feat: add api auth

Author: pomelo-nwu

infra/sandbox/package.json

@@ -28,6 +28,7 @@
     "start": "tsx watch --clear-screen=false src/index.ts",
     "dev": "tsx watch --clear-screen=false src/index.ts",
     "dev:mcp": "tsx watch --clear-screen=false src/mcp-server.ts",
+    "generate-api-key": "node scripts/generate-api-key.cjs",
     "test": "jest",
     "lint": "eslint src --ext .ts",
     "prepack": "npm run build"
@@ -75,4 +76,4 @@
     "tsx": "^4.16.5",
     "typescript": "^5.3.3"
   }
-}
+}

infra/sandbox/scripts/generate-api-key.cjs

@@ -0,0 +1,103 @@
+#!/usr/bin/env node
+
+/**
+ * GraphScope Sandbox API Key Generator
+ *
+ * Usage:
+ * node scripts/generate-api-key.cjs
+ * node scripts/generate-api-key.cjs --count 3
+ * node scripts/generate-api-key.cjs --prefix custom_prefix
+ */
+
+const crypto = require("crypto");
+
+function generateApiKey(prefix = "ai-spider") {
+  const chars =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  let result = prefix + "_";
+
+  for (let i = 0; i < 32; i++) {
+    result += chars.charAt(Math.floor(Math.random() * chars.length));
+  }
+
+  return result;
+}
+
+function main() {
+  const args = process.argv.slice(2);
+
+  let count = 1;
+  let prefix = "ai-spider";
+
+  // Parse command line arguments
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--count" && i + 1 < args.length) {
+      count = parseInt(args[i + 1]);
+      i++;
+    } else if (args[i] === "--prefix" && i + 1 < args.length) {
+      prefix = args[i + 1];
+      i++;
+    } else if (args[i] === "--help" || args[i] === "-h") {
+      console.log(`
+GraphScope Sandbox API Key Generator
+
+Usage:
+  node scripts/generate-api-key.cjs [options]
+
+Options:
+  --count <number>    Number of API Keys to generate (default: 1)
+  --prefix <string>   API Key prefix (default: ai-spider)
+  --help, -h          Show help
+
+Examples:
+  node scripts/generate-api-key.cjs
+  node scripts/generate-api-key.cjs --count 3
+  node scripts/generate-api-key.cjs --prefix my_app
+      `);
+      return;
+    }
+  }
+
+  console.log("🔑 GraphScope Sandbox API Key Generator\n");
+
+  if (count === 1) {
+    const apiKey = generateApiKey(prefix);
+    console.log(`Generated API Key: ${apiKey}`);
+    console.log("\n💡 Usage:");
+    console.log(`export SANDBOX_API_KEY="${apiKey}"`);
+    console.log(`Or add to your .env file:`);
+    console.log(`SANDBOX_API_KEY=${apiKey}`);
+  } else {
+    const apiKeys = [];
+    for (let i = 0; i < count; i++) {
+      apiKeys.push(generateApiKey(prefix));
+    }
+
+    console.log(`Generated ${count} API Keys:`);
+    apiKeys.forEach((key, index) => {
+      console.log(`${index + 1}. ${key}`);
+    });
+
+    console.log("\n💡 Usage:");
+    console.log("Method 1 - Use a single key (pick one):");
+    console.log(`export SANDBOX_API_KEY="${apiKeys[0]}"`);
+
+    console.log("\nMethod 2 - Use all keys together:");
+    console.log(`export SANDBOX_API_KEYS="${apiKeys.join(",")}"`);
+
+    console.log("\nOr add to your .env file:");
+    console.log(`SANDBOX_API_KEYS=${apiKeys.join(",")}`);
+  }
+
+  console.log("\n⚠️  Security Tips:");
+  console.log("- Keep your API Keys safe");
+  console.log("- Do not hardcode API Keys in your code");
+  console.log("- Rotate API Keys regularly");
+  console.log("- Use different API Keys for different environments");
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = { generateApiKey };

infra/sandbox/src/middleware/simple-auth.ts

@@ -0,0 +1,145 @@
+import { Request, Response, NextFunction } from "express";
+import logger from "../utils/logger";
+
+interface AuthenticatedRequest extends Request {
+  isAuthenticated?: boolean;
+}
+
+/**
+ * Simple API Key authentication middleware.
+ * Supports multiple API keys via environment variables.
+ */
+export const simpleApiKeyAuth = (
+  req: AuthenticatedRequest,
+  res: Response,
+  next: NextFunction
+) => {
+  try {
+    const authHeader = req.headers.authorization;
+
+    // Check if Authorization header exists
+    if (!authHeader) {
+      logger.warn("Missing authorization header", {
+        ip: req.ip,
+        path: req.path,
+        method: req.method
+      });
+
+      return res.status(401).json({
+        error: {
+          code: "MISSING_AUTH",
+          message:
+            "Authorization header is required. Use: Authorization: Bearer <your-api-key>"
+        }
+      });
+    }
+
+    // Check format: Bearer <api-key>
+    if (!authHeader.startsWith("Bearer ")) {
+      logger.warn("Invalid authorization format", {
+        ip: req.ip,
+        path: req.path,
+        authHeader: authHeader.substring(0, 20) + "..."
+      });
+
+      return res.status(401).json({
+        error: {
+          code: "INVALID_AUTH_FORMAT",
+          message:
+            "Authorization header must be in format: Bearer <your-api-key>"
+        }
+      });
+    }
+
+    const apiKey = authHeader.replace("Bearer ", "").trim();
+
+    // Validate API Key
+    if (!isValidApiKey(apiKey)) {
+      logger.warn("Invalid API key attempt", {
+        ip: req.ip,
+        path: req.path,
+        keyPrefix: apiKey.substring(0, 8) + "..."
+      });
+
+      return res.status(401).json({
+        error: {
+          code: "INVALID_API_KEY",
+          message: "Invalid API key"
+        }
+      });
+    }
+
+    // Authentication successful
+    req.isAuthenticated = true;
+    logger.info("API key authentication successful", {
+      ip: req.ip,
+      path: req.path,
+      method: req.method,
+      keyPrefix: apiKey.substring(0, 8) + "..."
+    });
+
+    next();
+  } catch (error) {
+    logger.error("Authentication error", { error, ip: req.ip, path: req.path });
+
+    return res.status(500).json({
+      error: {
+        code: "AUTH_ERROR",
+        message: "Authentication service error"
+      }
+    });
+  }
+};
+
+/**
+ * Validate if the API Key is valid.
+ * Supports multiple configuration methods:
+ * 1. Environment variable SANDBOX_API_KEYS (comma separated)
+ * 2. Environment variable SANDBOX_API_KEY (single key)
+ */
+function isValidApiKey(apiKey: string): boolean {
+  if (!apiKey || apiKey.length < 8) {
+    return false;
+  }
+
+  // Method 1: Multiple API keys, comma separated
+  const apiKeys = process.env.SANDBOX_API_KEYS;
+  if (apiKeys) {
+    const validKeys = apiKeys.split(",").map((key) => key.trim());
+    return validKeys.includes(apiKey);
+  }
+
+  // Method 2: Single API key
+  const singleApiKey = process.env.SANDBOX_API_KEY;
+  if (singleApiKey) {
+    return apiKey === singleApiKey.trim();
+  }
+
+  // If no API key is configured, reject all requests
+  logger.error(
+    "No API keys configured. Please set SANDBOX_API_KEY or SANDBOX_API_KEYS environment variable"
+  );
+  return false;
+}
+
+/**
+ * Health check and management endpoints can skip authentication.
+ */
+export const skipAuthPaths = ["/health"];
+
+/**
+ * Authentication middleware with path filtering.
+ */
+export const conditionalAuth = (
+  req: AuthenticatedRequest,
+  res: Response,
+  next: NextFunction
+) => {
+  // Skip authentication for health check and similar paths
+  if (skipAuthPaths.some((path) => req.path.startsWith(path))) {
+    return next();
+  }
+
+  // Require authentication for other paths
+  return simpleApiKeyAuth(req, res, next);
+};

infra/sandbox/src/server.ts

@@ -4,6 +4,7 @@ import helmet from "helmet";
 import morgan from "morgan";
 import http, { createServer } from "http";
 import { errorHandler, notFoundHandler } from "./middleware/error-handler";
+import { conditionalAuth } from "./middleware/simple-auth";
 import {
   createSandboxValidation,
   execCodeValidation,
@@ -37,11 +38,14 @@ export function createApp(): {
   app.use(express.urlencoded({ limit: "100mb", extended: true })); // Parse URL-encoded bodies with 100MB limit
   app.use(morgan("dev")); // HTTP request logging
 
-  // Health check endpoint
+  // Health check endpoint (no auth required)
   app.get("/health", (req, res) => {
     res.status(200).json({ status: "ok" });
   });
 
+  // Apply API Key authentication to all /api routes
+  app.use("/api", conditionalAuth);
+
   // API routes
   app.post(
     "/api/sandbox",