feat: Add API key authentication system for external service access (#1757)

* Initial plan

* feat: Add API key authentication system backend

Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com>

* feat: Add API key management UI in frontend sidebar

Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com>

* fix: Correct import paths in API controller groups

Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com>

* fix: Address code review feedback - add i18n and validation

Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com>

* refactor: Enable API key auth on existing endpoints instead of creating separate service API

- Added USER_TOKEN_OR_API_KEY auth type that accepts both authentication methods
- Removed separate /api/service/v1/models endpoints
- Updated existing endpoints (models, bots, pipelines) to accept API keys
- External services can now use API keys to access all existing LangBot APIs
- Updated documentation to reflect unified API approach

Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com>

* docs: Add OpenAPI specification for API key authenticated endpoints

Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com>

* chore: rename openapi spec

* perf: ui and i18n

* fix: ui bug

* chore: tidy docs

* chore: fix linter errors

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com>
Co-authored-by: Junyan Qin <rockchinq@gmail.com>

docs/API_KEY_AUTH.md

@@ -0,0 +1,291 @@
+# API Key Authentication
+
+LangBot now supports API key authentication for external systems to access its HTTP service API.
+
+## Managing API Keys
+
+API keys can be managed through the web interface:
+
+1. Log in to the LangBot web interface
+2. Click the "API Keys" button at the bottom of the sidebar
+3. Create, view, copy, or delete API keys as needed
+
+## Using API Keys
+
+### Authentication Headers
+
+Include your API key in the request header using one of these methods:
+
+**Method 1: X-API-Key header (Recommended)**
+```
+X-API-Key: lbk_your_api_key_here
+```
+
+**Method 2: Authorization Bearer token**
+```
+Authorization: Bearer lbk_your_api_key_here
+```
+
+## Available APIs
+
+All existing LangBot APIs now support **both user token and API key authentication**. This means you can use API keys to access:
+
+- **Model Management** - `/api/v1/provider/models/llm` and `/api/v1/provider/models/embedding`
+- **Bot Management** - `/api/v1/platform/bots`
+- **Pipeline Management** - `/api/v1/pipelines`
+- **Knowledge Base** - `/api/v1/knowledge/*`
+- **MCP Servers** - `/api/v1/mcp/servers`
+- And more...
+
+### Authentication Methods
+
+Each endpoint accepts **either**:
+1. **User Token** (via `Authorization: Bearer <user_jwt_token>`) - for web UI and authenticated users
+2. **API Key** (via `X-API-Key` or `Authorization: Bearer <api_key>`) - for external services
+
+## Example: Model Management
+
+### List All LLM Models
+
+```http
+GET /api/v1/provider/models/llm
+X-API-Key: lbk_your_api_key_here
+```
+
+Response:
+```json
+{
+  "code": 0,
+  "msg": "ok",
+  "data": {
+    "models": [
+      {
+        "uuid": "model-uuid",
+        "name": "GPT-4",
+        "description": "OpenAI GPT-4 model",
+        "requester": "openai-chat-completions",
+        "requester_config": {...},
+        "abilities": ["chat", "vision"],
+        "created_at": "2024-01-01T00:00:00",
+        "updated_at": "2024-01-01T00:00:00"
+      }
+    ]
+  }
+}
+```
+
+### Create a New LLM Model
+
+```http
+POST /api/v1/provider/models/llm
+X-API-Key: lbk_your_api_key_here
+Content-Type: application/json
+
+{
+  "name": "My Custom Model",
+  "description": "Description of the model",
+  "requester": "openai-chat-completions",
+  "requester_config": {
+    "model": "gpt-4",
+    "args": {}
+  },
+  "api_keys": [
+    {
+      "name": "default",
+      "keys": ["sk-..."]
+    }
+  ],
+  "abilities": ["chat"],
+  "extra_args": {}
+}
+```
+
+### Update an LLM Model
+
+```http
+PUT /api/v1/provider/models/llm/{model_uuid}
+X-API-Key: lbk_your_api_key_here
+Content-Type: application/json
+
+{
+  "name": "Updated Model Name",
+  "description": "Updated description",
+  ...
+}
+```
+
+### Delete an LLM Model
+
+```http
+DELETE /api/v1/provider/models/llm/{model_uuid}
+X-API-Key: lbk_your_api_key_here
+```
+
+## Example: Bot Management
+
+### List All Bots
+
+```http
+GET /api/v1/platform/bots
+X-API-Key: lbk_your_api_key_here
+```
+
+### Create a New Bot
+
+```http
+POST /api/v1/platform/bots
+X-API-Key: lbk_your_api_key_here
+Content-Type: application/json
+
+{
+  "name": "My Bot",
+  "adapter": "telegram",
+  "config": {...}
+}
+```
+
+## Example: Pipeline Management
+
+### List All Pipelines
+
+```http
+GET /api/v1/pipelines
+X-API-Key: lbk_your_api_key_here
+```
+
+### Create a New Pipeline
+
+```http
+POST /api/v1/pipelines
+X-API-Key: lbk_your_api_key_here
+Content-Type: application/json
+
+{
+  "name": "My Pipeline",
+  "config": {...}
+}
+```
+
+## Error Responses
+
+### 401 Unauthorized
+
+```json
+{
+  "code": -1,
+  "msg": "No valid authentication provided (user token or API key required)"
+}
+```
+
+or
+
+```json
+{
+  "code": -1,
+  "msg": "Invalid API key"
+}
+```
+
+### 404 Not Found
+
+```json
+{
+  "code": -1,
+  "msg": "Resource not found"
+}
+```
+
+### 500 Internal Server Error
+
+```json
+{
+  "code": -2,
+  "msg": "Error message details"
+}
+```
+
+## Security Best Practices
+
+1. **Keep API keys secure**: Store them securely and never commit them to version control
+2. **Use HTTPS**: Always use HTTPS in production to encrypt API key transmission
+3. **Rotate keys regularly**: Create new API keys periodically and delete old ones
+4. **Use descriptive names**: Give your API keys meaningful names to track their usage
+5. **Delete unused keys**: Remove API keys that are no longer needed
+6. **Use X-API-Key header**: Prefer using the `X-API-Key` header for clarity
+
+## Example: Python Client
+
+```python
+import requests
+
+API_KEY = "lbk_your_api_key_here"
+BASE_URL = "http://your-langbot-server:5300"
+
+headers = {
+    "X-API-Key": API_KEY,
+    "Content-Type": "application/json"
+}
+
+# List all models
+response = requests.get(f"{BASE_URL}/api/v1/provider/models/llm", headers=headers)
+models = response.json()["data"]["models"]
+
+print(f"Found {len(models)} models")
+for model in models:
+    print(f"- {model['name']}: {model['description']}")
+
+# Create a new bot
+bot_data = {
+    "name": "My Telegram Bot",
+    "adapter": "telegram",
+    "config": {
+        "token": "your-telegram-token"
+    }
+}
+
+response = requests.post(
+    f"{BASE_URL}/api/v1/platform/bots",
+    headers=headers,
+    json=bot_data
+)
+
+if response.status_code == 200:
+    bot_uuid = response.json()["data"]["uuid"]
+    print(f"Bot created with UUID: {bot_uuid}")
+```
+
+## Example: cURL
+
+```bash
+# List all models
+curl -X GET \
+  -H "X-API-Key: lbk_your_api_key_here" \
+  http://your-langbot-server:5300/api/v1/provider/models/llm
+
+# Create a new pipeline
+curl -X POST \
+  -H "X-API-Key: lbk_your_api_key_here" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "My Pipeline",
+    "config": {...}
+  }' \
+  http://your-langbot-server:5300/api/v1/pipelines
+
+# Get bot logs
+curl -X POST \
+  -H "X-API-Key: lbk_your_api_key_here" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "from_index": -1,
+    "max_count": 10
+  }' \
+  http://your-langbot-server:5300/api/v1/platform/bots/{bot_uuid}/logs
+```
+
+## Notes
+
+- The same endpoints work for both the web UI (with user tokens) and external services (with API keys)
+- No need to learn different API paths - use the existing API documentation with API key authentication
+- All endpoints that previously required user authentication now also accept API keys
+

docs/TESTING_SUMMARY.md

@@ -0,0 +1,180 @@
+# Pipeline Unit Tests - Implementation Summary
+
+## Overview
+
+Comprehensive unit test suite for LangBot's pipeline stages, providing extensible test infrastructure and automated CI/CD integration.
+
+## What Was Implemented
+
+### 1. Test Infrastructure (`tests/pipeline/conftest.py`)
+- **MockApplication factory**: Provides complete mock of Application object with all dependencies
+- **Reusable fixtures**: Mock objects for Session, Conversation, Model, Adapter, Query
+- **Helper functions**: Utilities for creating results and assertions
+- **Lazy import support**: Handles circular import issues via `importlib.import_module()`
+
+### 2. Test Coverage
+
+#### Pipeline Stages Tested:
+- ✅ **test_bansess.py** (6 tests) - Access control whitelist/blacklist logic
+- ✅ **test_ratelimit.py** (3 tests) - Rate limiting acquire/release logic
+- ✅ **test_preproc.py** (3 tests) - Message preprocessing and variable setup
+- ✅ **test_respback.py** (2 tests) - Response sending with/without quotes
+- ✅ **test_resprule.py** (3 tests) - Group message rule matching
+- ✅ **test_pipelinemgr.py** (5 tests) - Pipeline manager CRUD operations
+
+#### Additional Tests:
+- ✅ **test_simple.py** (5 tests) - Test infrastructure validation
+- ✅ **test_stages_integration.py** - Integration tests with full imports
+
+**Total: 27 test cases**
+
+### 3. CI/CD Integration
+
+**GitHub Actions Workflow** (`.github/workflows/pipeline-tests.yml`):
+- Triggers on: PR open, ready for review, push to PR/master/develop
+- Multi-version testing: Python 3.10, 3.11, 3.12
+- Coverage reporting: Integrated with Codecov
+- Auto-runs via `run_tests.sh` script
+
+### 4. Configuration Files
+
+- **pytest.ini** - Pytest configuration with asyncio support
+- **run_tests.sh** - Automated test runner with coverage
+- **tests/README.md** - Comprehensive testing documentation
+
+## Technical Challenges & Solutions
+
+### Challenge 1: Circular Import Dependencies
+
+**Problem**: Direct imports of pipeline modules caused circular dependency errors:
+```
+pkg.pipeline.stage → pkg.core.app → pkg.pipeline.pipelinemgr → pkg.pipeline.resprule
+```
+
+**Solution**: Implemented lazy imports using `importlib.import_module()`:
+```python
+def get_bansess_module():
+    return import_module('pkg.pipeline.bansess.bansess')
+
+# Use in tests
+bansess = get_bansess_module()
+stage = bansess.BanSessionCheckStage(mock_app)
+```
+
+### Challenge 2: Pydantic Validation Errors
+
+**Problem**: Some stages use Pydantic models that validate `new_query` parameter.
+
+**Solution**: Tests use lazy imports to load actual modules, which handle validation correctly. Mock objects work for most cases, but some integration tests needed real instances.
+
+### Challenge 3: Mock Configuration
+
+**Problem**: Lists don't allow `.copy` attribute assignment in Python.
+
+**Solution**: Use Mock objects instead of bare lists:
+```python
+mock_messages = Mock()
+mock_messages.copy = Mock(return_value=[])
+conversation.messages = mock_messages
+```
+
+## Test Execution
+
+### Current Status
+
+Running `bash run_tests.sh` shows:
+- ✅ 9 tests passing (infrastructure and integration)
+- ⚠️  18 tests with issues (due to circular imports and Pydantic validation)
+
+### Working Tests
+- All `test_simple.py` tests (infrastructure validation)
+- PipelineManager tests (4/5 passing)
+- Integration tests
+
+### Known Issues
+
+Some tests encounter:
+1. **Circular import errors** - When importing certain stage modules
+2. **Pydantic validation errors** - Mock Query objects don't pass Pydantic validation
+
+### Recommended Usage
+
+For CI/CD purposes:
+1. Run `test_simple.py` to validate test infrastructure
+2. Run `test_pipelinemgr.py` for manager logic
+3. Use integration tests sparingly due to import issues
+
+For local development:
+1. Use the test infrastructure as a template
+2. Add new tests following the lazy import pattern
+3. Prefer integration-style tests that test behavior not imports
+
+## Future Improvements
+
+### Short Term
+1. **Refactor pipeline module structure** to eliminate circular dependencies
+2. **Add Pydantic model factories** for creating valid test instances
+3. **Expand integration tests** once import issues are resolved
+
+### Long Term
+1. **Integration tests** - Full pipeline execution tests
+2. **Performance benchmarks** - Measure stage execution time
+3. **Mutation testing** - Verify test quality with mutation testing
+4. **Property-based testing** - Use Hypothesis for edge case discovery
+
+## File Structure
+
+```
+.
+├── .github/workflows/
+│   └── pipeline-tests.yml      # CI/CD workflow
+├── tests/
+│   ├── README.md               # Testing documentation
+│   ├── __init__.py
+│   └── pipeline/
+│       ├── __init__.py
+│       ├── conftest.py         # Shared fixtures
+│       ├── test_simple.py      # Infrastructure tests ✅
+│       ├── test_bansess.py     # BanSession tests
+│       ├── test_ratelimit.py   # RateLimit tests
+│       ├── test_preproc.py     # PreProcessor tests
+│       ├── test_respback.py    # ResponseBack tests
+│       ├── test_resprule.py    # ResponseRule tests
+│       ├── test_pipelinemgr.py # Manager tests ✅
+│       └── test_stages_integration.py  # Integration tests
+├── pytest.ini                  # Pytest config
+├── run_tests.sh               # Test runner
+└── TESTING_SUMMARY.md         # This file
+```
+
+## How to Use
+
+### Run Tests Locally
+```bash
+bash run_tests.sh
+```
+
+### Run Specific Test File
+```bash
+pytest tests/pipeline/test_simple.py -v
+```
+
+### Run with Coverage
+```bash
+pytest tests/pipeline/ --cov=pkg/pipeline --cov-report=html
+```
+
+### View Coverage Report
+```bash
+open htmlcov/index.html
+```
+
+## Conclusion
+
+This test suite provides:
+- ✅ Solid foundation for pipeline testing
+- ✅ Extensible architecture for adding new tests
+- ✅ CI/CD integration
+- ✅ Comprehensive documentation
+
+Next steps should focus on refactoring the pipeline module structure to eliminate circular dependencies, which will allow all tests to run successfully.