pi3c/blog.pyaqa.ru
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f6e13fbd5b02bfa4ab703495d2cf3cb5e97337c
blog.pyaqa.ru/.env.example
Sergey Vanyushkin 184b95969c
Some checks failed
ci/woodpecker/pr/lint Pipeline failed
Details
ci/woodpecker/pr/test Pipeline was successful
Details
ci/woodpecker/pr/type Pipeline was successful
Details
feat(auth): implement Keycloak authentication with RBAC and pagination 
Major changes:
- Add Keycloak integration via token introspection endpoint
- Implement RBAC system with roles: admin, user, guest
- Add role-based permissions for post operations
- Add pagination support (default limit: 10) to list endpoints
- Add published_only filter with admin-only override for unpublished posts

Security improvements:
- Remove hardcoded default secrets (SECRET_KEY, KEYCLOAK_CLIENT_SECRET)
- Update .env.example with proper security placeholders
- Add comprehensive RBAC unit tests

Infrastructure:
- Add httpx dependency for HTTP client
- Add KeycloakAuthClient with token caching (TTL: 60s)
- Add role-based dependencies (RequireAdmin, RequireUser, etc.)
- Update DI container with Keycloak provider

Endpoints updated:
- GET /posts: filter by published status (admin can see all)
- Add pagination params (limit, offset) to list endpoints
- Enforce RBAC on post operations

Tests:
- Add 16 auth infrastructure tests
- Add 13 RBAC role tests
- Update existing tests for new required settings

Breaking changes:
- SECRET_KEY and KEYCLOAK_CLIENT_SECRET now required (no defaults)
2026-05-02 11:21:45 +03:00

34 lines
837 B
Plaintext
Raw Blame History

# Environment mode: dev or prod
ENVIRONMENT=dev
# App settings
APP_NAME=Blog API
APP_DEBUG=false
APP_HOST=0.0.0.0
APP_PORT=8000
# Database settings
# For dev (SQLite): DB_URL=sqlite+aiosqlite:///./blog.db
# For prod (PostgreSQL): DB_URL=postgresql+asyncpg://user:pass@host:port/db
# Or use individual DB_* vars for prod (see below)
DB_URL=
DB_ECHO=false
# PostgreSQL-specific settings (used in prod when DB_URL is not set)
DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=postgres
DB_NAME=blog
# Security settings (REQUIRED)
SECURITY_SECRET_KEY=your-secret-key-here-change-in-production
SECURITY_ACCESS_TOKEN_EXPIRE_MINUTES=30
# Keycloak settings (REQUIRED for authentication)
KC_SERVER_URL=http://localhost:8080
KC_REALM=blog
KC_CLIENT_ID=blog-api
KC_CLIENT_SECRET=your-keycloak-client-secret-here
KC_TOKEN_CACHE_TTL=60
Reference in New Issue View Git Blame Copy Permalink