Api key configuracion and quotes endpooint
This commit is contained in:
@ -348,7 +348,7 @@ func (cont *Controller) AllMessages(ctx *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
if req.APIKey != "1234" {
|
||||
if !cont.checkServiceAPIKey(req.APIKey) {
|
||||
ctx.JSON(http.StatusUnauthorized, HTTPError{Error: "Not allowed to perform this request"})
|
||||
return
|
||||
}
|
||||
@ -356,6 +356,13 @@ func (cont *Controller) AllMessages(ctx *gin.Context) {
|
||||
ctx.JSON(http.StatusOK, cont.tradeProvider.GetAllMessages(req.In, req.Out))
|
||||
}
|
||||
|
||||
// checkServiceAPIKey returns true when the provided key matches the configured
|
||||
// service-to-service shared secret. Empty configured key is always rejected
|
||||
// to avoid open authentication when misconfigured.
|
||||
func (cont *Controller) checkServiceAPIKey(key string) bool {
|
||||
return cont.config.ServiceAPIKey != "" && key == cont.config.ServiceAPIKey
|
||||
}
|
||||
|
||||
// GetPendingQuoteRequests godoc
|
||||
// @Summary List pending QuoteRequests
|
||||
// @Description Returns all QuoteRequests received from TW that have not been quoted yet by the dealer
|
||||
@ -382,12 +389,19 @@ func (cont *Controller) GetPendingQuoteRequests(ctx *gin.Context) {
|
||||
// @Failure 500 {object} HTTPError
|
||||
// @Router /qfixdpl/v1/quotes [post]
|
||||
func (cont *Controller) SendQuote(ctx *gin.Context) {
|
||||
setHeaders(ctx, cont.config)
|
||||
|
||||
var req SendQuoteRequest
|
||||
if err := ctx.ShouldBindJSON(&req); err != nil {
|
||||
ctx.JSON(http.StatusBadRequest, HTTPError{Error: err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
if !cont.checkServiceAPIKey(req.APIKey) {
|
||||
ctx.JSON(http.StatusUnauthorized, HTTPError{Error: "Not allowed to perform this request"})
|
||||
return
|
||||
}
|
||||
|
||||
price, err := decimal.NewFromString(req.Price)
|
||||
if err != nil {
|
||||
ctx.JSON(http.StatusBadRequest, HTTPError{Error: "invalid price: " + err.Error()})
|
||||
|
||||
@ -18,6 +18,7 @@ type Session struct {
|
||||
}
|
||||
|
||||
type SendQuoteRequest struct {
|
||||
APIKey string `json:"APIKey" binding:"required"`
|
||||
QuoteReqID string `json:"QuoteReqID" binding:"required"`
|
||||
Price string `json:"Price" binding:"required" example:"99.6"`
|
||||
}
|
||||
|
||||
@ -24,10 +24,11 @@ func SetRoutes(api *API) {
|
||||
qfixdpl.GET("/trades", cont.GetTrades)
|
||||
qfixdpl.GET("/trades/:quoteReqID/logs", cont.GetLogs)
|
||||
qfixdpl.GET("/quote-requests", cont.GetPendingQuoteRequests)
|
||||
qfixdpl.POST("/quotes", cont.SendQuote)
|
||||
|
||||
msgs := v1.Group("/")
|
||||
msgs.POST("/messages", cont.AllMessages)
|
||||
// services group: API-key auth via body, no session cookie required.
|
||||
services := v1.Group("/")
|
||||
services.POST("/messages", cont.AllMessages)
|
||||
services.POST("/quotes", cont.SendQuote)
|
||||
|
||||
backoffice := qfixdpl.Group("/backoffice")
|
||||
backoffice.Use(cont.BackOfficeUser)
|
||||
|
||||
@ -39,6 +39,10 @@ type Config struct {
|
||||
AuthorizedServices map[string]app.AuthorizedService `toml:"AuthorizedServices"`
|
||||
Port string
|
||||
EnableJWTAuth bool
|
||||
// ServiceAPIKey authenticates internal services (qbymarouter, etc.) calling
|
||||
// /qfixdpl/v1/quotes and /qfixdpl/v1/messages. Compared against the APIKey
|
||||
// field in the request body.
|
||||
ServiceAPIKey string
|
||||
}
|
||||
|
||||
func New(userData app.UserDataProvider, storeInstance *store.Store, tradeProvider TradeProvider, config Config, notify domain.Notifier) *API {
|
||||
|
||||
Reference in New Issue
Block a user