✨ Add management shared key authentication

2025-12-11 22:14:05 +01:00 · 2025-09-26 16:18:53 +02:00
parent 21a7ecb3fe
commit 0aadc3b6b3
4 changed files with 23 additions and 3 deletions
--- a/backend/scripts/start-dev
+++ b/backend/scripts/start-dev
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash

 export PENPOT_SECRET_KEY=super-secret-devenv-key
+export PENPOT_MANAGEMENT_API_SHARED_KEY=super-secret-management-api-key
 export PENPOT_HOST=devenv
 export PENPOT_FLAGS="\
       $PENPOT_FLAGS \
--- a/backend/src/app/config.clj
+++ b/backend/src/app/config.clj
@@ -98,6 +98,8 @@
    [:http-server-io-threads {:optional true} ::sm/int]
    [:http-server-max-worker-threads {:optional true} ::sm/int]

+    [:management-api-shared-key {:optional true} :string]
+
    [:telemetry-uri {:optional true} :string]
    [:telemetry-with-taiga {:optional true} ::sm/boolean] ;; DELETE

--- a/backend/src/app/http/access_token.clj
+++ b/backend/src/app/http/access_token.clj
@@ -14,9 +14,9 @@
   [app.tokens :as tokens]
   [yetti.request :as yreq]))

-(def header-re #"^Token\s+(.*)")
+(def header-re #"(?i)^Token\s+(.*)")

-(defn- get-token
+(defn get-token
  [request]
  (some->> (yreq/get-header request "authorization")
           (re-matches header-re)
--- a/backend/src/app/http/management.clj
+++ b/backend/src/app/http/management.clj
@@ -11,7 +11,9 @@
   [app.common.schema :as sm]
   [app.common.schema.generators :as sg]
   [app.common.time :as ct]
+   [app.config :as cf]
   [app.db :as db]
+   [app.http.access-token :refer [get-token]]
   [app.main :as-alias main]
   [app.rpc.commands.profile :as cmd.profile]
   [app.setup :as-alias setup]
@@ -30,6 +32,20 @@
  [_ params]
  (assert (db/pool? (::db/pool params)) "expect valid database pool"))

+(def ^:private auth
+  {:name ::auth
+   :compile
+   (fn [_ _]
+     (fn [handler shared-key]
+       (if shared-key
+         (fn [request]
+           (let [token (get-token request)]
+             (if (= token shared-key)
+               (handler request)
+               {::yres/status 403})))
+         (fn [_ _]
+           {::yres/status 403}))))})
+
 (def ^:private default-system
  {:name ::default-system
   :compile
@@ -49,7 +65,8 @@

 (defmethod ig/init-key ::routes
  [_ cfg]
-  ["" {:middleware [[default-system cfg]
+  ["" {:middleware [[auth (cf/get :management-api-shared-key)]
+                    [default-system cfg]
                    [transaction]]}
   ["/authenticate"
    {:handler authenticate