diff --git a/kubernetes/bananobot/deployment.yaml b/kubernetes/bananobot/deployment.yaml
index 9a7155d..97719b8 100644
--- a/kubernetes/bananobot/deployment.yaml
+++ b/kubernetes/bananobot/deployment.yaml
@@ -62,6 +62,11 @@ spec:
 secretKeyRef:
 name: bananobot
 key: wallet_id
+ - name: API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: bananobot
+ key: api_key
 volumeMounts:
 - name: conf
 mountPath: /config
diff --git a/kubernetes/bananobot/ingress.yaml b/kubernetes/bananobot/ingress.yaml
index d08ead6..751c1e0 100644
--- a/kubernetes/bananobot/ingress.yaml
+++ b/kubernetes/bananobot/ingress.yaml
@@ -6,6 +6,10 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: "nginx"
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ location = /callback {
+ return 403;
+ }
 spec:
 tls:
 - hosts:
diff --git a/kubernetes/graham_banano/deployment.yaml b/kubernetes/graham_banano/deployment.yaml
index 4957821..b9b2a22 100644
--- a/kubernetes/graham_banano/deployment.yaml
+++ b/kubernetes/graham_banano/deployment.yaml
@@ -59,6 +59,11 @@ spec:
 secretKeyRef:
 name: graham-banano
 key: wallet_id
+ - name: API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: graham-banano
+ key: api_key
 volumeMounts:
 - name: conf
 mountPath: /config
diff --git a/kubernetes/graham_banano/ingress.yaml b/kubernetes/graham_banano/ingress.yaml
index 8182d97..4f1ddc3 100644
--- a/kubernetes/graham_banano/ingress.yaml
+++ b/kubernetes/graham_banano/ingress.yaml
@@ -6,6 +6,10 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: "nginx"
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ location = /callback {
+ return 403;
+ }
 spec:
 tls:
 - hosts:
diff --git a/kubernetes/nano/deployment.yaml b/kubernetes/nano/deployment.yaml
index c96f751..d764e0c 100644
--- a/kubernetes/nano/deployment.yaml
+++ b/kubernetes/nano/deployment.yaml
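Review bot: The new `API_KEY` entry under `env` has no `optional: true`, so the pod stays in CreateContainerConfigError until an `api_key` key exists in the `bananobot` Secret; that fails closed, which is the right default, but the Secret has to be populated before this rollout, and the same holds for the `graham-banano` and `graham-nano` entries in kubernetes/graham_banano/deployment.yaml and kubernetes/nano/deployment.yaml. Because the value is injected as an environment variable it is fixed at container start, so rotating the key requires a rollout restart rather than a Secret edit alone. A one-line comment above the entry, `# rotated api_key values take effect only after a rollout restart`, would spare the next operator that surprise.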
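Review bot: `location = /callback { return 403; }` is an exact-match location, so only the literal path `/callback` is refused; `/callback/` and any sub-path still reach the backend if the application routes them, and nothing here verifies that the snippet was actually rendered. If the controller runs with snippet annotations disallowed, the Ingress is still admitted but the location block is dropped, leaving `/callback` reachable — the rendered nginx.conf should be checked after deploy, and the application itself should refuse unauthenticated `/callback` requests so that exposure does not hinge on controller configuration. The snippet is injected into the location generated for the Ingress path, and nginx rejects a nested location that lies outside its parent's prefix, so this presumably assumes the Ingress path is `/`; worth a comment such as `# nested location: valid only while the Ingress path is /`. The same snippet appears in kubernetes/graham_banano/ingress.yaml and kubernetes/nano/ingress.yaml.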
@@ -60,6 +60,11 @@ spec:
 secretKeyRef:
 name: graham-nano
 key: wallet_id
+ - name: API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: graham-nano
+ key: api_key
 volumeMounts:
 - name: conf
 mountPath: /config
diff --git a/kubernetes/nano/ingress.yaml b/kubernetes/nano/ingress.yaml
index e7a5fd0..610e6f9 100644
--- a/kubernetes/nano/ingress.yaml
+++ b/kubernetes/nano/ingress.yaml
@@ -6,6 +6,10 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: "nginx"
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ location = /callback {
+ return 403;
+ }
 spec:
 tls:
 - hosts:
diff --git a/server.py b/server.py
index 4ef0c27..c1a6fea 100644
--- a/server.py
+++ b/server.py
@@ -13,6 +13,7 @@
 import rapidjson as json
 import string
 import random
+import os
 from typing import List
 from db.models.transaction import Transaction
@@ -50,6 +51,17 @@ def format_js_iso(self, date: datetime.datetime) -> str:
 async def get_active(self, request: web.Request) -> List[User]:
 """Return a list of active users"""
+ # Retrieve the API_KEY from environment variables
+ api_key = os.getenv('API_KEY')
+
+ # Get the Authorization header from the request
+ auth_header = request.headers.get('Authorization')
+
+ # Check if the Authorization header is present and matches the API_KEY
+ if not auth_header or auth_header != api_key:
+ # If not, return an HTTP 401 Unauthorized response
+ raise web.HTTPUnauthorized(reason="Invalid or missing API key.")
+
 redis = await RedisDB.instance().get_redis()
 if 'server_id' not in request.match_info:
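Review bot: `auth_header != api_key` in get_active compares the presented key with an ordinary string comparison, which stops at the first differing byte and so leaks timing information about the secret; compare with `hmac.compare_digest` on the encoded values instead, which needs `import hmac` beside the new `import os` in the import hunk. The identical block is pasted into ufw, wfu and users (the three hunks that follow), so the check belongs in a single helper — or an aiohttp middleware — so that a future route cannot omit it. The current logic does fail closed when `API_KEY` is unset or empty, since any presented header then mismatches and a missing header is rejected outright; the helper below keeps that property explicitly and documents that the header carries the bare key with no scheme. The body of get_active continues outside the hunk.
```python
    def _require_api_key(self, request: web.Request) -> None:
        """Raise HTTPUnauthorized unless the Authorization header equals API_KEY.

        The header is expected to carry the bare key (no scheme prefix).
        Fails closed: an unset or empty API_KEY rejects every request.
        """
        expected = os.getenv('API_KEY')
        presented = request.headers.get('Authorization')
        # compare_digest keeps the comparison time independent of where the
        # two values first differ; both guards keep it from ever seeing None.
        if not expected or not presented or not hmac.compare_digest(
            presented.encode('utf-8'), expected.encode('utf-8')
        ):
            raise web.HTTPUnauthorized(reason="Invalid or missing API key.")

    async def get_active(self, request: web.Request) -> List[User]:
        """Return a list of active users"""
        self._require_api_key(request)
        # … unchanged: redis lookup and server_id handling …
```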
@@ -100,6 +112,15 @@ async def get_active(self, request: web.Request) -> List[User]:
 async def ufw(self, request: web.Request):
 """Return user info for specified wallet addresses e.g. http://server/wfu/ban_16n5c7qozokx661rneikh6e3mf978mc46qqjen7a51pwzood155bwrha6sfj+ban_37z6omyukgpgttq7bdagweaxdrdm5wjy7tdm97ggtkobdetme3bmhfayjowj"""
+ api_key = os.getenv('API_KEY')
+
+ # Get the Authorization header from the request
+ auth_header = request.headers.get('Authorization')
+
+ # Check if the Authorization header is present and matches the API_KEY
+ if not auth_header or auth_header != api_key:
+ # If not, return an HTTP 401 Unauthorized response
+ raise web.HTTPUnauthorized(reason="Invalid or missing API key.")
 if 'wallet' not in request.match_info:
 return web.HTTPBadRequest(reason="wallet is required")
 try:
@@ -130,6 +151,15 @@ async def ufw(self, request: web.Request):
 async def wfu(self, request: web.Request):
 """Return user info for specified discord IDs e.g. http://server/wfu/303599885800964097+412286270694359052"""
+ api_key = os.getenv('API_KEY')
+
+ # Get the Authorization header from the request
+ auth_header = request.headers.get('Authorization')
+
+ # Check if the Authorization header is present and matches the API_KEY
+ if not auth_header or auth_header != api_key:
+ # If not, return an HTTP 401 Unauthorized response
+ raise web.HTTPUnauthorized(reason="Invalid or missing API key.")
 if 'user' not in request.match_info:
 return web.HTTPBadRequest(reason="user(s) is required")
 user_ids = []
@@ -161,6 +191,15 @@ async def wfu(self, request: web.Request):
 )
 async def users(self, request: web.Request):
+ api_key = os.getenv('API_KEY')
+
+ # Get the Authorization header from the request
+ auth_header = request.headers.get('Authorization')
+
+ # Check if the Authorization header is present and matches the API_KEY
+ if not auth_header or auth_header != api_key:
+ # If not, return an HTTP 401 Unauthorized response
+ raise web.HTTPUnauthorized(reason="Invalid or missing API key.")
 cached = await RedisDB.instance().get("apiuserscache")
 if cached is not None:
 return web.json_response(
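Review bot: `users` is the only handler touched in this series without a docstring, and the added key check now makes it the first thing a reader meets with no statement of what the route serves. Add one that states only what the hunk shows, e.g. `"""Return the users payload, served from the "apiuserscache" Redis key when it is populated."""`, since the fallback when the cache is empty lies outside the hunk. The body of users continues past the last line shown.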