bakery-ia/gateway/app/middleware/auth.py

"""
Authentication middleware for gateway
"""

import logging
from fastapi import Request, HTTPException
from fastapi.responses import JSONResponse
import httpx
from typing import Optional

from app.core.config import settings
from shared.auth.jwt_handler import JWTHandler

logger = logging.getLogger(__name__)

# JWT handler
jwt_handler = JWTHandler(settings.JWT_SECRET_KEY, settings.JWT_ALGORITHM)

# Routes that don't require authentication
PUBLIC_ROUTES = [
    "/health",
    "/metrics",
    "/docs",
    "/redoc",
    "/openapi.json",
    "/api/v1/auth/login",
    "/api/v1/auth/register",
    "/api/v1/auth/refresh"
]

async def auth_middleware(request: Request, call_next):
    """Authentication middleware"""
    
    # Check if route requires authentication
    if _is_public_route(request.url.path):
        return await call_next(request)
    
    # Get token from header
    token = _extract_token(request)
    if not token:
        return JSONResponse(
            status_code=401,
            content={"detail": "Authentication required"}
        )
    
    # Verify token
    try:
        # First try to verify token locally
        payload = jwt_handler.verify_token(token)
        
        if payload:
            # Add user info to request state
            request.state.user = payload
            return await call_next(request)
        else:
            # Token invalid or expired, verify with auth service
            user_info = await _verify_with_auth_service(token)
            if user_info:
                request.state.user = user_info
                return await call_next(request)
            else:
                return JSONResponse(
                    status_code=401,
                    content={"detail": "Invalid or expired token"}
                )
                
    except Exception as e:
        logger.error(f"Authentication error: {e}")
        return JSONResponse(
            status_code=401,
            content={"detail": "Authentication failed"}
        )

def _is_public_route(path: str) -> bool:
    """Check if route is public"""
    return any(path.startswith(route) for route in PUBLIC_ROUTES)

def _extract_token(request: Request) -> Optional[str]:
    """Extract JWT token from request"""
    auth_header = request.headers.get("Authorization")
    if auth_header and auth_header.startswith("Bearer "):
        return auth_header.split(" ")[1]
    return None

async def _verify_with_auth_service(token: str) -> Optional[dict]:
    """Verify token with auth service"""
    try:
        async with httpx.AsyncClient(timeout=5.0) as client:
            response = await client.post(
                f"{settings.AUTH_SERVICE_URL}/verify",
                headers={"Authorization": f"Bearer {token}"}
            )
            
            if response.status_code == 200:
                return response.json()
            else:
                return None
                
    except Exception as e:
        logger.error(f"Auth service verification failed: {e}")
        return None
Initial microservices setup from artifacts 2025-07-17 13:09:24 +02:00			`"""`
			`Authentication middleware for gateway`
			`"""`

			`import logging`
			`from fastapi import Request, HTTPException`
			`from fastapi.responses import JSONResponse`
			`import httpx`
			`from typing import Optional`

			`from app.core.config import settings`
			`from shared.auth.jwt_handler import JWTHandler`

			`logger = logging.getLogger(__name__)`

			`# JWT handler`
			`jwt_handler = JWTHandler(settings.JWT_SECRET_KEY, settings.JWT_ALGORITHM)`

			`# Routes that don't require authentication`
			`PUBLIC_ROUTES = [`
			`"/health",`
			`"/metrics",`
			`"/docs",`
			`"/redoc",`
			`"/openapi.json",`
			`"/api/v1/auth/login",`
			`"/api/v1/auth/register",`
			`"/api/v1/auth/refresh"`
			`]`

			`async def auth_middleware(request: Request, call_next):`
			`"""Authentication middleware"""`

			`# Check if route requires authentication`
			`if _is_public_route(request.url.path):`
			`return await call_next(request)`

			`# Get token from header`
			`token = _extract_token(request)`
			`if not token:`
			`return JSONResponse(`
			`status_code=401,`
			`content={"detail": "Authentication required"}`
			`)`

			`# Verify token`
			`try:`
			`# First try to verify token locally`
			`payload = jwt_handler.verify_token(token)`

			`if payload:`
			`# Add user info to request state`
			`request.state.user = payload`
			`return await call_next(request)`
			`else:`
			`# Token invalid or expired, verify with auth service`
			`user_info = await _verify_with_auth_service(token)`
			`if user_info:`
			`request.state.user = user_info`
			`return await call_next(request)`
			`else:`
			`return JSONResponse(`
			`status_code=401,`
			`content={"detail": "Invalid or expired token"}`
			`)`

			`except Exception as e:`
			`logger.error(f"Authentication error: {e}")`
			`return JSONResponse(`
			`status_code=401,`
			`content={"detail": "Authentication failed"}`
			`)`

			`def _is_public_route(path: str) -> bool:`
			`"""Check if route is public"""`
			`return any(path.startswith(route) for route in PUBLIC_ROUTES)`

			`def _extract_token(request: Request) -> Optional[str]:`
			`"""Extract JWT token from request"""`
			`auth_header = request.headers.get("Authorization")`
			`if auth_header and auth_header.startswith("Bearer "):`
			`return auth_header.split(" ")[1]`
			`return None`

			`async def _verify_with_auth_service(token: str) -> Optional[dict]:`
			`"""Verify token with auth service"""`
			`try:`
			`async with httpx.AsyncClient(timeout=5.0) as client:`
			`response = await client.post(`
			`f"{settings.AUTH_SERVICE_URL}/verify",`
			`headers={"Authorization": f"Bearer {token}"}`
			`)`

			`if response.status_code == 200:`
			`return response.json()`
			`else:`
			`return None`

			`except Exception as e:`
			`logger.error(f"Auth service verification failed: {e}")`
			`return None`