Diffstat (limited to 'crates/sellershut/src')
-rw-r--r--crates/sellershut/src/cnfg.rs1
-rw-r--r--crates/sellershut/src/server/middleware.rs1
-rw-r--r--crates/sellershut/src/server/middleware/grpc_interceptor.rs16
-rw-r--r--crates/sellershut/src/server/middleware/sign_request.rs16
-rw-r--r--crates/sellershut/src/state.rs19
5 files changed, 51 insertions, 2 deletions
diff --git a/crates/sellershut/src/cnfg.rs b/crates/sellershut/src/cnfg.rs
index 4ad7a06..82cd34b 100644
--- a/crates/sellershut/src/cnfg.rs
+++ b/crates/sellershut/src/cnfg.rs
@@ -5,4 +5,5 @@ use serde::Deserialize;
pub struct LocalConfig {
pub hostname: String,
pub instance_name: String,
+ pub auth_endpoint: String,
}
diff --git a/crates/sellershut/src/server/middleware.rs b/crates/sellershut/src/server/middleware.rs
index aa73518..161b9a8 100644
--- a/crates/sellershut/src/server/middleware.rs
+++ b/crates/sellershut/src/server/middleware.rs
@@ -1 +1,2 @@
+pub mod grpc_interceptor;
pub mod sign_request;
diff --git a/crates/sellershut/src/server/middleware/grpc_interceptor.rs b/crates/sellershut/src/server/middleware/grpc_interceptor.rs
new file mode 100644
index 0000000..f8759cf
--- /dev/null
+++ b/crates/sellershut/src/server/middleware/grpc_interceptor.rs
@@ -0,0 +1,16 @@
+use tonic::{
+ Status,
+ service::{Interceptor, interceptor::InterceptedService},
+ transport::Channel,
+};
+
+pub type Intercepted = InterceptedService<Channel, MyInterceptor>;
+
+#[derive(Clone, Copy)]
+pub struct MyInterceptor;
+
+impl Interceptor for MyInterceptor {
+ fn call(&mut self, mut request: tonic::Request<()>) -> Result<tonic::Request<()>, Status> {
+ Ok(request)
+ }
+}
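Review bot: `MyInterceptor::call` returns the request unchanged, so calls made through `Intercepted` carry no credentials or metadata yet, and `mut request` is never mutated (the compiler will warn with `unused_mut`). If this is a placeholder, drop the `mut` and say so in a doc comment on the struct, e.g. `/// Pass-through placeholder: attaches no credentials to outbound auth-service calls yet.` A name that states the purpose (for instance `AuthInterceptor`) would also read better than `MyInterceptor` where the type is imported in `state.rs`.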
diff --git a/crates/sellershut/src/server/middleware/sign_request.rs b/crates/sellershut/src/server/middleware/sign_request.rs
index 4eb3bd3..5c9663b 100644
--- a/crates/sellershut/src/server/middleware/sign_request.rs
+++ b/crates/sellershut/src/server/middleware/sign_request.rs
@@ -4,7 +4,7 @@ use activitypub_federation::{config::FederationConfig, traits::Object};
use axum::{
body::Body,
extract::Request,
- http::{HeaderValue, StatusCode},
+ http::{HeaderValue, StatusCode, header::AUTHORIZATION},
response::Response,
};
use futures_util::future::BoxFuture;
@@ -64,6 +64,13 @@ where
fn call(&mut self, request: Request) -> Self::Future {
let mut inner = self.inner.clone();
let uri = request.uri().clone();
+
+ let token = request
+ .headers()
+ .get(AUTHORIZATION)
+ .and_then(|value| value.to_str().ok().map(ToOwned::to_owned))
+ .unwrap_or_default();
+
let (parts, body) = request.into_parts();
let state = self.state.to_request_data();
let domain = self.state.domain().to_owned();
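Review bot: The `token` binding uses the empty string as a stand-in for three different cases (header absent, header not valid UTF-8, header present but empty) because of `.unwrap_or_default()`. Keeping it as `Option<String>` makes the missing-credential case explicit; the later `token.is_empty()` guard would then become `token.as_deref().map_or(true, str::is_empty)`. The value is also the whole header, scheme prefix included, so if a bearer token is expected the scheme should be checked and stripped here rather than downstream. `call` starts before this hunk and continues after it.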
@@ -74,6 +81,13 @@ where
*response.status_mut() = StatusCode::INTERNAL_SERVER_ERROR;
Ok(response)
};
+
+ if token.is_empty() {
+ let mut response = axum::response::Response::default();
+ *response.status_mut() = StatusCode::UNAUTHORIZED;
+ return Ok(response);
+ }
+
let bytes = match axum::body::to_bytes(body, usize::MAX).await {
Ok(b) => b,
Err(e) => {
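Review bot: The `token.is_empty()` guard only proves that an `Authorization` header was sent. Any non-empty value passes, and nothing in this hunk checks it against the auth service that this commit wires into `AppState` as `auth_client`. Unless verification happens further down in code not shown here, the 401 branch gives no real access control, and a request with an arbitrary header still reaches `axum::body::to_bytes(body, usize::MAX)`, which buffers a body of any size. I would verify the token before reading the body, return `StatusCode::UNAUTHORIZED` on failure, and replace `usize::MAX` with an explicit byte limit. The async block begins and ends outside this hunk.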
diff --git a/crates/sellershut/src/state.rs b/crates/sellershut/src/state.rs
index 3ee3248..959d0f3 100644
--- a/crates/sellershut/src/state.rs
+++ b/crates/sellershut/src/state.rs
@@ -1,9 +1,17 @@
use std::{ops::Deref, sync::Arc};
use activitypub_federation::config::FederationConfig;
+use sellershut_core::auth::auth_client::AuthClient;
use stack_up::{Configuration, Environment, Services};
+use tonic::transport::Endpoint;
+use tracing::error;
-use crate::{cnfg::LocalConfig, entity::user::User, error::AppError};
+use crate::{
+ cnfg::LocalConfig,
+ entity::user::User,
+ error::AppError,
+ server::middleware::grpc_interceptor::{Intercepted, MyInterceptor},
+};
#[derive(Clone)]
pub struct AppHandle(Arc<AppState>);
@@ -20,6 +28,7 @@ pub struct AppState {
pub services: Services,
pub environment: Environment,
pub protocol: Arc<str>,
+ pub auth_client: AuthClient<Intercepted>,
}
impl AppState {
@@ -37,6 +46,13 @@ impl AppState {
)
.await?;
+ let channel = Endpoint::new(hut_config.auth_endpoint.to_string())?
+ .connect()
+ .await
+ .inspect_err(|e| error!("could not connect to auth service: {e}"))?;
+
+ let auth_client = AuthClient::with_interceptor(channel, MyInterceptor);
+
let config = FederationConfig::builder()
.domain(&hut_config.hostname)
.signed_fetch_actor(&user)
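Review bot: `Endpoint::new(...).connect().await` sets no connect or request timeout, so startup, and later any call on this channel, can hang for as long as the auth service is unresponsive. tonic's `Endpoint` has `connect_timeout` and `timeout` for this, e.g. `.connect_timeout(Duration::from_secs(5)).timeout(Duration::from_secs(10))` (values illustrative). Nothing here constrains the scheme of `auth_endpoint` either, so an `http://` value in a production config would send tokens to the auth service in cleartext; rejecting non-`https` endpoints when the environment is `Environment::Production` would close that. `hut_config.auth_endpoint.to_string()` on a `String` is just a clone and reads more clearly as `.clone()`. The enclosing function starts and ends outside this hunk.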
@@ -48,6 +64,7 @@ impl AppState {
Environment::Production => "https",
}
.into(),
+ auth_client,
})))
// .url_verifier(Box::new(MyUrlVerifier()))
.debug(configuration.application.env == Environment::Development)