From 47e259fa2802361d3e49c011fbc94c586f6c5377 Mon Sep 17 00:00:00 2001
From: Grendgi
Date: Fri, 12 Jun 2026 16:32:12 +0300
Subject: [PATCH] Protect monitoring PF API with internal key
---
 internal/pf/config.go | 2 ++
 internal/pf/http.go | 14 ++++++++++++++
 k8s/secrets.yaml | 1 +
 3 files changed, 17 insertions(+)
diff --git a/internal/pf/config.go b/internal/pf/config.go
index a9bfa26..dafb781 100644
--- a/internal/pf/config.go
+++ b/internal/pf/config.go
@@ -15,6 +15,7 @@ type Config struct {
 ScrapeIntervalHours int
 TGBotToken string
 TGBotUsername string
+ InternalAPIKey string
 WorkerPython string
 WorkerModule string
 }
@@ -28,6 +29,7 @@ func LoadConfig() Config {
 ScrapeIntervalHours: max(1, envInt("SCRAPE_INTERVAL_HOURS", 4)),
 TGBotToken: env("TG_BOT_TOKEN", ""),
 TGBotUsername: strings.TrimPrefix(env("TG_BOT_USERNAME", ""), "@"),
+ InternalAPIKey: env("INTERNAL_API_KEY", env("PORTAL_INTERNAL_API_KEY", "")),
 WorkerPython: env("WORKER_PYTHON", "python"),
 WorkerModule: env("WORKER_MODULE", "app.worker"),
 }
diff --git a/internal/pf/http.go b/internal/pf/http.go
index e23fe05..68868a9 100644
--- a/internal/pf/http.go
+++ b/internal/pf/http.go
@@ -29,6 +29,8 @@ func (s Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 writeJSON(w, http.StatusOK, map[string]string{"service": "monitoring-pf", "ui": "portal", "api": "go"})
 case !strings.HasPrefix(path, "/api/v1"):
 writeError(w, http.StatusNotFound, "not found")
+ case !s.checkInternalAuth(w, r):
+ return
 case path == "/api/v1/access/me" && r.Method == http.MethodGet:
 s.accessMe(w, r)
 case path == "/api/v1/summary" && r.Method == http.MethodGet:
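Review bot: In `internal/pf/config.go`, the new `InternalAPIKey` entry in `LoadConfig` falls back to an empty string when neither `INTERNAL_API_KEY` nor `PORTAL_INTERNAL_API_KEY` is set, and `checkInternalAuth` (second `internal/pf/http.go` hunk, `if want == "" { return true }`) treats an empty key as "allow every request". A missing or misnamed secret therefore turns the protection off without any signal. If running without a key is meant only for local development, make that explicit: log a warning or refuse to start when the key is empty, and document the field, e.g. `// InternalAPIKey guards /api/v1; an empty value disables the check.` `LoadConfig` starts and ends outside this hunk.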
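Review bot: In `ServeHTTP` (`internal/pf/http.go`) the authentication gate is a switch case with a side effect, `case !s.checkInternalAuth(w, r): return`, so it protects only the cases listed after it. A route later added or moved above this line would be served without the key, and nothing in the code would flag it. Consider running the check before the switch for every path under the prefix, e.g. `if strings.HasPrefix(path, "/api/v1") && !s.checkInternalAuth(w, r) { return }`, or at minimum add `// Auth gate: every /api/v1 case must stay below this line.` The cases above it in this hunk (the service-info response and the 404) stay unauthenticated, which looks intended. `ServeHTTP` begins and ends outside the hunk.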
@@ -50,6 +52,18 @@ func (s Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 }

+func (s Server) checkInternalAuth(w http.ResponseWriter, r *http.Request) bool {
+ want := strings.TrimSpace(s.App.Cfg.InternalAPIKey)
+ if want == "" {
+ return true
+ }
+ if r.Header.Get("X-Internal-Key") != want {
+ writeError(w, http.StatusUnauthorized, "unauthorized")
+ return false
+ }
+ return true
+}
+
 func (s Server) apiPath(path string) string {
 base := s.App.Cfg.PublicBasePath
 if base != "" && path == base {
diff --git a/k8s/secrets.yaml b/k8s/secrets.yaml
index 28c50bd..a0d020d 100644
--- a/k8s/secrets.yaml
+++ b/k8s/secrets.yaml
@@ -5,5 +5,6 @@ metadata:
 namespace: monitoring-pf
 type: Opaque
 stringData:
+ INTERNAL_API_KEY: "36fe89ed40c01fdc54d3cf4e3fcacc8751dc456a4a1acd394e9fed48257c5734"
 TG_BOT_TOKEN: "8942895371:AAGCWTr8g0FeqdM3QWmbV_3PxoSb5c_urf0"
 ADMIN_CHAT_ID: ""
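Review bot: `checkInternalAuth` compares the header to the secret with `!=`, which is not a constant-time comparison. For a shared key the usual form is `if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Internal-Key")), []byte(want)) != 1 {`, which needs `crypto/subtle` in the file's imports (the import block is not visible in this hunk). The function also has no doc comment, and its contract is security-relevant; something like `// checkInternalAuth reports whether r carries the configured X-Internal-Key; it writes a 401 and returns false otherwise. An empty configured key disables the check.` would make the fail-open branch visible to the next reader. Rejected requests are not logged here, so repeated bad-key attempts would only show up in whatever access logging exists upstream.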
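Review bot: The added `INTERNAL_API_KEY` line in `k8s/secrets.yaml` commits the actual key value to the repository under `stringData`. Anyone with read access to the repo or its history therefore holds the credential that `checkInternalAuth` checks. Treat the committed value as exposed: rotate it and keep only a placeholder in the manifest, e.g. `INTERNAL_API_KEY: "<set-at-deploy-time>"`, with the real value supplied out of band (an encrypted or sealed secret, or the cluster's secret store). The neighbouring `TG_BOT_TOKEN` context line already carries a literal token and deserves the same treatment.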