feat: Implement external generation import API secured by HMAC-SHA256 signature verification.

utils/external_auth.py

@@ -0,0 +1,46 @@
+import hmac
+import hashlib
+import os
+from fastapi import Header, HTTPException
+from typing import Optional
+
+def verify_signature(body: bytes, signature: str, secret: str) -> bool:
+    """
+    Verify HMAC-SHA256 signature.
+    
+    Args:
+        body: Raw request body bytes
+        signature: Signature from X-Signature header
+        secret: Shared secret key
+    
+    Returns:
+        True if signature is valid, False otherwise
+    """
+    expected_signature = hmac.new(
+        secret.encode('utf-8'),
+        body,
+        hashlib.sha256
+    ).hexdigest()
+    
+    return hmac.compare_digest(signature, expected_signature)
+
+
+async def verify_external_signature(
+    x_signature: Optional[str] = Header(None, alias="X-Signature")
+):
+    """
+    FastAPI dependency to verify external API signature.
+    
+    Raises:
+        HTTPException: If signature is missing or invalid
+    """
+    if not x_signature:
+        raise HTTPException(
+            status_code=401,
+            detail="Missing X-Signature header"
+        )
+    
+    # Note: We'll need to access the raw request body in the endpoint
+    # This dependency just validates the header exists
+    # Actual signature verification happens in the endpoint
+    return x_signature