Iterate on caching strategy

Author: matteius

FLEXIBLE_AUTH_README.md

@@ -0,0 +1,204 @@
+# Flexible Authentication for OpenSensor API
+
+This document describes the new flexible authentication system that allows users to access historical data endpoints using either Fief tokens (existing method) or device API keys (new method).
+
+## Problem Solved
+
+Previously, users authenticated in the web app had no way to get temporary tokens for direct API access outside the web interface. They could only:
+- Use Fief access tokens directly (not ideal for external tools)
+- Generate device-specific API keys (permanent, only for data submission)
+
+## Solution
+
+The new flexible authentication system allows users to use their existing device API keys to access historical data endpoints directly, providing a simple solution for data export without complex token management.
+
+## Features
+
+### ✅ Device API Key Authentication
+- Use existing device API keys for historical data retrieval
+- No need to manage separate temporary tokens
+- Automatic device access validation
+
+### ✅ Fief Token Caching
+- Reduced load on Fief authentication server
+- 10-minute cache TTL for token validation
+- Automatic cache invalidation on errors
+
+### ✅ Backward Compatibility
+- All existing Fief token authentication continues to work
+- No breaking changes to current API usage
+
+### ✅ Security
+- API keys can only access their associated device data
+- Strict device ID and name matching
+- Same security model as existing system
+
+## Usage Examples
+
+### 1. Using Device API Key (New Method)
+
+```bash
+# Get temperature data using device API key
+curl -H "X-API-Key: your_device_api_key_here" \
+     "https://api.opensensor.io/temp/device123|MyDevice?page=1&size=10"
+```
+
+```python
+import requests
+
+headers = {"X-API-Key": "your_device_api_key_here"}
+response = requests.get(
+    "https://api.opensensor.io/temp/device123|MyDevice",
+    headers=headers
+)
+data = response.json()
+```
+
+```javascript
+const response = await fetch('https://api.opensensor.io/temp/device123|MyDevice', {
+    headers: {
+        'X-API-Key': 'your_device_api_key_here'
+    }
+});
+const data = await response.json();
+```
+
+### 2. Using Fief Token (Existing Method)
+
+```bash
+# Get temperature data using Fief token
+curl -H "Authorization: Bearer your_fief_token_here" \
+     "https://api.opensensor.io/temp/device123|MyDevice?page=1&size=10"
+```
+
+## Supported Endpoints
+
+All historical data endpoints now support both authentication methods:
+
+- `/temp/{device_id}` - Temperature data
+- `/humidity/{device_id}` - Humidity data
+- `/CO2/{device_id}` - CO2 data
+- `/moisture/{device_id}` - Moisture sensor data
+- `/pH/{device_id}` - pH data
+- `/VPD/{device_id}` - Vapor Pressure Deficit data
+- `/pressure/{device_id}` - Pressure data
+- `/lux/{device_id}` - Light intensity data
+- `/liquid/{device_id}` - Liquid level data
+- `/relays/{device_id}` - Relay status data
+- `/pumps/{device_id}` - Pump data
+
+## Authentication Flow
+
+### Device API Key Flow
+1. User provides API key in `X-API-Key` header
+2. System validates API key exists in database
+3. System checks if API key is authorized for requested device
+4. If authorized, data is returned
+
+### Fief Token Flow (with caching)
+1. User provides token in `Authorization: Bearer` header
+2. System checks Redis cache for token validation
+3. If cache miss, validates with Fief server and caches result
+4. If valid, checks device access permissions
+5. If authorized, data is returned
+
+## Error Responses
+
+### 401 Unauthorized
+```json
+{
+  "detail": "Authentication required"
+}
+```
+- No authentication provided (neither API key nor token)
+
+### 403 Forbidden
+```json
+{
+  "detail": "API key is not authorized to access device device123|MyDevice"
+}
+```
+- API key doesn't match the requested device
+
+```json
+{
+  "detail": "Invalid API key"
+}
+```
+- API key not found in database
+
+## Getting Your API Key
+
+1. Log into the web interface at https://opensensor.io
+2. Navigate to the sensor dashboard
+3. Your existing device API keys are displayed with masked values
+4. Use the full API key value for direct API access
+
+## Implementation Details
+
+### Files Modified
+
+1. **`opensensor/users.py`**
+   - Added flexible authentication functions
+   - Added Fief token caching
+   - Added device access validation for API keys
+
+2. **`opensensor/collection_apis.py`**
+   - Updated historical data routes to use flexible authentication
+   - Improved error messages for different auth types
+
+3. **`opensensor/cache_strategy.py`**
+   - Added Fief token caching methods
+   - 10-minute TTL for token validation cache
+
+### Security Considerations
+
+- API keys can only access data from their associated device
+- Device ID and name must exactly match the API key registration
+- Fief tokens maintain existing access control logic
+- Cache invalidation on authentication failures
+- No sensitive data stored in cache (tokens are hashed)
+
+### Performance Improvements
+
+- **Reduced Fief Server Load**: Token validation cached for 10 minutes
+- **Faster API Key Validation**: Direct database lookup without external calls
+- **Existing Caching**: Leverages existing Redis caching for data queries
+
+## Testing
+
+Use the provided test script to verify functionality:
+
+```bash
+cd opensensor-api
+python test_flexible_auth.py
+```
+
+Update the script with your actual API key and device ID before running.
+
+## Migration Notes
+
+- **No breaking changes**: All existing code continues to work
+- **Gradual adoption**: Users can start using API keys when convenient
+- **Monitoring**: Cache hit rates and authentication patterns can be monitored via Redis
+
+## Benefits
+
+1. **Immediate Solution**: Users can export data using existing API keys
+2. **Simple Integration**: Easy to use in scripts and external tools
+3. **Reduced Complexity**: No temporary token management needed
+4. **Better Performance**: Cached authentication reduces server load
+5. **Backward Compatible**: No impact on existing users
+
+## Future Enhancements
+
+Potential future improvements could include:
+- Bulk export endpoints for large data sets
+- API key usage analytics
+- Rate limiting per API key
+- API key expiration dates
+- Scoped permissions for API keys
+
+---
+
+**Note**: This implementation provides the simplest solution to the immediate problem while maintaining security and performance. The flexible authentication system can be extended in the future as needed.

opensensor/cache_strategy.py

@@ -169,6 +169,49 @@ def invalidate_device_cache(self, device_id: str):
         logger.info(f"Invalidated {deleted_count} cache entries for device {device_id}")
         return deleted_count
 
+    # Fief token caching (to reduce Fief server load)
+    def cache_fief_token_validation(self, token_hash: str, user_info: dict, ttl_minutes: int = 10):
+        """Cache Fief token validation results"""
+        if not self.redis_client:
+            return
+
+        cache_key = f"opensensor:fief_token:{token_hash}"
+        try:
+            self.redis_client.setex(cache_key, ttl_minutes * 60, json.dumps(user_info, default=str))
+            logger.debug(f"Cached Fief token validation: {token_hash[:8]}...")
+        except Exception as e:
+            logger.warning(f"Failed to cache Fief token validation: {e}")
+
+    def get_cached_fief_token_validation(self, token_hash: str) -> Optional[dict]:
+        """Get cached Fief token validation result"""
+        if not self.redis_client:
+            return None
+
+        cache_key = f"opensensor:fief_token:{token_hash}"
+        try:
+            cached_data = self.redis_client.get(cache_key)
+            if cached_data:
+                logger.debug(f"Cache hit for Fief token: {token_hash[:8]}...")
+                return json.loads(cached_data)
+        except Exception as e:
+            logger.warning(f"Failed to get cached Fief token validation: {e}")
+
+        return None
+
+    def invalidate_fief_token_cache(self, token_hash: str):
+        """Invalidate a specific Fief token cache entry"""
+        if not self.redis_client:
+            return False
+
+        cache_key = f"opensensor:fief_token:{token_hash}"
+        try:
+            result = self.redis_client.delete(cache_key)
+            logger.debug(f"Invalidated Fief token cache: {token_hash[:8]}...")
+            return result > 0
+        except Exception as e:
+            logger.warning(f"Failed to invalidate Fief token cache: {e}")
+            return False
+
 
 # Global cache instance
 sensor_cache = SensorDataCache()

opensensor/collection_apis.py

@@ -7,7 +7,6 @@
 from fastapi import APIRouter, Depends, HTTPException, Path, Query, Response, status
 from fastapi_pagination.default import Page as BasePage
 from fastapi_pagination.default import Params as BaseParams
-from fief_client import FiefUserInfo
 from pydantic import BaseModel
 
 from opensensor.cache_strategy import (
@@ -33,10 +32,11 @@
 )
 from opensensor.db import get_open_sensor_db
 from opensensor.users import (
+    AuthInfo,
     User,
-    auth,
-    device_id_is_allowed_for_user,
+    flexible_auth,
     migration_complete,
+    validate_device_access_flexible,
     validate_environment,
 )
 from opensensor.utils.units import convert_temperature
@@ -653,7 +653,7 @@ def sample_and_paginate_collection(
 
 def create_historical_data_route(entity: Type[T]):
     async def historical_data_route(
-        fief_user: Optional[FiefUserInfo] = Depends(auth.current_user(optional=True)),
+        auth_info: AuthInfo = Depends(flexible_auth),
         device_id: str = Path(
             title="The ID of the device chain for which to retrieve historical data."
         ),
@@ -664,11 +664,14 @@ async def historical_data_route(
         size: int = Query(50, ge=1, le=1000, description="Page size"),
         unit: str | None = Query(None, description="Unit"),
     ) -> Page[T]:
-        if not device_id_is_allowed_for_user(device_id, user=fief_user):
-            raise HTTPException(
-                status_code=403,
-                detail=f"User {fief_user} is not authorized to access device {device_id}",
-            )
+        # Use flexible authentication validation
+        if not validate_device_access_flexible(auth_info, device_id):
+            auth_type = auth_info.auth_type
+            if auth_type == "fief":
+                detail = f"User is not authorized to access device {device_id}"
+            else:
+                detail = f"API key is not authorized to access device {device_id}"
+            raise HTTPException(status_code=403, detail=detail)
 
         # TODO - Refactor this to support paid collections
         collection_name = "FreeTier"