Add an optional auth token to further control API access

Only applies to the HTK server for now, not Mockttp, but that's
the most risky attack surface by a mile. No immediate need for
this - the CORS & CSRF protections are rock-solid AFAIK, but
as the API gets more powerful it would be good to have defence
in depth.

Author: pimterry

src/commands/start.ts

@@ -33,13 +33,17 @@ class HttpToolkitServer extends Command {
         version: flags.version({char: 'v'}),
         help: flags.help({char: 'h'}),
 
-        config: flags.string({char: 'c', description: 'path in which to store config files'}),
+        config: flags.string({char: 'c', description: 'optional path in which to store config files'}),
+        token: flags.string({char: 't', description: 'optional token to authenticate local server access'}),
     }
 
     async run() {
         const { flags } = this.parse(HttpToolkitServer);
 
-        await runHTK({ configPath: flags.config }).catch(async (error) => {
+        await runHTK({
+            configPath: flags.config,
+            authToken: flags.token
+        }).catch(async (error) => {
             await reportError(error);
             throw error;
         });

src/config.d.ts

@@ -1,5 +1,6 @@
 export interface HtkConfig {
     configPath: string;
+    authToken?: string;
     https: {
         keyPath: string;
         certPath: string;

src/httptoolkit-server.ts

@@ -5,6 +5,7 @@ import corsGate = require('cors-gate');
 import { GraphQLServer } from 'graphql-yoga';
 import { GraphQLScalarType } from 'graphql';
 import { generateSPKIFingerprint } from 'mockttp';
+import { Request, Response } from 'express';
 
 import { HtkConfig } from './config';
 import { reportError, addBreadcrumb } from './error-tracking';
@@ -184,6 +185,23 @@ export class HttpToolkitServer extends events.EventEmitter {
             allowSafe: false, // Even for HEAD/GET requests (should be none anyway)
             origin: '' // No origin - we accept *no* same-origin requests
         }));
+
+        if (config.authToken) {
+            // Optional auth token. This allows us to lock down UI/server communication further
+            // when started together. The desktop generates a token every run and passes it to both.
+            this.graphql.use((req: Request, res: Response, next: () => void) => {
+                const authHeader = req.headers['authorization'] || '';
+
+                const tokenMatch = authHeader.match(/Bearer (\S+)/) || [];
+                const token = tokenMatch[1];
+
+                if (token !== config.authToken) {
+                    res.status(403).send('Valid token required');
+                } else {
+                    next();
+                }
+            });
+        }
     }
 
     async start() {

src/index.ts

@@ -66,6 +66,7 @@ function checkCertExpiry(contents: string): void {
 
 export async function runHTK(options: {
     configPath?: string
+    authToken?: string
 } = {}) {
     const startTime = Date.now();
     registerShutdownHandler();
@@ -83,7 +84,7 @@ export async function runHTK(options: {
     const certSetupTime = Date.now();
     console.log('Certificates setup in', certSetupTime - configCheckTime, 'ms');
 
-    // Start a standalone server
+    // Start a Mockttp standalone server
     const standalone = getStandalone({
         serverDefaults: {
             cors: false,
@@ -103,6 +104,7 @@ export async function runHTK(options: {
     // Start a HTK server
     const htkServer = new HttpToolkitServer({
         configPath,
+        authToken: options.authToken,
         https: httpsConfig
     });