Security: Enforce mandatory API Keys for V3, fix search logic, and update frontend guide

tests/repro_security_bypass.py

@@ -0,0 +1,52 @@
+import requests
+import sys
+
+BASE_URL = "http://dev-api.oneskyit.com" # Standard Dev Domain
+OBJ_TYPE = "journal"
+ENDPOINT = f"{BASE_URL}/v3/crud/{OBJ_TYPE}/schema"
+
+# Replace with the key found from DB query
+VALID_API_KEY = "dummy_key_placeholder" 
+
+def test_request(description, headers, expected_status):
+    print(f"Testing: {description}")
+    try:
+        response = requests.get(ENDPOINT, headers=headers, timeout=10)
+        status = response.status_code
+        result = "PASS" if status == expected_status else "FAIL"
+        print(f"   Status: {status} (Expected: {expected_status}) -> {result}")
+        if result == "FAIL":
+            print(f"   Response: {response.text[:200]}...")
+        return result == "PASS"
+    except Exception as e:
+        print(f"   Error: {e}")
+        return False
+
+def main():
+    if len(sys.argv) > 1:
+        global VALID_API_KEY
+        VALID_API_KEY = sys.argv[1]
+
+    print(f"--- Security Bypass Test (Target: {ENDPOINT}) ---")
+    
+    # Case 1: No Auth
+    # Expected: 403 Forbidden (Account context required)
+    test_request("No Auth Headers", {}, 403)
+
+    # Case 2: Vulnerability Check (Bypass Header Only)
+    # AFTER FIX: Expected 403 (Protected)
+    test_request("Bypass Header Only (Vulnerability Check)", {"x-no-account-id": "bypass"}, 403)
+
+    # Case 3: Invalid API Key + Bypass Header
+    # Expected: 403 Forbidden
+    test_request("Bypass Header + Invalid Key", {"x-no-account-id": "bypass", "x-aether-api-key": "invalid-key-12345"}, 403)
+
+    # Case 4: Valid API Key + Bypass Header
+    # Expected: 200 OK
+    if VALID_API_KEY != "dummy_key_placeholder":
+        test_request("Bypass Header + Valid Key", {"x-no-account-id": "bypass", "x-aether-api-key": VALID_API_KEY}, 200)
+    else:
+        print("Skipping Case 4 (No Valid API Key provided)")
+
+if __name__ == "__main__":
+    main()