docs: add SECURITY.md and API_KEYS.md documentation
- Create SECURITY.md with vulnerability reporting policy - Add environment variables & secrets best practices - Document input validation and rate limiting strategies - Create docs/API_KEYS.md with step-by-step API credential guides - IGDB OAuth 2.0 via Twitch setup - RAWG API key simple registration - TheGamesDB API key registration - Update README.md with security and API configuration sections - Add tests/documentation.spec.ts with 12 validation tests
This commit is contained in:
88
docs/API_KEYS.md
Normal file
88
docs/API_KEYS.md
Normal file
@@ -0,0 +1,88 @@
|
||||
# Obtaining API Keys
|
||||
|
||||
This guide explains how to get credentials for each metadata service.
|
||||
|
||||
## IGDB (Internet Game Database)
|
||||
|
||||
IGDB uses **OAuth 2.0 via Twitch**. Steps:
|
||||
|
||||
1. Go to [Twitch Developer Console](https://dev.twitch.tv/console/apps)
|
||||
2. Sign in with your Twitch account (create one if needed)
|
||||
3. Click "Create Application"
|
||||
- Name: "Quasar" (or your app name)
|
||||
- Category: Select relevant category
|
||||
- Accept terms, click Create
|
||||
4. You'll see:
|
||||
- **Client ID** — Copy this
|
||||
- Click "New Secret" to generate **Client Secret** — Copy this
|
||||
5. Go to Settings → OAuth Redirect URLs
|
||||
- Add: `http://localhost:3000/oauth/callback` (development)
|
||||
- For production: `https://yourdomain.com/oauth/callback`
|
||||
6. In your `.env` file:
|
||||
```
|
||||
IGDB_CLIENT_ID=your_client_id
|
||||
IGDB_CLIENT_SECRET=your_client_secret
|
||||
```
|
||||
7. Start Quasar, it will use IGDB automatically
|
||||
|
||||
**Rate Limit:** 4 requests/second
|
||||
|
||||
## RAWG (Rawg.io)
|
||||
|
||||
RAWG has a simpler **API Key** approach:
|
||||
|
||||
1. Go to [RAWG Settings](https://rawg.io/settings/account)
|
||||
2. Sign up if needed, then login
|
||||
3. Find "API Key" section
|
||||
4. Click "Create new key" (if needed) or copy existing key
|
||||
5. In your `.env` file:
|
||||
```
|
||||
RAWG_API_KEY=your_api_key_here
|
||||
```
|
||||
6. Start Quasar
|
||||
|
||||
**Rate Limit:** 20 requests/second (free tier)
|
||||
|
||||
**Note:** RAWG requires attribution in UI (include "Powered by RAWG" somewhere visible)
|
||||
|
||||
## TheGamesDB (thegamesdb.net)
|
||||
|
||||
TheGamesDB uses a simple **API Key**:
|
||||
|
||||
1. Go to [TheGamesDB API](https://thegamesdb.net/api)
|
||||
2. Find "API Key" section (free registration required)
|
||||
3. Register or login
|
||||
4. Copy your API key
|
||||
5. In your `.env` file:
|
||||
```
|
||||
THEGAMESDB_API_KEY=your_api_key_here
|
||||
```
|
||||
6. Start Quasar
|
||||
|
||||
**Rate Limit:** 1 request/second (free tier)
|
||||
|
||||
## Testing Without Real Keys
|
||||
|
||||
For development/testing:
|
||||
|
||||
- Leave API keys as `your_*_here` in `.env.local`
|
||||
- Quasar will gracefully degrade and show limited metadata
|
||||
- Frontend will still work with manual game entry
|
||||
|
||||
## Production Deployment
|
||||
|
||||
For production:
|
||||
|
||||
1. Generate new keys on each service (don't reuse dev keys)
|
||||
2. Store keys in **Gitea Secrets** (for CI/CD)
|
||||
3. Or use environment variables on your hosting provider
|
||||
4. Rotate keys every 3 months
|
||||
5. Monitor rate limits in service dashboards
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
**"IGDB_CLIENT_ID not found"** → Check `.env` file exists and has correct format
|
||||
|
||||
**"429 Too Many Requests"** → Rate limit exceeded, wait and retry
|
||||
|
||||
**"Invalid API Key"** → Copy key exactly (no spaces), verify it's active on service website
|
||||
Reference in New Issue
Block a user