diff --git a/cmd/server/main.go b/cmd/server/main.go
index 1d9943e..ec438d8 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -50,6 +50,7 @@ type config struct {
 LLMTimeout time.Duration
 AIServiceURL string
 AIServiceToken string
+ InternalAPIKey string
 MinioEndpoint string
 MinioAccessKey string
 MinioSecretKey string
@@ -191,6 +192,9 @@ func (a *app) serveHTTP(w http.ResponseWriter, r *http.Request) {
 writeError(w, http.StatusNotFound, "not found")
 return
 }
+ if !a.checkInternalAuth(w, r) {
+ return
+ }
 ctx := r.Context()
 switch {
@@ -227,6 +231,18 @@ func (a *app) serveHTTP(w http.ResponseWriter, r *http.Request) {
 }
 }
+func (a *app) checkInternalAuth(w http.ResponseWriter, r *http.Request) bool {
+ want := strings.TrimSpace(a.cfg.InternalAPIKey)
+ if want == "" {
+ return true
+ }
+ if r.Header.Get("X-Internal-Key") != want {
+ writeError(w, http.StatusUnauthorized, "unauthorized")
+ return false
+ }
+ return true
+}
+
 func (a *app) apiPath(path string) string {
 base := strings.TrimRight(a.cfg.PublicBasePath, "/")
 if base != "" && strings.HasPrefix(path, base+"/") {
@@ -1873,6 +1889,7 @@ func loadConfig() config {
 LLMTimeout: time.Duration(envInt("LLM_TIMEOUT_SECONDS", 120)) * time.Second,
 AIServiceURL: env("AI_SERVICE_URL", ""),
 AIServiceToken: env("AI_SERVICE_TOKEN", ""),
+ InternalAPIKey: env("INTERNAL_API_KEY", env("PORTAL_INTERNAL_API_KEY", "")),
 MinioEndpoint: env("MINIO_ENDPOINT", ""),
 MinioAccessKey: env("MINIO_ACCESS_KEY", ""),
 MinioSecretKey: env("MINIO_SECRET_KEY", ""),
diff --git a/k8s/secrets.yaml b/k8s/secrets.yaml
index 55f6ac4..2e6b2d6 100644
--- a/k8s/secrets.yaml
+++ b/k8s/secrets.yaml
@@ -10,6 +10,7 @@ stringData:
 TG_PHONE: "+971524994695"
 TG_SESSION_STRING: ""
 POSTGRES_PASSWORD: "parser"
+ INTERNAL_API_KEY: "36fe89ed40c01fdc54d3cf4e3fcacc8751dc456a4a1acd394e9fed48257c5734"
 AI_SERVICE_TOKEN: "d18bcacf9e02bae1806ee6b6eeda62b95be6a915c0a22936d9a700128b275442"
 MINIO_ACCESS_KEY: "admjn"
 MINIO_SECRET_KEY: "TropicalMacaw9Fantasize"
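Review bot: The auth gate added before the route `switch` in serveHTTP applies to every path that passes the not-found check, so any health-probe or public route handled below it would start returning 401 once a key is configured; the routes are outside this hunk, so that needs checking against the switch. If such routes exist, exempt them explicitly before the call, and add a comment such as `// Internal API key gate: applies to every route handled below.` so the ordering reads as deliberate. serveHTTP begins and ends outside the hunk.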
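Review bot: checkInternalAuth fails open: when `a.cfg.InternalAPIKey` is empty after trimming it returns true, and the loadConfig hunk defaults both `INTERNAL_API_KEY` and `PORTAL_INTERNAL_API_KEY` to `""`, so a missing or misnamed variable silently turns authentication off. If running without a key is meant only for local development, make that explicit (refuse to start, or at least log a warning at startup, when the key is empty) rather than leaving it as the default. The comparison `r.Header.Get("X-Internal-Key") != want` is also not constant-time; `if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Internal-Key")), []byte(want)) != 1 {` with `crypto/subtle` imported removes the timing side channel on the key. A doc comment stating the header name and the empty-key behaviour would help, e.g. `// checkInternalAuth reports whether r carries the configured X-Internal-Key; it writes a 401 and returns false otherwise.`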
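Review bot: The new `INTERNAL_API_KEY` entry under `stringData` commits the key value to the repository in plaintext, so it is readable by anyone with access to the repo or its history and remains there even if a later commit removes it. Treat the value as exposed: rotate it, and keep only a placeholder in the manifest, e.g. `INTERNAL_API_KEY: "<set-at-deploy-time>"`, with the real value supplied from a secret store or an encrypted-secrets mechanism at deploy time. The neighbouring context lines (`AI_SERVICE_TOKEN`, `MINIO_SECRET_KEY`, `POSTGRES_PASSWORD`) appear to carry literal values the same way and would need the same treatment, although they predate this commit.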