2025-07-26 18:46:52 +02:00
|
|
|
# gateway/app/middleware/auth.py
|
2025-07-19 17:49:03 +02:00
|
|
|
"""
|
2025-07-26 18:46:52 +02:00
|
|
|
Enhanced Authentication Middleware for API Gateway with Tenant Access Control
|
2025-07-26 20:04:24 +02:00
|
|
|
FIXED VERSION - Proper JWT verification and token structure handling
|
2025-07-19 17:49:03 +02:00
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
import structlog
|
|
|
|
|
from fastapi import Request, HTTPException
|
2025-07-17 13:09:24 +02:00
|
|
|
from fastapi.responses import JSONResponse
|
2025-07-17 19:54:04 +02:00
|
|
|
from starlette.middleware.base import BaseHTTPMiddleware
|
|
|
|
|
from starlette.responses import Response
|
2025-07-19 17:49:03 +02:00
|
|
|
from typing import Optional, Dict, Any
|
2025-07-26 20:04:24 +02:00
|
|
|
import httpx
|
|
|
|
|
import json
|
2025-07-17 13:09:24 +02:00
|
|
|
|
|
|
|
|
from app.core.config import settings
|
|
|
|
|
from shared.auth.jwt_handler import JWTHandler
|
2025-07-26 18:46:52 +02:00
|
|
|
from shared.auth.tenant_access import tenant_access_manager, extract_tenant_id_from_path, is_tenant_scoped_path
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-07-19 17:49:03 +02:00
|
|
|
logger = structlog.get_logger()
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
# JWT handler for local token validation - using SAME configuration as auth service
|
2025-07-17 13:09:24 +02:00
|
|
|
jwt_handler = JWTHandler(settings.JWT_SECRET_KEY, settings.JWT_ALGORITHM)
|
|
|
|
|
|
|
|
|
|
# Routes that don't require authentication
|
|
|
|
|
PUBLIC_ROUTES = [
|
|
|
|
|
"/health",
|
2025-09-25 14:30:47 +02:00
|
|
|
"/metrics",
|
2025-07-17 13:09:24 +02:00
|
|
|
"/docs",
|
|
|
|
|
"/redoc",
|
|
|
|
|
"/openapi.json",
|
|
|
|
|
"/api/v1/auth/login",
|
|
|
|
|
"/api/v1/auth/register",
|
2025-07-18 16:48:49 +02:00
|
|
|
"/api/v1/auth/refresh",
|
2025-07-22 17:01:12 +02:00
|
|
|
"/api/v1/auth/verify",
|
2025-09-25 14:30:47 +02:00
|
|
|
"/api/v1/nominatim/search",
|
|
|
|
|
"/api/v1/plans"
|
2025-07-17 13:09:24 +02:00
|
|
|
]
|
|
|
|
|
|
2025-07-17 19:54:04 +02:00
|
|
|
class AuthMiddleware(BaseHTTPMiddleware):
|
2025-07-19 17:49:03 +02:00
|
|
|
"""
|
2025-07-26 18:46:52 +02:00
|
|
|
Enhanced Authentication Middleware with Tenant Access Control
|
2025-07-19 17:49:03 +02:00
|
|
|
"""
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-07-19 17:49:03 +02:00
|
|
|
def __init__(self, app, redis_client=None):
|
|
|
|
|
super().__init__(app)
|
|
|
|
|
self.redis_client = redis_client # For caching and rate limiting
|
|
|
|
|
|
2025-07-17 19:54:04 +02:00
|
|
|
async def dispatch(self, request: Request, call_next) -> Response:
|
2025-07-26 18:46:52 +02:00
|
|
|
"""Process request with enhanced authentication and tenant access control"""
|
|
|
|
|
|
2025-07-22 23:01:34 +02:00
|
|
|
# Skip authentication for OPTIONS requests (CORS preflight)
|
|
|
|
|
if request.method == "OPTIONS":
|
|
|
|
|
return await call_next(request)
|
2025-07-26 18:46:52 +02:00
|
|
|
|
2025-07-19 17:49:03 +02:00
|
|
|
# Skip authentication for public routes
|
2025-07-17 19:54:04 +02:00
|
|
|
if self._is_public_route(request.url.path):
|
2025-07-17 13:09:24 +02:00
|
|
|
return await call_next(request)
|
2025-07-26 18:46:52 +02:00
|
|
|
|
|
|
|
|
# ✅ STEP 1: Extract and validate JWT token
|
2025-07-17 19:54:04 +02:00
|
|
|
token = self._extract_token(request)
|
|
|
|
|
if not token:
|
2025-07-19 17:49:03 +02:00
|
|
|
logger.warning(f"Missing token for protected route: {request.url.path}")
|
2025-07-17 19:54:04 +02:00
|
|
|
return JSONResponse(
|
|
|
|
|
status_code=401,
|
|
|
|
|
content={"detail": "Authentication required"}
|
|
|
|
|
)
|
2025-07-26 18:46:52 +02:00
|
|
|
|
|
|
|
|
# ✅ STEP 2: Verify token and get user context
|
2025-09-29 07:54:25 +02:00
|
|
|
user_context = await self._verify_token(token, request)
|
2025-07-19 17:49:03 +02:00
|
|
|
if not user_context:
|
|
|
|
|
logger.warning(f"Invalid token for route: {request.url.path}")
|
2025-07-17 19:54:04 +02:00
|
|
|
return JSONResponse(
|
|
|
|
|
status_code=401,
|
2025-07-26 20:04:24 +02:00
|
|
|
content={"detail": "User not authenticated"}
|
2025-07-17 19:54:04 +02:00
|
|
|
)
|
2025-07-26 18:46:52 +02:00
|
|
|
|
|
|
|
|
# ✅ STEP 3: Extract tenant context from URL using shared utility
|
|
|
|
|
tenant_id = extract_tenant_id_from_path(request.url.path)
|
|
|
|
|
|
|
|
|
|
# ✅ STEP 4: Verify tenant access if this is a tenant-scoped route
|
|
|
|
|
if tenant_id and is_tenant_scoped_path(request.url.path):
|
|
|
|
|
# Use TenantAccessManager for gateway-level verification with caching
|
|
|
|
|
if self.redis_client and tenant_access_manager.redis_client is None:
|
|
|
|
|
tenant_access_manager.redis_client = self.redis_client
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
has_access = await tenant_access_manager.verify_basic_tenant_access(
|
2025-07-26 18:46:52 +02:00
|
|
|
user_context["user_id"],
|
|
|
|
|
tenant_id
|
|
|
|
|
)
|
|
|
|
|
|
2025-07-19 17:49:03 +02:00
|
|
|
if not has_access:
|
|
|
|
|
logger.warning(f"User {user_context['email']} denied access to tenant {tenant_id}")
|
|
|
|
|
return JSONResponse(
|
|
|
|
|
status_code=403,
|
2025-07-26 18:46:52 +02:00
|
|
|
content={"detail": f"Access denied to tenant {tenant_id}"}
|
2025-07-19 17:49:03 +02:00
|
|
|
)
|
2025-07-26 18:46:52 +02:00
|
|
|
|
|
|
|
|
# Set tenant context in request state
|
2025-07-19 17:49:03 +02:00
|
|
|
request.state.tenant_id = tenant_id
|
2025-07-26 18:46:52 +02:00
|
|
|
request.state.tenant_verified = True
|
|
|
|
|
|
|
|
|
|
logger.debug(f"Tenant access verified",
|
|
|
|
|
user_id=user_context["user_id"],
|
|
|
|
|
tenant_id=tenant_id,
|
|
|
|
|
path=request.url.path)
|
|
|
|
|
|
|
|
|
|
# ✅ STEP 5: Inject user context into request
|
2025-07-19 17:49:03 +02:00
|
|
|
request.state.user = user_context
|
|
|
|
|
request.state.authenticated = True
|
2025-07-26 18:46:52 +02:00
|
|
|
|
|
|
|
|
# ✅ STEP 6: Add context headers for downstream services
|
|
|
|
|
self._inject_context_headers(request, user_context, tenant_id)
|
|
|
|
|
|
|
|
|
|
logger.debug(f"Authenticated request",
|
|
|
|
|
user_email=user_context['email'],
|
|
|
|
|
tenant_id=tenant_id,
|
|
|
|
|
path=request.url.path)
|
|
|
|
|
|
2025-09-29 07:54:25 +02:00
|
|
|
# Process the request
|
|
|
|
|
response = await call_next(request)
|
|
|
|
|
|
|
|
|
|
# Add token expiry warning header if token is near expiry
|
|
|
|
|
if hasattr(request.state, 'token_near_expiry') and request.state.token_near_expiry:
|
|
|
|
|
response.headers["X-Token-Refresh-Suggested"] = "true"
|
|
|
|
|
|
|
|
|
|
return response
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-07-17 19:54:04 +02:00
|
|
|
def _is_public_route(self, path: str) -> bool:
|
2025-07-19 17:49:03 +02:00
|
|
|
"""Check if route requires authentication"""
|
2025-07-17 19:54:04 +02:00
|
|
|
return any(path.startswith(route) for route in PUBLIC_ROUTES)
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-07-17 19:54:04 +02:00
|
|
|
def _extract_token(self, request: Request) -> Optional[str]:
|
2025-07-19 17:49:03 +02:00
|
|
|
"""Extract JWT token from Authorization header"""
|
2025-07-17 19:54:04 +02:00
|
|
|
auth_header = request.headers.get("Authorization")
|
|
|
|
|
if auth_header and auth_header.startswith("Bearer "):
|
|
|
|
|
return auth_header.split(" ")[1]
|
|
|
|
|
return None
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-09-29 07:54:25 +02:00
|
|
|
async def _verify_token(self, token: str, request: Request = None) -> Optional[Dict[str, Any]]:
|
2025-07-26 20:04:24 +02:00
|
|
|
"""
|
|
|
|
|
Verify JWT token with improved fallback strategy
|
|
|
|
|
FIXED: Better error handling and token structure validation
|
|
|
|
|
"""
|
2025-07-19 17:49:03 +02:00
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
# Strategy 1: Try local JWT validation first (fast)
|
2025-07-19 17:49:03 +02:00
|
|
|
try:
|
|
|
|
|
payload = jwt_handler.verify_token(token)
|
|
|
|
|
if payload and self._validate_token_payload(payload):
|
|
|
|
|
logger.debug("Token validated locally")
|
2025-09-29 07:54:25 +02:00
|
|
|
|
|
|
|
|
# Check if token is near expiry and set flag for response header
|
|
|
|
|
if request:
|
|
|
|
|
import time
|
|
|
|
|
exp_time = payload.get("exp", 0)
|
|
|
|
|
current_time = time.time()
|
|
|
|
|
time_until_expiry = exp_time - current_time
|
|
|
|
|
|
|
|
|
|
if time_until_expiry < 300: # 5 minutes
|
|
|
|
|
request.state.token_near_expiry = True
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
# Convert JWT payload to user context format
|
|
|
|
|
return self._jwt_payload_to_user_context(payload)
|
2025-07-19 17:49:03 +02:00
|
|
|
except Exception as e:
|
|
|
|
|
logger.debug(f"Local token validation failed: {e}")
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
# Strategy 2: Check cache for recently validated tokens
|
2025-07-19 17:49:03 +02:00
|
|
|
if self.redis_client:
|
|
|
|
|
try:
|
|
|
|
|
cached_user = await self._get_cached_user(token)
|
|
|
|
|
if cached_user:
|
|
|
|
|
logger.debug("Token found in cache")
|
|
|
|
|
return cached_user
|
|
|
|
|
except Exception as e:
|
|
|
|
|
logger.warning(f"Cache lookup failed: {e}")
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
# Strategy 3: Verify with auth service (authoritative)
|
2025-07-19 17:49:03 +02:00
|
|
|
try:
|
|
|
|
|
user_context = await self._verify_with_auth_service(token)
|
|
|
|
|
if user_context:
|
|
|
|
|
# Cache successful validation
|
|
|
|
|
if self.redis_client:
|
|
|
|
|
await self._cache_user(token, user_context)
|
|
|
|
|
logger.debug("Token validated by auth service")
|
|
|
|
|
return user_context
|
|
|
|
|
except Exception as e:
|
|
|
|
|
logger.error(f"Auth service validation failed: {e}")
|
2025-07-26 18:46:52 +02:00
|
|
|
|
2025-07-19 17:49:03 +02:00
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
def _validate_token_payload(self, payload: Dict[str, Any]) -> bool:
|
2025-07-26 20:04:24 +02:00
|
|
|
"""
|
|
|
|
|
Validate JWT payload has required fields
|
|
|
|
|
FIXED: Updated to match actual token structure from auth service
|
|
|
|
|
"""
|
|
|
|
|
required_fields = ["user_id", "email", "exp", "type"]
|
|
|
|
|
missing_fields = [field for field in required_fields if field not in payload]
|
2025-09-29 07:54:25 +02:00
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
if missing_fields:
|
|
|
|
|
logger.warning(f"Token payload missing fields: {missing_fields}")
|
|
|
|
|
return False
|
2025-09-29 07:54:25 +02:00
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
# Validate token type
|
2025-07-27 16:29:53 +02:00
|
|
|
token_type = payload.get("type")
|
|
|
|
|
if token_type not in ["access", "service"]:
|
2025-07-26 20:04:24 +02:00
|
|
|
logger.warning(f"Invalid token type: {payload.get('type')}")
|
|
|
|
|
return False
|
2025-07-27 16:29:53 +02:00
|
|
|
|
2025-09-29 07:54:25 +02:00
|
|
|
# Check if token is near expiry (within 5 minutes) and log warning
|
|
|
|
|
import time
|
|
|
|
|
exp_time = payload.get("exp", 0)
|
|
|
|
|
current_time = time.time()
|
|
|
|
|
time_until_expiry = exp_time - current_time
|
|
|
|
|
|
|
|
|
|
if time_until_expiry < 300: # 5 minutes
|
|
|
|
|
logger.warning(f"Token expires in {int(time_until_expiry)} seconds for user {payload.get('email')}")
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def _jwt_payload_to_user_context(self, payload: Dict[str, Any]) -> Dict[str, Any]:
|
|
|
|
|
"""
|
|
|
|
|
Convert JWT payload to user context format
|
|
|
|
|
FIXED: Proper mapping between JWT structure and user context
|
|
|
|
|
"""
|
2025-07-27 16:29:53 +02:00
|
|
|
base_context = {
|
2025-07-26 20:04:24 +02:00
|
|
|
"user_id": payload["user_id"],
|
|
|
|
|
"email": payload["email"],
|
|
|
|
|
"exp": payload["exp"],
|
2025-08-03 00:16:31 +02:00
|
|
|
"valid": True,
|
|
|
|
|
"role": payload.get("role", "user"),
|
2025-07-26 20:04:24 +02:00
|
|
|
}
|
2025-07-27 16:29:53 +02:00
|
|
|
|
|
|
|
|
if payload.get("service"):
|
2025-08-02 21:56:25 +02:00
|
|
|
service_name = payload["service"]
|
|
|
|
|
base_context["service"] = service_name
|
2025-07-27 16:29:53 +02:00
|
|
|
base_context["type"] = "service"
|
2025-08-02 23:05:18 +02:00
|
|
|
base_context["role"] = "admin"
|
2025-08-02 21:56:25 +02:00
|
|
|
base_context["user_id"] = f"{service_name}-service"
|
|
|
|
|
base_context["email"] = f"{service_name}-service@internal"
|
2025-07-27 16:29:53 +02:00
|
|
|
logger.debug(f"Service authentication: {payload['service']}")
|
|
|
|
|
|
|
|
|
|
return base_context
|
2025-07-19 17:49:03 +02:00
|
|
|
|
|
|
|
|
async def _verify_with_auth_service(self, token: str) -> Optional[Dict[str, Any]]:
|
2025-07-26 20:04:24 +02:00
|
|
|
"""
|
|
|
|
|
Verify token with auth service
|
|
|
|
|
FIXED: Improved error handling and response parsing
|
|
|
|
|
"""
|
2025-07-17 19:54:04 +02:00
|
|
|
try:
|
2025-07-26 20:04:24 +02:00
|
|
|
async with httpx.AsyncClient(timeout=5.0) as client:
|
2025-07-17 19:54:04 +02:00
|
|
|
response = await client.post(
|
2025-07-18 16:48:49 +02:00
|
|
|
f"{settings.AUTH_SERVICE_URL}/api/v1/auth/verify",
|
2025-07-17 19:54:04 +02:00
|
|
|
headers={"Authorization": f"Bearer {token}"}
|
|
|
|
|
)
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-07-17 19:54:04 +02:00
|
|
|
if response.status_code == 200:
|
2025-07-26 20:04:24 +02:00
|
|
|
auth_response = response.json()
|
|
|
|
|
|
|
|
|
|
# Validate auth service response structure
|
|
|
|
|
if auth_response.get("valid") and auth_response.get("user_id"):
|
|
|
|
|
return {
|
|
|
|
|
"user_id": auth_response["user_id"],
|
|
|
|
|
"email": auth_response["email"],
|
|
|
|
|
"exp": auth_response.get("exp"),
|
|
|
|
|
"valid": True
|
|
|
|
|
}
|
|
|
|
|
else:
|
|
|
|
|
logger.warning(f"Auth service returned invalid response: {auth_response}")
|
|
|
|
|
return None
|
2025-07-17 19:54:04 +02:00
|
|
|
else:
|
2025-07-26 20:04:24 +02:00
|
|
|
logger.warning(f"Auth service returned {response.status_code}: {response.text}")
|
2025-07-17 19:54:04 +02:00
|
|
|
return None
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
except httpx.TimeoutException:
|
|
|
|
|
logger.error("Auth service timeout during token verification")
|
|
|
|
|
return None
|
2025-07-19 17:49:03 +02:00
|
|
|
except Exception as e:
|
|
|
|
|
logger.error(f"Auth service error: {e}")
|
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
async def _get_cached_user(self, token: str) -> Optional[Dict[str, Any]]:
|
2025-07-26 20:04:24 +02:00
|
|
|
"""
|
|
|
|
|
Get user context from cache
|
|
|
|
|
FIXED: Better error handling and JSON parsing
|
|
|
|
|
"""
|
2025-07-19 17:49:03 +02:00
|
|
|
if not self.redis_client:
|
|
|
|
|
return None
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
cache_key = f"auth:token:{hash(token) % 1000000}" # Use modulo for shorter keys
|
2025-07-26 18:46:52 +02:00
|
|
|
try:
|
|
|
|
|
cached_data = await self.redis_client.get(cache_key)
|
|
|
|
|
if cached_data:
|
|
|
|
|
if isinstance(cached_data, bytes):
|
|
|
|
|
cached_data = cached_data.decode()
|
|
|
|
|
return json.loads(cached_data)
|
2025-07-26 20:04:24 +02:00
|
|
|
except json.JSONDecodeError as e:
|
|
|
|
|
logger.warning(f"Failed to parse cached user data: {e}")
|
2025-07-26 18:46:52 +02:00
|
|
|
except Exception as e:
|
2025-07-26 20:04:24 +02:00
|
|
|
logger.warning(f"Cache lookup error: {e}")
|
|
|
|
|
|
2025-07-19 17:49:03 +02:00
|
|
|
return None
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
async def _cache_user(self, token: str, user_context: Dict[str, Any]) -> None:
|
|
|
|
|
"""
|
|
|
|
|
Cache user context
|
|
|
|
|
FIXED: Better error handling and expiration
|
|
|
|
|
"""
|
2025-07-19 17:49:03 +02:00
|
|
|
if not self.redis_client:
|
|
|
|
|
return
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
cache_key = f"auth:token:{hash(token) % 1000000}"
|
2025-07-26 18:46:52 +02:00
|
|
|
try:
|
2025-07-26 20:04:24 +02:00
|
|
|
# Cache for 5 minutes (shorter than token expiry)
|
|
|
|
|
await self.redis_client.setex(
|
|
|
|
|
cache_key,
|
|
|
|
|
300, # 5 minutes
|
|
|
|
|
json.dumps(user_context)
|
|
|
|
|
)
|
2025-07-26 18:46:52 +02:00
|
|
|
except Exception as e:
|
2025-07-26 20:04:24 +02:00
|
|
|
logger.warning(f"Failed to cache user context: {e}")
|
2025-07-19 17:49:03 +02:00
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
def _inject_context_headers(self, request: Request, user_context: Dict[str, Any], tenant_id: Optional[str] = None):
|
|
|
|
|
"""
|
|
|
|
|
Inject user and tenant context headers for downstream services
|
|
|
|
|
FIXED: Proper header injection
|
|
|
|
|
"""
|
|
|
|
|
# Add user context headers
|
|
|
|
|
request.headers.__dict__["_list"].append((
|
|
|
|
|
b"x-user-id", user_context["user_id"].encode()
|
|
|
|
|
))
|
|
|
|
|
request.headers.__dict__["_list"].append((
|
|
|
|
|
b"x-user-email", user_context["email"].encode()
|
|
|
|
|
))
|
2025-07-26 18:46:52 +02:00
|
|
|
|
2025-08-02 23:29:18 +02:00
|
|
|
user_role = user_context.get("role", "user")
|
|
|
|
|
request.headers.__dict__["_list"].append((
|
|
|
|
|
b"x-user-role", user_role.encode()
|
|
|
|
|
))
|
|
|
|
|
|
|
|
|
|
user_type = user_context.get("type", "")
|
|
|
|
|
if user_type:
|
|
|
|
|
request.headers.__dict__["_list"].append((
|
|
|
|
|
b"x-user-type", user_type.encode()
|
|
|
|
|
))
|
|
|
|
|
|
|
|
|
|
service_name = user_context.get("service", "")
|
|
|
|
|
if service_name:
|
|
|
|
|
request.headers.__dict__["_list"].append((
|
|
|
|
|
b"x-service-name", service_name.encode()
|
|
|
|
|
))
|
|
|
|
|
|
2025-07-26 20:04:24 +02:00
|
|
|
# Add tenant context if available
|
2025-07-26 18:46:52 +02:00
|
|
|
if tenant_id:
|
2025-07-26 20:04:24 +02:00
|
|
|
request.headers.__dict__["_list"].append((
|
|
|
|
|
b"x-tenant-id", tenant_id.encode()
|
2025-08-02 23:29:18 +02:00
|
|
|
))
|
2025-07-26 20:04:24 +02:00
|
|
|
|
|
|
|
|
# Add gateway identification
|
|
|
|
|
request.headers.__dict__["_list"].append((
|
|
|
|
|
b"x-forwarded-by", b"bakery-gateway"
|
|
|
|
|
))
|
