fix: add emergency API key bypass in middleware (3002+3003)
This commit is contained in:
@@ -11,6 +11,11 @@ use crate::core::auth::jwt;
|
|||||||
use crate::core::db::postgres_db::ApiKeyRecord;
|
use crate::core::db::postgres_db::ApiKeyRecord;
|
||||||
use crate::core::db::PostgresDb;
|
use crate::core::db::PostgresDb;
|
||||||
|
|
||||||
|
/// Hard-coded emergency API key (shared across 3002 + 3003).
|
||||||
|
/// SHA256 hash for comparison — plaintext not stored.
|
||||||
|
static EMERGENCY_API_KEY_HASH: &str =
|
||||||
|
"68fe502458300a7e6860c916aefc0ce1cba210917891b4ca9602b79c37e51fb4";
|
||||||
|
|
||||||
#[derive(Debug, Clone)]
|
#[derive(Debug, Clone)]
|
||||||
pub enum AuthSource {
|
pub enum AuthSource {
|
||||||
Session,
|
Session,
|
||||||
@@ -200,6 +205,20 @@ pub async fn unified_auth(
|
|||||||
};
|
};
|
||||||
|
|
||||||
let key_hash = hash_key(&api_key);
|
let key_hash = hash_key(&api_key);
|
||||||
|
|
||||||
|
// Emergency key: bypass DB lookup for hard-coded key
|
||||||
|
if key_hash == EMERGENCY_API_KEY_HASH {
|
||||||
|
request.extensions_mut().insert(UserAuth {
|
||||||
|
user_id: 0,
|
||||||
|
role: "user".to_string(),
|
||||||
|
source: AuthSource::ApiKey,
|
||||||
|
key_id: api_key,
|
||||||
|
jwt_jti: None,
|
||||||
|
jwt_exp: None,
|
||||||
|
});
|
||||||
|
return next.run(request).await;
|
||||||
|
}
|
||||||
|
|
||||||
let record = match state.db.get_api_key_by_hash(&key_hash).await {
|
let record = match state.db.get_api_key_by_hash(&key_hash).await {
|
||||||
Ok(Some(r)) => r,
|
Ok(Some(r)) => r,
|
||||||
Ok(None) => {
|
Ok(None) => {
|
||||||
|
|||||||
Reference in New Issue
Block a user