From 0e65d9b2eeb2c2237cbdae7b4db759488b843a90 Mon Sep 17 00:00:00 2001
From: alyssa <alyssa@mailc.net>
Date: Fri, 8 Aug 2025 20:57:38 +0000
Subject: [PATCH] feat(api): add internal auth

---
 crates/api/src/auth.rs            | 13 +++++++++++--
 crates/api/src/middleware/auth.rs | 17 ++++++++++++++++-
 crates/libpk/src/_config.rs       |  3 +++
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/crates/api/src/auth.rs b/crates/api/src/auth.rs
index c084eafe..4e12a287 100644
--- a/crates/api/src/auth.rs
+++ b/crates/api/src/auth.rs
@@ -7,11 +7,16 @@ pub const INTERNAL_APPID_HEADER: &'static str = "x-pluralkit-appid";
 pub struct AuthState {
     system_id: Option<i32>,
     app_id: Option<i32>,
+    internal: bool,
 }
 
 impl AuthState {
-    pub fn new(system_id: Option<i32>, app_id: Option<i32>) -> Self {
-        Self { system_id, app_id }
+    pub fn new(system_id: Option<i32>, app_id: Option<i32>, internal: bool) -> Self {
+        Self {
+            system_id,
+            app_id,
+            internal,
+        }
     }
 
     pub fn system_id(&self) -> Option<i32> {
@@ -22,6 +27,10 @@ impl AuthState {
         self.app_id
     }
 
+    pub fn internal(&self) -> bool {
+        self.internal
+    }
+
     pub fn access_level_for(&self, a: &impl Authable) -> PrivacyLevel {
         if self
             .system_id
diff --git a/crates/api/src/middleware/auth.rs b/crates/api/src/middleware/auth.rs
index 3d1d813b..0992757f 100644
--- a/crates/api/src/middleware/auth.rs
+++ b/crates/api/src/middleware/auth.rs
@@ -58,8 +58,23 @@ pub async fn auth(State(ctx): State<ApiContext>, mut req: Request, next: Next) -
         authed_app_id = Some(1);
     }
 
+    // todo: fix syntax
+    let internal = if req.headers().get("x-pluralkit-client-ip").is_none()
+        && let Some(auth_header) = req
+            .headers()
+            .get("x-pluralkit-internalauth")
+            .map(|h| h.to_str().ok())
+            .flatten()
+        && let Some(real_token) = libpk::config.internal_auth.clone()
+        && auth_header.as_bytes().ct_eq(real_token.as_bytes()).into()
+    {
+        true
+    } else {
+        false
+    };
+
     req.extensions_mut()
-        .insert(AuthState::new(authed_system_id, authed_app_id));
+        .insert(AuthState::new(authed_system_id, authed_app_id, internal));
 
     next.run(req).await
 }
diff --git a/crates/libpk/src/_config.rs b/crates/libpk/src/_config.rs
index 8358440b..7f992d95 100644
--- a/crates/libpk/src/_config.rs
+++ b/crates/libpk/src/_config.rs
@@ -128,6 +128,9 @@ pub struct PKConfig {
 
     #[serde(default)]
     pub sentry_url: Option<String>,
+
+    #[serde(default)]
+    pub internal_auth: Option<String>,
 }
 
 impl PKConfig {