From 13c939468ed0143e4a4f9ee1c0b847483dcd8199 Mon Sep 17 00:00:00 2001
From: TheSiahxyz <164138827+TheSiahxyz@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:48:46 +0900
Subject: feat: add API security (auth, CORS, rate limiting, input validation)

- Add Bearer token authentication via API_AUTH_TOKEN (disabled when unset)
- Add CORS middleware with configurable origins
- Add rate limiting (60/min) on order and signal endpoints via slowapi
- Add Query parameter bounds: orders/signals limit 1-1000, snapshots days 1-365
---
 services/api/src/trading_api/routers/orders.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'services/api/src/trading_api/routers/orders.py')

diff --git a/services/api/src/trading_api/routers/orders.py b/services/api/src/trading_api/routers/orders.py
index a29ae2f..217efef 100644
--- a/services/api/src/trading_api/routers/orders.py
+++ b/services/api/src/trading_api/routers/orders.py
@@ -2,18 +2,22 @@
 
 import logging
 
-from fastapi import APIRouter, HTTPException, Request
+from fastapi import APIRouter, HTTPException, Query, Request
 from shared.sa_models import OrderRow, SignalRow
+from slowapi import Limiter
+from slowapi.util import get_remote_address
 from sqlalchemy import select
 from sqlalchemy.exc import OperationalError
 
 logger = logging.getLogger(__name__)
 
 router = APIRouter()
+limiter = Limiter(key_func=get_remote_address)
 
 
 @router.get("/")
-async def get_orders(request: Request, limit: int = 50):
+@limiter.limit("60/minute")
+async def get_orders(request: Request, limit: int = Query(50, ge=1, le=1000)):
     """Get recent orders."""
     try:
         db = request.app.state.db
@@ -45,7 +49,8 @@ async def get_orders(request: Request, limit: int = 50):
 
 
 @router.get("/signals")
-async def get_signals(request: Request, limit: int = 50):
+@limiter.limit("60/minute")
+async def get_signals(request: Request, limit: int = Query(50, ge=1, le=1000)):
     """Get recent signals."""
     try:
         db = request.app.state.db
-- 
cgit v1.2.3