feat: add API key authentication middleware

- Add FastAPI middleware checking X-API-Key header on all routes except / and /health
- Store API key as Key Vault secret, referenced by Container Apps via managed identity
- Add Next.js server-side proxy (/api/backend/) to inject API key for frontend requests
- Update frontend api-client to route through proxy instead of direct backend calls
- Update MCP page to show auth_required and X-API-Key header in config examples
- Configure both backend (API_KEY) and frontend (BACKEND_API_KEY) env vars in Bicep

Author: kmavrodis

.gitignore

@@ -154,3 +154,4 @@ test-output/
 
 # Mac
 .DS_Store
+demo/.DS_Store

frontend-next/src/app/api/backend/[...path]/route.ts

@@ -0,0 +1,83 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || process.env.NEXT_PUBLIC_BACKEND_URL || 'http://localhost:8000'
+const API_KEY = process.env.BACKEND_API_KEY || ''
+
+/**
+ * Catch-all proxy route that forwards requests to the backend with the API key.
+ * Browser calls /api/backend/... → this route adds X-API-Key → forwards to backend.
+ */
+async function proxyRequest(
+  request: NextRequest,
+  { params }: { params: Promise<{ path: string[] }> }
+) {
+  const { path } = await params
+  const backendPath = '/' + path.join('/')
+  const searchParams = request.nextUrl.searchParams.toString()
+  const url = `${BACKEND_URL}${backendPath}${searchParams ? `?${searchParams}` : ''}`
+
+  const headers = new Headers()
+  // Forward relevant headers from the original request
+  const contentType = request.headers.get('content-type')
+  if (contentType) {
+    headers.set('Content-Type', contentType)
+  }
+  const accept = request.headers.get('accept')
+  if (accept) {
+    headers.set('Accept', accept)
+  }
+
+  // Add API key (server-side only — never exposed to browser)
+  if (API_KEY) {
+    headers.set('X-API-Key', API_KEY)
+  }
+
+  const fetchOptions: RequestInit = {
+    method: request.method,
+    headers,
+  }
+
+  // Forward body for methods that have one
+  if (request.method !== 'GET' && request.method !== 'HEAD') {
+    // Check if it's a form/multipart upload
+    if (contentType?.includes('multipart/form-data')) {
+      fetchOptions.body = await request.arrayBuffer()
+      // Let fetch set the correct content-type with boundary
+      headers.delete('Content-Type')
+      headers.set('Content-Type', contentType)
+    } else {
+      fetchOptions.body = await request.arrayBuffer()
+    }
+  }
+
+  try {
+    const response = await fetch(url, fetchOptions)
+
+    // Stream the response back
+    const responseHeaders = new Headers()
+    response.headers.forEach((value, key) => {
+      // Skip headers that Next.js manages
+      if (!['transfer-encoding', 'connection'].includes(key.toLowerCase())) {
+        responseHeaders.set(key, value)
+      }
+    })
+
+    return new NextResponse(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: responseHeaders,
+    })
+  } catch (error) {
+    console.error('Backend proxy error:', error)
+    return NextResponse.json(
+      { detail: 'Failed to reach backend service' },
+      { status: 502 }
+    )
+  }
+}
+
+export const GET = proxyRequest
+export const POST = proxyRequest
+export const PUT = proxyRequest
+export const PATCH = proxyRequest
+export const DELETE = proxyRequest

frontend-next/src/app/mcp/page.tsx

@@ -47,6 +47,7 @@ interface MCPInfo {
   description: string
   version: string
   transport: string
+  auth_required?: boolean
   endpoints: {
     mcp: string
   }
@@ -983,6 +984,7 @@ export default function MCPPage() {
                       mcpServers: {
                         argus: {
                           url: mcpInfo?.configuration_example?.mcpServers?.argus?.url || "<backend-url-loading...>",
+                          ...(mcpInfo?.auth_required ? { headers: { "X-API-Key": "<your-api-key>" } } : {}),
                         },
                       },
                     },
@@ -1007,6 +1009,7 @@ export default function MCPPage() {
                       mcpServers: {
                         argus: {
                           url: mcpInfo?.configuration_example?.mcpServers?.argus?.url || "<backend-url-loading...>",
+                          ...(mcpInfo?.auth_required ? { headers: { "X-API-Key": "<your-api-key>" } } : {}),
                         },
                       },
                     },

frontend-next/src/lib/api-client.ts

@@ -126,9 +126,11 @@ export interface MCPInfo {
     mcpServers: {
       argus: {
         url: string
+        headers?: Record<string, string>
       }
     }
   }
+  auth_required?: boolean
 }
 
 // Settings types
@@ -239,7 +241,7 @@ class BackendClient {
   private initPromise: Promise<void> | null = null
 
   constructor() {
-    // Base URL will be fetched lazily from /api/config
+    // All requests are proxied through Next.js API routes to keep the API key server-side
   }
 
   /**
@@ -256,18 +258,8 @@ class BackendClient {
     }
 
     this.initPromise = (async () => {
-      try {
-        // Fetch backend URL from the Next.js API route
-        const response = await fetch('/api/config')
-        if (response.ok) {
-          const config = await response.json()
-          this.baseUrl = config.backendUrl || ''
-        }
-      } catch (error) {
-        console.warn('Failed to fetch backend config, using fallback:', error)
-        // Fallback to environment variable or empty string
-        this.baseUrl = process.env.NEXT_PUBLIC_API_URL || process.env.NEXT_PUBLIC_BACKEND_URL || ''
-      }
+      // Route all requests through the Next.js proxy to keep the API key server-side
+      this.baseUrl = '/api/backend'
       this.initialized = true
     })()
 

infra/main.bicep

@@ -177,6 +177,7 @@ module containerApps 'modules/container-apps.bicep' = {
     aiServicesEndpoint: aiServices.outputs.aiServicesEndpoint
     azureOpenaiModelDeploymentName: azureOpenaiModelDeploymentName
     keyVaultUri: keyVault.outputs.keyVaultUri
+    apiKeySecretUri: keyVault.outputs.apiKeySecretUri
     containerAppsSubnetId: network.outputs.containerAppsSubnetId
   }
 }

infra/modules/container-apps.bicep

@@ -40,6 +40,9 @@ param azureOpenaiModelDeploymentName string
 // Key Vault
 param keyVaultUri string
 
+// API Key (Key Vault secret URI)
+param apiKeySecretUri string
+
 // VNet
 param containerAppsSubnetId string
 
@@ -84,6 +87,13 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
           maxAge: 3600
         }
       }
+      secrets: [
+        {
+          name: 'api-key'
+          keyVaultUrl: apiKeySecretUri
+          identity: userManagedIdentityId
+        }
+      ]
       registries: [
         {
           server: containerRegistryLoginServer
@@ -101,6 +111,7 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
             memory: '2Gi'
           }
           env: [
+            { name: 'API_KEY', secretRef: 'api-key' }
             { name: 'STORAGE_ACCOUNT_NAME', value: storageAccountName }
             { name: 'BLOB_ACCOUNT_URL', value: blobEndpoint }
             { name: 'CONTAINER_NAME', value: containerName }
@@ -165,6 +176,13 @@ resource frontendApp 'Microsoft.App/containerApps@2024-03-01' = {
         external: true
         targetPort: 3000
       }
+      secrets: [
+        {
+          name: 'api-key'
+          keyVaultUrl: apiKeySecretUri
+          identity: userManagedIdentityId
+        }
+      ]
       registries: [
         {
           server: containerRegistryLoginServer
@@ -182,6 +200,7 @@ resource frontendApp 'Microsoft.App/containerApps@2024-03-01' = {
             memory: '2Gi'
           }
           env: [
+            { name: 'BACKEND_API_KEY', secretRef: 'api-key' }
             { name: 'BLOB_ACCOUNT_URL', value: blobEndpoint }
             { name: 'CONTAINER_NAME', value: containerName }
             { name: 'COSMOS_URL', value: cosmosEndpoint }

infra/modules/key-vault.bicep

@@ -61,6 +61,17 @@ resource kvDnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@202
   }
 }
 
+// API key for backend authentication
+// Uses a deterministic but hard-to-guess value derived from resource group identity
+resource apiKeySecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
+  parent: keyVault
+  name: 'argus-api-key'
+  properties: {
+    value: uniqueString(keyVault.id, resourceGroup().id, 'argus-api-key')
+  }
+}
+
 output keyVaultId string = keyVault.id
 output keyVaultName string = keyVault.name
 output keyVaultUri string = keyVault.properties.vaultUri
+output apiKeySecretUri string = apiKeySecret.properties.secretUri

src/containerapp/main.py

@@ -8,6 +8,7 @@
 
 from fastapi import FastAPI, Request, BackgroundTasks
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.responses import JSONResponse
 from starlette.types import Receive, Scope, Send
 
 from dependencies import initialize_azure_clients, cleanup_azure_clients
@@ -89,6 +90,22 @@ async def lifespan(_app: FastAPI):  # noqa: ARG001
     expose_headers=["Mcp-Session-Id"],  # Required for MCP Streamable HTTP transport
 )
 
+# API Key authentication middleware
+API_KEY = os.getenv("API_KEY")
+
+# Paths that don't require authentication
+PUBLIC_PATHS = {"/", "/health"}
+
+
+@app.middleware("http")
+async def api_key_auth(request: Request, call_next):
+    """Verify API key for all requests except health checks."""
+    if API_KEY and request.url.path not in PUBLIC_PATHS:
+        provided_key = request.headers.get("X-API-Key")
+        if not provided_key or provided_key != API_KEY:
+            return JSONResponse(status_code=401, content={"detail": "Invalid or missing API key"})
+    return await call_next(request)
+
 
 # Health check endpoints
 @app.get("/")
@@ -315,10 +332,12 @@ async def mcp_info(request: Request):
         "configuration_example": {
             "mcpServers": {
                 "argus": {
-                    "url": mcp_url
+                    "url": mcp_url,
+                    **({"headers": {"X-API-Key": "<your-api-key>"}} if API_KEY else {})
                 }
             }
-        }
+        },
+        "auth_required": bool(API_KEY)
     }