fix(security): improve auth handling and logging in middleware

2026-01-20 19:14:00 +03:00 · 2026-01-20 19:14:00 +03:00 · a7457c3979
commit a7457c3979
parent 5eec115d1d
2 changed files with 17 additions and 21 deletions
--- a/middleware/security.py
+++ b/middleware/security.py
@ -112,6 +112,7 @@ class ApiKeyMiddlewareHTTP(BaseHTTPMiddleware):
        "/health",
        "/auth",
        "/api-keys/verify",
+        "/universign/webhook",
    ]

    def _is_excluded_path(self, path: str) -> bool:
@ -137,6 +138,12 @@ class ApiKeyMiddlewareHTTP(BaseHTTPMiddleware):
        auth_header = request.headers.get("Authorization")
        api_key_header = request.headers.get("X-API-Key")

+        if api_key_header:
+            logger.debug(f"🔑 API Key détectée pour {method} {path}")
+            return await self._handle_api_key_auth(
+                request, api_key_header, path, method, call_next
+            )
+
        if auth_header and auth_header.startswith("Bearer "):
            token = auth_header.split(" ")[1]

@ -144,27 +151,16 @@ class ApiKeyMiddlewareHTTP(BaseHTTPMiddleware):
                logger.warning(
                    " API Key envoyée dans Authorization au lieu de X-API-Key"
                )
-                api_key_header = token
-            else:
-                logger.debug(f" JWT détecté pour {method} {path}")
-                return await call_next(request)
+                return await self._handle_api_key_auth(
+                    request, token, path, method, call_next
+                )

-        if api_key_header:
-            logger.debug(f" API Key détectée pour {method} {path}")
-            return await self._handle_api_key_auth(
-                request, api_key_header, path, method, call_next
-            )
+            logger.debug(f"🎫 JWT détecté pour {method} {path} → délégation à FastAPI")
+            request.state.authenticated_via = "jwt"
+            return await call_next(request)

-        logger.warning(f" Aucune authentification: {method} {path}")
-        return JSONResponse(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            content={
-                "detail": "Authentification requise",
-                "hint": "Utilisez 'X-API-Key: sdk_live_xxx' ou 'Authorization: Bearer <jwt>'",
-                "path": path,
-            },
-            headers={"WWW-Authenticate": 'Bearer realm="API", charset="UTF-8"'},
-        )
+        logger.debug(f" Aucune auth pour {method} {path} → délégation à FastAPI")
+        return await call_next(request)

    async def _handle_api_key_auth(
        self,
@ -196,7 +192,7 @@ class ApiKeyMiddlewareHTTP(BaseHTTPMiddleware):

                is_allowed, rate_info = await service.check_rate_limit(api_key_obj)
                if not is_allowed:
-                    logger.warning(f"⚠️ Rate limit: {api_key_obj.name}")
+                    logger.warning(f" Rate limit: {api_key_obj.name}")
                    return JSONResponse(
                        status_code=status.HTTP_429_TOO_MANY_REQUESTS,
                        content={"detail": "Rate limit dépassé"},
--- a/scripts/manage_security.py
+++ b/scripts/manage_security.py
@ -162,7 +162,7 @@ async def create_api_key(
            logger.info("   Endpoints: Tous (aucune restriction)")

        logger.info("=" * 70)
-        logger.info("⚠️  SAUVEGARDEZ CETTE CLÉ - Elle ne sera plus affichée !")
+        logger.info("  SAUVEGARDEZ CETTE CLÉ - Elle ne sera plus affichée !")
        logger.info("=" * 70)