✨ Add management shared key authentication

2025-12-12 06:24:17 +01:00 · 2025-09-26 16:18:53 +02:00
parent 21a7ecb3fe
commit 0aadc3b6b3
4 changed files with 23 additions and 3 deletions
--- a/backend/scripts/start-dev
+++ b/backend/scripts/start-dev
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 export PENPOT_SECRET_KEY=super-secret-devenv-key
 export PENPOT_MANAGEMENT_API_SHARED_KEY=super-secret-management-api-key
 export PENPOT_HOST=devenv
 export PENPOT_FLAGS="\
       $PENPOT_FLAGS \
--- a/backend/src/app/config.clj
+++ b/backend/src/app/config.clj
@@ -98,6 +98,8 @@
    [:http-server-io-threads {:optional true} ::sm/int]
    [:http-server-max-worker-threads {:optional true} ::sm/int]
    [:management-api-shared-key {:optional true} :string]
    [:telemetry-uri {:optional true} :string]
    [:telemetry-with-taiga {:optional true} ::sm/boolean] ;; DELETE
--- a/backend/src/app/http/access_token.clj
+++ b/backend/src/app/http/access_token.clj
@@ -14,9 +14,9 @@
   [app.tokens :as tokens]
   [yetti.request :as yreq]))
-(def header-re #"^Token\s+(.*)")
+(def header-re #"(?i)^Token\s+(.*)")
-(defn- get-token
+(defn get-token
  [request]
  (some->> (yreq/get-header request "authorization")
           (re-matches header-re)
--- a/backend/src/app/http/management.clj
+++ b/backend/src/app/http/management.clj
@@ -11,7 +11,9 @@
   [app.common.schema :as sm]
   [app.common.schema.generators :as sg]
   [app.common.time :as ct]
   [app.config :as cf]
   [app.db :as db]
   [app.http.access-token :refer [get-token]]
   [app.main :as-alias main]
   [app.rpc.commands.profile :as cmd.profile]
   [app.setup :as-alias setup]
@@ -30,6 +32,20 @@
  [_ params]
  (assert (db/pool? (::db/pool params)) "expect valid database pool"))
 (def ^:private auth
  {:name ::auth
   :compile
   (fn [_ _]
     (fn [handler shared-key]
       (if shared-key
         (fn [request]
           (let [token (get-token request)]
             (if (= token shared-key)
               (handler request)
               {::yres/status 403})))
         (fn [_ _]
           {::yres/status 403}))))})
 (def ^:private default-system
  {:name ::default-system
   :compile
@@ -49,7 +65,8 @@
 (defmethod ig/init-key ::routes
  [_ cfg]
-  ["" {:middleware [[default-system cfg]
+  ["" {:middleware [[auth (cf/get :management-api-shared-key)]
                    [default-system cfg]
                    [transaction]]}
   ["/authenticate"
    {:handler authenticate