gsc-ops-api/internal/middleware/apikey.go

package middleware

import (
	"crypto/subtle"

	"github.com/gofiber/fiber/v2"

	"github.com/gosec/gsc-ops-api/pkg/types"
)

const APIKeyHeader = "X-API-Key"

// APIKey validates the X-API-Key header against configured keys
func APIKey(validKeys []string) fiber.Handler {
	return func(c *fiber.Ctx) error {
		key := c.Get(APIKeyHeader)
		if key == "" {
			apiErr := types.NewUnauthorized("Missing API key")
			return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, GetRequestID(c)))
		}

		valid := false
		for _, vk := range validKeys {
			if subtle.ConstantTimeCompare([]byte(key), []byte(vk)) == 1 {
				valid = true
				break
			}
		}

		if !valid {
			apiErr := types.NewUnauthorized("Invalid API key")
			return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, GetRequestID(c)))
		}

		return c.Next()
	}
}