lyn/GiteaCustomApi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add API key rotation mechanism and client-side key fetch documentation

Browse Source
This commit is contained in:
lyn
2026-04-14 12:54:17 +00:00
parent 8ddb7c2846
commit 1e853e9f75
1 changed files with 29 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
PROJECT_PLAN.md
View File

@@ -34,11 +34,35 @@ A lightweight Go service that:
- **Source DB**: Gitea MySQL (read-only, same docker network) - **Source DB**: Gitea MySQL (read-only, same docker network)
- **HTTP**: Standard library `net/http` - **HTTP**: Standard library `net/http`
- **Deployment**: Docker + Docker Compose on vps.git - **Deployment**: Docker + Docker Compose on vps.git
- **API Key**: Rotates every 10 minutes, stored in Docker volume at `/data/api-key`
## Authentication
All `/list` and `/webhook/gitea` endpoints require `Authorization: Bearer <api-key>` header.
### API Key Rotation
- API key is generated every **10 minutes** by the c-api service itself
- Stored in the Docker volume at `/data/api-key`
- Clients must fetch the latest key before each request
### Client-side key fetch
Before calling any c-api endpoint, fetch the current key:
```bash
API_KEY=$(ssh root@vps.git "cat /path/to/api-key")
curl -H "Authorization: Bearer $API_KEY" "https://git.hangman-lab.top/c-api/list?username=xxx"
```
> **Note**: Script-side clients (e.g. `list-projs`) should perform this key fetch as part of their request flow. The key changes every 10 minutes so it must be re-fetched each time.
## API ## API
### `GET /list?username={username}` ### `GET /list?username={username}`
> **Requires**: `Authorization: Bearer <api-key>` header
Returns all repositories visible to the given Gitea user. Returns all repositories visible to the given Gitea user.
**Response** (JSON): **Response** (JSON):
@@ -61,7 +85,7 @@ Returns all repositories visible to the given Gitea user.
### `POST /webhook/gitea` ### `POST /webhook/gitea`
Receives Gitea webhook events (requires `X-Gitea-Event` header). Receives Gitea webhook events (create/delete only).
Supported events: Supported events:
- `repository.create` — insert new repo into cache - `repository.create` — insert new repo into cache
@@ -94,7 +118,8 @@ Environment variables:
| `DB_USER` | `root` | MySQL username | | `DB_USER` | `root` | MySQL username |
| `DB_PASS` | — | MySQL password | | `DB_PASS` | — | MySQL password |
| `DB_NAME` | `giteadb` | MySQL database name | | `DB_NAME` | `giteadb` | MySQL database name |
| `SQLITE_PATH` | `cache.db` | SQLite file path | | `SQLITE_PATH` | `/data/cache.db` | SQLite file path |
| `API_KEY_FILE` | `/data/api-key` | Path for rotating api-key |
| `WEBHOOK_SECRET` | — | Gitea webhook secret token | | `WEBHOOK_SECRET` | — | Gitea webhook secret token |
| `PORT` | `8080` | HTTP listen port | | `PORT` | `8080` | HTTP listen port |
@@ -130,6 +155,7 @@ services:
PORT: 8080 PORT: 8080
volumes: volumes:
- ./gitea-custom-api/data:/data - ./gitea-custom-api/data:/data
- ./gitea-custom-api/api-key:/data/api-key
networks: networks:
- git-network - git-network