Merge branch 'feat/api-key'

Author: NeedleInAJayStack

README.md

@@ -9,6 +9,7 @@ Create a `.env` file in this directory that contains necessary environment varia
 ```
 USERNAME=<username>
 PASSWORD=<password>
+API_KEY=<apikey>
 
 HOST=<host>
 PORT=<port>

authController.go

@@ -14,28 +14,22 @@ import (
 type authController struct {
 	jwtSecret            string
 	tokenDurationSeconds int
-	username             string
-	password             string
+	authenticator        authenticator
 }
 
 // GET /auth/token
 // Requires basic auth
 func (a authController) getAuthToken(w http.ResponseWriter, r *http.Request) {
 	reqUsername, reqPassword, _ := r.BasicAuth()
-	if reqUsername != a.username {
-		log.Printf("Invalid username: %s", reqUsername)
-		w.WriteHeader(http.StatusForbidden)
-		return
-	}
-	if reqPassword != a.password {
-		log.Printf("Invalid password")
+	valid, err := a.authenticator.authenticate(reqUsername, reqPassword)
+	if !valid {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 		"subject":  "go",
-		"username": a.username,
+		"username": reqUsername,
 		"exp":      time.Now().Unix() + int64(a.tokenDurationSeconds),
 	})
 	tokenString, err := token.SignedString([]byte(a.jwtSecret))
@@ -60,34 +54,50 @@ func (a authController) getAuthToken(w http.ResponseWriter, r *http.Request) {
 	w.Write(httpJson)
 }
 
-func tokenAuthMiddleware(jwtSecret string, next http.Handler) http.Handler {
+func authMiddleware(jwtSecret string, apiKey string, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var tokenString string
+		var bearerTokenString string
+		var apiKeyString string
 		for _, headerValue := range r.Header["Authorization"] {
 			if strings.HasPrefix(headerValue, "Bearer ") {
-				tokenString, _ = strings.CutPrefix(headerValue, "Bearer ")
+				bearerTokenString, _ = strings.CutPrefix(headerValue, "Bearer ")
+			}
+			if strings.HasPrefix(headerValue, "ApiKey ") {
+				apiKeyString, _ = strings.CutPrefix(headerValue, "ApiKey ")
 			}
 		}
 
-		token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		if bearerTokenString != "" {
+			token, err := jwt.Parse(bearerTokenString, func(token *jwt.Token) (interface{}, error) {
+				if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+					return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+				}
+				return []byte(jwtSecret), nil
+			})
+			if err != nil {
+				log.Printf("JWT parsing failed: %s", err)
+				w.WriteHeader(http.StatusUnauthorized)
+				return
 			}
-			return []byte(jwtSecret), nil
-		})
-		if err != nil {
-			log.Printf("JWT parsing failed: %s", err)
-			w.WriteHeader(http.StatusUnauthorized)
-			return
-		}
 
-		claims, ok := token.Claims.(jwt.MapClaims)
-		if !ok {
-			log.Printf("JWT claims failed: %s", err)
-		}
-		exp, _ := claims.GetExpirationTime()
-		if exp.Before(time.Now()) {
-			log.Printf("JWT expired at: %s", exp)
+			claims, ok := token.Claims.(jwt.MapClaims)
+			if !ok {
+				log.Printf("JWT claims failed: %s", err)
+			}
+			exp, _ := claims.GetExpirationTime()
+			if exp.Before(time.Now()) {
+				log.Printf("JWT expired at: %s", exp)
+				w.WriteHeader(http.StatusUnauthorized)
+				return
+			}
+		} else if apiKey != "" && apiKeyString != "" {
+			if apiKeyString != apiKey {
+				log.Printf("Invalid API key")
+				w.WriteHeader(http.StatusUnauthorized)
+				return
+			}
+		} else {
+			log.Printf("Authorization scheme not supported")
 			w.WriteHeader(http.StatusUnauthorized)
 			return
 		}

authenticator.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"fmt"
+	"log"
+)
+
+// authenticator is an interface for validating usernames and passwords.
+type authenticator interface {
+	// authenticate returns true if the username and password are valid.
+	authenticate(username string, password string) (bool, error)
+}
+
+// singleUserAuthenticator is a simple authenticator that only accepts a literal single username and password.
+// In real applications, these should be injected by environment variables.
+type singleUserAuthenticator struct {
+	username string
+	password string
+}
+
+func (a singleUserAuthenticator) authenticate(username string, password string) (bool, error) {
+	if username != a.username {
+		log.Printf("Invalid username: %s", username)
+		return false, fmt.Errorf("Invalid username: %s", username)
+	}
+	if password != a.password {
+		log.Printf("Invalid password")
+		return false, fmt.Errorf("Invalid password")
+	}
+	return true, nil
+}

main.go

@@ -64,13 +64,17 @@ func main() {
 	go serveMetrics()
 
 	// Stores
+	authenticator := singleUserAuthenticator{
+		username: os.Getenv("USERNAME"),
+		password: os.Getenv("PASSWORD"),
+	}
 	historyStore := newGormHistoryStore(db)
 	recStore := newGormRecStore(db)
 	currentStore := newInMemoryCurrentStore()
 
 	serverConfig := ServerConfig{
-		username:             os.Getenv("USERNAME"),
-		password:             os.Getenv("PASSWORD"),
+		authenticator:        authenticator,
+		apiKey:               os.Getenv("API_KEY"),
 		jwtSecret:            os.Getenv("JWT_SECRET"),
 		tokenDurationSeconds: 60 * 60, // 1 hour
 

server.go

@@ -8,8 +8,8 @@ import (
 
 type ServerConfig struct {
 	// Auth
-	username             string
-	password             string
+	authenticator        authenticator
+	apiKey               string
 	jwtSecret            string
 	tokenDurationSeconds int
 
@@ -27,8 +27,7 @@ func NewServer(serverConfig ServerConfig) (http.Handler, error) {
 	authController := authController{
 		jwtSecret:            serverConfig.jwtSecret,
 		tokenDurationSeconds: serverConfig.tokenDurationSeconds,
-		username:             serverConfig.username,
-		password:             serverConfig.password,
+		authenticator:        serverConfig.authenticator,
 	}
 	hisController := hisController{store: serverConfig.historyStore}
 	recController := recController{store: serverConfig.recStore}
@@ -51,9 +50,9 @@ func NewServer(serverConfig ServerConfig) (http.Handler, error) {
 	handleFunc(tokenAuth, "DELETE /api/recs/{pointId}/history", hisController.deleteHis)
 	handleFunc(tokenAuth, "GET /api/recs/{pointId}/current", currentController.getCurrent)
 	handleFunc(tokenAuth, "POST /api/recs/{pointId}/current", currentController.postCurrent)
-	server.Handle("/api/his/", tokenAuthMiddleware(serverConfig.jwtSecret, tokenAuth))
-	server.Handle("/api/recs", tokenAuthMiddleware(serverConfig.jwtSecret, tokenAuth))
-	server.Handle("/api/recs/", tokenAuthMiddleware(serverConfig.jwtSecret, tokenAuth))
+	server.Handle("/api/his/", authMiddleware(serverConfig.jwtSecret, serverConfig.apiKey, tokenAuth))
+	server.Handle("/api/recs", authMiddleware(serverConfig.jwtSecret, serverConfig.apiKey, tokenAuth))
+	server.Handle("/api/recs/", authMiddleware(serverConfig.jwtSecret, serverConfig.apiKey, tokenAuth))
 
 	// Catch all others with public files. Not found fallback is app index for browser router.
 	server.Handle("/app/", fileServerWithFallback(http.Dir("./public"), "./public/app/index.html"))

server_test.go

@@ -33,15 +33,19 @@ func (suite *ServerTestSuite) SetupTest() {
 	err = db.AutoMigrate(&gormHis{}, &gormRec{})
 	assert.Nil(suite.T(), err)
 
+	authenticator := singleUserAuthenticator{
+		username: "test",
+		password: "password",
+	}
 	historyStore := newGormHistoryStore(db)
 	recStore := newGormRecStore(db)
 	currentStore := newInMemoryCurrentStore()
 
 	server, err := NewServer(ServerConfig{
-		username:             "test",
-		password:             "password",
+		authenticator:        authenticator,
 		jwtSecret:            "aaa",
 		tokenDurationSeconds: 60,
+		apiKey:               "valid",
 
 		historyStore: historyStore,
 		recStore:     recStore,
@@ -88,6 +92,26 @@ func (suite *ServerTestSuite) TestGetAuthTokenInvalidPassword() {
 	assert.Equal(suite.T(), response.Code, http.StatusForbidden)
 }
 
+func (suite *ServerTestSuite) TestApiKey() {
+	request, _ := http.NewRequest(http.MethodGet, "/api/recs", nil)
+	request.Header.Add("Authorization", fmt.Sprintf("ApiKey %s", "valid"))
+	response := httptest.NewRecorder()
+
+	suite.server.ServeHTTP(response, request)
+
+	assert.Equal(suite.T(), http.StatusOK, response.Code)
+}
+
+func (suite *ServerTestSuite) TestApiKeyInvalid() {
+	request, _ := http.NewRequest(http.MethodGet, "/api/recs", nil)
+	request.Header.Add("Authorization", fmt.Sprintf("ApiKey %s", "invalid"))
+	response := httptest.NewRecorder()
+
+	suite.server.ServeHTTP(response, request)
+
+	assert.Equal(suite.T(), http.StatusUnauthorized, response.Code)
+}
+
 func (suite *ServerTestSuite) TestGetHis() {
 	// Insert data for 2 different points with varying timestamps
 	pointId1 := uuid.New()