Merge pull request #46 from hasura/gavin/service-token-bearer-auth

GavinRay97 · web-flow · commit 3a1aad1e5d5f · 2025-01-28T16:12:10.000-05:00
Implement optional Bearer token auth w/ HASURA_SERVICE_TOKEN_SECRET env
diff --git a/ndc-app/src/main/kotlin/io/hasura/ndc/app/application/Filters.kt b/ndc-app/src/main/kotlin/io/hasura/ndc/app/application/Filters.kt
@@ -3,6 +3,8 @@ package io.hasura.ndc.app.application
 import io.vertx.core.http.HttpServerRequest
 import jakarta.inject.Inject
 import jakarta.ws.rs.container.ContainerRequestContext
+import jakarta.ws.rs.core.HttpHeaders
+import jakarta.ws.rs.core.Response
 import jakarta.ws.rs.core.UriInfo
 import org.jboss.logging.Logger
 import org.jboss.resteasy.reactive.server.ServerRequestFilter
@@ -19,4 +21,31 @@ class Filters {
             logger.debug(b.result())
         }
     }
+
+    @ServerRequestFilter
+    fun tokenFilter(ctx: ContainerRequestContext): Response? {
+        val secret = System.getenv("HASURA_SERVICE_TOKEN_SECRET")
+        if (secret.isNullOrEmpty()) {
+            logger.warn("Environment variable HASURA_SERVICE_TOKEN_SECRET not set. Token validation is bypassed.")
+            return null
+        }
+
+        val authHeader = ctx.getHeaderString(HttpHeaders.AUTHORIZATION)
+        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+            logger.error("Authorization header missing or not in Bearer format")
+            return Response.status(Response.Status.UNAUTHORIZED).build()
+        }
+
+        val token = authHeader.substringAfter("Bearer ")
+        if (token.isEmpty()) {
+            logger.error("Token is empty")
+            return Response.status(Response.Status.UNAUTHORIZED).build()
+        }
+        if (token != secret) {
+            logger.error("Token is invalid")
+            return Response.status(Response.Status.UNAUTHORIZED).build()
+        }
+
+        return null
+    }
 }
diff --git a/ndc-app/src/main/resources/application.properties b/ndc-app/src/main/resources/application.properties
@@ -7,7 +7,6 @@ quarkus.live-reload.instrumentation=true
 quarkus.datasource.devservices.enabled=false
 quarkus.opentelemetry.enabled=true
 
-
 quarkus.index-dependency.ndc-ir.group-id=io.hasura
 quarkus.index-dependency.ndc-ir.artifact-id=ndc-ir
 
