empty scopes list returns 401 (key_no_scopes)	924a9ca
Fix D	__import__("sqlalchemy"...) replaced with top-level from sqlalchemy import select	7e0b1e4
Fix E	ApiKeyCreate.expires_at changed from str to datetime | None (Pydantic validates, returns 422 on bad input); rate_limit_per_minute uses Field(ge=1, le=10000)	7e0b1e4
GitGuardian	Bootstrap key printed to Alembic migration stdout via print() only — removed _log.warning() so plaintext never enters application logger	7e0b1e4
Lint/type (Fail 1)	All ruff (F401, I001, W605, E501, B904, RUF100) and mypy errors fixed across Phase 7c test files and app code. require_scope has return type annotation.	1d91cf6
Error format	404 responses in admin_api_keys.py now use structured {error_code, error_message} consistent with auth errors	7e0b1e4

TDD approach: failing test written first (RED) for each security fix, then implementation (GREEN).

Deferred suggestions (subjective / polish / out-of-scope)

Bot comment	File:Line	Reason deferred
HTTP client timeout in Go frontend	frontend/internal/handlers/admin_api_keys.go:151	Frontend Go cleanup; out of scope for this security backend PR
json.Marshal error ignored in Go	frontend/internal/handlers/admin_api_keys.go:170	Go frontend cleanup; deferred
APIKeyMeta missing JSON tags in Go	frontend/internal/handlers/admin_api_keys.go:48	Go frontend; deferred
last_used_at update on critical path	backend/app/auth/dependencies.py:209	Already best-effort try/except; async offload needs background task infrastructure — deferred to Phase 7d
RateLimiter bucket capacity not updated on rate-limit change	backend/app/services/rate_limiter.py:45	In-memory limiter is single-instance; future improvement
bypass_auth test helper override may not match	backend/tests/helpers/auth.py:55	Integration tests pass using api_client_with_seed fixture directly; no regression
Typo "supersumes" in docs	docs/site/operations/api-keys.md:16	Docs-only; trivial, deferred
Readiness endpoint _auth optional type	backend/app/main.py:578	Pre-existing pattern; no behavioral change
AuthContext.allowed_printer_ids mutable list default	backend/app/auth/dependencies.py:69	Pydantic model copy semantics handles this correctly; not a functional bug

---

Round 3 — Key Format + Detectors

• API-Key format: lh_<entropy> → lh_pat_<entropy> (PAT-style infix for unambiguous secret-scanner detection)
• Prefix-length: 12 → 16 chars (covers full lh_pat_ marker + 9 body discriminator chars)
• New Alembic migration 20260518_phase7c_pat_prefix extends key_prefix to VARCHAR(16)
• Bootstrap-admin seed in 20260517_phase7c_api_keys regenerated with lh_pat_ format
• .gitleaks.toml + .gitguardian.yaml custom detector labelhub-pat added (regex: lh_pat_[A-Za-z0-9_-]{43})
• All tests updated to lh_pat_ plaintext strings and [:16] prefix slices (777 passed, 5 skipped)
• Spec 2026-05-17-phase-7c-api-auth-design.md updated as erratum

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
32941077	Triggered	Generic High Entropy Secret	7605377	backend/tests/unit/auth/test_verifier.py	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements Phase 7c of the security roadmap, moving from a single shared secret at the edge to robust, app-side API key authentication. It provides granular access control, per-key rate limiting, and audit logging, while ensuring backward compatibility through a configurable migration path for existing automation.

Highlights

• API Key Authentication: Introduced app-side API key management with a 3-level scope model (read, print, admin) and bcrypt-hashed storage.
• Admin UI: Added an HTMX-based management interface at /admin/api-keys for creating, viewing, and revoking API keys.
• Rate Limiting & Audit: Implemented an in-memory token-bucket rate limiter (default 60 prints/min) and added audit fields (api_key_id, source_ip) to the Jobs table.
• Security Migration: Added a feature-flagged downgrade for the existing Pangolin-Basic-Auth-Bypass, allowing a transition to dedicated API keys.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request implements Phase 7c, introducing app-side API key authentication with a three-tiered scope model, bcrypt-hashed storage, and an LRU cache for verification performance. It also adds a token-bucket rate limiter, job audit trails, and a new HTMX-based admin UI for key management. The review identifies critical security vulnerabilities in the scope resolution logic and performance bottlenecks caused by executing CPU-intensive operations synchronously on the event loop. Additional feedback recommends improving model validation, standardizing error response formats, and configuring proper timeouts for frontend HTTP clients.

[gemini-code-assist]

The fallback value in _SCOPE_HIERARCHY.get(key_scope, [required_scope]) creates a security vulnerability. If key_scope is not found in the hierarchy (e.g., if it's an empty string or an invalid value), it returns a list containing the required_scope, making the condition required_scope in [...] always true. This effectively grants access if the key has an unknown scope. It should return an empty list instead.

Suggested change

	return required_scope in _SCOPE_HIERARCHY.get(key_scope, [required_scope])
	return required_scope in _SCOPE_HIERARCHY.get(key_scope, [])

[strausmann]

Fixed in 924a9ca (Fix B): _scope_satisfies now raises ValueError for unknown scopes instead of returning a fallback. The caller catches this and returns 401 (key_invalid_scope). Test coverage in tests/unit/auth/test_scope_fail_closed.py::test_scope_satisfies_raises_for_unknown_scope.

[gemini-code-assist]

The bcrypt.checkpw function is a CPU-intensive operation that typically takes 100-200ms per call. Executing it synchronously within an async def context (as called by the authentication dependency) will block the event loop, preventing the server from handling other concurrent requests. This should be wrapped in asyncio.to_thread to offload the work to a separate thread. Note that verify_api_key will need to be changed to async def and all call sites updated to await it.

async def verify_api_key(plaintext: str, hashed: str) -> bool:
    """Return True if plaintext matches the bcrypt hashed value.

    Results are cached for ttl seconds (default 300s / 5 minutes) to avoid
    repeated expensive bcrypt verifications.

    Args:
        plaintext: The full API key as provided in the X-Label-Hub-Key header.
        hashed:    The bcrypt hash stored in the DB.

    Returns:
        True if the key is valid, False otherwise.
    """
    cache_key = (plaintext, hashed)
    if cache_key in _cache:
        return _cache[cache_key]

    import asyncio
    result = await asyncio.to_thread(bcrypt.checkpw, plaintext.encode(), hashed.encode())
    _cache[cache_key] = result
    return result

References

1. Wrap CPU-bound or synchronous blocking operations (e.g., image processing with PIL) in asyncio.to_thread when calling them from asynchronous FastAPI route handlers to prevent blocking the event loop.

[strausmann]

Fixed in 5282c5f (Fix A): added verify_api_key_async that wraps bcrypt.checkpw in asyncio.to_thread. Cache check still runs on the loop thread (fast path); bcrypt only runs in thread pool on cache miss. _validate_api_key now awaits the async version. Test: tests/unit/auth/test_verifier.py::test_verify_api_key_does_not_block_event_loop.

[gemini-code-assist]

Defaulting effective_scope to "read" means that an API key with an empty scopes list will still be granted read access. Scopes should be explicitly assigned; a key with no scopes should have no access.

Suggested change

	effective_scope: str = "read"
	effective_scope: str | None = None
	for s in ["admin", "print", "read"]:
	if s in key_scopes:
	effective_scope = s
	break
	if effective_scope is None or not _scope_satisfies(effective_scope, required_scope):

[strausmann]

Fixed in 924a9ca (Fix C): effective_scope no longer defaults to "read". A key with an empty scopes list now raises 401 with error_code: "key_no_scopes". Test: tests/unit/auth/test_scope_fail_closed.py::test_key_with_empty_scopes_returns_401.

[gemini-code-assist]

Using __import__ to dynamically load sqlalchemy.select is unconventional and reduces code readability and maintainability. Use a standard import statement at the top of the file or a local import if circularity is a concern.

Suggested change

	result = await session.execute(__import__("sqlalchemy", fromlist=["select"]).select(ApiKey))
	from sqlalchemy import select
	result = await session.execute(select(ApiKey))

[strausmann]

Fixed in 7e0b1e4 (Fix D): replaced with top-level from sqlalchemy import select at module scope.

[gemini-code-assist]

The ApiKeyCreate model should use the datetime type for expires_at and include validation for rate_limit_per_minute. Using str for dates requires manual parsing and bypasses Pydantic's automatic validation and error reporting (422 Unprocessable Entity). Additionally, a non-positive rate limit could cause a division-by-zero error in the rate limiter.

Suggested change

	class ApiKeyCreate(BaseModel):
	name: str
	scopes: list[str]
	allowed_printer_ids: list[str] = []
	rate_limit_per_minute: int = 60
	notes: str | None = None
	expires_at: str | None = None # ISO-8601 string or null
	class ApiKeyCreate(BaseModel):
	name: str
	scopes: list[str]
	allowed_printer_ids: list[str] = []
	rate_limit_per_minute: int = Field(default=60, gt=0)
	notes: str | None = None
	expires_at: datetime | None = None

[strausmann]

Fixed in 7e0b1e4 (Fix E): expires_at is now datetime | None — Pydantic parses and validates at request time, returning 422 on invalid input. rate_limit_per_minute now uses Field(ge=1, le=10000).

[gemini-code-assist]

Using http.DefaultClient is discouraged in production code as it lacks a default timeout. This can cause the handler to hang indefinitely if the backend is unresponsive, potentially leading to resource exhaustion in the frontend server. Use a custom http.Client with a reasonable timeout.

[gemini-code-assist]

The error response format here (a plain string detail) is inconsistent with the structured dictionary format used in backend/app/auth/dependencies.py (e.g., {"error_code": "...", "error_message": "..."}). For a consistent API experience, especially for automated consumers, all error responses should follow the same schema (ideally RFC 7807 Problem Details as referenced in the project's OpenAPI completeness tests).

[gemini-code-assist]

Updating the last_used_at timestamp is awaited on every authenticated request. This adds unnecessary database latency to the critical path of every API call. Since this is an audit field and not critical for the request's success, consider making this update non-blocking or using a background task.

[Copilot]

Pull request overview

Adds app-side API-key authentication to the Label Printer Hub backend (scoped keys, rate limiting, audit trail), plus an admin UI in the Go frontend to manage keys and updated docs/tests to support the new security model.

Changes:

• Implemented backend API-key auth (read/print/admin), per-key rate limiting, and job audit fields (api_key_id, source_ip).
• Added /api/admin/api-keys CRUD endpoints and a new HTMX admin UI at /admin/api-keys.
• Added extensive unit/integration tests, an Alembic migration, and operator documentation for key management.

Reviewed changes

Copilot reviewed 52 out of 55 changed files in this pull request and generated 21 comments.

Show a summary per file

File	Description
frontend/web/templates/layout.html	Adds “API Keys” nav link to the layout.
frontend/web/templates/admin_api_keys.html	List page template for API keys.
frontend/web/templates/admin_api_keys_detail.html	Detail page template for a single API key.
frontend/web/templates/admin_api_keys_create.html	Create page template + one-time plaintext display.
frontend/internal/handlers/base.go	Registers new admin templates and stub template content.
frontend/internal/handlers/admin_api_keys.go	Adds Go handlers + raw backend calls for API key UI.
frontend/internal/api/client.go	Exposes HubClient BaseURL for handler use.
frontend/cmd/server/main.go	Wires new /admin/api-keys routes into the frontend router.
docs/superpowers/specs/2026-05-17-phase-7c-api-auth-design.md	Design spec for Phase 7c auth/key system.
docs/superpowers/plans/2026-05-17-phase-7c-api-auth.md	Implementation plan/checklist for Phase 7c.
docs/site/operations/api-keys.md	Operator guide for creating/using/revoking API keys.
backend/tests/unit/services/test_rate_limiter.py	Unit tests for the token-bucket limiter.
backend/tests/unit/models/test_api_key_model.py	Model/column tests for ApiKey + Job audit fields.
backend/tests/unit/auth/test_verifier.py	Unit tests for bcrypt verification caching.
backend/tests/unit/auth/test_key_generator.py	Unit tests for API key generation format/entropy.
backend/tests/unit/auth/test_dependencies.py	Unit tests for auth dependency behavior across paths/scopes.
backend/tests/unit/auth/init.py	Test package marker for auth unit tests.
backend/tests/unit/api/test_templates_routes.py	Updates template-route tests for new auth deps.
backend/tests/unit/api/test_printers_routes.py	Updates printer-route tests for new auth deps.
backend/tests/unit/api/test_print_routes.py	Updates print-route tests for new auth deps.
backend/tests/unit/api/test_jobs_routes.py	Updates jobs-route tests for new auth deps.
backend/tests/unit/api/test_admin_api_keys_routes.py	Unit tests for admin API-keys CRUD endpoints.
backend/tests/integration/test_status_endpoint_cached.py	Updates integration tests to include auth headers.
backend/tests/integration/test_print_e2e.py	Updates E2E print tests to bypass auth via dependency overrides.
backend/tests/integration/db/test_alembic_phase7c_migration.py	Integration tests for Phase 7c migration + seed key.
backend/tests/integration/api/test_readiness_endpoint.py	Updates readiness integration tests to include auth headers.
backend/tests/integration/api/test_rate_limit.py	Integration tests for rate limiting behavior.
backend/tests/integration/api/test_printer_acl.py	Integration tests for per-key printer ACL enforcement.
backend/tests/integration/api/test_auth_wiring.py	Integration tests confirming auth is wired across routes.
backend/tests/integration/api/test_audit_trail.py	Integration tests for auth enforcement on print endpoints.
backend/tests/integration/api/test_api_datetime_format.py	Updates datetime-format tests to include auth headers.
backend/tests/helpers/auth.py	Adds (intended) shared helper to bypass auth in tests.
backend/tests/helpers/init.py	Test helpers package marker.
backend/tests/db/test_api_keys_repo.py	DB/repo tests for ApiKey repository methods.
backend/tests/api/test_openapi_completeness.py	Adjusts expected OpenAPI operation-count range.
backend/pyproject.toml	Adds bcrypt + cachetools dependencies.
backend/app/services/rate_limiter.py	Implements in-memory token-bucket rate limiter singleton.
backend/app/repositories/jobs.py	Extends job creation to persist api_key_id/source_ip audit fields.
backend/app/repositories/api_keys.py	Adds ApiKey repository CRUD/query helpers.
backend/app/models/job.py	Adds audit fields and index to the Job model.
backend/app/models/api_key.py	Adds ApiKey SQLModel table definition.
backend/app/models/init.py	Registers ApiKey in model import side effects for Alembic.
backend/app/main.py	Registers admin router + protects readiness with read auth.
backend/app/config.py	Adds feature flag for Pangolin bypass scope downgrade.
backend/app/auth/verifier.py	Adds bcrypt verify + TTL cache + invalidation.
backend/app/auth/scope_deps.py	Adds overridable singleton scope dependencies (read/print/admin).
backend/app/auth/key_generator.py	Adds API key generator (plaintext/prefix/bcrypt hash).
backend/app/auth/dependencies.py	Implements require_scope() dependency + printer ACL enforcement.
backend/app/auth/init.py	Auth package marker.
backend/app/api/routes/templates.py	Requires read scope for template listing.
backend/app/api/routes/printers.py	Requires read/print scopes and enforces printer ACL where relevant.
backend/app/api/routes/print.py	Requires print/read scopes for print/job-status endpoints.
backend/app/api/routes/jobs.py	Requires read/print scopes on job endpoints.
backend/app/api/routes/admin_api_keys.py	Adds admin-only CRUD endpoints for API keys.
backend/alembic/versions/20260517_phase7c_api_keys.py	Migration: api_keys table, job audit columns, bootstrap seed key.

[strausmann]

Fixed in 1d91cf6: the f-string literal {retry_after} was not interpolated. Fixed to use the correct f-string interpolation so the actual value is included in the response body.

[strausmann]

Corrected: Fixed in c4f050f — the rate-limit error message had string concatenation where the second fragment was a plain string (not an f-string), so {retry_after} appeared literally in the response body. Added f prefix to the second fragment so the actual integer seconds value is interpolated.

[codecov]

❌ 1 Tests Failed:

Tests completed	Failed	Passed	Skipped
795	1	794	5

View the top 1 failed test(s) by shortest run time

tests/integration/db/test_alembic_phase7b_migration.py::test_migration_adds_tz_to_naive_template_row

Stack Traces | 0.626s run time

tmp_path = PosixPath('.../pytest-of-runner/pytest-0/test_migration_adds_tz_to_naiv0')

    def test_migration_adds_tz_to_naive_template_row(tmp_path):
        db = tmp_path / "phase7b_data.db"
        sync_url = f"sqlite:///{db}"
        cfg = _alembic_config(db)
    
        # Walk schema forward to head (gives us tables with the new column types).
        command.upgrade(cfg, "head")
    
        # Roll back to the migration BEFORE this one so we can simulate a legacy
        # DB with naive datetime rows, then upgrade forward and check the result.
        command.downgrade(cfg, "-1")
    
        sync_engine = create_engine(sync_url)
        with sync_engine.begin() as conn:
            conn.execute(
                text(
                    "INSERT INTO templates (id, key, name, app, printer_model, "
                    "tape_width_mm, schema_version, definition, source, "
                    "created_at, updated_at) "
                    "VALUES ('11111111-1111-1111-1111-111111111111', 'k', 'n', NULL, "
                    "'pt-series', 12, 1, '{}', 'seed', "
                    "'2026-05-17T12:00:00', '2026-05-17T12:00:00')"
                )
            )
    
        command.upgrade(cfg, "head")
    
        with sync_engine.begin() as conn:
            row = conn.execute(
                text(
                    "SELECT created_at, updated_at FROM templates "
                    "WHERE id = '11111111-1111-1111-1111-111111111111'"
                )
            ).first()
            assert row is not None
            for value in row:
>               assert value.endswith("+00:00") or value.endswith("Z"), (
                    f"datetime not normalised: {value!r}"
                )
E               AssertionError: datetime not normalised: '2026-05-17T12:00:00'
E               assert (False or False)
E                +  where False = <built-in method endswith of str object at 0x7f39f4fc59f0>('+00:00')
E                +    where <built-in method endswith of str object at 0x7f39f4fc59f0> = '2026-05-17T12:00:00'.endswith
E                +  and   False = <built-in method endswith of str object at 0x7f39f4fc59f0>('Z')
E                +    where <built-in method endswith of str object at 0x7f39f4fc59f0> = '2026-05-17T12:00:00'.endswith

.../integration/db/test_alembic_phase7b_migration.py:68: AssertionError

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}