add some helper function for BearerTokenAuth

Author: Flo4604

pkg/zen/auth.go

@@ -1,6 +1,7 @@
 package zen
 
 import (
+	"crypto/subtle"
 	"strings"
 
 	"github.com/unkeyed/unkey/pkg/codes"
@@ -50,3 +51,22 @@ func Bearer(s *Session) (string, error) {
 
 	return bearer, nil
 }
+
+// BearerTokenAuth extracts the Bearer token from the session and compares it
+// against the expected token using constant-time comparison. Returns nil if
+// the token matches, or an appropriate error otherwise.
+func BearerTokenAuth(s *Session, expected string) error {
+	token, err := Bearer(s)
+	if err != nil {
+		return err
+	}
+
+	if subtle.ConstantTimeCompare([]byte(token), []byte(expected)) != 1 {
+		return fault.New("invalid bearer token",
+			fault.Code(codes.Auth.Authentication.KeyNotFound.URN()),
+			fault.Internal("bearer token does not match"),
+			fault.Public("The provided token is invalid."))
+	}
+
+	return nil
+}

svc/api/routes/chproxy_metrics/BUILD.bazel

@@ -8,8 +8,6 @@ go_library(
     deps = [
         "//pkg/clickhouse",
         "//pkg/clickhouse/schema",
-        "//pkg/codes",
-        "//pkg/fault",
         "//pkg/prometheus/metrics",
         "//pkg/zen",
     ],

svc/api/routes/chproxy_metrics/handler.go

@@ -2,13 +2,10 @@ package chproxyMetrics
 
 import (
 	"context"
-	"crypto/subtle"
 	"net/http"
 
 	"github.com/unkeyed/unkey/pkg/clickhouse"
 	"github.com/unkeyed/unkey/pkg/clickhouse/schema"
-	"github.com/unkeyed/unkey/pkg/codes"
-	"github.com/unkeyed/unkey/pkg/fault"
 	"github.com/unkeyed/unkey/pkg/prometheus/metrics"
 	"github.com/unkeyed/unkey/pkg/zen"
 )
@@ -33,19 +30,10 @@ func (h *Handler) Path() string {
 func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 	s.DisableClickHouseLogging()
 
-	// Authenticate using Bearer token
-	token, err := zen.Bearer(s)
-	if err != nil {
+	if err := zen.BearerTokenAuth(s, h.Token); err != nil {
 		return err
 	}
 
-	if subtle.ConstantTimeCompare([]byte(token), []byte(h.Token)) != 1 {
-		return fault.New("invalid chproxy token",
-			fault.Code(codes.Auth.Authentication.KeyNotFound.URN()),
-			fault.Internal("chproxy token does not match"),
-			fault.Public("The provided token is invalid."))
-	}
-
 	events, err := zen.BindBody[[]schema.ApiRequest](s)
 	if err != nil {
 		return err

svc/api/routes/chproxy_ratelimits/BUILD.bazel

@@ -8,8 +8,6 @@ go_library(
     deps = [
         "//pkg/clickhouse",
         "//pkg/clickhouse/schema",
-        "//pkg/codes",
-        "//pkg/fault",
         "//pkg/prometheus/metrics",
         "//pkg/zen",
     ],

svc/api/routes/chproxy_ratelimits/handler.go

@@ -2,13 +2,10 @@ package chproxyRatelimits
 
 import (
 	"context"
-	"crypto/subtle"
 	"net/http"
 
 	"github.com/unkeyed/unkey/pkg/clickhouse"
 	"github.com/unkeyed/unkey/pkg/clickhouse/schema"
-	"github.com/unkeyed/unkey/pkg/codes"
-	"github.com/unkeyed/unkey/pkg/fault"
 	"github.com/unkeyed/unkey/pkg/prometheus/metrics"
 	"github.com/unkeyed/unkey/pkg/zen"
 )
@@ -33,19 +30,10 @@ func (h *Handler) Path() string {
 func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 	s.DisableClickHouseLogging()
 
-	// Authenticate using Bearer token
-	token, err := zen.Bearer(s)
-	if err != nil {
+	if err := zen.BearerTokenAuth(s, h.Token); err != nil {
 		return err
 	}
 
-	if subtle.ConstantTimeCompare([]byte(token), []byte(h.Token)) != 1 {
-		return fault.New("invalid chproxy token",
-			fault.Code(codes.Auth.Authentication.KeyNotFound.URN()),
-			fault.Internal("chproxy token does not match"),
-			fault.Public("The provided token is invalid."))
-	}
-
 	events, err := zen.BindBody[[]schema.Ratelimit](s)
 	if err != nil {
 		return err

svc/api/routes/chproxy_verifications/BUILD.bazel

@@ -8,8 +8,6 @@ go_library(
     deps = [
         "//pkg/clickhouse",
         "//pkg/clickhouse/schema",
-        "//pkg/codes",
-        "//pkg/fault",
         "//pkg/prometheus/metrics",
         "//pkg/zen",
     ],

svc/api/routes/chproxy_verifications/handler.go

@@ -2,13 +2,10 @@ package chproxyVerifications
 
 import (
 	"context"
-	"crypto/subtle"
 	"net/http"
 
 	"github.com/unkeyed/unkey/pkg/clickhouse"
 	"github.com/unkeyed/unkey/pkg/clickhouse/schema"
-	"github.com/unkeyed/unkey/pkg/codes"
-	"github.com/unkeyed/unkey/pkg/fault"
 	"github.com/unkeyed/unkey/pkg/prometheus/metrics"
 	"github.com/unkeyed/unkey/pkg/zen"
 )
@@ -33,19 +30,10 @@ func (h *Handler) Path() string {
 func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 	s.DisableClickHouseLogging()
 
-	// Authenticate using Bearer token
-	token, err := zen.Bearer(s)
-	if err != nil {
+	if err := zen.BearerTokenAuth(s, h.Token); err != nil {
 		return err
 	}
 
-	if subtle.ConstantTimeCompare([]byte(token), []byte(h.Token)) != 1 {
-		return fault.New("invalid chproxy token",
-			fault.Code(codes.Auth.Authentication.KeyNotFound.URN()),
-			fault.Internal("chproxy token does not match"),
-			fault.Public("The provided token is invalid."))
-	}
-
 	events, err := zen.BindBody[[]schema.KeyVerification](s)
 	if err != nil {
 		return err

svc/api/routes/internal_cache_invalidate/handler.go

@@ -2,7 +2,6 @@ package internalCacheInvalidate
 
 import (
 	"context"
-	"crypto/subtle"
 	"net/http"
 
 	"github.com/unkeyed/unkey/internal/services/caches"
@@ -32,18 +31,10 @@ func (h *Handler) Path() string {
 func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 	s.DisableClickHouseLogging()
 
-	token, err := zen.Bearer(s)
-	if err != nil {
+	if err := zen.BearerTokenAuth(s, h.Token); err != nil {
 		return err
 	}
 
-	if subtle.ConstantTimeCompare([]byte(token), []byte(h.Token)) != 1 {
-		return fault.New("invalid dashboard token",
-			fault.Code(codes.Auth.Authentication.KeyNotFound.URN()),
-			fault.Internal("dashboard token does not match"),
-			fault.Public("The provided token is invalid."))
-	}
-
 	req, err := zen.BindBody[request](s)
 	if err != nil {
 		return err