From 3ca39ceb8a4b10a22db38face8118ab865f599c4 Mon Sep 17 00:00:00 2001
From: lebaudantoine <lebaud.antoine131@gmail.com>
Date: Mon, 16 Dec 2024 12:39:48 +0100
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F(yprovider)=20support=20multi?=
 =?UTF-8?q?ple=20API=20keys=20to=20separate=20responsibilities?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Support for two API keys has been added to the YProvider microservice to
decouple responsibilities between the collaboration server and other
endpoints. This improves security by scoping keys to specific purposes and
ensures a clearer separation of concerns for easier management and debugging.
---
 src/backend/impress/settings.py                          | 1 -
 src/frontend/servers/y-provider/__tests__/server.test.ts | 5 +++--
 src/frontend/servers/y-provider/src/env.ts               | 2 ++
 src/frontend/servers/y-provider/src/middlewares.ts       | 5 ++++-
 src/helm/env.d/dev/values.impress.yaml.gotmpl            | 1 +
 5 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/backend/impress/settings.py b/src/backend/impress/settings.py
index b5789dc8..86be1e55 100755
--- a/src/backend/impress/settings.py
+++ b/src/backend/impress/settings.py
@@ -506,7 +506,6 @@ class Base(Configuration):
     }
 
     # Y provider microservice
-    # Note: Be careful, this value is currently the same as in the collaboration service.
     Y_PROVIDER_API_KEY = values.Value(
         environ_name="Y_PROVIDER_API_KEY",
         environ_prefix=None,
diff --git a/src/frontend/servers/y-provider/__tests__/server.test.ts b/src/frontend/servers/y-provider/__tests__/server.test.ts
index 7e9fe4c8..c1ff4393 100644
--- a/src/frontend/servers/y-provider/__tests__/server.test.ts
+++ b/src/frontend/servers/y-provider/__tests__/server.test.ts
@@ -14,6 +14,7 @@ jest.mock('../src/env', () => {
     PORT: port,
     COLLABORATION_SERVER_ORIGIN: origin,
     COLLABORATION_SERVER_SECRET: 'test-secret-api-key',
+    Y_PROVIDER_API_KEY: 'yprovider-api-key',
   };
 });
 
@@ -115,7 +116,7 @@ describe('Server Tests', () => {
     const response = await request(app as any)
       .post('/api/convert-markdown')
       .set('Origin', origin)
-      .set('Authorization', 'test-secret-api-key');
+      .set('Authorization', 'yprovider-api-key');
 
     expect(response.status).toBe(400);
     expect(response.body.error).toBe('Invalid request: missing content');
@@ -125,7 +126,7 @@ describe('Server Tests', () => {
     const response = await request(app as any)
       .post('/api/convert-markdown')
       .set('Origin', origin)
-      .set('Authorization', 'test-secret-api-key')
+      .set('Authorization', 'yprovider-api-key')
       .send({
         content: '',
       });
diff --git a/src/frontend/servers/y-provider/src/env.ts b/src/frontend/servers/y-provider/src/env.ts
index e2a8d782..7f23bfc5 100644
--- a/src/frontend/servers/y-provider/src/env.ts
+++ b/src/frontend/servers/y-provider/src/env.ts
@@ -4,5 +4,7 @@ export const COLLABORATION_SERVER_ORIGIN =
   process.env.COLLABORATION_SERVER_ORIGIN || 'http://localhost:3000';
 export const COLLABORATION_SERVER_SECRET =
   process.env.COLLABORATION_SERVER_SECRET || 'secret-api-key';
+export const Y_PROVIDER_API_KEY =
+  process.env.Y_PROVIDER_API_KEY || 'yprovider-api-key';
 export const PORT = Number(process.env.PORT || 4444);
 export const SENTRY_DSN = process.env.SENTRY_DSN || '';
diff --git a/src/frontend/servers/y-provider/src/middlewares.ts b/src/frontend/servers/y-provider/src/middlewares.ts
index 11344a27..48e56895 100644
--- a/src/frontend/servers/y-provider/src/middlewares.ts
+++ b/src/frontend/servers/y-provider/src/middlewares.ts
@@ -4,10 +4,13 @@ import * as ws from 'ws';
 import {
   COLLABORATION_SERVER_ORIGIN,
   COLLABORATION_SERVER_SECRET,
+  Y_PROVIDER_API_KEY,
 } from '@/env';
 
 import { logger } from './utils';
 
+const VALID_API_KEYS = [COLLABORATION_SERVER_SECRET, Y_PROVIDER_API_KEY];
+
 export const httpSecurity = (
   req: Request,
   res: Response,
@@ -27,7 +30,7 @@ export const httpSecurity = (
   // Secret API Key check
   // Note: Changing this header to Bearer token format will break backend compatibility with this microservice.
   const apiKey = req.headers['authorization'];
-  if (apiKey !== COLLABORATION_SERVER_SECRET) {
+  if (!apiKey || !VALID_API_KEYS.includes(apiKey)) {
     res.status(403).json({ error: 'Forbidden: Invalid API Key' });
     return;
   }
diff --git a/src/helm/env.d/dev/values.impress.yaml.gotmpl b/src/helm/env.d/dev/values.impress.yaml.gotmpl
index d49cd4a6..7533f5a7 100644
--- a/src/helm/env.d/dev/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.impress.yaml.gotmpl
@@ -105,6 +105,7 @@ yProvider:
     COLLABORATION_LOGGING: true
     COLLABORATION_SERVER_ORIGIN: https://impress.127.0.0.1.nip.io
     COLLABORATION_SERVER_SECRET: my-secret
+    Y_PROVIDER_API_KEY: my-secret
 
 ingress:
   enabled: true