KTOR-9162 Auth API key plugin (#5243)

* KTOR-9162 Auth API key plugin

* fix multiplatform tests

* addressing validate method issue (review comments)

* add missing kdoc

* applying review comments

* better null safety

* add api files

* apply review feedbacks

* fix build issues

* fix api files

* Update artifacts dump

---------

Co-authored-by: Bruce Hamilton <[email protected]>

Author: nathanfallet

gradle/artifacts/publishJvmAndCommonPublications.txt

@@ -331,6 +331,13 @@ io.ktor:ktor-serialization/.jar
 io.ktor:ktor-serialization/javadoc.jar
 io.ktor:ktor-serialization/kotlin-tooling-metadata.json
 io.ktor:ktor-serialization/sources.jar
+io.ktor:ktor-server-auth-api-key-jvm/.jar
+io.ktor:ktor-server-auth-api-key-jvm/javadoc.jar
+io.ktor:ktor-server-auth-api-key-jvm/sources.jar
+io.ktor:ktor-server-auth-api-key/.jar
+io.ktor:ktor-server-auth-api-key/javadoc.jar
+io.ktor:ktor-server-auth-api-key/kotlin-tooling-metadata.json
+io.ktor:ktor-server-auth-api-key/sources.jar
 io.ktor:ktor-server-auth-jvm/.jar
 io.ktor:ktor-server-auth-jvm/javadoc.jar
 io.ktor:ktor-server-auth-jvm/sources.jar

ktor-server/ktor-server-plugins/ktor-server-auth-api-key/api/ktor-server-auth-api-key.api

@@ -0,0 +1,23 @@
+public final class io/ktor/server/auth/apikey/ApiKeyAuth {
+	public static final field DEFAULT_HEADER_NAME Ljava/lang/String;
+	public static final field INSTANCE Lio/ktor/server/auth/apikey/ApiKeyAuth;
+}
+
+public final class io/ktor/server/auth/apikey/ApiKeyAuthKt {
+	public static final fun apiKey (Lio/ktor/server/auth/AuthenticationConfig;Ljava/lang/String;Lkotlin/jvm/functions/Function1;)V
+	public static synthetic fun apiKey$default (Lio/ktor/server/auth/AuthenticationConfig;Ljava/lang/String;Lkotlin/jvm/functions/Function1;ILjava/lang/Object;)V
+}
+
+public final class io/ktor/server/auth/apikey/ApiKeyAuthenticationProvider : io/ktor/server/auth/AuthenticationProvider {
+	public fun onAuthenticate (Lio/ktor/server/auth/AuthenticationContext;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+}
+
+public final class io/ktor/server/auth/apikey/ApiKeyAuthenticationProvider$Configuration : io/ktor/server/auth/AuthenticationProvider$Config {
+	public final fun challenge (Lkotlin/jvm/functions/Function2;)V
+	public final fun getAuthScheme ()Ljava/lang/String;
+	public final fun getHeaderName ()Ljava/lang/String;
+	public final fun setAuthScheme (Ljava/lang/String;)V
+	public final fun setHeaderName (Ljava/lang/String;)V
+	public final fun validate (Lkotlin/jvm/functions/Function3;)V
+}
+

ktor-server/ktor-server-plugins/ktor-server-auth-api-key/api/ktor-server-auth-api-key.klib.api

@@ -0,0 +1,30 @@
+// Klib ABI Dump
+// Targets: [androidNativeArm32, androidNativeArm64, androidNativeX64, androidNativeX86, iosArm64, iosSimulatorArm64, iosX64, js, linuxArm64, linuxX64, macosArm64, macosX64, mingwX64, tvosArm64, tvosSimulatorArm64, tvosX64, wasmJs, watchosArm32, watchosArm64, watchosDeviceArm64, watchosSimulatorArm64, watchosX64]
+// Rendering settings:
+// - Signature version: 2
+// - Show manifest properties: true
+// - Show declarations: true
+
+// Library unique name: <io.ktor:ktor-server-auth-api-key>
+final class io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider : io.ktor.server.auth/AuthenticationProvider { // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider|null[0]
+    final suspend fun onAuthenticate(io.ktor.server.auth/AuthenticationContext) // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.onAuthenticate|onAuthenticate(io.ktor.server.auth.AuthenticationContext){}[0]
+
+    final class Configuration : io.ktor.server.auth/AuthenticationProvider.Config { // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration|null[0]
+        final var authScheme // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration.authScheme|{}authScheme[0]
+            final fun <get-authScheme>(): kotlin/String // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration.authScheme.<get-authScheme>|<get-authScheme>(){}[0]
+            final fun <set-authScheme>(kotlin/String) // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration.authScheme.<set-authScheme>|<set-authScheme>(kotlin.String){}[0]
+        final var headerName // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration.headerName|{}headerName[0]
+            final fun <get-headerName>(): kotlin/String // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration.headerName.<get-headerName>|<get-headerName>(){}[0]
+            final fun <set-headerName>(kotlin/String) // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration.headerName.<set-headerName>|<set-headerName>(kotlin.String){}[0]
+
+        final fun challenge(kotlin.coroutines/SuspendFunction1<io.ktor.server.application/ApplicationCall, kotlin/Unit>) // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration.challenge|challenge(kotlin.coroutines.SuspendFunction1<io.ktor.server.application.ApplicationCall,kotlin.Unit>){}[0]
+        final fun validate(kotlin.coroutines/SuspendFunction2<io.ktor.server.application/ApplicationCall, kotlin/String, kotlin/Any?>) // io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration.validate|validate(kotlin.coroutines.SuspendFunction2<io.ktor.server.application.ApplicationCall,kotlin.String,kotlin.Any?>){}[0]
+    }
+}
+
+final object io.ktor.server.auth.apikey/ApiKeyAuth { // io.ktor.server.auth.apikey/ApiKeyAuth|null[0]
+    final const val DEFAULT_HEADER_NAME // io.ktor.server.auth.apikey/ApiKeyAuth.DEFAULT_HEADER_NAME|{}DEFAULT_HEADER_NAME[0]
+        final fun <get-DEFAULT_HEADER_NAME>(): kotlin/String // io.ktor.server.auth.apikey/ApiKeyAuth.DEFAULT_HEADER_NAME.<get-DEFAULT_HEADER_NAME>|<get-DEFAULT_HEADER_NAME>(){}[0]
+}
+
+final fun (io.ktor.server.auth/AuthenticationConfig).io.ktor.server.auth.apikey/apiKey(kotlin/String? = ..., kotlin/Function1<io.ktor.server.auth.apikey/ApiKeyAuthenticationProvider.Configuration, kotlin/Unit>) // io.ktor.server.auth.apikey/apiKey|[email protected](kotlin.String?;kotlin.Function1<io.ktor.server.auth.apikey.ApiKeyAuthenticationProvider.Configuration,kotlin.Unit>){}[0]

ktor-server/ktor-server-plugins/ktor-server-auth-api-key/build.gradle.kts

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2014-2025 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+plugins {
+    id("ktorbuild.project.server-plugin")
+    id("kotlinx-serialization")
+}
+
+kotlin {
+    sourceSets {
+        commonMain.dependencies {
+            api(projects.ktorServerAuth)
+        }
+        commonTest.dependencies {
+            api(projects.ktorServerContentNegotiation)
+            api(projects.ktorClientContentNegotiation)
+            api(projects.ktorSerializationKotlinxJson)
+            api(libs.kotlinx.serialization.json)
+        }
+    }
+}

ktor-server/ktor-server-plugins/ktor-server-auth-api-key/common/src/io/ktor/server/auth/apikey/ApiKeyAuth.kt

@@ -0,0 +1,135 @@
+/*
+ * Copyright 2014-2021 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package io.ktor.server.auth.apikey
+
+import io.ktor.http.*
+import io.ktor.server.application.*
+import io.ktor.server.auth.*
+import io.ktor.server.request.*
+import io.ktor.server.response.*
+
+/**
+ * Installs API Key authentication mechanism.
+ *
+ * @param name optional name for this authentication provider. If not specified, a default name will be used.
+ * @param configure configuration block for setting up the API Key authentication provider.
+ */
+public fun AuthenticationConfig.apiKey(
+    name: String? = null,
+    configure: ApiKeyAuthenticationProvider.Configuration.() -> Unit,
+) {
+    val provider = ApiKeyAuthenticationProvider(ApiKeyAuthenticationProvider.Configuration(name).apply(configure))
+    register(provider)
+}
+
+/**
+ * Alias for function signature that is invoked when verifying an API key from a header.
+ *
+ * The function receives the API key as a [String] parameter and should return an arbitrary
+ * principal object (for example, a user or service identity) if authentication succeeds,
+ * or null if authentication fails.
+ */
+public typealias ApiKeyAuthenticationFunction = suspend ApplicationCall.(String) -> Any?
+
+/**
+ * Alias for function signature that is called when authentication fails.
+ */
+public typealias ApiKeyAuthChallengeFunction = suspend (ApplicationCall) -> Unit
+
+/**
+ * Represents an API Key authentication provider.
+ *
+ * This provider extracts an API key from a specified header and validates it using
+ * the configured authentication function.
+ *
+ * @param configuration the configuration for this authentication provider.
+ */
+public class ApiKeyAuthenticationProvider internal constructor(
+    configuration: Configuration,
+) : AuthenticationProvider(configuration) {
+
+    private val headerName: String = configuration.headerName
+    private val authenticationFunction = requireNotNull(configuration.authenticationFunction) {
+        "API Key authentication requires a validate() function to be configured"
+    }
+    private val challengeFunction = configuration.challengeFunction
+    private val authScheme = configuration.authScheme
+
+    override suspend fun onAuthenticate(context: AuthenticationContext) {
+        val apiKey = context.call.request.header(headerName)
+        val principal = apiKey?.let { authenticationFunction(context.call, it) }
+
+        val cause = when {
+            apiKey == null -> AuthenticationFailedCause.NoCredentials
+            principal == null -> AuthenticationFailedCause.InvalidCredentials
+            else -> null
+        }
+
+        if (cause != null) {
+            context.challenge(authScheme, cause) { challenge, call ->
+                challengeFunction(call)
+                challenge.complete()
+            }
+        }
+        if (principal != null) {
+            context.principal(principal)
+        }
+    }
+
+    /**
+     * Configuration for API Key authentication.
+     *
+     * @param name optional name for this authentication provider.
+     */
+    public class Configuration internal constructor(name: String?) : Config(name) {
+
+        internal var authenticationFunction: ApiKeyAuthenticationFunction? = null
+
+        internal var challengeFunction: ApiKeyAuthChallengeFunction = { call ->
+            call.respond(HttpStatusCode.Unauthorized)
+        }
+
+        /**
+         * Name of the scheme used when challenge fails, see [AuthenticationContext.challenge].
+         */
+        public var authScheme: String = "apiKey"
+
+        /**
+         * Name of the header that will be used as a source for the api key.
+         */
+        public var headerName: String = ApiKeyAuth.DEFAULT_HEADER_NAME
+
+        /**
+         * Sets a validation function that will check the given API key retrieved from the [headerName] header
+         * and return an arbitrary principal object (for example, a user or service identity) if authentication
+         * succeeds, or null if authentication fails.
+         *
+         * @param body the validation function that receives the API key as a [String] parameter and returns
+         * an arbitrary principal object or null.
+         */
+        public fun validate(body: ApiKeyAuthenticationFunction) {
+            authenticationFunction = body
+        }
+
+        /**
+         * A response to send back if authentication failed.
+         *
+         * @param body the challenge function that handles authentication failures.
+         */
+        public fun challenge(body: ApiKeyAuthChallengeFunction) {
+            challengeFunction = body
+        }
+    }
+}
+
+/**
+ * Constants related to API Key authentication.
+ */
+public object ApiKeyAuth {
+    /**
+     * Default name of the header that will be used as a source for the API key.
+     */
+    public const val DEFAULT_HEADER_NAME: String = "X-Api-Key"
+}

ktor-server/ktor-server-plugins/ktor-server-auth-api-key/common/test/io/ktor/server/auth/apikey/ApiKeyAuthTest.kt

@@ -0,0 +1,154 @@
+/*
+ * Copyright 2014-2021 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package io.ktor.server.auth.apikey
+
+import io.ktor.client.call.*
+import io.ktor.client.plugins.contentnegotiation.*
+import io.ktor.client.request.*
+import io.ktor.http.*
+import io.ktor.serialization.kotlinx.json.*
+import io.ktor.server.auth.*
+import io.ktor.server.response.*
+import io.ktor.server.testing.*
+import kotlinx.serialization.Serializable
+import kotlin.random.Random
+import kotlin.test.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertFailsWith
+
+class ApiKeyAuthTest {
+
+    @Serializable
+    private data class ApiKeyPrincipal(val key: String)
+
+    private val defaultHeader = "X-Api-Key"
+
+    @Test
+    fun `test apikey requires validate method to be configured`() {
+        testApplication {
+            install(Authentication) {
+                val exception = assertFailsWith<IllegalArgumentException> {
+                    apiKey(apiKeyAuth) {}
+                }
+
+                assertEquals(
+                    "API Key authentication requires a validate() function to be configured",
+                    exception.message
+                )
+            }
+        }
+    }
+
+    @Test
+    fun `test apikey auth does not influence open routes`() {
+        val apiKey = Random.nextLong().toString()
+
+        val module = buildApplicationModule {
+            validate { header -> header.takeIf { it == apiKey }?.let { ApiKeyPrincipal(it) } }
+        }
+
+        testApplication {
+            application(module)
+            val client = createClient { install(ContentNegotiation) { json() } }
+
+            var response = client.get(Routes.OPEN)
+            assertEquals(HttpStatusCode.OK, response.status)
+
+            response = client.get(Routes.OPEN) {
+                header(defaultHeader, apiKey)
+            }
+            assertEquals(HttpStatusCode.OK, response.status)
+
+            response = client.get(Routes.OPEN) {
+                header(defaultHeader, "$apiKey-wrong")
+            }
+            assertEquals(HttpStatusCode.OK, response.status)
+        }
+    }
+
+    @Test
+    fun `test reasonable defaults work`() {
+        val apiKey = Random.nextLong().toString()
+
+        val module = buildApplicationModule {
+            validate { header -> header.takeIf { it == apiKey }?.let { ApiKeyPrincipal(it) } }
+        }
+
+        testApplication {
+            application(module)
+            val client = createClient { install(ContentNegotiation) { json() } }
+
+            // correct header
+            val response = client.get(Routes.AUTHENTICATED) {
+                header(defaultHeader, apiKey)
+            }
+            assertEquals(HttpStatusCode.OK, response.status)
+            val principal = response.body<ApiKeyPrincipal>()
+            assertEquals(ApiKeyPrincipal(apiKey), principal)
+
+            // incorrect header
+            val unauthorizedResponse = client.get(Routes.AUTHENTICATED) {
+                header(defaultHeader, "$apiKey-wrong")
+            }
+            assertEquals(HttpStatusCode.Unauthorized, unauthorizedResponse.status)
+        }
+    }
+
+    @Test
+    fun `test auth should accept valid api key`() {
+        // use different from default code to verify that it actually works
+        val errorStatus = HttpStatusCode.Conflict
+        val header = "hello"
+        val apiKey = "world"
+
+        val module = buildApplicationModule {
+            headerName = header
+            challenge { call -> call.respond(errorStatus) }
+            validate { header -> header.takeIf { it == apiKey }?.let { ApiKeyPrincipal(it) } }
+        }
+        testApplication {
+            application(module)
+            val client = createClient { install(ContentNegotiation) { json() } }
+
+            val response = client.get(Routes.AUTHENTICATED) {
+                header(header, apiKey)
+            }
+            assertEquals(HttpStatusCode.OK, response.status)
+            val principal = response.body<ApiKeyPrincipal>()
+            assertEquals(ApiKeyPrincipal(apiKey), principal)
+        }
+    }
+
+    @Test
+    fun `test auth should accept reject invalid api key`() {
+        val errorStatus = HttpStatusCode.Conflict
+        val header = "hello"
+        val apiKey = "world"
+
+        val module = buildApplicationModule {
+            headerName = header
+            challenge { call -> call.respond(errorStatus) }
+            validate { header -> header.takeIf { it == apiKey }?.let { ApiKeyPrincipal(it) } }
+        }
+        testApplication {
+            application(module)
+            val client = createClient { install(ContentNegotiation) { json() } }
+
+            // correct header
+            val response = client.get(Routes.AUTHENTICATED) {
+                header(header, apiKey)
+            }
+            assertEquals(HttpStatusCode.OK, response.status)
+            val principal = response.body<ApiKeyPrincipal>()
+            assertEquals(ApiKeyPrincipal(apiKey), principal)
+
+            // incorrect header
+            val unauthorizedResponse = client.get(Routes.AUTHENTICATED) {
+                header(header, "$apiKey-wrong")
+            }
+            assertEquals(errorStatus, unauthorizedResponse.status)
+        }
+    }
+}