feat(agent): add hashed token basea authentication

swiftwave-org · Feb 9, 2025 · 77f6239 · 77f6239
1 parent 1f10524
commit 77f6239
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 13 deletions.
diff --git a/agent/api_server.go b/agent/api_server.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
+	"golang.org/x/crypto/bcrypt"
 )
 
 func startHttpServer() {
@@ -18,16 +19,22 @@ func startHttpServer() {
 		Format: "method=${method}, uri=${uri}, status=${status}\n",
 	}))
 
+	config, err := GetConfig()
+	if err != nil {
+		log.Fatalf("Failed to fetch config: %v", err)
+	}
+
 	// Auth middleware
-	// e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
-	// 	return func(c echo.Context) error {
-	// 		token := c.Request().Header.Get("Authorization")
-	// 		if token != "Token" {
-	// 			return c.JSON(http.StatusUnauthorized, "Unauthorized")
-	// 		}
-	// 		return next(c)
-	// 	}
-	// })
+	e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			token := c.Request().Header.Get("Authorization")
+			err := bcrypt.CompareHashAndPassword([]byte(config.AuthTokenHash), []byte(token))
+			if err != nil || token == "" || config.AuthTokenHash == "" {
+				return c.JSON(http.StatusUnauthorized, map[string]string{"error": "invalid token"})
+			}
+			return next(c)
+		}
+	})
 
 	// Volume API
 	e.GET("/volumes", fetchAllVolumes)
@@ -73,10 +80,6 @@ func startHttpServer() {
 	e.DELETE("/containers/:uuid", deleteContainer)
 	e.GET("/containers/:uuid/status", statusOfContainer)
 
-	config, err := GetConfig()
-	if err != nil {
-		log.Fatalf("Failed to fetch config: %v", err)
-	}
 	ip, _, err := net.ParseCIDR(config.WireguardConfig.Address)
 	if err != nil {
 		log.Fatalf("Failed to parse wireguard address: %v", err)

diff --git a/agent/cli.go b/agent/cli.go
@@ -21,6 +21,7 @@ func init() {
 	rootCmd.AddCommand(dbMigrate)
 	rootCmd.AddCommand(cleanup)
 
+	setupCmd.Flags().String("auth-token-hash", "", "Auth token hash")
 	setupCmd.Flags().String("wireguard-private-key", "", "Wireguard private key")
 	setupCmd.Flags().String("wireguard-address", "", "Wireguard address")
 	setupCmd.Flags().String("docker-network-gateway-address", "", "Docker network gateway address")
@@ -33,6 +34,7 @@ func init() {
 	setupCmd.Flags().String("master-node-public-key", "", "Master server public key")
 	setupCmd.Flags().String("master-node-allowed-ips", "", "Master server allowed ips")
 
+	setupCmd.MarkFlagRequired("auth-token-hash")
 	setupCmd.MarkFlagRequired("wireguard-private-key")
 	setupCmd.MarkFlagRequired("wireguard-address")
 	setupCmd.MarkFlagRequired("docker-network-gateway-address")
@@ -111,6 +113,7 @@ var setupCmd = &cobra.Command{
 		}
 
 		config := AgentConfig{
+			AuthTokenHash:           cmd.Flag("auth-token-hash").Value.String(),
 			NodeType:                nodeType,
 			SwiftwaveServiceAddress: cmd.Flag("swiftwave-service-address").Value.String(),
 			WireguardConfig: WireguardConfig{

diff --git a/agent/config.go b/agent/config.go
@@ -14,6 +14,7 @@ const (
 
 type AgentConfig struct {
 	ID                      uint                    `gorm:"primaryKey"`
+	AuthTokenHash           string                  `json:"auth_token_hash" gorm:"column:auth_token_hash"`
 	NodeType                NodeType                `json:"node_type" gorm:"column:node_type"`
 	SwiftwaveServiceAddress string                  `json:"swiftwave_service_address" gorm:"column:swiftwave_service_address"`
 	WireguardConfig         WireguardConfig         `json:"wireguard_config" gorm:"embedded;embeddedPrefix:wireguard_"`