feat: add API security (auth, CORS, rate limiting, input validation)

- Add Bearer token authentication via API_AUTH_TOKEN (disabled when unset) - Add CORS middleware with configurable origins - Add rate limiting (60/min) on order and signal endpoints via slowapi - Add Query parameter bounds: orders/signals limit 1-1000, snapshots days 1-365
author: TheSiahxyz <164138827+TheSiahxyz@users.noreply.github.com> 2026-04-02 15:48:46 +0900
committer: TheSiahxyz <164138827+TheSiahxyz@users.noreply.github.com> 2026-04-02 15:48:46 +0900
commit: 13c939468ed0143e4a4f9ee1c0b847483dcd8199 (patch)
tree: e5318ae8973c7a54fe1de81117f56f91329b884a /services/api/src/trading_api/routers/portfolio.py
parent: 776376dda8005635c4c3365905ca7df857789fec (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/services/api/src/trading_api/routers/portfolio.py b/services/api/src/trading_api/routers/portfolio.py
index 3907a86..fde90cb 100644
--- a/services/api/src/trading_api/routers/portfolio.py
+++ b/services/api/src/trading_api/routers/portfolio.py
@@ -2,7 +2,7 @@
 
 import logging
 
-from fastapi import APIRouter, HTTPException, Request
+from fastapi import APIRouter, HTTPException, Query, Request
 from shared.sa_models import PositionRow
 from sqlalchemy import select
 from sqlalchemy.exc import OperationalError
@@ -39,7 +39,7 @@ async def get_positions(request: Request):
 
 
 @router.get("/snapshots")
-async def get_snapshots(request: Request, days: int = 30):
+async def get_snapshots(request: Request, days: int = Query(30, ge=1, le=365)):
     """Get portfolio snapshots for the last N days."""
     try:
         db = request.app.state.db
author	TheSiahxyz <164138827+TheSiahxyz@users.noreply.github.com>	2026-04-02 15:48:46 +0900
committer	TheSiahxyz <164138827+TheSiahxyz@users.noreply.github.com>	2026-04-02 15:48:46 +0900
commit	13c939468ed0143e4a4f9ee1c0b847483dcd8199 (patch)
tree	e5318ae8973c7a54fe1de81117f56f91329b884a /services/api/src/trading_api/routers/portfolio.py
parent	776376dda8005635c4c3365905ca7df857789fec (diff)