datapress-core 0.2.16

Backend-agnostic core types, config, routing, and HTTP handlers for the datapress dataset server.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

//! Admin endpoint authentication.
//!
//! Reads the expected token from the `ADMIN_TOKEN` environment variable at
//! startup. If the variable is unset or empty, all admin endpoints refuse
//! every request — they are effectively disabled. This is the secure default:
//! you must explicitly opt in by setting `ADMIN_TOKEN` to a non-empty value.
//!
//! Clients authenticate by sending `X-Admin-Token: <value>`. The comparison
//! is constant-time to avoid leaking the token via timing side channels.

use std::sync::OnceLock;

use actix_web::HttpRequest;

use crate::errors::AppError;

static EXPECTED: OnceLock<Option<String>> = OnceLock::new();

fn expected() -> Option<&'static str> {
    EXPECTED
        .get_or_init(|| std::env::var("ADMIN_TOKEN").ok().filter(|s| !s.is_empty()))
        .as_deref()
}

/// Verify the request carries a valid admin token.
///
/// Returns `Err(AppError::Forbidden)` when the token is missing, malformed,
/// or does not match. Returns `Err(AppError::Forbidden)` (not 500) when the
/// server has no `ADMIN_TOKEN` configured at all — admin endpoints stay
/// disabled by default.
pub fn require_admin(req: &HttpRequest) -> Result<(), AppError> {
    let expected = expected().ok_or_else(|| {
        AppError::Forbidden(
            "admin endpoints are disabled (set ADMIN_TOKEN env var to enable)".into(),
        )
    })?;

    let presented = req
        .headers()
        .get("X-Admin-Token")
        .and_then(|v| v.to_str().ok())
        .unwrap_or("");

    if constant_time_eq(presented.as_bytes(), expected.as_bytes()) {
        Ok(())
    } else {
        Err(AppError::Forbidden(
            "invalid or missing X-Admin-Token".into(),
        ))
    }
}

/// Constant-time byte comparison. Returns false immediately when lengths
/// differ (length itself isn't secret); otherwise XORs every byte so the
/// runtime doesn't depend on where the first difference occurs.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

#[cfg(test)]
mod tests {
    use super::constant_time_eq;

    #[test]
    fn ct_eq_equal() {
        assert!(constant_time_eq(b"hunter2", b"hunter2"));
        assert!(constant_time_eq(b"", b""));
    }

    #[test]
    fn ct_eq_different_content() {
        assert!(!constant_time_eq(b"hunter2", b"hunter3"));
    }

    #[test]
    fn ct_eq_different_length() {
        assert!(!constant_time_eq(b"abc", b"abcd"));
        assert!(!constant_time_eq(b"abcd", b"abc"));
    }
}