fix: add agent key auth for ingest endpoints

2026-02-06 19:13:30 -03:00
parent 615a8b5404
commit 6038e82b22
18 changed files with 1244 additions and 5 deletions
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -307,10 +307,10 @@ func (s *Server) setupRoutes() {
 	ingest.Post("/logs", s.ingestLogs)
 	ingest.Post("/traces", s.ingestTraces)

-	// Legacy ingest routes (also protected, for backwards compat)
-	api.Post("/metrics", s.authMiddleware(), s.ingestMetrics)
-	api.Post("/logs", s.authMiddleware(), s.ingestLogs)
-	api.Post("/traces", s.authMiddleware(), s.ingestTraces)
+	// Legacy ingest routes (agent key auth for simplicity)
+	api.Post("/metrics", s.agentAuthMiddleware(), s.ingestMetrics)
+	api.Post("/logs", s.agentAuthMiddleware(), s.ingestLogs)
+	api.Post("/traces", s.agentAuthMiddleware(), s.ingestTraces)

 	// Protected routes
 	protected := api.Group("", s.authMiddleware())
@@ -894,3 +894,32 @@ func parseInt(s string, def int) int {
 	}
 	return def
 }
+
+// agentAuthMiddleware creates middleware that accepts a simple agent key
+func (s *Server) agentAuthMiddleware() fiber.Handler {
+	agentKey := getEnv("AGENT_KEY", "")
+	return func(c *fiber.Ctx) error {
+		// If no agent key is configured, allow all (for backwards compat)
+		if agentKey == "" {
+			return c.Next()
+		}
+
+		authHeader := c.Get("Authorization")
+		token := strings.TrimPrefix(authHeader, "Bearer ")
+
+		// Check agent key
+		if token == agentKey {
+			return c.Next()
+		}
+
+		// Also check X-Agent-Key header
+		if c.Get("X-Agent-Key") == agentKey {
+			return c.Next()
+		}
+
+		return c.Status(401).JSON(fiber.Map{
+			"error":   "Unauthorized",
+			"message": "Invalid agent key",
+		})
+	}
+}