# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## [Unreleased]

### Added

- Gitea API token integration
- n8n API key integration
- API key caching with Moka
- Rate limiting for API key validation
- Constant-time hash comparison
- OpenAPI documentation with utoipa

## [0.1.0] - 2026-03-21

### Added

#### API Key Management System

- API key generation with secure random (UUID v4)
- SHA256 key hashing
- 5 key types: System, User, Service, Integration, Emergency
- Key expiration with configurable TTL
- Grace period for key rotation

#### Anomaly Detection

- High request rate detection (>1000/min)
- High error rate detection (>50%)
- Multiple IP detection (>5/hour)
- Unusual time activity detection
- Redis Pub/Sub for anomaly alerts

#### Rotation Mechanism

- Automatic rotation scheduling
- Manual rotation requests
- Forced rotation for security incidents
- Grace period management per key type:
  - System: 72 hours
  - User: 24 hours
  - Service: 48 hours
  - Integration: 24 hours
  - Emergency: 0 hours (immediate)

#### PostgreSQL Integration

- `api_keys` table for key storage
- `api_key_audit_log` table for audit trail
- `api_key_anomalies` table for anomaly records
- Full CRUD operations for API keys

#### Redis Integration

- Anomaly alert Pub/Sub (`momentry:anomaly:alerts`)
- Key anomaly state tracking
- Real-time alert notifications

#### CLI Commands

- `momentry api-key create` - Create new API key
- `momentry api-key list` - List all API keys
- `momentry api-key validate` - Validate an API key
- `momentry api-key revoke` - Revoke an API key
- `momentry api-key rotate` - Request key rotation
- `momentry api-key stats` - Show statistics

#### Gitea Integration

- Create Gitea Personal Access Tokens
- List user tokens
- Delete tokens
- Local token tracking
- CLI commands:
  - `momentry gitea create`
  - `momentry gitea list`
  - `momentry gitea delete`
  - `momentry gitea verify`
#### n8n Integration

- Create n8n API keys
- List API keys
- Delete API keys
- Local key tracking
- CLI commands:
  - `momentry n8n create`
  - `momentry n8n list`
  - `momentry n8n delete`
  - `momentry n8n verify`

#### Security Features

- Constant-time hash comparison (`subtle` crate)
- Rate limiting for validation attempts
- IP-based lockout after failed attempts
- Configurable thresholds via environment variables

#### Performance Optimizations

- Moka-based API key validation cache
- Configurable TTL and capacity
- Reduced database queries for hot keys

#### Documentation

- API Key Management design document
- Redis user configuration guide
- Gitea token integration guide
- n8n API key integration guide
- Optimization plan with task codes

### Environment Variables

#### API Key Configuration

```
CACHE_TTL_SECONDS=300          # Cache TTL (default: 300)
CACHE_MAX_CAPACITY=10000       # Max cache entries (default: 10000)
RATE_LIMIT_MAX_ATTEMPTS=5      # Max failed attempts (default: 5)
RATE_LIMIT_WINDOW_SECONDS=900  # Lockout duration (default: 900)
```

#### Service URLs

```
GITEA_URL=http://localhost:3000
N8N_URL=https://n8n.momentry.ddns.net
```

### Database Schema

#### Tables Created

- `api_keys` - API key storage
- `api_key_audit_log` - Audit trail
- `api_key_anomalies` - Anomaly records
- `gitea_tokens` - Gitea token tracking
- `n8n_api_keys` - n8n API key tracking

### Dependencies Added

- `uuid` - UUID generation
- `subtle` - Constant-time comparison
- `moka` - Async cache
- `utoipa` - OpenAPI documentation
- `utoipa-swagger-ui` - Swagger UI

---

## Version History

| Version | Date       | Description                              |
|---------|------------|------------------------------------------|
| 0.1.0   | 2026-03-21 | Initial release with API Key Management  |
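
---

## Added Example: Anomaly Detection Thresholds

The anomaly detection entry above lists three numeric thresholds (>1000 requests/min, >50% error rate, >5 IPs/hour) without showing how they are evaluated. The following Rust sketch is an added illustration, not code from the momentry project: it runs those checks over trailing windows of constructed audit-log events. The `Event`, `Thresholds`, `Anomaly` and `detect` names are hypothetical, the window semantics (last 60 s for rate and error checks, last 3600 s for distinct IPs) are an assumption, and the `min_requests_for_error_rate` guard is an addition so that a single failed call is not reported as a 100% error rate.

```rust
use std::collections::HashSet;

/// One API call as it would appear in the audit trail (sample data is constructed below).
#[derive(Clone, Debug)]
pub struct Event {
    pub ts: u64,     // Unix seconds
    pub key_id: String,
    pub ip: String,
    pub status: u16, // HTTP status; >= 400 counts as an error
}

/// Thresholds from the changelog: >1000 requests/min, >50% errors, >5 IPs/hour.
/// `min_requests_for_error_rate` is an added guard (assumption, not from the changelog).
pub struct Thresholds {
    pub max_requests_per_min: usize,
    pub max_error_ratio: f64,
    pub max_ips_per_hour: usize,
    pub min_requests_for_error_rate: usize,
}

impl Default for Thresholds {
    fn default() -> Self {
        Thresholds {
            max_requests_per_min: 1000,
            max_error_ratio: 0.5,
            max_ips_per_hour: 5,
            min_requests_for_error_rate: 20,
        }
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Anomaly { HighRequestRate, HighErrorRate, MultipleIps }

/// Evaluate one key's traffic as of `now` (Unix seconds) over trailing windows:
/// the last 60 s for the rate and error checks, the last 3600 s for distinct IPs.
/// Events newer than `now` are ignored so the function can be replayed over history.
pub fn detect(events: &[Event], key_id: &str, now: u64, t: &Thresholds) -> Vec<Anomaly> {
    let mine: Vec<&Event> = events.iter().filter(|e| e.key_id == key_id && e.ts <= now).collect();
    let last_minute: Vec<&Event> = mine.iter().copied().filter(|e| now - e.ts < 60).collect();
    let mut found = Vec::new();
    if last_minute.len() > t.max_requests_per_min {
        found.push(Anomaly::HighRequestRate);
    }
    let errors = last_minute.iter().filter(|e| e.status >= 400).count();
    if last_minute.len() >= t.min_requests_for_error_rate
        && errors as f64 / last_minute.len() as f64 > t.max_error_ratio
    {
        found.push(Anomaly::HighErrorRate);
    }
    let ips: HashSet<&str> = mine.iter().filter(|e| now - e.ts < 3600).map(|e| e.ip.as_str()).collect();
    if ips.len() > t.max_ips_per_hour {
        found.push(Anomaly::MultipleIps);
    }
    found
}

/// Constructed sample traffic, not real logs: key "k1" is hammered from six source
/// IPs with mostly 401 responses; key "k2" is a healthy single-client key.
pub fn sample_events() -> Vec<Event> {
    let base = 1_700_000_000;
    let mut v = Vec::new();
    for i in 0..30u64 {
        v.push(Event { ts: base + i, key_id: "k1".into(), ip: format!("203.0.113.{}", i % 6 + 1),
                       status: if i % 4 == 0 { 200 } else { 401 } });
    }
    for i in 0..10u64 {
        v.push(Event { ts: base + 5 * i, key_id: "k2".into(), ip: "198.51.100.7".into(), status: 200 });
    }
    v
}

fn main() {
    let events = sample_events();
    let now = 1_700_000_059; // one minute after the first sample event
    for key in ["k1", "k2"] {
        println!("{}: {:?}", key, detect(&events, key, now, &Thresholds::default()));
    }
}
```

In a deployment the detector would consume the `api_key_audit_log` rows (or a Redis counter per key) rather than an in-memory slice, and each returned `Anomaly` would be published on the `momentry:anomaly:alerts` channel; the evaluation logic is the same.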
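
---

## Added Example: Validation Rules

The Security Features and Rotation Mechanism entries above name three rules that decide whether a presented key is accepted: constant-time comparison of the stored hash, per-IP lockout after `RATE_LIMIT_MAX_ATTEMPTS` failures for `RATE_LIMIT_WINDOW_SECONDS`, and a per-key-type grace period after rotation. The following std-only Rust sketch is an added illustration, not code from the momentry project: `ct_eq` reimplements what the `subtle` crate's `ConstantTimeEq` provides, `RateLimiter` applies the documented defaults (5 attempts, 900 s), and `validate` combines them with the grace-period table. It assumes the caller has already SHA-256-hashed the presented key (the digests used here are constructed 32-byte values), and all type and function names are hypothetical.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// The five key types from the changelog and their rotation grace periods.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum KeyType { System, User, Service, Integration, Emergency }

impl KeyType {
    pub fn grace_period(self) -> Duration {
        let hours = match self {
            KeyType::System => 72,
            KeyType::User => 24,
            KeyType::Service => 48,
            KeyType::Integration => 24,
            KeyType::Emergency => 0, // immediate: the old key dies at rotation time
        };
        Duration::from_secs(hours * 3600)
    }
}

/// Constant-time digest equality, the technique behind subtle::ConstantTimeEq. Every byte
/// is XORed and OR-accumulated so the loop never exits early; a plain `a == b` may return
/// at the first mismatch, letting an attacker confirm a guessed hash byte by byte via timing.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false; // digest length is public (32 bytes for SHA-256), so this leaks nothing
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Per-IP lockout; defaults mirror RATE_LIMIT_MAX_ATTEMPTS=5 and RATE_LIMIT_WINDOW_SECONDS=900.
pub struct RateLimiter {
    max_attempts: u32,
    window: Duration,
    failures: HashMap<String, (u32, Instant)>, // ip -> (failure count, window start)
}

impl RateLimiter {
    pub fn new(max_attempts: u32, window: Duration) -> Self {
        RateLimiter { max_attempts, window, failures: HashMap::new() }
    }

    pub fn is_locked(&self, ip: &str, now: Instant) -> bool {
        self.failures.get(ip)
            .map_or(false, |&(count, start)| count >= self.max_attempts && now < start + self.window)
    }

    pub fn record_failure(&mut self, ip: &str, now: Instant) {
        let entry = self.failures.entry(ip.to_string()).or_insert((0, now));
        if now >= entry.1 + self.window {
            *entry = (0, now); // previous window elapsed: start a fresh count
        }
        entry.0 += 1;
    }

    pub fn record_success(&mut self, ip: &str) {
        self.failures.remove(ip);
    }
}

/// Stored record: only the SHA-256 digest of the key is kept, never the key itself.
pub struct StoredKey {
    pub key_type: KeyType,
    pub key_hash: Vec<u8>,
    pub expires_at: Instant,
    pub rotated_at: Option<Instant>, // set once a replacement key has been issued
}

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome { Valid, InGracePeriod, Expired, Mismatch, LockedOut }

/// Locked IPs are refused before any hash work; a mismatch counts as a failure.
pub fn validate(limiter: &mut RateLimiter, ip: &str, stored: &StoredKey,
                presented_hash: &[u8], now: Instant) -> Outcome {
    if limiter.is_locked(ip, now) {
        return Outcome::LockedOut;
    }
    if !ct_eq(&stored.key_hash, presented_hash) {
        limiter.record_failure(ip, now);
        return Outcome::Mismatch;
    }
    // A rotated key is honoured until rotated_at + grace period, never past its own expiry.
    let (deadline, ok) = match stored.rotated_at {
        Some(t) => ((t + stored.key_type.grace_period()).min(stored.expires_at), Outcome::InGracePeriod),
        None => (stored.expires_at, Outcome::Valid),
    };
    if now >= deadline {
        return Outcome::Expired;
    }
    limiter.record_success(ip);
    ok
}
```

`validate` is the entry point: call it with the client IP, the stored record, the digest of the presented key and the current `Instant`. Passing `now` explicitly rather than reading the clock inside makes the grace-period and lockout boundaries testable, and `InGracePeriod` is kept distinct from `Valid` so the caller can warn the client that the old key is about to stop working. Note that an Emergency key rotated at time `t` is already `Expired` at `t`, which is the "0 hours (immediate)" row of the table above.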