Add remote autoscaler daemon endpoint support

agent/nix_builder_autoscaler/api.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import hmac
 import logging
 import uuid
 from collections.abc import Callable
@@ -118,6 +119,8 @@ def create_app(
     app.state.runtime = runtime
     app.state.haproxy = haproxy
 
+    auth_token = config.server.auth_token.strip()
+
     @app.middleware("http")
     async def request_id_middleware(request: Request, call_next: Callable) -> Response:
         request.state.request_id = str(uuid.uuid4())
@@ -125,6 +128,25 @@ def create_app(
         response.headers["x-request-id"] = request.state.request_id
         return response
 
+    @app.middleware("http")
+    async def auth_middleware(request: Request, call_next: Callable) -> Response:
+        path = request.url.path
+        if auth_token != "" and (path.startswith("/v1/") or path == "/metrics"):
+            expected = f"Bearer {auth_token}"
+            provided = request.headers.get("authorization", "")
+            if not hmac.compare_digest(provided, expected):
+                request_id = getattr(request.state, "request_id", str(uuid.uuid4()))
+                payload = ErrorResponse(
+                    error=ErrorDetail(
+                        code="unauthorized",
+                        message="Missing or invalid bearer token",
+                        retryable=False,
+                    ),
+                    request_id=request_id,
+                )
+                return JSONResponse(status_code=401, content=payload.model_dump(mode="json"))
+        return await call_next(request)
+
     @app.exception_handler(HTTPException)
     async def http_exception_handler(request: Request, exc: HTTPException) -> JSONResponse:
         detail = exc.detail