Use spring security for api-key validation

PaimonGanyu/paimonganyu-app/paimonganyu-skill/build.gradle

@@ -7,7 +7,7 @@ dependencies {
     implementation project(':paimonganyu-infra')
     implementation project(':ikakao')
 
-    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+    implementation 'org.springframework.boot:spring-boot-starter-security'
 
     testImplementation(testFixtures(project(':paimonganyu-domain')))
     testImplementation('org.springframework.boot:spring-boot-starter-test') {

PaimonGanyu/paimonganyu-app/paimonganyu-skill/src/main/java/org/binchoo/paimonganyu/chatbot/configs/security/SecurityConfig.java

@@ -0,0 +1,31 @@
+package org.binchoo.paimonganyu.chatbot.configs.security;
+
+import org.binchoo.paimonganyu.chatbot.securities.ApiKeyValidationFilter;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+/**
+ * @author jbinchoo
+ * @since 2022/09/24
+ */
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Value("${auth.apikey}")
+    private String expectedApiKey;
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            .antMatcher("/ikakao/**")
+                .authorizeRequests().anyRequest().permitAll()
+                .and()
+                .addFilterBefore(new ApiKeyValidationFilter(expectedApiKey), BasicAuthenticationFilter.class)
+            .csrf().disable();
+    }
+}

PaimonGanyu/paimonganyu-app/paimonganyu-skill/src/main/java/org/binchoo/paimonganyu/chatbot/securities/ApiKeyValidationFilter.java

@@ -0,0 +1,42 @@
+package org.binchoo.paimonganyu.chatbot.securities;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author jbinchoo
+ * @since 2022/09/24
+ */
+public class ApiKeyValidationFilter implements Filter {
+
+    private static final Logger logger = LoggerFactory.getLogger(ApiKeyValidationFilter.class);
+    private static final String HEADER_X_API_KEY = "X-Api-Key";
+    private static final String HEADER_X_FORWARDED_FOR = "X-Forwarded-For";
+
+    private final String expectedApiKey;
+
+    public ApiKeyValidationFilter(String apiKey) {
+        this.expectedApiKey = apiKey;
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        var httpRequest = (HttpServletRequest) request;
+        var httpResponse = (HttpServletResponse) response;
+
+        String actualApiKey = httpRequest.getHeader(HEADER_X_API_KEY);
+
+        if (expectedApiKey.equals(actualApiKey)) {
+            chain.doFilter(request, response);
+        } else {
+            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            String clientIp = httpRequest.getHeader(HEADER_X_FORWARDED_FOR);
+            logger.warn("[Security] Unauthorized api-key: {} from {}", actualApiKey, clientIp);
+        }
+    }
+}