Optionally accept HTTP key through header in RPC requests. (#1097)

heroiclabs · Oct 18, 2023 · 2396870 · 2396870
1 parent 9fccb5d
commit 2396870
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,14 +4,17 @@ All notable changes to this project are documented below.
 The format is based on [keep a changelog](http://keepachangelog.com) and this project uses [semantic versioning](http://semver.org).
 
 ## [Unreleased]
+### Added
+- Allow HTTP key to be read from an HTTP request's Basic auth header if present.
+
 ### Changed
 - Use Steam partner API instead of public API for Steam profiles and friends requests.
 - Add create_time and update_time to returned storage engine writes acks.
 - Add storage index create flag to read only from the index.
 - Add caller id param to storage listing and storage index listing runtime APIs.
 
 ### Fixed
-- Fix linter-found test issue.
+- Fixed multiple issues found by linter.
 - Fix storage index listing results sometimes being returned with incorrect order.
 - Fixes calculation of leaderboard and tournament times for rare types of CRON expressions that don't execute at a fixed interval.
 - Improved how start and end times are calculated for tournaments occuring in the future.

diff --git a/server/api_rpc.go b/server/api_rpc.go
@@ -63,17 +63,30 @@ func (s *ApiServer) RpcFuncHttp(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	} else if auth := r.Header["Authorization"]; len(auth) >= 1 {
-		var token string
-		userID, username, vars, expiry, token, isTokenAuth = parseBearerAuth([]byte(s.config.GetSession().EncryptionKey), auth[0])
-		if !isTokenAuth || !s.sessionCache.IsValidSession(userID, expiry, token) {
-			// Auth token not valid or expired.
-			w.Header().Set("content-type", "application/json")
-			w.WriteHeader(http.StatusUnauthorized)
-			_, err := w.Write(authTokenInvalidBytes)
-			if err != nil {
-				s.logger.Debug("Error writing response to client", zap.Error(err))
+		if httpKey, _, ok := parseBasicAuth(auth[0]); ok {
+			if httpKey != s.config.GetRuntime().HTTPKey {
+				// HTTP key did not match.
+				w.Header().Set("content-type", "application/json")
+				w.WriteHeader(http.StatusUnauthorized)
+				_, err := w.Write(httpKeyInvalidBytes)
+				if err != nil {
+					s.logger.Debug("Error writing response to client", zap.Error(err))
+				}
+				return
+			}
+		} else {
+			var token string
+			userID, username, vars, expiry, token, isTokenAuth = parseBearerAuth([]byte(s.config.GetSession().EncryptionKey), auth[0])
+			if !isTokenAuth || !s.sessionCache.IsValidSession(userID, expiry, token) {
+				// Auth token not valid or expired.
+				w.Header().Set("content-type", "application/json")
+				w.WriteHeader(http.StatusUnauthorized)
+				_, err := w.Write(authTokenInvalidBytes)
+				if err != nil {
+					s.logger.Debug("Error writing response to client", zap.Error(err))
+				}
+				return
 			}
-			return
 		}
 	} else {
 		// No authentication present.