feat: HTTP authentication for events endpoint

2022-12-07 13:02:09 +05:30 · 2022-12-07 13:02:09 +05:30 · f9d23cb3ef
commit f9d23cb3ef
parent 6145695980
4 changed files with 53 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -193,6 +193,21 @@ dependencies = [
 "syn",
 ]

+[[package]]
+name = "actix-web-httpauth"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6dda62cf04bc3a9ad2ea8f314f721951cfdb4cdacec4e984d20e77c7bb170991"
+dependencies = [
+ "actix-utils",
+ "actix-web",
+ "base64",
+ "futures-core",
+ "futures-util",
+ "log",
+ "pin-project-lite",
+]
+
 [[package]]
 name = "adler"
 version = "1.0.2"
@ -405,6 +420,7 @@ dependencies = [
 "actix-rt",
 "actix-web",
 "actix-web-codegen-const-routes",
+ "actix-web-httpauth",
 "base64",
 "clap",
 "config",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -24,6 +24,7 @@ derive_more = "0.99.17"
 url = { version = "2.2.2", features = ["serde"]}
 serde_json = { version ="1", features = ["raw_value"]}
 clap = { vesrion = "3.2.20", features = ["derive"]}
+actix-web-httpauth = "0.8.0"

 [dependencies.libconductor]
 path = "./env/libconductor"
--- a/src/api/v1/mod.rs
+++ b/src/api/v1/mod.rs
@ -14,11 +14,33 @@
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
+use actix_web::dev::ServiceRequest;
 use actix_web::web;
+use actix_web::Error;
+use actix_web_httpauth::extractors::basic::BasicAuth;
+
+use crate::errors::*;
+use crate::AppCtx;
+use crate::SETTINGS;

 pub mod meta;
 pub mod webhook;

+pub async fn httpauth(
+    req: ServiceRequest,
+    credentials: BasicAuth,
+) -> Result<ServiceRequest, (Error, ServiceRequest)> {
+    let _ctx: &AppCtx = req.app_data().unwrap();
+    let username = credentials.user_id();
+    let password = credentials.password().unwrap();
+    if SETTINGS.authenticate(username, password) {
+        Ok(req)
+    } else {
+        let e = Error::from(ServiceError::Unauthorized);
+        Err((e, req))
+    }
+}
+
 pub const API_V1_ROUTES: routes::Routes = routes::Routes::new();

 #[derive(Debug, Clone, Eq, PartialEq)]
--- a/src/api/v1/webhook.rs
+++ b/src/api/v1/webhook.rs
@ -15,6 +15,7 @@
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 use actix_web::{web, HttpResponse, Responder};
+use actix_web_httpauth::middleware::HttpAuthentication;
 use serde::{Deserialize, Serialize};

 use libconductor::EventType;
@ -23,6 +24,8 @@ use crate::errors::*;
 use crate::AppCtx;
 use crate::*;

+use super::httpauth;
+
 pub mod routes {
    use super::*;
    #[derive(Debug, Eq, PartialEq, Deserialize, Serialize)]
@ -42,7 +45,10 @@ pub fn services(cfg: &mut web::ServiceConfig) {
    cfg.service(post_event);
 }

-#[actix_web_codegen_const_routes::post(path = "API_V1_ROUTES.webhook.post_event")]
+#[actix_web_codegen_const_routes::post(
+    path = "API_V1_ROUTES.webhook.post_event",
+    wrap = "HttpAuthentication::basic(httpauth)"
+)]
 async fn post_event(ctx: AppCtx, payload: web::Json<EventType>) -> ServiceResult<impl Responder> {
    ctx.conductor.process(payload.into_inner()).await;
    Ok(HttpResponse::Created())
@ -65,12 +71,19 @@ pub mod tests {
        )
        .await;

+        let creds = settings.api_keys.get(0).unwrap().clone();
+        let auth = format!(
+            "Basic {}",
+            base64::encode(format!("{}:{}", creds.username.clone(), creds.password))
+        );
+
        let new_hostname = EventType::NewHostname("demo.librepages.org".into());

        // upload json
        let upload_json = test::call_service(
            &app,
            test::TestRequest::post()
+                .append_header((actix_web::http::header::AUTHORIZATION, auth.clone()))
                .uri(API_V1_ROUTES.webhook.post_event)
                .set_json(&new_hostname)
                .to_request(),