feat(server): check optional bearer access token

src/commands/server.ts

@@ -9,6 +9,7 @@ export const serverCommand = new Command('server')
   .option('--car-storage <path>', 'path for CAR file storage', './cars')
   .option('--database <path>', 'path to SQLite database', './pins.db')
   .option('--private-key <key>', 'private key for Synapse (or use PRIVATE_KEY env var)')
+  .option('--access-token <token>', 'bearer token required on all API requests (or use ACCESS_TOKEN env var)')
 
 addNetworkOptions(serverCommand)
   .addOption(
@@ -20,6 +21,9 @@ addNetworkOptions(serverCommand)
     if (options.privateKey) {
       process.env.PRIVATE_KEY = options.privateKey
     }
+    if (options.accessToken) {
+      process.env.ACCESS_TOKEN = options.accessToken
+    }
     // RPC URL takes precedence over network flag
     if (options.rpcUrl) {
       process.env.RPC_URL = options.rpcUrl

src/config.ts

@@ -50,6 +50,7 @@ export function createConfig(): Config {
 
     // Synapse SDK configuration
     privateKey: process.env.PRIVATE_KEY, // Required: Ethereum-compatible private key
+    accessToken: process.env.ACCESS_TOKEN,
     rpcUrl, // Determined from RPC_URL, NETWORK, or default to calibration
     // Storage paths
     databasePath: process.env.DATABASE_PATH ?? join(dataDir, 'pins.db'),

src/core/synapse/index.ts

@@ -30,6 +30,7 @@ export interface Config {
   port: number
   host: string
   privateKey: string | undefined
+  accessToken: string | undefined
   rpcUrl: string
   databasePath: string
   carStoragePath: string

src/filecoin-pinning-server.ts

@@ -126,6 +126,11 @@ export async function createFilecoinPinningServer(
       return
     }
 
+    if (config.accessToken && token !== config.accessToken) {
+      await reply.code(401).send({ error: 'Invalid access token' })
+      return
+    }
+
     // Add user to request context
     request.user = DEFAULT_USER_INFO
   })