Api key (#1241)

pkg/api/server.go

@@ -41,6 +41,8 @@ var uiBox *packr.Box
 var setupUIBox *packr.Box
 var loginUIBox *packr.Box
 
+const ApiKeyHeader = "ApiKey"
+
 func allowUnauthenticated(r *http.Request) bool {
 	return strings.HasPrefix(r.URL.Path, "/login") || r.URL.Path == "/css"
 }
@@ -52,10 +54,24 @@ func authenticateHandler() func(http.Handler) http.Handler {
 
 			// translate api key into current user, if present
 			userID := ""
+			apiKey := r.Header.Get(ApiKeyHeader)
 			var err error
 
-			// handle session
-			userID, err = getSessionUserID(w, r)
+			if apiKey != "" {
+				// match against configured API and set userID to the
+				// configured username. In future, we'll want to
+				// get the username from the key.
+				if config.GetAPIKey() != apiKey {
+					w.Header().Add("WWW-Authenticate", `FormBased`)
+					w.WriteHeader(http.StatusUnauthorized)
+					return
+				}
+
+				userID = config.GetUsername()
+			} else {
+				// handle session
+				userID, err = getSessionUserID(w, r)
+			}
 
 			if err != nil {
 				w.WriteHeader(http.StatusInternalServerError)
@@ -65,8 +81,6 @@ func authenticateHandler() func(http.Handler) http.Handler {
 
 			// handle redirect if no user and user is required
 			if userID == "" && config.HasCredentials() && !allowUnauthenticated(r) {
-				// always allow
-
 				// if we don't have a userID, then redirect
 				// if graphql was requested, we just return a forbidden error
 				if r.URL.Path == "/graphql" {