From b290c0e7cf78be033a89bd0394734de401cf89db Mon Sep 17 00:00:00 2001
From: Thom Shutt
Date: Tue, 11 Oct 2022 11:02:07 +0100
Subject: [PATCH] Make auth token configurable (no longer hardcoded)
---
 api/http.go | 10 +++++-----
 api/http_test.go | 2 +-
 main.go | 3 ++-
 middleware/auth.go | 6 ++----
 middleware/middleware_test.go | 4 ++--
 5 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/api/http.go b/api/http.go
index c0075655a..1bf9ad585 100644
--- a/api/http.go
+++ b/api/http.go
@@ -12,7 +12,7 @@ import (
 "github.com/livepeer/catalyst-api/middleware"
 )
-func ListenAndServe(apiPort, mistPort, mistHttpPort int) error {
+func ListenAndServe(apiPort, mistPort, mistHttpPort int, apiToken string) error {
 mc := &clients.MistClient{
 ApiUrl: fmt.Sprintf("http://localhost:%d/api2", mistPort),
 HttpReqUrl: fmt.Sprintf("http://localhost:%d", mistHttpPort),
@@ -20,7 +20,7 @@ func ListenAndServe(apiPort, mistPort, mistHttpPort int) error {
 }
 listen := fmt.Sprintf("0.0.0.0:%d", apiPort)
- router := NewCatalystAPIRouter(mc)
+ router := NewCatalystAPIRouter(mc, apiToken)
 _ = config.Logger.Log(
 "msg", "Starting Catalyst API",
@@ -30,7 +30,7 @@ func ListenAndServe(apiPort, mistPort, mistHttpPort int) error {
 return http.ListenAndServe(listen, router)
 }
-func NewCatalystAPIRouter(mc *clients.MistClient) *httprouter.Router {
+func NewCatalystAPIRouter(mc *clients.MistClient, apiToken string) *httprouter.Router {
 router := httprouter.New()
 withLogging := middleware.LogRequest()
 withAuth := middleware.IsAuthorized
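Review bot: The exported `ListenAndServe` (first hunk of api/http.go) and `NewCatalystAPIRouter` (third hunk) gain a security-relevant parameter but still carry no doc comment saying what `apiToken` is or which routes it protects. I would add `// ListenAndServe starts the Catalyst API on apiPort; the /api/vod and /api/transcode/file routes require apiToken as a Bearer token.` and a matching one-line comment on `NewCatalystAPIRouter`. Both function bodies continue outside their hunks.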
@@ -42,8 +42,8 @@ func NewCatalystAPIRouter(mc *clients.MistClient) *httprouter.Router {
 router.GET("/ok", withLogging(catalystApiHandlers.Ok()))
 // Public Catalyst API
- router.POST("/api/vod", withLogging(withAuth(catalystApiHandlers.UploadVOD())))
- router.POST("/api/transcode/file", withLogging(withAuth(catalystApiHandlers.TranscodeSegment())))
+ router.POST("/api/vod", withLogging(withAuth(apiToken, catalystApiHandlers.UploadVOD())))
+ router.POST("/api/transcode/file", withLogging(withAuth(apiToken, catalystApiHandlers.TranscodeSegment())))
 // Endpoint to receive "Triggers" (callbacks) from Mist
 router.POST("/api/mist/trigger", withLogging(mistCallbackHandlers.Trigger()))
diff --git a/api/http_test.go b/api/http_test.go
index 1729e0517..56302ad4b 100644
--- a/api/http_test.go
+++ b/api/http_test.go
@@ -8,7 +8,7 @@ import (
 func TestInitServer(t *testing.T) {
 require := require.New(t)
- router := NewCatalystAPIRouter(nil)
+ router := NewCatalystAPIRouter(nil, "IAmAuthorized")
 handle, _, _ := router.Lookup("GET", "/ok")
 require.NotNil(handle)
diff --git a/main.go b/main.go
index 05751fa78..47fae38b4 100644
--- a/main.go
+++ b/main.go
@@ -13,6 +13,7 @@ func main() {
 port := flag.Int("port", 4949, "Port to listen on")
 mistPort := flag.Int("mist-port", 4242, "Port to listen on")
 mistHttpPort := flag.Int("mist-http-port", 8080, "Port to listen on")
+ apiToken := flag.String("api-token", "IAmAuthorized", "Auth header value for API access")
 flag.StringVar(&config.RecordingCallback, "recording", "http://recording.livepeer.com/recording/status", "Callback URL for recording start&stop events")
 mistJson := flag.Bool("j", false, "Print application info as JSON. Used by Mist to present flags in its UI.")
 flag.Parse()
@@ -22,7 +23,7 @@ func main() {
 return
 }
- if err := api.ListenAndServe(*port, *mistPort, *mistHttpPort); err != nil {
+ if err := api.ListenAndServe(*port, *mistPort, *mistHttpPort, *apiToken); err != nil {
 log.Fatal(err)
 }
 }
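Review bot: Passing `apiToken` at every `withAuth(...)` call site in the last api/http.go hunk means each new protected route has to repeat the secret argument, and nothing stops a future route from being wired with a different or empty value. Binding it once where `withAuth` is defined (previous hunk) keeps the route lines as they were: `withAuth := func(h httprouter.Handle) httprouter.Handle { return middleware.IsAuthorized(apiToken, h) }`. The body of `NewCatalystAPIRouter` continues outside both hunks.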
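Review bot: The new `-api-token` flag in the first main.go hunk defaults to `"IAmAuthorized"`, the value that was hard-coded and is already public in the repository history, so any deployment that omits the flag still accepts a known token. I would default to the empty string and refuse to start when it is unset, placed after the `-j` early return: `if *apiToken == "" { log.Fatal("api-token must be set") }`. Two smaller points: a secret passed on the command line is usually visible in the process list, so an environment-variable or file source is worth considering, and it is worth checking whether the `-j` JSON output exposes the flag's default to the Mist UI.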
diff --git a/middleware/auth.go b/middleware/auth.go
index 856f1b52e..3f218c214 100644
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -8,9 +8,7 @@ import (
 "github.com/livepeer/catalyst-api/errors"
 )
-var testToken = "IAmAuthorized"
-
-func IsAuthorized(next httprouter.Handle) httprouter.Handle {
+func IsAuthorized(apiToken string, next httprouter.Handle) httprouter.Handle {
 return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 authHeader := r.Header.Get("Authorization")
@@ -21,7 +19,7 @@ func IsAuthorized(next httprouter.Handle) httprouter.Handle {
 token := strings.TrimPrefix(authHeader, "Bearer ")
- if token != testToken {
+ if token != apiToken {
 errors.WriteHTTPUnauthorized(w, "Invalid Token", nil)
 return
 }
diff --git a/middleware/middleware_test.go b/middleware/middleware_test.go
index dd85bc06f..93c9e5aa5 100644
--- a/middleware/middleware_test.go
+++ b/middleware/middleware_test.go
@@ -17,7 +17,7 @@ func TestNoAuthHeader(t *testing.T) {
 req, _ := http.NewRequest("GET", "/ok", nil)
 rr := httptest.NewRecorder()
 catalystApiHandlers := handlers.CatalystAPIHandlersCollection{}
- router.GET("/ok", IsAuthorized(catalystApiHandlers.Ok()))
+ router.GET("/ok", IsAuthorized("IAmAuthorized", catalystApiHandlers.Ok()))
 router.ServeHTTP(rr, req)
 require.Equal(rr.Code, 401, "should return 401")
@@ -33,7 +33,7 @@ func TestWrongKey(t *testing.T) {
 rr := httptest.NewRecorder()
 catalystApiHandlers := handlers.CatalystAPIHandlersCollection{}
- router.GET("/ok", IsAuthorized(catalystApiHandlers.Ok()))
+ router.GET("/ok", IsAuthorized("IAmAuthorized", catalystApiHandlers.Ok()))
 router.ServeHTTP(rr, req)
 require.Equal(rr.Code, 401, "should return 401")
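Review bot: The check `if token != apiToken` in the second middleware/auth.go hunk compares a real deployment secret with Go's ordinary string comparison, which returns at the first differing byte and so is not constant-time. Now that the value is no longer a test constant, I would switch to `if subtle.ConstantTimeCompare([]byte(token), []byte(apiToken)) != 1 {` and add `crypto/subtle` to the imports. The context line `strings.TrimPrefix(authHeader, "Bearer ")` also appears to let a header with no `Bearer ` scheme through to the comparison unchanged. Requiring the prefix with `strings.HasPrefix` before trimming would make the expected scheme explicit. The handler body starts and ends outside this hunk, so the empty-header branch is not visible here.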
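Review bot: Both updated tests in middleware/middleware_test.go (`TestNoAuthHeader` and `TestWrongKey`) pass the old literal `"IAmAuthorized"` and only exercise the 401 paths, so nothing visible in these hunks proves that `IsAuthorized` honours the value it is given. A version that ignored `apiToken` would still pass them. I would add an accept-path test with a value distinct from the former constant, for example `IsAuthorized("test-token", ...)` with the header `Authorization: Bearer test-token` expecting 200, plus a case where `Bearer IAmAuthorized` is rejected under that configuration. Both test functions extend beyond the hunks shown.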