[Application] Use Spring Security for API Key validation.

[binchoo]

As-is: No API keys are required for calling the paimonganyu-skill endpoints. If an attacker who uses a fake KakaoTalk chatbot sends a request to our endpoints via the ikakao skill connectors, he may find a botUserId matching one in the PaimonGanyu system with a very low probability.

To-be: Although the probability is significantly low, I do not want to have this vulnerability affect my system. So I'll implement an API key validation using Spring Security filter chain.

[binchoo]

Change Impact

• Spring Security configuration

  @Configuration
  @EnableWebSecurity
  public class SecurityConfig extends WebSecurityConfigurerAdapter {
  
  @Value("${auth.apikey}")
  private String expectedApiKey;
  
  @Override
  protected void configure(HttpSecurity http) throws Exception {
      http
          .antMatcher("/ikakao/**")
              .authorizeRequests().anyRequest().permitAll()
              .and()
              .addFilterBefore(new ApiKeyValidationFilter(expectedApiKey), BasicAuthenticationFilter.class)
          .csrf().disable();
  }
  }

• API Key validation filter

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
  var httpRequest = (HttpServletRequest) request;
  var httpResponse = (HttpServletResponse) response;
  
  String actualApiKey = httpRequest.getHeader(HEADER_X_API_KEY);
  
  if (expectedApiKey.equals(actualApiKey)) {
      chain.doFilter(request, response);
  } else {
      httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
      String clientIp = httpRequest.getHeader(HEADER_X_FORWARDED_FOR);
      logger.warn("[Security] Unauthorized api-key: {} from {}", actualApiKey, clientIp);
  }
  }