refactor(security): improve auth middleware and logging

2026-01-20 13:51:09 +03:00 · 2026-01-20 13:51:09 +03:00 · 5b584bf969
commit 5b584bf969
parent 022149c237
1 changed files with 22 additions and 15 deletions
--- a/middleware/security.py
+++ b/middleware/security.py
@ -34,7 +34,7 @@ async def verify_swagger_credentials(credentials: HTTPBasicCredentials) -> bool:
                    logger.info(f" Accès Swagger autorisé (DB): {username}")
                    return True

-            logger.warning(f" Tentative d'accès Swagger refusée: {username}")
+            logger.warning(f"Tentative d'accès Swagger refusée: {username}")
            return False

    except Exception as e:
@ -43,6 +43,7 @@ async def verify_swagger_credentials(credentials: HTTPBasicCredentials) -> bool:


 class SwaggerAuthMiddleware:
+
    def __init__(self, app):
        self.app = app

@ -54,7 +55,7 @@ class SwaggerAuthMiddleware:
        request = Request(scope, receive=receive)
        path = request.url.path

-        protected_paths = ["/docs", "/redoc", "/openapi.json"]
+        protected_paths = ["/docs", "/redoc"]

        if any(path.startswith(protected_path) for protected_path in protected_paths):
            auth_header = request.headers.get("Authorization")
@ -104,6 +105,7 @@ class SwaggerAuthMiddleware:


 class ApiKeyMiddleware:
+
    def __init__(self, app):
        self.app = app

@ -115,21 +117,24 @@ class ApiKeyMiddleware:
        request = Request(scope, receive=receive)
        path = request.url.path

-        excluded_paths = [
+        public_exact_paths = [
+            "/",
+            "/health",
            "/docs",
            "/redoc",
            "/openapi.json",
-            "/health",
-            "/",
-            "/auth/login",
-            "/auth/register",
-            "/auth/verify-email",
-            "/auth/reset-password",
-            "/auth/request-reset",
-            "/auth/refresh",
        ]

-        if any(path.startswith(excluded_path) for excluded_path in excluded_paths):
+        public_path_prefixes = [
+            "/api/v1/auth/",
+        ]
+
+        is_public = path in public_exact_paths or any(
+            path.startswith(prefix) for prefix in public_path_prefixes
+        )
+
+        if is_public:
+            logger.debug(f"Chemin public: {path}")
            await self.app(scope, receive, send)
            return

@ -140,12 +145,12 @@ class ApiKeyMiddleware:
        has_api_key = api_key is not None

        if has_jwt:
-            logger.debug(f" JWT détecté pour {path}")
+            logger.debug(f"🔑 JWT détecté pour {path}")
            await self.app(scope, receive, send)
            return

        elif has_api_key:
-            logger.debug(f" API Key détectée pour {path}")
+            logger.debug(f"🔑 API Key détectée pour {path}")

            from services.api_key import ApiKeyService

@ -218,8 +223,9 @@ class ApiKeyMiddleware:
            response = JSONResponse(
                status_code=status.HTTP_401_UNAUTHORIZED,
                content={
-                    "detail": "Authentification requise",
+                    "detail": "Authentification requise (JWT ou API Key)",
                    "hint": "Utilisez soit 'X-API-Key: sdk_live_xxx' soit 'Authorization: Bearer <jwt>'",
+                    "endpoint": path,
                },
                headers={"WWW-Authenticate": 'Bearer realm="API", charset="UTF-8"'},
            )
@ -233,4 +239,5 @@ def get_api_key_from_request(request: Request) -> Optional:


 def get_auth_method(request: Request) -> str:
+
    return getattr(request.state, "authenticated_via", "none")