Harden API security, add tests, and document setup

Author: lunaticsm

.env-sample

@@ -0,0 +1 @@
+API_KEY=

.gitignore

@@ -0,0 +1,24 @@
+# Bytecode / cache
+__pycache__/
+*.py[cod]
+.Python
+
+# Environments
+env/
+venv/
+.venv/
+
+# Testing
+.pytest_cache/
+.coverage
+coverage.xml
+
+# Editors
+.vscode/
+.idea/
+*.swp
+
+# Local data
+uploads/
+*.db
+.env

app/__init__.py

@@ -0,0 +1,9 @@
+from apscheduler.schedulers.background import BackgroundScheduler
+from app.storage import delete_expired_files
+
+
+def start_cleaner(engine):
+    scheduler = BackgroundScheduler()
+    scheduler.add_job(lambda: delete_expired_files(engine), "interval", hours=1)
+    scheduler.start()
+    return scheduler

app/cleaner.py

@@ -0,0 +1,16 @@
+import os
+from dotenv import load_dotenv
+
+load_dotenv()
+
+API_KEY = os.getenv("API_KEY")
+if not API_KEY:
+    raise RuntimeError("API_KEY environment variable must be set")
+
+UPLOAD_DIR = os.getenv("UPLOAD_DIR", os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "uploads")))
+DB_URL = os.getenv("DB_URL", "sqlite:///./cdn.db")
+DELETE_AFTER_HOURS = int(os.getenv("DELETE_AFTER_HOURS", "72"))
+CORS_ORIGINS = os.getenv("CORS_ORIGINS", "*")
+
+DB_CONNECT_ARGS = {"check_same_thread": False} if DB_URL.startswith("sqlite") else {}
+ENABLE_CLEANER = os.getenv("ENABLE_CLEANER", "true").lower() in {"true", "1", "yes"}

app/config.py

@@ -0,0 +1,85 @@
+from fastapi import FastAPI, UploadFile, File, HTTPException, Header, Depends
+from fastapi.responses import FileResponse
+from fastapi.middleware.cors import CORSMiddleware
+from sqlmodel import SQLModel, create_engine, Session, select
+from urllib.parse import quote
+from pathlib import Path
+from app.config import API_KEY, DB_URL, UPLOAD_DIR, CORS_ORIGINS, DB_CONNECT_ARGS, ENABLE_CLEANER
+from app.models import File as FileModel
+from app.storage import save_file
+from app.cleaner import start_cleaner
+
+app = FastAPI(title="AlterBase CDN API", version="1.0")
+
+# CORS
+origins = [o.strip() for o in CORS_ORIGINS.split(",")]
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=origins,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+engine = create_engine(DB_URL, connect_args=DB_CONNECT_ARGS)
+SQLModel.metadata.create_all(engine)
+if ENABLE_CLEANER:
+    start_cleaner(engine)  # background scheduler
+
+# --- API Key guard ---
+async def require_api_key(x_api_key: str | None = Header(default=None)):
+    if API_KEY and x_api_key != API_KEY:
+        raise HTTPException(status_code=401, detail="Invalid or missing API Key")
+
+# --- Routes ---
+
+@app.post("/upload", dependencies=[Depends(require_api_key)])
+async def upload(file: UploadFile = File(...)):
+    if not file.filename:
+        raise HTTPException(status_code=400, detail="Missing filename")
+    data = await file.read()
+    stored_name, size_bytes = save_file(data, file.filename, file.content_type or "application/octet-stream")
+    file_id = stored_name.split(".")[0]
+
+    with Session(engine) as session:
+        rec = FileModel(
+            id=file_id,
+            original_name=file.filename,
+            stored_name=stored_name,
+            content_type=file.content_type or "application/octet-stream",
+            size_bytes=size_bytes,
+        )
+        session.add(rec)
+        session.commit()
+
+    return {
+        "id": file_id,
+        "url": f"/{quote(stored_name)}",
+        "size": size_bytes,
+        "type": file.content_type,
+    }
+
+@app.get("/list", dependencies=[Depends(require_api_key)])
+def list_files():
+    with Session(engine) as session:
+        files = session.exec(select(FileModel).order_by(FileModel.created_at.desc())).all()
+        return [
+            {
+                "id": f.id,
+                "url": f"/{quote(f.stored_name)}",
+                "name": f.original_name,
+                "size": f.size_bytes,
+                "created_at": f.created_at,
+            } for f in files
+        ]
+
+@app.get("/{filename}")
+def serve_file(filename: str):
+    upload_root = Path(UPLOAD_DIR).resolve()
+    try:
+        path = (upload_root / filename).resolve()
+        path.relative_to(upload_root)
+    except (ValueError, RuntimeError):
+        raise HTTPException(status_code=404, detail="Not found")
+    if not path.is_file():
+        raise HTTPException(status_code=404, detail="Not found")
+    return FileResponse(path)

app/main.py

@@ -0,0 +1,10 @@
+from datetime import datetime
+from sqlmodel import SQLModel, Field
+
+class File(SQLModel, table=True):
+    id: str = Field(primary_key=True)
+    original_name: str
+    stored_name: str
+    content_type: str
+    size_bytes: int
+    created_at: datetime = Field(default_factory=datetime.utcnow)

app/models.py

@@ -0,0 +1,32 @@
+import os
+import uuid
+from datetime import datetime, timedelta
+from sqlmodel import Session, select
+from app.config import UPLOAD_DIR, DELETE_AFTER_HOURS
+from app.models import File
+
+os.makedirs(UPLOAD_DIR, exist_ok=True)
+
+def save_file(file_bytes: bytes, original_name: str, content_type: str) -> str:
+    ext = os.path.splitext(original_name)[1] or ".bin"
+    file_id = str(uuid.uuid4())
+    stored_name = f"{file_id}{ext}"
+    path = os.path.join(UPLOAD_DIR, stored_name)
+    with open(path, "wb") as f:
+        f.write(file_bytes)
+    return stored_name, len(file_bytes)
+
+def delete_expired_files(engine):
+    from datetime import datetime
+    with Session(engine) as session:
+        cutoff = datetime.utcnow() - timedelta(hours=DELETE_AFTER_HOURS)
+        stmt = select(File).where(File.created_at < cutoff)
+        old_files = session.exec(stmt).all()
+        for f in old_files:
+            try:
+                os.remove(os.path.join(UPLOAD_DIR, f.stored_name))
+            except FileNotFoundError:
+                pass
+            session.delete(f)
+        session.commit()
+    return len(old_files)

app/storage.py

@@ -0,0 +1,9 @@
+fastapi==0.115.4
+uvicorn==0.32.0
+sqlmodel==0.0.22
+python-multipart==0.0.9
+pillow==10.4.0
+python-dotenv==1.0.1
+apscheduler==3.10.4
+pytest==7.4.4
+httpx==0.27.2

requirements.txt

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e
+export APP_HOST=${APP_HOST:-0.0.0.0}
+export APP_PORT=${APP_PORT:-8000}
+uvicorn app.main:app --host "$APP_HOST" --port "$APP_PORT" --workers 2 --proxy-headers