feat(api-key): check for api key on public routes

config/runtime.exs

@@ -71,6 +71,7 @@ EpochtalkServer.RateLimiter.init()
 
 ## Frontend configurations
 config :epochtalk_server, :frontend_config, %{
+  api_key: System.get_env("API_KEY", "ABC123"),
   frontend_url: System.get_env("FRONTEND_URL", "http://localhost:8000"),
   backend_url: System.get_env("BACKEND_URL", "http://localhost:4000"),
   newbie_enabled: get_env_cast_bool_with_default.("NEWBIE_ENABLED", "FALSE"),

lib/epochtalk_server_web/endpoint.ex

@@ -10,7 +10,7 @@ defmodule EpochtalkServerWeb.Endpoint do
     # origins: "*",
     origins: ~r{^https?://(.*\.)?epochtalk\.com$},
     allow_headers: :all,
-    expose_headers: ["epoch-viewer"]
+    expose_headers: ["epoch-viewer", "api-key"]
 
   socket "/socket", EpochtalkServerWeb.UserSocket,
     websocket: true,

lib/epochtalk_server_web/plugs/check_api_key.ex

@@ -0,0 +1,35 @@
+defmodule EpochtalkServerWeb.Plugs.CheckAPIKey do
+  @moduledoc """
+  Plug that tracks user IP address for PUT POST or PATCH operations
+  """
+  use Plug.Builder
+  import Plug.Conn
+
+  @env Mix.env()
+  @methods ~w(GET POST PUT PATCH)
+
+  plug(:check_api_key)
+
+  @doc """
+  Validates and checks API key sent from frontend against one stored on backend
+  """
+  def check_api_key(conn, _opts) do
+    %{method: method} = conn
+
+    if method in @methods and @env != :test do
+      try_verify(conn)
+    else
+      conn
+    end
+  end
+
+  defp try_verify(conn) do
+    config = Application.get_env(:epochtalk_server, :frontend_config)
+    api_key = config[:api_key]
+    [req_api_key] = get_req_header(conn, "api-key")
+
+    if api_key == req_api_key,
+      do: conn,
+      else: raise(Plug.BadRequestError)
+  end
+end

lib/epochtalk_server_web/router.ex

@@ -20,6 +20,7 @@ defmodule EpochtalkServerWeb.Router do
     plug EpochtalkServerWeb.Plugs.TrackIp
     # Track user last active
     plug EpochtalkServerWeb.Plugs.UserLastActive
+    plug EpochtalkServerWeb.Plugs.CheckAPIKey
   end
 
   pipeline :enforce_auth do