Launch GitLab Knowledge Graph

[SECURITY] Add rate limiting and API authentication to recommendation endpoints

Security Gap

Current state: Recommendation API has NO authentication or rate limiting.

# Anyone can spam requests
curl "https://api.example.com/recommend?user_id=123"

Risks:

  1. DoS attack: Malicious actors can overwhelm API
  2. Data scraping: Competitors can harvest recommendations
  3. Cost: Unlimited compute consumption
  4. Privacy: User IDs are guessable (sequential)

Security Requirements

1. API Authentication

  • API Keys: Client-specific keys with scopes
  • JWT tokens: For user-specific requests
  • HMAC request signing: Prevent tampering and, together with the timestamp and nonce checks in Phase 3, replay attacks

2. Rate Limiting

  • Per API key: 1000 req/min
  • Per user: 100 req/min
  • Global: 50K req/min
  • Storage: Redis with sliding window

3. Authorization

  • Scope-based: read:recommendations, write:feedback
  • User isolation: Users can only access their own data
  • Admin endpoints: Separate auth (internal only)

Implementation Plan

Phase 1: Rate Limiting (Week 1)

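# FastAPI/Starlette-style HTTP middleware
from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse

app = FastAPI()

@app.middleware("http")
async def rate_limit_middleware(request: Request, call_next):
    # get_client_id() and check_rate_limit() are helpers still to be implemented
    client_id = get_client_id(request)

    # Reject before the request reaches the recommendation handler
    if not check_rate_limit(client_id):
        return JSONResponse(
            status_code=429,
            content={"error": "Rate limit exceeded"}
        )

    return await call_next(request)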

Phase 2: API Key Auth (Week 2)

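@app.middleware("http")
async def auth_middleware(request, call_next):
    # validate_api_key() and get_client() are helpers still to be implemented
    api_key = request.headers.get("X-API-Key")

    # A missing header yields None; reject it without calling the validator
    if not api_key or not validate_api_key(api_key):
        return JSONResponse(
            status_code=401,
            content={"error": "Invalid API key"}
        )

    # Make the resolved client available to later handlers
    request.state.client = get_client(api_key)
    return await call_next(request)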

Phase 3: Request Signing (Week 3)

  • HMAC-SHA256 signature validation
  • Timestamp checking (prevent replay)
  • Nonce tracking (prevent reuse)
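
A sketch of how the three Phase 3 checks fit together, added here as an example and not code from this issue or project. The canonical string layout, the 300-second window, the in-memory nonce store (standing in for Redis) and the names sign_request and SignatureVerifier are all assumptions.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds; assumed freshness window, not a value from the issue


def sign_request(secret, method, path, body, timestamp, nonce):
    """Client side: HMAC-SHA256 over an assumed canonical string."""
    parts = [method.upper(), path, str(timestamp), nonce,
             hashlib.sha256(body).hexdigest()]
    return hmac.new(secret, "\n".join(parts).encode(), hashlib.sha256).hexdigest()


class SignatureVerifier:
    """Server side. One instance per API key, so nonces are scoped to a client."""

    def __init__(self, secret, max_skew=MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self._seen = {}  # nonce -> expiry; in-memory stand-in for a Redis SET NX EX

    def verify(self, method, path, body, timestamp, nonce, signature, now=None):
        now = time.time() if now is None else now
        # 1. Timestamp: bounds how long a captured request stays usable.
        if abs(now - timestamp) > self.max_skew:
            return False, "stale timestamp"
        # 2. Signature: recompute and compare in constant time.
        expected = sign_request(self.secret, method, path, body, timestamp, nonce)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return False, "bad signature"
        # 3. Nonce: checked only after the signature, so unauthenticated
        #    traffic cannot fill the store. Entries live exactly as long as
        #    the timestamp check would still accept the request.
        self._seen = {n: exp for n, exp in self._seen.items() if exp >= now}
        if nonce in self._seen:
            return False, "nonce reused"
        self._seen[nonce] = timestamp + self.max_skew
        return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample key
    v = SignatureVerifier(secret)
    ts = int(time.time())
    sig = sign_request(secret, "GET", "/recommend?user_id=123", b"", ts, "n-1")
    print(v.verify("GET", "/recommend?user_id=123", b"", ts, "n-1", sig))  # first use
    print(v.verify("GET", "/recommend?user_id=123", b"", ts, "n-1", sig))  # replay
```

The timestamp window is what keeps the nonce store bounded: a nonce only has to be remembered until its request would be rejected as stale anyway.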

Testing

  • Unit tests for rate limiter
  • Integration tests for auth flow
  • Load tests with auth overhead
  • Pen testing by security team

Migration Plan

  1. Week 1: Deploy rate limiting (no breaking changes)
  2. Week 2: Deploy API key auth with grace period (warnings only)
  3. Week 3: Enforce API key auth (reject unauthenticated)
  4. Week 4: Add request signing (optional)

Related

Priority: HIGH - Security requirement for production

cc @bill_staples @jean_gabriel @michael_usanchenko