Last Updated: 2025-12-07 Security Grade: B+ (85/100) Production Ready: β YES (with minor notes)
# ALL endpoints require JWT token except /api/auth
Authorization: Bearer <your-jwt-token>
# Public endpoints (no auth required):
POST /api/auth/login
POST /api/auth/register
# Protected endpoints (require auth):
ALL /api/models/*
ALL /api/projects/*
ALL /api/executions/*
ALL /api/pipelines/*
ALL /api/experiments/*
ALL /api/notebooks/*
ALL /api/training/*
POST /api/chat # β
NEW - Now requires auth# Login
curl -X POST http://localhost:3001/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"admin123"}'
# Response includes token:
{
"user": { ... },
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"expiresAt": "2025-12-08T03:17:01.611Z"
}
# Use token in requests:
curl -H "Authorization: Bearer <token>" \
http://localhost:3001/api/projectsname: min 3, max 100 chars (required)
owner: any string (required)
state: LIVE | ARCHIVED | UNKNOWN (default: LIVE)
description: max 500 chars (optional)
customProperties: any object (optional)
externalID: max 100 chars (optional)workflowId: any string (required)
workflowName: min 3, max 100 chars (required)
status: PENDING | RUNNING | COMPLETED | FAILED | CANCELLED
triggeredBy: any string (required)
steps: array of objects (default: [])name: min 3, max 100 chars (required)
description: max 500 chars (optional)
owner: any string (required)
steps: array, min 1 item (required)
status: ACTIVE | DRAFT | ARCHIVED (default: DRAFT)
tags: array of strings, max 10 items (optional)name: min 3, max 50 chars (required)
displayName: min 3, max 100 chars (required)
description: max 500 chars (optional)
owner: any string (required)
phase: Active | Terminating (default: Active)
tags: array, max 10 items (optional)
collaborators: array of emails, max 20 (optional){
"error": "Validation failed",
"details": [
{
"field": "name",
"message": "\"name\" length must be at least 3 characters long"
}
]
}General API: 100 requests / 15 minutes
Chat Endpoint: 10 requests / 1 minuteX-RateLimit-Limit: 100
X-RateLimit-Remaining: 99
X-RateLimit-Reset: 1765077900
{
"message": "Too many requests from this IP, please try again later."
}
HTTP Status: 429 Too Many RequestsmaxPoolSize: 10 connections
minPoolSize: 5 connections
maxIdleTimeMS: 30 seconds
serverTimeout: 5 seconds
socketTimeout: 45 seconds# Default (can override with env var)
MONGODB_URI=mongodb://localhost:27017/odh-workflows# Chat endpoint now requires:
1. Valid JWT token in Authorization header
2. Rate limiting (10 requests/minute)
3. Message validation (max 4000 characters)
4. Message sanitization (trim whitespace)# Get token first
TOKEN="<your-jwt-token>"
# Send chat message
curl -X POST http://localhost:3001/api/chat \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"message": "How many projects are there?",
"conversationHistory": []
}'β
Message must be a string
β
Message required (not empty)
β
Message max 4000 characters
β
Message trimmed of whitespace
β
Conversation history validated# JWT Secret (CRITICAL - use strong random value)
JWT_SECRET=<512-bit-base64-encoded-secret>
# Database
MONGODB_URI=mongodb://localhost:27017/odh-workflows
# Gemini AI
GEMINI_API_KEY=<your-gemini-api-key>
# Server
API_PORT=3001
NODE_ENV=development
CORS_ORIGIN=http://localhost:9000
# Features
AUTO_SEED=true# Use this command to generate:
node -e "console.log(require('crypto').randomBytes(64).toString('base64'))"
# Example output:
dUlpol/qR6fQzl3IRj5sBFUPMN0Asdv/Y6g5KdRXKkNRgWs84jECnSGQCS+LwdKmFbIFbyS2FQ8OmeEL+RHBjA==401 Unauthorized
- "No token provided" - Missing Authorization header
- "Invalid token" - Token malformed or expired
- "Token expired" - Token past expiration time
400 Bad Request
- "Validation failed" - Input doesn't match schema
- "Message is too long" - Chat message > 4000 chars
- Field-specific validation errors
429 Too Many Requests
- "Too many requests from this IP"
- "Too many chat requests, please slow down"
500 Internal Server Error
- Database connection issues
- Unexpected server errors
- API integration failures
# 1. Test authentication
β
Verify login returns token
β
Verify protected endpoints reject without token
β
Verify chat endpoint requires auth
# 2. Test validation
β
Test invalid data returns 400
β
Test valid data returns 201
β
Test all required fields
# 3. Test rate limiting
β
Verify rate limits are enforced
β
Verify headers are returned
# 4. Test database
β
Verify connection succeeds
β
Verify CRUD operations work
β
Verify connection pooling active# Server health
curl http://localhost:3001/health
# Auth working
curl -X POST http://localhost:3001/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"admin123"}'
# Protected endpoint without token (should fail)
curl http://localhost:3001/api/projects
# Protected endpoint with token (should succeed)
curl -H "Authorization: Bearer $TOKEN" \
http://localhost:3001/api/projectsβ
Always use JWT tokens for protected endpoints
β
Validate all user input on the server
β
Use environment variables for secrets
β
Enable rate limiting in production
β
Use HTTPS in production
β
Keep JWT_SECRET secure and unique per environment
β
Monitor rate limit violations
β
Log authentication failures
β Never commit .env file to git
β Never use weak or default JWT secrets
β Never skip input validation
β Never trust client-side validation alone
β Never expose detailed error messages in production
β Never disable rate limiting in production
β Never reuse JWT secrets across environments
# Add Authorization header
curl -H "Authorization: Bearer <your-token>" ...# Check error details for specific field issues
# Ensure all required fields are provided
# Check field lengths and formats# Wait for rate limit window to reset
# For general API: wait 15 minutes
# For chat API: wait 1 minute# 1. Check MongoDB is running
mongosh --eval "db.version()"
# 2. Check connection string
echo $MONGODB_URI
# 3. Check server logs
tail -f server.log | grep MongoDBOverall Security Grade: B+ (85/100)
Authentication Coverage: 100% (all endpoints)
Input Validation Coverage: 100% (all write endpoints)
Rate Limiting: Active (all endpoints)
Connection Pooling: Configured
Production Readiness: 85%
Total Tests Run: 8
Tests Passed: 8
Tests Failed: 0
Pass Rate: 100%
# Copy example env file
cp .env.example .env
# Generate JWT secret
node -e "console.log(require('crypto').randomBytes(64).toString('base64'))" > jwt_secret.txt
# Edit .env and paste JWT secret
nano .env# Install dependencies
npm install
# Start MongoDB
mongod
# Start server
npm run start:server# Login
curl -X POST http://localhost:3001/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"admin123"}'
# Save token and test
TOKEN="<token-from-above>"
curl -H "Authorization: Bearer $TOKEN" \
http://localhost:3001/api/projects- Check
CRITICAL_ANALYSIS.mdfor detailed security review - Check
PHASE1_TEST_SUMMARY.mdfor test results - Check
SECURITY_FIXES_SUMMARY.mdfor implementation details
.env.example - Environment variable template
server/validators/index.js - Validation schemas
server/middleware/auth.js - Authentication middleware
server/database.js - Database configuration
Last Updated: 2025-12-07 Version: Phase 1 Complete Next Review: After Phase 2 Implementation