Merge pull request #47 from slickage/api-key

Api key
slickage · Jan 17, 2025 · f90dba5 · f90dba5
2 parents 66f67c0 + 88d062c
commit f90dba5
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 1 deletion.
diff --git a/config/runtime.exs b/config/runtime.exs
@@ -71,6 +71,7 @@ EpochtalkServer.RateLimiter.init()
 
 ## Frontend configurations
 config :epochtalk_server, :frontend_config, %{
+  api_key: System.get_env("API_KEY", "ABC123"),
   frontend_url: System.get_env("FRONTEND_URL", "http://localhost:8000"),
   backend_url: System.get_env("BACKEND_URL", "http://localhost:4000"),
   newbie_enabled: get_env_cast_bool_with_default.("NEWBIE_ENABLED", "FALSE"),

diff --git a/example.env b/example.env
@@ -4,3 +4,4 @@ AWS_REGION=us-west-2
 IMAGES_MODE=S3
 S3_BUCKET=xxxxxxxxxxxxx
 SECRET_KEY_BASE=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+API_KEY=ABC123
diff --git a/lib/epochtalk_server_web/endpoint.ex b/lib/epochtalk_server_web/endpoint.ex
@@ -10,7 +10,7 @@ defmodule EpochtalkServerWeb.Endpoint do
     # origins: "*",
     origins: ~r{^https?://(.*\.)?epochtalk\.com$},
     allow_headers: :all,
-    expose_headers: ["epoch-viewer"]
+    expose_headers: ["epoch-viewer", "api-key"]
 
   socket "/socket", EpochtalkServerWeb.UserSocket,
     websocket: true,

diff --git a/lib/epochtalk_server_web/plugs/check_api_key.ex b/lib/epochtalk_server_web/plugs/check_api_key.ex
@@ -0,0 +1,35 @@
+defmodule EpochtalkServerWeb.Plugs.CheckAPIKey do
+  @moduledoc """
+  Plug that tracks user IP address for PUT POST or PATCH operations
+  """
+  use Plug.Builder
+  import Plug.Conn
+
+  @env Mix.env()
+  @methods ~w(GET POST PUT PATCH)
+
+  plug(:check_api_key)
+
+  @doc """
+  Validates and checks API key sent from frontend against one stored on backend
+  """
+  def check_api_key(conn, _opts) do
+    %{method: method} = conn
+
+    if method in @methods and @env != :test do
+      try_verify(conn)
+    else
+      conn
+    end
+  end
+
+  defp try_verify(conn) do
+    config = Application.get_env(:epochtalk_server, :frontend_config)
+    api_key = config[:api_key]
+    [req_api_key] = get_req_header(conn, "api-key")
+
+    if api_key == req_api_key,
+      do: conn,
+      else: raise(Plug.BadRequestError)
+  end
+end
diff --git a/lib/epochtalk_server_web/router.ex b/lib/epochtalk_server_web/router.ex
@@ -20,6 +20,7 @@ defmodule EpochtalkServerWeb.Router do
     plug EpochtalkServerWeb.Plugs.TrackIp
     # Track user last active
     plug EpochtalkServerWeb.Plugs.UserLastActive
+    plug EpochtalkServerWeb.Plugs.CheckAPIKey
   end
 
   pipeline :enforce_auth do