From 6d5594a376c6f960f32eb4ae706675d09da34038 Mon Sep 17 00:00:00 2001 From: Jan Eitzinger Date: Wed, 26 Jun 2024 05:31:28 +0200 Subject: [PATCH] Change JWT Auth to Middleware Handler Caveat: Cache is per endpoint --- api/swagger.json | 28 ++++++------- api/swagger.yaml | 74 +++++++++++++++++----------------- go.sum | 31 +++----------- internal/api/api.go | 20 +-------- internal/api/authentication.go | 70 +++++++++++++++++--------------- internal/api/docs.go | 28 ++++++------- internal/api/server.go | 16 +++++--- 7 files changed, 120 insertions(+), 147 deletions(-) diff --git a/api/swagger.json b/api/swagger.json index 13a358b..402fd11 100644 --- a/api/swagger.json +++ b/api/swagger.json @@ -17,30 +17,32 @@ "host": "localhost:8082", "basePath": "/api/", "paths": { - "/clusters/": { - "get": { + "/debug/": { + "post": { "security": [ { "ApiKeyAuth": [] } ], + "description": "Write metrics to store", "produces": [ "application/json" ], "tags": [ - "free" + "debug" ], + "summary": "Debug endpoint", "parameters": [ { "type": "string", - "description": "up to timestamp", - "name": "to", + "description": "Selector", + "name": "selector", "in": "query" } ], "responses": { "200": { - "description": "ok", + "description": "Debug dump", "schema": { "type": "string" } @@ -72,32 +74,30 @@ } } }, - "/debug/": { - "post": { + "/free/": { + "get": { "security": [ { "ApiKeyAuth": [] } ], - "description": "Write metrics to store", "produces": [ "application/json" ], "tags": [ - "write" + "free" ], - "summary": "Debug endpoint", "parameters": [ { "type": "string", - "description": "Job Cluster", - "name": "selector", + "description": "up to timestamp", + "name": "to", "in": "query" } ], "responses": { "200": { - "description": "Debug dump", + "description": "ok", "schema": { "type": "string" } diff --git a/api/swagger.yaml b/api/swagger.yaml index 3cfd459..51c7322 100644 --- a/api/swagger.yaml +++ b/api/swagger.yaml @@ -100,7 +100,43 @@ info: title: cc-metric-store REST API version: 1.0.0 paths: - /clusters/: + /debug/: + post: + description: Write metrics to store + parameters: + - description: Selector + in: query + name: selector + type: string + produces: + - application/json + responses: + "200": + description: Debug dump + schema: + type: string + "400": + description: Bad Request + schema: + $ref: '#/definitions/api.ErrorResponse' + "401": + description: Unauthorized + schema: + $ref: '#/definitions/api.ErrorResponse' + "403": + description: Forbidden + schema: + $ref: '#/definitions/api.ErrorResponse' + "500": + description: Internal Server Error + schema: + $ref: '#/definitions/api.ErrorResponse' + security: + - ApiKeyAuth: [] + summary: Debug endpoint + tags: + - debug + /free/: get: parameters: - description: up to timestamp @@ -134,42 +170,6 @@ paths: - ApiKeyAuth: [] tags: - free - /debug/: - post: - description: Write metrics to store - parameters: - - description: Job Cluster - in: query - name: selector - type: string - produces: - - application/json - responses: - "200": - description: Debug dump - schema: - type: string - "400": - description: Bad Request - schema: - $ref: '#/definitions/api.ErrorResponse' - "401": - description: Unauthorized - schema: - $ref: '#/definitions/api.ErrorResponse' - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.ErrorResponse' - "500": - description: Internal Server Error - schema: - $ref: '#/definitions/api.ErrorResponse' - security: - - ApiKeyAuth: [] - summary: Debug endpoint - tags: - - write /query/: get: consumes: diff --git a/go.sum b/go.sum index 2656faa..ec38174 100644 --- a/go.sum +++ b/go.sum @@ -21,8 +21,9 @@ github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOW github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gops v0.3.28 h1:2Xr57tqKAmQYRAfG12E+yLcoa2Y42UJo2lOrUFL9ark= github.com/google/gops v0.3.28/go.mod h1:6f6+Nl8LcHrzJwi8+p0ii+vmBFSlB4f8cOOkTJ7sk4c= github.com/influxdata/line-protocol-corpus v0.0.0-20210519164801-ca6fa5da0184/go.mod h1:03nmhxzZ7Xk2pdG+lmMd7mHDfeVOYFyhOgwO61qWU98= @@ -34,8 +35,6 @@ github.com/influxdata/line-protocol/v2 v2.2.1 h1:EAPkqJ9Km4uAxtMRgUubJyqAr6zgWM0 github.com/influxdata/line-protocol/v2 v2.2.1/go.mod h1:DmB3Cnh+3oxmG6LOBIxce4oaL4CPj3OmMPgvauXh+tM= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= -github.com/klauspost/compress v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg= -github.com/klauspost/compress v1.17.7/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= @@ -47,8 +46,6 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/nats-io/nats.go v1.33.1 h1:8TxLZZ/seeEfR97qV0/Bl939tpDnt2Z2fK3HkPypj70= -github.com/nats-io/nats.go v1.33.1/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8= github.com/nats-io/nats.go v1.36.0 h1:suEUPuWzTSse/XhESwqLxXGuj8vGRuPRoG7MoRN/qyU= github.com/nats-io/nats.go v1.36.0/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8= github.com/nats-io/nkeys v0.4.7 h1:RwNJbbIdYCoClSDNY7QVKZlyb/wfT6ugvFCiKy6vDvI= @@ -64,12 +61,8 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/swaggo/files v1.0.0 h1:1gGXVIeUFCS/dta17rnP0iOpr6CXFwKD7EO5ID233e4= -github.com/swaggo/files v1.0.0/go.mod h1:N59U6URJLyU1PQgFqPM7wXLMhJx7QAolnvfQkqO13kc= github.com/swaggo/files v1.0.1 h1:J1bVJ4XHZNq0I46UU90611i9/YzdrF7x92oX1ig5IdE= github.com/swaggo/files v1.0.1/go.mod h1:0qXmMNH6sXNf+73t65aKeB+ApmgxdnkQzVTAj2uaMUg= -github.com/swaggo/http-swagger v1.3.3 h1:Hu5Z0L9ssyBLofaama21iYaF2VbWyA8jdohaaCGpHsc= -github.com/swaggo/http-swagger v1.3.3/go.mod h1:sE+4PjD89IxMPm77FnkDz0sdO+p5lbXzrVWT6OTVVGo= github.com/swaggo/http-swagger v1.3.4 h1:q7t/XLx0n15H1Q9/tk3Y9L4n210XzJF5WtnDX64a5ww= github.com/swaggo/http-swagger v1.3.4/go.mod h1:9dAh0unqMBAlbp1uE2Uc2mQTxNMU/ha4UbucIg1MFkQ= github.com/swaggo/swag v1.16.3 h1:PnCYjPCah8FK4I26l2F/KQ4yz3sILcVUN3cTlBFA9Pg= @@ -81,53 +74,41 @@ github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQut github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= -golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= -golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= +golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= -golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= -golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw= -golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc= golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/internal/api/api.go b/internal/api/api.go index 38d5f50..b5e55fa 100644 --- a/internal/api/api.go +++ b/internal/api/api.go @@ -137,10 +137,6 @@ func (data *ApiMetricData) PadDataWithNull(ms *memorystore.MemoryStore, from, to // @security ApiKeyAuth // @router /free/ [get] func handleFree(rw http.ResponseWriter, r *http.Request) { - if err := isAuthenticated(r); err != nil { - handleError(err, http.StatusUnauthorized, rw) - return - } rawTo := r.URL.Query().Get("to") if rawTo == "" { handleError(errors.New("'to' is a required query parameter"), http.StatusBadRequest, rw) @@ -200,10 +196,6 @@ func handleFree(rw http.ResponseWriter, r *http.Request) { // @security ApiKeyAuth // @router /write/ [post] func handleWrite(rw http.ResponseWriter, r *http.Request) { - if err := isAuthenticated(r); err != nil { - handleError(err, http.StatusUnauthorized, rw) - return - } bytes, err := io.ReadAll(r.Body) rw.Header().Add("Content-Type", "application/json") if err != nil { @@ -263,10 +255,6 @@ type ApiQuery struct { // @security ApiKeyAuth // @router /query/ [get] func handleQuery(rw http.ResponseWriter, r *http.Request) { - if err := isAuthenticated(r); err != nil { - handleError(err, http.StatusUnauthorized, rw) - return - } var err error req := ApiQueryRequest{WithStats: true, WithData: true, WithPadding: true} if err := json.NewDecoder(r.Body).Decode(&req); err != nil { @@ -385,10 +373,10 @@ func handleQuery(rw http.ResponseWriter, r *http.Request) { // handleDebug godoc // @summary Debug endpoint -// @tags write +// @tags debug // @description Write metrics to store // @produce json -// @param selector query string false "Job Cluster" +// @param selector query string false "Selector" // @success 200 {string} string "Debug dump" // @failure 400 {object} api.ErrorResponse "Bad Request" // @failure 401 {object} api.ErrorResponse "Unauthorized" @@ -397,10 +385,6 @@ func handleQuery(rw http.ResponseWriter, r *http.Request) { // @security ApiKeyAuth // @router /debug/ [post] func handleDebug(rw http.ResponseWriter, r *http.Request) { - if err := isAuthenticated(r); err != nil { - handleError(err, http.StatusUnauthorized, rw) - return - } raw := r.URL.Query().Get("selector") rw.Header().Add("Content-Type", "application/json") selector := []string{} diff --git a/internal/api/authentication.go b/internal/api/authentication.go index e9ebab5..6d8db4f 100644 --- a/internal/api/authentication.go +++ b/internal/api/authentication.go @@ -10,43 +10,47 @@ import ( "github.com/golang-jwt/jwt/v4" ) -var publicKey ed25519.PublicKey - -func isAuthenticated(r *http.Request) error { +func authHandler(next http.Handler, publicKey ed25519.PublicKey) http.Handler { cacheLock := sync.RWMutex{} cache := map[string]*jwt.Token{} - authheader := r.Header.Get("Authorization") - if authheader == "" || !strings.HasPrefix(authheader, "Bearer ") { - return errors.New("Use JWT Authentication") - } - - rawtoken := authheader[len("Bearer "):] - cacheLock.RLock() - token, ok := cache[rawtoken] - cacheLock.RUnlock() - if ok && token.Claims.Valid() == nil { - return nil - } - - // The actual token is ignored for now. - // In case expiration and so on are specified, the Parse function - // already returns an error for expired tokens. - var err error - token, err = jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) { - if t.Method != jwt.SigningMethodEdDSA { - return nil, errors.New("only Ed25519/EdDSA supported") + return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { + authheader := r.Header.Get("Authorization") + if authheader == "" || !strings.HasPrefix(authheader, "Bearer ") { + http.Error(rw, "Use JWT Authentication", http.StatusUnauthorized) + return } - return publicKey, nil + rawtoken := authheader[len("Bearer "):] + cacheLock.RLock() + token, ok := cache[rawtoken] + cacheLock.RUnlock() + if ok && token.Claims.Valid() == nil { + next.ServeHTTP(rw, r) + return + } + + // The actual token is ignored for now. + // In case expiration and so on are specified, the Parse function + // already returns an error for expired tokens. + var err error + token, err = jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) { + if t.Method != jwt.SigningMethodEdDSA { + return nil, errors.New("only Ed25519/EdDSA supported") + } + + return publicKey, nil + }) + if err != nil { + http.Error(rw, err.Error(), http.StatusUnauthorized) + return + } + + cacheLock.Lock() + cache[rawtoken] = token + cacheLock.Unlock() + + // Let request through... + next.ServeHTTP(rw, r) }) - if err != nil { - return err - } - - cacheLock.Lock() - cache[rawtoken] = token - cacheLock.Unlock() - - return nil } diff --git a/internal/api/docs.go b/internal/api/docs.go index 0c1bc42..9d49c13 100644 --- a/internal/api/docs.go +++ b/internal/api/docs.go @@ -23,30 +23,32 @@ const docTemplate = `{ "host": "{{.Host}}", "basePath": "{{.BasePath}}", "paths": { - "/clusters/": { - "get": { + "/debug/": { + "post": { "security": [ { "ApiKeyAuth": [] } ], + "description": "Write metrics to store", "produces": [ "application/json" ], "tags": [ - "free" + "debug" ], + "summary": "Debug endpoint", "parameters": [ { "type": "string", - "description": "up to timestamp", - "name": "to", + "description": "Selector", + "name": "selector", "in": "query" } ], "responses": { "200": { - "description": "ok", + "description": "Debug dump", "schema": { "type": "string" } @@ -78,32 +80,30 @@ const docTemplate = `{ } } }, - "/debug/": { - "post": { + "/free/": { + "get": { "security": [ { "ApiKeyAuth": [] } ], - "description": "Write metrics to store", "produces": [ "application/json" ], "tags": [ - "write" + "free" ], - "summary": "Debug endpoint", "parameters": [ { "type": "string", - "description": "Job Cluster", - "name": "selector", + "description": "up to timestamp", + "name": "to", "in": "query" } ], "responses": { "200": { - "description": "Debug dump", + "description": "ok", "schema": { "type": "string" } diff --git a/internal/api/server.go b/internal/api/server.go index ef16357..3f7bcd9 100644 --- a/internal/api/server.go +++ b/internal/api/server.go @@ -19,11 +19,15 @@ func MountRoutes(r *http.ServeMux) { if err != nil { log.Fatalf("starting server failed: %v", err) } - publicKey = ed25519.PublicKey(buf) + publicKey := ed25519.PublicKey(buf) + r.Handle("POST /api/free/", authHandler(http.HandlerFunc(handleFree), publicKey)) + r.Handle("POST /api/write/", authHandler(http.HandlerFunc(handleWrite), publicKey)) + r.Handle("GET /api/query/", authHandler(http.HandlerFunc(handleQuery), publicKey)) + r.Handle("GET /api/debug/", authHandler(http.HandlerFunc(handleDebug), publicKey)) + } else { + r.HandleFunc("POST /api/free/", handleFree) + r.HandleFunc("POST /api/write/", handleWrite) + r.HandleFunc("GET /api/query/", handleQuery) + r.HandleFunc("GET /api/debug/", handleDebug) } - - r.HandleFunc("POST /api/free/", handleFree) - r.HandleFunc("POST /api/write/", handleWrite) - r.HandleFunc("GET /api/query/", handleQuery) - r.HandleFunc("GET /api/debug/", handleDebug) }