From 5b584bf9692aafaabd8f453b7cf5b96cdb36804d Mon Sep 17 00:00:00 2001
From: Fanilo-Nantenaina <r.fanilonantenain.a@gmail.com>
Date: Tue, 20 Jan 2026 13:51:09 +0300
Subject: [PATCH] refactor(security): improve auth middleware and logging

---
 middleware/security.py | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/middleware/security.py b/middleware/security.py
index 137e7dd..c6e75e7 100644
--- a/middleware/security.py
+++ b/middleware/security.py
@@ -34,7 +34,7 @@ async def verify_swagger_credentials(credentials: HTTPBasicCredentials) -> bool:
                     logger.info(f" Accès Swagger autorisé (DB): {username}")
                     return True
 
-            logger.warning(f" Tentative d'accès Swagger refusée: {username}")
+            logger.warning(f"Tentative d'accès Swagger refusée: {username}")
             return False
 
     except Exception as e:
@@ -43,6 +43,7 @@ async def verify_swagger_credentials(credentials: HTTPBasicCredentials) -> bool:
 
 
 class SwaggerAuthMiddleware:
+
     def __init__(self, app):
         self.app = app
 
@@ -54,7 +55,7 @@ class SwaggerAuthMiddleware:
         request = Request(scope, receive=receive)
         path = request.url.path
 
-        protected_paths = ["/docs", "/redoc", "/openapi.json"]
+        protected_paths = ["/docs", "/redoc"]
 
         if any(path.startswith(protected_path) for protected_path in protected_paths):
             auth_header = request.headers.get("Authorization")
@@ -104,6 +105,7 @@ class SwaggerAuthMiddleware:
 
 
 class ApiKeyMiddleware:
+
     def __init__(self, app):
         self.app = app
 
@@ -115,21 +117,24 @@ class ApiKeyMiddleware:
         request = Request(scope, receive=receive)
         path = request.url.path
 
-        excluded_paths = [
+        public_exact_paths = [
+            "/",
+            "/health",
             "/docs",
             "/redoc",
             "/openapi.json",
-            "/health",
-            "/",
-            "/auth/login",
-            "/auth/register",
-            "/auth/verify-email",
-            "/auth/reset-password",
-            "/auth/request-reset",
-            "/auth/refresh",
         ]
 
-        if any(path.startswith(excluded_path) for excluded_path in excluded_paths):
+        public_path_prefixes = [
+            "/api/v1/auth/",
+        ]
+
+        is_public = path in public_exact_paths or any(
+            path.startswith(prefix) for prefix in public_path_prefixes
+        )
+
+        if is_public:
+            logger.debug(f"Chemin public: {path}")
             await self.app(scope, receive, send)
             return
 
@@ -140,12 +145,12 @@ class ApiKeyMiddleware:
         has_api_key = api_key is not None
 
         if has_jwt:
-            logger.debug(f" JWT détecté pour {path}")
+            logger.debug(f"🔑 JWT détecté pour {path}")
             await self.app(scope, receive, send)
             return
 
         elif has_api_key:
-            logger.debug(f" API Key détectée pour {path}")
+            logger.debug(f"🔑 API Key détectée pour {path}")
 
             from services.api_key import ApiKeyService
 
@@ -218,8 +223,9 @@ class ApiKeyMiddleware:
             response = JSONResponse(
                 status_code=status.HTTP_401_UNAUTHORIZED,
                 content={
-                    "detail": "Authentification requise",
+                    "detail": "Authentification requise (JWT ou API Key)",
                     "hint": "Utilisez soit 'X-API-Key: sdk_live_xxx' soit 'Authorization: Bearer <jwt>'",
+                    "endpoint": path,
                 },
                 headers={"WWW-Authenticate": 'Bearer realm="API", charset="UTF-8"'},
             )
@@ -233,4 +239,5 @@ def get_api_key_from_request(request: Request) -> Optional:
 
 
 def get_auth_method(request: Request) -> str:
+
     return getattr(request.state, "authenticated_via", "none")