mx-cloud auth for SQL

apps/cloud/src/lib.rs

@@ -20,6 +20,7 @@ mod sql;
 pub struct Context {
     pub manage_domain: String,
     pub enrollment_domain: String,
+    pub internal_db_secret: String,
     pub cert: Certificate,
     pub key: KeyPair,
     pub client: reqwest::Client,
@@ -39,6 +40,8 @@ impl Context {
                 .map_err(|_| "'MANAGE_DOMAIN' must be set")?,
             enrollment_domain: std::env::var("ENROLLMENT_DOMAIN")
                 .map_err(|_| "'ENROLLMENT_DOMAIN' must be set")?,
+            internal_db_secret: std::env::var("INTERNAL_DB_SECRET")
+                .map_err(|_| "'INTERNAL_DB_SECRET' must be set")?,
             cert: CertificateParams::from_ca_cert_pem(
                 &std::env::var("IDENTITY_CERT").map_err(|_| "'IDENTITY_CERT' must be set")?,
             )
@@ -83,7 +86,10 @@ impl Context {
                 }),
             )
             .merge(api::mount())
-            .nest("/psdb.v1alpha1.Database", sql::mount())
+            .nest(
+                "/psdb.v1alpha1.Database",
+                sql::mount().route_layer(middleware::from_fn_with_state(this.clone(), sql::auth)),
+            )
             .merge(todo())
             .with_state(this.clone())
             .merge(mx_manage::mount(mdm::App(this)))

apps/cloud/src/sql.rs

@@ -9,8 +9,8 @@
 use std::{collections::HashMap, sync::Arc};
 
 use axum::{
-    extract::State,
-    middleware,
+    extract::{Request, State},
+    middleware::Next,
     response::{IntoResponse, Response},
     routing::post,
     Json, Router,
@@ -234,6 +234,25 @@ pub fn mount() -> Router<Arc<Context>> {
             )
 }
 
+pub async fn auth(State(state): State<Arc<Context>>, request: Request, next: Next) -> Response {
+    let authorization = request
+        .headers()
+        .get("authorization")
+        .and_then(|v| v.to_str().ok());
+
+    if authorization
+        != Some(&format!(
+            "Basic {}",
+            STANDARD.encode(format!(":{}", &state.internal_db_secret))
+        ))
+        && authorization != Some(&format!("Bearer {}", state.internal_db_secret))
+    {
+        return (StatusCode::UNAUTHORIZED, "Unauthorized").into_response();
+    }
+
+    next.run(request).await
+}
+
 fn error(msg: String) -> Response {
     (
         StatusCode::INTERNAL_SERVER_ERROR,

sst.config.ts

@@ -17,6 +17,7 @@ export default $config({
 			cloudflare: true,
 			tls: true,
 			command: true,
+			random: true,
 		},
 	}),
 	async run() {
@@ -29,13 +30,17 @@ export default $config({
 
 		// Configuration
 		const DATABASE_URL = new sst.Secret("DatabaseURL");
-		// const AUTH_SECRET =
 
 		// Derived
 		const webSubdomain = $app.stage === "prod" ? "cloud" : `${$app.stage}-web`;
 		const manageSubdomain =
 			$app.stage === "prod" ? "manage" : `${$app.stage}-manage`;
 
+		// Automatic
+		const INTERNAL_DB_SECRET = new random.RandomString("internalDbSecret", {
+			length: 16,
+		});
+
 		// Defaults
 		$transform(sst.aws.Function, (args) => {
 			args.architecture ??= "arm64";
@@ -85,11 +90,13 @@ export default $config({
 			},
 		});
 
+		// TODO: Remove this
 		new command.local.Command(
 			"todo",
 			{
-				create:
-					"echo 'ITS IS DONE' && ls target/lambda && ls target/lambda/lambda",
+				create: `echo 'ITS IS DONE' && ls target/lambda && ls target/lambda/lambda && echo '${process.cwd()}'`,
+				triggers: [crypto.randomUUID()],
+				dir: process.cwd(),
 			},
 			{
 				dependsOn: [cloudBuild],
@@ -113,6 +120,7 @@ export default $config({
 				memory: "128 MB",
 				environment: {
 					DATABASE_URL: DATABASE_URL.value,
+					INTERNAL_DB_SECRET: INTERNAL_DB_SECRET.result,
 					ENROLLMENT_DOMAIN: renderZoneDomain(zone, webSubdomain),
 					MANAGE_DOMAIN: renderZoneDomain(zone, manageSubdomain),
 					IDENTITY_CERT: identityCert.certPem,
@@ -154,6 +162,7 @@ export default $config({
 				command: "pnpm landing build",
 				output: path.join("apps", "landing", "dist"),
 				environment: {
+					// DATABASE_URL: INTERNAL_DB_SECRET.result, // TODO
 					NITRO_PRESET: "cloudflare_pages",
 					// TODO: Make this use the correct domain
 					VITE_MATTRAX_CLOUD_ORIGIN: "https://bruh.mattrax.app",