Api key configuracion and quotes endpooint

src/client/api/rest/controller.go

@@ -348,7 +348,7 @@ func (cont *Controller) AllMessages(ctx *gin.Context) {
 		return
 	}
 
-	if req.APIKey != "1234" {
+	if !cont.checkServiceAPIKey(req.APIKey) {
 		ctx.JSON(http.StatusUnauthorized, HTTPError{Error: "Not allowed to perform this request"})
 		return
 	}
@@ -356,6 +356,13 @@ func (cont *Controller) AllMessages(ctx *gin.Context) {
 	ctx.JSON(http.StatusOK, cont.tradeProvider.GetAllMessages(req.In, req.Out))
 }
 
+// checkServiceAPIKey returns true when the provided key matches the configured
+// service-to-service shared secret. Empty configured key is always rejected
+// to avoid open authentication when misconfigured.
+func (cont *Controller) checkServiceAPIKey(key string) bool {
+	return cont.config.ServiceAPIKey != "" && key == cont.config.ServiceAPIKey
+}
+
 // GetPendingQuoteRequests godoc
 // @Summary List pending QuoteRequests
 // @Description Returns all QuoteRequests received from TW that have not been quoted yet by the dealer
@@ -382,12 +389,19 @@ func (cont *Controller) GetPendingQuoteRequests(ctx *gin.Context) {
 // @Failure 500 {object} HTTPError
 // @Router /qfixdpl/v1/quotes [post]
 func (cont *Controller) SendQuote(ctx *gin.Context) {
+	setHeaders(ctx, cont.config)
+
 	var req SendQuoteRequest
 	if err := ctx.ShouldBindJSON(&req); err != nil {
 		ctx.JSON(http.StatusBadRequest, HTTPError{Error: err.Error()})
 		return
 	}
 
+	if !cont.checkServiceAPIKey(req.APIKey) {
+		ctx.JSON(http.StatusUnauthorized, HTTPError{Error: "Not allowed to perform this request"})
+		return
+	}
+
 	price, err := decimal.NewFromString(req.Price)
 	if err != nil {
 		ctx.JSON(http.StatusBadRequest, HTTPError{Error: "invalid price: " + err.Error()})