Adds auth module

gateway/app/core/config.py

@@ -15,9 +15,6 @@ class Settings(BaseSettings):
     DEBUG: bool = os.getenv("DEBUG", "False").lower() == "true"
     LOG_LEVEL: str = os.getenv("LOG_LEVEL", "INFO")
     
-    # CORS settings - FIXED: Remove List[str] type and parse manually
-    CORS_ORIGINS: str = "http://localhost:3000,http://localhost:3001"
-    
     # Service URLs
     AUTH_SERVICE_URL: str = "http://auth-service:8000"
     TRAINING_SERVICE_URL: str = "http://training-service:8000"
@@ -26,6 +23,19 @@ class Settings(BaseSettings):
     TENANT_SERVICE_URL: str = "http://tenant-service:8000"
     NOTIFICATION_SERVICE_URL: str = "http://notification-service:8000"
     
+    # Service Discovery
+    CONSUL_URL: str = os.getenv("CONSUL_URL", "http://consul:8500")
+    ENABLE_SERVICE_DISCOVERY: bool = os.getenv("ENABLE_SERVICE_DISCOVERY", "false").lower() == "true"
+
+    # CORS
+    CORS_ORIGINS: str = os.getenv("CORS_ORIGINS", "http://localhost:3000,http://localhost:3001")
+
+    @property
+    def CORS_ORIGINS_LIST(self) -> List[str]:
+        """Get CORS origins as list"""
+        return [origin.strip() for origin in self.CORS_ORIGINS.split(",")]
+
+    
     # Redis settings
     REDIS_URL: str = "redis://redis:6379/6"
     
@@ -37,11 +47,6 @@ class Settings(BaseSettings):
     JWT_SECRET_KEY: str = "your-secret-key-change-in-production"
     JWT_ALGORITHM: str = "HS256"
     
-    @property
-    def CORS_ORIGINS_LIST(self) -> List[str]:
-        """Parse CORS origins from string to list"""
-        return [origin.strip() for origin in self.CORS_ORIGINS.split(",") if origin.strip()]
-    
     @property
     def SERVICES(self) -> Dict[str, str]:
         """Service registry"""

gateway/app/core/service_discovery.py

@@ -1,122 +1,65 @@
 """
-Service discovery for microservices
+Service discovery for API Gateway
 """
 
-import asyncio
 import logging
-from typing import Dict, List, Optional
 import httpx
-import redis.asyncio as redis
-from datetime import datetime, timedelta
+from typing import Optional, Dict
+import json
 
 from app.core.config import settings
 
 logger = logging.getLogger(__name__)
 
 class ServiceDiscovery:
-    """Service discovery and health checking"""
+    """Service discovery client"""
     
     def __init__(self):
-        self.redis_client = redis.from_url(settings.REDIS_URL)
-        self.services = settings.SERVICES
-        self.health_check_interval = 30  # seconds
-        self.health_check_task = None
-    
-    async def initialize(self):
-        """Initialize service discovery"""
-        logger.info("Initializing service discovery")
+        self.consul_url = settings.CONSUL_URL if hasattr(settings, 'CONSUL_URL') else None
+        self.service_cache: Dict[str, str] = {}
         
-        # Start health check task
-        self.health_check_task = asyncio.create_task(self._health_check_loop())
-        
-        # Initial health check
-        await self._check_all_services()
-    
-    async def cleanup(self):
-        """Cleanup service discovery"""
-        if self.health_check_task:
-            self.health_check_task.cancel()
-            try:
-                await self.health_check_task
-            except asyncio.CancelledError:
-                pass
-        
-        await self.redis_client.close()
-    
     async def get_service_url(self, service_name: str) -> Optional[str]:
-        """Get service URL"""
-        return self.services.get(service_name)
-    
-    async def get_healthy_services(self) -> List[str]:
-        """Get list of healthy services"""
-        healthy_services = []
+        """Get service URL from service discovery"""
         
-        for service_name in self.services:
-            is_healthy = await self._is_service_healthy(service_name)
-            if is_healthy:
-                healthy_services.append(service_name)
+        # Return cached URL if available
+        if service_name in self.service_cache:
+            return self.service_cache[service_name]
         
-        return healthy_services
-    
-    async def _health_check_loop(self):
-        """Continuous health check loop"""
-        while True:
+        # Try Consul if enabled
+        if self.consul_url and getattr(settings, 'ENABLE_SERVICE_DISCOVERY', False):
             try:
-                await self._check_all_services()
-                await asyncio.sleep(self.health_check_interval)
-            except asyncio.CancelledError:
-                break
+                url = await self._get_from_consul(service_name)
+                if url:
+                    self.service_cache[service_name] = url
+                    return url
             except Exception as e:
-                logger.error(f"Health check error: {e}")
-                await asyncio.sleep(self.health_check_interval)
+                logger.warning(f"Failed to get {service_name} from Consul: {e}")
+        
+        # Fall back to environment variables
+        return self._get_from_env(service_name)
     
-    async def _check_all_services(self):
-        """Check health of all services"""
-        for service_name, service_url in self.services.items():
-            try:
-                is_healthy = await self._check_service_health(service_url)
-                await self._update_service_health(service_name, is_healthy)
-            except Exception as e:
-                logger.error(f"Health check failed for {service_name}: {e}")
-                await self._update_service_health(service_name, False)
-    
-    async def _check_service_health(self, service_url: str) -> bool:
-        """Check individual service health"""
+    async def _get_from_consul(self, service_name: str) -> Optional[str]:
+        """Get service URL from Consul"""
         try:
             async with httpx.AsyncClient(timeout=5.0) as client:
-                response = await client.get(f"{service_url}/health")
-                return response.status_code == 200
+                response = await client.get(
+                    f"{self.consul_url}/v1/health/service/{service_name}?passing=true"
+                )
+                
+                if response.status_code == 200:
+                    services = response.json()
+                    if services:
+                        service = services[0]
+                        address = service['Service']['Address']
+                        port = service['Service']['Port']
+                        return f"http://{address}:{port}"
+                        
         except Exception as e:
-            logger.warning(f"Service health check failed: {e}")
-            return False
+            logger.error(f"Consul query failed: {e}")
+            
+        return None
     
-    async def _update_service_health(self, service_name: str, is_healthy: bool):
-        """Update service health status in Redis"""
-        try:
-            key = f"service_health:{service_name}"
-            value = {
-                "healthy": is_healthy,
-                "last_check":  datetime.now(datetime.timezone.utc).isoformat(),
-                "url": self.services[service_name]
-            }
-            
-            await self.redis_client.hset(key, mapping=value)
-            await self.redis_client.expire(key, 300)  # 5 minutes TTL
-            
-        except Exception as e:
-            logger.error(f"Failed to update service health for {service_name}: {e}")
-    
-    async def _is_service_healthy(self, service_name: str) -> bool:
-        """Check if service is healthy from Redis cache"""
-        try:
-            key = f"service_health:{service_name}"
-            health_data = await self.redis_client.hgetall(key)
-            
-            if not health_data:
-                return False
-            
-            return health_data.get(b'healthy', b'false').decode() == 'True'
-            
-        except Exception as e:
-            logger.error(f"Failed to check service health for {service_name}: {e}")
-            return False
+    def _get_from_env(self, service_name: str) -> Optional[str]:
+        """Get service URL from environment variables"""
+        env_var = f"{service_name.upper().replace('-', '_')}_SERVICE_URL"
+        return getattr(settings, env_var, None)

gateway/app/routes/auth.py

@@ -1,161 +1,262 @@
+# ================================================================
+# gateway/app/routes/auth.py (UPDATED VERSION)
+# ================================================================
 """
-Authentication routes for gateway
+Authentication routes for API Gateway
+Enhanced version that properly proxies to auth microservice
 """
 
-from fastapi import APIRouter, Request, HTTPException
-from fastapi.responses import JSONResponse
-import httpx
 import logging
+import httpx
+from fastapi import APIRouter, Request, Response, HTTPException, status
+from fastapi.responses import JSONResponse
+from typing import Dict, Any
+import json
 
 from app.core.config import settings
 from app.core.service_discovery import ServiceDiscovery
+from shared.monitoring.metrics import MetricsCollector
 
 logger = logging.getLogger(__name__)
 router = APIRouter()
 
+# Initialize service discovery and metrics
 service_discovery = ServiceDiscovery()
+metrics = MetricsCollector("gateway")
 
-@router.post("/login")
-async def login(request: Request):
-    """Proxy login request to auth service"""
-    try:
-        body = await request.body()
+# Auth service configuration
+AUTH_SERVICE_URL = settings.AUTH_SERVICE_URL or "http://auth-service:8000"
+
+class AuthProxy:
+    """Authentication service proxy with enhanced error handling"""
+    
+    def __init__(self):
+        self.client = httpx.AsyncClient(
+            timeout=httpx.Timeout(30.0),
+            limits=httpx.Limits(max_connections=100, max_keepalive_connections=20)
+        )
+    
+    async def forward_request(
+        self, 
+        method: str, 
+        path: str, 
+        request: Request
+    ) -> Response:
+        """Forward request to auth service with proper error handling"""
         
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            response = await client.post(
-                f"{settings.AUTH_SERVICE_URL}/login",
+        try:
+            # Get auth service URL (with service discovery if available)
+            auth_url = await self._get_auth_service_url()
+            target_url = f"{auth_url}/api/v1/auth/{path}"
+            
+            # Prepare headers (remove hop-by-hop headers)
+            headers = self._prepare_headers(dict(request.headers))
+            
+            # Get request body
+            body = await request.body()
+            
+            # Forward request
+            logger.info(f"Forwarding {method} {path} to auth service")
+            
+            response = await self.client.request(
+                method=method,
+                url=target_url,
+                headers=headers,
                 content=body,
-                headers={"Content-Type": "application/json"}
+                params=dict(request.query_params)
             )
             
-            if response.status_code == 200:
-                return response.json()
-            else:
-                return JSONResponse(
-                    status_code=response.status_code,
-                    content=response.json()
-                )
-                
-    except httpx.RequestError as e:
-        logger.error(f"Auth service unavailable: {e}")
-        raise HTTPException(
-            status_code=503,
-            detail="Authentication service unavailable"
-        )
-    except Exception as e:
-        logger.error(f"Login error: {e}")
-        raise HTTPException(status_code=500, detail="Internal server error")
+            # Record metrics
+            metrics.increment_counter("gateway_auth_requests_total")
+            metrics.increment_counter(
+                "gateway_auth_responses_total", 
+                labels={"status_code": str(response.status_code)}
+            )
+            
+            # Prepare response headers
+            response_headers = self._prepare_response_headers(dict(response.headers))
+            
+            return Response(
+                content=response.content,
+                status_code=response.status_code,
+                headers=response_headers,
+                media_type=response.headers.get("content-type")
+            )
+            
+        except httpx.TimeoutException:
+            logger.error(f"Timeout forwarding {method} {path} to auth service")
+            metrics.increment_counter("gateway_auth_errors_total", labels={"error": "timeout"})
+            raise HTTPException(
+                status_code=status.HTTP_504_GATEWAY_TIMEOUT,
+                detail="Authentication service timeout"
+            )
+            
+        except httpx.ConnectError:
+            logger.error(f"Connection error forwarding {method} {path} to auth service")
+            metrics.increment_counter("gateway_auth_errors_total", labels={"error": "connection"})
+            raise HTTPException(
+                status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+                detail="Authentication service unavailable"
+            )
+            
+        except Exception as e:
+            logger.error(f"Error forwarding {method} {path} to auth service: {e}")
+            metrics.increment_counter("gateway_auth_errors_total", labels={"error": "unknown"})
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail="Internal gateway error"
+            )
+    
+    async def _get_auth_service_url(self) -> str:
+        """Get auth service URL with service discovery"""
+        try:
+            # Try service discovery first
+            service_url = await service_discovery.get_service_url("auth-service")
+            if service_url:
+                return service_url
+        except Exception as e:
+            logger.warning(f"Service discovery failed: {e}")
+        
+        # Fall back to configured URL
+        return AUTH_SERVICE_URL
+    
+    def _prepare_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
+        """Prepare headers for forwarding (remove hop-by-hop headers)"""
+        # Remove hop-by-hop headers
+        hop_by_hop_headers = {
+            'connection', 'keep-alive', 'proxy-authenticate',
+            'proxy-authorization', 'te', 'trailers', 'upgrade'
+        }
+        
+        filtered_headers = {
+            k: v for k, v in headers.items()
+            if k.lower() not in hop_by_hop_headers
+        }
+        
+        # Add gateway identifier
+        filtered_headers['X-Forwarded-By'] = 'bakery-gateway'
+        filtered_headers['X-Gateway-Version'] = '1.0.0'
+        
+        return filtered_headers
+    
+    def _prepare_response_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
+        """Prepare response headers"""
+        # Remove server-specific headers
+        filtered_headers = {
+            k: v for k, v in headers.items()
+            if k.lower() not in {'server', 'date'}
+        }
+        
+        # Add CORS headers if needed
+        if settings.CORS_ORIGINS:
+            filtered_headers['Access-Control-Allow-Origin'] = '*'
+            filtered_headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
+            filtered_headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
+        
+        return filtered_headers
+
+# Initialize proxy
+auth_proxy = AuthProxy()
+
+# ================================================================
+# AUTH ENDPOINTS - All proxied to auth service
+# ================================================================
 
 @router.post("/register")
 async def register(request: Request):
-    """Proxy register request to auth service"""
-    try:
-        body = await request.body()
-        
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            response = await client.post(
-                f"{settings.AUTH_SERVICE_URL}/register",
-                content=body,
-                headers={"Content-Type": "application/json"}
-            )
-            
-            return JSONResponse(
-                status_code=response.status_code,
-                content=response.json()
-            )
-            
-    except httpx.RequestError as e:
-        logger.error(f"Auth service unavailable: {e}")
-        raise HTTPException(
-            status_code=503,
-            detail="Authentication service unavailable"
-        )
-    except Exception as e:
-        logger.error(f"Register error: {e}")
-        raise HTTPException(status_code=500, detail="Internal server error")
+    """Proxy user registration to auth service"""
+    return await auth_proxy.forward_request("POST", "register", request)
+
+@router.post("/login")
+async def login(request: Request):
+    """Proxy user login to auth service"""
+    return await auth_proxy.forward_request("POST", "login", request)
 
 @router.post("/refresh")
 async def refresh_token(request: Request):
-    """Proxy refresh token request to auth service"""
-    try:
-        body = await request.body()
-        
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            response = await client.post(
-                f"{settings.AUTH_SERVICE_URL}/refresh",
-                content=body,
-                headers={"Content-Type": "application/json"}
-            )
-            
-            return JSONResponse(
-                status_code=response.status_code,
-                content=response.json()
-            )
-            
-    except httpx.RequestError as e:
-        logger.error(f"Auth service unavailable: {e}")
-        raise HTTPException(
-            status_code=503,
-            detail="Authentication service unavailable"
-        )
-    except Exception as e:
-        logger.error(f"Refresh token error: {e}")
-        raise HTTPException(status_code=500, detail="Internal server error")
+    """Proxy token refresh to auth service"""
+    return await auth_proxy.forward_request("POST", "refresh", request)
 
 @router.post("/verify")
 async def verify_token(request: Request):
     """Proxy token verification to auth service"""
-    try:
-        auth_header = request.headers.get("Authorization")
-        if not auth_header:
-            raise HTTPException(status_code=401, detail="Authorization header required")
-        
-        async with httpx.AsyncClient(timeout=5.0) as client:
-            response = await client.post(
-                f"{settings.AUTH_SERVICE_URL}/verify",
-                headers={"Authorization": auth_header}
-            )
-            
-            return JSONResponse(
-                status_code=response.status_code,
-                content=response.json()
-            )
-            
-    except httpx.RequestError as e:
-        logger.error(f"Auth service unavailable: {e}")
-        raise HTTPException(
-            status_code=503,
-            detail="Authentication service unavailable"
-        )
-    except Exception as e:
-        logger.error(f"Token verification error: {e}")
-        raise HTTPException(status_code=500, detail="Internal server error")
+    return await auth_proxy.forward_request("POST", "verify", request)
 
 @router.post("/logout")
 async def logout(request: Request):
-    """Proxy logout request to auth service"""
+    """Proxy user logout to auth service"""
+    return await auth_proxy.forward_request("POST", "logout", request)
+
+@router.post("/reset-password")
+async def reset_password(request: Request):
+    """Proxy password reset to auth service"""
+    return await auth_proxy.forward_request("POST", "reset-password", request)
+
+@router.post("/change-password")
+async def change_password(request: Request):
+    """Proxy password change to auth service"""
+    return await auth_proxy.forward_request("POST", "change-password", request)
+
+# ================================================================
+# USER MANAGEMENT ENDPOINTS - Proxied to auth service
+# ================================================================
+
+@router.get("/users/me")
+async def get_current_user(request: Request):
+    """Proxy get current user to auth service"""
+    return await auth_proxy.forward_request("GET", "../users/me", request)
+
+@router.put("/users/me")
+async def update_current_user(request: Request):
+    """Proxy update current user to auth service"""
+    return await auth_proxy.forward_request("PUT", "../users/me", request)
+
+# ================================================================
+# CATCH-ALL ROUTE for any other auth endpoints
+# ================================================================
+
+@router.api_route("/auth/{path:path}", methods=["GET", "POST", "PUT", "DELETE", "PATCH"])
+async def proxy_auth_requests(path: str, request: Request):
+    """Catch-all proxy for auth requests"""
+    return await auth_proxy.forward_request(request.method, path, request)
+
+# ================================================================
+# HEALTH CHECK for auth service
+# ================================================================
+
+@router.get("/auth/health")
+async def auth_service_health():
+    """Check auth service health"""
     try:
-        auth_header = request.headers.get("Authorization")
-        if not auth_header:
-            raise HTTPException(status_code=401, detail="Authorization header required")
-        
         async with httpx.AsyncClient(timeout=5.0) as client:
-            response = await client.post(
-                f"{settings.AUTH_SERVICE_URL}/logout",
-                headers={"Authorization": auth_header}
-            )
+            response = await client.get(f"{AUTH_SERVICE_URL}/health")
             
-            return JSONResponse(
-                status_code=response.status_code,
-                content=response.json()
-            )
-            
-    except httpx.RequestError as e:
-        logger.error(f"Auth service unavailable: {e}")
-        raise HTTPException(
-            status_code=503,
-            detail="Authentication service unavailable"
-        )
+            if response.status_code == 200:
+                return {
+                    "status": "healthy",
+                    "auth_service": "available",
+                    "response_time_ms": response.elapsed.total_seconds() * 1000
+                }
+            else:
+                return {
+                    "status": "unhealthy", 
+                    "auth_service": "error",
+                    "status_code": response.status_code
+                }
+                
     except Exception as e:
-        logger.error(f"Logout error: {e}")
-        raise HTTPException(status_code=500, detail="Internal server error")
+        logger.error(f"Auth service health check failed: {e}")
+        return {
+            "status": "unhealthy",
+            "auth_service": "unavailable", 
+            "error": str(e)
+        }
+
+# ================================================================
+# CLEANUP
+# ================================================================
+
+@router.on_event("shutdown")
+async def cleanup():
+    """Cleanup resources"""
+    await auth_proxy.client.aclose()