Skip to main content

Module gate

Module gate 

Source
Expand description

Router-level authentication gate (AAASM-3125).

Historically every protected handler had to opt in to authentication by declaring an AuthenticatedCaller / RequireScope extractor. Handlers that forgot to do so (e.g. the alert-rule CRUD endpoints, AAASM-3129) silently shipped unauthenticated. This module provides a single deny-by-default require_authentication middleware that is applied as a route_layer over the protected sub-router in the consuming service’s router, so a new route is authenticated unless it is explicitly mounted on the public router.

The gate reuses the existing AuthenticatedCaller extractor, so it honours AuthMode::Off (bypass) and the API-key / JWT validation and per-key rate-limit logic exactly as the per-handler extractors do.

Functions§

require_authentication
Deny-by-default authentication middleware.