From 0aadc3b6b329ca34c5dd09a24c4221b5e51dc8ae Mon Sep 17 00:00:00 2001
From: Andrey Antukh <niwi@niwi.nz>
Date: Fri, 26 Sep 2025 16:18:53 +0200
Subject: [PATCH] :sparkles: Add management shared key authentication

---
 backend/scripts/start-dev             |  1 +
 backend/src/app/config.clj            |  2 ++
 backend/src/app/http/access_token.clj |  4 ++--
 backend/src/app/http/management.clj   | 19 ++++++++++++++++++-
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/backend/scripts/start-dev b/backend/scripts/start-dev
index 4060813ea0..5fb637be3f 100755
--- a/backend/scripts/start-dev
+++ b/backend/scripts/start-dev
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 
 export PENPOT_SECRET_KEY=super-secret-devenv-key
+export PENPOT_MANAGEMENT_API_SHARED_KEY=super-secret-management-api-key
 export PENPOT_HOST=devenv
 export PENPOT_FLAGS="\
        $PENPOT_FLAGS \
diff --git a/backend/src/app/config.clj b/backend/src/app/config.clj
index 09f1a50cd6..a65e6bb0ca 100644
--- a/backend/src/app/config.clj
+++ b/backend/src/app/config.clj
@@ -98,6 +98,8 @@
     [:http-server-io-threads {:optional true} ::sm/int]
     [:http-server-max-worker-threads {:optional true} ::sm/int]
 
+    [:management-api-shared-key {:optional true} :string]
+
     [:telemetry-uri {:optional true} :string]
     [:telemetry-with-taiga {:optional true} ::sm/boolean] ;; DELETE
 
diff --git a/backend/src/app/http/access_token.clj b/backend/src/app/http/access_token.clj
index b9b85a8b57..ae8b61122e 100644
--- a/backend/src/app/http/access_token.clj
+++ b/backend/src/app/http/access_token.clj
@@ -14,9 +14,9 @@
    [app.tokens :as tokens]
    [yetti.request :as yreq]))
 
-(def header-re #"^Token\s+(.*)")
+(def header-re #"(?i)^Token\s+(.*)")
 
-(defn- get-token
+(defn get-token
   [request]
   (some->> (yreq/get-header request "authorization")
            (re-matches header-re)
diff --git a/backend/src/app/http/management.clj b/backend/src/app/http/management.clj
index f88dadc16c..cf91503f67 100644
--- a/backend/src/app/http/management.clj
+++ b/backend/src/app/http/management.clj
@@ -11,7 +11,9 @@
    [app.common.schema :as sm]
    [app.common.schema.generators :as sg]
    [app.common.time :as ct]
+   [app.config :as cf]
    [app.db :as db]
+   [app.http.access-token :refer [get-token]]
    [app.main :as-alias main]
    [app.rpc.commands.profile :as cmd.profile]
    [app.setup :as-alias setup]
@@ -30,6 +32,20 @@
   [_ params]
   (assert (db/pool? (::db/pool params)) "expect valid database pool"))
 
+(def ^:private auth
+  {:name ::auth
+   :compile
+   (fn [_ _]
+     (fn [handler shared-key]
+       (if shared-key
+         (fn [request]
+           (let [token (get-token request)]
+             (if (= token shared-key)
+               (handler request)
+               {::yres/status 403})))
+         (fn [_ _]
+           {::yres/status 403}))))})
+
 (def ^:private default-system
   {:name ::default-system
    :compile
@@ -49,7 +65,8 @@
 
 (defmethod ig/init-key ::routes
   [_ cfg]
-  ["" {:middleware [[default-system cfg]
+  ["" {:middleware [[auth (cf/get :management-api-shared-key)]
+                    [default-system cfg]
                     [transaction]]}
    ["/authenticate"
     {:handler authenticate