Improve HealthController security

Author: dansup

app/Http/Controllers/HealthController.php

@@ -3,6 +3,7 @@
 namespace App\Http\Controllers;
 
 use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Redis;
@@ -15,8 +16,15 @@ public function ping(): Response
             ->header('Content-Type', 'text/plain');
     }
 
-    public function health(): JsonResponse
+    public function health(Request $request): JsonResponse
     {
+        abort_unless(config('loops.health.enabled'), 404);
+        $request->validate([
+            'key' => 'required|string|min:3',
+        ]);
+
+        abort_unless(strlen(config('loops.health.secret')) >= 3 && hash_equals(config('loops.health.secret'), $request->input('key')), 404);
+
         $checks = [
             'database' => $this->checkDatabase(),
             'redis' => $this->checkRedis(),

config/loops.php

@@ -80,4 +80,9 @@
         'to' => env('LOOPS_ADMIN_MAILS_TO'),
         'reports' => (bool) env('LOOPS_ADMIN_MAILS_REPORTS', false),
     ],
+
+    'health' => [
+        'enabled' => env('LOOPS_HEALTH_ENDPOINT_ENABLED', false),
+        'secret' => env('LOOPS_HEALTH_ENDPOINT_SECRET'),
+    ],
 ];