feat: added protection in the metrics routes

Author: nijoe1

.env.example

@@ -6,4 +6,5 @@ INDEXER_URL=https://grants-stack-indexer-v2.gitcoin.co/
 NODE_ENV=development
 
 NEW_RELIC_APP_NAME=retrofunding-api 
-NEW_RELIC_LICENSE_KEY=XXXXXXXXXXXXX
+NEW_RELIC_LICENSE_KEY=XXXXXXXXXXXXX
+ADMIN_API_KEY=XXXXXXXXXXXXX

src/controllers/adminAuthMiddleware.ts

@@ -0,0 +1,12 @@
+import { env } from '@/env';
+import { UnauthorizedError } from '@/errors';
+import { type Request, type Response } from 'express';
+
+export const adminAuthMiddleware = (req: Request, res: Response): void => {
+  const adminApiKey = req.headers['x-admin-api-key'];
+
+  if (adminApiKey !== env.ADMIN_API_KEY) {
+    res.status(401).json({ message: 'Unauthorized' });
+    throw new UnauthorizedError('Unauthorized');
+  }
+};

src/controllers/metricController.ts

@@ -3,6 +3,7 @@ import metricService from '@/service/MetricService';
 import { catchError, validateRequest } from '@/utils';
 import { type Metric, MetricOrientation } from '@/entity/Metric';
 import { BadRequestError, IsNullError } from '@/errors';
+import { adminAuthMiddleware } from '@/controllers/adminAuthMiddleware';
 import { createLogger } from '@/logger';
 
 const logger = createLogger();
@@ -31,8 +32,7 @@ export const addMetrics = async (
   // Validate the incoming request
   validateRequest(req, res);
 
-  // TODO: ensure caller is admin
-
+  adminAuthMiddleware(req, res);
   const data = req.body as Metric[];
 
   // Combined validation to check if req.body is Metric[]
@@ -66,6 +66,8 @@ export const updateMetric = async (
   const identifier = req.params.identifier;
   const metric = req.body as Partial<Metric>;
 
+  adminAuthMiddleware(req, res);
+
   const [error, metrics] = await catchError(
     metricService.updateMetric(identifier, metric)
   );

src/routes/metricRoutes.ts

@@ -10,6 +10,15 @@ const router = Router();
  *     tags:
  *       - metrics
  *     summary: Adds an array of metrics to the database
+ *     security:
+ *       - AdminApiKey: []
+ *     parameters:
+ *       - in: header
+ *         name: X-Admin-API-Key
+ *         schema:
+ *           type: string
+ *         required: true
+ *         description: Admin API key for authentication
  *     requestBody:
  *       required: true
  *       content:
@@ -70,6 +79,8 @@ const router = Router();
  *         description: Metrics added successfully
  *       400:
  *         description: Invalid input
+ *       401:
+ *         description: Unauthorized - Invalid or missing admin API key
  *       500:
  *         description: Internal server error
  */
@@ -82,6 +93,8 @@ router.post('/', addMetrics);
  *     tags:
  *       - metrics
  *     summary: Updates a metric
+ *     security:
+ *       - AdminApiKey: []
  *     parameters:
  *       - in: path
  *         name: identifier
@@ -90,6 +103,12 @@ router.post('/', addMetrics);
  *         schema:
  *           type: string
  *           example: "userEngagement"
+ *       - in: header
+ *         name: X-Admin-API-Key
+ *         schema:
+ *           type: string
+ *         required: true
+ *         description: Admin API key for authentication
  *     requestBody:
  *       required: true
  *       content:
@@ -106,6 +125,8 @@ router.post('/', addMetrics);
  *         description: Metric updated successfully
  *       400:
  *         description: Invalid input
+ *       401:
+ *         description: Unauthorized - Invalid or missing admin API key
  *       500:
  *         description: Internal server error
  */