DEEPaaS icon indicating copy to clipboard operation
DEEPaaS copied to clipboard
verified publisher icon ai4os

Add bearer token authentication support to DEEPaaS API

Open Copilot opened this issue 5 months ago • 2 comments

This PR implements bearer token authentication for DEEPaaS API endpoints to address cases where fine-grained authentication is not needed but API access control is required.

Overview

The implementation adds optional bearer token authentication that can be enabled via configuration. When enabled, protected endpoints require a valid Authorization: Bearer <token> header. The feature is backward compatible - authentication is disabled by default and existing deployments continue to work unchanged.

Key Features

🔐 Security Implementation

  • Uses FastAPI's built-in HTTPBearer security scheme following RFC 6750 standards
  • Protects model endpoints (/v2/models/) and predict endpoints (/v2/models/{model}/predict)
  • Public endpoints (root / and version /v2/) remain accessible without authentication
  • Proper HTTP 401 responses with WWW-Authenticate: Bearer headers for unauthorized requests

⚙️ Configuration

The bearer token is configured via the new --auth-bearer-token option:

# Command line
deepaas-run --auth-bearer-token my-secret-token

# Environment variable
export DEEPAAS_AUTH_BEARER_TOKEN=my-secret-token
deepaas-run

# Configuration file
[DEFAULT]
auth_bearer_token = my-secret-token

🔌 API Usage

When authentication is enabled, API clients must include the bearer token:

# Models endpoint
curl -H "Authorization: Bearer my-secret-token" \
     http://localhost:5000/v2/models/

# Predict endpoint
curl -H "Authorization: Bearer my-secret-token" \
     -X POST -F "[email protected]" \
     http://localhost:5000/v2/models/my-model/predict

Implementation Details

New Files

  • deepaas/auth.py - Authentication module with token validation logic (using Sphinx docstring format)
  • deepaas/tests/test_auth.py - Unit tests for authentication functionality
  • deepaas/tests/test_e2e_auth.py - End-to-end API integration tests
  • doc/source/user/authentication.rst - Documentation with usage examples and security considerations (reStructuredText format)

Modified Files

  • deepaas/config.py - Added auth_bearer_token configuration option (marked as secret)
  • deepaas/api/v2/models.py - Added authentication dependency to model endpoints
  • deepaas/api/v2/predict.py - Added authentication dependency to predict endpoints
  • doc/source/user/index.rst - Added authentication documentation to user documentation index

Behavioral Changes

  • When auth_bearer_token is not set (default): All endpoints work as before - no authentication required
  • When auth_bearer_token is set: Model and predict endpoints require valid bearer token, other endpoints remain public
  • Invalid/missing tokens: Return HTTP 401 with appropriate error messages

Testing

Added comprehensive test coverage with 18 new tests:

  • Unit tests for authentication logic (token validation, error handling)
  • Integration tests with FastAPI test client
  • End-to-end API tests covering all authentication scenarios
  • All existing tests continue to pass (36 total tests)

Security Considerations

  • Token is stored as a secret configuration option
  • No performance overhead when authentication is disabled
  • Follows security best practices with proper HTTP status codes and headers
  • Documentation includes security recommendations for production use

This implementation provides a simple but effective authentication mechanism for deployments that need basic API access control without the complexity of fine-grained authorization systems.

Fixes ai4os/DEEPaaS#151

Original prompt

This section details on the original issue you should resolve

<issue_title>Add support for bearer authentication</issue_title> <issue_description>It would be useful to be able to setup a bearer token system/API keys for authentication, for cases where we do not need fine-grained auth.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes ai4os/DEEPaaS#151

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot avatar Sep 26 '25 10:09 Copilot

@copilot please address the changes, and take into account that we use rST for docs.

Addressed both changes:

  1. Fixed Sphinx docstring format in deepaas/auth.py
  2. Converted documentation from Markdown to reStructuredText format and moved to doc/source/user/authentication.rst

The documentation is now properly integrated into the Sphinx documentation structure and follows project conventions. Commit 288b790.

Copilot avatar Sep 26 '25 11:09 Copilot

Quality Gate Passed Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud[bot] avatar Sep 26 '25 11:09 sonarqubecloud[bot]