cat_gateway/service/common/auth/
api_key.rs

1//! API Key authorization scheme is used ONLY by internal endpoints.
2//!
3//! Its purpose is to prevent their use externally, if they were accidentally exposed.
4//!
5//! It is NOT to be used on any endpoint intended to be publicly facing.
6
7use anyhow::{Result, bail};
8use poem::{Request, http::HeaderMap};
9use poem_openapi::{SecurityScheme, auth::ApiKey};
10
11use crate::settings::Settings;
12
13/// The header name that holds the API Key
14pub(crate) const API_KEY_HEADER: &str = "X-API-Key";
15
16/// `ApiKey` authorization for Internal Endpoints
17#[derive(SecurityScheme)]
18#[oai(
19    ty = "api_key",
20    key_name = "X-API-Key", // MUST match the `API_KEY_HEADER` constant.
21    key_in = "header",
22    checker = "api_checker"
23)]
24#[allow(dead_code)]
25pub(crate) struct InternalApiKeyAuthorization(String);
26
27/// Check the provided API Key matches the API Key defined by for the deployment.
28#[allow(clippy::unused_async)]
29async fn api_checker(
30    _req: &Request,
31    api_key: ApiKey,
32) -> Option<String> {
33    if Settings::check_internal_api_key(&api_key.key) {
34        Some(api_key.key)
35    } else {
36        None
37    }
38}
39
40/// Check if the API Key is correctly set.
41/// Returns an error if it is not.
42pub(crate) fn check_api_key(headers: &HeaderMap) -> Result<()> {
43    if let Some(key) = headers.get(API_KEY_HEADER)
44        && Settings::check_internal_api_key(key.to_str()?)
45    {
46        return Ok(());
47    }
48    bail!("Invalid API Key");
49}
cat_gateway/service/common/auth/api_key.rs

cat_gateway/service/common/auth/
api_key.rs
