♻️(yprovider) support multiple API keys to separate responsibilities

Support for two API keys has been added to the YProvider microservice to
decouple responsibilities between the collaboration server and other
endpoints. This improves security by scoping keys to specific purposes and
ensures a clearer separation of concerns for easier management and debugging.
lebaudantoine
2024-12-16 12:39:48 +01:00
committed by aleb_the_flash
parent 8a93122882
commit 3ca39ceb8a
5 changed files with 10 additions and 4 deletions


@@ -506,7 +506,6 @@ class Base(Configuration):
}
# Y provider microservice
# Note: Be careful, this value is currently the same as in the collaboration service.
Y_PROVIDER_API_KEY = values.Value(
environ_name="Y_PROVIDER_API_KEY",
environ_prefix=None,


@@ -14,6 +14,7 @@ jest.mock('../src/env', () => {
PORT: port,
COLLABORATION_SERVER_ORIGIN: origin,
COLLABORATION_SERVER_SECRET: 'test-secret-api-key',
Y_PROVIDER_API_KEY: 'yprovider-api-key',
};
});
@@ -115,7 +116,7 @@ describe('Server Tests', () => {
const response = await request(app as any)
.post('/api/convert-markdown')
.set('Origin', origin)
.set('Authorization', 'test-secret-api-key');
.set('Authorization', 'yprovider-api-key');
expect(response.status).toBe(400);
expect(response.body.error).toBe('Invalid request: missing content');
@@ -125,7 +126,7 @@ describe('Server Tests', () => {
const response = await request(app as any)
.post('/api/convert-markdown')
.set('Origin', origin)
.set('Authorization', 'test-secret-api-key')
.set('Authorization', 'yprovider-api-key')
.send({
content: '',
});
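Review bot: Nothing in the visible tests pins which key each endpoint accepts: both `/api/convert-markdown` cases were simply switched to `'yprovider-api-key'`, so a request carrying `'test-secret-api-key'` on this route is no longer exercised. A case that sends the collaboration secret to `/api/convert-markdown` and asserts the intended status would document whether the two keys are meant to be interchangeable. The test file continues outside these hunks, so such a case may already exist elsewhere.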


@@ -4,5 +4,7 @@ export const COLLABORATION_SERVER_ORIGIN =
process.env.COLLABORATION_SERVER_ORIGIN || 'http://localhost:3000';
export const COLLABORATION_SERVER_SECRET =
process.env.COLLABORATION_SERVER_SECRET || 'secret-api-key';
export const Y_PROVIDER_API_KEY =
process.env.Y_PROVIDER_API_KEY || 'yprovider-api-key';
export const PORT = Number(process.env.PORT || 4444);
export const SENTRY_DSN = process.env.SENTRY_DSN || '';
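Review bot: `Y_PROVIDER_API_KEY` falls back to the literal `'yprovider-api-key'` when the environment variable is unset, so a deployment that forgets to set it will authenticate requests with a key that is published in the repository. The neighbouring `COLLABORATION_SERVER_SECRET` line follows the same pattern. Failing at startup outside development would be safer, for example `if (!process.env.Y_PROVIDER_API_KEY) throw new Error('Y_PROVIDER_API_KEY must be set');`, guarded by whatever environment check the service already uses.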


@@ -4,10 +4,13 @@ import * as ws from 'ws';
import {
COLLABORATION_SERVER_ORIGIN,
COLLABORATION_SERVER_SECRET,
Y_PROVIDER_API_KEY,
} from '@/env';
import { logger } from './utils';
const VALID_API_KEYS = [COLLABORATION_SERVER_SECRET, Y_PROVIDER_API_KEY];
export const httpSecurity = (
req: Request,
res: Response,
@@ -27,7 +30,7 @@ export const httpSecurity = (
// Secret API Key check
// Note: Changing this header to Bearer token format will break backend compatibility with this microservice.
const apiKey = req.headers['authorization'];
if (apiKey !== COLLABORATION_SERVER_SECRET) {
if (!apiKey || !VALID_API_KEYS.includes(apiKey)) {
res.status(403).json({ error: 'Forbidden: Invalid API Key' });
return;
}
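Review bot: The check `VALID_API_KEYS.includes(apiKey)` accepts either key on every route that goes through `httpSecurity`, so as far as this hunk shows a caller holding `COLLABORATION_SERVER_SECRET` is authorised wherever `Y_PROVIDER_API_KEY` is, and vice versa; the per-purpose scoping described in the commit message is not enforced here. Consider passing the expected key per route so the comparison becomes `if (!apiKey || apiKey !== expectedKey) {`. `includes` also compares with `===`, which is not constant-time; Node's `crypto.timingSafeEqual` over equal-length buffers avoids leaking how much of a key matched through response timing. Until keys are scoped, a comment above `VALID_API_KEYS` such as `// Keys accepted by httpSecurity on all routes; not scoped per endpoint.` would make the current behaviour explicit. The body of `httpSecurity` starts and ends outside the hunks shown.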


@@ -105,6 +105,7 @@ yProvider:
COLLABORATION_LOGGING: true
COLLABORATION_SERVER_ORIGIN: https://impress.127.0.0.1.nip.io
COLLABORATION_SERVER_SECRET: my-secret
Y_PROVIDER_API_KEY: my-secret
ingress:
enabled: true
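Review bot: `Y_PROVIDER_API_KEY: my-secret` is given the same value as `COLLABORATION_SERVER_SECRET` on the line above, so in this configuration the two keys are indistinguishable and the separation the commit introduces has no effect. This looks like a local development values file (the origin is a `127.0.0.1.nip.io` host), but examples tend to be copied; a distinct placeholder such as `Y_PROVIDER_API_KEY: my-yprovider-secret` (constructed sample value) would show the intended setup. A short comment noting that the backend's `Y_PROVIDER_API_KEY` must match this value would also help.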