apunkt/webclaw
1
0
Fork 0
mirror of https://github.com/0xMassi/webclaw.git synced 2026-06-07 22:15:12 +02:00
Code Issues Projects Releases Packages Wiki Activity
webclaw/crates/webclaw-server/src/auth.rs

49 lines
1.4 KiB
Rust
Raw Normal View History

feat(server): add OSS webclaw-server REST API binary (closes #29) Self-hosters hitting docs/self-hosting were promised three binaries but the OSS Docker image only shipped two. webclaw-server lived in the closed-source hosted-platform repo, which couldn't be opened. This adds a minimal axum REST API in the OSS repo so self-hosting actually works without pretending to ship the cloud platform. Crate at crates/webclaw-server/. Stateless, no database, no job queue, single binary. Endpoints: GET /health, POST /v1/{scrape, crawl, map, batch, extract, summarize, diff, brand}. JSON shapes mirror api.webclaw.io for the endpoints OSS can support, so swapping between self-hosted and hosted is a base-URL change. Auth: optional bearer token via WEBCLAW_API_KEY / --api-key. Comparison is constant-time (subtle::ConstantTimeEq). Open mode (no key) is allowed and binds 127.0.0.1 by default; the Docker image flips WEBCLAW_HOST=0.0.0.0 so the container is reachable out of the box. Hard caps to keep naive callers from OOMing the process: crawl capped at 500 pages synchronously, batch capped at 100 URLs / 20 concurrent. For unbounded crawls or anti-bot bypass the docs point users at the hosted API. Dockerfile + Dockerfile.ci updated to copy webclaw-server into /usr/local/bin and EXPOSE 3000. Workspace version bumped to 0.4.0 (new public binary).
2026-04-22 12:25:11 +02:00
//! Optional bearer-token middleware.
//!
//! When the server is started without `--api-key`, every request is allowed
//! through (server runs in "open" mode — appropriate for `localhost`-only
//! deployments). When a key is configured, every `/v1/*` request must
//! present `Authorization: Bearer <key>` and the comparison is constant-
//! time to avoid timing-leaking the key.
use axum::{
extract::{Request, State},
http::StatusCode,
middleware::Next,
response::Response,
};
use subtle::ConstantTimeEq;
use crate::state::AppState;
/// Axum middleware. Mount with `axum::middleware::from_fn_with_state`.
pub async fn require_bearer(
State(state): State<AppState>,
request: Request,
next: Next,
) -> Result<Response, StatusCode> {
let Some(expected) = state.api_key() else {
// Open mode — no key configured. Allow everything.
return Ok(next.run(request).await);
};
let Some(header) = request
.headers()
.get("authorization")
.and_then(|v| v.to_str().ok())
else {
return Err(StatusCode::UNAUTHORIZED);
};
let presented = header
.strip_prefix("Bearer ")
.or_else(|| header.strip_prefix("bearer "))
.ok_or(StatusCode::UNAUTHORIZED)?;
if presented.as_bytes().ct_eq(expected.as_bytes()).into() {
Ok(next.run(request).await)
} else {
Err(StatusCode::UNAUTHORIZED)
}
}
Reference in a new issue Copy permalink