From 2ada8fbc28e9b86985d54a8f03969b2fe8e665a8 Mon Sep 17 00:00:00 2001 From: Gavin Ray Date: Tue, 28 Jan 2025 16:10:20 -0500 Subject: [PATCH 1/2] Implement optional Bearer token auth w/ HASURA_SERVICE_TOKEN_SECRET env --- ndc-app/src/main/resources/application.properties | 1 - 1 file changed, 1 deletion(-) diff --git a/ndc-app/src/main/resources/application.properties b/ndc-app/src/main/resources/application.properties index bd6746d..492e6b4 100644 --- a/ndc-app/src/main/resources/application.properties +++ b/ndc-app/src/main/resources/application.properties @@ -7,7 +7,6 @@ quarkus.live-reload.instrumentation=true quarkus.datasource.devservices.enabled=false quarkus.opentelemetry.enabled=true - quarkus.index-dependency.ndc-ir.group-id=io.hasura quarkus.index-dependency.ndc-ir.artifact-id=ndc-ir From 97f868d3edd14e9f2849742c6e8ce20c108c7c4c Mon Sep 17 00:00:00 2001 From: Gavin Ray Date: Tue, 28 Jan 2025 16:11:34 -0500 Subject: [PATCH 2/2] Implement optional Bearer token auth w/ HASURA_SERVICE_TOKEN_SECRET env --- .../io/hasura/ndc/app/application/Filters.kt | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/ndc-app/src/main/kotlin/io/hasura/ndc/app/application/Filters.kt b/ndc-app/src/main/kotlin/io/hasura/ndc/app/application/Filters.kt index cd9658a..ba1a93c 100644 --- a/ndc-app/src/main/kotlin/io/hasura/ndc/app/application/Filters.kt +++ b/ndc-app/src/main/kotlin/io/hasura/ndc/app/application/Filters.kt @@ -3,6 +3,8 @@ package io.hasura.ndc.app.application import io.vertx.core.http.HttpServerRequest import jakarta.inject.Inject import jakarta.ws.rs.container.ContainerRequestContext +import jakarta.ws.rs.core.HttpHeaders +import jakarta.ws.rs.core.Response import jakarta.ws.rs.core.UriInfo import org.jboss.logging.Logger import org.jboss.resteasy.reactive.server.ServerRequestFilter 
@@ -19,4 +21,31 @@ class Filters {
 logger.debug(b.result())
 }
 }
+
+ @ServerRequestFilter
+ fun tokenFilter(ctx: ContainerRequestContext): Response? {
+ val secret = System.getenv("HASURA_SERVICE_TOKEN_SECRET")
+ if (secret.isNullOrEmpty()) {
+ logger.warn("Environment variable HASURA_SERVICE_TOKEN_SECRET not set. Token validation is bypassed.")
+ return null
+ }
+
+ val authHeader = ctx.getHeaderString(HttpHeaders.AUTHORIZATION)
+ if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+ logger.error("Authorization header missing or not in Bearer format")
+ return Response.status(Response.Status.UNAUTHORIZED).build()
+ }
+
+ val token = authHeader.substringAfter("Bearer ")
+ if (token.isEmpty()) {
+ logger.error("Token is empty")
+ return Response.status(Response.Status.UNAUTHORIZED).build()
+ }
+ if (token != secret) {
+ logger.error("Token is invalid")
+ return Response.status(Response.Status.UNAUTHORIZED).build()
+ }
+
+ return null
+ }
 }
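Review bot: The `token != secret` check in tokenFilter compares the presented token with the shared secret using ordinary string equality, which can stop at the first differing character and so may reveal through response timing how much of a guess matched. A constant-time comparison fits here: `if (!MessageDigest.isEqual(token.toByteArray(), secret.toByteArray())) {`, with `import java.security.MessageDigest` added to the file's imports. Separately, the empty-secret branch fails open and logs its warning on every request. The commit title calls the auth optional, so this looks intended, but a comment on that branch such as `// Auth is opt-in: with no secret configured every request is accepted` would keep it from being read as a safe default, and the warning is better emitted once at startup.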