2025-07-17 21:25:27 +02:00
|
|
|
# ================================================================
|
|
|
|
|
# gateway/app/routes/auth.py (UPDATED VERSION)
|
|
|
|
|
# ================================================================
|
2025-07-17 13:09:24 +02:00
|
|
|
"""
|
2025-07-17 21:25:27 +02:00
|
|
|
Authentication routes for API Gateway
|
|
|
|
|
Enhanced version that properly proxies to auth microservice
|
2025-07-17 13:09:24 +02:00
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
import logging
|
2025-07-17 21:25:27 +02:00
|
|
|
import httpx
|
|
|
|
|
from fastapi import APIRouter, Request, Response, HTTPException, status
|
|
|
|
|
from fastapi.responses import JSONResponse
|
|
|
|
|
from typing import Dict, Any
|
|
|
|
|
import json
|
2025-07-17 13:09:24 +02:00
|
|
|
|
|
|
|
|
from app.core.config import settings
|
|
|
|
|
from app.core.service_discovery import ServiceDiscovery
|
2025-07-17 21:25:27 +02:00
|
|
|
from shared.monitoring.metrics import MetricsCollector
|
2025-07-17 13:09:24 +02:00
|
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
2025-07-17 21:25:27 +02:00
|
|
|
# Initialize service discovery and metrics
|
2025-07-17 13:09:24 +02:00
|
|
|
service_discovery = ServiceDiscovery()
|
2025-07-17 21:25:27 +02:00
|
|
|
metrics = MetricsCollector("gateway")
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-07-17 21:25:27 +02:00
|
|
|
# Auth service configuration
|
|
|
|
|
AUTH_SERVICE_URL = settings.AUTH_SERVICE_URL or "http://auth-service:8000"
|
|
|
|
|
|
|
|
|
|
class AuthProxy:
|
|
|
|
|
"""Authentication service proxy with enhanced error handling"""
|
|
|
|
|
|
|
|
|
|
def __init__(self):
|
|
|
|
|
self.client = httpx.AsyncClient(
|
|
|
|
|
timeout=httpx.Timeout(30.0),
|
|
|
|
|
limits=httpx.Limits(max_connections=100, max_keepalive_connections=20)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
async def forward_request(
|
|
|
|
|
self,
|
|
|
|
|
method: str,
|
|
|
|
|
path: str,
|
|
|
|
|
request: Request
|
|
|
|
|
) -> Response:
|
|
|
|
|
"""Forward request to auth service with proper error handling"""
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-07-22 23:01:34 +02:00
|
|
|
# Handle OPTIONS requests directly for CORS
|
|
|
|
|
if request.method == "OPTIONS":
|
|
|
|
|
return Response(
|
|
|
|
|
status_code=200,
|
|
|
|
|
headers={
|
|
|
|
|
"Access-Control-Allow-Origin": settings.CORS_ORIGINS_LIST,
|
|
|
|
|
"Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
|
|
|
|
|
"Access-Control-Allow-Headers": "Content-Type, Authorization, X-Tenant-ID",
|
|
|
|
|
"Access-Control-Allow-Credentials": "true",
|
|
|
|
|
"Access-Control-Max-Age": "86400" # Cache preflight for 24 hours
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
|
2025-07-17 21:25:27 +02:00
|
|
|
try:
|
|
|
|
|
# Get auth service URL (with service discovery if available)
|
|
|
|
|
auth_url = await self._get_auth_service_url()
|
|
|
|
|
target_url = f"{auth_url}/api/v1/auth/{path}"
|
|
|
|
|
|
|
|
|
|
# Prepare headers (remove hop-by-hop headers)
|
|
|
|
|
headers = self._prepare_headers(dict(request.headers))
|
|
|
|
|
|
|
|
|
|
# Get request body
|
|
|
|
|
body = await request.body()
|
|
|
|
|
|
|
|
|
|
# Forward request
|
|
|
|
|
logger.info(f"Forwarding {method} {path} to auth service")
|
|
|
|
|
|
|
|
|
|
response = await self.client.request(
|
|
|
|
|
method=method,
|
|
|
|
|
url=target_url,
|
|
|
|
|
headers=headers,
|
2025-07-17 13:09:24 +02:00
|
|
|
content=body,
|
2025-07-17 21:25:27 +02:00
|
|
|
params=dict(request.query_params)
|
2025-07-17 13:09:24 +02:00
|
|
|
)
|
|
|
|
|
|
2025-07-17 21:25:27 +02:00
|
|
|
# Record metrics
|
|
|
|
|
metrics.increment_counter("gateway_auth_requests_total")
|
|
|
|
|
metrics.increment_counter(
|
|
|
|
|
"gateway_auth_responses_total",
|
|
|
|
|
labels={"status_code": str(response.status_code)}
|
2025-07-17 13:09:24 +02:00
|
|
|
)
|
|
|
|
|
|
2025-07-17 21:25:27 +02:00
|
|
|
# Prepare response headers
|
|
|
|
|
response_headers = self._prepare_response_headers(dict(response.headers))
|
|
|
|
|
|
|
|
|
|
return Response(
|
|
|
|
|
content=response.content,
|
2025-07-17 13:09:24 +02:00
|
|
|
status_code=response.status_code,
|
2025-07-17 21:25:27 +02:00
|
|
|
headers=response_headers,
|
|
|
|
|
media_type=response.headers.get("content-type")
|
2025-07-17 13:09:24 +02:00
|
|
|
)
|
|
|
|
|
|
2025-07-17 21:25:27 +02:00
|
|
|
except httpx.TimeoutException:
|
|
|
|
|
logger.error(f"Timeout forwarding {method} {path} to auth service")
|
|
|
|
|
metrics.increment_counter("gateway_auth_errors_total", labels={"error": "timeout"})
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_504_GATEWAY_TIMEOUT,
|
|
|
|
|
detail="Authentication service timeout"
|
2025-07-17 13:09:24 +02:00
|
|
|
)
|
|
|
|
|
|
2025-07-17 21:25:27 +02:00
|
|
|
except httpx.ConnectError:
|
|
|
|
|
logger.error(f"Connection error forwarding {method} {path} to auth service")
|
|
|
|
|
metrics.increment_counter("gateway_auth_errors_total", labels={"error": "connection"})
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
|
|
|
|
|
detail="Authentication service unavailable"
|
2025-07-17 13:09:24 +02:00
|
|
|
)
|
|
|
|
|
|
2025-07-17 21:25:27 +02:00
|
|
|
except Exception as e:
|
|
|
|
|
logger.error(f"Error forwarding {method} {path} to auth service: {e}")
|
|
|
|
|
metrics.increment_counter("gateway_auth_errors_total", labels={"error": "unknown"})
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
|
|
|
|
detail="Internal gateway error"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
async def _get_auth_service_url(self) -> str:
|
|
|
|
|
"""Get auth service URL with service discovery"""
|
|
|
|
|
try:
|
|
|
|
|
# Try service discovery first
|
|
|
|
|
service_url = await service_discovery.get_service_url("auth-service")
|
|
|
|
|
if service_url:
|
|
|
|
|
return service_url
|
|
|
|
|
except Exception as e:
|
|
|
|
|
logger.warning(f"Service discovery failed: {e}")
|
|
|
|
|
|
|
|
|
|
# Fall back to configured URL
|
|
|
|
|
return AUTH_SERVICE_URL
|
|
|
|
|
|
|
|
|
|
def _prepare_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
|
|
|
|
|
"""Prepare headers for forwarding (remove hop-by-hop headers)"""
|
|
|
|
|
# Remove hop-by-hop headers
|
|
|
|
|
hop_by_hop_headers = {
|
|
|
|
|
'connection', 'keep-alive', 'proxy-authenticate',
|
|
|
|
|
'proxy-authorization', 'te', 'trailers', 'upgrade'
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
filtered_headers = {
|
|
|
|
|
k: v for k, v in headers.items()
|
|
|
|
|
if k.lower() not in hop_by_hop_headers
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Add gateway identifier
|
|
|
|
|
filtered_headers['X-Forwarded-By'] = 'bakery-gateway'
|
|
|
|
|
filtered_headers['X-Gateway-Version'] = '1.0.0'
|
|
|
|
|
|
|
|
|
|
return filtered_headers
|
|
|
|
|
|
|
|
|
|
def _prepare_response_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
|
|
|
|
|
"""Prepare response headers"""
|
|
|
|
|
# Remove server-specific headers
|
|
|
|
|
filtered_headers = {
|
|
|
|
|
k: v for k, v in headers.items()
|
|
|
|
|
if k.lower() not in {'server', 'date'}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Add CORS headers if needed
|
|
|
|
|
if settings.CORS_ORIGINS:
|
|
|
|
|
filtered_headers['Access-Control-Allow-Origin'] = '*'
|
|
|
|
|
filtered_headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
|
|
|
|
|
filtered_headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
|
|
|
|
|
|
|
|
|
|
return filtered_headers
|
|
|
|
|
|
|
|
|
|
# Initialize proxy
|
|
|
|
|
auth_proxy = AuthProxy()
|
|
|
|
|
|
|
|
|
|
# ================================================================
|
|
|
|
|
# AUTH ENDPOINTS - All proxied to auth service
|
|
|
|
|
# ================================================================
|
|
|
|
|
|
|
|
|
|
@router.post("/register")
|
|
|
|
|
async def register(request: Request):
|
|
|
|
|
"""Proxy user registration to auth service"""
|
|
|
|
|
return await auth_proxy.forward_request("POST", "register", request)
|
|
|
|
|
|
|
|
|
|
@router.post("/login")
|
|
|
|
|
async def login(request: Request):
|
|
|
|
|
"""Proxy user login to auth service"""
|
|
|
|
|
return await auth_proxy.forward_request("POST", "login", request)
|
|
|
|
|
|
|
|
|
|
@router.post("/refresh")
|
|
|
|
|
async def refresh_token(request: Request):
|
|
|
|
|
"""Proxy token refresh to auth service"""
|
|
|
|
|
return await auth_proxy.forward_request("POST", "refresh", request)
|
2025-07-17 13:09:24 +02:00
|
|
|
|
|
|
|
|
@router.post("/verify")
|
|
|
|
|
async def verify_token(request: Request):
|
|
|
|
|
"""Proxy token verification to auth service"""
|
2025-07-17 21:25:27 +02:00
|
|
|
return await auth_proxy.forward_request("POST", "verify", request)
|
2025-07-17 13:09:24 +02:00
|
|
|
|
|
|
|
|
@router.post("/logout")
|
|
|
|
|
async def logout(request: Request):
|
2025-07-17 21:25:27 +02:00
|
|
|
"""Proxy user logout to auth service"""
|
|
|
|
|
return await auth_proxy.forward_request("POST", "logout", request)
|
|
|
|
|
|
|
|
|
|
@router.post("/reset-password")
|
|
|
|
|
async def reset_password(request: Request):
|
|
|
|
|
"""Proxy password reset to auth service"""
|
|
|
|
|
return await auth_proxy.forward_request("POST", "reset-password", request)
|
|
|
|
|
|
|
|
|
|
@router.post("/change-password")
|
|
|
|
|
async def change_password(request: Request):
|
|
|
|
|
"""Proxy password change to auth service"""
|
|
|
|
|
return await auth_proxy.forward_request("POST", "change-password", request)
|
|
|
|
|
|
|
|
|
|
# ================================================================
|
|
|
|
|
# CATCH-ALL ROUTE for any other auth endpoints
|
|
|
|
|
# ================================================================
|
|
|
|
|
|
|
|
|
|
@router.api_route("/auth/{path:path}", methods=["GET", "POST", "PUT", "DELETE", "PATCH"])
|
|
|
|
|
async def proxy_auth_requests(path: str, request: Request):
|
|
|
|
|
"""Catch-all proxy for auth requests"""
|
|
|
|
|
return await auth_proxy.forward_request(request.method, path, request)
|
|
|
|
|
|
|
|
|
|
# ================================================================
|
|
|
|
|
# HEALTH CHECK for auth service
|
|
|
|
|
# ================================================================
|
|
|
|
|
|
|
|
|
|
@router.get("/auth/health")
|
|
|
|
|
async def auth_service_health():
|
|
|
|
|
"""Check auth service health"""
|
2025-07-17 13:09:24 +02:00
|
|
|
try:
|
|
|
|
|
async with httpx.AsyncClient(timeout=5.0) as client:
|
2025-07-17 21:25:27 +02:00
|
|
|
response = await client.get(f"{AUTH_SERVICE_URL}/health")
|
2025-07-17 13:09:24 +02:00
|
|
|
|
2025-07-17 21:25:27 +02:00
|
|
|
if response.status_code == 200:
|
|
|
|
|
return {
|
|
|
|
|
"status": "healthy",
|
|
|
|
|
"auth_service": "available",
|
|
|
|
|
"response_time_ms": response.elapsed.total_seconds() * 1000
|
|
|
|
|
}
|
|
|
|
|
else:
|
|
|
|
|
return {
|
|
|
|
|
"status": "unhealthy",
|
|
|
|
|
"auth_service": "error",
|
|
|
|
|
"status_code": response.status_code
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-17 13:09:24 +02:00
|
|
|
except Exception as e:
|
2025-07-17 21:25:27 +02:00
|
|
|
logger.error(f"Auth service health check failed: {e}")
|
|
|
|
|
return {
|
|
|
|
|
"status": "unhealthy",
|
|
|
|
|
"auth_service": "unavailable",
|
|
|
|
|
"error": str(e)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# ================================================================
|
|
|
|
|
# CLEANUP
|
|
|
|
|
# ================================================================
|
|
|
|
|
|
|
|
|
|
@router.on_event("shutdown")
|
|
|
|
|
async def cleanup():
|
|
|
|
|
"""Cleanup resources"""
|
|
|
|
|
await auth_proxy.client.aclose()
|
