From 13c939468ed0143e4a4f9ee1c0b847483dcd8199 Mon Sep 17 00:00:00 2001
From: TheSiahxyz <164138827+TheSiahxyz@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:48:46 +0900
Subject: feat: add API security (auth, CORS, rate limiting, input validation)

- Add Bearer token authentication via API_AUTH_TOKEN (disabled when unset)
- Add CORS middleware with configurable origins
- Add rate limiting (60/min) on order and signal endpoints via slowapi
- Add Query parameter bounds: orders/signals limit 1-1000, snapshots days 1-365
---
 services/api/src/trading_api/dependencies/auth.py | 29 +++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 services/api/src/trading_api/dependencies/auth.py

(limited to 'services/api/src/trading_api/dependencies/auth.py')

diff --git a/services/api/src/trading_api/dependencies/auth.py b/services/api/src/trading_api/dependencies/auth.py
new file mode 100644
index 0000000..a5e76c1
--- /dev/null
+++ b/services/api/src/trading_api/dependencies/auth.py
@@ -0,0 +1,29 @@
+"""Bearer token authentication dependency."""
+
+import logging
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from shared.config import Settings
+
+logger = logging.getLogger(__name__)
+
+_security = HTTPBearer(auto_error=False)
+_settings = Settings()
+
+
+async def verify_token(
+    credentials: HTTPAuthorizationCredentials | None = Depends(_security),
+) -> None:
+    """Verify Bearer token. Skip auth if API_AUTH_TOKEN is not configured."""
+    token = _settings.api_auth_token.get_secret_value()
+    if not token:
+        return  # Auth disabled in dev mode
+
+    if credentials is None or credentials.credentials != token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or missing authentication token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
-- 
cgit v1.2.3