♻️(yprovider) support multiple API keys to separate responsibilities

Support for two API keys has been added to the YProvider microservice to
decouple responsibilities between the collaboration server and other
endpoints. This improves security by scoping keys to specific purposes and
ensures a clearer separation of concerns for easier management and debugging.

Author: lebaudantoine

src/backend/impress/settings.py

@@ -506,7 +506,6 @@ class Base(Configuration):
     }
 
     # Y provider microservice
-    # Note: Be careful, this value is currently the same as in the collaboration service.
     Y_PROVIDER_API_KEY = values.Value(
         environ_name="Y_PROVIDER_API_KEY",
         environ_prefix=None,

src/frontend/servers/y-provider/__tests__/server.test.ts

@@ -14,6 +14,7 @@ jest.mock('../src/env', () => {
     PORT: port,
     COLLABORATION_SERVER_ORIGIN: origin,
     COLLABORATION_SERVER_SECRET: 'test-secret-api-key',
+    Y_PROVIDER_API_KEY: 'yprovider-api-key',
   };
 });
 
@@ -115,7 +116,7 @@ describe('Server Tests', () => {
     const response = await request(app as any)
       .post('/api/convert-markdown')
       .set('Origin', origin)
-      .set('Authorization', 'test-secret-api-key');
+      .set('Authorization', 'yprovider-api-key');
 
     expect(response.status).toBe(400);
     expect(response.body.error).toBe('Invalid request: missing content');
@@ -125,7 +126,7 @@ describe('Server Tests', () => {
     const response = await request(app as any)
       .post('/api/convert-markdown')
       .set('Origin', origin)
-      .set('Authorization', 'test-secret-api-key')
+      .set('Authorization', 'yprovider-api-key')
       .send({
         content: '',
       });

src/frontend/servers/y-provider/src/env.ts

@@ -4,5 +4,7 @@ export const COLLABORATION_SERVER_ORIGIN =
   process.env.COLLABORATION_SERVER_ORIGIN || 'http://localhost:3000';
 export const COLLABORATION_SERVER_SECRET =
   process.env.COLLABORATION_SERVER_SECRET || 'secret-api-key';
+export const Y_PROVIDER_API_KEY =
+  process.env.Y_PROVIDER_API_KEY || 'yprovider-api-key';
 export const PORT = Number(process.env.PORT || 4444);
 export const SENTRY_DSN = process.env.SENTRY_DSN || '';

src/frontend/servers/y-provider/src/middlewares.ts

@@ -4,10 +4,13 @@ import * as ws from 'ws';
 import {
   COLLABORATION_SERVER_ORIGIN,
   COLLABORATION_SERVER_SECRET,
+  Y_PROVIDER_API_KEY,
 } from '@/env';
 
 import { logger } from './utils';
 
+const VALID_API_KEYS = [COLLABORATION_SERVER_SECRET, Y_PROVIDER_API_KEY];
+
 export const httpSecurity = (
   req: Request,
   res: Response,
@@ -27,7 +30,7 @@ export const httpSecurity = (
   // Secret API Key check
   // Note: Changing this header to Bearer token format will break backend compatibility with this microservice.
   const apiKey = req.headers['authorization'];
-  if (apiKey !== COLLABORATION_SERVER_SECRET) {
+  if (!apiKey || !VALID_API_KEYS.includes(apiKey)) {
     res.status(403).json({ error: 'Forbidden: Invalid API Key' });
     return;
   }

src/helm/env.d/dev/values.impress.yaml.gotmpl

@@ -105,6 +105,7 @@ yProvider:
     COLLABORATION_LOGGING: true
     COLLABORATION_SERVER_ORIGIN: https://impress.127.0.0.1.nip.io
     COLLABORATION_SERVER_SECRET: my-secret
+    Y_PROVIDER_API_KEY: my-secret
 
 ingress:
   enabled: true