- Mark T41, T42, T43 as completed with commit reference
- Update progress to 52% (38/74 tasks)
- Add T41-T43 context to githistory.md
- 24 tests with 100% coverage on tokens router
- Add max_api_tokens_per_user config (default 5)
- Implement POST /api/tokens (T41): generate token with limit check
- Implement GET /api/tokens (T42): list active tokens, no values exposed
- Implement DELETE /api/tokens/{id} (T43): soft delete with ownership check
- Security: plaintext token shown ONLY at creation
- Security: SHA-256 hash stored in DB, never the plaintext
- Security: revoked tokens return 401 on public API
- 24 tests with 100% coverage on tokens router
Closes T41, T42, T43
- 100 requests/hour per API token
- 30 requests/minute per IP (fallback)
- In-memory storage with auto-cleanup
- Headers: X-RateLimit-Limit, X-RateLimit-Remaining
- Returns 429 Too Many Requests when exceeded
- GET /api/v1/stats: aggregated stats with date range (default 30 days)
- GET /api/v1/usage: paginated usage with required date filters
- GET /api/v1/keys: key list with stats, no key values exposed
- All endpoints use API token auth and rate limiting
- Validates API tokens (or_api_* prefix)
- SHA-256 hash lookup in api_tokens table
- Updates last_used_at on each request
- Distinguishes from JWT tokens (401 with clear error)
Add statistics router with two endpoints:
- GET /api/stats/dashboard: Aggregated dashboard statistics
- Query param: days (1-365, default 30)
- Auth required
- Returns DashboardResponse
- GET /api/usage: Detailed usage statistics with filtering
- Required params: start_date, end_date
- Optional filters: api_key_id, model
- Pagination: skip, limit (max 1000)
- Auth required
- Returns List[UsageStatsResponse]
Also add get_usage_stats() service function for querying
individual usage records with filtering and pagination.
Add statistics aggregation service with 4 core functions:
- get_summary(): Aggregates total requests, cost, tokens with avg cost
- get_by_model(): Groups stats by model with percentage calculations
- get_by_date(): Groups stats by date for time series data
- get_dashboard_data(): Combines all stats for dashboard view
Features:
- SQLAlchemy queries with ApiKey join for user filtering
- Decimal precision for all monetary values
- Period calculation and percentage breakdowns
- Top models extraction
Test: 11 unit tests covering all aggregation functions
- T24: POST /api/keys with encryption and limit validation
- T25: GET /api/keys with pagination and sorting
- T26: PUT /api/keys/{id} for partial updates
- T27: DELETE /api/keys/{id} with cascade
- Add ownership verification (403 for unauthorized access)
- API key encryption with AES-256 before storage
- Never expose API key value in responses
- 100% coverage on api_keys router (25 tests)
Refs: T24 T25 T26 T27
Document commit history for T17-T22 with:
- Context and motivation for each commit
- Implementation details
- Test coverage summary
- Phase summary with metrics
Add authentication dependency with:
- HTTPBearer for token extraction from Authorization header
- JWT token decoding with decode_access_token()
- User ID extraction from 'sub' claim
- Database user lookup with existence check
- Active user verification
- HTTPException 401 for invalid/expired tokens or inactive users
Used as FastAPI dependency: Depends(get_current_user)
Location: src/openrouter_monitor/dependencies/auth.py
Add POST /api/auth/login endpoint with:
- UserLogin schema validation
- User lookup by email
- Password verification with bcrypt
- JWT token generation
- TokenResponse with access_token, token_type, expires_in
Status: 200 OK with token on success, 401 for invalid credentials
Test coverage: 4 tests for login endpoint including inactive user handling
Add POST /api/auth/register endpoint with:
- UserRegister schema validation
- Email uniqueness check
- Password hashing with bcrypt
- User creation in database
- UserResponse returned (excludes password)
Status: 201 Created on success, 400 for duplicate email, 422 for validation errors
Test coverage: 5 tests for register endpoint
- Add __init__.py with all security service exports
- Export EncryptionService, JWT utilities, Password functions, Token functions
- 70 total tests for security services
- 100% coverage on all security modules
- All imports verified working
- Add generate_api_token with format 'or_api_' + 48 bytes random
- Implement hash_token with SHA-256
- Add verify_api_token with timing-safe comparison (secrets.compare_digest)
- Only hash stored in DB, plaintext shown once
- 20 comprehensive tests with 100% coverage
- Handle TypeError for non-string inputs
- Create config.py with Pydantic Settings (SettingsConfigDict v2)
- Add all required configuration fields with defaults
- Create .env.example template with all environment variables
- Implement get_settings() with @lru_cache for performance
- Add test_configuration.py with 13 unit tests
- All tests passing (13/13)
Refs: T04
