Add fixes to procurement logic and fix rel-time connections

2025-10-02 13:20:30 +02:00
parent c9d8d1d071
commit 1243c2ca6d
24 changed files with 4984 additions and 348 deletions
--- a/gateway/app/middleware/auth.py
+++ b/gateway/app/middleware/auth.py
@@ -131,10 +131,29 @@ class AuthMiddleware(BaseHTTPMiddleware):
        return any(path.startswith(route) for route in PUBLIC_ROUTES)

    def _extract_token(self, request: Request) -> Optional[str]:
-        """Extract JWT token from Authorization header"""
+        """
+        Extract JWT token from Authorization header or query params for SSE.
+
+        For SSE endpoints (/api/events), browsers' EventSource API cannot send
+        custom headers, so we must accept token as query parameter.
+        For all other routes, token must be in Authorization header (more secure).
+
+        Security note: Query param tokens are logged. Use short expiry and filter logs.
+        """
+        # SSE endpoint exception: token in query param (EventSource API limitation)
+        if request.url.path == "/api/events":
+            token = request.query_params.get("token")
+            if token:
+                logger.debug("Token extracted from query param for SSE endpoint")
+                return token
+            logger.warning("SSE request missing token in query param")
+            return None
+
+        # Standard authentication: Authorization header for all other routes
        auth_header = request.headers.get("Authorization")
        if auth_header and auth_header.startswith("Bearer "):
            return auth_header.split(" ")[1]
+
        return None

    async def _verify_token(self, token: str, request: Request = None) -> Optional[Dict[str, Any]]: