feat: add authentication for token routes

.env.example

@@ -1,6 +1,9 @@
 JWT_SECRET=
 REDIS_URL=
 
+ADMIN_USERNAME=
+ADMIN_PASSWORD=
+
 BITCOIN_JSON_RPC_URL=
 BITCOIN_JSON_RPC_USERNAME=
 BITCOIN_JSON_RPC_PASSWORD=

src/app.ts

@@ -27,6 +27,8 @@ if (env.SENTRY_DSN_URL && env.NODE_ENV !== 'development') {
   });
 }
 
+const isTokenRoutesEnable = env.NODE_ENV === 'production' ? env.ADMIN_USERNAME && env.ADMIN_PASSWORD : true;
+
 async function routes(fastify: FastifyInstance) {
   container.register({ logger: asValue(fastify.log) });
   fastify.decorate('container', container);
@@ -39,7 +41,9 @@ async function routes(fastify: FastifyInstance) {
   fastify.register(cache);
   fastify.register(rateLimit);
 
-  fastify.register(tokenRoutes, { prefix: '/token' });
+  if (isTokenRoutesEnable) {
+    fastify.register(tokenRoutes, { prefix: '/token' });
+  }
   fastify.register(bitcoinRoutes, { prefix: '/bitcoin/v1' });
 
   fastify.setErrorHandler((error, _, reply) => {

src/env.ts

@@ -6,10 +6,14 @@ const envSchema = z.object({
   NODE_ENV: z.string().default('development'),
   PORT: z.string().optional(),
   NETWORK: z.string().default('testnet'),
+
   SENTRY_DSN_URL: z.string().optional(),
   REDIS_URL: z.string().optional(),
   RATE_LIMIT_PER_MINUTE: z.number().default(100),
 
+  ADMIN_USERNAME: z.string().optional(),
+  ADMIN_PASSWORD: z.string().optional(),
+
   /**
    * JWT_SECRET is used to sign the JWT token for authentication.
    */

src/plugins/swagger.ts

@@ -2,6 +2,7 @@ import fp from 'fastify-plugin';
 import swagger from '@fastify/swagger';
 import swaggerUI from '@fastify/swagger-ui';
 import { jsonSchemaTransform } from 'fastify-type-provider-zod';
+import { env } from '../env';
 
 export const DOCS_ROUTE_PREFIX = '/docs';
 
@@ -24,6 +25,19 @@ export default fp(async (fastify) => {
       },
     },
     transform: jsonSchemaTransform,
+    transformObject: ({ swaggerObject }) => {
+      if (env.NODE_ENV === 'production') {
+        const { paths = {} } = swaggerObject;
+        const newPaths = Object.entries(paths).reduce((acc, [path, methods]) => {
+          if (path.startsWith('/token')) {
+            return acc;
+          }
+          return { ...acc, [path]: methods };
+        }, {});
+        swaggerObject.paths = newPaths;
+      }
+      return swaggerObject;
+    },
   });
   fastify.register(swaggerUI, {
     routePrefix: DOCS_ROUTE_PREFIX,

src/routes/token/index.ts

@@ -1,9 +1,32 @@
 import { FastifyPluginCallback } from 'fastify';
 import { Server } from 'http';
-import generateRoute from './generate';
 import { ZodTypeProvider } from 'fastify-type-provider-zod';
+import generateRoute from './generate';
+import { env } from '../../env';
 
 const tokenRoutes: FastifyPluginCallback<Record<never, never>, Server, ZodTypeProvider> = (fastify, _, done) => {
+  if (env.NODE_ENV === 'production') {
+    fastify.addHook('onRequest', async (request, reply) => {
+      const { authorization } = request.headers;
+      if (!authorization) {
+        reply.code(401).send({ error: 'Unauthorized' });
+        return;
+      }
+
+      const [scheme, token] = authorization.split(' ');
+      if (scheme.toLowerCase() !== 'basic') {
+        reply.code(401).send({ error: 'Unauthorized' });
+        return;
+      }
+
+      const [username, password] = Buffer.from(token, 'base64').toString().split(':');
+      if (username !== env.ADMIN_USERNAME || password !== env.ADMIN_PASSWORD) {
+        reply.code(401).send({ error: 'Unauthorized' });
+        return;
+      }
+    });
+  }
+
   fastify.register(generateRoute);
   done();
 };