Improve gateway service

2025-07-20 07:24:04 +02:00
parent 1c730c3c81
commit 8cd433c0cd
4 changed files with 816 additions and 373 deletions
--- a/gateway/app/middleware/auth.py
+++ b/gateway/app/middleware/auth.py
@@ -244,14 +244,41 @@ class AuthMiddleware(BaseHTTPMiddleware):
        await self.redis_client.setex(cache_key, ttl, json.dumps(user_context))

    def _inject_auth_headers(self, request: Request, user_context: Dict[str, Any], tenant_id: Optional[str]):
-        """Inject authentication context into forwarded requests"""
-        # Add user context headers for downstream services
-        if hasattr(request, "headers"):
-            # Create mutable headers
-            headers = dict(request.headers)
-            headers["X-User-ID"] = user_context["user_id"]
-            headers["X-User-Email"] = user_context["email"]
+            """
+            Inject authentication headers for downstream services
+            
+            This allows services to work both:
+            1. Behind the gateway (using request.state)
+            2. Called directly (using headers) for development/testing
+            """
+            # Remove any existing auth headers to prevent spoofing
+            headers_to_remove = [
+                "x-user-id", "x-user-email", "x-user-role", 
+                "x-tenant-id", "x-user-permissions", "x-authenticated"
+            ]
+            
+            for header in headers_to_remove:
+                request.headers.__dict__["_list"] = [
+                    (k, v) for k, v in request.headers.raw 
+                    if k.lower() != header.lower()
+                ]
+            
+            # Inject new headers
+            new_headers = [
+                (b"x-authenticated", b"true"),
+                (b"x-user-id", str(user_context.get("user_id", "")).encode()),
+                (b"x-user-email", str(user_context.get("email", "")).encode()),
+                (b"x-user-role", str(user_context.get("role", "user")).encode()),
+            ]
+            
            if tenant_id:
-                headers["X-Tenant-ID"] = tenant_id
-            # Update request headers
-            request.scope["headers"] = [(k.lower().encode(), v.encode()) for k, v in headers.items()]
+                new_headers.append((b"x-tenant-id", tenant_id.encode()))
+            
+            permissions = user_context.get("permissions", [])
+            if permissions:
+                new_headers.append((b"x-user-permissions", ",".join(permissions).encode()))
+            
+            # Add headers to request
+            request.headers.__dict__["_list"].extend(new_headers)
+            
+            logger.debug(f"Injected auth headers for user {user_context.get('email')}")