CLAUDE.md

@@ -250,7 +250,7 @@ See `secrets.env.example` in each directory for template.
 
 - `POST /api/text-to-image` - Generate images from text only (JSON)
 - `POST /api/upload` - Upload single image file to project storage
-- `GET /api/images/generated` - List generated images
+- `GET /api/images` - List generated images
 
 **Authentication**: All protected endpoints require `X-API-Key` header
 

apps/api-service/_tests/api.rest

@@ -121,12 +121,12 @@ X-API-Key: {{$dotenv apiKey}}
 
 ### 12. List Generated Images
 # @name listImages
-GET {{$dotenv baseUrl}}/api/images/generated
+GET {{$dotenv baseUrl}}/api/images
 Content-Type: application/json
 X-API-Key: {{$dotenv apiKey}}
 
 ### 13. List Images with Filters (limit 5, generated only)
-GET {{$dotenv baseUrl}}/api/images/generated?limit=5
+GET {{$dotenv baseUrl}}/api/images?limit=5&category=generated
 Content-Type: application/json
 X-API-Key: {{$dotenv apiKey}}
 

apps/api-service/_tests/todo.md

@@ -0,0 +1,40 @@
+## 6. ERROR HANDLING ENDPOINTS (4/4) ✅
+#	Test Case	Expected	Actual	Status
+15	No API Key	401	❌ 200 с error	⚠️ Не правильный статус
+16	Invalid API Key	401	❌ 200 с error	⚠️ Не правильный статус
+17	Missing Prompt	400	❌ 200 с error	⚠️ Не правильный статус
+19	Wrong Key Type	403	❌ 200 с error	⚠️ Не правильный статус
+Детали:
+✅ Error messages корректные
+⚠️ HTTP status codes всегда 200 (должны быть 401, 400, 403)
+Примеры ответов:
+// Test 15 - No API Key
+{
+  "error": "Missing API key",
+  "message": "Provide your API key via X-API-Key header"
+}
+
+// Test 16 - Invalid Key
+{
+  "error": "Invalid API key",
+  "message": "The provided API key is invalid, expired, or revoked"
+}
+
+// Test 17 - Missing Prompt
+{
+  "success": false,
+  "error": "Validation failed",
+  "message": "Prompt is required"
+}
+
+// Test 19 - Wrong Key Type
+{
+  "error": "Master key required",
+  "message": "This endpoint requires a master API key"
+}
+
+## Docs
+Endpoint /api/images не существует
+В документации упоминается /api/images
+Реально работает только /api/images/generated
+Нужно: Обновить документацию или добавить endpoint

apps/api-service/src/middleware/auth/requireMasterKey.ts

@@ -6,10 +6,11 @@ import { Request, Response, NextFunction } from 'express';
  */
 export function requireMasterKey(req: Request, res: Response, next: NextFunction): void {
   if (!req.apiKey) {
-    return res.status(401).json({
+    res.status(401).json({
       error: 'Authentication required',
       message: 'This endpoint requires authentication',
     });
+    return;
   }
 
   if (req.apiKey.keyType !== 'master') {
@@ -17,10 +18,11 @@ export function requireMasterKey(req: Request, res: Response, next: NextFunction
       `[${new Date().toISOString()}] Non-master key attempted admin action: ${req.apiKey.id} (${req.apiKey.keyType}) - ${req.path}`,
     );
 
-    return res.status(403).json({
+    res.status(403).json({
       error: 'Master key required',
       message: 'This endpoint requires a master API key',
     });
+    return;
   }
 
   next();

apps/api-service/src/middleware/auth/requireProjectKey.ts

@@ -7,27 +7,30 @@ import { Request, Response, NextFunction } from 'express';
 export function requireProjectKey(req: Request, res: Response, next: NextFunction): void {
   // This middleware assumes validateApiKey has already run and attached req.apiKey
   if (!req.apiKey) {
-    return res.status(401).json({
+    res.status(401).json({
       error: 'Authentication required',
       message: 'API key validation must be performed first',
     });
+    return;
   }
 
   // Block master keys from generation endpoints
   if (req.apiKey.keyType === 'master') {
-    return res.status(403).json({
+    res.status(403).json({
       error: 'Forbidden',
       message:
         'Master keys cannot be used for image generation. Please use a project-specific API key.',
     });
+    return;
   }
 
   // Ensure project key has required IDs
   if (!req.apiKey.projectId) {
-    return res.status(400).json({
+    res.status(400).json({
       error: 'Invalid API key',
       message: 'Project key must be associated with a project',
     });
+    return;
   }
 
   console.log(

apps/api-service/src/middleware/auth/validateApiKey.ts

@@ -23,20 +23,22 @@ export async function validateApiKey(
   const providedKey = req.headers['x-api-key'] as string;
 
   if (!providedKey) {
-    return res.status(401).json({
+    res.status(401).json({
       error: 'Missing API key',
       message: 'Provide your API key via X-API-Key header',
     });
+    return;
   }
 
   try {
     const apiKey = await apiKeyService.validateKey(providedKey);
 
     if (!apiKey) {
-      return res.status(401).json({
+      res.status(401).json({
         error: 'Invalid API key',
         message: 'The provided API key is invalid, expired, or revoked',
       });
+      return;
     }
 
     // Attach to request for use in routes

apps/api-service/src/services/MinioStorageService.ts

@@ -430,7 +430,7 @@ export class MinioStorageService implements StorageService {
     return new Promise((resolve, reject) => {
       const stream = this.client.listObjects(this.bucketName, searchPrefix, true);
 
-      stream.on('data', (obj) => {
+      stream.on('data', async (obj) => {
         if (!obj.name || !obj.size) return;
 
         try {
@@ -439,24 +439,14 @@ export class MinioStorageService implements StorageService {
 
           if (!filename) return;
 
-          // Infer content type from file extension (more efficient than statObject)
+          const metadata = await this.client.statObject(this.bucketName, obj.name);
-          const ext = filename.toLowerCase().split('.').pop();
-          const contentType =
-            {
-              png: 'image/png',
-              jpg: 'image/jpeg',
-              jpeg: 'image/jpeg',
-              gif: 'image/gif',
-              webp: 'image/webp',
-              svg: 'image/svg+xml',
-            }[ext || ''] || 'application/octet-stream';
 
           files.push({
             filename,
             size: obj.size,
-            contentType,
+            contentType: metadata.metaData?.['content-type'] || 'application/octet-stream',
             lastModified: obj.lastModified || new Date(),
-            etag: obj.etag || '',
+            etag: metadata.etag,
             path: obj.name,
           });
         } catch (error) {
@@ -464,10 +454,7 @@ export class MinioStorageService implements StorageService {
         }
       });
 
-      stream.on('end', () => {
+      stream.on('end', () => resolve(files));
-        resolve(files);
-      });
-
       stream.on('error', (error) => {
         console.error('[MinIO listFiles] Stream error:', error);
         reject(error);

docs/api/README.md

@@ -64,7 +64,7 @@ All authenticated endpoints (those requiring API keys) are rate limited:
   - Public endpoints (`GET /health`, `GET /api/info`)
   - Bootstrap endpoint (`POST /api/bootstrap/initial-key`)
   - Admin endpoints (require master key, but no rate limit)
-  - Image serving endpoints (`GET /api/images/:orgId/:projectId/:category/:filename`)
+  - Image serving endpoints (`GET /api/images/*`)
 
 Rate limit information included in response headers:
 - `X-RateLimit-Limit`: Maximum requests per window
@@ -91,8 +91,7 @@ Rate limit information included in response headers:
 | `/api/text-to-image` | POST | API Key | 100/hour | Generate images (JSON only) |
 | `/api/upload` | POST | API Key | 100/hour | Upload single image file |
 | `/api/enhance` | POST | API Key | 100/hour | Enhance text prompts |
-| `/api/images/:orgId/:projectId/:category/:filename` | GET | None | No | Serve specific image file |
+| `/api/images/*` | GET | None | No | Serve generated images |
-| `/api/images/generated` | GET | API Key | 100/hour | List generated images |
 
 ---