feat: add SQLite persistence and REST API for temporary whitelisting

- Migrate IP-based temporary whitelisting from file to SQLite storage
- Add REST API endpoints for managing temporary and permanent whitelists
- Create `.env.example` with required environment variables
- Document API endpoints in README.md and docs/api.md
- Add new dependency `modernc.org/sqlite` for SQLite support
- Update deployment and security documentation
This commit is contained in:
db123-test
2026-05-04 09:08:11 +03:30
parent a5c9c42533
commit 515de33837
18 changed files with 467 additions and 254 deletions

267
openapi.yaml Normal file
View File

@@ -0,0 +1,267 @@
openapi: "3.0.3"
info:
title: Auth-gate API
description: Lightweight Go auth gateway for IP-based whitelisting with temporary entries and audit logging.
version: "1.0.0"
contact:
name: Auth-gate Project
url: https://github.com/your-org/auth-gate
servers:
- url: http://127.0.0.1:8080
description: Local development server
security:
- BearerAuth: []
paths:
/auth:
get:
summary: Auth check (NGINX auth_request)
description: |
The NGINX auth_request endpoint. Do NOT call this directly.
Returns 200 if the client IP is whitelisted, 401 otherwise.
Only checks permanent and temporary IP whitelists.
operationId: checkAuth
parameters:
- name: X-Real-IP
in: header
required: true
schema:
type: string
description: Client IP set by NGINX
responses:
'200':
description: OK
content:
text/plain:
schema:
type: string
example: "ok"
'401':
description: Unauthorized — IP not whitelisted
/status:
get:
summary: Health check
description: Simple health check endpoint.
operationId: healthCheck
security: []
responses:
'200':
description: OK
content:
text/plain:
schema:
type: string
example: "ok\n"
/api/whitelist/temp:
post:
summary: Add a temporary whitelisted IP
description: Create a temporary whitelisted IP entry with a TTL.
operationId: addTempWhitelist
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- ip
- ttl_seconds
properties:
ip:
type: string
description: The IP address to whitelist
example: "203.0.113.10"
ttl_seconds:
type: integer
description: Time-to-live in seconds
minimum: 1
example: 300
reason:
type: string
description: Optional reason for whitelisting
example: "admin laptop"
responses:
'204':
description: Created
'400':
description: Bad request — missing or invalid parameters
content:
text/plain:
schema:
type: string
example: "ip and ttl_seconds required"
'401':
description: Unauthorized — invalid API token
'500':
description: Internal error — database failure
/api/whitelist/temp/list:
get:
summary: List temporary whitelisted IPs
description: List all currently active temporary whitelisted IPs.
operationId: listTempWhitelist
responses:
'200':
description: List of temporary whitelisted IPs
content:
application/json:
schema:
type: array
items:
type: object
properties:
ip:
type: string
example: "1.2.3.4"
reason:
type: string
example: "my laptop"
expires:
type: string
format: date-time
example: "2024-01-01T12:05:00Z"
'401':
description: Unauthorized — invalid API token
'500':
description: Internal error — database failure
/api/whitelist/temp/{ip}:
delete:
summary: Remove a temporary whitelisted IP
description: Remove a specific temporary whitelisted IP entry.
operationId: deleteTempWhitelist
parameters:
- name: ip
in: path
required: true
schema:
type: string
description: The IP address to remove
responses:
'204':
description: Deleted
'400':
description: Bad request — IP required
'401':
description: Unauthorized — invalid API token
'500':
description: Internal error
/api/whitelist/perm:
post:
summary: Add a permanent whitelisted IP or CIDR
description: Add a permanent whitelisted IP address or CIDR range.
operationId: addPermWhitelist
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- entry
properties:
entry:
type: string
description: IP address or CIDR range to whitelist
example: "203.0.113.10"
responses:
'204':
description: Created
'400':
description: Bad request — entry required
'401':
description: Unauthorized — invalid API token
'409':
description: Conflict — entry already exists
content:
text/plain:
schema:
type: string
example: "entry already exists"
'500':
description: Internal error
/api/whitelist/perm/{entry}:
delete:
summary: Remove a permanent whitelisted IP or CIDR
description: Remove a permanent whitelisted IP address or CIDR range.
operationId: deletePermWhitelist
parameters:
- name: entry
in: path
required: true
schema:
type: string
description: The IP address or CIDR range to remove
responses:
'204':
description: Deleted
'400':
description: Bad request — entry required
'401':
description: Unauthorized — invalid API token
'500':
description: Internal error
/api/logs:
get:
summary: Retrieve audit log entries
description: |
Retrieve the last 200 audit log entries.
Each entry records a whitelist operation with its timestamp, action, affected IP,
and the IP of the API client that performed the action.
operationId: getLogs
responses:
'200':
description: List of audit log entries
content:
application/json:
schema:
type: array
items:
type: object
properties:
timestamp:
type: string
format: date-time
example: "2024-01-01T12:00:00Z"
action:
type: string
example: "add_temp"
ip:
type: string
nullable: true
example: "1.2.3.4"
cidr:
type: string
nullable: true
example: "10.0.0.0/24"
ttl_seconds:
type: integer
nullable: true
example: 300
reason:
type: string
nullable: true
example: "admin laptop"
api_client_ip:
type: string
nullable: true
example: "10.0.0.1"
'401':
description: Unauthorized — invalid API token
'500':
description: Internal error — database failure
components:
securitySchemes:
BearerAuth:
type: http
scheme: bearer
bearerFormat: token
description: API token for authenticating to the API endpoints