Skip to content

Commit 90cdb5f

Browse files
authored
Merge pull request #41 from zenstackhq/auth
feat: support Authentication and Authorization for the proxy
2 parents 898c98e + 4dea042 commit 90cdb5f

8 files changed

Lines changed: 825 additions & 20 deletions

File tree

.github/workflows/build-test.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,3 +57,6 @@ jobs:
5757
run: |
5858
pnpm run build
5959
pnpm tsx scripts/post-build.ts
60+
61+
- name: Test
62+
run: pnpm test

README.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,9 @@ zenstack-proxy [options]
2222
- `-p, --port <number>` Port number for the server (default: `8008`)
2323
- `-s, --schema <path>` - Path to ZModel schema file (default: "schema.zmodel")
2424
- `-d, --datasource-url <url>` Datasource URL (overrides schema configuration)
25+
- `--studioAuthKey <key>` Authentication key from ZenStack Studio. When set, the proxy will only accept requests signed by your Studio project.
2526
- `-l, --log <level...>` Query log levels (e.g., query, info, warn, error)
27+
- `--signature-tolerance-secs <number>` Time tolerance in seconds for signed requests (default: `60`)
2628

2729
### Examples
2830

@@ -46,6 +48,20 @@ zenstack-proxy -s ./schema/schema.zmodel -z ./generated/zenstack
4648
zenstack-proxy -p 8888
4749
```
4850

51+
#### Enable signed requests
52+
53+
```bash
54+
zenstack-proxy --studioAuthKey "MCowBQYDK2VwAyEAFSJV7wjdFuDz2CqYX7hGnITQvcmJYy7OJQq2Cy2Eiqs="
55+
```
56+
57+
When `--studioAuthKey` is provided, every incoming request must include an `X-ZenStack-Signature` header in the format `t=<unix timestamp>,v1=<base64url signature>`.
58+
The signed message format matches ZenStack Studio: `payload + timestamp [+ authorizationToken]`.
59+
60+
- For `GET` and `DELETE` requests, `payload` is the raw query string without the leading `?`.
61+
- For body-based requests, `payload` is the exact JSON request body string.
62+
- For requests without query params or a request body, `payload` is an empty string.
63+
- If an `Authorization: Bearer <token>` header is present, append `<token>` to the signed message.
64+
4965
## Server Endpoints
5066

5167
The server provides the following endpoints:

package.json

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"name": "@zenstackhq/proxy",
3-
"version": "0.4.2",
3+
"version": "0.5.0",
44
"description": "A CLI tool to run an Express server that proxies CRUD requests to a ZenStack backend",
55
"main": "index.js",
66
"publishConfig": {
@@ -18,7 +18,8 @@
1818
},
1919
"scripts": {
2020
"clean": "rimraf dist",
21-
"build": "pnpm clean && tsc && copyfiles -F \"bin/*\" dist && copyfiles ./README.md ./LICENSE ./package.json dist && pnpm pack dist --pack-destination ../build"
21+
"build": "pnpm clean && tsc && copyfiles -F \"bin/*\" dist && copyfiles ./README.md ./LICENSE ./package.json dist && pnpm pack dist --pack-destination ../build",
22+
"test": "node --require tsx/cjs --test test/*.test.ts "
2223
},
2324
"keywords": [
2425
"zenstack",
@@ -49,8 +50,10 @@
4950
"@types/express": "^5.0.0",
5051
"@types/node": "^20.0.0",
5152
"@types/semver": "^7.7.1",
53+
"@types/supertest": "^6.0.2",
5254
"copyfiles": "^2.4.1",
5355
"rimraf": "^4.0.0",
56+
"supertest": "^7.0.0",
5457
"typescript": "^5.0.0"
5558
},
5659
"exports": {

0 commit comments

Comments
 (0)