mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-16 17:39:40 +02:00
7e931b1c6d
mana-search-go → mana-search mana-notify-go → mana-notify mana-crawler-go → mana-crawler mana-api-gateway-go → mana-api-gateway Legacy NestJS versions are deleted, suffix no longer needed. Updated all references in docker-compose, CLAUDE.md, package.json, Forgejo workflows, and service package.json files. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
106 lines
2.7 KiB
Go
106 lines
2.7 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"log/slog"
|
|
"net/http"
|
|
"regexp"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/manacore/mana-api-gateway/internal/service"
|
|
)
|
|
|
|
type contextKey string
|
|
|
|
const ApiKeyContextKey contextKey = "apiKey"
|
|
|
|
var endpointRegex = regexp.MustCompile(`/v1/(\w+)`)
|
|
|
|
// ApiKeyMiddleware validates X-API-Key header and attaches key data to context.
|
|
func ApiKeyMiddleware(apiKeyService *service.ApiKeyService) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
rawKey := r.Header.Get("X-API-Key")
|
|
if rawKey == "" {
|
|
writeJSON(w, http.StatusUnauthorized, map[string]string{
|
|
"error": "API key required. Use X-API-Key header.",
|
|
})
|
|
return
|
|
}
|
|
|
|
keyData, err := apiKeyService.ValidateKey(r.Context(), rawKey)
|
|
if err != nil {
|
|
slog.Debug("invalid api key", "error", err)
|
|
writeJSON(w, http.StatusUnauthorized, map[string]string{
|
|
"error": "Invalid API key",
|
|
})
|
|
return
|
|
}
|
|
|
|
if !keyData.Active {
|
|
writeJSON(w, http.StatusUnauthorized, map[string]string{
|
|
"error": "API key is disabled",
|
|
})
|
|
return
|
|
}
|
|
|
|
if keyData.ExpiresAt != nil && time.Now().After(*keyData.ExpiresAt) {
|
|
writeJSON(w, http.StatusUnauthorized, map[string]string{
|
|
"error": "API key has expired",
|
|
})
|
|
return
|
|
}
|
|
|
|
// Check endpoint permission
|
|
endpoint := extractEndpoint(r.URL.Path)
|
|
if !hasEndpointPermission(keyData, endpoint) {
|
|
writeJSON(w, http.StatusForbidden, map[string]string{
|
|
"error": "Endpoint '" + endpoint + "' not allowed for this API key. Upgrade your plan.",
|
|
})
|
|
return
|
|
}
|
|
|
|
// Attach key data to context
|
|
ctx := context.WithValue(r.Context(), ApiKeyContextKey, keyData)
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
// GetApiKey retrieves the API key data from the request context.
|
|
func GetApiKey(r *http.Request) *service.ApiKeyData {
|
|
data, _ := r.Context().Value(ApiKeyContextKey).(*service.ApiKeyData)
|
|
return data
|
|
}
|
|
|
|
func extractEndpoint(path string) string {
|
|
m := endpointRegex.FindStringSubmatch(path)
|
|
if len(m) >= 2 {
|
|
return m[1]
|
|
}
|
|
return "unknown"
|
|
}
|
|
|
|
func hasEndpointPermission(keyData *service.ApiKeyData, endpoint string) bool {
|
|
if keyData.AllowedEndpoints == "" {
|
|
return true
|
|
}
|
|
var allowed []string
|
|
if err := json.Unmarshal([]byte(keyData.AllowedEndpoints), &allowed); err != nil {
|
|
return true
|
|
}
|
|
for _, e := range allowed {
|
|
if e == endpoint || strings.HasPrefix(endpoint, e) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func writeJSON(w http.ResponseWriter, status int, data any) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(status)
|
|
json.NewEncoder(w).Encode(data)
|
|
}
|