# oatpp-authkit

Header-only C++ library distilled from [fewo-webapp](https://git.uwe-schuster.info/uwe.admin/fewo-webapp)'s hardened auth / security stack. Header-only, oatpp 1.3+, C++17.

## What's in v0.1 (the clean-lift set)

| Header | Purpose |
|--------|---------|
| `interceptor/SecurityHeadersInterceptor.hpp` | CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Strict defaults. |
| `interceptor/BodySizeLimitInterceptor.hpp` | Reject request bodies above a configurable limit with 413 before they hit your handlers. |
| `handler/JsonErrorHandler.hpp` | Normalises thrown exceptions into `{status, message}` JSON so controllers never leak raw HTML error pages. |
| `util/RateLimiter.hpp` | In-memory token-bucket keyed on an arbitrary string (typically the client IP from `clientIpTrusted`). |
| `util/TokenExtract.hpp` | `extractToken` (Cookie/Bearer), `isValidIp` (IPv4/IPv6 via `inet_pton`), `clientIpTrusted` (loopback-gated XFF). |
| `startup/RequireEncryptionKey.hpp` | `requireEncryptionKey(envVarName, encryptionEnabled, allowPlaintext)` — refuse startup without a symmetric key unless a dev flag overrides. |

## Consume via CMake

```cmake
# FetchContent (pin to a tag):
include(FetchContent)
FetchContent_Declare(oatpp-authkit
  GIT_REPOSITORY https://git.uwe-schuster.info/uwe.admin/oatpp-authkit.git
  GIT_TAG v0.1.0)
FetchContent_MakeAvailable(oatpp-authkit)
target_link_libraries(app PRIVATE oatpp::authkit)
```

Or after `cmake --install`:

```cmake
find_package(oatpp-authkit 0.1 REQUIRED)
target_link_libraries(app PRIVATE oatpp::authkit)
```

## Roadmap

- **v0.2** — `AuthInterceptor` + `requireAdmin` ported onto three seams (`IAuthBackend`, `IAuthPolicy`, `IRuntimeConfig`) so consumers plug in their own user store, public-path list, and admin role set without forking the interceptor.
- **Later** — session cookie helpers, API-key rotation, re-encryption migration.
See `docs/security-baseline.md` for language-neutral CSP / rate-limit / body-size constants that non-C++ consumers can re-implement directly.
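The `isValidIp` / `clientIpTrusted` pair in the table above is the piece that decides which address the `RateLimiter` keys on, so it is worth seeing why the "loopback-gated" part matters. The following is an added illustration, not the library's own implementation: a stand-alone re-implementation of that idea using `inet_pton`, assuming one trusted reverse proxy on loopback that appends the real client to `X-Forwarded-For` (so the last entry is the one the proxy saw, and anything a remote client puts in the header is ignored unless the peer is loopback).

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string>

// Hypothetical re-implementation of the README's loopback-gated XFF logic.
// Not oatpp-authkit code; names mirror the table for readability only.

// True if `ip` parses as an IPv4 or IPv6 literal via inet_pton (no CIDR, no port).
bool isValidIp(const std::string& ip) {
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, ip.c_str(), buf) == 1 ||
           inet_pton(AF_INET6, ip.c_str(), buf) == 1;
}

// True for 127.0.0.0/8 and ::1, i.e. a peer that can only be a local proxy.
bool isLoopback(const std::string& ip) {
    struct in_addr v4;
    if (inet_pton(AF_INET, ip.c_str(), &v4) == 1) {
        return (ntohl(v4.s_addr) >> 24) == 127;
    }
    struct in6_addr v6;
    if (inet_pton(AF_INET6, ip.c_str(), &v6) == 1) {
        return IN6_IS_ADDR_LOOPBACK(&v6);
    }
    return false;
}

// Last comma-separated XFF entry, trimmed: the one appended by the trusted proxy.
// Earlier entries are client-controlled and must not be used for rate-limit keys.
static std::string lastForwardedEntry(const std::string& xff) {
    auto pos = xff.rfind(',');
    std::string last = (pos == std::string::npos) ? xff : xff.substr(pos + 1);
    auto b = last.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    auto e = last.find_last_not_of(" \t");
    return last.substr(b, e - b + 1);
}

// Address to key the limiter on. XFF is honoured only when the direct peer is
// loopback; a malformed XFF value falls back to the peer rather than to "".
std::string clientIpTrusted(const std::string& peerIp, const std::string& xff) {
    if (!isLoopback(peerIp) || xff.empty()) return peerIp;
    std::string candidate = lastForwardedEntry(xff);
    return isValidIp(candidate) ? candidate : peerIp;
}
```

If your deployment has more than one proxy hop, or the proxy overwrites rather than appends, the "last entry" rule needs adjusting to match it; the gate on the peer address is the part that should not change.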