Merge branch 'main' into tulir/provider-secret

beeper · Dec 19, 2023 · 2856706 · 2856706
2 parents 89a35f3 + 3a55c6f
commit 2856706
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 2 deletions.
diff --git a/cmd/registration_relay/main.go b/cmd/registration_relay/main.go
@@ -40,6 +40,12 @@ func main() {
 		"Metrics listen address",
 	)
 
+	validateAuthURL := flag.String(
+		"validateAuthURL",
+		flagenv.StringEnvWithDefault("REGISTRATION_RELAY_VALIDATE_AUTH_URL", ""),
+		"Validate auth header URL",
+	)
+
 	flag.Parse()
 
 	if *prettyLogs {
@@ -59,6 +65,7 @@ func main() {
 	if err != nil || len(cfg.Secret) != 32 {
 		log.Fatal().Err(err).Int("secret_len", len(cfg.Secret)).Msg("Invalid secret")
 	}
+	cfg.API.ValidateAuthURL = *validateAuthURL
 
 	log.Info().Str("commit", Commit).Str("build_time", BuildTime).Msg("registration-relay starting")
 

diff --git a/internal/api/api.go b/internal/api/api.go
@@ -43,7 +43,15 @@ func NewAPI(cfg config.Config) *api {
 	r.Get("/health", health.Health)
 
 	r.Get("/api/v1/provider", api.providerWebsocket)
-	r.Post("/api/v1/bridge/{command}", api.bridgeExecuteCommand)
+
+	commandHandler := api.bridgeExecuteCommand
+	if cfg.API.ValidateAuthURL != "" {
+		commandHandler = api.requireAuthHandler(
+			cfg.API.ValidateAuthURL,
+			commandHandler,
+		)
+	}
+	r.Post("/api/v1/bridge/{command}", commandHandler)
 
 	api.server = &http.Server{Addr: cfg.API.Listen, Handler: r}
 

diff --git a/internal/api/auth.go b/internal/api/auth.go
@@ -0,0 +1,76 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/hlog"
+)
+
+var httpClient = &http.Client{}
+
+type authResp struct {
+	Identifier string `json:"identifier"`
+}
+
+func (a *api) requireAuthHandler(
+	validateURL string,
+	next http.HandlerFunc,
+) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		authToken := r.Header.Get("X-Beeper-Access-Token")
+
+		if authToken == "" {
+			a.log.Warn().Msg("Request missing auth header")
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		req, err := http.NewRequest(http.MethodGet, validateURL, nil)
+		if err != nil {
+			a.log.Err(err).Msg("Failed to create request to auth validation URL")
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		req.Header.Add("Authorization", "Bearer "+authToken)
+
+		resp, err := httpClient.Do(req)
+		if err != nil {
+			a.log.Err(err).Msg("Failed to make request to auth validation URL")
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode >= 500 {
+			a.log.Error().
+				Int("status_code", resp.StatusCode).
+				Msg("Unexpected status from auth URL")
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		if resp.StatusCode != 200 {
+			a.log.Warn().
+				Int("status_code", resp.StatusCode).
+				Msg("Unauthorized status from auth URL")
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		var response authResp
+		if err := json.NewDecoder(resp.Body).Decode(&response); err != nil {
+			a.log.Err(err).Msg("Failed to decode auth response")
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		hlog.FromRequest(r).UpdateContext(func(c zerolog.Context) zerolog.Context {
+			return c.Str("identifier", response.Identifier)
+		})
+
+		next(w, r)
+	}
+}
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -4,6 +4,7 @@ type Config struct {
 	Version string
 	Secret  []byte
 	API     struct {
-		Listen string
+		Listen          string
+		ValidateAuthURL string
 	}
 }