feat: add optional authentication logic for worker (#331)

Signed-off-by: Ravindra Meena <rmeena840@gmail.com>

Author: rmeena840

packages/btcindexer/src/index.ts

@@ -18,9 +18,26 @@ export { RPCMock } from "./rpc-mock";
 
 const router = new HttpRouter(undefined);
 
+/**
+ * Validates the Authorization header against the AUTH_BEARER_TOKEN env var.
+ */
+function isAuthorized(req: Request, env: Env): boolean {
+	// If the token isn't set in the environment, we assume the endpoint is public
+	if (!env.AUTH_BEARER_TOKEN) return true;
+
+	const authHeader = req.headers.get("Authorization");
+	if (!authHeader || !authHeader.startsWith("Bearer ")) return false;
+
+	const token = authHeader.substring(7);
+	return token === env.AUTH_BEARER_TOKEN;
+}
+
 export default {
 	async fetch(req: Request, env: Env, _ctx: ExecutionContext): Promise<Response> {
 		try {
+			if (!isAuthorized(req, env)) {
+				return new Response("Unauthorized", { status: 401 });
+			}
 			const indexer = await indexerFromEnv(env);
 			return await router.fetch(req, env, indexer);
 		} catch (e) {

packages/btcindexer/worker-configuration.d.ts

@@ -1,5 +1,5 @@
 /* eslint-disable */
-// Generated by Wrangler by running `wrangler types` (hash: d1762921ce9ce60578e7e61df0f8e97d)
+// Generated by Wrangler by running `wrangler types` (hash: 0f6ea38d8b9ed234c528c82214007cdc)
 // Runtime types generated with workerd@1.20251210.0 2025-06-20 nodejs_compat
 declare namespace Cloudflare {
 	interface GlobalProps {
@@ -11,6 +11,7 @@ declare namespace Cloudflare {
 		CONFIRMATION_DEPTH: "4";
 		MAX_NBTC_MINT_TX_RETRIES: "1";
 		BTC_BLOCK_PROCESSING_BATCH_SIZE: "100";
+		AUTH_BEARER_TOKEN: "";
 		DB: D1Database;
 		NBTC_MINTING_SIGNER_MNEMONIC: SecretsStoreSecret;
 		SuiIndexer: Fetcher /* sui-indexer */;
@@ -21,7 +22,7 @@ type StringifyValues<EnvType extends Record<string, unknown>> = {
 	[Binding in keyof EnvType]: EnvType[Binding] extends string ? EnvType[Binding] : string;
 };
 declare namespace NodeJS {
-	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "CONFIRMATION_DEPTH" | "MAX_NBTC_MINT_TX_RETRIES" | "BTC_BLOCK_PROCESSING_BATCH_SIZE">> {}
+	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "CONFIRMATION_DEPTH" | "MAX_NBTC_MINT_TX_RETRIES" | "BTC_BLOCK_PROCESSING_BATCH_SIZE" | "AUTH_BEARER_TOKEN">> {}
 }
 
 // Begin runtime types
@@ -9383,7 +9384,7 @@ interface IncomingRequestCfPropertiesTLSClientAuthPlaceholder {
     certNotAfter: "";
 }
 /** Possible outcomes of TLS verification */
-declare type CertVerificationStatus = 
+declare type CertVerificationStatus =
 /** Authentication succeeded */
 "SUCCESS"
 /** No certificate was presented */
@@ -9447,7 +9448,7 @@ interface D1ExecResult {
     count: number;
     duration: number;
 }
-type D1SessionConstraint = 
+type D1SessionConstraint =
 // Indicates that the first query should go to the primary, and the rest queries
 // using the same D1DatabaseSession will go to any replica that is consistent with
 // the bookmark maintained by the session (returned by the first query).
@@ -10028,7 +10029,7 @@ declare namespace Rpc {
     // The reason for using a generic type here is to build a serializable subset of structured
     //   cloneable composite types. This allows types defined with the "interface" keyword to pass the
     //   serializable check as well. Otherwise, only types defined with the "type" keyword would pass.
-    type Serializable<T> = 
+    type Serializable<T> =
     // Structured cloneables
     BaseType
     // Structured cloneable composites

packages/btcindexer/wrangler.jsonc

@@ -34,6 +34,7 @@
     "CONFIRMATION_DEPTH": "4",
     "MAX_NBTC_MINT_TX_RETRIES": "1",
     "BTC_BLOCK_PROCESSING_BATCH_SIZE": "100",
+    "AUTH_BEARER_TOKEN": "",
   },
   "secrets_store_secrets": [
     {