Add support for API Key to token

Author: servilla

tests/test_iam.py

@@ -14,6 +14,7 @@
     7/31/25
 """
 import pytest
+from iam_lib.api.api_key import ApiKeyClient
 
 from config import Config
 from edi.iam import IAM
@@ -32,6 +33,18 @@ def edi_token_client():
         truststore="/etc/ssl/certs/ca-certificates.crt"
     )
 
+@pytest.fixture
+def api_key_client():
+    return ApiKeyClient(
+        scheme="https",
+        host="127.0.0.1:5443",
+        accept="json",
+        public_key_path="/home/pasta/git/iam-lib/tests/data/public_key.pem",
+        algorithm="ES256",
+        token=None,
+        truststore="/etc/ssl/certs/ca-certificates.crt"
+    )
+
 @pytest.mark.asyncio
 async def test_create_token():
     iam = IAM()
@@ -40,7 +53,13 @@ async def test_create_token():
 
 def test_iam_lib_create_token(edi_token_client: EdiTokenClient):
     edi_token_response = edi_token_client.create_token(profile_edi_identifier=Config.PUBLIC_ID, key=Config.AUTH_KEY)
-    edi_token = edi_token_response["token"]
+    edi_token = edi_token_response["edi-token"]
     assert edi_token is not None
-    token = Token(edi_token_response["token"])
+    token = Token(edi_token)
     token.validate(public_key_path=Config.AUTH_PUBLIC_KEY, algorithm=Config.JWT_ALGORITHM),
+
+def test_iam_lib_key_to_token(api_key_client: ApiKeyClient):
+    api_key_response = api_key_client.key_to_token(key="pddKCt7H_pODw-k0ExVpNmGhLO8")
+    # auth_token = api_key_response["auth-token"]
+    edi_token = api_key_response["edi-token"]
+    assert edi_token is not None

webapp/auth/authenticate.py

@@ -17,6 +17,7 @@
 
 import daiquiri
 import httpx
+from iam_lib.api.api_key import ApiKeyClient
 from iam_lib.api.edi_token import EdiTokenClient
 from iam_lib.exceptions import IAMResponseError, IAMInvalidToken
 import ssl
@@ -50,11 +51,28 @@ async def authenticate(request: Request) -> tuple:
         truststore=Config.CA_FILE
     )
 
+    api_key_client = ApiKeyClient(
+        scheme=Config.AUTH_SCHEME,
+        host=Config.AUTH_HOST,
+        accept=Config.ACCEPT_TYPE,
+        public_key_path=Config.AUTH_PUBLIC_KEY,
+        algorithm=Config.JWT_ALGORITHM,
+        token=None,
+        truststore=Config.CA_FILE
+
+    )
+
     if ((auth_token is None) and (edi_token is not None)) or ((auth_token is not None) and (edi_token is None)):
         msg = "EDI token and PASTA token must be present together"
         raise InvalidTokenException(msg, status.HTTP_400_BAD_REQUEST)
     elif auth_token is None and edi_token is None:
-        if "authorization" in request.headers:
+        if "key" in request.query_params:
+            key = request.query_params["key"]
+            api_key_response = api_key_client.key_to_token(key=key)
+            auth_token = api_key_response["pasta-token"]
+            pasta_token.from_auth_token(auth_token)
+            edi_token = api_key_response["edi-token"]
+        elif "authorization" in request.headers:
             basic_auth = request.headers["authorization"]
             auth_token, edi_token = await ldap_authenticate(basic_auth)
             pasta_token.from_auth_token(auth_token)