feat: add auth token for api

Author: mfts

Makefile

@@ -34,8 +34,10 @@ API_TIMEOUT=30s
 API_ROOT_PATH=/
 API_TRACE_HEADER=Gotenberg-Trace
 API_ENABLE_BASIC_AUTH=false
+API_ENABLE_BEARER_TOKEN_AUTH=false
 GOTENBERG_API_BASIC_AUTH_USERNAME=
 GOTENBERG_API_BASIC_AUTH_PASSWORD=
+GOTENBERG_API_BEARER_TOKEN=
 API_DISABLE_HEALTH_CHECK_LOGGING=false
 CHROMIUM_RESTART_AFTER=0
 CHROMIUM_MAX_QUEUE_SIZE=0
@@ -94,6 +96,7 @@ run: ## Start a Gotenberg container
 	--api-root-path=$(API_ROOT_PATH) \
 	--api-trace-header=$(API_TRACE_HEADER) \
 	--api-enable-basic-auth=$(API_ENABLE_BASIC_AUTH) \
+	--api-enable-bearer-token-auth=$(API_ENABLE_BEARER_TOKEN_AUTH) \
 	--api-disable-health-check-logging=$(API_DISABLE_HEALTH_CHECK_LOGGING) \
 	--chromium-restart-after=$(CHROMIUM_RESTART_AFTER) \
 	--chromium-auto-start=$(CHROMIUM_AUTO_START) \

pkg/modules/api/api.go

@@ -37,6 +37,7 @@ type Api struct {
 	basicAuthUsername         string
 	basicAuthPassword         string
 	disableHealthCheckLogging bool
+	bearerToken               string
 
 	routes              []Route
 	externalMiddlewares []Middleware
@@ -169,6 +170,7 @@ func (a *Api) Descriptor() gotenberg.ModuleDescriptor {
 			fs.String("api-trace-header", "Gotenberg-Trace", "Set the header name to use for identifying requests")
 			fs.Bool("api-enable-basic-auth", false, "Enable basic authentication - will look for the GOTENBERG_API_BASIC_AUTH_USERNAME and GOTENBERG_API_BASIC_AUTH_PASSWORD environment variables")
 			fs.Bool("api-disable-health-check-logging", false, "Disable health check logging")
+			fs.Bool("api-enable-bearer-token-auth", false, "Enable bearer token authentication")
 			return fs
 		}(),
 		New: func() gotenberg.Module { return new(Api) },
@@ -212,6 +214,15 @@ func (a *Api) Provision(ctx *gotenberg.Context) error {
 		a.basicAuthPassword = basicAuthPassword
 	}
 
+	enableBearerToken := flags.MustBool("api-enable-bearer-token-auth")
+	if enableBearerToken {
+		bearerToken, err := gotenberg.StringEnv("GOTENBERG_API_BEARER_TOKEN")
+		if err != nil {
+			return fmt.Errorf("get bearer token from env: %w", err)
+		}
+		a.bearerToken = bearerToken
+	}
+
 	// Get routes from modules.
 	mods, err := ctx.Modules(new(Router))
 	if err != nil {
@@ -409,6 +420,7 @@ func (a *Api) Start() error {
 		rootPathMiddleware(a.rootPath),
 		traceMiddleware(a.traceHeader),
 		loggerMiddleware(a.logger, disableLoggingForPaths),
+		a.bearerTokenMiddleware(),
 	)
 
 	// Add the modules' middlewares in their respective stacks.
@@ -524,6 +536,34 @@ func (a *Api) Stop(ctx context.Context) error {
 	return a.srv.Shutdown(ctx)
 }
 
+func (a *Api) bearerTokenMiddleware() echo.MiddlewareFunc {
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			// Skip authentication for health and version endpoints
+			if strings.HasSuffix(c.Path(), "/health") || strings.HasSuffix(c.Path(), "/version") {
+				return next(c)
+			}
+
+			authHeader := c.Request().Header.Get("Authorization")
+			if authHeader == "" {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Missing Authorization header")
+			}
+
+			tokenParts := strings.Split(authHeader, " ")
+			if len(tokenParts) != 2 || strings.ToLower(tokenParts[0]) != "bearer" {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Invalid Authorization header format")
+			}
+
+			token := tokenParts[1]
+			if token != a.bearerToken {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Invalid API token")
+			}
+
+			return next(c)
+		}
+	}
+}
+
 // Interface guards.
 var (
 	_ gotenberg.Module      = (*Api)(nil)