REFACTOR API gateway fix 3

jwt_debug_script.sh

@@ -0,0 +1,230 @@
+#!/bin/bash
+# JWT Debug and Verification Script
+# This script helps debug JWT token issues between gateway and auth service
+
+set -e
+
+# Configuration
+API_BASE="http://localhost:8000"
+AUTH_BASE="http://localhost:8001"
+EMAIL="test@bakery.com"
+PASSWORD="TestPassword123!"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+log_info() {
+    echo -e "${BLUE}ℹ️  $1${NC}"
+}
+
+log_success() {
+    echo -e "${GREEN}✅ $1${NC}"
+}
+
+log_warning() {
+    echo -e "${YELLOW}⚠️  $1${NC}"
+}
+
+log_error() {
+    echo -e "${RED}❌ $1${NC}"
+}
+
+log_step() {
+    echo -e "${BLUE}🔄 $1${NC}"
+}
+
+echo "🔍 JWT Token Debug and Verification Script"
+echo "==========================================="
+
+# Step 1: Check JWT Configuration
+log_step "Step 1: Checking JWT Configuration Consistency"
+
+log_info "Checking Gateway JWT Settings..."
+GATEWAY_JWT_SECRET=$(docker-compose exec -T gateway env 2>/dev/null | grep JWT_SECRET_KEY || echo "NOT_SET")
+GATEWAY_JWT_ALGO=$(docker-compose exec -T gateway env 2>/dev/null | grep JWT_ALGORITHM || echo "NOT_SET")
+
+log_info "Checking Auth Service JWT Settings..."
+AUTH_JWT_SECRET=$(docker-compose exec -T auth-service env 2>/dev/null | grep JWT_SECRET_KEY || echo "NOT_SET")
+AUTH_JWT_ALGO=$(docker-compose exec -T auth-service env 2>/dev/null | grep JWT_ALGORITHM || echo "NOT_SET")
+
+echo "Gateway JWT Secret: $GATEWAY_JWT_SECRET"
+echo "Auth Service JWT Secret: $AUTH_JWT_SECRET"
+echo "Gateway JWT Algorithm: $GATEWAY_JWT_ALGO"
+echo "Auth Service JWT Algorithm: $AUTH_JWT_ALGO"
+
+if [ "$GATEWAY_JWT_SECRET" = "$AUTH_JWT_SECRET" ]; then
+    log_success "JWT Secret Keys match!"
+else
+    log_error "JWT Secret Keys DO NOT match!"
+    log_warning "This is likely the cause of the authentication issue"
+fi
+
+echo ""
+
+# Step 2: Test Direct Auth Service
+log_step "Step 2: Testing Direct Auth Service"
+
+# Login directly to auth service
+log_info "Logging in directly to auth service..."
+AUTH_LOGIN_RESPONSE=$(curl -s -X POST "$AUTH_BASE/api/v1/auth/login" \
+    -H "Content-Type: application/json" \
+    -d "{
+        \"email\": \"$EMAIL\",
+        \"password\": \"$PASSWORD\"
+    }")
+
+echo "Direct Auth Login Response:"
+echo "$AUTH_LOGIN_RESPONSE" | jq '.' 2>/dev/null || echo "$AUTH_LOGIN_RESPONSE"
+
+# Extract token
+DIRECT_TOKEN=$(echo "$AUTH_LOGIN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
+
+if [ "$DIRECT_TOKEN" != "null" ] && [ "$DIRECT_TOKEN" != "" ]; then
+    log_success "Direct auth login successful!"
+    echo "Token: ${DIRECT_TOKEN:0:50}..."
+    
+    # Test direct auth verification
+    log_info "Testing direct auth token verification..."
+    AUTH_VERIFY_RESPONSE=$(curl -s -X POST "$AUTH_BASE/api/v1/auth/verify" \
+        -H "Authorization: Bearer $DIRECT_TOKEN")
+    
+    echo "Direct Auth Verify Response:"
+    echo "$AUTH_VERIFY_RESPONSE" | jq '.' 2>/dev/null || echo "$AUTH_VERIFY_RESPONSE"
+    
+    # Test direct auth /users/me
+    log_info "Testing direct auth /users/me endpoint..."
+    AUTH_ME_RESPONSE=$(curl -s -X GET "$AUTH_BASE/api/v1/users/me" \
+        -H "Authorization: Bearer $DIRECT_TOKEN")
+    
+    echo "Direct Auth /users/me Response:"
+    echo "$AUTH_ME_RESPONSE" | jq '.' 2>/dev/null || echo "$AUTH_ME_RESPONSE"
+    
+else
+    log_error "Direct auth login failed!"
+    exit 1
+fi
+
+echo ""
+
+# Step 3: Test Gateway Login
+log_step "Step 3: Testing Gateway Login"
+
+GATEWAY_LOGIN_RESPONSE=$(curl -s -X POST "$API_BASE/api/v1/auth/login" \
+    -H "Content-Type: application/json" \
+    -d "{
+        \"email\": \"$EMAIL\",
+        \"password\": \"$PASSWORD\"
+    }")
+
+echo "Gateway Login Response:"
+echo "$GATEWAY_LOGIN_RESPONSE" | jq '.' 2>/dev/null || echo "$GATEWAY_LOGIN_RESPONSE"
+
+GATEWAY_TOKEN=$(echo "$GATEWAY_LOGIN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
+
+if [ "$GATEWAY_TOKEN" != "null" ] && [ "$GATEWAY_TOKEN" != "" ]; then
+    log_success "Gateway login successful!"
+    echo "Token: ${GATEWAY_TOKEN:0:50}..."
+else
+    log_error "Gateway login failed!"
+    exit 1
+fi
+
+echo ""
+
+# Step 4: Compare Tokens
+log_step "Step 4: Comparing Tokens"
+
+if [ "$DIRECT_TOKEN" = "$GATEWAY_TOKEN" ]; then
+    log_success "Tokens are identical (expected)"
+else
+    log_warning "Tokens are different (unexpected if same login)"
+fi
+
+# Decode tokens for comparison
+log_info "Decoding direct auth token payload..."
+DIRECT_PAYLOAD=$(echo "$DIRECT_TOKEN" | cut -d'.' -f2)
+# Add padding if needed
+while [ $((${#DIRECT_PAYLOAD} % 4)) -ne 0 ]; do
+    DIRECT_PAYLOAD="${DIRECT_PAYLOAD}="
+done
+echo "$DIRECT_PAYLOAD" | base64 -d 2>/dev/null | jq '.' || echo "Failed to decode"
+
+log_info "Decoding gateway token payload..."
+GATEWAY_PAYLOAD=$(echo "$GATEWAY_TOKEN" | cut -d'.' -f2)
+# Add padding if needed
+while [ $((${#GATEWAY_PAYLOAD} % 4)) -ne 0 ]; do
+    GATEWAY_PAYLOAD="${GATEWAY_PAYLOAD}="
+done
+echo "$GATEWAY_PAYLOAD" | base64 -d 2>/dev/null | jq '.' || echo "Failed to decode"
+
+echo ""
+
+# Step 5: Test Gateway Authentication
+log_step "Step 5: Testing Gateway Authentication Middleware"
+
+# Test gateway token verification
+log_info "Testing gateway token verification..."
+GATEWAY_VERIFY_RESPONSE=$(curl -s -X POST "$API_BASE/api/v1/auth/verify" \
+    -H "Authorization: Bearer $GATEWAY_TOKEN")
+
+echo "Gateway Verify Response:"
+echo "$GATEWAY_VERIFY_RESPONSE" | jq '.' 2>/dev/null || echo "$GATEWAY_VERIFY_RESPONSE"
+
+# Test gateway /users/me (this is where the issue occurs)
+log_info "Testing gateway /users/me endpoint (THE FAILING ENDPOINT)..."
+GATEWAY_ME_RESPONSE=$(curl -s -w "\nHTTP_CODE:%{http_code}\n" -X GET "$API_BASE/api/v1/users/me" \
+    -H "Authorization: Bearer $GATEWAY_TOKEN")
+
+echo "Gateway /users/me Response:"
+echo "$GATEWAY_ME_RESPONSE"
+
+# Check if successful
+if echo "$GATEWAY_ME_RESPONSE" | grep -q "HTTP_CODE:200"; then
+    log_success "Gateway /users/me endpoint working!"
+elif echo "$GATEWAY_ME_RESPONSE" | grep -q "HTTP_CODE:401"; then
+    log_error "Gateway /users/me endpoint returning 401 Unauthorized"
+    log_warning "This confirms the JWT middleware issue"
+else
+    log_warning "Gateway /users/me endpoint returned unexpected response"
+fi
+
+echo ""
+
+# Step 6: Test with verbose curl to see middleware behavior
+log_step "Step 6: Verbose Gateway Request Analysis"
+
+log_info "Making verbose request to gateway /users/me..."
+curl -v -X GET "$API_BASE/api/v1/users/me" \
+    -H "Authorization: Bearer $GATEWAY_TOKEN" 2>&1 | head -20
+
+echo ""
+
+# Step 7: Recommendations
+log_step "Step 7: Recommendations"
+
+if [ "$GATEWAY_JWT_SECRET" != "$AUTH_JWT_SECRET" ]; then
+    log_error "CRITICAL: JWT secrets don't match between services"
+    echo "Fix: Update your .env file and restart services:"
+    echo "export JWT_SECRET_KEY='your-super-secret-jwt-key-change-in-production-min-32-characters-long'"
+    echo "docker-compose down && docker-compose up -d"
+elif echo "$GATEWAY_ME_RESPONSE" | grep -q "HTTP_CODE:401"; then
+    log_warning "JWT secrets match but gateway middleware is still failing"
+    echo "Possible causes:"
+    echo "1. Gateway middleware token validation logic issue"
+    echo "2. Token payload structure mismatch"
+    echo "3. Gateway not using updated shared JWT handler"
+    echo ""
+    echo "Recommended fixes:"
+    echo "1. Apply the fixed gateway auth middleware"
+    echo "2. Apply the fixed shared JWT handler"
+    echo "3. Restart gateway service: docker-compose restart gateway"
+else
+    log_success "All tests passed! JWT authentication is working correctly."
+fi
+
+echo ""
+echo "🏁 Debug script completed!"