server/plugins/Authentication.kt:
- Custom Ktor AuthenticationProvider supporting both X-API-Key header
and Authorization: Bearer <key> for API-Key validation
- ApiKeyPrincipal data class implementing Principal interface
- 401 Unauthorized with ErrorResponse body for missing/invalid keys
server/plugins/Routing.kt:
- Inventory routes wrapped in authenticate(api-key) block
- Health endpoint remains public (no auth required)
server/src/main/resources/application.conf:
- API key configurable via krisenvorrat.apiKey property
- Environment variable override via KRISENVORRAT_API_KEY
server/tests:
- 7 new AuthenticationTest cases (valid bearer, valid X-API-Key,
missing key, invalid bearer, invalid X-API-Key, PUT without key,
health without key)
- All existing ApplicationTest cases updated with bearer auth header
Closes#43
cb9bd2bdf4