Implement API key authentication and management; update Dockerfile and README for persistent storage

Eric-Philippe · Eric-Philippe · commit 1cb6566ac0b6 · 2025-03-18T20:30:25.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@
 *.test
 *.out
 go.work
+.api-key
 
 # Binaries
 /beeapi
diff --git a/Dockerfile b/Dockerfile
@@ -23,11 +23,15 @@ COPY --from=builder /app/beeapi /app/beeapi
 # Create puzzles directory
 RUN mkdir -p /app/puzzles && chmod -R 777 /app/puzzles
 
+# Create a volume for persistent storage of API key
+VOLUME /app/data
+
 # Environment variables
 ENV SERVER_NAME="Local"
 ENV SERVER_DESCRIPTION="Local Dev Server"
 ENV PYTHON_PATH="python"
 
 EXPOSE 5000
 
-CMD ["/app/beeapi"]
+# Create symbolic link to store API key in persistent volume
+CMD ln -sf /app/data/.api-key /app/.api-key && /app/beeapi
diff --git a/README.md b/README.md
@@ -56,9 +56,32 @@ docker build -t beeapi-go .
 Then, run the Docker container:
 
 ```bash
-docker run -d -p 8080:8080 --name beeapi-go -v $(pwd)/puzzles:/app/puzzles beeapi-go
+docker run -d -p 8080:8080 --name beeapi-go -v $(pwd)/puzzles:/app/puzzles -v $(pwd)/data:/app/data beeapi-go
 ```
 
+## API Authentication
+
+BeeAPI Go uses API key authentication for protected endpoints (POST, PUT, DELETE). When the server starts for the first time, it generates a unique API key and saves it in a `.api-key` file in the root directory.
+
+To authenticate your requests to protected endpoints:
+
+1. Look for the API key in the `.api-key` file or in the server logs when it starts
+2. Include the API key in your requests' Authorization header:
+
+```bash
+curl -X POST "http://localhost:5000/theme" \
+  -H "Authorization: Bearer YOUR_API_KEY" \
+  -d "name=new-theme"
+```
+
+If you're using Docker, you can access the API key by:
+
+```bash
+docker exec beeapi-go cat /app/.api-key
+```
+
+Make sure to keep this key secure as it provides administrative access to your BeeAPI instance.
+
 ## API Documentation
 
 The API documentation is available at `/swagger/index.html` when the server is running.
diff --git a/main.go b/main.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/algohive/beeapi/controllers"
+	"github.com/algohive/beeapi/middlewares"
 	"github.com/algohive/beeapi/services"
 	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
@@ -36,6 +37,13 @@ func main() {
 	// Load environment variables from .env file if it exists
 	_ = godotenv.Load()
 
+	// Initialize API key manager
+	apiKeyManager, err := services.NewAPIKeyManager(".")
+	if err != nil {
+		log.Fatalf("Failed to initialize API key manager: %v", err)
+	}
+	log.Printf("API key initialized: %s", apiKeyManager.GetAPIKey())
+
 	// Create services
 	puzzlesLoader := services.NewPuzzlesLoader()
 	pythonRunner := services.NewPythonRunner(os.Getenv("PYTHON_PATH")) // Get from env or use default
@@ -75,10 +83,10 @@ func main() {
 	router.GET("/puzzle", puzzleController.GetPuzzle)
 	router.GET("/puzzle/generate", puzzleController.GeneratePuzzle)
 	
-	// Protected routes
+	// Protected routes with API key authentication
 	protected := router.Group("")
-	// protected.Use(middleware.RequireAuth(authService))
-	// {
+	protected.Use(middlewares.RequireAPIKey(apiKeyManager))
+	{
 		// Theme management
 		protected.POST("/theme", themeController.CreateTheme)
 		protected.DELETE("/theme", themeController.DeleteTheme)
@@ -87,7 +95,7 @@ func main() {
 		// Puzzle management
 		protected.POST("/puzzle/upload", puzzleController.UploadPuzzle)
 		protected.DELETE("/puzzle", puzzleController.DeletePuzzle)
-	// }
+	}
 
 	
 	// Make sure puzzles directory exists
@@ -119,6 +127,7 @@ func main() {
 	// Run server in a goroutine so it doesn't block
 	go func() {
 		log.Printf("Server starting on port %s", port)
+		log.Printf("API Key: %s", apiKeyManager.GetAPIKey())
 		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 			log.Fatalf("Server error: %v", err)
 		}
diff --git a/middlewares/auth.go b/middlewares/auth.go
@@ -0,0 +1,40 @@
+package middlewares
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/algohive/beeapi/services"
+	"github.com/gin-gonic/gin"
+)
+
+// RequireAPIKey crée un middleware qui valide la clé API
+func RequireAPIKey(keyManager *services.APIKeyManager) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Récupère l'en-tête Authorization
+		authHeader := c.GetHeader("Authorization")
+
+		// Vérifie si l'en-tête Authorization est présent et a le format correct
+		if authHeader == "" {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Clé API manquante"})
+			return
+		}
+
+		// Le format doit être "Bearer <api-key>"
+		parts := strings.SplitN(authHeader, " ", 2)
+		if len(parts) != 2 || parts[0] != "Bearer" {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Format de clé API invalide"})
+			return
+		}
+
+		key := parts[1]
+
+		// Valide la clé API
+		if !keyManager.ValidateKey(key) {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Clé API invalide"})
+			return
+		}
+
+		c.Next()
+	}
+}
diff --git a/services/apikey.go b/services/apikey.go
@@ -0,0 +1,76 @@
+package services
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+const (
+	apiKeyLength = 32 // 32 bytes = 256 bits
+	apiKeyFile   = ".api-key"
+)
+
+// APIKeyManager gère la génération et validation des clés API
+type APIKeyManager struct {
+	apiKey    string
+	keyPath   string
+}
+
+// NewAPIKeyManager crée un nouveau gestionnaire de clé API
+func NewAPIKeyManager(basePath string) (*APIKeyManager, error) {
+	keyPath := filepath.Join(basePath, apiKeyFile)
+	manager := &APIKeyManager{
+		keyPath: keyPath,
+	}
+
+	// Essaie de charger une clé existante
+	err := manager.loadKey()
+	if err != nil {
+		// Génère et sauvegarde une nouvelle clé si aucune n'existe
+		err = manager.generateAndSaveKey()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return manager, nil
+}
+
+// loadKey charge la clé API depuis le fichier
+func (a *APIKeyManager) loadKey() error {
+	data, err := os.ReadFile(a.keyPath)
+	if err != nil {
+		return err
+	}
+	a.apiKey = strings.TrimSpace(string(data))
+	return nil
+}
+
+// generateAndSaveKey génère une nouvelle clé API et la sauvegarde dans le fichier
+func (a *APIKeyManager) generateAndSaveKey() error {
+	// Génère des octets aléatoires
+	randBytes := make([]byte, apiKeyLength)
+	_, err := rand.Read(randBytes)
+	if err != nil {
+		return err
+	}
+
+	// Encode en base64 pour une clé API lisible
+	a.apiKey = base64.StdEncoding.EncodeToString(randBytes)
+
+	// Sauvegarde dans le fichier
+	return os.WriteFile(a.keyPath, []byte(a.apiKey), 0600)
+}
+
+// GetAPIKey retourne la clé API courante
+func (a *APIKeyManager) GetAPIKey() string {
+	return a.apiKey
+}
+
+// ValidateKey vérifie si la clé fournie correspond à celle stockée
+func (a *APIKeyManager) ValidateKey(key string) bool {
+	return key == a.apiKey
+}
