chore(changelog): update changelog for v0.4.0

- Introduce signal listeners for SIGINT and SIGTERM to handle shutdown
- Use AbortController to terminate the server gracefully
- Improve server reliability and resource cleanup during termination

CHANGELOG.md

@@ -2,7 +2,28 @@
 
 All notable changes to this project will be documented in this file.
 
-## [unreleased]
+## [0.4.0](https://git.0xmax42.io/maxp/lt-auth-proxy/compare/v0.3.0..v0.4.0) - 2025-05-11
+
+### 🚀 Features
+
+- *(server)* Add graceful shutdown handling - ([d57cc27](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/d57cc27e19e68c13ac08af223c3721a9c45fafd1))
+
+## [0.3.0](https://git.0xmax42.io/maxp/lt-auth-proxy/compare/v0.2.1..v0.3.0) - 2025-05-11
+
+### 🚀 Features
+
+- *(logging)* Add debug logs for key validation and request handling - ([3299419](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/32994197261e9ab5a46df5f90f2faed89cd68558))
+- *(utils)* Add utility to mask API keys - ([79dfbcf](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/79dfbcf053d613fe3fff63bfd24537a1665c9389))
+
+## [0.2.1](https://git.0xmax42.io/maxp/lt-auth-proxy/compare/v0.1.1..v0.2.1) - 2025-05-11
+
+### 🚀 Features
+
+- *(handler)* Sanitize sensitive fields in form data - ([b6763f7](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/b6763f748325bf9c4129c5230c5e8101f93a2388))
+
+### 🐛 Bug Fixes
+
+- *(auth)* Validate API key from POST body and handle content type - ([4326a2d](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/4326a2d92cb789b8bbed95d9e72b5cbadbafd93a))
 
 ### 🚜 Refactor
 
@@ -10,10 +31,12 @@ All notable changes to this project will be documented in this file.
 
 ### 📚 Documentation
 
+- *(readme)* Update Docker image size information - ([828494c](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/828494c92a3d517a35f2feece48af5cd6116f1d4))
 - *(readme)* Enhance documentation with usage and features - ([573fcf0](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/573fcf0e65b3446b7efdce6b1695722c9d757410))
 
 ### ⚙️ Miscellaneous Tasks
 
+- *(dockerfile)* Switch base image to debian and update curl setup - ([60dcc30](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/60dcc30c0d9bad5dc9c0b1e4f79a4cb53330a965))
 - *(readme)* Update image repository URL - ([7ea8e26](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/7ea8e26660b9c29ead8f5597647a96c27cc9dcb5))
 - *(workflows)* Rename build-docker.yml to build-nightly.yml - ([787bcdc](https://git.0xmax42.io/maxp/lt-auth-proxy/commit/787bcdc1a20e85699b810082895d2a461216c9cf))
 

Dockerfile

@@ -14,10 +14,12 @@ COPY import_map.json ./import_map.json
 RUN deno task compile
 
 # -------- Stage 2: Minimal runtime environment --------
-FROM alpine:latest
+FROM debian:bookworm-slim
 
-# Optional: Install curl for container-level health checks (not needed for production-only binaries)
+# Optional: Install curl for container-level health checks
-RUN apk add --no-cache curl
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends curl \
+    && rm -rf /var/lib/apt/lists/*
 
 # Copy only the compiled application binary from the builder stage
 COPY --from=builder /app/app /app/app

README.md

@@ -10,7 +10,7 @@ This service acts as a transparent gateway that verifies an `apiKey` before forw
 
 * 🔐 **API key authentication** via query or form body
 * 📡 **Transparent proxying** to any LanguageTool backend
-* 🐳 **Minimal Docker image (\~93 MB)**
+* 🐳 **Minimal Docker image (\~166 MB)**
 * 🧱 **Statically compiled** Deno binary
 * 🧪 **Unit tested** middleware and proxy logic
 * 🛠️ Compatible with regular LT clients

VERSION

@@ -1 +1 @@
-0.1.1
+0.4.0

src/__tests__/ltProxyAuth.test.ts

@@ -6,11 +6,19 @@ import { ltProxyAuth } from '../ltProxyAuth.ts';
 Deno.test('ltProxyAuth: accepts valid API key', async () => {
     Deno.env.set('API_KEYS', 'valid123');
 
-    const req = new Request('http://localhost/?apiKey=valid123');
+    const body = new URLSearchParams({ apiKey: 'valid123' });
+    const req = new Request('http://localhost/', {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/x-www-form-urlencoded',
+        },
+        body,
+    });
+
     const ctx: IContext = {
         req,
         params: {},
-        query: { apiKey: 'valid123' },
+        query: {},
         state: {},
     };
 
@@ -26,11 +34,19 @@ Deno.test('ltProxyAuth: accepts valid API key', async () => {
 Deno.test('ltProxyAuth: rejects invalid API key', async () => {
     Deno.env.set('API_KEYS', 'valid123');
 
-    const req = new Request('http://localhost/?apiKey=invalid456');
+    const body = new URLSearchParams({ apiKey: 'invalid456' });
+    const req = new Request('http://localhost/', {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/x-www-form-urlencoded',
+        },
+        body,
+    });
+
     const ctx: IContext = {
         req,
         params: {},
-        query: { apiKey: 'invalid456' },
+        query: {},
         state: {},
     };
 
@@ -46,7 +62,15 @@ Deno.test('ltProxyAuth: rejects invalid API key', async () => {
 Deno.test('ltProxyAuth: rejects missing API key', async () => {
     Deno.env.set('API_KEYS', 'valid123');
 
-    const req = new Request('http://localhost/');
+    const body = new URLSearchParams({ text: 'nur text ohne apiKey' });
+    const req = new Request('http://localhost/', {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/x-www-form-urlencoded',
+        },
+        body,
+    });
+
     const ctx: IContext = {
         req,
         params: {},
@@ -60,4 +84,5 @@ Deno.test('ltProxyAuth: rejects missing API key', async () => {
     );
 
     assertEquals(response.status, 403);
+    assertEquals(await response.text(), 'Forbidden – Invalid API key');
 });

src/__tests__/ltProxyHandler.test.ts

@@ -16,12 +16,16 @@ Deno.test('ltProxyHandler: proxies request and returns response', async () => {
     const originalFetch = globalThis.fetch;
     globalThis.fetch = async () => expectedResponse;
 
+    // Form body wie bei echtem Request
+    const formData = new URLSearchParams({ text: 'Hallo Welt' });
+    const bodyBytes = new TextEncoder().encode(formData.toString());
+
     const req = new Request('http://localhost/v2/check?language=de-DE', {
         method: 'POST',
-        body: new TextEncoder().encode('text=Hallo+Welt'),
         headers: {
             'content-type': 'application/x-www-form-urlencoded',
         },
+        body: bodyBytes,
     });
 
     const ctx: IContext = {
@@ -30,7 +34,9 @@ Deno.test('ltProxyHandler: proxies request and returns response', async () => {
         query: {
             language: 'de-DE',
         },
-        state: {},
+        state: {
+            body: bodyBytes,
+        },
     };
 
     const response = await ltProxyHandler(ctx);

src/ltProxyAuth.ts

@@ -1,20 +1,32 @@
 import { Middleware } from 'http-kernel/Types/mod.ts';
 import { Env } from './env.ts';
+import { maskApiKey } from './utils.ts';
 
 /**
- * Middleware that checks for a valid API key via ?apiKey=... query/form param.
+ * Middleware that checks for a valid API key via form param.
- * Rejects request with 403 if the key is missing or invalid.
+ * Also stores the body in ctx.state.body for later use.
  */
 export const authMiddleware: Middleware = async (ctx, next) => {
-    const key = ctx.query.apiKey;
+    const contentType = ctx.req.headers.get('content-type') || '';
 
-    // Support both ?apiKey=... and form body with apiKey=...
+    if (contentType.includes('application/x-www-form-urlencoded')) {
-    const extractedKey = Array.isArray(key) ? key[0] : key;
+        const bodyBuffer = await ctx.req.arrayBuffer();
+        ctx.state.body = new Uint8Array(bodyBuffer);
 
-    if (!extractedKey || !Env.apiKeys.includes(extractedKey)) {
+        const text = new TextDecoder().decode(ctx.state.body as Uint8Array);
-        return new Response('Forbidden – Invalid API key', { status: 403 });
+        const params = new URLSearchParams(text);
+        const key = params.get('apiKey');
+
+        if (!key || !Env.apiKeys.includes(key)) {
+            console.debug('Invalid API key:', maskApiKey(key));
+            return new Response('Forbidden – Invalid API key', { status: 403 });
+        }
+    } else {
+        console.debug('Unsupported content type:', contentType);
+        return new Response('Unsupported content type', { status: 415 });
     }
 
+    console.debug('Valid API key:', maskApiKey(ctx.req.headers.get('apiKey')));
     return await next();
 };
 

src/ltProxyHandler.ts

@@ -4,6 +4,7 @@ import { Env } from './env.ts';
 /**
  * Forwards the incoming request to the actual LanguageTool server.
  * Dynamically passes through path and query string.
+ * Removes `username` and `apiKey` from the FormData body if present.
  */
 export const handler: Handler = async (ctx) => {
     const originalUrl = new URL(ctx.req.url);
@@ -12,16 +13,44 @@ export const handler: Handler = async (ctx) => {
         `http://${Env.ltServerHost}:${Env.ltServerPort}`,
     );
 
+    const contentType = ctx.req.headers.get('content-type') ?? '';
+    let body: BodyInit | null = null;
+
+    if (
+        contentType.includes('application/x-www-form-urlencoded') &&
+        ctx.state.body
+    ) {
+        const text = new TextDecoder().decode(ctx.state.body as Uint8Array);
+        const params = new URLSearchParams(text);
+
+        // Remove `apiKey` and `username` from the params
+        // LanguageTool will react with a error if they are present
+        params.delete('apiKey');
+        params.delete('username');
+
+        body = params.toString();
+    } else {
+        console.debug('Unsupported content type:', contentType);
+        body = ctx.state.body as BodyInit | null;
+    }
+
+    const headers = new Headers(ctx.req.headers);
+    headers.delete('content-length');
+
+    console.debug('Forwarding request to:', proxyUrl.toString());
+
     const forwarded = await fetch(proxyUrl.toString(), {
         method: ctx.req.method,
-        headers: ctx.req.headers,
+        headers,
-        body: ctx.req.body,
+        body,
     });
 
-    const headers = new Headers(forwarded.headers);
+    console.debug('Received response from LT server:', forwarded.status);
+
+    const respHeaders = new Headers(forwarded.headers);
     return new Response(forwarded.body, {
         status: forwarded.status,
-        headers,
+        headers: respHeaders,
     });
 };
 

src/main.ts

@@ -3,6 +3,7 @@ import { Env } from './env.ts';
 import { ltProxyAuth } from './ltProxyAuth.ts';
 import { ltProxyHandler } from './ltProxyHandler.ts';
 
+const ac = new AbortController();
 const httpKernel = new HttpKernel();
 
 httpKernel.route({
@@ -11,9 +12,19 @@ httpKernel.route({
 }).middleware(ltProxyAuth).handle(ltProxyHandler);
 
 Deno.serve({
+    signal: ac.signal,
     port: Env.proxyPort,
     hostname: Env.proxyHost,
     onListen: ({ hostname, port }) => {
         console.info(`lt-auth-proxy listening on ${hostname}:${port}`);
     },
 }, async (req) => await httpKernel.handle(req));
+
+const shutdown = () => {
+    console.info('Shutting down the server...');
+    ac.abort();
+    console.info('Server shut down successfully.');
+};
+
+Deno.addSignalListener('SIGINT', shutdown);
+Deno.addSignalListener('SIGTERM', shutdown);

src/utils.ts

@@ -0,0 +1,6 @@
+export const maskApiKey = (key: string | null): string => {
+    if (!key) return '*****';
+    return key.length <= 5
+        ? '*'.repeat(key.length)
+        : key.slice(0, 5) + '*'.repeat(key.length - 5);
+};