refactor: improve security and modernize API patterns

ForwardCodeSolutions · ForwardCodeSolutions · commit c7192b29ca60 · 2026-03-24T19:53:11.000+01:00
- Use hmac.compare_digest() for timing-safe API key validation
- Replace get_collections() with collection_exists() in Qdrant store
- Add FastAPI lifespan for structured startup/shutdown logging
- Add project author to pyproject.toml metadata

Made-with: Cursor
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 description = "Lightweight hybrid RAG engine for multilingual document search"
 readme = "README.md"
 license = { text = "MIT" }
+authors = [{ name = "Hennadii Pynko" }]
 requires-python = ">=3.11"
 dependencies = [
     "fastapi>=0.115",
diff --git a/src/rag_engine/api/app.py b/src/rag_engine/api/app.py
@@ -1,5 +1,9 @@
 """FastAPI application setup."""
 
+from collections.abc import AsyncIterator
+from contextlib import asynccontextmanager
+
+import structlog
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 from slowapi import _rate_limit_exceeded_handler
@@ -11,16 +15,25 @@
 from rag_engine.utils.logging import setup_logging
 
 settings = Settings()  # type: ignore[call-arg]
+logger = structlog.get_logger()
 
 
-def create_app() -> FastAPI:
-    """Create and configure the FastAPI application."""
+@asynccontextmanager
+async def lifespan(app: FastAPI) -> AsyncIterator[None]:
+    """Manage application startup and shutdown lifecycle."""
     setup_logging(log_level=settings.log_level)
+    logger.info("app_started", version=settings.app_version)
+    yield
+    logger.info("app_shutdown")
 
+
+def create_app() -> FastAPI:
+    """Create and configure the FastAPI application."""
     app = FastAPI(
         title="rag-engine",
         description="Lightweight hybrid RAG engine for multilingual document search",
         version=settings.app_version,
+        lifespan=lifespan,
     )
 
     # Rate limiting
diff --git a/src/rag_engine/api/dependencies.py b/src/rag_engine/api/dependencies.py
@@ -1,5 +1,6 @@
 """Shared FastAPI dependencies for authentication and service wiring."""
 
+import hmac
 import re
 from functools import lru_cache
 
@@ -24,7 +25,7 @@ def get_gdpr_service() -> GDPRService:
     qdrant_store: QdrantStore | None = None
     try:
         qdrant_store = QdrantStore(url=_settings.qdrant_url)
-        qdrant_store._client.get_collections()  # verify connectivity
+        qdrant_store._client.collection_exists("_ping")  # verify connectivity
     except Exception:
         _logger.warning("qdrant_unavailable_for_gdpr", url=_settings.qdrant_url)
         qdrant_store = None
@@ -43,7 +44,7 @@ async def verify_api_key(x_api_key: str = Header(...)) -> str:
     Raises:
         HTTPException: 401 if key is missing or invalid.
     """
-    if x_api_key != _settings.api_key:
+    if not hmac.compare_digest(x_api_key, _settings.api_key):
         raise HTTPException(status_code=401, detail="Invalid API key")
     return x_api_key
 
diff --git a/src/rag_engine/api/routes/documents.py b/src/rag_engine/api/routes/documents.py
@@ -17,7 +17,6 @@
 
 router = APIRouter(tags=["documents"], dependencies=[Depends(verify_api_key)])
 
-# Shared store instances (will be replaced with dependency injection later)
 _bm25_store = BM25Store()
 _graph_store = KnowledgeGraphStore()
 _retriever = HybridRetriever(_bm25_store, _graph_store)
diff --git a/src/rag_engine/storage/qdrant_store.py b/src/rag_engine/storage/qdrant_store.py
@@ -53,8 +53,7 @@ def ensure_collection(self, tenant_id: str, vector_size: int) -> None:
         """
         collection_name = self._collection_name(tenant_id)
 
-        existing = [c.name for c in self._client.get_collections().collections]
-        if collection_name in existing:
+        if self._client.collection_exists(collection_name):
             return
 
         self._client.create_collection(
@@ -138,8 +137,7 @@ def search(
         """
         collection_name = self._collection_name(tenant_id)
 
-        existing = [c.name for c in self._client.get_collections().collections]
-        if collection_name not in existing:
+        if not self._client.collection_exists(collection_name):
             return []
 
         hits = self._client.query_points(
@@ -174,8 +172,7 @@ def remove_document(self, tenant_id: str, document_id: str) -> int:
         """
         collection_name = self._collection_name(tenant_id)
 
-        existing = [c.name for c in self._client.get_collections().collections]
-        if collection_name not in existing:
+        if not self._client.collection_exists(collection_name):
             return 0
 
         # Count points before deletion
@@ -217,8 +214,7 @@ def clear_tenant(self, tenant_id: str) -> int:
         """
         collection_name = self._collection_name(tenant_id)
 
-        existing = [c.name for c in self._client.get_collections().collections]
-        if collection_name not in existing:
+        if not self._client.collection_exists(collection_name):
             return 0
 
         total = self._client.count(collection_name=collection_name).count
