fix(infra): harden AI service — graceful shutdown, rate limiting, API key auth, pinned deps, Grafana secrets

- Add dumb-init + --timeout-graceful-shutdown 30 to AI service Dockerfile - Add slowapi rate limiting (configurable via AI_RATE_LIMIT) and X-API-Key auth middleware - Pin all Python dependencies to exact versions for reproducible builds - Move Grafana admin credentials from env vars to Docker secrets in production compose Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-08 06:13:29 +07:00
parent e89c8f5810
commit e60b95cdec
5 changed files with 69 additions and 22 deletions
--- a/libs/ai-services/app/main.py
+++ b/libs/ai-services/app/main.py
@@ -1,15 +1,24 @@
-from fastapi import FastAPI
+from fastapi import Depends, FastAPI
 from fastapi.middleware.cors import CORSMiddleware
+from slowapi import Limiter, _rate_limit_exceeded_handler
+from slowapi.errors import RateLimitExceeded
+from slowapi.util import get_remote_address

 from app.config import settings
+from app.middleware import verify_api_key
 from app.routers import avm, moderation

+limiter = Limiter(key_func=get_remote_address, default_limits=[settings.rate_limit])
+
 app = FastAPI(
    title=settings.app_name,
    version="0.1.0",
    docs_url="/docs",
    redoc_url="/redoc",
+    dependencies=[Depends(verify_api_key)],
 )
+app.state.limiter = limiter
+app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

 if not settings.cors_origin_list:
    raise RuntimeError("AI_CORS_ORIGINS must be set (comma-separated list of allowed origins)")
--- a/libs/ai-services/app/middleware.py
+++ b/libs/ai-services/app/middleware.py
@@ -0,0 +1,23 @@
+import hmac
+from typing import Optional
+
+from fastapi import Depends, HTTPException, Security, status
+from fastapi.security import APIKeyHeader
+
+from app.config import settings
+
+api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
+
+
+async def verify_api_key(
+    api_key: Optional[str] = Security(api_key_header),
+) -> str:
+    """Validate X-API-Key header. Skipped when AI_API_KEY is not configured."""
+    if not settings.api_key:
+        return "no-auth"
+    if not api_key or not hmac.compare_digest(api_key, settings.api_key):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or missing API key",
+        )
+    return api_key