UHF-12517

.env.dist

@@ -24,3 +24,5 @@ DIALOGI_SENDER=
 
 # Testing
 TEST_SMS_NUMBER=
+
+HAKUVAHTI_API_KEY='123'

compose.yaml

@@ -9,7 +9,7 @@ services:
       - internal
 
   app:
-    user: root
+    user: "${DOCKER_UID:-1000}:${DOCKER_GID:-1000}"
     build:
       context: .
       dockerfile: openshift/Dockerfile
@@ -20,9 +20,6 @@ services:
       MONGODB: mongodb://mongodb:27017/hakuvahti
     volumes:
       - .:/app:delegated
-      - node_modules:/app/node_modules
-      - type: tmpfs
-        target: /app/dist
     ports:
       - "3000:3000"
     depends_on:

openshift/Dockerfile

@@ -15,8 +15,8 @@ RUN \
 
 FROM registry.access.redhat.com/ubi9/nodejs-22 AS development
 
-ENV npm_config_cache="$HOME/.npm"
-ENV APP_NAME rekry-hakuvahti
+ENV npm_config_cache="/tmp/.npm"
+ENV APP_NAME hakuvahti
 
 WORKDIR /app
 

package.json

@@ -7,7 +7,7 @@
     "test": "test"
   },
   "scripts": {
-    "test": "npm run build:ts && c8 --exclude-node-modules --reporter lcov node --test --test-force-exit -r ts-node/register test/**/*.test.ts",
+    "test": "npm run build:ts && c8 --exclude-node-modules --reporter lcov --reporter text node --test --test-force-exit -r ts-node/register test/**/*.test.ts",
     "start": "npm run build:ts && fastify start -l info dist/app.js",
     "build:ts": "npm run copy:assets; tsc",
     "copy:assets": "mkdir -p dist; cp -R src/templates dist/",

src/app.ts

@@ -9,14 +9,18 @@ export interface AppOptions extends FastifyPluginOptions, Partial<AutoloadPlugin
 // Pass --options via CLI arguments in command to enable these options.
 export const options: AppOptions = {};
 
+const requiredEnvironmentVariables = ['ENVIRONMENT', 'HAKUVAHTI_API_KEY'];
+
 const app: FastifyPluginAsync<AppOptions> = async (fastify, opts) => {
   // Skip override option breaks fastify encapsulation.
   // This is used by tests to get access to plugins
   // registered by application.
   delete opts.skipOverride;
 
-  if (process.env.ENVIRONMENT === undefined) {
-    throw new Error('ENVIRONMENT environment variable is not set');
+  for (const envVar of requiredEnvironmentVariables) {
+    if (process.env[envVar] === undefined) {
+      throw new Error(`${envVar} environment variable is not set`);
+    }
   }
 
   const env = process.env.ENVIRONMENT as Environment;
@@ -51,12 +55,12 @@ const app: FastifyPluginAsync<AppOptions> = async (fastify, opts) => {
   fastify.register(AutoLoad, {
     dir: join(__dirname, 'plugins'),
     options: opts,
-    ignorePattern: /(^|\/|\\)(index|.d).*\.ts$/,
+    ignorePattern: /(^|\/|\\)(index|\.d).*\.ts$/,
   });
   fastify.register(AutoLoad, {
     dir: join(__dirname, 'routes'),
     options: opts,
-    ignorePattern: /(^|\/|\\)(index|.d).*\.ts$/,
+    ignorePattern: /(^|\/|\\)(index|\.d).*\.ts$/,
   });
 };
 

src/plugins/api-key.ts

@@ -0,0 +1,26 @@
+import { timingSafeEqual } from 'node:crypto';
+import fp from 'fastify-plugin';
+
+/**
+ * Validate token in request headers
+ *
+ * Requests must have 'Authorization: api-key <api-key>' header in the request.
+ */
+export default fp(async (fastify, _opts) => {
+  fastify.addHook('preHandler', async (request, reply) => {
+    // Skip token check for health check routes
+    if (request.url === '/healthz' || request.url === '/readiness') {
+      return true;
+    }
+
+    const { HAKUVAHTI_API_KEY } = process.env;
+    const expected = Buffer.from(`api-key ${HAKUVAHTI_API_KEY}`);
+    const received = Buffer.from(request.headers.authorization?.toString() ?? '');
+
+    if (!HAKUVAHTI_API_KEY || expected.length !== received.length || !timingSafeEqual(expected, received)) {
+      return reply.code(403).send();
+    }
+
+    return true;
+  });
+});

test/helper.ts

@@ -14,6 +14,8 @@ export type TestContext = {
   after: typeof test.after;
 };
 
+process.env.HAKUVAHTI_API_KEY = 'test';
+
 const AppPath = path.join(__dirname, '..', 'src', 'app.ts');
 
 // Fill in this config with all the configurations