init b

.rubocop.yml

@@ -10,3 +10,6 @@ Style/AndOr:
 
 RSpec/NestedGroups:
   Max: 4
+
+RSpec/MultipleExpectations:
+  Max: 2

Gemfile

@@ -4,6 +4,7 @@ source 'https://rubygems.org'
 
 gem 'chunky_png', '~> 1.3', '>= 1.3.5'
 gem 'config', '~> 5.5'
+gem 'digest', '~> 3.1', '>= 3.1.1'
 gem 'faraday', '~> 2.10', '>= 2.10.1'
 gem 'ipaddr', '~> 1.2', '>= 1.2.6'
 gem 'json-schema', '~> 4.3'

Gemfile.lock

@@ -18,6 +18,7 @@ GEM
       rexml
     deep_merge (1.2.2)
     diff-lcs (1.5.1)
+    digest (3.1.1)
     dotenv (3.1.2)
     faraday (2.10.1)
       faraday-net_http (>= 2.0, < 3.2)
@@ -153,6 +154,7 @@ DEPENDENCIES
   byebug (~> 11.1, >= 11.1.3)
   chunky_png (~> 1.3, >= 1.3.5)
   config (~> 5.5)
+  digest (~> 3.1, >= 3.1.1)
   dotenv (~> 3.1, >= 3.1.2)
   faraday (~> 2.10, >= 2.10.1)
   ipaddr (~> 1.2, >= 1.2.6)

app.rb

@@ -10,7 +10,8 @@ class Application < Sinatra::Base
   use Sentry::Rack::CaptureExceptions if sentry?
   register Sinatra::Namespace
 
-  AUTH_TOKEN = "Bearer #{Settings.auth_token}".freeze
+  AUTH_TOKEN = Settings.auth_token
+  AUTH_DIGEST_TOKEN = Settings.auth_digest_token
 
   namespace '/api' do # rubocop:disable Metrics/BlockLength
     before do
@@ -76,7 +77,14 @@ class Application < Sinatra::Base
   attr_reader :controller
 
   def authorize_resource
-    halt 403 unless request.env['HTTP_AUTHORIZATION'] == AUTH_TOKEN
+    token = request.env['HTTP_AUTHORIZATION']
+    halt 403 unless token
+
+    if AUTH_DIGEST_TOKEN
+      halt 403 unless Digest::SHA256.hexdigest(token[7..]) == AUTH_DIGEST_TOKEN
+    else
+      halt 403 unless token[7..] == AUTH_TOKEN
+    end
   end
 
   def instance_versions

config/dependencies.rb

@@ -11,3 +11,4 @@
 require 'ruby_units/namespaced'
 require 'json-schema'
 require 'simple_monads'
+require 'digest'

config/settings/development.yaml

@@ -11,4 +11,5 @@ wg_post_up: <%= ENV['WG_POST_UP'] %>
 wg_post_down: <%= ENV['WG_POST_DOWN'] %>
 wg_persistent_keepalive: <%= ENV['WG_PERSISTENT_KEEPALIVE'] || 0 %>
 auth_token: <%= ENV['AUTH_TOKEN'] %>
+auth_digest_token: <%= ENV['AUTH_DIGEST_TOKEN'] %>
 webhooks_url: <%= ENV['WEBHOOKS_URL'] %>

config/settings/production.yaml

@@ -11,4 +11,5 @@ wg_post_up: <%= ENV['WG_POST_UP'] %>
 wg_post_down: <%= ENV['WG_POST_DOWN'] %>
 wg_persistent_keepalive: <%= ENV['WG_PERSISTENT_KEEPALIVE'] || 0 %>
 auth_token: <%= ENV['AUTH_TOKEN'] %>
+auth_digest_token: <%= ENV['AUTH_DIGEST_TOKEN'] %>
 webhooks_url: <%= ENV['WEBHOOKS_URL'] %>

spec/app/clients_controller_spec.rb

@@ -32,7 +32,7 @@
         }
       end
 
-      it 'creates a configuration file and returns an empty array' do # rubocop:disable RSpec/MultipleExpectations
+      it 'creates a configuration file and returns an empty array' do
         result = controller.index
 
         expect(result).to eq([].to_json)

spec/requests/application_spec.rb

@@ -47,6 +47,30 @@
       end
     end
 
+    context 'when the request is authorized but an encrypted token is set' do
+      before do
+        allow(Settings).to receive(:auth_digest_token)
+          .and_return('8c24220738721bb1a0ad0607527293c16d0d44f2a645980efc271a0a03006d4c')
+        header('Authorization', 'Bearer 123-Ab')
+        get '/api/clients'
+      end
+
+      it 'returns a successful response' do
+        expect(last_response.successful?).to be(true)
+      end
+    end
+
+    context 'when no authorization header was passed at all' do
+      before do
+        get '/api/clients'
+      end
+
+      it 'returns an unsuccessful response' do
+        expect(last_response.successful?).to be(false)
+        expect(last_response.status).to be(403)
+      end
+    end
+
     context 'when the request is not authorized' do
       before do
         header('Authorization', 'Bearer 123-ab')
@@ -55,6 +79,7 @@
 
       it 'returns an unsuccessful response' do
         expect(last_response.successful?).to be(false)
+        expect(last_response.status).to be(403)
       end
     end
   end