Implement optional Bearer token auth w/ HASURA_SERVICE_TOKEN_SECRET env

GavinRay97 · GavinRay97 · commit 97f868d3edd1 · 2025-01-28T16:11:34.000-05:00
diff --git a/ndc-app/src/main/kotlin/io/hasura/ndc/app/application/Filters.kt b/ndc-app/src/main/kotlin/io/hasura/ndc/app/application/Filters.kt
@@ -3,6 +3,8 @@ package io.hasura.ndc.app.application
 import io.vertx.core.http.HttpServerRequest
 import jakarta.inject.Inject
 import jakarta.ws.rs.container.ContainerRequestContext
+import jakarta.ws.rs.core.HttpHeaders
+import jakarta.ws.rs.core.Response
 import jakarta.ws.rs.core.UriInfo
 import org.jboss.logging.Logger
 import org.jboss.resteasy.reactive.server.ServerRequestFilter
@@ -19,4 +21,31 @@ class Filters {
             logger.debug(b.result())
         }
     }
+
+    @ServerRequestFilter
+    fun tokenFilter(ctx: ContainerRequestContext): Response? {
+        val secret = System.getenv("HASURA_SERVICE_TOKEN_SECRET")
+        if (secret.isNullOrEmpty()) {
+            logger.warn("Environment variable HASURA_SERVICE_TOKEN_SECRET not set. Token validation is bypassed.")
+            return null
+        }
+
+        val authHeader = ctx.getHeaderString(HttpHeaders.AUTHORIZATION)
+        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+            logger.error("Authorization header missing or not in Bearer format")
+            return Response.status(Response.Status.UNAUTHORIZED).build()
+        }
+
+        val token = authHeader.substringAfter("Bearer ")
+        if (token.isEmpty()) {
+            logger.error("Token is empty")
+            return Response.status(Response.Status.UNAUTHORIZED).build()
+        }
+        if (token != secret) {
+            logger.error("Token is invalid")
+            return Response.status(Response.Status.UNAUTHORIZED).build()
+        }
+
+        return null
+    }
 }
