Add API key authentication and TLS support

API Authentication (v4.2.1): - API key auth via X-API-Key header - Keys hashed (SHA-256) and stored in ~/.stegasoo/api_keys.json - Auth disabled when no keys configured - Protected endpoints: encode, decode, generate, channel/*, compare, etc. - Public endpoints: /, /docs, /modes, /auth/status, /channel/status TLS Support: - Auto-generates self-signed certs on first run - Certs include localhost, local IPs, hostname.local - Stored in ~/.stegasoo/certs/ CLI Commands: - stegasoo api keys list/create/delete - stegasoo api tls generate/info - stegasoo api serve (starts with TLS by default) Updated systemd service to use TLS. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-11 18:03:51 -05:00
parent 3b5ab41ce9
commit 34ede3815f
5 changed files with 699 additions and 15 deletions
--- a/TODO-4.2.1.md
+++ b/TODO-4.2.1.md
@@ -31,10 +31,20 @@
  - 68MB vs 79MB for full package
 - [ ] `stegasoo-api` - REST API package (needs auth overhaul first)

-## API Auth Work (blocking stegasoo-api)
- [ ] Implement OAuth2 authentication
- [ ] TLS 1.3 support with self-signed certificates
- [ ] Figure out cert trust/distribution for clients
+## API Auth Work
+- [x] API key authentication (simpler than OAuth2 for personal use)
+  - `frontends/api/auth.py` - key generation, hashing, validation
+  - Keys stored in `~/.stegasoo/api_keys.json` (hashed)
+  - `X-API-Key` header for authentication
+  - Auth disabled when no keys configured
+- [x] TLS with self-signed certificates
+  - Auto-generates certs on first run
+  - CLI: `stegasoo api tls generate`
+  - Certs stored in `~/.stegasoo/certs/`
+- [x] CLI commands for API management
+  - `stegasoo api keys list/create/delete`
+  - `stegasoo api tls generate/info`
+  - `stegasoo api serve` (starts with TLS by default)

 ## API Documentation
 - [ ] Postman collection