Expand description
Router-level authentication gate (AAASM-3125).
Historically every protected handler had to opt in to authentication by
declaring an AuthenticatedCaller / RequireScope extractor. Handlers
that forgot to do so (e.g. the alert-rule CRUD endpoints, AAASM-3129)
silently shipped unauthenticated. This module provides a single
deny-by-default require_authentication middleware that is applied as a
route_layer over the protected sub-router in the consuming service’s
router, so a new route is authenticated unless it is explicitly mounted on
the public router.
The gate reuses the existing AuthenticatedCaller extractor, so it
honours AuthMode::Off (bypass) and the API-key / JWT validation and
per-key rate-limit logic exactly as the per-handler extractors do.
Functions§
- require_
authentication - Deny-by-default authentication middleware.