I need a static mechanism to verify my sender knows a static token. That token is hard coded into the sending system.
My API has an endpoint /webhook where I need to have that be verified.
This guides/security-customization gives an example on how to implement a custom mechanism, so I implemented this:
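```java
import java.util.Collections;
import java.util.Optional;
import java.util.Set;

import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.inject.Singleton; // javax.inject.Singleton on Quarkus 2.x

@Singleton
public class FixedTokenAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Override
    public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
        String authHeader = context.request().headers().get("magic_header");
        // Compare by value; == on strings compares object references.
        if ("magic_value".equals(authHeader)) {
            // Still returns an empty Uni: no SecurityIdentity is produced yet.
            return Uni.createFrom().optional(Optional.empty());
        } else {
            return Uni.createFrom().optional(Optional.empty());
        }
    }

    @Override
    public Uni<ChallengeData> getChallenge(RoutingContext context) {
        return null;
    }

    @Override
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        return Collections.singleton(AuthenticationRequest.class);
    }

    @Override
    public Uni<Boolean> sendChallenge(RoutingContext context) {
        return HttpAuthenticationMechanism.super.sendChallenge(context);
    }

    @Override
    public HttpCredentialTransport getCredentialTransport() {
        return HttpAuthenticationMechanism.super.getCredentialTransport();
    }

    @Override
    public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext context) {
        return HttpAuthenticationMechanism.super.getCredentialTransport(context);
    }

    @Override
    public int getPriority() {
        return HttpAuthenticationMechanism.super.getPriority();
    }
}
```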
I do not know how to configure this to be used in the application properties.
There seems to be a configuration for path-specific-authentication-mechanisms which I can not seem to make work.
What would I need to configure in application.properties to use my not so secure security mechanism for the /webhook endpoint?
Right now this implementation is incomplete, but as far as path-based authentication is concerned, you need to have an alias like webhook that you can refer to from the configuration, see https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/BasicAuthenticationMechanism.java#L198 (note, basic is a qualifier) as well as the rest of the class on how to implement the custom mechanism. Delegating to the default interface implementation will likely not work.
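
A completed version of the mechanism with the alias the answer describes, as an added example (not the original poster's code and not Quarkus project code). It assumes Quarkus 3 (`jakarta.*` imports); the scheme name `webhook`, the permission name `hook` and the principal name `webhook-sender` are illustrative choices, and the mechanism builds the identity itself instead of delegating to an `IdentityProvider`.

```java
// application.properties (permission name "hook" is arbitrary; auth-mechanism must equal SCHEME):
//   quarkus.http.auth.permission.hook.paths=/webhook
//   quarkus.http.auth.permission.hook.policy=authenticated
//   quarkus.http.auth.permission.hook.auth-mechanism=webhook
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.runtime.QuarkusPrincipal;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

@ApplicationScoped
public class FixedTokenAuthenticationMechanism implements HttpAuthenticationMechanism {
    static final String SCHEME = "webhook"; // alias referenced from application.properties
    private static final byte[] TOKEN = "magic_value".getBytes(StandardCharsets.UTF_8);

    @Override
    public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager ipm) {
        String header = context.request().getHeader("magic_header");
        // No header: no credentials presented, so the "authenticated" policy triggers the challenge.
        if (header == null) return Uni.createFrom().nullItem();
        // MessageDigest.isEqual compares in constant time, unlike String.equals.
        if (!MessageDigest.isEqual(TOKEN, header.getBytes(StandardCharsets.UTF_8))) {
            return Uni.createFrom().failure(new AuthenticationFailedException());
        }
        return Uni.createFrom().item(QuarkusSecurityIdentity.builder()
                .setPrincipal(new QuarkusPrincipal("webhook-sender")).build());
    }
    @Override
    public Uni<ChallengeData> getChallenge(RoutingContext context) {
        return Uni.createFrom().item(new ChallengeData(401, null, null)); // plain 401, no header
    }
    @Override
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        return Set.of(); // assumption: no IdentityProvider is needed, identity is built above
    }
    @Override
    public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext context) {
        return Uni.createFrom().item(new HttpCredentialTransport(
                HttpCredentialTransport.Type.OTHER_HEADER, "magic_header", SCHEME));
    }
}
```

In a real deployment the token would come from configuration or a secret store rather than a string literal in the class.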