Add request authentication to Server with bearer token support

Author: antonmedv

phpstan.neon

@@ -13,5 +13,6 @@ parameters:
         - "#^Constant DEPLOYER_VERSION not found\\.$#"
         - "#^Constant DEPLOYER_BIN not found\\.$#"
         - "#^Constant MASTER_ENDPOINT not found\\.$#"
+        - "#^Constant MASTER_TOKEN not found\\.$#"
         - "#CpanelPhp#"
         - "#AMQPMessage#"

src/Command/WorkerCommand.php

@@ -44,6 +44,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         }
 
         define('MASTER_ENDPOINT', 'http://localhost:' . $input->getOption('port'));
+        define('MASTER_TOKEN', getenv('DEPLOYER_MASTER_TOKEN') ?: '');
 
         $task = $this->deployer->tasks->get($input->getOption('task'));
         $host = $this->deployer->hosts->get($input->getOption('host'));

src/Configuration.php

@@ -183,6 +183,7 @@ public function load(): void
         $values = Httpie::get(MASTER_ENDPOINT . '/load')
             ->setopt(CURLOPT_CONNECTTIMEOUT, 0)
             ->setopt(CURLOPT_TIMEOUT, 0)
+            ->header('Authorization', 'Bearer ' . MASTER_TOKEN)
             ->jsonBody([
                 'host' => $this->get('alias'),
             ])
@@ -199,6 +200,7 @@ public function save(): void
         Httpie::get(MASTER_ENDPOINT . '/save')
             ->setopt(CURLOPT_CONNECTTIMEOUT, 0)
             ->setopt(CURLOPT_TIMEOUT, 0)
+            ->header('Authorization', 'Bearer ' . MASTER_TOKEN)
             ->jsonBody([
                 'host' => $this->get('alias'),
                 'config' => $this->persist(),

src/Deployer.php

@@ -317,6 +317,7 @@ public static function masterCall(Host $host, string $func, mixed ...$arguments)
         return Httpie::get(MASTER_ENDPOINT . '/proxy')
             ->setopt(CURLOPT_CONNECTTIMEOUT, 0) // no timeout
             ->setopt(CURLOPT_TIMEOUT, 0) // no timeout
+            ->header('Authorization', 'Bearer ' . MASTER_TOKEN)
             ->jsonBody([
                 'host' => $host->getAlias(),
                 'func' => $func,

src/Executor/Master.php

@@ -165,13 +165,15 @@ private function runTask(Task $task, array $hosts): int
         }
 
         $server = new Server('127.0.0.1', 0, $this->output);
+        $authToken = bin2hex(random_bytes(16));
+        $server->setAuthToken($authToken);
 
         /** @var Process[] $processes */
         $processes = [];
 
-        $server->afterRun(function (int $port) use (&$processes, $hosts, $task) {
+        $server->afterRun(function (int $port) use (&$processes, $hosts, $task, $authToken) {
             foreach ($hosts as $host) {
-                $processes[] = $this->createProcess($host, $task, $port);
+                $processes[] = $this->createProcess($host, $task, $port, $authToken);
             }
 
             foreach ($processes as $process) {
@@ -242,7 +244,7 @@ private function runTask(Task $task, array $hosts): int
         return $this->cumulativeExitCode($processes);
     }
 
-    protected function createProcess(Host $host, Task $task, int $port): Process
+    protected function createProcess(Host $host, Task $task, int $port, string $authToken): Process
     {
         $command = [
             $this->phpBin, DEPLOYER_BIN,
@@ -257,7 +259,9 @@ protected function createProcess(Host $host, Task $task, int $port): Process
         if ($this->output->isDebug()) {
             $this->output->writeln("[$host] " . join(' ', $command));
         }
-        return new Process($command);
+        $process = new Process($command);
+        $process->setEnv(['DEPLOYER_MASTER_TOKEN' => $authToken]);
+        return $process;
     }
 
     /**

src/Executor/Server.php

@@ -38,13 +38,16 @@ class Server
     private Closure $tickerCallback;
     private Closure $routerCallback;
 
+    private ?string $authToken = null;
+
     /**
      * Timeout in seconds for idle client connections.
      */
     private float $clientTimeout = 30.0;
 
     private const REASON_PHRASES = [
         200 => 'OK',
+        403 => 'Forbidden',
         404 => 'Not Found',
         500 => 'Internal Server Error',
     ];
@@ -167,7 +170,16 @@ private function handleClientRequests(): void
 
             // Process the complete request.
             try {
-                [$path, $payload] = self::parseRequest($buffer);
+                [$path, $payload, $headers] = self::parseRequest($buffer);
+
+                if ($this->authToken !== null) {
+                    $provided = $headers['authorization'] ?? '';
+                    if ($provided !== "Bearer {$this->authToken}") {
+                        $this->sendResponse($socket, new Response(403, ['error' => 'Forbidden']));
+                        continue;
+                    }
+                }
+
                 $response = ($this->routerCallback)($path, $payload);
                 $this->sendResponse($socket, $response);
             } catch (\Throwable $e) {
@@ -208,9 +220,9 @@ public static function isCompleteRequest(string $buffer): bool
     }
 
     /**
-     * Parse a complete HTTP request into path and JSON payload.
+     * Parse a complete HTTP request into path, payload, and headers.
      *
-     * @return array{0: string, 1: mixed}
+     * @return array{0: string, 1: mixed, 2: array<string, string>}
      */
     public static function parseRequest(string $request): array
     {
@@ -249,7 +261,7 @@ public static function parseRequest(string $request): array
         }
 
         $payload = json_decode($body, true, flags: JSON_THROW_ON_ERROR);
-        return [$path, $payload];
+        return [$path, $payload, $headers];
     }
 
     /**
@@ -310,6 +322,11 @@ public function router(Closure $callback): void
         $this->routerCallback = $callback;
     }
 
+    public function setAuthToken(string $token): void
+    {
+        $this->authToken = $token;
+    }
+
     public function stop(): void
     {
         $this->stop = true;

tests/src/Executor/ServerTest.php

@@ -71,10 +71,11 @@ public function testParseRequestValid(): void
         $body = '{"host":"web","config":{}}';
         $request = "POST /save HTTP/1.1\r\nContent-Type: application/json\r\nContent-Length: " . strlen($body) . "\r\n\r\n" . $body;
 
-        [$path, $payload] = Server::parseRequest($request);
+        [$path, $payload, $headers] = Server::parseRequest($request);
 
         self::assertSame('/save', $path);
         self::assertSame(['host' => 'web', 'config' => []], $payload);
+        self::assertSame('application/json', $headers['content-type']);
     }
 
     #[Group('unit')]
@@ -83,7 +84,7 @@ public function testParseRequestTrimsBodyToContentLength(): void
         $body = '{"a":1}';
         $request = "POST /save HTTP/1.1\r\nContent-Type: application/json\r\nContent-Length: " . strlen($body) . "\r\n\r\n" . $body . "garbage";
 
-        [$path, $payload] = Server::parseRequest($request);
+        [$path, $payload, $headers] = Server::parseRequest($request);
 
         self::assertSame('/save', $path);
         self::assertSame(['a' => 1], $payload);
@@ -95,7 +96,7 @@ public function testParseRequestCaseInsensitiveHeaders(): void
         $body = '{"ok":true}';
         $request = "POST /load HTTP/1.1\r\ncontent-type: application/json\r\ncontent-length: " . strlen($body) . "\r\n\r\n" . $body;
 
-        [$path, $payload] = Server::parseRequest($request);
+        [$path, $payload, $headers] = Server::parseRequest($request);
 
         self::assertSame('/load', $path);
         self::assertSame(['ok' => true], $payload);
@@ -119,6 +120,18 @@ public function testParseRequestThrowsOnMissingHeaderTerminator(): void
         Server::parseRequest("POST /save HTTP/1.1\r\nContent-Type: application/json");
     }
 
+    #[Group('unit')]
+    public function testParseRequestReturnsAuthorizationHeader(): void
+    {
+        $body = '{"a":1}';
+        $request = "POST /load HTTP/1.1\r\nContent-Type: application/json\r\nAuthorization: Bearer secret123\r\nContent-Length: " . strlen($body) . "\r\n\r\n" . $body;
+
+        [$path, $payload, $headers] = Server::parseRequest($request);
+
+        self::assertSame('/load', $path);
+        self::assertSame('Bearer secret123', $headers['authorization']);
+    }
+
     #[Group('unit')]
     public function testParseRequestThrowsOnInvalidContentType(): void
     {
@@ -165,14 +178,16 @@ public function testWriteAllWritesLargeData(): void
 
     // ─── Integration: real server lifecycle ──────────────────────
 
-    private static function buildHttpRequest(string $method, string $path, array $payload): string
+    private static function buildHttpRequest(string $method, string $path, array $payload, ?string $token = null): string
     {
         $body = json_encode($payload);
-        return "$method $path HTTP/1.1\r\n"
+        $headers = "$method $path HTTP/1.1\r\n"
             . "Content-Type: application/json\r\n"
-            . "Content-Length: " . strlen($body) . "\r\n"
-            . "\r\n"
-            . $body;
+            . "Content-Length: " . strlen($body) . "\r\n";
+        if ($token !== null) {
+            $headers .= "Authorization: Bearer $token\r\n";
+        }
+        return $headers . "\r\n" . $body;
     }
 
     #[Group('integration')]
@@ -324,4 +339,149 @@ public function testServerHandlesMultipleConnections(): void
 
         self::assertSame(2, $requestCount);
     }
+
+    #[Group('integration')]
+    public function testServerRejectsRequestWithoutToken(): void
+    {
+        $output = new BufferedOutput();
+        $server = new Server('127.0.0.1', 0, $output);
+        $server->setAuthToken('secret-token');
+
+        $routerCalled = false;
+        $server->router(function (string $path, array $payload) use (&$routerCalled) {
+            $routerCalled = true;
+            return new Response(200, ['ok' => true]);
+        });
+
+        $clientSocket = null;
+        $responseData = '';
+
+        $server->afterRun(function (int $port) use (&$clientSocket) {
+            $clientSocket = stream_socket_client("tcp://127.0.0.1:$port", $errno, $errstr, 5);
+            stream_set_blocking($clientSocket, false);
+            // Send request without Authorization header.
+            fwrite($clientSocket, self::buildHttpRequest('POST', '/load', ['host' => 'web']));
+        });
+
+        $tickCount = 0;
+        $server->ticker(function () use ($server, &$tickCount, &$clientSocket, &$responseData) {
+            $tickCount++;
+            if ($clientSocket) {
+                $chunk = @fread($clientSocket, 65536);
+                if ($chunk !== false && $chunk !== '') {
+                    $responseData .= $chunk;
+                }
+                if ($responseData !== '' && feof($clientSocket)) {
+                    fclose($clientSocket);
+                    $clientSocket = null;
+                    $server->stop();
+                    return;
+                }
+            }
+            if ($tickCount >= 30) {
+                $server->stop();
+            }
+        });
+
+        $server->run();
+
+        self::assertFalse($routerCalled, 'Router should not be called for unauthorized request');
+        self::assertStringContainsString('403 Forbidden', $responseData);
+    }
+
+    #[Group('integration')]
+    public function testServerRejectsRequestWithWrongToken(): void
+    {
+        $output = new BufferedOutput();
+        $server = new Server('127.0.0.1', 0, $output);
+        $server->setAuthToken('correct-token');
+
+        $routerCalled = false;
+        $server->router(function (string $path, array $payload) use (&$routerCalled) {
+            $routerCalled = true;
+            return new Response(200, ['ok' => true]);
+        });
+
+        $clientSocket = null;
+        $responseData = '';
+
+        $server->afterRun(function (int $port) use (&$clientSocket) {
+            $clientSocket = stream_socket_client("tcp://127.0.0.1:$port", $errno, $errstr, 5);
+            stream_set_blocking($clientSocket, false);
+            fwrite($clientSocket, self::buildHttpRequest('POST', '/load', ['host' => 'web'], 'wrong-token'));
+        });
+
+        $tickCount = 0;
+        $server->ticker(function () use ($server, &$tickCount, &$clientSocket, &$responseData) {
+            $tickCount++;
+            if ($clientSocket) {
+                $chunk = @fread($clientSocket, 65536);
+                if ($chunk !== false && $chunk !== '') {
+                    $responseData .= $chunk;
+                }
+                if ($responseData !== '' && feof($clientSocket)) {
+                    fclose($clientSocket);
+                    $clientSocket = null;
+                    $server->stop();
+                    return;
+                }
+            }
+            if ($tickCount >= 30) {
+                $server->stop();
+            }
+        });
+
+        $server->run();
+
+        self::assertFalse($routerCalled, 'Router should not be called for wrong token');
+        self::assertStringContainsString('403 Forbidden', $responseData);
+    }
+
+    #[Group('integration')]
+    public function testServerAcceptsRequestWithCorrectToken(): void
+    {
+        $output = new BufferedOutput();
+        $server = new Server('127.0.0.1', 0, $output);
+        $server->setAuthToken('correct-token');
+
+        $routerCalled = false;
+        $server->router(function (string $path, array $payload) use (&$routerCalled) {
+            $routerCalled = true;
+            return new Response(200, ['ok' => true]);
+        });
+
+        $clientSocket = null;
+        $responseData = '';
+
+        $server->afterRun(function (int $port) use (&$clientSocket) {
+            $clientSocket = stream_socket_client("tcp://127.0.0.1:$port", $errno, $errstr, 5);
+            stream_set_blocking($clientSocket, false);
+            fwrite($clientSocket, self::buildHttpRequest('POST', '/load', ['host' => 'web'], 'correct-token'));
+        });
+
+        $tickCount = 0;
+        $server->ticker(function () use ($server, &$tickCount, &$clientSocket, &$responseData) {
+            $tickCount++;
+            if ($clientSocket) {
+                $chunk = @fread($clientSocket, 65536);
+                if ($chunk !== false && $chunk !== '') {
+                    $responseData .= $chunk;
+                }
+                if ($responseData !== '' && feof($clientSocket)) {
+                    fclose($clientSocket);
+                    $clientSocket = null;
+                    $server->stop();
+                    return;
+                }
+            }
+            if ($tickCount >= 30) {
+                $server->stop();
+            }
+        });
+
+        $server->run();
+
+        self::assertTrue($routerCalled, 'Router should be called for authorized request');
+        self::assertStringContainsString('200 OK', $responseData);
+    }
 }