Add AI service API token auth
This commit is contained in:
30
internal/httpapi/auth.go
Normal file
30
internal/httpapi/auth.go
Normal file
@@ -0,0 +1,30 @@
|
||||
package httpapi
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"net/http"
|
||||
"strings"
|
||||
)
|
||||
|
||||
func (s *Server) requireAPIToken(path string, r *http.Request) bool {
|
||||
if !strings.HasPrefix(path, "/api/v1/") && path != "/api/v1" {
|
||||
return true
|
||||
}
|
||||
expected := strings.TrimSpace(s.cfg.APIAuthToken)
|
||||
if expected == "" {
|
||||
return true
|
||||
}
|
||||
got := bearerToken(r.Header.Get("Authorization"))
|
||||
if got == "" {
|
||||
return false
|
||||
}
|
||||
return subtle.ConstantTimeCompare([]byte(got), []byte(expected)) == 1
|
||||
}
|
||||
|
||||
func bearerToken(header string) string {
|
||||
header = strings.TrimSpace(header)
|
||||
if len(header) < len("Bearer ") || !strings.EqualFold(header[:len("Bearer ")], "Bearer ") {
|
||||
return ""
|
||||
}
|
||||
return strings.TrimSpace(header[len("Bearer "):])
|
||||
}
|
||||
47
internal/httpapi/auth_test.go
Normal file
47
internal/httpapi/auth_test.go
Normal file
@@ -0,0 +1,47 @@
|
||||
package httpapi
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"ai-service/internal/config"
|
||||
)
|
||||
|
||||
func TestAPITokenProtectsAPIRoutes(t *testing.T) {
|
||||
srv := NewServer(nil, config.Config{APIAuthToken: "secret"})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/v1/stats", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
srv.ServeHTTP(rec, req)
|
||||
if rec.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("expected unauthorized API request to be 401, got %d", rec.Code)
|
||||
}
|
||||
|
||||
req = httptest.NewRequest(http.MethodGet, "/api/v1/not-found", nil)
|
||||
req.Header.Set("Authorization", "Bearer wrong")
|
||||
rec = httptest.NewRecorder()
|
||||
srv.ServeHTTP(rec, req)
|
||||
if rec.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("expected wrong token to be 401, got %d", rec.Code)
|
||||
}
|
||||
|
||||
req = httptest.NewRequest(http.MethodGet, "/api/v1/not-found", nil)
|
||||
req.Header.Set("Authorization", "Bearer secret")
|
||||
rec = httptest.NewRecorder()
|
||||
srv.ServeHTTP(rec, req)
|
||||
if rec.Code != http.StatusNotFound {
|
||||
t.Fatalf("expected authorized unknown route to be 404, got %d", rec.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAPITokenDoesNotProtectHealth(t *testing.T) {
|
||||
srv := NewServer(nil, config.Config{APIAuthToken: "secret"})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/healthz", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
srv.ServeHTTP(rec, req)
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Fatalf("expected healthz to stay open, got %d", rec.Code)
|
||||
}
|
||||
}
|
||||
@@ -29,6 +29,10 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
if path == "" {
|
||||
path = "/"
|
||||
}
|
||||
if !s.requireAPIToken(path, r) {
|
||||
writeError(w, http.StatusUnauthorized, "unauthorized")
|
||||
return
|
||||
}
|
||||
switch {
|
||||
case r.Method == http.MethodGet && path == "/healthz":
|
||||
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
|
||||
|
||||
Reference in New Issue
Block a user