From 5ed9d265f68953c7a6d3409223f3e443f48a1283 Mon Sep 17 00:00:00 2001 From: gahusb Date: Tue, 19 May 2026 01:51:38 +0900 Subject: [PATCH] feat(insta-lab): verify_internal_key auth for Windows webhook (SP-4) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Internal-Key 헤더 검증 dependency. .env의 INTERNAL_API_KEY와 비교. 미설정 시 401 (fail-safe). Plan-B-Insta Phase 1. Co-Authored-By: Claude Opus 4.7 (1M context)
---
insta-lab/app/auth.py | 17 +++++++++++++++++
insta-lab/tests/test_auth.py | 25 +++++++++++++++++++++++++
2 files changed, 42 insertions(+)
create mode 100644 insta-lab/app/auth.py
create mode 100644 insta-lab/tests/test_auth.py
diff --git a/insta-lab/app/auth.py b/insta-lab/app/auth.py
new file mode 100644
index 0000000..ebce542
--- /dev/null
+++ b/insta-lab/app/auth.py
@@ -0,0 +1,17 @@
+"""SP-4 — Windows worker → NAS internal webhook 인증.
+
+X-Internal-Key 헤더를 .env의 INTERNAL_API_KEY와 비교.
+서버 측 키 미설정 시 401 (안전한 기본값).
+"""
+from __future__ import annotations
+
+import os
+from fastapi import Header, HTTPException
+
+
+def verify_internal_key(x_internal_key: str = Header(...)):
+ expected = os.getenv("INTERNAL_API_KEY")
+ if not expected:
+ raise HTTPException(401, "INTERNAL_API_KEY not configured on server")
+ if x_internal_key != expected:
+ raise HTTPException(401, "Invalid X-Internal-Key")
diff --git a/insta-lab/tests/test_auth.py b/insta-lab/tests/test_auth.py
new file mode 100644
index 0000000..f33b206
--- /dev/null
+++ b/insta-lab/tests/test_auth.py
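Review bot: The key check `if x_internal_key != expected:` in verify_internal_key is an ordinary string comparison, so its running time can depend on how much of the supplied value matches; for a shared secret a constant-time comparison is the safer choice. Suggest adding `import hmac` and changing the check to `if not hmac.compare_digest(x_internal_key.encode(), expected.encode()):` (encoding first, because compare_digest rejects non-ASCII str arguments). Separately, the detail string `"INTERNAL_API_KEY not configured on server"` tells an unauthenticated caller about the server's configuration state; logging that condition server-side and returning the same generic 401 detail in both branches would disclose less. The function also has no docstring or return annotation; `-> None` plus a one-line docstring saying it raises HTTPException(401) when the key is unset or does not match would document the contract.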
@@ -0,0 +1,25 @@
+"""verify_internal_key dependency — Windows webhook 인증."""
+import os
+import pytest
+from fastapi import HTTPException
+from app.auth import verify_internal_key
+
+
+def test_valid_key_passes(monkeypatch):
+ monkeypatch.setenv("INTERNAL_API_KEY", "secret123")
+ # dependency가 raise 안 하면 통과
+ verify_internal_key(x_internal_key="secret123")
+
+
+def test_invalid_key_raises_401(monkeypatch):
+ monkeypatch.setenv("INTERNAL_API_KEY", "secret123")
+ with pytest.raises(HTTPException) as exc:
+ verify_internal_key(x_internal_key="wrong")
+ assert exc.value.status_code == 401
+
+
+def test_missing_env_key_raises_401(monkeypatch):
+ monkeypatch.delenv("INTERNAL_API_KEY", raising=False)
+ with pytest.raises(HTTPException) as exc:
+ verify_internal_key(x_internal_key="any")
+ assert exc.value.status_code == 401
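Review bot: The suite has no case for an empty `INTERNAL_API_KEY`, which is the input the `if not expected` guard exists for: with `monkeypatch.setenv("INTERNAL_API_KEY", "")`, the call `verify_internal_key(x_internal_key="")` must still raise 401 rather than accept empty against empty. Adding a `test_empty_env_key_raises_401` that wraps those two lines in `pytest.raises(HTTPException)` would pin the fail-safe behaviour. The tests call the dependency function directly, so the mapping of the `X-Internal-Key` header and the response to a request that omits it are not exercised here; a request-level test would cover that if an app fixture is available. `import os` appears to be unused in this file.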