Merge pull request #26 from FachschaftMathPhysInfo/22-secure-mutation…

…s-through-api-key check valid api key
FachschaftMathPhysInfo · Jul 4, 2024 · 7a7f2e6 · 7a7f2e6
2 parents ba698b2 + 1de6441
commit 7a7f2e6
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/.env b/.env
@@ -9,3 +9,5 @@ SMTP_PORT=
 FROM_ADDRESS=
 
 API_URL=http://localhost:8080
+
+API_KEY=
diff --git a/server/server.go b/server/server.go
@@ -18,7 +18,10 @@ import (
 	"github.com/rs/cors"
 )
 
-const defaultPort = "8080"
+const (
+	defaultPort  = "8080"
+	apiKeyHeader = "X-API-Key"
+)
 
 func main() {
 	ctx := context.Background()
@@ -66,7 +69,15 @@ func main() {
 
 	gqlResolvers := graph.Resolver{DB: db}
 	srv := handler.NewDefaultServer(graph.NewExecutableSchema(graph.Config{Resolvers: &gqlResolvers}))
-	router.Handle("/api", srv)
+	router.With(func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.Header.Get(apiKeyHeader) != os.Getenv("API_KEY") {
+				http.Error(w, "Invalid API Key", http.StatusUnauthorized)
+				return
+			}
+			h.ServeHTTP(w, r)
+		})
+	}).Handle("/api", srv)
 
 	router.Handle("/", playground.Handler("GraphQL playground", "/api"))