[public-api] Use personal access token signing key

easyCZ · roboquat · commit a0a9ddddc519 · 2022-11-22T07:11:52.000-03:00
diff --git a/components/public-api-server/pkg/apiv1/tokens.go b/components/public-api-server/pkg/apiv1/tokens.go
@@ -24,18 +24,20 @@ import (
 	"gorm.io/gorm"
 )
 
-func NewTokensService(connPool proxy.ServerConnectionPool, expClient experiments.Client, dbConn *gorm.DB) *TokensService {
+func NewTokensService(connPool proxy.ServerConnectionPool, expClient experiments.Client, dbConn *gorm.DB, signer auth.Signer) *TokensService {
 	return &TokensService{
 		connectionPool: connPool,
 		expClient:      expClient,
 		dbConn:         dbConn,
+		signer:         signer,
 	}
 }
 
 type TokensService struct {
 	connectionPool proxy.ServerConnectionPool
 	expClient      experiments.Client
 	dbConn         *gorm.DB
+	signer         auth.Signer
 
 	v1connect.UnimplementedTokensServiceHandler
 }
diff --git a/components/public-api-server/pkg/apiv1/tokens_test.go b/components/public-api-server/pkg/apiv1/tokens_test.go
@@ -370,13 +370,14 @@ func setupTokensService(t *testing.T, expClient experiments.Client) (*protocol.M
 	t.Helper()
 
 	dbConn := dbtest.ConnectForTests(t)
+	signer := auth.NewHS256Signer([]byte("my-secret"))
 
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
 
 	serverMock := protocol.NewMockAPIInterface(ctrl)
 
-	svc := NewTokensService(&FakeServerConnPool{api: serverMock}, expClient, dbConn)
+	svc := NewTokensService(&FakeServerConnPool{api: serverMock}, expClient, dbConn, signer)
 
 	_, handler := v1connect.NewTokensServiceHandler(svc, connect.WithInterceptors(auth.NewServerInterceptor()))
 
diff --git a/components/public-api-server/pkg/server/server.go b/components/public-api-server/pkg/server/server.go
@@ -75,7 +75,7 @@ func Start(logger *logrus.Entry, version string, cfg *config.Configuration) erro
 
 	var stripeWebhookHandler http.Handler = webhooks.NewNoopWebhookHandler()
 	if cfg.StripeWebhookSigningSecretPath != "" {
-		stripeWebhookSecret, err := readStripeWebhookSecret(cfg.StripeWebhookSigningSecretPath)
+		stripeWebhookSecret, err := readSecretFromFile(cfg.StripeWebhookSigningSecretPath)
 		if err != nil {
 			return fmt.Errorf("failed to read stripe secret: %w", err)
 		}
@@ -84,9 +84,21 @@ func Start(logger *logrus.Entry, version string, cfg *config.Configuration) erro
 		log.Info("No stripe webhook secret is configured, endpoints will return NotImplemented")
 	}
 
+	var signer auth.Signer
+	if cfg.PersonalAccessTokenSigningKeyPath != "" {
+		personalACcessTokenSigningKey, err := readSecretFromFile(cfg.PersonalAccessTokenSigningKeyPath)
+		if err != nil {
+			return fmt.Errorf("failed to read personal access token signing key: %w", err)
+		}
+
+		signer = auth.NewHS256Signer([]byte(personalACcessTokenSigningKey))
+	} else {
+		log.Info("No Personal Access Token signign key specified, PersonalAccessToken service will be disabled.")
+	}
+
 	srv.HTTPMux().Handle("/stripe/invoices/webhook", handlers.ContentTypeHandler(stripeWebhookHandler, "application/json"))
 
-	if registerErr := register(srv, connPool, expClient, dbConn); registerErr != nil {
+	if registerErr := register(srv, connPool, expClient, dbConn, signer); registerErr != nil {
 		return fmt.Errorf("failed to register services: %w", registerErr)
 	}
 
@@ -97,7 +109,7 @@ func Start(logger *logrus.Entry, version string, cfg *config.Configuration) erro
 	return nil
 }
 
-func register(srv *baseserver.Server, connPool proxy.ServerConnectionPool, expClient experiments.Client, dbConn *gorm.DB) error {
+func register(srv *baseserver.Server, connPool proxy.ServerConnectionPool, expClient experiments.Client, dbConn *gorm.DB, signer auth.Signer) error {
 	proxy.RegisterMetrics(srv.MetricsRegistry())
 
 	connectMetrics := NewConnectMetrics()
@@ -120,8 +132,10 @@ func register(srv *baseserver.Server, connPool proxy.ServerConnectionPool, expCl
 	teamsRoute, teamsServiceHandler := v1connect.NewTeamsServiceHandler(apiv1.NewTeamsService(connPool), handlerOptions...)
 	srv.HTTPMux().Handle(teamsRoute, teamsServiceHandler)
 
-	tokensRoute, tokensServiceHandler := v1connect.NewTokensServiceHandler(apiv1.NewTokensService(connPool, expClient, dbConn), handlerOptions...)
-	srv.HTTPMux().Handle(tokensRoute, tokensServiceHandler)
+	if signer != nil {
+		tokensRoute, tokensServiceHandler := v1connect.NewTokensServiceHandler(apiv1.NewTokensService(connPool, expClient, dbConn, signer), handlerOptions...)
+		srv.HTTPMux().Handle(tokensRoute, tokensServiceHandler)
+	}
 
 	userRoute, userServiceHandler := v1connect.NewUserServiceHandler(apiv1.NewUserService(connPool), handlerOptions...)
 	srv.HTTPMux().Handle(userRoute, userServiceHandler)
@@ -132,10 +146,10 @@ func register(srv *baseserver.Server, connPool proxy.ServerConnectionPool, expCl
 	return nil
 }
 
-func readStripeWebhookSecret(path string) (string, error) {
+func readSecretFromFile(path string) (string, error) {
 	b, err := os.ReadFile(path)
 	if err != nil {
-		return "", fmt.Errorf("failed to read stripe webhook secret: %w", err)
+		return "", fmt.Errorf("failed to read secret from file: %w", err)
 	}
 
 	return strings.TrimSpace(string(b)), nil

Original file line number	Diff line number	Diff line change
`@@ -24,18 +24,20 @@ import (`
`24`	`24`	`"gorm.io/gorm"`
`25`	`25`	`)`
`26`	`26`
`27`		`-func NewTokensService(connPool proxy.ServerConnectionPool, expClient experiments.Client, dbConn gorm.DB) TokensService {`
	`27`	`+func NewTokensService(connPool proxy.ServerConnectionPool, expClient experiments.Client, dbConn gorm.DB, signer auth.Signer) TokensService {`
`28`	`28`	`return &TokensService{`
`29`	`29`	`connectionPool: connPool,`
`30`	`30`	`expClient: expClient,`
`31`	`31`	`dbConn: dbConn,`
	`32`	`+ signer: signer,`
`32`	`33`	`}`
`33`	`34`	`}`
`34`	`35`
`35`	`36`	`type TokensService struct {`
`36`	`37`	`connectionPool proxy.ServerConnectionPool`
`37`	`38`	`expClient experiments.Client`
`38`	`39`	`dbConn *gorm.DB`
	`40`	`+ signer auth.Signer`
`39`	`41`
`40`	`42`	`v1connect.UnimplementedTokensServiceHandler`
`41`	`43`	`}`