feat: Include apikey based authentication mechanism

Author: dormant-user

Cargo.toml

@@ -40,3 +40,4 @@ log = "0.4.29"
 uuid = { version = "1.23.1", features = ["v4"] }
 dotenv = "0.15.0"
 url = "2.5.8"
+regex = "1.12.3"

src/api.rs

@@ -1,7 +1,7 @@
 use crate::qb;
 use crate::settings;
 
-use actix_web::{web, HttpResponse, Responder};
+use actix_web::{web, HttpRequest, HttpResponse, Responder};
 use reqwest::Client;
 use serde_json::{json, Value};
 use std::collections::HashMap;
@@ -16,6 +16,7 @@ use uuid::Uuid;
 #[utoipa::path(
     get,
     path = "/status",
+    security(()),
     responses(
         (status = 200, description = "List of users", body = serde_json::Value),
     ),
@@ -32,6 +33,7 @@ pub async fn status() -> impl Responder {
 #[utoipa::path(
     get,
     path = "/version",
+    security(()),
     responses(
         (status = 200, description = "API version", body = serde_json::Value)
     )
@@ -40,6 +42,25 @@ pub async fn version() -> impl Responder {
     HttpResponse::Ok().json(json!({ "version": env!("CARGO_PKG_VERSION") }))
 }
 
+/// Authenticates the `apikey` through incoming request headers.
+///
+/// # Arguments
+///
+/// - `request` - Reference to the `HttpRequest` object.
+/// * `config` - Reference to the `Config` object.
+///
+/// # Returns
+///
+/// Returns a boolean value to indicate the authentication status.
+fn authenticator(request: HttpRequest, config: &settings::Config) -> bool {
+    if let Some(apikey) = request.headers().get("apikey") {
+        if apikey.to_str().unwrap().to_string() == config.apikey {
+            return true;
+        }
+    }
+    false
+}
+
 /// API endpoint to get download/copy status.
 ///
 /// # Arguments
@@ -73,9 +94,13 @@ pub async fn version() -> impl Responder {
     )
 )]
 pub async fn get_torrents(
+    request: HttpRequest,
     state: web::Data<settings::SharedState>,
     config: web::Data<settings::Config>,
 ) -> impl Responder {
+    if !authenticator(request, &config) {
+        return HttpResponse::Unauthorized().json("Unauthorized");
+    }
     let client = match qb::client(&config).await {
         Ok(c) => c,
         Err(e) => return e,
@@ -250,10 +275,14 @@ fn resolve_payload(body: &[settings::PutItem]) -> Vec<settings::PutItem> {
     )
 )]
 pub async fn put_torrent(
+    request: HttpRequest,
     pending: web::Data<settings::PendingMap>,
     config: web::Data<settings::Config>,
     body: web::Json<Vec<settings::PutItem>>,
 ) -> impl Responder {
+    if !authenticator(request, &config) {
+        return HttpResponse::Unauthorized().json("Unauthorized");
+    }
     let client = match qb::client(&config).await {
         Ok(c) => c,
         Err(e) => return e,
@@ -357,9 +386,13 @@ pub async fn put_torrent(
     )
 )]
 pub async fn delete_torrent(
+    request: HttpRequest,
     config: web::Data<settings::Config>,
     query: web::Query<HashMap<String, String>>,
 ) -> impl Responder {
+    if !authenticator(request, &config) {
+        return HttpResponse::Unauthorized().json("Unauthorized");
+    }
     let identifier = match query.get("name") {
         Some(i) => i,
         None => return HttpResponse::BadRequest().body("Missing name"),

src/settings.rs

@@ -18,6 +18,7 @@ pub type PendingMap = Arc<RwLock<HashMap<String, PutItem>>>;
 pub struct Config {
     pub host: String,
     pub port: u16,
+    pub apikey: String,
     pub workers: usize,
     pub qbit_api: String,
     pub username: String,
@@ -26,6 +27,10 @@ pub struct Config {
     pub log_level: log::LevelFilter,
 }
 
+fn startup_error(msg: &str) {
+    eprintln!("\nStartupError:\n\t{}\n", msg);
+}
+
 /// ### Config::new
 /// Creates a new [`Config`] instance from environment variables.
 ///
@@ -38,14 +43,34 @@ impl Config {
         let port = squire::get_env_var("port", Some("3000"))
             .parse::<u16>()
             .unwrap();
+        let apikey = squire::get_env_var("apikey", None);
+        if apikey.is_empty() {
+            startup_error("'apikey' is empty");
+            std::process::exit(1)
+        }
+        match squire::complexity_checker(&apikey, 32) {
+            Ok(()) => (),
+            Err(err) => {
+                startup_error(format!("Invalid 'apikey': {}", err).as_str());
+                std::process::exit(1)
+            },
+        }
 
         let available_workers = std::thread::available_parallelism().map_or(2, NonZeroUsize::get);
         let default_workers =
             squire::get_env_var("workers", Some(available_workers.to_string().as_str()));
         let workers = match default_workers.parse::<usize>() {
             Ok(n) if n > 0 => n,
-            Ok(_) => panic!("\nParseError:\n\t'workers' must be > 0, got {default_workers}\n"),
-            Err(e) => panic!("\nParseError:\n\tInvalid 'workers' value '{default_workers}': {e}\n"),
+            Ok(_) => {
+                startup_error(format!("'workers' must be > 0, got {}", default_workers).as_str());
+                std::process::exit(1)
+            }
+            Err(e) => {
+                startup_error(
+                    format!("Invalid 'workers' value '{default_workers}': {e}\n").as_str(),
+                );
+                std::process::exit(1)
+            }
         };
 
         let qbit_api = squire::get_env_var("qbit_api", Some("http://localhost:8080"));
@@ -57,16 +82,19 @@ impl Config {
         let log_level = match default_log_level.parse::<log::LevelFilter>() {
             Ok(level) => level,
             Err(_) => {
-                panic!(
-                    "\nParseError:\n\tInvalid 'log_level' value '{}'. Expected one of: off, error, warn, info, debug, trace\n",
-                    default_log_level
+                startup_error(
+                    format!(
+                        "Invalid 'log_level' value '{default_log_level}'. Expected one of: off, error, warn, info, debug, trace"
+                    ).as_str()
                 );
+                std::process::exit(1)
             }
         };
 
         Self {
             host,
             port,
+            apikey,
             workers,
             qbit_api,
             username,

src/squire.rs

@@ -1,3 +1,4 @@
+use regex::Regex;
 use crate::{qb, rsync, settings};
 use reqwest::Client;
 use serde_json::Value;
@@ -161,7 +162,7 @@ pub fn spawn_worker(
 
             let mut db = state.write().await;
 
-            // Remove entries that qBit no longer knows about (deleted via WebUI).
+            // Remove entries that QBitAPI no longer knows about (deleted via WebUI).
             let returned: std::collections::HashSet<&str> =
                 arr.iter().filter_map(|t| t["hash"].as_str()).collect();
             hashes.iter().for_each(|h| {
@@ -244,3 +245,60 @@ pub fn load_env_file() {
     let env_file_path = std::env::current_dir().unwrap_or_default().join(env_file);
     let _ = dotenv::from_path(env_file_path.as_path());
 }
+
+/// Verifies the strength of a secret string.
+///
+/// # Description
+/// A secret is considered strong if it satisfies all the following:
+///
+///     - Has at least `min_length` characters
+///     - Contains at least 1 digit
+///     - Contains at least 1 symbol (non-alphanumeric, non-whitespace)
+///     - Contains at least 1 uppercase letter
+///     - Contains at least 1 lowercase letter
+///
+/// # Arguments
+///
+/// * `value` - The secret string to validate.
+/// * `min_length` - Minimum required length of the secret.
+///
+/// # Returns
+///
+/// * `Ok(())` if the secret meets all strength requirements.
+/// * `Err(String)` with a message describing the first failed condition.
+pub fn complexity_checker(value: &String, min_length: usize) -> Result<(), String> {
+    if value.trim().is_empty() {
+        return Err("Value cannot be empty".to_string());
+    }
+
+    if value.len() < min_length {
+        return Err(format!(
+            "Minimum length is {}, received {}",
+            min_length,
+            value.len()
+        ));
+    }
+
+    let digit_re = Regex::new(r"\d").unwrap();
+    let upper_re = Regex::new(r"[A-Z]").unwrap();
+    let lower_re = Regex::new(r"[a-z]").unwrap();
+    let symbol_re = Regex::new(r#"[^\w\s]"#).unwrap();
+
+    if !digit_re.is_match(value) {
+        return Err("Value must include an integer".to_string());
+    }
+
+    if !upper_re.is_match(value) {
+        return Err("Value must include at least one uppercase letter".to_string());
+    }
+
+    if !lower_re.is_match(value) {
+        return Err("Value must include at least one lowercase letter".to_string());
+    }
+
+    if !symbol_re.is_match(value) {
+        return Err("Value must contain at least one special character".to_string());
+    }
+
+    Ok(())
+}