Files
auth-proxy/docs/api.md
db123-test a281012fc4 fix: simplify whitelist entries and update logs API
- Change whitelist response format to use single `entry` field instead of `ip` + `reason`
- Update auth endpoint to return 204 No Content instead of 200 with body
- Add 405 Method Not Allowed response for auth endpoint
- Fix operationId for permanent whitelist endpoint (was `listTempWhitelist`)
- Add query parameters for logs endpoint: action, ip, limit, offset
- Update documentation in docs/api.md and openapi.yaml
2026-05-04 13:27:06 +03:30

163 lines
3.2 KiB
Markdown

# Auth-proxy API Reference
## Endpoints
### POST /api/whitelist/temp
Create a temporary whitelisted IP.
**Authorization:** Bearer `{API_TOKEN}`
**Request body:**
```json
{
"ip": "1.2.3.4",
"ttl_seconds": 300,
"reason": "my laptop"
}
```
**Response:** 204 No Content
**Example:**
```bash
curl -X POST http://127.0.0.1:8080/api/whitelist/temp \
-H "Authorization: Bearer CHANGE_ME" \
-H "Content-Type: application/json" \
-d '{"ip":"203.0.113.10","ttl_seconds":300,"reason":"admin laptop"}'
```
### GET /api/whitelist/temp/list
List all currently active temporary whitelisted IPs.
**Authorization:** Bearer `{API_TOKEN}`
**Response body:**
```json
[
{
"ip": "1.2.3.4",
"reason": "my laptop",
"expires": "2024-01-01T12:05:00Z"
}
]
```
### DELETE /api/whitelist/temp/{ip}
Remove a temporary whitelisted IP.
**Authorization:** Bearer `{API_TOKEN}`
**Response:** 204 No Content
### POST /api/whitelist/perm
Add a permanent whitelisted IP or CIDR range.
**Authorization:** Bearer `{API_TOKEN}`
**Request body:**
```json
{
"entry": "1.2.3.4"
}
```
**Response:** 204 No Content
**Example:**
```bash
curl -X POST http://127.0.0.1:8080/api/whitelist/perm \
-H "Authorization: Bearer CHANGE_ME" \
-H "Content-Type: application/json" \
-d '{"entry":"203.0.113.10"}'
```
### GET /api/whitelist/perm/list
List all currently active permanent whitelisted IPs.
**Authorization:** Bearer `{API_TOKEN}`
**Response body:**
```json
[
{
"entry": "203.0.113.10"
}
]
```
### DELETE /api/whitelist/perm/{entry}
Remove a permanent whitelisted IP or CIDR range.
**Authorization:** Bearer `{API_TOKEN}`
**Response:** 204 No Content
### GET /api/logs
Retrieve audit log entries.
**Authorization:** Bearer `{API_TOKEN}`
**Query parameters:**
| Parameter | Type | Required | Default | Description |
|-----------|--------|----------|---------|---------------------------------------------------------------------|
| `action` | string | No | | Filter by action type (`add_temp`, `delete_temp`, `add_perm`, etc.) |
| `ip` | string | No | | Filter by IP address |
| `limit` | int | No | 200 | Number of entries to return (max 1000) |
| `offset` | int | No | 0 | Number of entries to skip |
**Response body:**
```json
[
{
"timestamp": "2024-01-01T12:00:00Z",
"action": "add_temp",
"ip": "1.2.3.4",
"reason": "admin laptop",
"ttl_seconds": 300,
"api_client_ip": "10.0.0.1"
}
]
```
**Example:**
```bash
curl -X GET http://127.0.0.1:8080/api/logs \
-H "Authorization: Bearer CHANGE_ME"
```
### GET /auth
The NGINX auth_request endpoint. Do NOT call this directly.
**Response:** 204 No Content (allow) or 401 (deny)
### GET /status
Health check.
**Response:** 200 `ok`
## Security notes
- The API is not exposed publicly. It's only accessible from NGINX via Docker
internal networking.
- The API token is the only secret for the API. Keep it in the environment.
- The auth endpoint only checks IP whitelisting (no Basic Auth fallback).
- Always serve the auth endpoint over TLS.