From d3ce95f7bac9bd7bb363af10bb1c24d987537247 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Madis=20M=C3=A4gi?=
Date: Wed, 2 Aug 2023 00:31:08 +0300
Subject: [PATCH] Add api key checking
---
 deployment.yaml | 2 ++
 inventory-app/api.py | 16 ++++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/deployment.yaml b/deployment.yaml
index 8f1383f..0712aee 100644
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -21,6 +21,8 @@ spec:
 - name: inventory-app
 image: inventory-app
 env:
+ - name: INVENTORY_API_KEY
+ value: "sptWL6XFxl4b8"
 - name: PYTHONUNBUFFERED
 value: "1"
 - name: RECAPTCHA_PUBLIC_KEY
diff --git a/inventory-app/api.py b/inventory-app/api.py
index cde846a..60715f3 100644
--- a/inventory-app/api.py
+++ b/inventory-app/api.py
@@ -1,4 +1,7 @@
+import os
+import re
 import const
+from functools import wraps
 from pymongo import MongoClient
 from flask import Blueprint, abort, g, make_response, redirect, render_template, request, jsonify
 from common import CustomForm, build_query, flatten, format_name, spam
@@ -6,6 +9,17 @@ from kubernetes import client, config
 page_api = Blueprint("api", __name__)
 db = MongoClient(const.MONGO_URI).get_default_database()
+api_key = os.getenv("INVENTORY_API_KEY")
+
+def check_api_key(f):
+ @wraps(f)
+ def decorated_function(*args, **kwargs):
+ request_key = request.headers.get('Authorization', False)
+ found_key = re.search(r"Basic (.*)", request_key).group(1)
+ if not found_key or found_key != api_key:
+ return "nope", 403
+ return f(*args, **kwargs)
+ return decorated_function
 def get_users():
 config.load_incluster_config()
@@ -17,12 +31,14 @@ def get_users():
 return resp
 @page_api.route("/users")
+@check_api_key
 def view_users():
 resp = get_users()
 print(resp)
 return jsonify(resp)
 @page_api.route("/cards", methods=["POST"])
+@check_api_key
 def get_group_cards():
 groups = request.json.get("groups", False)
 if not groups:
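Review bot: The API key is committed as a literal `value:` in the `INVENTORY_API_KEY` env entry added here, so anyone who can read the repository or the Deployment object can read the credential, and it remains in git history even if a later commit removes it. Source it from a Kubernetes Secret instead, for example `valueFrom: {secretKeyRef: {name: <SECRET_NAME>, key: <SECRET_KEY>}}` (both names are placeholders), and rotate the key this commit exposes. The container spec continues outside the hunk.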
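Review bot: A request without an `Authorization` header, or with one that does not contain `Basic `, raises inside `decorated_function` instead of returning 403: `re.search` is handed `False` in the first case and returns `None` before `.group(1)` in the second. Access is still denied, but as an unhandled 500, which hides probing among application errors. The key is also compared with `!=`, which is not constant-time; `hmac.compare_digest` on the encoded values avoids that and needs `import hmac` at the top of the file. If `INVENTORY_API_KEY` is unset, `api_key` is `None`, and the rewrite below treats that as an explicit reject rather than relying on the comparison failing.

```python
    def decorated_function(*args, **kwargs):
        header = request.headers.get("Authorization", "")
        match = re.fullmatch(r"Basic (.+)", header)
        # Missing or malformed header, or no key configured on the server: same 403.
        if not match or not api_key:
            return "nope", 403
        # Compare as bytes so a non-ASCII header value cannot raise in compare_digest.
        if not hmac.compare_digest(match.group(1).encode(), api_key.encode()):
            return "nope", 403
        # … unchanged: return f(*args, **kwargs) …
```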
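Review bot: Protection is opt-in per route here, since `@check_api_key` is added under each `@page_api.route(...)` line, so a route added to this blueprint later is unauthenticated unless its author remembers the decorator. If every endpoint on `page_api` is meant to require the key (other routes, if any, are outside the hunk, so this is an assumption), registering the check once with `@page_api.before_request` makes it the default. The decorator order used here is correct, because `route` registers the already wrapped function. The body of `get_group_cards` continues outside the hunk.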