From a8b66dbfaacb71b6f2a51c382859466ab1b6bae0 Mon Sep 17 00:00:00 2001 From: Dzejkop Date: Tue, 5 Dec 2023 12:19:45 +0100 Subject: [PATCH] Enable auth for admin routes --- Cargo.lock | 2 ++ Cargo.toml | 2 +- src/app.rs | 4 ---- src/config.rs | 21 +++++++++++++++------ src/server.rs | 8 +++++++- tests/common/mod.rs | 3 ++- 6 files changed, 27 insertions(+), 13 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b560d61..b9e9345 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4641,6 +4641,7 @@ version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "61c5bb1d698276a2443e5ecfabc1008bf15a36c12e6a7176e7bf089ea9131140" dependencies = [ + "base64 0.21.5", "bitflags 2.4.1", "bytes", "futures-core", @@ -4648,6 +4649,7 @@ dependencies = [ "http", "http-body", "http-range-header", + "mime", "pin-project-lite", "tower-layer", "tower-service", diff --git a/Cargo.toml b/Cargo.toml index 04bf3c5..be920b0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -46,7 +46,7 @@ tracing-subscriber = { version = "0.3", default-features = false, features = [ "json", "ansi", ] } -tower-http = { version = "0.4.4", features = ["trace"] } +tower-http = { version = "0.4.4", features = [ "trace", "auth" ] } uuid = { version = "0.8", features = ["v4"] } futures = "0.3" chrono = "0.4" diff --git a/src/app.rs b/src/app.rs index 4de5286..712423a 100644 --- a/src/app.rs +++ b/src/app.rs @@ -80,10 +80,6 @@ impl App { &self, api_token: &ApiKey, ) -> eyre::Result { - if self.config.server.disable_auth { - return Ok(true); - } - self.db .is_api_key_valid(&api_token.relayer_id, api_token.api_key_hash()) .await diff --git a/src/config.rs b/src/config.rs index e371edb..8836e9c 100644 --- a/src/config.rs +++ b/src/config.rs 
@@ -24,8 +24,17 @@ pub struct TxSitterConfig { pub struct ServerConfig { pub host: SocketAddr, - #[serde(default)] - pub disable_auth: bool, + pub username: Option, + pub password: Option, +} + +impl ServerConfig { + pub fn credentials(&self) -> Option<(&str, &str)> { + let username = self.username.as_deref()?; + let password = self.password.as_deref()?; + + Some((username, password)) + } } #[derive(Debug, Clone, Serialize, Deserialize)] @@ -102,7 +111,6 @@ mod tests { [server] host = "127.0.0.1:3000" - disable_auth = false [database] kind = "connection_string" @@ -118,7 +126,6 @@ mod tests { [server] host = "127.0.0.1:3000" - disable_auth = false [database] kind = "parts" @@ -140,7 +147,8 @@ mod tests { }, server: ServerConfig { host: SocketAddr::from(([127, 0, 0, 1], 3000)), - disable_auth: false, + username: None, + password: None, }, database: DatabaseConfig::connection_string( "postgres://postgres:postgres@127.0.0.1:52804/database" @@ -162,7 +170,8 @@ mod tests { }, server: ServerConfig { host: SocketAddr::from(([127, 0, 0, 1], 3000)), - disable_auth: false, + username: None, + password: None, }, database: DatabaseConfig::Parts(DbParts { host: "host".to_string(), diff --git a/src/server.rs b/src/server.rs index 9c7dc98..0bf6b5a 100644 --- a/src/server.rs +++ b/src/server.rs @@ -6,6 +6,7 @@ use axum::routing::{get, post, IntoMakeService}; use axum::Router; use hyper::server::conn::AddrIncoming; use thiserror::Error; +use tower_http::validate_request::ValidateRequestHeaderLayer; use self::routes::relayer::{ create_relayer, create_relayer_api_key, get_relayer, relayer_rpc, @@ -73,7 +74,7 @@ pub async fn spawn_server( .route("/:api_token/rpc", post(relayer_rpc)) .with_state(app.clone()); - let admin_routes = Router::new() + let mut admin_routes = Router::new() .route("/relayer", post(create_relayer)) .route( "/relayer/:relayer_id", 
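Review bot: `ServerConfig::credentials()` in src/config.rs returns `None` whenever either `username` or `password` is missing, so a config that sets only one of the two is treated exactly like one that sets neither, and the admin routes are served without authentication and without any error. A half-configured pair should be rejected when the config is loaded, for example by failing on `(Some(_), None) | (None, Some(_))`. The fields should also carry a doc comment such as `/// Basic-auth credentials for /admin; when either is unset the admin routes are NOT authenticated`. The derive line of `ServerConfig` is outside the hunk; if it derives `Debug`/`Serialize` like the struct that follows, the plaintext password will appear wherever the config is logged or dumped, so a redacting wrapper type is worth considering.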
@@ -83,6 +84,11 @@ pub async fn spawn_server( .route("/network/:chain_id", post(routes::network::create_network)) .with_state(app.clone()); + if let Some((username, password)) = app.config.server.credentials() { + admin_routes = admin_routes + .layer(ValidateRequestHeaderLayer::basic(username, password)); + } + let v1_routes = Router::new() .nest("/api", api_routes) .nest("/admin", admin_routes); diff --git a/tests/common/mod.rs b/tests/common/mod.rs index d233f81..50c0460 100644 --- a/tests/common/mod.rs +++ b/tests/common/mod.rs @@ -147,7 +147,8 @@ pub async fn setup_service( Ipv4Addr::new(127, 0, 0, 1), 0, )), - disable_auth: true, + username: None, + password: None, }, database: DatabaseConfig::connection_string(db_connection_url), keys: KeysConfig::Local(LocalKeysConfig {}),
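Review bot: The `if let Some((username, password)) = app.config.server.credentials()` guard in `spawn_server` fails open: with no credentials configured, the `/admin` router (relayer and network creation) is mounted with no authentication layer and nothing is logged. Because the old `disable_auth` flag is removed in this same commit, unauthenticated admin access is now the default for any config that omits the two new keys. Consider making that mode an explicit opt-in, or at minimum add an `else` branch with `tracing::warn!("admin routes are running without authentication")`. `ValidateRequestHeaderLayer::basic` matches a static `Authorization` value, and as far as I recall the tower-http docs describe it as too basic for production, so it also depends on TLS in front of this listener, which the hunk does not show. `spawn_server` begins and ends outside the hunk.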
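Review bot: `setup_service` in tests/common/mod.rs sets `username: None, password: None`, so every integration test built on it runs with the admin Basic-auth layer absent and the new check is never exercised. Add a test that configures both credentials and asserts that an admin request without an `Authorization` header is rejected with 401 while one carrying the configured credentials succeeds. `setup_service` continues outside the hunk.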