From 13c939468ed0143e4a4f9ee1c0b847483dcd8199 Mon Sep 17 00:00:00 2001
From: TheSiahxyz <164138827+TheSiahxyz@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:48:46 +0900
Subject: feat: add API security (auth, CORS, rate limiting, input validation)

- Add Bearer token authentication via API_AUTH_TOKEN (disabled when unset)
- Add CORS middleware with configurable origins
- Add rate limiting (60/min) on order and signal endpoints via slowapi
- Add Query parameter bounds: orders/signals limit 1-1000, snapshots days 1-365
---
 services/api/src/trading_api/routers/portfolio.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'services/api/src/trading_api/routers/portfolio.py')

diff --git a/services/api/src/trading_api/routers/portfolio.py b/services/api/src/trading_api/routers/portfolio.py
index 3907a86..fde90cb 100644
--- a/services/api/src/trading_api/routers/portfolio.py
+++ b/services/api/src/trading_api/routers/portfolio.py
@@ -2,7 +2,7 @@
 import logging
-from fastapi import APIRouter, HTTPException, Request
+from fastapi import APIRouter, HTTPException, Query, Request
 from shared.sa_models import PositionRow
 from sqlalchemy import select
 from sqlalchemy.exc import OperationalError
@@ -39,7 +39,7 @@ async def get_positions(request: Request):
 @router.get("/snapshots")
-async def get_snapshots(request: Request, days: int = 30):
+async def get_snapshots(request: Request, days: int = Query(30, ge=1, le=365)):
     """Get portfolio snapshots for the last N days."""
     try:
         db = request.app.state.db
-- 
cgit v1.2.3
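Review bot: The new `Query(30, ge=1, le=365)` bound on `days` in `get_snapshots` is not reflected in the docstring directly below it, so the validation error a caller now receives for `days=0` or `days=400` is undocumented; change the docstring to `"""Get portfolio snapshots for the last N days (1 <= days <= 365; out-of-range values are rejected by request validation)."""`. The bound limits how far back the endpoint reaches, but whether the number of rows returned is also capped depends on the query body, which continues outside the hunk — worth confirming there, since a year of snapshots at a fine interval could still be a large response. The first hunk only widens the `fastapi` import to bring in `Query` and needs no further comment.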