🚀 Auto-deploy from GitHub

app/api/v1/endpoints/download.py

@@ -3,6 +3,7 @@ from fastapi.responses import FileResponse
 from pathlib import Path
 from ....services.database import get_supabase_client # Corrected import
 from ....core.config import settings # Import settings
+from ....core.auth import verify_hf_token
 from supabase import Client
 
 router = APIRouter()
@@ -10,7 +11,8 @@ router = APIRouter()
 @router.get("/download/image/{card_id}") # Changed to path parameter
 async def download_generated_image(
     card_id: str, # card_id from path
-    supabase: Client = Depends(get_supabase_client)
+    supabase: Client = Depends(get_supabase_client),
+    authenticated: bool = Depends(verify_hf_token)
 ):
     """
     Download a custom generated image using the card_id to find the image path from Supabase.

app/api/v1/endpoints/generate.py

@@ -10,6 +10,7 @@ from ....services.database import get_supabase_client, save_card
 from ....core.config import settings
 from ....core.model_loader import get_generator
 from ....core.constraints import generate_with_retry, check_constraints
+from ....core.auth import verify_hf_token
 from fastapi.concurrency import run_in_threadpool # Importieren
 
 load_dotenv()
@@ -26,7 +27,8 @@ async def generate_qr_code_async(*args, **kwargs):
 @router.post("/generate", response_model=CardGenerateResponse)
 async def generate_endpoint(
     request: CardGenerateRequest, 
-    supabase: Client = Depends(get_supabase_client)
+    supabase: Client = Depends(get_supabase_client),
+    authenticated: bool = Depends(verify_hf_token)
 ):
     try:
         lang = request.lang or "de"

app/api/v1/endpoints/health.py

@@ -1,5 +1,6 @@
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Depends
 from ..schemas.health_schema import HealthResponse
+from ....core.auth import verify_hf_token
 import httpx
 import asyncio
 from typing import Optional
@@ -25,7 +26,7 @@ async def check_huggingface_space():
         return "unreachable"
 
 @router.get("/health", response_model=HealthResponse)
-async def health_check():
+async def health_check(authenticated: bool = Depends(verify_hf_token)):
     """
     Health check endpoint that verifies server status, model loading status and HuggingFace space availability
     """
@@ -51,4 +52,16 @@ async def health_check():
             huggingface_space_url=HF_SPACE_URL
         )
     except Exception as e:
-        raise HTTPException(status_code=500, detail=f"Health check failed: {str(e)}")
+        raise HTTPException(status_code=500, detail=f"Health check failed: {str(e)}")
+
+@router.get("/health/public")
+async def public_health_check():
+    """
+    Public health check endpoint (no authentication required)
+    Returns basic server status only
+    """
+    return {
+        "status": "healthy",
+        "server": "running",
+        "message": "Server is operational"
+    }

app/core/auth.py

@@ -0,0 +1,63 @@
+"""
+Authentication middleware for HuggingFace API token validation
+"""
+from fastapi import HTTPException, status, Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from typing import Optional
+import os
+from dotenv import load_dotenv
+
+load_dotenv()
+
+security = HTTPBearer(auto_error=False)
+
+def get_hf_api_key() -> str:
+    """Get HuggingFace API key from environment"""
+    return os.getenv("HF_API_KEY", "")
+
+def verify_hf_token(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> bool:
+    """
+    Verify HuggingFace API token
+    Returns True if no authentication is required (public space) or if token is valid
+    """
+    expected_token = get_hf_api_key()
+    
+    # If no HF_API_KEY is set, allow public access
+    if not expected_token:
+        return True
+    
+    # If HF_API_KEY is set but no credentials provided, deny access
+    if not credentials:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authentication required. Please provide a valid HuggingFace API token.",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    
+    # Verify the token matches
+    if credentials.credentials != expected_token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    
+    return True
+
+def optional_auth(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> bool:
+    """
+    Optional authentication - doesn't raise errors if no token provided
+    Used for endpoints that can work with or without authentication
+    """
+    expected_token = get_hf_api_key()
+    
+    # If no HF_API_KEY is set, allow public access
+    if not expected_token:
+        return True
+    
+    # If no credentials provided, still allow access (optional auth)
+    if not credentials:
+        return False
+    
+    # If credentials provided, verify them
+    return credentials.credentials == expected_token

curl_test_commands.md

@@ -1,121 +0,0 @@
-# Direct curl commands for testing the /generate endpoint
-
-## Standard test (German):
-curl -X POST "http://localhost:8000/api/v1/generate" \
-  -H "Content-Type: application/json" \
-  -H "Accept: application/json" \
-  -d '{
-    "terms": ["Liebe", "Erfolg", "Glück", "Herausforderung", "Wachstum"],
-    "card_date": "1990-05-15",
-    "lang": "de",
-    "card_design_id_override": 1,
-    "symbol_ids_override": [1, 2]
-  }'
-
-## English test:
-curl -X POST "http://localhost:7860/api/v1/generate" \
-  -H "Content-Type: application/json" \
-  -H "Accept: application/json" \
-  -d '{
-    "terms": ["Love", "Success", "Happiness", "Challenge", "Growth"],
-    "card_date": "1985-12-25", 
-    "lang": "en",
-    "card_design_id_override": 2,
-    "symbol_ids_override": [3, 4, 5]
-  }'
-
-## Minimal test (only required fields):
-curl -X POST "http://localhost:7860/api/v1/generate" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "terms": ["Test1", "Test2", "Test3", "Test4", "Test5"],
-    "card_date": "2000-01-01"
-  }'
-
-## Pretty printed JSON response:
-curl -X POST "http://localhost:7860/api/v1/generate" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "terms": ["Mut", "Hoffnung", "Freude", "Inspiration", "Kreativität"],
-    "card_date": "1995-07-20",
-    "lang": "de"
-  }' | jq .
-
-# HUGGING FACE SPACE TESTS
-# HOST_URL: https://ch404-cardserver.hf.space/
-
-## Health Check (Hugging Face):
-curl -X GET "https://ch404-cardserver.hf.space/api/v1/health" \
-  -H "Accept: application/json"
-
-## Standard test (German) - Hugging Face:
-curl -X POST "https://ch404-cardserver.hf.space/api/v1/generate" \
-  -H "Content-Type: application/json" \
-  -H "Accept: application/json" \
-  -d '{
-    "terms": ["Liebe", "Erfolg", "Glück", "Herausforderung", "Wachstum"],
-    "card_date": "1990-05-15",
-    "lang": "de",
-    "card_design_id_override": 1,
-    "symbol_ids_override": [1, 2]
-  }'
-
-## English test - Hugging Face:
-curl -X POST "https://ch404-cardserver.hf.space/api/v1/generate" \
-  -H "Content-Type: application/json" \
-  -H "Accept: application/json" \
-  -d '{
-    "terms": ["Love", "Success", "Happiness", "Challenge", "Growth"],
-    "card_date": "1985-12-25", 
-    "lang": "en",
-    "card_design_id_override": 2,
-    "symbol_ids_override": [3, 4, 5]
-  }'
-
-## Minimal test (only required fields) - Hugging Face:
-curl -X POST "https://ch404-cardserver.hf.space/api/v1/generate" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "terms": ["Test1", "Test2", "Test3", "Test4", "Test5"],
-    "card_date": "2000-01-01"
-  }'
-
-## Pretty printed JSON response - Hugging Face:
-curl -X POST "https://ch404-cardserver.hf.space/api/v1/generate" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "terms": ["Mut", "Hoffnung", "Freude", "Inspiration", "Kreativität"],
-    "card_date": "1995-07-20",
-    "lang": "de"
-  }' | jq .
-
-## Debug: Raw response without jq - Hugging Face:
-curl -X POST "https://ch404-cardserver.hf.space/api/v1/generate" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "terms": ["Mut", "Hoffnung", "Freude", "Inspiration", "Kreativität"],
-    "card_date": "1995-07-20",
-    "lang": "de"
-  }' -v
-
-## Debug: Check if service is running - Hugging Face:
-curl -X GET "https://ch404-cardserver.hf.space/" -v
-
-## Debug: Check specific health endpoint - Hugging Face:
-curl -X GET "https://ch404-cardserver.hf.space/api/v1/health" -v
-
-## Debug: Test different port (7860) - Hugging Face:
-curl -X GET "https://ch404-cardserver.hf.space:7860/api/v1/health" -v
-
-## Debug: Check docs endpoint - Hugging Face:
-curl -X GET "https://ch404-cardserver.hf.space/docs" -v
-
-## Download test - Hugging Face:
-curl -X GET "https://ch404-cardserver.hf.space/api/v1/download/YOUR_CARD_ID" \
-  -H "Accept: image/png" \
-  --output card_from_hf.png
-
-## Status check with verbose output - Hugging Face:
-curl -X GET "https://ch404-cardserver.hf.space/api/v1/health" \
-  -H "Accept: application/json" \
-  -v

tests/test_authentication.py

@@ -0,0 +1,183 @@
+#!/usr/bin/env python3
+"""
+Test script to verify bearer token authentication for all endpoints
+"""
+import requests
+import os
+from dotenv import load_dotenv
+
+load_dotenv()
+
+# Configuration
+BASE_URL = "http://127.0.0.1:8000"  # Change to your deployment URL when testing live
+HF_API_KEY = os.getenv("HF_API_KEY")
+
+def test_endpoint(endpoint, method="GET", headers=None, json_data=None):
+    """Test an endpoint and return the response"""
+    url = f"{BASE_URL}{endpoint}"
+    try:
+        if method == "GET":
+            response = requests.get(url, headers=headers)
+        elif method == "POST":
+            response = requests.post(url, headers=headers, json=json_data)
+        
+        return {
+            "status_code": response.status_code,
+            "success": response.status_code < 400,
+            "response": response.json() if response.headers.get("content-type", "").startswith("application/json") else response.text
+        }
+    except Exception as e:
+        return {
+            "status_code": None,
+            "success": False,
+            "error": str(e)
+        }
+
+def main():
+    """Run authentication tests"""
+    print("🔐 Testing Bearer Token Authentication")
+    print("=" * 50)
+    
+    if not HF_API_KEY:
+        print("❌ HF_API_KEY not found in environment variables")
+        return
+    
+    # Test headers
+    auth_headers = {
+        "Authorization": f"Bearer {HF_API_KEY}",
+        "Content-Type": "application/json"
+    }
+    
+    no_auth_headers = {
+        "Content-Type": "application/json"
+    }
+    
+    invalid_auth_headers = {
+        "Authorization": "Bearer invalid_token_123",
+        "Content-Type": "application/json"
+    }
+    
+    tests = [
+        # Public endpoint (should work without auth)
+        {
+            "name": "Public Health Check (No Auth)",
+            "endpoint": "/api/v1/health/public",
+            "method": "GET",
+            "headers": no_auth_headers,
+            "should_succeed": True
+        },
+        
+        # Protected endpoints without auth (should fail)
+        {
+            "name": "Protected Health Check (No Auth)",
+            "endpoint": "/api/v1/health",
+            "method": "GET", 
+            "headers": no_auth_headers,
+            "should_succeed": False
+        },
+        
+        # Protected endpoints with invalid auth (should fail)
+        {
+            "name": "Protected Health Check (Invalid Auth)",
+            "endpoint": "/api/v1/health",
+            "method": "GET",
+            "headers": invalid_auth_headers,
+            "should_succeed": False
+        },
+        
+        # Protected endpoints with valid auth (should succeed)
+        {
+            "name": "Protected Health Check (Valid Auth)",
+            "endpoint": "/api/v1/health",
+            "method": "GET",
+            "headers": auth_headers,
+            "should_succeed": True
+        },
+        
+        # Test generate endpoint with auth
+        {
+            "name": "Generate Endpoint (Valid Auth)",
+            "endpoint": "/api/v1/generate",
+            "method": "POST",
+            "headers": auth_headers,
+            "json_data": {
+                "terms": ["test", "card"],
+                "card_date": "2024-01-01",
+                "lang": "en"
+            },
+            "should_succeed": True
+        },
+        
+        # Test generate endpoint without auth
+        {
+            "name": "Generate Endpoint (No Auth)",
+            "endpoint": "/api/v1/generate",
+            "method": "POST",
+            "headers": no_auth_headers,
+            "json_data": {
+                "terms": ["test", "card"],
+                "card_date": "2024-01-01",
+                "lang": "en"
+            },
+            "should_succeed": False
+        }
+    ]
+    
+    results = []
+    for test in tests:
+        print(f"\n🧪 Testing: {test['name']}")
+        
+        result = test_endpoint(
+            test["endpoint"],
+            test["method"],
+            test["headers"],
+            test.get("json_data")
+        )
+        
+        expected_success = test["should_succeed"]
+        actual_success = result["success"]
+        
+        if expected_success == actual_success:
+            status = "✅ PASS"
+        else:
+            status = "❌ FAIL"
+        
+        print(f"   {status} - Status: {result['status_code']}")
+        
+        if not result["success"] and "error" in result:
+            print(f"   Error: {result['error']}")
+        elif "response" in result:
+            # Print first few lines of response for debugging
+            response_str = str(result["response"])
+            if len(response_str) > 100:
+                response_str = response_str[:100] + "..."
+            print(f"   Response: {response_str}")
+        
+        results.append({
+            "test": test["name"],
+            "passed": expected_success == actual_success,
+            "status_code": result["status_code"]
+        })
+    
+    # Summary
+    print("\n" + "=" * 50)
+    print("📊 Test Summary")
+    print("=" * 50)
+    
+    passed = sum(1 for r in results if r["passed"])
+    total = len(results)
+    
+    print(f"✅ Passed: {passed}/{total}")
+    print(f"❌ Failed: {total - passed}/{total}")
+    
+    if passed == total:
+        print("\n🎉 All authentication tests passed!")
+    else:
+        print("\n⚠️  Some tests failed. Check the output above.")
+        print("\nFailed tests:")
+        for result in results:
+            if not result["passed"]:
+                print(f"   - {result['test']}")
+
+if __name__ == "__main__":
+    main()