mirror of
https://github.com/0xMassi/webclaw.git
synced 2026-06-07 22:15:12 +02:00
2ba682adf3
Self-hosters hitting docs/self-hosting were promised three binaries
but the OSS Docker image only shipped two. webclaw-server lived in
the closed-source hosted-platform repo, which couldn't be opened. This
adds a minimal axum REST API in the OSS repo so self-hosting actually
works without pretending to ship the cloud platform.
Crate at crates/webclaw-server/. Stateless, no database, no job queue,
single binary. Endpoints: GET /health, POST /v1/{scrape, crawl, map,
batch, extract, summarize, diff, brand}. JSON shapes mirror
api.webclaw.io for the endpoints OSS can support, so swapping between
self-hosted and hosted is a base-URL change.
Auth: optional bearer token via WEBCLAW_API_KEY / --api-key. Comparison
is constant-time (subtle::ConstantTimeEq). Open mode (no key) is
allowed and binds 127.0.0.1 by default; the Docker image flips
WEBCLAW_HOST=0.0.0.0 so the container is reachable out of the box.
Hard caps to keep naive callers from OOMing the process: crawl capped
at 500 pages synchronously, batch capped at 100 URLs / 20 concurrent.
For unbounded crawls or anti-bot bypass the docs point users at the
hosted API.
Dockerfile + Dockerfile.ci updated to copy webclaw-server into
/usr/local/bin and EXPOSE 3000. Workspace version bumped to 0.4.0
(new public binary).
48 lines
1.4 KiB
Rust
48 lines
1.4 KiB
Rust
//! Optional bearer-token middleware.
|
|
//!
|
|
//! When the server is started without `--api-key`, every request is allowed
|
|
//! through (server runs in "open" mode — appropriate for `localhost`-only
|
|
//! deployments). When a key is configured, every `/v1/*` request must
|
|
//! present `Authorization: Bearer <key>` and the comparison is constant-
|
|
//! time to avoid timing-leaking the key.
|
|
|
|
use axum::{
|
|
extract::{Request, State},
|
|
http::StatusCode,
|
|
middleware::Next,
|
|
response::Response,
|
|
};
|
|
use subtle::ConstantTimeEq;
|
|
|
|
use crate::state::AppState;
|
|
|
|
/// Axum middleware. Mount with `axum::middleware::from_fn_with_state`.
|
|
pub async fn require_bearer(
|
|
State(state): State<AppState>,
|
|
request: Request,
|
|
next: Next,
|
|
) -> Result<Response, StatusCode> {
|
|
let Some(expected) = state.api_key() else {
|
|
// Open mode — no key configured. Allow everything.
|
|
return Ok(next.run(request).await);
|
|
};
|
|
|
|
let Some(header) = request
|
|
.headers()
|
|
.get("authorization")
|
|
.and_then(|v| v.to_str().ok())
|
|
else {
|
|
return Err(StatusCode::UNAUTHORIZED);
|
|
};
|
|
|
|
let presented = header
|
|
.strip_prefix("Bearer ")
|
|
.or_else(|| header.strip_prefix("bearer "))
|
|
.ok_or(StatusCode::UNAUTHORIZED)?;
|
|
|
|
if presented.as_bytes().ct_eq(expected.as_bytes()).into() {
|
|
Ok(next.run(request).await)
|
|
} else {
|
|
Err(StatusCode::UNAUTHORIZED)
|
|
}
|
|
}
|