Add api key checking
All checks were successful
ci/woodpecker/manual/woodpecker Pipeline was successful

Madis Mägi 2023-08-02 00:31:08 +03:00
parent 71bb9694bc
commit d3ce95f7ba
2 changed files with 18 additions and 0 deletions


@ -21,6 +21,8 @@ spec:
- name: inventory-app - name: inventory-app
image: inventory-app image: inventory-app
env: env:
- name: INVENTORY_API_KEY
value: "sptWL6XFxl4b8"
- name: PYTHONUNBUFFERED - name: PYTHONUNBUFFERED
value: "1" value: "1"
- name: RECAPTCHA_PUBLIC_KEY - name: RECAPTCHA_PUBLIC_KEY
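Review bot: The `INVENTORY_API_KEY` value is committed in clear text in the manifest, so anyone who can read the repository, its history, or the workload object in the cluster can read the credential. Load it from a Kubernetes Secret through `valueFrom.secretKeyRef`, and keep the Secret itself out of version control or store it encrypted. Because the value is already in this commit, it should be treated as exposed and rotated. The Secret name and key in the sketch are placeholders, since the page does not show them.

```yaml
- name: INVENTORY_API_KEY
  valueFrom:
    secretKeyRef:
      name: <secret-name>   # placeholder
      key: <secret-key>     # placeholder
```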


@ -1,4 +1,7 @@
import os
import re
import const import const
from functools import wraps
from pymongo import MongoClient from pymongo import MongoClient
from flask import Blueprint, abort, g, make_response, redirect, render_template, request, jsonify from flask import Blueprint, abort, g, make_response, redirect, render_template, request, jsonify
from common import CustomForm, build_query, flatten, format_name, spam from common import CustomForm, build_query, flatten, format_name, spam
@ -6,6 +9,17 @@ from kubernetes import client, config
page_api = Blueprint("api", __name__) page_api = Blueprint("api", __name__)
db = MongoClient(const.MONGO_URI).get_default_database() db = MongoClient(const.MONGO_URI).get_default_database()
api_key = os.getenv("INVENTORY_API_KEY")
def check_api_key(f):
@wraps(f)
def decorated_function(*args, **kwargs):
request_key = request.headers.get('Authorization', False)
found_key = re.search(r"Basic (.*)", request_key).group(1)
if not found_key or found_key != api_key:
return "nope", 403
return f(*args, **kwargs)
return decorated_function
def get_users(): def get_users():
config.load_incluster_config() config.load_incluster_config()
@ -17,12 +31,14 @@ def get_users():
return resp return resp
@page_api.route("/users") @page_api.route("/users")
@check_api_key
def view_users(): def view_users():
resp = get_users() resp = get_users()
print(resp) print(resp)
return jsonify(resp) return jsonify(resp)
@page_api.route("/cards", methods=["POST"]) @page_api.route("/cards", methods=["POST"])
@check_api_key
def get_group_cards(): def get_group_cards():
groups = request.json.get("groups", False) groups = request.json.get("groups", False)
if not groups: if not groups:
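Review bot: In `check_api_key` (second hunk), a request with no `Authorization` header passes `False` to `re.search`, which raises `TypeError`, and a header without `Basic ` makes `re.search` return `None`, so `.group(1)` raises `AttributeError`. Both cases fail closed but return a 500 instead of the intended 403, which hides failed authentication attempts among server errors in logs and monitoring. The key is also compared with `!=`, which is not constant-time; `hmac.compare_digest` (needs `import hmac` at the top of the file) removes that timing signal. An unset `INVENTORY_API_KEY` should be rejected explicitly rather than relying on `None` never equalling a string. The sketch parses the header without the regex and keeps the existing 403 response.

```python
def check_api_key(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        # Missing header -> empty string, so parsing never raises.
        scheme, _, presented = request.headers.get("Authorization", "").partition(" ")
        if (
            not api_key                      # refuse everything if the key is not configured
            or scheme != "Basic"
            or not presented
            or not hmac.compare_digest(presented.encode(), api_key.encode())
        ):
            return "nope", 403
        return f(*args, **kwargs)
    return decorated_function
```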