fix(auth): validate API key from POST body and handle content type

- Switch API key validation to use POST body parameters
- Add support for `application/x-www-form-urlencoded` content type
- Store parsed body in context state for further use
- Reject unsupported content types with 415 status

src/__tests__/ltProxyAuth.test.ts

@@ -6,11 +6,19 @@ import { ltProxyAuth } from '../ltProxyAuth.ts';
 Deno.test('ltProxyAuth: accepts valid API key', async () => {
     Deno.env.set('API_KEYS', 'valid123');
 
-    const req = new Request('http://localhost/?apiKey=valid123');
+    const body = new URLSearchParams({ apiKey: 'valid123' });
+    const req = new Request('http://localhost/', {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/x-www-form-urlencoded',
+        },
+        body,
+    });
+
     const ctx: IContext = {
         req,
         params: {},
-        query: { apiKey: 'valid123' },
+        query: {},
         state: {},
     };
 
@@ -26,11 +34,19 @@ Deno.test('ltProxyAuth: accepts valid API key', async () => {
 Deno.test('ltProxyAuth: rejects invalid API key', async () => {
     Deno.env.set('API_KEYS', 'valid123');
 
-    const req = new Request('http://localhost/?apiKey=invalid456');
+    const body = new URLSearchParams({ apiKey: 'invalid456' });
+    const req = new Request('http://localhost/', {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/x-www-form-urlencoded',
+        },
+        body,
+    });
+
     const ctx: IContext = {
         req,
         params: {},
-        query: { apiKey: 'invalid456' },
+        query: {},
         state: {},
     };
 
@@ -46,7 +62,15 @@ Deno.test('ltProxyAuth: rejects invalid API key', async () => {
 Deno.test('ltProxyAuth: rejects missing API key', async () => {
     Deno.env.set('API_KEYS', 'valid123');
 
-    const req = new Request('http://localhost/');
+    const body = new URLSearchParams({ text: 'nur text ohne apiKey' });
+    const req = new Request('http://localhost/', {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/x-www-form-urlencoded',
+        },
+        body,
+    });
+
     const ctx: IContext = {
         req,
         params: {},
@@ -60,4 +84,5 @@ Deno.test('ltProxyAuth: rejects missing API key', async () => {
     );
 
     assertEquals(response.status, 403);
+    assertEquals(await response.text(), 'Forbidden – Invalid API key');
 });

src/ltProxyAuth.ts

@@ -2,18 +2,26 @@ import { Middleware } from 'http-kernel/Types/mod.ts';
 import { Env } from './env.ts';
 
 /**
- * Middleware that checks for a valid API key via ?apiKey=... query/form param.
+ * Middleware that checks for a valid API key via form param.
- * Rejects request with 403 if the key is missing or invalid.
+ * Also stores the body in ctx.state.body for later use.
  */
 export const authMiddleware: Middleware = async (ctx, next) => {
-    const key = ctx.query.apiKey;
+    const contentType = ctx.req.headers.get('content-type') || '';
 
-    // Support both ?apiKey=... and form body with apiKey=...
+    if (contentType.includes('application/x-www-form-urlencoded')) {
-    const extractedKey = Array.isArray(key) ? key[0] : key;
+        const bodyBuffer = await ctx.req.arrayBuffer();
+        ctx.state.body = new Uint8Array(bodyBuffer);
 
-    if (!extractedKey || !Env.apiKeys.includes(extractedKey)) {
+        const text = new TextDecoder().decode(ctx.state.body as Uint8Array);
+        const params = new URLSearchParams(text);
+        const key = params.get('apiKey');
+
+        if (!key || !Env.apiKeys.includes(key)) {
             return new Response('Forbidden – Invalid API key', { status: 403 });
         }
+    } else {
+        return new Response('Unsupported content type', { status: 415 });
+    }
 
     return await next();
 };