feat: protect API endpoints with API key authentication

.gitignore

@@ -34,3 +34,5 @@ build/
 
 ### Postgres ###
 postgres-data/
+
+.env

src/main/java/com/litoralregas/openvpn/security/ApiKeyFilter.java

@@ -0,0 +1,46 @@
+package com.litoralregas.openvpn.security;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+
+public class ApiKeyFilter extends OncePerRequestFilter {
+
+    private static final String HEADER = "X-API-Key";
+
+    private final ApiKeyProperties properties;
+
+    public ApiKeyFilter(ApiKeyProperties properties) {
+        this.properties = properties;
+    }
+
+    @Override
+    protected void doFilterInternal(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            FilterChain filterChain
+    ) throws ServletException, IOException {
+
+        String path = request.getRequestURI();
+
+        // allow health or non-api paths if needed
+        if (!path.startsWith("/api")) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        String apiKey = request.getHeader(HEADER);
+
+        if (apiKey == null || !apiKey.equals(properties.getApiKey())) {
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            response.getWriter().write("{\"error\":\"Unauthorized\"}");
+            return;
+        }
+
+        filterChain.doFilter(request, response);
+    }
+}

src/main/java/com/litoralregas/openvpn/security/ApiKeyProperties.java

@@ -0,0 +1,17 @@
+package com.litoralregas.openvpn.security;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@ConfigurationProperties(prefix = "security")
+public class ApiKeyProperties {
+
+    private String apiKey;
+
+    public String getApiKey() {
+        return apiKey;
+    }
+
+    public void setApiKey(String apiKey) {
+        this.apiKey = apiKey;
+    }
+}

src/main/java/com/litoralregas/openvpn/security/SecurityConfig.java

@@ -0,0 +1,15 @@
+package com.litoralregas.openvpn.security;
+
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@EnableConfigurationProperties(ApiKeyProperties.class)
+public class SecurityConfig {
+
+    @Bean
+    public ApiKeyFilter apiKeyFilter(ApiKeyProperties properties) {
+        return new ApiKeyFilter(properties);
+    }
+}

src/main/resources/application.yaml

@@ -34,4 +34,7 @@ lr:
 
   openvpn:
     tools-path: ${LR_OPENVPN_TOOLS_PATH:/var/litoral_regas_openvpn/tools}
-    provision-dry-run: ${LR_OPENVPN_PROVISION_DRY_RUN:true}
+    provision-dry-run: ${LR_OPENVPN_PROVISION_DRY_RUN:true}
+
+security:
+  api-key: ${API_KEY}